A plaintiff is seeking class-action status in his lawsuit against Square, the electronic payments company. The facts as alleged are that the plaintiff received treatment from a medical provider who used Square to execute a credit-card payment for the medical service. Inexplicably thereafter, “Square allegedly sent a text message linking to a digital invoice with information about the treatment he received to a friend (of the patient allegedly without authorization).”
I know nothing about what happened with the Square technology, what information Square had access to from the patient’s credit card, how Square uses the information it garners, or whether Square has access to users’ personal contacts, including their phone numbers. What I do know is that Square most assuredly did not want the alleged event to form the basis of a lawsuit and did not want negative coverage from the news outlets. Worse, as reported in the Wall Street Journal on July 2, 2019, “misfired receipts issued by Square have ruined surprise gifts, spilled secrets, informed spouses of the spending habits of their significant other and unnerved consumers who wonder how stores got their contact information when they don’t remember providing it . . . .”
Self-preservation and stock valuations would seem to dictate that these news reports and lawsuits are not good for business. I believe Square is a good corporate citizen. I also believe Square, like so many other businesses, does not actually know how it handles all of the information to which it has access in every given situation. It is easy to be critical of Square’s alleged failure but much more difficult to be perfect when managing information today because there is so much of it, and it is moving at the speed of light through networks the company does not necessarily own or control.
Most companies are at a tipping point as they collect, grab, mismanage, misdirect, expose, lose, and improperly share electronic information day in and day out with greater downside, and they are not fixing the problem because most businesses do not have a good sense of the electronic information assets in their “care, custody or control.” However, there are constructive measures that businesses can take that won’t break the bank, can add value, and can even be accretive to the bottom line.
This article is meant for every business because every business has information, and every business could be doing a better job at wrangling it.
Why Every Company Should Know More About Its Information
As with any other company asset, the company and its executives are remiss if they mismanage a company information asset. That is why every container moving through the global shipping network is tagged, monitored, and essentially babysat so that the owner of the container or its contents—or the truck, train, or ship on which the container sits—knows its whereabouts at all times. Similarly, produce growers who sell their products through a major retailer, for example, are using blockchain technology to create an immutable record that travels with the plant from sprout to plate to document provenance and safety. Such technology would allow immediate recall if claims of product adulteration are alleged. Payments to vendors above a certain amount require the approval of higher-level executives who are specifically tasked with managing company assets. Company inventories are generally tightly controlled with sophisticated barcoding and GPS because loss or pilferage impacts the bottom line.
When it comes to managing information assets, however, most companies are not managing information like other company assets, and that must change. After all, information allows the company to better respond to customer needs, plan for the future, and generally advance business while protecting legal interests. That is just the beginning: information is increasingly a commodity that is sold, traded, and transformative for a business. That is certainly worth protecting, but information is still the often-discussed valuable “step-child” to whom companies do not show nearly enough real love.
What Is “Care, Custody, and Control” in 2020?
In the old days before the widespread use of computers, having control over company information was not really an issue. Information existed in paper form at employees’ desks or in banker’s boxes at a storage facility. The proliferation of information was limited to the copy machine, and companies did not really have to worry much about having their information exposed or stolen in wholesale form.
Then came the roaring 1990s with the growth of the internet, e-mail, and networked systems that changed the calculus completely. Information became transportable and easily misdirected or misappropriated. Controlling information was a completely new paradigm. Further confounding matters was that more business processes were outsourced, which meant that third parties working on behalf of companies arguably now had “care, custody, and control” over company information and may have believed that the information was theirs. The move to the Cloud complicated things still further as more and more company information was stored in another company’s servers, and doing business in social media environments meant that evidence of those transactions was “trapped” in someone else’s software and/or hardware. In other words, in this brave new information world, knowing what information is yours, where it is, who else has access to it, and what contracts give others rights to use it has created a completely new challenge.
Six Steps to Take Stock
Not surprisingly, getting a handle on your information assets to take back control is essential, but is not so simple. Businesses should take the following six steps to better control their electronic information.
1. Take an Inventory
The only way to know what information resources a company possesses is by looking. That doesn’t mean that the company can inventory each and every file, but rather that it can use tools (some of which the company likely already owns) to understand what information exists, the business units to which it relates, and the storage locations and servers on which it is parked, etc. What is in the structured databases, and what information resides in unstructured share drive environments? What is the aging and continued use of the data? Do records retention rules allow the information to be disposed of? Taking an inventory can do several valuable things. Knowing where your information lives will promote a methodical and less burdensome litigation response and discovery process. Assessing content using analytics tools can help unearth trade secrets and personally identifiable information (PII) that is stored in locations that pose a greater risk of exposure. Mostly, however, knowing what information assets the company possesses and where the information is promotes a better business in various ways.
2. Understand What Contracts Dictate
Every business unit likely has various business relationships with partners and third parties working on behalf of the company. Those relationships likely have been memorialized in contracts, which may delineate who owns the information, what rules apply to it, who can use it and how and with whom it can be shared, what happens when litigation arises, etc. The company should develop a process to understand what contracts exist that implicate company information. Thereafter, the company should develop standardized language for contracts that deal with all relevant information issues, such as access, ownership, responsibilities, and costs in responding to requests for information and so on. Building consistency in contracts through proactive, well-thought-out, boilerplate language will begin to build a better information ecosystem.
