So, welcome everyone today to Mara's guest lecture, and our guest lecturer is Robert F. Smallwood. He's the managing director for the Institute for Information Governance and IMERGE Consulting. And Robert is an industry leader as far as being an author, keynote speaker, consultant, and educator in the field of information governance and electronic records management. He is the author of the text we're using for the information governance course, Information Governance: Concepts, Strategies, and Best Practices. And he has three other books out, and we just heard about an executive edition of the IG book that will be coming out in December. His other book that you may be very familiar with is Managing Electronic Records: Methods, Best Practices, and Technologies. And then there's another one very closely related on safeguarding critical e-documents. Robert is a founding partner of IMERGE Consulting. He heads up the Institute for Governance, as I said, and he does teach information governance and consults with leading organizations. So, he has practical experience that he's going to be able to share with us. So, right now without any further ado on my part, I'm going to introduce our guest speaker, Robert, and Robert, you can take it away.

Okay. Thanks very much, Pat. I'm happy to be here. I'm pleased that this is my inaugural lecture at the university. So, you can tell your grandkids you were the first at some point, huh? So, I'm really looking forward to this. And just to introduce myself, I guess, as Pat said, I'm the author of the Information Governance: Concepts, Strategies, and Best Practices book, and the Managing Electronic Records book. And it's been picked up by some major university programs. These books are being used to teach these courses at not only San Jose State, but the University of Oxford in England, University of Michigan, University of Toronto, NC State, University of Maryland, and a number of others. So, I'm pleased and proud with those developments.
And just to give you a little background about the Institute for Information Governance, which is a practice area of IMERGE Consulting, which I've been a founding partner of and member of for the last 20-some years. And so, I focus on information governance training. And if you go to igtraining.com, there's more information there. And I teach classroom classes on site, as well as live online and HD video. And I have the archived sessions that are recorded for on demand. And we offer to corporations and government organizations certificates and various information governance courses. And some of the organizations we've done some training for already are Pacific Gas and Electric, NARA, Tyson Foods, Warner Music, Bank for International Settlements, and others. So, this has been, I've really been teaching this about 18 months, and the book has been out just about that length of time. So, we're going to talk about information governance today. And I'll tell you how many conversations I've had when people kind of slip up and say, let's look at information governance. What is that? So, we'll talk about information governance. So, if you're looking for any evidence that whether this is a trend or not, you can just look back to 2014 last year. And this was sort of the year that IG got launched. It's when the Information Governance Initiative launched their initiative of about 15 vendors got together and decided they needed to clarify the marketplace, do some research, provide some events and so forth. And that's a group of 15 that's growing to 25 or more today. And they have a Chief Information Governance Officer Summit in Chicago and that they held the first one in the spring and in the fall they have Information Governance, the InfoGovCon in Hartford in the fall. ARMA, the Records Management Association, had their first executive conference on Information Governance.
AIIM launched their Information Governance Training, which in my opinion is less than, it's just not as good as mine, put it that way, then our organization launched our training. And InGenius, which is an organization out of Irvine, California, added to their e-discovery retreats, added Information Governance, so they're moving in that direction. Of course, my book was published last year in April and Information Governance was added to the first step of the electronic discovery reference model if you go to edrm.net. And it did say Information Management, but now it says Information Governance because if you have better governance on the front end, it's going to make all those downstream processes in e-discovery in terms of finding information and producing it much more smooth fashion. So this didn't happen in 2013 or 2012, these things didn't start to happen this year. They all happened last year, so if you're looking for a sign of an industry that's taking off and growing, I think it's pretty clear. Now, we've had some, I think missteps and confusion as to what Information Governance is and started with some of these larger consulting groups which came out with definitions like this, which cover everything and the kitchen sink, and it's probably true, but I just think it's too much of a mouthful for anyone to actually digest and articulate. So I wouldn't recommend this definition anymore. Basically what Gartner did was they took their data governance definition and tweaked it a little bit and said, now that's Information Governance, but this is what happens when you create a definition by committee. And ARMA came out with theirs as well, which is similar, it's a little less verbose, but still it's just, it doesn't say anything about risk, it doesn't say anything about cost, it's just too much.
