Digital Discipline: A Better Name for What We Do
By Adam Cohen
Several fields of professional practice (and academic study, among other things) involve addressing legal compliance risks relating to information technology, although various terms are used to identify them. These fields include at least:
Business Continuity & Disaster Recovery
The fields in the table form a meta-field, to which the rubric “information governance” is sometimes applied, although this moniker is also used for what is generally considered the “proactive” side of managing legal compliance risks associated with information technology, something more akin to “records management.” Occasionally, a distinction is drawn between “management” and “governance”—with management deemed to indicate a process closer to implementation of risk management controls and governance covering the process for making decisions about how to manage risk as a higher-level process, including roles and responsibilities, as well as decision making procedures and accountability.
This is an unacceptable state of nomenclature. There seems to be no disagreement that the fields in the table (the “sub-fields”) share common threads, at least as roughly described in the introductory sentence above—they all involve legal compliance risks relating to information technology. However, this is a mouthful, not a moniker: too many words, too long to be a useful way to refer to them collectively. Nor is “information governance” a suitable recourse in view of its close, if not synonymous, association with records (or information) management and the opinions about the definition of governance that hold it separate from management.
Accordingly, there is a need for an appropriate name for the meta-field. It should sound cool, because it is cool; it has to convey meaning directly in terms of describing what it covers; and it has to be much easier to say than a long string of words. For the reasons set forth below, I propose: Digital Discipline.
Use of the word discipline for this purpose carries a multi-pronged payload of profound meaning. Discipline is required to successfully manage risk in each of the sub-fields. Virtually all the time, we know what should be done; the question is whether we have the discipline to do it. If not, we risk discipline in the sense of punishment at the hands of courts, regulators, or other authorities like organizational superiors. Icing on the cake is the use of discipline as another word for a field of study or professional area of focus.
Perhaps the most compelling argument for Digital Discipline is the way discipline goes to the core of what is required for mastering the meta-field, both on an organizational and individual level, for client and advisor. Discipline is a word that sums up a proven methodology for taming technology. It is the key, the “secret sauce,” to staying on the right path through each of the (potentially dangerous) sub-fields.
As advisors in the meta-field of Digital Discipline, we can still rely upon essential “best practices” in almost every situation, even where the inevitable and accelerating changes in technology leave predictable legal outcomes in the dust. Yes, there are interesting and difficult questions at the edges, but we can generally avoid the edges by heeding the big, bright, flashing warning signs. As professionals, we must have discipline to stay abreast of rapidly changing technology and law, which requires constant learning. We must convey the importance of discipline to our clients as well or our counseling will be in vain.
To use an example based on the current technology environment, consider the revolutionary transformation led by the major cloud service providers. There is abundant discussion about the appropriate allocation of risk between provider and customer by legal professionals and others who practice Digital Discipline. However, a review of reported incidents involving unauthorized access to large volumes of sensitive data in AWS, by far the leader in the cloud, reveals repeated episodes of customer (and even consultant) negligence so extreme that it tempts the suggestion that the victims’ behavior was willful. The behavior certainly appears to have been intentional in the legal sense, in that the negligent behavior in question was not caused by physical accident, e.g., a sneeze causing several mouse clicks in just the right order to cause a coincidental security exposure of monumental proportions.
Time and again, the victim’s own operators, configuring cloud storage in the ironically named “Simple Storage Service” of AWS, choose to override the default privacy setting protecting access to the repository (not to mention the incredible trove of other security help AWS tries so mightily to foist on apparently reluctant customers), thereby making it public. Whereupon, it is immediately open season for the growing hordes of miscreants monitoring the Internet for such accessibility, who rush in and grab sensitive data. While there is a rising chorus calling for AWS to do more to protect customers from themselves, we can all agree that these incidents have nothing to do with finding a solution to a close and cutting-edge issue at the intersection of technology and law.
More generally, almost without exception, “data breaches” reported publicly are exposed as having been preventable simply by following well-known, longstanding information security best practices. These practices are not secret, too hard to understand, or expensive. How do we explain it when a company with abundant resources is hacked because of a failure to apply patches issued long ago for widely known vulnerabilities? There was no meeting where following basic best practices was proposed and a decision was made to accept the risk of unpatched systems. If there were policies and procedures for patch management and they weren’t followed, there was a breakdown in discipline somewhere. If there were no policies, that would also suggest a discipline deficit. No matter where you place the organizational defect, it comes down to discipline.
Discipline means that proven methodology is followed; rules promulgated and personnel trained to follow them. When the time comes to act in accordance with the rules, everyone involved must have the discipline to follow them (whether or not they feel like it). From a Digital Discipline process perspective, the organization must have the discipline to develop and document a policy, e.g., “When configuring AWS S3 buckets containing sensitive information, you must not change the default access setting to public.” That policy must be documented and communicated appropriately (not rocket science); those to whom it applies must certify their understanding and intent to comply, and this is buttressed by training, monitoring and testing. These are fundamental steps, among many timeless practices which are not widely enough adopted, essentially because of laziness, which is a lack of Digital Discipline.
The annals of electronic discovery show similar cases, which have become less frequent with greater awareness among lawyers over more than two decades, but still occur regularly. Spoliation sanctions cases rarely if ever involve something like the hypothetical sneeze alluded to above--or close judgment calls on which reasonable minds might differ; instead, they involve people intentionally destroying harmful information (lack of moral discipline) or simply ignoring preservation obligations (lack of awareness or plain laziness). Digital Discipline in the form of a litigation hold process, etc. was absent.
A disciplined approach to the process of developing rules or policies as well as what comes next is also necessary. Here we find another common thread binding the Digital Disciplines, or sub-fields. Far too many business enterprises are unable to readily provide fundamental and legally important facts about their systems and data (“Information Assets”), the foundation upon which any policies about them should be based. Facts are reality. To create policies or attempt to execute required compliance measures without knowing whether or how they correspond with I.T. reality is plainly undisciplined, but more common than not. Evidence is plentiful in the avalanche of businesses frantically engaged in “data mapping” in the shadow of the looming GDPR deadline.
Calling the practices in the table Digital Discipline emphasizes the importance of self-control on an organizational and individual level to do what we all know is right. Copious guidance on the fundamentals of how to control legal risk involving information technology, whether in the form of compliance with retention requirements, privacy of personal data, cybersecurity or anything else, is available with a Google search. The only “magic bullet” is to take a disciplined approach. We should do the same with our terminology and call the meta-field Digital Discipline.
While it has been suggested that Data Discipline would be easier to say, “data” is not inclusive enough given that much of what the meta-field involves is more appropriately described as “systems.” Accordingly, the broader moniker of “digital” is more accurate—much the way that many professionals have transitioned from “computer forensics” to “digital forensics.”