There is another contract activity that should be undertaken as well. Companies should know what “agreements” exist between the company and customers or potential customers. If a company tells employees information will not be shared, then the company must comply. Saying the company is complying is one thing; making sure everyone is actually complying is a different story. Conduct routine audits to ensure the company and all of its movable parts are following suit. One last thing is that contract language telling nonlawyers about what the company may do with information should be devoid of legalese and should be brain-dead simple. In this environment, saying the customer “waived” his or her right to object to the company selling information because the customer could have reviewed the linked legal language (which is multiple pages of lawyerly drivel) is not prudent.
3. Assess Third-Party Actions
Separate but related to step two is getting a handle on what is being done with your information. Beyond contract language, what third parties have access to or use of your company information? Once it is determined who, it’s important to understand what others are doing with that information. The Facebook/Cambridge Analytica fiasco is a good reminder of why it is important to understand not only what your employees are doing, but also what others may be doing as well.
Additionally, your company should understand what its own employees are doing with other companies’ or individuals’ information inside your company. If a business unit shares information from a partner it did not realize should not be shared, there could be substantial consequences. In other words, your company should be on top of where its information comes from and where it goes at a macro level to help promote less information chaos, mitigate liability, and better its business.
4. Assess What Employees Do in the Company’s Name in the Social World
If your company is like most today, multiple business units are doing real business in various social network or media environments. Maybe it is looking for new hires or marketing products and doing competitive analysis. That is great for business, but invariably the company is parking company information in an environment that is outside its control. The social environments are not inclined to accommodate your information needs and apply your information rules, even if you are paying for their service.
5. Understand Where Employees Park Company Information
With the proliferation of cloud computing and working from home came the reality that company information moves to myriad places without the company knowing. With data loss prevention (DLP) tools and similar monitoring applications, companies increasingly can watch and stop the movement of data leaving the company, but the reality is that more and more information is parked outside a company computer by more and more employees for various reasons. Efforts should be undertaken to rein that in through policy and technology to monitor and audit the flow of information.
6. Understand Information Created by IoT Devices
Increasingly, noncomputing devices that assess, collect, or distribute information in many business processes (commonly referred to as IoT) are being added to companies usually without much thought about the information output created. Companies must assess each and every business process that is using an IoT device or appliance and determine what information is collected, by whom, where the information is stored, and who has access to and use of it.
Create an Information Asset Register
Whether it is inventorying databases, understanding what third-party applications are used to conduct business, or deploying IoT devices that are likely transforming your business, keeping track of this organically growing and morphing ecosystem of information is increasingly complex and begs for management. One of the concrete steps companies can take to address the chaos is to centralize the process of sizing up all the information inputs and outflows in an Information Asset Register (IAR). This process will routinize the collection of information, and the IAR will provide a centralized view of all things information that can drive business efficiency and mitigate risk.
Avoiding Things That Explode
The information landscape of most companies looks like the data equivalent of a “yard sale”—stuff everywhere without rhyme or reason; chaos that does not reflect the true value of the objects. What we have learned from so many horror stories is that every company is on the brink of disaster if it does not get its informational act together. Put another way, mismanagement has no upside, loads of downside, and there are ample horror stories to prove it.
For example, Facebook regularly graces the front cover of many news outlets with yet another story of how it is “breaching the public trust” or exposing, selling, or otherwise misusing personal information. Because of prior issues, Facebook must now deal with a steady diet of U.S. and foreign regulators seeking to ensure it is following past agreements and not running afoul of the law anew.
Whether it is a litigation headache with a cloud provider who does not have the technical personnel available to accommodate helping with discovery requests on your tight timeframe, or the inability to find the final contract documenting an important transaction, information mismanagement is bountiful, inconvenient, and expensive.
The Tale of Two Companies
A client recently realized that it had tens of thousands of information storage tapes on which it had never conducted discovery despite the fact that the company has hundreds of active lawsuits at any given time. That’s a company problem waiting to explode. As the head of an information governance consultancy, we have helped many companies clean up their information chaos, sometimes reactively and sometimes proactively. In the process, we have learned that being proactive is much less costly and painful.
Another client is migrating to Office 365 and rather than move outdated digital data detritus, we helped them clean out the crud. That’s a company taking stock now so that it doesn’t explode later. That same client just finished a project to crawl their share drive environments and e-mail to find and lock down all PII. Although this client used our help, great companies have great employees who can get a lot accomplished with thought, planning, and guidance from their lawyers. In other words, just because cleaning up the past is tough doesn’t mean you can’t or shouldn’t do it.
Conclusion—The Gift That Keeps Giving
If you have had any bad information event, what you quickly realize is that problems tend to be more painful than originally expected. For example, a west coast gas and electric company penalized by the state for failing to properly manage records now has a regulator routinely in the company’s “shorts,” ensuring it takes the necessary corrective action for years to come. Additionally, an attack on the way your company managed information on one occasion can be extrapolated to all situations if the same process and technology is always used. Finally, Facebook is a reminder that breaching the trust of users or customers comes with a heavy price. The court of public opinion is difficult to change, and the last thing your company wants to lose is its customers. Information flows and customers vote with their feet. Take stock now.
Randolph Kahn’s forthcoming book The Executive’s Guide to Navigating the Information Universe will help companies understand the opportunities and risks presented by harnessing and harvesting information.