So the Information Governance Initiative came out with their definition last year and it's really the same as what IDC's was, you know, I guess four or five years ago, it's very similar, which is the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs. And the reason I'm going through these newer definitions is because these are developments that have happened in the last two years since my book was published. So in my book I offered the ARMA definition, the Gartner definition and several others and I'm just trying to give it a flavor of that. But this is a much more crisp definition here, so it's fairly easy to take that away because it's a fairly easy elevator pitch to be able to say, oh well it's minimizing risks and costs of information while maximizing the value. And I tried to boil that down a little, distill it a little more and I got down to what I would say the most crisp definition I could get, which is security, control and optimization of information. And it maps to the Information Governance Initiative definition if you look at it. So let's see here, let's start from the optimization then. So optimization, if you look at the value, maximizing value, that means optimization. So maximizing value is optimization but also minimizing costs is optimization. So we're minimizing costs and maximizing value, that's optimization, okay. And we have, you've got a control. Control would be having your information under control, meaning you know where it is, you know who has access to it and the proper people have the right information at the right time, you're minimizing your costs when you have control.
You're also, when you have control of your information, you're minimizing your risks because you know where your personally identifiable information is, where your protected health information is, where your credit card information is and you protected that so you have more control when you're reducing your risk. And with security, if you've got security, secure information, then you have got lower costs because you've reduced the cost of breaches. You've reduced the impact of breach when it does happen. And with greater security, information security, you've also reduced your risks. So I believe that this definition maps to the IG Initiative definition but it's more succinct and more crisp and it's easier to remember. What is information governance? Security, control, and optimization of information. And this is, you know, after some hard thinking over the last couple of years. So let's just look at where information governance sits in this stack of different types of governance that is often confused. First, you have corporate governance which has been around as long as corporations have been around and that involves what's called governance, risk management, and compliance, there's software for that, for GRC. And that's a very high level of mostly talking about financial compliance there. Risk management in a broader sense than just information risk and governance in a broader sense. So your corporate governance has to do with your shareholder agreements, your board of directors election, your bylaws, your articles of incorporation, you know, how you're going to run the corporation, the organization. Information governance would fall below that, it would be, it should be more and more of the responsibility of boards and CEOs and that's security, control, and optimization of information. And we're talking about both structured information which is databases, which are easy to manage relatively, and unstructured information which is everything else.
Your email, PowerPoint, spreadsheets, word processing documents, Microsoft Word and so forth. So it's all that unstructured information where sometimes termed semi-structured because it has some metadata attached to it. Unstructured in general doesn't have metadata or not much to speak of. Harder to, so that's harder to manage. And you have IT governance which is really was formed so that, I mean in the old days, 30 years ago when I started in computer business, you had these IT managers who would just go off and do their own thing and they'd be developing their own software code. They would be, you know, not documenting it well. They would start projects that senior management didn't really know what was going on and they needed to get a handle on it. So IT governance is about getting the IT department to run more efficiently and to focus their development and their service efforts on meeting corporate objectives. So you have, with IT governance, you have some of the more popular frameworks are COBIT which is now COBIT 5, ITIL, COBIT is Control Objectives for IT. ITIL which is IT Infrastructure Library which came out of the UK. It's the largest used framework for service management in the world. And there's also ISO Standard, ISO 38500 which all of these are compatible. They map to each other and they're all involved around getting results from the IT department and getting them focused on objectives that the senior management can view and see them making progress toward accomplishing business objectives. So it was really a way to do that. And then you have IT governance and IT governance, I mean, I'm sorry, data governance. And then data governance is really at that raw level that are getting good quality data. And I'm talking about numbers and letters here, getting that input. So it's not only getting an input but making sure you have data quality at that lowest level so that all those downstream reports are more accurate.
