• Adam Cohen

InfoGov Overview

I collected my introductory and conclusory remarks from the class I am teaching (online) for Cardozo Law…

Information Governance


InfoGov is largely about risk management, and in that respect, it's one of those thankless jobs that you only hear about when something goes wrong. However, as organizations of every shape and size are immersed in the waters of information technology, the need for knowledgeable guidance in the field has never been greater--and it is hard to imagine how this need would go in any direction other than increasing.

When you step back and consider the immense scope of considerations for InfoGov, a wave of anxiety may swell inside you. The total pervasiveness of information technology in our business and personal lives can make the notion of "governing" it seem like an impossible dream. Many organizations get stuck at the planning stages of InfoGov and increasingly infrequent "committee" meetings eventually die out.

Achieving Digital Discipline becomes a real possibility only when you begin with a core approach or methodology that binds together each of the components of dealing with information technology legal risk. The methodology ensures comprehensiveness and consistency notwithstanding conflicting stakes and stakeholders and constantly changing technology. The approach is based on facts and "best practices" that are well-established and unimpeachable.

The facts begin with the physical and logical reality of the Information Assets the governance of which is under consideration. Identification, description, and documentation of these kinds of facts through tools like systems overviews and data classification matrices is necessary. As you progress, you will quickly appreciate that these representations of the information technology environment are the bedrock for all of the legal risk management decisions an organization makes with respect to information security, privacy, regulatory compliance and each of the rest of Digital Discipline's components. Yet in the real world, experience indicates that this bedrock is rarely in place. We hope you will be equipped to help change this sad state of affairs and establish solid foundations for the way we manage digital assets!

Systems and Data:

The “object” of our InfoGov or Digital Discipline efforts is the information technology environment--the various systems and data that make up an enterprise’s Information Assets and intersecting third party Information Assets. You will see that just by identifying characteristics of this environment, InfoGov issues will bubble to the surface. Others will require more digging before they reveal themselves.

Learning about information technology in the context of InfoGov does not mean that you need to become a "super-geek" or have a degree in computer science. However, the inescapable reality is that in the main--and of course there are exceptions like paper and oddball sources of information unique to certain niche enterprises--the information part of "Information Governance" is in digital form.

This means that there is no alternative but facing the music and doing what is necessary to have an informed approach. Hopefully, technology is something that interests you and you will find learning about it enjoyable. Moreover, the InfoGov professional is expected to be proficient at explaining technology to stakeholders and other people involved in one way or another with the process. This skill is demanded in tasks such as drafting policy documentation that any employee can understand, even those who do not work on a computer all day.

The skill of describing information technology is an art you will develop over time, encountering variations on the challenge as you experience new situations; for example, contributing to a lawyer's brief explaining your employer's enterprise I.T. environment to a judge, where a plaintiff has accused your organization of deliberately destroying harmful evidence. Fun!

InfoGov practitioners are often members of functional units like Legal & Compliance. In their zeal to address governance issues related to legal and compliance-like policies and procedures, they leapfrog the entire project of identifying and understanding the information eco-system their rules and regulations are supposed to govern. This often leads to square pegs trying to fit into round holes and the inevitable disconnect between what should be and what is.

Consequences can be serious when the time comes to face regulators, courts and other decision-makers unsympathetic to organizations lacking in digital discipline.

After toughing it out through this module, you have the tools to start at the beginning. As you build an InfoGov program with people, process, and technology, you know that your program will be built on a foundation that reflects the reality of the information lifecycle at your organization. It should be custom made, based on the actual contours of the information assets at stake, rather than a theoretical web of "best practices" that may require impossible alterations.

If you recall our introductory, cautionary, true story about a big bank hit with the legal equivalent of a nuclear bomb because it lost control of information assets, you don't need any convincing about the importance of information asset management to successful InfoGov. It is a lynchpin of digital discipline and you will see it come up again in various forms in several of the forthcoming modules.

