Thursday, June 12, 2014

The path to hell is paved with good intentions.

I am not sure I have any good way to say what I am about to say. And in fact, I am so trepidatious that I have to couch my commentary in verbiage subterfuge. I am not spineless, but just don’t want to create a bunch of enemies with my cohort. So here goes. I am certain you will get my point even if I hide the true identities of the offending parties to protect the innocent and/or guilty.
Assume for a moment that an international information association decided that the industry, and more specifically companies, needed a way to assess if they had a mature information management program. So the organization got a bunch of their folks together to develop criteria by which they should evaluate if their program was good enough to pass muster. And let’s say after much talking and thinking they settled on an information management Maturity Model and related criteria.

Recently, a client of ours had us look at their self-assessment of their information management program using one such Maturity Model Best Practice self-assessment tool. (The client is now considering having us perform a new Gap Assessment.) It is one of my favorite clients and it’s a great company that does so much right. So when I reviewed their self-assessment, I was stupefied. They used the information management organization’s Maturity Model criteria and concluded they were seriously substandard. I totally disagreed with most of the conclusions of the assessment. I am not going to lay out why I think the various criteria are flawed in total, but let me give you an example to make my point. One of the criteria by which this company evaluated itself according to the self-assessment was information “integrity”. Based upon how the assessment MADE the client answer the questions, they got a flunking grade. I told my client, given what I knew about their business processes and IT framework, that on the information integrity scale I would give them a Rhodes Scholar type grade—at least an “A”. So why such a disconnect?
I get the whole thing about “one man’s hot is another man’s cold” but this is not about perception. It is about the criteria and maturing the process and still utterly failing even if what you have done is at least good enough.  From my humble perspective, the evaluative criteria are aspirational, not functionally helpful, impracticable and may sell your company unfairly down the river. BOOM! I believe it sets up companies to fail that use the self-assessment, on criteria that are not really central to success. Every organization would be flagging miserably if put under the assessment’s microscope. And that’s just not the way it should be.

Which brings me to the PG&E San Bruno disaster and how industry “best practices” evaluations can be helpful at fixing failings and can also provide the basis for regulators to whack companies for failing to properly manage records, among other things. The tragedy was horrible. The loss of life and property is unthinkable. And the company may have had records management failings. But look close enough at any company and most organizations fail miserably. See the report at the following link.

There are lots of information management industry standards, best practices, evaluations from all sorts of organizations. There is some terrific guidance and there are some downright damaging unattainable “best practices”. I’m sure it all comes into being with great intentions. But massaged, manipulated and maneuvered by lawyers and a good company begins to smell dirty.

We developed a methodology called “Information Management Compliance” for evaluating the “goodness” of your Information Governance Program which has been used by so many companies.  I borrowed the criteria from the Federal Sentencing Guidelines, which help judges evaluate what is good corporate behavior. I figured if the court will evaluate your company by the criteria, that you should build your program according to the criteria. (This is also the topic of “Information Nation-Seven Keys to Information Management Compliance”, See also

Look close enough at any company’s information management practices and you will find flaws. Lawyers are in the business of exploiting flaws. I don’t need to give them material to work with that isn’t even real. So companies, evaluate carefully, document thoughtfully and pick criteria by which you evaluate circumspectly. Just saying.

Randolph Kahn, ESQ.

Wednesday, January 22, 2014

Data is the Target

When your logo is a red bullseye and you’re in the retail business, I guess you should expect to be a target.

We are learning that more people were affected by the data breach at Target. We are learning that the breach was likely perpetrated by Eastern European cyber thugs and that tens of millions of Americans may be impacted to the tune of billions. What we haven’t seemed to learn is that no matter how vigilant and how much is spent seeking to protect the information Crown Jewels, nothing can protect information completely from the criminals. There will be hacks and data will be stolen. But for the average person, while scary, what it tells them is that they need to take action to protect themselves. Perhaps that means getting identity theft insurance or some protection from cyber crime.

However, more importantly what does this mean for business? What can be done to mitigate the harm and risk? Insurance shifts the risk and is a good thing but it doesn't solve the underlying problem. More IT security is useful but how many more IT experts can be retained and will that solve the problem? I think not.

While I don’t have all the answers, I do want to share a story that makes the point that process and technology can help minimize the harm.

A few years ago, I was speaking in Southern France to a bunch of Hungarian bankers. They recounted how they were dealing with cyber theft, which was a big issue in Hungary, especially for those people making credit card purchases. To combat theft of credit card info, the Hungarian banks implemented a simple and seemingly inexpensive system whereby every credit card holder got immediate and real-time notice of any and all impending transactions on their cards. If the transaction was bogus, a text message could be instantly sent back to the bank to shut down the account and terminate the criminal transaction.

Well, maybe the text notification system is not the right or only answer, but it seems like coming up with ways to make the theft less valuable by minimizing the transaction amounts or frequency will take a bite out of crime.

If you can’t undo all criminals hellbent on cyber crime, perhaps we can get creative and interactive to diminish the economic harm.