And there's software that does data cleansing, data scrubbing, deduplication. There's some data gets corrupted in the course of business because you've got the physical movement on disk drives and physically moving eventually things wear out. Eventually they might make mistakes. So there's software that can go find where there's bad data, corrupted data, strip that out, replace it with new, fresh, accurate data. And so it's about maintaining good, clean data. And Carl Thomas, who's the Information Governance Lead for J.P. Morgan Chase, said in their information governance program when they went out to the business units, the biggest issues that managers of those business units had was information quality. They didn't trust the information they were being given so they didn't therefore trust the reports and the analyses that were coming from that data. So it's about getting good, clean data at that lowest level. And I'm talking about structured data here, databases, and having it flow into reports downstream and be more accurate. So if you look at the right here, you see it becomes more and more specific as you move down from corporate governance to information governance, IT governance to data governance. So that, now that you know the difference, if you ever read an article, I mean I've seen supposed experts writing articles on information governance and then make the articles about data governance. Or, you know, if you buy this book, Selling Information Governance to the Business, which I thought was going to be helpful for writing my book, it's all about data governance. They just start to replace. So, you know, data governance is about structured data at that low level. Information governance is much higher level and involves unstructured data and security, control, optimization of data. And once you get that right, it will bug you, it'll drive you crazy when you see people confusing or mixing or conflating information governance with data governance.
So they are two different things. Although data governance should be a part of an information governance program. Now what is information governance? It's just getting your house in order. George Socha, who's a principal at edrm.net and one of the co-authors of the eDiscovery reference model as well as the IG reference model. So it's just getting your house in order, cleaning things up. The example he gives is he was in his daughter's room and he found a sleeping bag in her closet. And he said, now that to me, it didn't fit there. It was supposed to be in the basement in a certain cubby hole. And then as far as the classification, that's not where I would have ever put it. So I wouldn't even think to look there. And that's what happens in organizations. People file information away the way they feel like they would want to retrieve it, but other people can't find it. So you have information chaos because there's no structure. There's no classification. People aren't on the same page. Information governance is sort of a super discipline. It's made up of multiple disciplines that in records and information management, IT, legal, privacy, security, and risk management and a number. So it just emerged in the last five years, particularly in the last couple of years. And it emerged due to more and more regulations, more and more litigation, more and more data, more and more information with this big data trend. We're just hitting the beginning of that. We're going to be swamped with it. So organizations are looking at growth internally of 40 to 50% a year of information. And now, if they're getting to the choking point, they've been adding disk and they've been adding it, but they haven't been organizing it. Then there are big, big downsides to that. If you look at PG&E, Pacific Gas and Electric, they had a great records retention schedule, but they weren't following it. Then they couldn't produce the proper records.
So they're looking at a billion dollar fine and criminal penalties because of poor information governance. Well, I can tell you right now, they have a strong information governance initiative going on at PG&E and they have a reason to do it, but they're not alone. If you look at the largest banks and the largest insurance companies, they all have the same dirty little secret in the back room behind those closed doors. It's a mess. They definitely can't find things. They've been saving it forever, 10 years or more, even though nobody's retrieving the information that's sitting out there and multiple, multiple duplicates and so forth. So really, multiple overlapping disciplines were needed to address all those challenges. And so information governance includes key concepts from corporate governance, records management, information security, e-discovery, litigation readiness, all of these pieces here and more. That's information governance. So you can see why it's sort of hard to get your arms around that. And the IG Initiative, which does surveys and studies, just released a couple of weeks ago, a study where they sort of solidified what is information governance, what are the pieces of it. And last year's study said about the same thing. Records and information management was most closely associated with information governance. Then information security and protection, which has kind of moved up a little bit in this scale. Compliance, e-discovery, data governance, privacy, risk management. Now last year, e-discovery was about here and data governance was up here. So e-discovery moved up a little bit. So just to kind of, and you can see, if you go around here, it's big data at Messer, data management analytics and so forth, all of this. And so if you kind of look at the slice of the first third of that, then I would say that's where you can focus, that's where you can focus on what is information governance.
It's RIM, it's information security, it's information compliance, e-discovery, data governance, privacy, risk management, and data storage and archiving means like email archiving, content archiving. If you archive in real time, you can make sure that you capture the information without any spoliation or adulteration. Spoliation means it was, the information was possibly corrupted, changed, and so forth, not preserved in its original format, in an original form. So you can see all of those pieces, all of these little pieces, they map to pretty much the information governance reference model, which is RIM and IT, which is data governance and privacy and security, information security here, legal, which is e-discovery and related. And they have business here, which is the business units focusing on profit. In the center of this diagram, you'll see sort of the traditional records management paradigm. But I've recommended that I wrote a blog post if you go to my LinkedIn page, and I invite you to go ahead and connect with me on LinkedIn. You'll see my article that I wrote, I wrote a blog post on why the information governance reference model should have change management in it, because you can't really do information governance without change management. You have to do the training, you have to do communications. You have to redesign business processes and change the way people work. And so I recommended that it go outside all of this, there should be a circle around it, George Socha believes it should be in the center, but nevertheless, they took my recommendation under advisement, and I wrote a little more detail and submitted it, and they're going to add change management. So next year, it'll have change management in it. Now, what is the whole focus of information governance? The whole idea is to focus on that information that has real value.
