Information governance ‘an important issue’ in-house
For organisations that hold large amounts of data, information governance should be a high priority. For in-house legal teams, however, convincing other department heads to invest in this area can be tricky.
Tom Balmer is the APAC director at TransPerfect and recently spoke on a panel at the Lawyers Weekly Corporate Counsel Summit about how businesses can prepare themselves for litigation.
Information governance, which Balmer described as a “fancy way of saying how an organisation creates and manages its data”, is becoming more and more important for legal departments to keep abreast of.
“The more data you have, the more risk you have. They call it an attack surface in the cyber industry. And so, you’ve got this massive attack surface. This makes it much easier for criminals to download your data and start putting it on the dark web. So, it’s a really important issue for legal departments to start thinking about, and there are some easy steps that you can take. You know, we offer information governance consulting upfront, and really what we’re looking at doing there is assessing the current state,” he said.
“Well, understanding their regulatory and compliance obligations that they would have, because every company is different. But then we’re just looking to assess what’s there, assess what they’ve got, understand where their data sources are, where the critical information is, how that’s secured and then look to kind of control it better. So, setting up retention policies, internal rules around information governance, making sure that people are trained on this stuff.”
Training should be a high priority within organisations, according to Balmer, who said that many people on the ground outside of legal, risk and cyber teams don’t actually understand the importance of information governance and data management.
“We’re involved right at the start of disputes, talking with custodians or the people who are involved in them about their data, and they won’t think that their messages on WhatsApp between employees are going to be coming up in discovery, but they are a lot of the time. People just don’t think about it. And I think that training is really, really important. But before you train, you kind of have to set up those measures – getting an understanding of what data is there, figuring out what you need to keep, and otherwise getting rid of it, deleting it securely,” he said.
“So, I would figure out where your data is, where it sits, what systems people interact with. So, that’s talking with different departments that are actually getting on the ground and having that conversation because it won’t necessarily know all those answers. And talking to the different department heads, [asking], where do you save data? How do you save it? How do you secure it? When do you delete it?
“And then creating a data map is going to be really important. It’s also useful for litigation then, as well. So, you know, where you have to go to find the data and then working with it to put in place those policies and then making sure that those policies are followed and there’s compliance through training would be my simple advice.”
In terms of how to convince other teams in the organisation to improve processes around information governance, Balmer said that all in-house legal teams need to do is show them key examples making national headlines.
“Talking about the Optus hack, talking about Medibank and asking them, do you want our company up in the lights like this? Because if we don’t address this issue, that’s what’s going to happen. I think a lot of people do have an underlying understanding of the importance of this stuff once it’s made clear to them, or they look at those examples, but buy-in from those companies is like, you know, your department might not actually exist if we don’t have the funds from the massive scale litigation and class action that comes off the back of a breach for us, cost of breaches are only increasing,” he said.
“I’d also look at the personal side of it. Would you want your information stored at a company to this extent and kind of ask them that question? There’s very detailed patient records online now on the dark web of people with depression or who’ve been through horrific injuries, and there’s just stuff on there that you don’t want to be seeing and people don’t want to be seeing. And that’s enough, I think, to convince any department head that this is an important issue.”
The transcript of this podcast episode was slightly edited for publishing purposes.
Lauren Croft
Lauren is a journalist at Lawyers Weekly and graduated with a Bachelor of Journalism from Macleay College. Prior to joining Lawyers Weekly, she worked as a trade journalist for media and travel industry publications and Travel Weekly. Originally born in England, Lauren enjoys trying new bars and restaurants, attending music festivals and travelling. She is also a keen snowboarder and pre-pandemic, spent a season living in a French ski resort.