Stakes and Stakeholders:

Not only does everyone in the organization use information, but they all have a role in “governing” it. In this module, we will explore the range of InfoGov roles and how they interact, overlap and conflict, along with other aspects of their sometimes-rocky relationships with each other when it comes to InfoGov. Think about all of the different issues that arise with enterprise information in different contexts and all of the different tasks that people in the organization need to do with that information, and the potential for tension becomes quickly apparent--which is more important, security or performance? Accessibility or data integrity? Availability or cost?

As you will find out, there are different models for dealing with the InfoGov constituents that need to be harmonized for the good of the enterprise. However, legal compliance is generally not an area with much flexibility. Not optional. Accordingly, when it comes to InfoGov, legal and compliance professionals tend to hold an authoritative position in al It would be hard to imagine an organizational imperative with farther reaching relevance to stakes and stakeholders of the organization than InfoGov.

This makes it challenging to determine the optimal participants in developing and implementing an InfoGov program. Including everyone is not an option where timeframes are limited. There is no right answer to the question of which human resources to include, but guidance from the trials and tribulations of others and analysis from different perspectives has led to emerging practices. As does the technology, InfoGov stakes and stakeholders will continue to evolve and new breeds of professionals will provide opportunities for those with the right skills.

Governance Models & Frameworks:

Here we consider "governance" in the narrower, more traditional sense, rather than as Digital Discipline, the meta-field. In this sense, governance is about the higher-level structures and processes for making strategic decisions about the information-related "sub-fields" like security, privacy, e-Discovery, etc. This is the level at which higher-level executives and members of the Board of Directors would be involved, also known as "strategic."

In recent years, regulatory and so-called "thought leadership" publications have focused specifically on governance related to information security, for reasons apparent to any consumer of news media; directors and senior executives are interested in, among other things, their potential personal liability for the inevitable "data breach" fiasco so frequently reported.

The body of corporate governance scholarship in which this literature has its roots expanded in the wake of the Enron catastrophe and the associated Arthur Andersen debacle, along with the many other corporate governance horror stories of the era (think "Sarbanes Oxley").

There is an emergent body of thought leadership of a more contemporary vein, certainly with respect to whether or how the radically transforming enterprise I.T. landscape, with phenomena such as behemoth public cloud computing services, mobile devices more powerful than a "supercomputer," the pervasive and invasive Internet of Things, Big Data, etc., impacts governance recommendations.

Governance is a concept that can encompass people, process, and technology (note that some authors include "policy" in this list; we deem policy to fit under process). Among other things, a governance framework or model (or structure, or architecture, etc.!) aligns stakeholders with roles, responsibilities, and accountability.

From a legal perspective, there are serious potential consequences of the governance structure and its implementation. These consequences can include the nature of a regulator's assessment of compliance, judicial determinations about liability and particular effects on individuals arising from their position and behavior in the information governance dimension. In this course, we generally treat the domain of information governance as broader in scope and greater in depth than the more "traditional" coverage addressed in this module. However, the issue of governance in the narrower sense is crucial to the overall pursuit of Digital Discipline, both in terms of legal compliance and enterprise risk management as a whole.

As you can see, there are limitless options when it comes to governance architectures, so you are unlikely to encounter square pegs for round holes—if you think you have one, jog your brain for a little creativity and try the visual or diagramming approach.

Policies, Procedures, etc.:

Now we address the documentation that memorializes, expresses and communicates the enterprise's rules, positions, instructions and other aspects of its overall InfoGov program. These include policies, procedures, standards, guidelines and more. Such documents are generally created for internal use, by employees, but they may be shared with third parties who interact with information assets in pertinent ways--as well as with regulators, courts and less neutral parties to the legal process where required.

Accordingly, they are typically prepared (very carefully) with direction, review and approval by lawyers, notwithstanding that much of the content is about technical matters. Always remember that every technical decision has a legal consequence and vice versa. Documentation is a crucial element in demonstrating legal compliance.

We will review the interrelated, hierarchical web of documentation that would be appropriate for enterprises with complex I.T. environments and massive volumes of data, active regulatory and litigation concerns, commercial activity and a variety of financial transactions, intellectual property, etc. and also consider how a program for such an enterprise could be "scaled back" for smaller organizations.