They did this study and OCEG has decided in just about every IG presentation you'll see, which is that only about 25% of information that organizations have has real business value, and about 5% has to be kept as business records. About 1% is retained for litigation on average. So that means if you do the math, 69% is just costly jobs. So that means you've got your IT department and you've got high value resources there, highly qualified, expensive people, and you're spending the same amount of resources and effort to manage the garbage as you are to manage the high value information, which makes no sense. It's a complete misapplication of resources. And let's say you're completely off. Let's say it's not 69%, it's only 40%, or if it's only 33%, that's still one third of your whole budget of managing the data. I'm talking about not only the disk drives and the air conditioning and so forth, it's just all the overhead and the labor to keep that up. It's just really a waste. And most of this could be termed what is called ROT. And if you haven't heard of that, ROT is redundant, outdated, or trivial information. So that means they've done some different studies. You have these copies upon copies, sometimes seven or more copies. This is typical. You'll find in organizations. In fact, up to 40% of what's managed in organizations is just duplicates. And you don't need duplicates. You just need the one copy and you can refer to that. It's orphaned content. So content that somebody created and they've left the organization three or five years ago and no one else has a use for it. Or it was created with a certain application, which was sunset or decommissioned and that it no longer applies. It's still sitting out there. Or you have just things that are created during the course of regular operations, log files, temp files, PST files. Then you have unknown content, which is also often referred to as dark data. Where they just don't know what it is.
And it's kind of crazy, but in organizations there's a lot of information they're managing. They're spending those high value resources. Managing it and they don't know what's in there. And there's also illicit or unauthorized content. So for instance, you go into shared drives in large organizations and they'll have people's iTunes library on there and they'll have their pictures from homecoming or Super Bowl or whatever it might be. And so all that needs to be cleaned up. And all you really need to do is go in and find out if you've got a SharePoint site, for instance, and it's not supposed to have audio files on there. You can just go in and delete those at will, because they're not supposed to be there according to the governance of that SharePoint site. So a lot of that, people say, oh, I think this is too much work, too hard, but it's actually, it's finite. It's logical. It's something that can be solved. And how do you solve it? You use software that's often termed file analysis software. And this is one tool you can use. The longer term is file analysis, classification, and remediation. Just to give you some examples, if you want to look up some of these companies, Acaveo in Canada. What happened to that? Come on. Acaveo, Acaveo, and Nuix, which originally came out of Australia. Acaveo, Acaveo, and Navigation, and there are others. And those would be some that you might also FileFacets. There are others. And basically what the software does is it goes out through all your shared drives and all your network attached storage and all your storage area network and looks to do file analysis. It crawls and it looks at all of the characteristics of your files and it can locate personally identifiable information, protected health information, PCI, credit card information.
You know, if Sony Pictures would have done this prior to their breach, then they would have been able to find that personally identifiable information that their employees, they were out there on their employees. All 3,800-some employees got their name, birthday, address, social security number, next of kin. All that information was divulged. The way you stop that is if someone penetrates the exterior through their firewall, is you lock down that information with encryption. So even if they get there, they can't read it and they don't have the encryption keys. So that would save a lot of problems. But you could also find out things like the file type, the author, when it was created, when it was last accessed. If you find out, basically, information has much value in the first 30 days. And if you find out that, and it goes down from there, if you find out that Sony's information hasn't been accessed for 10 years, it's a good candidate for deletion. And you have to have your policies in place and okay with legal to delete this stuff, but that's what you need to do. And some organizations do it sort of in a stair step fashion. For instance, take all this information we think we should be deleting and let's put it in the cloud because it's cheaper storage. And okay, your people in business unit A or B, you have 90 days to tell us whether you need this information for business reasons or not. Otherwise, we're going to delete it. So it's about the proper tiers of storage as well as deleting. So you have tier one, tier two storage. So tier one would be your fastest, most expensive disk drive. That's the information you need every day quickly. And you'd have tier two, which would be a little slower. You could have near line, which means somebody has to mount it. You could have offline. So there's really a hierarchy to managing your information according to its value. And file analysis gives you this feedback to help identify targets for defensible deletion.
