Editor: Please tell us about your professional background.
Gonsowski: I am an attorney by training, having received my law degree from the University of San Diego. I practiced for some years litigating and doing corporate work, and then, during the Dot-com era, in the mid- to late 1990s, I went into business development for some venture-backed companies in San Francisco. When the bubble burst, I moved to Denver, and around 2000 started a computer forensics company with a friend, which essentially launched my career in electronic discovery. After that company was purchased, I moved to a few different e-discovery firms. When I saw that the locus of e-discovery control was moving in-house, I began looking at in-house solutions, and in 2008 went to Clearwell, where I built up its professional services organization and thought leadership. After its acquisition by Symantec, I came to Recommind in January of this year.
Editor: What is driving the need for information governance?
Gonsowski: Fundamentally, data growth. All of the “three Vs” of big data – not only volume but also velocity and variety – are at play. It is relatively easy to account for greater volumes of data, from megabytes to gigabytes and even to terabytes, but it is far more challenging to cope with the complexity that arises from different types of data such as blogs, Wikis and social media, complexity that is exponentially increased by the various platforms and devices. And, these different forms of data are moving very quickly.
So while the three Vs are creating many opportunities in the realm of big data, on the governance side they are posing overwhelming challenges. Beyond the three Vs, companies are realizing that the risk associated with information has become very severe; at the same time, while much information has value, in many cases, that value is very short-lived. A particular PowerPoint presentation, for example, may be useful for a month, but the risks associated with that information in terms of regulatory inquiry, litigation, privacy and security extend well beyond that window of usefulness – and so do the storage and maintenance costs of keeping it, particularly as it is moved to back-up media and legacy systems. Information governance is the challenge of optimizing the value of your information while controlling the risks and the costs associated with that same piece of information.
Editor: What are the risks associated with not managing data?
Gonsowski: The risks include data leakage, breach of information, loss of personally identifiable content, e-discovery costs on data that you do not need to keep – risks that exist whether you embrace information governance or not. But an organization that is fragmented in its ability to govern its information ultimately multiplies its risk, and companies are recognizing that their legal, IT, risk, compliance and information security departments are often extremely siloed, which precludes them from creating any semblance of a holistic policy, procedure or enabling technology. Each group views what is essentially the same problem through a different lens, so that when there is a security breach, data loss or a regulatory inquiry, everyone has to scramble to address the situation together.
Bring-your-own-devices (BYOD) and cloud solutions shine a brighter light on this problem. If an organization decides to put data in the cloud for a subset of users, for example, the privacy and data security implications abound. What happens if an institutional hold must be placed on that data? Such a problem bleeds out of one group’s silo into all of the others.
What’s more, even extremely rigorous information security protocols can’t prevent an individual within the organization from breaching them. For example, a certain healthcare company has strong on-premises security, with data archiving and other enabling technologies, but one of its practitioners creates a Dropbox and places personally identifiable health records into it, creating the risk of HIPAA violations, among others. Likewise, an employee on a business trip might work around her company’s system in order to get the data she needs that day onto her iPad. Such work-arounds or “end-arounds” can breach all of a company’s protocols. All of these scenarios demonstrate the governance consequences of the three Vs: as data grows in volume, increases in variety, and moves with greater velocity, the capabilities required to govern it must increase exponentially.
Editor: What are the benefits of truly governing your information?
Gonsowski: First, greater efficiency. Having coordination of information between the various departments within your company significantly improves efficiency overall. Second, risk and cost reduction. Keep in mind that the goal of data management is to get value out of information; when the ability to extract value from information no longer exists, risk can be managed and costs reduced by disposing of that information.
Editor: Where should a company start?
Gonsowski: To move into the realm of better information governance, an organization should start with smaller initiatives and modular projects – for example, migrating data off a legacy system – that the company can use as discrete, controlled test cases. By using a coordinated information governance approach with the requisite stakeholders, a company can move forward with better governance hygiene.