You won't find many people who think drafting InfoGov documentation is fun or "sexy."

Unfortunately, someone literally has to do it for any enterprise with information to govern and laws to follow. You are now equipped to enlighten the lost souls who suffer from common misconceptions:

  1. that "having a policy" is enough for InfoGov legal compliance; and,

  2. that any "legalistic" corporate issued document distributed internally to employees is a "policy."

Hopefully, this is not all you are now ready to do. With an understanding of the InfoGov documentation topology, you will be moving on to learning how to turn documentation into practice, in other words, reality.

Implementing InfoGov:

Many enterprises have InfoGov policies that parrot "best practices" according to authoritative sources and InfoGov leadership structures that appear to devote important people to major responsibility regarding InfoGov compliance, but having these elements is meaningless without implementation. Implementation refers to the actual putting into practice, in reality, of the enterprise's stated InfoGov requirements as represented in policy and planning documents.

Moreover, where implementation is absent or policies are honored more in the breach, the existence of the InfoGov documentation can actually make matters worse, because it suggests that the organization at some level knew what was right but made a decision to deviate. We will be studying specific scenarios where this kind of inference has palpable legal consequences.

The way to avoid this situation, as previewed in earlier modules, is to base modeling and policymaking on the practical reality in which they are to be implemented. This does not mean that the details of the implementation plan need to be determined at the policymaking stage, just that some "due diligence" take place in the form of thinking through the outlines of how the policies would be put into action.

And even organizations that are aware of and make an effort to avoid the disconnect between InfoGov theory and implementation often have unforeseen problems when they get down to the nuts and bolts of doing what the policies require. The reasons for this vary, but in general, it is to be expected where strategizing and developing policy takes time and the business, legal and technology environment changes constantly.

Another obstacle is the communication and information exchange necessary among the stakeholders; in particular, bridging the divide between the legal/compliance side of the house and the information technology department.

Next, we get down to a lower altitude and buzz the InfoGov sub-disciplines. You will soon appreciate that in every one of them, implementation is just as critical. Many an executive has been disappointed to learn that the budgetary impact of InfoGov is not limited to the expense of drafting policies.

Many of them also pull the plug on spending further on internal or external resources for implementation, even though policy drafting is not even the beginning of the end (as Winston Churchill would say). Then they learn the hard way because the risks that InfoGov manages are certain to materialize over time. In any enterprise where there is accountability, this is where new executives come in, perhaps promising regulators that the company has learned its lesson.

We will begin our close up on the sub-disciplines by looking at one that is often misperceived as coterminous with InfoGov and has many other monikers—records management, records retention, information management and the old-time favorite, "document retention."

Records Management:

In the paper era, there was a perfectly rational explanation for destroying records—they occupied space; real, physical, actual space. On the other hand, the inability to apply electronic search to whittle the paper buildup made it hard to separate the wheat from the chaff for disposal. Accordingly, many businesses had document retention policies prepared upon the advice of counsel but never managed to breathe life into these paper tigers.

One obvious difference between paper and ESI is that the latter consumes significantly less space—raising the issue of whether this difference warrants retaining relatively more information in electronic forms. Another, perhaps less obvious, difference is that electronic records are much harder to destroy with finality. With the replication of data across systems and networks and the seemingly magical capabilities of digital forensics, truly eliminating ESI is no simple matter, especially in the enterprise setting.

Apart from unnecessary cost and inefficient allocation of resources, failing to actively manage ESI can lead to problems in litigation as well as with regulators. Certain statutes and regulations require the retention of ESI for prescribed time periods; the law bars the destruction of such information when litigation is reasonably anticipated, and factfinders are permitted to draw negative inferences from a party's destruction of documents under certain conditions.

As we saw in the example of the Murphy Oil v. Fluor case reviewed in the last module, retaining unnecessary ESI can lead to significant expense when a company has to search through that data in connection with discovery or in response to a regulatory request or subpoena; accordingly, the absence of an enforced policy can dramatically increase costs of complying with discovery requests.