And it gives you a picture of what your information holdings are. And that allows you to create a data map or information map so you know where your information is and how to properly classify and manage it. Some of the more sophisticated file analysis software can actually go out there and do a content inspection on the content and actually start to insert metadata tags. So it can actually say here's the topic, here's the author, here's the date. It can start to insert those tags. And oh, one thing I wanted to say about the garbage that you can find is, you know what the number one thing you found that was a garbage file at a large oil company on the West Coast? It was empty Excel spreadsheets. People start a spreadsheet, they name it, and then they go to lunch and they forget about it. And then they come back the next day and they start it again. So people do these kinds of things all the time, same with Word documents. And if you can find that there's no data in there, those are candidates for deletion. So back to this classification piece for file analysis. The remediation part is actually starting to insert metadata tags on this content and get it organized. So it's pretty cool software. So what does information governance do? The net is it helps you comply with global regulation. So you have all these regulatory requirements and you have to produce the records and you have to be able to prove that those have integrity and authenticity and you can produce that for regulators. It can help in value-based archiving. In other words, the most valuable information is kept and that which you don't need, the 69% or whatever the number is, is deleted on a regular basis. And you have a consistent process for that. Automate the legal hold notification process. Legal hold notification is sort of one of the pillars or one of the first big steps that you have to get in place with information governance to be able to have an efficient e-discovery process in litigation.
You can automate your retention management and reduce the cost of storage. And then so ultimately you have lower costs, reduced risk, improved information quality, improved business insights. So it sounds great, right? So why wouldn't anybody do this? Because it's hard. What you really want to do is to redesign the business processes and bake in those privacy considerations, bake in those security considerations, bake in those records management considerations into the business processes. So that means it's going to require business process redesign, business process analysis, business process redesign, training, and communications, so that you have consistent, repeatable processes and that you're continuing to standardize and have those processes embedded in the organization. And so it becomes routine. In other words, what Carl Thomas at JPMorgan Chase calls routinize, to routinize those processes. And that's what they strive for in terms of improving operational efficiency. Now why do organizations implement information governance? This comes from that study that was just released a couple of weeks ago by an IG initiative. The key drivers are external regulatory compliance or legal obligations. You know, we have, we see this all the time. The large top five bank that we have done some work with, they've estimated the risk of poor information governance at over a billion dollars or more. And the reason is because the Citicorps and the JPMorgans and the Bank of Americas of the world have already been fined over a billion. And in fact, Bank of America has paid out over 90 billion since 2008 in fines and settlements because of poor information governance. So we've got all these systems and got great software and everything, but it's just not being managed and controlled well.
Otherwise, other drivers would be triggering events like lawsuit, dig a big thing, not only the lawsuit, but when the litigation costs start to spiral out of control, that's when the CEO starts to get upset. It just run away. And I'll tell you, with this big bank that we've worked with, the legal department didn't want to say, didn't want to report, how much was the cost of legal in e-discovery and break it out and how much was just regular legal fees and so forth. They didn't want to say because they want a bigger budget next year. They, you know, they all want to go with a bigger budget, but now they're starting to be some pressure there because it's getting to be too, too much, too high. Desire to mitigate risks associated with data that could have been defensibly deleted. In other words, if you go to court and the data is there, then and the other side knows that you have to produce it. But if you have a record retention schedule that you follow routinely and systematically and delete that information according to the life cycle that you stated in that record retention schedule, then you could say, sorry, judge, it's gone. We deleted that. But that's because we always do. That has a life cycle of three years and we deleted it. And this is our record retention schedule, so it's not available. So there's risk out there of keeping information. And this a lot of times has to do with email because that's where the smoking gun would be. So organizations might implement what would be called destructive retention of email. So in other words, they'll say, we're going to keep emails for 90 days or 120 days or 180. And then after that, we're blowing it away. We're deleting it, unless it's on legal hold, could potentially be on legal hold or is declared a record. So that's your policy and you do it consistently. Then you're OK. You're in the clear legally. Reduce storage costs is another key. And then it goes down from there.