Such a unified information governance effort can also serve as the impetus for different departments to collaborate substantively, which has its own benefits for an organization. We witnessed this phenomenon in e-discovery five or ten years ago when legal and IT began communicating about preserving data. Significant language barriers existed then, but the dialog has evolved rapidly since and has proved very beneficial all around. This same phenomenon has spread outward to include records managers and various privacy, security and compliance groups, who are all called upon today to build coalitions that weren’t necessary in the past.
Editor: Who inside a business drives an information governance initiative?
Gonsowski: This issue is still nascent, and so the answer is – it depends. Whether it be the CIO, the general counsel or someone else, it’s essential that an organization choose someone with a strong voice and the ability to get executive buy-in, along with a budget. In different organizations, the key governance person is someone who recognizes the importance of the task and is willing to step up to the plate. We are beginning to see the title “director of information governance” crop up in organizations and recruiting efforts.
Editor: Who are the early adopters of information governance?
Gonsowski: This function is beginning to appear in larger companies that see a high degree of regulation and frequent litigation, as well as in smaller companies in the more regulated verticals – the financial services industry being a prime example because FINRA, the SEC and the DOJ are looking closely at them, and the stakes are much higher.
Likewise, multinational manufacturing and technology companies with cross-border data have adopted information governance functions to ensure compliance with each jurisdiction’s regulations – for example, the EU’s more stringent privacy regulations around personal data. The information governance challenges of heavily regulated industries are beginning to hit other corporations as well, and although it may be a while before we see information governance at small and mid-sized businesses, we are certainly seeing it among multinationals and companies of scale.
Editor: What is predictive information governance?
Gonsowski: Managing risk around information is not new; the challenge is how to effectuate policies and the taxonomies that are in place. We know what valuable information is, and so we ask custodians to preserve that information and create record management systems to store it. As logical as that approach seems, it just does not work.
We know that, even when individuals have the time to sort data, humans are simply not very good at classifying information. In the e-discovery context, we’ve already witnessed that individual custodians at companies are not good at governing their own information.
This is precisely where technology can step in and help systems function with minimal human supervision. Say there is a class of contracts that are very valuable to the organization. We take a look at those contracts and train the system on how to find those pieces of content in the unstructured data universe. The system will return hundreds of pieces and ask if they conform to what the end user wants. Then we train the system through an iterative process until the required level of accuracy is reached, at which point the system can reach out and predictively govern information specific to the organization. Humans simply do not have the bandwidth to make this happen.
Editor: Might such predictive information governance meet with defensibility challenges down the road?
Gonsowski: E-discovery is the testing ground and the cutting edge for this technology, and predictive coding has been scrutinized by the bench and the bar. The courts swung from questioning if the process was defensible to stating that the technology is so good that legal professionals should be using it. Besides, the standard in information governance is one of reasonableness, which is lower than the standard you must meet in litigation. (Courts have routinely said that bona fide record retention programs are presumptively valid.)
Editor: What are some of the use cases for Recommind’s predictive information governance solution?
Gonsowski: The Recommind solution builds on our heritage in search, categorization and predictive coding because all of those elements are required in effective predictive information governance. You could govern information manually or deploy sped-up or scaled-up traditional solutions, but these are point solutions. Recommind’s integrated solution offers a broad array of capabilities that allows users to move from sensibly deleting information all the way to creating taxonomies and categorizations that ultimately enable users to extract value from their information – allowing a company’s information governance program to mature smoothly.
Editor: Is predictive information governance a big data initiative?
Gonsowski: Not necessarily. Just because you have a lot of data doesn’t mean you actually have big data; however, risk and cost considerations exist whether or not you are extracting any big data value out of your information. If, in addition to controlling costs and minimizing risk as core elements of information governance, you can also extract and optimize the business value that exists within the information, then you will receive some of the big data benefits from your predictive information governance initiative.
The goal of predictive information governance is to get the right data to the right people at the right time to be useful for an organization. I think of it as a bridge to big data initiatives: if you start with governing your e-discovery and expand your information governance outward, you will likely realize big data benefits while reducing your risk exposure and data management costs. I would urge organizations that are thinking about big data to calculate carefully the risk and costs associated with big data versus its benefits, and to govern their information accordingly.