Without an implemented policy, it is also more difficult to identify which documents have been retained and which destroyed. It is not hard to imagine a situation where the burden of searching and reviewing ESI is so great that a business required to do so in response to a discovery request chooses to settle the case rather than incur the expense of conducting the search—even if the underlying case has no merit.

Organizations must also consider the security and privacy risks inherent in retaining sensitive information; in short, retention expands what is known as the “attack surface” in cyber-security vernacular.

Records retention and disposition, a/k/a "records management" or "document retention," is one of the oldest InfoGov sub-disciplines. As you hopefully appreciate at this point, however, there is a lot more to it than simply consulting a schedule to determine when to discard documents. Doing records management well requires identifying and isolating the most important "records" from the legal compliance perspective and uncompromisingly enforcing policy as to those records.

The wider the net, the greater the likelihood that custodians "too busy" for matters like records management will nibble away at the webbing until the compliance exceptions swallow the whole. Some populations of storage media—backup tapes come to mind—are notorious repeat offenders. InfoGov justice demands that they be rounded up and banished to the greatest extent possible. Those that are allowed to stick around need to be tamed through bar-coding, indexing, catalogs and inventories. Even then their lifespans should be curtailed mercilessly.

As we move through the rest of the InfoGov sub-disciplines, you will more clearly see the common thread of Digital Discipline weaving them together.

Information Security:

The scope of Information Security ("InfoSec"), or cyber-security, is conceptualized in the "C-I-A Triad"--an acronym representing Confidentiality, Integrity and Availability. Confidentiality is what most people think of as associated with InfoSec, the constant battle to protect valuable secrets from the "bad guys" called "hackers." But InfoSec is also about protecting the integrity of Information Assets, the quality of trustworthiness that allows us to rely on the accuracy of data for critical purposes, sometimes in matters of life or death. If a system is compromised--infiltrated and controlled by hackers--how can we be confident the data has not been manipulated? Finally, InfoSec guards against destructive attacks, inadvertent errors or non-human sources of disruptions that cut off services or content.

InfoSec affects all of us, but practicing it professionally is not an art for dilettantes. InfoGov professionals don't need to be independently certified as InfoSec professionals (although it wouldn't hurt), but substantive familiarity with this sub-discipline is essential. Not only does it account for so much of the focus InfoGov has received recently, but the voluminous body of InfoSec research and scholarship has developed thoroughly over decades of combat experience. As such, it bears a wealth of material suitable for modeling in other InfoGov sub-disciplines and for InfoGov more generally as a meta-discipline.

In current times, the InfoSec landscape is arguably the most critical piece of the enterprise InfoGov puzzle. Mistakes on any level can be devastating and this fragility faces: a) an increasingly varied and sophisticated threat environment, b) attacking a rapidly changing and harder to control I.T. environment, amidst c) an absolute mess of potentially governing laws and legal exposure presided over by a gaggle of competing agencies at every level of government.

Sounds fun, right? It is if you like a challenge and find complexity in law and technology interesting! Just don't be the CISO.

One of the "rights" InfoSec protects is privacy and as a result, a lot of the security issues can be described in privacy terms and vice versa. Accordingly, you will be seeing some familiar InfoSec ghosts hovering in the next module.

Data Privacy:

Data privacy has become an ever-present concern of global proportions. It is closely related to cybersecurity, which among other things is tasked with protecting data privacy. Legally, the environment is complex and evolving. Historically, legal regimes outside of the United States have protected privacy with much greater priority. In the European Union, privacy is considered a "human right" which has recently been bolstered by what many U.S. companies would describe as a compliance nightmare -- the General Data Protection Regulation (much of the substance of which has been adopted by...California!). State governments in the U.S. have established state privacy laws targeting specific informational concerns in the employment context, such as personal social media, compensation history and much more.

Constitutional data privacy rights are debated in the context of law enforcement activity and in the civil context as well.

