Organizations need information governance to protect against data risks, says panel

Organizations that collect large amounts of data on customer behavior, their own workers, health records, financial transactions and other processes need to put in place a system of comprehensive information governance, an expert panel told a Feb. 24 National Press Club Newsmaker.

Conor R. Crowley, principal of his own law office in McLean, Va., explained that organizations create value for themselves by mining large data sets to, for example, target ads on the Internet or to decide where to place products in stores.

He cited, for example, a grocery market study in Australia that found construction workers tend to babysit at home on their days off. As a result, the stores placed beer and diapers close together on days that construction sites were not active.

Organizations using large data sets not only risk violating privacy laws, but also risk being targeted by computer hackers and facing potential litigation,said members of the panel. The potential solution for organizations, they agreed, is information governance.

Such governance would draw upon on a range of disciplines - lawyers, statisticians, linguists, programmers and experts on machine learning Paul Starrett, counsel and chief global risk officer for UBIC North America, told the audience.

Information governance puts in place a comprehensive framework of addressing risk, security, privacy, electronic discovery and information management to record, preserve and discard, where appropriate, information, Crowley said.

"We are all information governance evangelists," said Jason Baron, former director of litigation for the National Archives and Records Administration.

Monica McCarroll, chair of the law e-discovery discovery and information governance section at the William Mullen law firm, with offices in D.C., Virginia and North Carolina, said information governance could lower costs of finding a data item needed for disclosure in a lawsuit from $3 to $5 to between 50 cents and $1. In addition, she noted, information governance can direct searchers to an item of data or determine that it has been disposed of properly.

Baron said that, based on research evidence, machines are at least as good as people, and more efficient in searching through documents, to find information in lawsuits.

Starrett described supervised and unsupervised data mining. The latter involves clustering items to find patterns in the data, he explained, in contrast to supervised data mining, in which the user specifies classifications, for example.

"It's all about finding the signal in the noise," he said.

Crowley said legal risks can vary with the laws in jurisdictions where data resides. He noted a possible legal risk of using a "cloud" -- contracting services of data storage on another organization's servers. That could mean that the data might change jurisdictions as the contract manager moved data from one set of servers to another to save costs, depending, for example, on changes in electricity prices, he said.