So often information governance projects, I taught a gentleman from the Bank for International Settlements, which is sort of the bankers' bank in Basel, Switzerland. And what he did was they piggybacked on a data governance initiative. So that's a way to sort of expand that. And we already have some budget. We already have a project going. But they also had some audit results. And that's a good way to leverage and start an IG initiative because the audit results say, hey, we've got gaps in security here. We've got privacy concerns here. And the audit says this. And so let's move forward and address those concerns. And so if you look at sort of the sequencing of information governance projects, this is what practitioners would, this is how they would rank them if they had their choice. They would first create a corporate governance framework for IG. What's a framework? An IG framework? It's your steering committee. It's your executive sponsor. It's maybe you have a chief information governance officer that you named to be the liaison for the whole thing. It's looking at best practices. It's looking at standards. And it's creating that whole framework within which you're going to make your information governance decisions. And then the first thing you would do after that is update your policies and procedures starting with email and focusing on e-discovery. And wherever the pain points are, because information governance looks a little different in each organization. So there will be different pain points. One organization might have a big problem in e-discovery. Another organization might have a low litigation profile, but they have some problems with regulators. So they would update the policies in that area. Defensible deletion, which is getting rid of the data debris that you can get rid of. Data loss prevention, which is DLP software, is software that really prevents or tries to prevent the exit of sensitive information from your organization.
So you'll put in keywords, key phrases, and it will look for those and maybe certain people and stop it at the firewall. And this could be software. It could be a hardware device with software. It'll stop it before it exits the organization. The problem with it is sometimes you tighten it down too much and that impedes the flow of business and then it doesn't do its job. So sometimes they loosen it up, it's going through and it's not doing its job. So it's difficult and it's tricky. So they often will use a complementary technology called information rights management, which is what my Safeguarding Critical E-Documents book is largely about. And information rights management, or IRM, is like a security wrapper that goes around a document upon creation and it follows it wherever it goes and it controls the rights based on the roles and responsibilities of the person who created the document, the right to view, to print, to edit, to forward, and so forth. So if you have that software, if someone had 10,000 or let's say an Edward Snowden and he downloaded a million documents and you have all those and you're unauthorized. With information rights management, all those documents would be encrypted and as soon as you try to open them, it would go to the cloud or go to a server and say, does this person have access, authorized access to this document? Yes or no? If they've been terminated, you can sort of remote control and turn off access. So it'll go back down to that device and shred, do a virtual shredding of all those documents. So DLP, data loss prevention, combined with information rights management, is probably a good combination. Legal hold tracking would be the next piece they would do. They would do a legacy data cleanup and execute a big data analytics. So these are some of the types of projects and this is sort of a good sequence that they said they would like to do in that order. So what are some of the barriers to information governance? 
A lot of it is education, education and training. Another is siloing because you've got, all of a sudden you've got people with legal and IT and records and information management and privacy and security and they're all involved and they're supposed to work together. And I wrote a blog post called Information Governance is a Contact Sport because basically these are all people at the C level that let's say your general counsel is here and your CIO is here. They're both competing to be Chief Operating Officer or CEO. So now you're telling them to work together, right? They're used to just telling people who work for them what to do and they can control that. Now you have these different groups that have to work together so that makes it difficult. Then change management. So this is a critical piece, getting people to actually change. You run into people that are two or three or four years away from retirement. They just don't want to change the way that they've been doing things the whole time. And so for insufficient, not addressing the IG during the planning phase and insufficient funding here so there's a number of barriers to moving IG forward and there have been a number of failures in information governance programs. So now to get to the crux of the matter of what we wanted to talk about today, there's a camp in the IG community who started to and this is mostly sort of the big data and search people who said, hey, you don't really need to do information governance. No need to do all that cleanup. You don't need to do all that classification because of these, this is our case. We don't know what information might have value in the future. We don't have the construct to know what might be valuable in a year or five years or even 10 years. So we want to keep everything. Now remember, they want to keep everything, including those MP Excel spreadsheets and all that stuff. Don't delete. 