The swell of legal activity directed at data privacy reflects a cultural awakening in the U.S. Whereas in the past employees generally accepted the notion that employers monitored certain electronic activity, the evolving workforce in a world where digital business and personal activity commingle on devices and networks bristles at the notion of being snooped on (gee, thanks Edward Snowden) and employers are increasingly sensitive to these concerns while at the same time fretting about the impact on information security.

There is a saying in Information Security that there is no security without visibility--unfortunately, there may be no data privacy with visibility. In this environment, the InfoGov practitioner faces some of his or her most challenging puzzles in terms of satisfying competing stakes and stakeholders. The first step in rising to the occasion is understanding what you are facing. This module will start to pull back the curtain on your data privacy journey.

The need to respect data privacy rights of individuals, employees, customers, business partners and anyone else whose personal data is handled by the organization, is a major influence on InfoGov in every respect. While many of the issues relating to protecting such information fall into the domain of InfoSec, the legal landscape involves additional and different laws, which extend globally even for businesses which are not multinational in their physical presence. The data privacy regulatory environment has become so complex that without approaching InfoGov with a "privacy by design" approach, associated legal risk cannot be managed in an optimal manner.

The links between the sub-disciplines should be coming into better focus, which will continue in the next module on electronic discovery. How does the enterprise square its obligations to produce relevant information on its systems with privacy protections that may be applicable to the same information? Stay tuned for the next module to find out!


E-Discovery:

E-Discovery has different meanings to different people in different contexts that have varied over time. The most inclusive is represented by the Electronic Discovery Reference Model (EDRM), which treats the area as covering everything from InfoGov to evidentiary admissibility at trial. In practical usage today, the term usually refers to data processing and hosting for review for purposes of producing documents to an adversary or regulator. We will treat it as covering the preservation of electronically stored information (ESI) through production of the data, although we will need to understand a little bit about evidentiary issues to know how to do this preceding part of the process correctly.

E-Discovery law is mainly driven by U.S. federal law, and specifically the Federal Rules of Civil Procedure and the cases interpreting these rules.

E-Discovery has become a priority risk and cost issue for many business enterprises, especially the larger of them, and so InfoGov has been tasked with preparing for E-Discovery rather than dealing with it on an ad hoc, “fire drill” basis as was typical historically.

As we roared into the transition from paper to electronic, corporate parties to litigation started to get slammed by courts for failing to preserve electronic evidence on a regular basis. At the same time, they reported massively increasing costs from litigation arising from the need to deal with great volumes of e-mail. Against this background, "electronic discovery" burst onto the scene as a new field of law, a new technology industry and a new risk for InfoGov to manage.

In many ways, the current interest in InfoGov—which seems to go hand in hand with concerns about cybersecurity—was really ignited by electronic discovery. Successfully handling e-discovery requires preparation and execution in aligned InfoGov sub-disciplines. There is nothing like a good e-discovery catastrophe to reveal flaws throughout an InfoGov program!

Man-made catastrophes aside, information is vulnerable to disasters meted out by higher authority "force majeure" as well. InfoGov needs to prepare for these as well. In the next module, on Business Continuity and Disaster Recovery, we look at how InfoGov takes the worst-case scenario in stride.

Business Continuity & Disaster Recovery:

We have studied a number of enterprise risks involving law and technology that InfoGov attempts to avoid or manage. So far, the risks that we have studied arise from acts or omissions by people. In contrast, business continuity and disaster recovery planning (BCDRP), the subject of this module, addresses preparing information assets and the business processes that depend on them for disasters that don't normally have a direct human cause. This category includes what lawyers traditionally call "acts of God" (even if they are atheists) or "Force Majeure" (if they want to be fancy). Think earthquakes, hurricanes, floods, etc.

In geographical locations where these kinds of unfortunate events are rare or non-existent, it can be easy to procrastinate on BCDRP. Think about how many organizations fail to proactively prepare for relatively routine events like litigation and you can imagine how much worse this lethargic attitude is with respect to BCDRP. Fortunately, in the industries that tend to be more regulated, BCDRP is an express requirement.

