Yes, Information Governance Is A Must For The Government Too!
Two words: Information Governance.
You’ve heard of it, right? If not, I’ll save you the hassle of typing it into Google. According to IT research and advisory company Gartner, Inc., Information Governance is:
“[T]he specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
Wait, what? Here is a more succinct definition by author and subject matter expert Robert Smallwood: “Security, control, and optimization of information.” If you’re still with me, I’ll do my best to flesh that statement out. Attorneys Patrick Fraoli, Jr. and Harrison Finch effectively sum up the fundamental structure of an Information Governance program into these five components:
Identify, Protect, Detect, Restore and Recover.
a. Identify what information assets you have, and assess your business risk for using them;
b. Protect the information with reasonable care;
c. Detect any potential compromise;
d. Restore your systems & processes to operational status; and
e. Recover, mitigating any harm, and go forward profitably.
Information Governance, Business, and The Private Sector
While Information Governance remains a high priority for many private sector businesses, establishing an Information Governance program may be even more important for federal, state, and local government agencies. Why? Although many (if not most) government agencies are charged with creating, retaining, and distributing vast catalogues of valuable information, they do not have a holistic understanding of how to manage it. Many government agencies have yet to digitize the virtual mountains of paper files in their custody, and may not fully comprehend what information those files contain. With the reality of tightening budgets, an increasing demand for regulatory compliance, the risk of damaging data breaches, and the omnipresent threat of litigation, government agencies can no longer afford casual or haphazard data management.
In the private sector, businesses hand over their Information Governance duties to a Chief Information Officer (CIO), Chief Privacy Officer (CPO), or Chief Information Security Officer (CISO), or simply farm them out to knowledgeable vendors. Understandably, government agencies are often apprehensive about the cost associated with establishing and complying with a robust Information Governance program. But as the cases below illustrate, the cost of non-compliance is often significantly higher.
In United States ex rel. Baker v. Community Health Systems, Inc., the failure to store and archive relevant data resulted in sanctions against the federal government. After this qui tam lawsuit was filed under the False Claims Act (FCA) alleging Medicaid fraud against defendant hospitals, the government waited nearly four years before filing its notice to intervene. And although it issued a notice to the hospitals to preserve relevant documents near the beginning of the litigation, the government failed to issue its own litigation hold until it decided to intervene four years later. By that time, several crucial pieces of electronically stored information (ESI) concerning two key employees of the Centers for Medicare and Medicaid Services (CMS) had been deleted. Although Magistrate Judge Alan Torgerson denied the defendants’ request for an adverse inference jury instruction that the destroyed documents would have cleared them of wrongdoing, he nevertheless awarded sanctions requiring the government to produce documents withheld under the work product doctrine, to produce all emails from, to, or copying the key CMS employees, to pay attorney’s fees related to the motion for sanctions, and to show cause why it should not be required to perform additional forensic analysis for the purpose of identifying the missing ESI.
Similarly, the failure to establish and enforce Information Governance policies had dire consequences for a sheriff’s department in Florida. In Swofford v. Eslinger, the plaintiff, a Florida state lottery winner, was shot in his own yard by sheriff’s deputies who encountered the man with a gun while chasing two burglary suspects. Notwithstanding its independent duty to retain such investigation-related evidence, and despite Swofford’s attorney’s request that the sheriff’s office retain all evidence related to the shooting, the sheriff’s department lost or deleted one of the deputies’ laptop computers, over a year’s worth of investigation-related emails, and both deputies’ radios, guns, and uniforms used on the night Swofford was shot. In addition, no litigation hold memos had been issued to anyone in the sheriff’s office regarding the lawsuit, even after a Motion for Spoliation Sanctions had been filed. Interestingly, the sheriff’s office produced an instant message conversation from one of the deputies involved in the shooting that indicated he thought he should have “Lotto killa” displayed on the side of his work vehicle while Swofford was fighting for his life in the hospital. As a result of this egregious behavior, the judge lambasted the sheriff’s General Counsel, and issued nuclear sanctions directing the jury to infer that the deleted emails, missing accessories, and lost laptop all contained information detrimental to the defendants. The judge also ordered defendants and General Counsel to pay all legal costs related to the spoliation.
Is Your Information Governance Plan Robust Enough?
A robust Information Governance plan has been proven to prevent costs related to unintentional spoliation, but more importantly, it can also shed light on potential sources of unexpected exposure. For example, the Washington Supreme Court recently held in Nissen v. Pierce County that a public employee’s text messages sent or received in the course of his or her official capacity are public records as defined by the state’s Public Records Act. Such potential landmines can be sidestepped by executing Information Governance strategies like providing proper employee training, adopting personal device policies, or even identifying message-capturing software options.
The simple truth is that government agencies, with their level of responsibility and the vast array of information they hold, likely have a greater need for Information Governance than most private businesses. A government agency’s Information Governance program can be utilized to improve work processes, measure the success of government programs, impart and share agency knowledge, and document agency courses of action. Now, more than ever, the success (or failure) of government agencies in managing and utilizing their most valuable assets depends on a well-thought-out and well-executed Information Governance strategy. From record-keeping policies, to ideal data structures, to appropriate access controls, it is imperative that agencies, on their own or with the help of a qualified vendor, draft, maintain, and implement the necessary protocols to protect themselves and the public.