They don't want to delete anything that later regulators and superiors might want in the future. And they also believe that it's just not worth it from a time and cost standpoint, time consuming, politically charged because you got legal. You got IT. You've got privacy and security all battling it out. And if they don't see a direct benefit to them, or if they're not the ones that can benefit primarily, then they can drag their feet, not show up to a couple meetings, maybe kill the project, the program. The cost of storage, now here's the big one. It's funny to me, the cost of storage is effectively being driven down to zero with cloud offerings and low cost storage up front and Microsoft, Apple and Google, those types will win. Well, Microsoft just announced this week that they used to say you could do unlimited storage on OneDrive and now they're back to limiting it to one terabyte. And some people were actually using it for unlimited storage. They were using 75 terabytes or whatever. They're backing up the whole systems up there. So they said no. So I've got problems with that because what happens when they get all your information and it's all in the cloud and they change their mind, they change their strategy. And also here's the big one, search technology is so good we can just find what we want. We'll just classify it and find what doesn't matter if the garbage is there. Well, I thought about this, not thought about it for months to try to figure out how would I, what would be the retort to this. So I came up with some of these points and there's a blog post if you go to LinkedIn that articulates this in more detail. The culture, I think it sends a wrong message from senior management. Basically what it says is we can keep our information looking like this and it doesn't matter because we can search and find what we need. Or maybe it's like this, it's a little better organized, but it doesn't really matter. 
So that tells your employees we're not worried about professionalism, we're not worried about organization and efficiency, operation efficiency. When really you want electronically the metaphor to look like this. And it can look like this, just like a library. When you walk into a library within five minutes you go to the card catalog or online card catalog and you can find exactly what you want because it's orderly, it's organized and you can find what you need. The next thing is poor data quality. You've got all this garbage out there and so any analytics you run on it is going to be inaccurate. It also burdens the data scientists. So you've got these rock star hot shots that are data scientists which what they say is the worst part of your job is cleaning and organizing this data. And when you talk about unstructured information they can't even do an analysis on that until you get the metadata from it, right? So your metadata design has to be in place and has to be consistent and enforced. And you have to strip out that metadata to allow the data scientists to do their work. On that it's 85 or 90 percent of the information in an organization is unstructured. So they don't like cleaning it up and it just overwhelms them. You know data quality problem and then costs. Just the cost of e-discovery. The more information, the more irrelevant information you have that you have to go through when you are in e-discovery in that process of litigation. The higher the cost is because you're paying high-powered attorneys in some cases paralegals, they'll expend a lot of dollars to go through it. And to go through that information it's about $16,000 per terabyte. Now there are some ways to offset that and that would be using software like predictive coding which is software that you can train to look for the right documents and you can get an iterative process. 
An expert can for a particular legal matter train it to go out and say here find this more like this and not like this, more like this and not like this. So it's a cost thing. The other piece is storage costs. Now say okay if Microsoft or Apple, anybody else says you know Box even. Storage is free right, you think it's free. But there is a cost to it. There's somebody running those data centers. There are physical disk drives, optical drives, backup media, all that stuff costs money. So just because they haven't shifted the cost to the consumer on the front end doesn't mean it isn't there. And it also means that they can shift their model later once they have all your information because it's not very easy to get your information from Box to Dropbox or anything else. Or you know from Microsoft to Apple, it's just not very easy. There are no tools to do mass migration from those because it's not in your best interest to do that. Risk, you've got litigation risk that is, it means the more information that's out there the more you'd have to produce and the more likely there'd be a smoking gun that would damage you in litigation. But also just the risk of not being able to find and produce the records that you're supposed to be able to produce. And that's why these organizations are looking at billion-dollar fines because of that. You also have the risk of information breaches. If you don't have your information organized and there's a breach and you find yourself in a situation like the Office of Personnel Management in the government which had people's personal information, PII, unprotected and people that hadn't worked for the government for 20 years, it was unprotected. And so it was released, right? Same thing with Sony, it was unprotected. That PII was unprotected, released. Now they've got big problems and those people whose PII was released will have problems the rest of their lives with credit and so forth. 