Moreover, the circumstances that are the subject of BCDRP planning, like systems outages or facilities closures, can be caused by more mundane forces (e.g., malicious people).

Accordingly, the benefits of BCDRP are not enjoyed only under apocalyptic conditions. You will soon see, in a continuation of the common thread that runs through all of the digital sub-disciplines, that efforts directed at risks to information security (remember the "availability" prong of the C-I-A triad?), records management and electronic discovery are all valuable in the context of BCDRP and vice versa.

Forensic Technology and InfoGov:

When technology is used for investigative purposes, pursuant to procedures designed to support the validity of the results of its use as evidence, we call it "forensic technology" or "digital forensics" (shortened below to "forensics"). We used to call the field "computer forensics" but the word "computer" started to sound terribly archaic in light of the variety of devices, media and systems routinely becoming the objects of forensic investigation. The body of case law involving forensic examinations of computer hard drives is extensive and case law involving forensic examinations of mobile phones is growing fast. We also have a growing body of case law regarding forensic examinations of other kinds of systems, such as corporate database systems of different types.

What does this have to do with InfoGov, you ask? Doesn't digital forensics belong in the shadowy world of investigations or the bloody battlefield of litigation? Generally, yes--but don't worry, we will not be plumbing those depths. Our concern here is with the implications of forensics for InfoGov and what to do about it. If our InfoGov architecture is built on assumptions that certain data has been rendered into nothingness, for example, in compliance with regulatory limitations on retention, for the benefit of security and privacy, what happens to our construction project when developments in forensic technology make the data recoverable given the right tools and expertise? (Recall the media sanitization guidelines from NIST we looked at in the records management module.)

History is filled with examples, going back decades, of individuals who were shocked to learn that the e-mails they thought were gone--because they "deleted" them--were recoverable when an image of their computer's hard drive was examined. As we learned in the electronic discovery module, digital forensics masters often surprise less experienced practitioners with the recovery of data from smartphones that application of commercial forensics software failed to unearth. We can reliably expect digital forensics technology to continue to amaze us with its new developments, just like every other technology.

However, we have something of an "arms race" in this arena. The InfoGov professional must keep reasonably abreast of developments in technology meant to defeat forensic recovery as well as the latest capabilities to make it obsolete. Otherwise, the InfoGov program that looked like such a prudent and progressive way to spend limited resources may crumble like a cheap deck of cards.

In spite of our best InfoGov efforts, bad things happen to good people--data breaches, lawsuits, regulatory investigations, etc. In difficult episodes like these, it's often critical to be able to preserve and recover evidence in electronic form through the use of forensic technology and techniques. But forensics can be a challenging issue to deal with when we need certainty about information's accessibility, such as when a document retention policy mandates destruction in conformance with a regulatory requirement.

These matters involving the intersection of InfoGov and digital forensics become further complicated when you factor in the nature of changing technology; with cloud adoption comes less physical access to storage media and infrastructure and we are at the whim of the service provider as far as access to logging/audit trail data. With the major device manufacturers catering to consumer demand for data privacy, individuals have greater latitude to hide information.

No doubt brilliant minds in digital forensics research and development will invent unforeseen ways of overcoming hurdles to reconstructing data that otherwise would be lost or concealed. And so, we are caught in a constant "arms race" as digital forensics meets new technical challenges with counter-punches that work...until the technology changes again. InfoGov professionals don't need to be digital forensics experts, but part of developing effective digital discipline at the enterprise level requires understanding the issues raised by digital forensics and having a process that addresses those issues in balance with other imperatives of the program as a whole.

Depending on the nature of the enterprise, this could mean maintaining a full-time forensics team housed in an on-site lab or just vetting service providers who are used to deploying resources at the drop of a hat. Forensic needs can be anticipated to some degree by tools designed to help InfoGov professionals gain visibility and control over data. Conveniently, this is the subject of our next module.