Search accuracy, the more organized that your information is, the faster and more accurately you can search. And when you reduce that redundant outdated or trivial information, you can get to the information that has business value and improve your accuracy. And that improves the professionalism of knowledge workers and improves their ability to make decisions. It reduces the time that they have to spend searching. Makes them more productive. Privacy regulations, particularly in California, once you, you have to protect PII and PHI and PCI, but once you're done with it, you also are supposed to discard it. You're supposed to get rid of it. Once your business has used someone's personal, personally identifiable information, when they're finished, you're supposed to get rid of it, okay? So you have that. And if you don't know what you have and you don't know where your PII is, then you can't protect it. Productivity, just overall reduced time to search, more accurate information, more trusted information, closely related to the search accuracy. So there are all these reasons why just kicking the can down the road isn't a good idea from a management standpoint. Just bear in mind that with these breaches and so forth, people are the weakest link. Something like 96% of the cause of breaches can be attributed to human error. Someone made it, somebody left their laptop in the car and stolen. Someone didn't realize that they left themselves logged on or they gave a co-worker their logon credentials, something like that. So training and communications really are key. And I just wanted to review some best practices in your book there are 25 best practices in information governance that were the first ones to be published. And I added three more on a blog post and I'll probably continue to add to them. And those aren't the only ones. There'll be more and more that emerge. But certainly having a strong executive sponsor is the most critical and crucial factor for success. 
You also need to create an information governance framework. That means your steering committee, a steering committee that works. An executive sponsor who can drive the program on an ongoing basis for a long term. PG&E, so the gas electric. Their executive sponsor is the president of gas operations. He reports directly to the CEO. That's a strong executive sponsor. And also you may need to make decisions on which best practices you want to leverage. The ones that are being used within your own industry are the most relevant. And also which standards that you might feel would be helpful to use. And cross-functional approach. You have to have people on that team from legal, IT, records management, privacy, security, risk management, cross-functional approach. You need to cross-train those people so that the records management people start to understand legalese. The legal people understand more about IT and they understand more about records and information management. There has to be some more collaboration there. You need to identify your risks and rank them. You should certainly your top five risks, rank them, and the likelihood they can happen and what the potential impact is. So there's some examples in your book. You know, let's say a data breach, if we have a breach it would cost us five million. You know, the possibility of that happening is one percent. So, you know, what would that be? A $50,000 total expected value of that breach. But if it happens it'll cost you the whole five million, right? So then you develop a risk mitigation plan. I was in New Orleans when Hurricane Katrina hit and there was an ISP down there, an internet service provider, who had a generator in their basement. And every year they would run off the generator for a week and they tested it. And when Hurricane Katrina hit and the power was cut, they were able to continue operating. And this was critical because they were supporting clinical systems for patients in hospitals as well. 
So they actually tested the plan and when the hurricane hit, their biggest problem was after a week they were running out of diesel fuel and they were able to through the radio and so forth to get some more fuel and keep running. And also information governance is an ongoing evergreen program. It's like a workplace safety program. It never goes away. So just remember information governance you just never finish. So overall information governance is about standardization and consistency in your processes to bake in information governance considerations. And those being primarily privacy, security, records and information management and quality, information quality. You need a strong executive sponsor. It requires training and communication. So a heavy change management effort. In other words, people have to understand how it's going to benefit them and how it's going to benefit the organization, how it's going to make their job better and easier. So you'll have resistance to any change, but change management is a critical component. It's a long-term project, a program, but you need to have shorter term projects to build some early wins. So the idea is let's say the first thing to do would be defensible deletion. So you just get rid of stuff. Because that doesn't have anything to do with user adoption or training or anything else. There's no user acceptance, no user adoption there, except to say, do you need this for business reasons? Otherwise, we're going to delete it. So that would be a way to say, hey, look boss, look executive sponsor. We just deleted 20% of our information and we don't need it anymore. So all this space is freed up for next year for good information to be stored. And so I believe overall that the keep everything approach just won't fly. 
It's not a viable management strategy because of the increases in data, information quality concerns, search productivity, protecting personal identifiable information, costs, legal and regulatory risks and potential breaches. And with that, I thank you and I appreciate your time today. It's been a pleasure and we'll move to questions here in the next session. Please join me in thanking your guest speaker for this informative presentation.