InfoGov Tools and Technology:

In some sense, any information technology that an organization uses is unavoidably an "InfoGov tool" and in the broad definition of InfoGov, each of the sub-disciplines involves multiple specialty technologies. However, there are tools directly marketed as purpose-built for "information governance." In this module, we will take a look at the tools, in the sense of software and hardware, in all of these categories.

We will take a selective approach because there are no clear delineations among categories and our goal is to understand the landscape rather than to develop a comprehensive list of tools that are in any event constantly changing and multiplying in number. Delineations are difficult not only because any given tool might have multiple functionalities that make it hard to categorize exclusively, but also because there is no standard, consensus, authoritative taxonomy.

Different analysts use different category rubrics.

Our goal is to understand the lay of the land, in terms of the kinds of tools available as well as the kinds of features InfoGov professionals seek. As you explore this landscape, think about how the technology you see might apply in practice. You may see applications for a product that the vendor has not recognized--and they may be much better applications than what the vendor is promoting!

When it comes to InfoGov, information technology is part of the problem, but also part of the solution. For professionals involved in InfoGov initiatives at most organizations, the information technology environment is a hand they will have to play as dealt. However, in organizations with the resources to invest in additional technology to assist InfoGov, there are many options and the list of choices is getting longer every day.

Alas, there is no magic bullet for either InfoGov or any discrete sub-discipline under its umbrella. Don't worry, the time you have spent learning about InfoGov is not going to become irrelevant when the InfoGov robot army takes over, at least not for a few years. Even AI has crucial human components without which it can be dangerous. Transparency in terms of understanding why it does what it does is critical for responsible application of this broad category.

Clearly, AI is part of the future of InfoGov from a technology perspective. But what else is on the horizon for InfoGov more generally, not just on the technical level? Stay tuned to find out in the next module.

The Future of InfoGov:

Predicting the future in InfoGov, just like in other areas, is a gamble--the easy calls don't pay off very well and luck is the only common denominator in seemingly-unlikely-but-winning bets. However, what an informed InfoGov aficionado sees as an easy call might be a revelation to someone who hasn't been exposed to the discipline. Part of making these not-so-bold predictions reasonably well should involve looking at developments and trends in law and technology more generally, then answering the question of how these developments and trends will impact InfoGov.

With law, this exercise can be particularly perilous because politics can have such a dispositive impact. However, there is clearly a trend towards greater regulation regarding data privacy and cybersecurity. With the interconnected and overlapping nature of the InfoGov sub-disciplines, these regulations impact each of the other disciplines in ways that are direct and indirect. For example, the New York Department of Financial Services cybersecurity regulations you learned about earlier in the course contain provisions requiring BCDRP and limitations on data retention.

In technology, the acceleration in the very pace of change makes assessments of potential future state perilous. The emergence of software-defined networking, containerization, hyper-convergence and other cloud computing I.T. "buzzwords" points to change in the direction of abstraction and virtualization. We will delve further into what these concepts mean--and what they mean for InfoGov--in the following lessons.

Another way to approach future state predictions is to look at the problems, hindrances or hurdles into which InfoGov runs currently and consider the potential for solutions. For example, we looked at the "arms race" in digital forensics and can assume that this back-and-forth in terms of ESI accessibility will continue. Beyond that...let's go to our time machine!

In the future, some people see InfoGov fading into the clouds--invisible to the user because the rules are built into the technology and a wizard behind the curtain pulls the strings. This doesn't mean that InfoGov professionals won't have a ton of work to do. After all, someone needs to develop the rules, figure out what has to be disclosed to users and how, configure the system's options appropriately and design reactive processes that will work in a legal system that involves real-time, in-person trials, hearings, court appearances, etc., among many other things, of course.

In general, however, the prognostications of integrated solutions, deploying technologies such as AI and blockchain to maximum effect, point to the importance for InfoGov practitioners of getting educated about them and considering how they are likely to be regulated. A world where such systems predominate may well shift a substantial amount of regulatory burden to a few gigantic service providers, rather than spreading it around as it is today. And users will always surprise (and usually not delight) enterprise risk managers. If there is a way to break the system, someone will do it!