I’m interested in what you would do about cyber theft.  Email me your ideas at  

Friday, November 8, 2013

Make Your OSHA Injury Records Available to the Public--Say What?

Companies must retain records. From time to time regulators ask to see those records. When companies fail to produce the requested information, there is usually a consequence, from a minor hand slap to a full-fledged flogging.

For big companies that are required to retain worker injury and illness records (that is many businesses) to comply with OSHA, those records keeping requirements may be about to get more painful.

The US Labor Department just proposed a new rule that would require companies with more than 250 employees to file electronic injury reports and make these records AVAILABLE TO THE PUBLIC.  I don’t know if that is better or worse than making the CIA disclose records about interrogating terrorists, but I would bet that most companies will have something to say about it.

What do you think—good transparency or an accident waiting to happen? Pun intended. Boom. 

Tuesday, October 29, 2013

The Tale of Two Bobs

This is the tale of two Bobs. One Bob—let’s call him Robert, works for a large financial services company as a senior IT executive. The other Bob, let’s call him Bobby, is a super quick, super smart, super happening twenty-something having graduated from that amazing university around the corner with a tree as its mascot. He went from Palo Alto to somewhere between San Francisco and pathetically wealthy, way too early. 

Robert has had a different career trajectory. Twenty six years, three months, six days, fourteen hours and thirty three minutes at the same company slogging it out through the ranks. Boom, his slightly above average pay check comes every two weeks whether he needs it or not. He evaluates, he tests, he researches, he does an ROI, he purchases, he implements, all in the hopes that the technology he just bet his reputation on will help make his company “faster, better and cheaper.” 

Robert set in New York. Bobby flitting to and fro, somewhere south of San Francisco.  Their worlds seemingly, well, worlds apart. Yet they collide.

The article in the October 22, 2013 Wall Street Journal read, “Request by CFTC has Deutsche Bank, Citibank, and Others Sifting Through Trader’s Emails, Chats.” So what’s the big whoop -- a bunch of financial services companies have to produce some business records to a regulator. And by the way, why does that have anything to do with Bobby? You read on, “Deutsche Bank, the world’s largest foreign-exchange dealing bank… is spending millions of dollars scouring traders’ emails, and chat sessions…” This is the deal-- there are many Bobby-types that each and every day work on developing new technologies for whomever will buy them. Then someone working at Big Company brings some new technology into the enterprise. While some companies preempt such conduct, many others leave the door wide open. And when there is nothing to prohibit the introduction of technology “from the street”, new technologies made by the Bobbies of the world find their way into your business. What the Roberts of the world forget about is that, for each new technology that Bobby makes, there will be some informational output. Increasingly, there are mountains of informational output that make Robert’s job increasingly more challenging in several kinds of ways. More information, in more places, that doesn’t lend itself to easy management. And when Bobby builds, he usually is not thinking about how the new technology will be used by a financial services company with very stringent records keeping requirements. As the Wall Street Journal article makes clear, that new casual information output may be a company record that needs to be retained and possibly produced to a regulator down the road. Unearthing information is invasive, complex and costly.

Over the years, not surprisingly, the laws have reacted to the technology marketplace. Over the years the financial services regulators have been dealing with the creations of the Bobbies of the world. Regulations and laws have already popped onto the legal landscape to deal with legality of storing electronic information on computers, retention of email, chat technologies and social media. There are rulings on just about every new communication technology being used in the financial industry and if not it will be coming in one form or another.

Which brings me to my real point.

1. Companies are failing at information management and can’t discern records requiring retention and information that can be disposed of. That needs to change.

2. Companies are not proactive enough when allowing or implementing new technologies—companies need policy first that tells employees what to do and technology needs to be utilized that manages the lifecycle no matter how long or short.

3. Just because Bobby makes cool technology, unless there is a legitimate and documented business reason to allow technology, the technology shouldn't be allowed. Only after the business case has been satisfied, then the company needs to understand what its obligations with that new information chunk are and manage it accordingly.

Thursday, May 30, 2013

Information Governance “Eight Essential Steps to Attacking the Piles”

Maybe your Information Governance project is bogging down because you are solving a problem that your colleagues don’t think exists.

Do you know the Muffin Man and if you do, do you care where he lives? I know Peter Pan thought Wendy could fly but did Wendy actually believe it? What if the band, “The Who”, was called, “The Why”?

Anyway, I was listening to a “one hit wonder” radio show when “Who Let the Dogs Out” came on.   As I listened (though I wanted to change the channel several times), that got me wondering if “Who Let the Dogs Out” was really the operative question?  Was the song really about dogs that are gone? If it was about dogs, why are we worried about blaming someone for letting the dogs out?  Why not ask where the dogs went or better yet, how are we going to get them back? Further, do we really want them back?
And that got me thinking about all the questions we ask on a regular basis that drive us to seek answers to myriad business questions. But what if the right question is actually different than the one we asked? The answer that we get is different than one we would get if we asked the right question. And that got me thinking that we probably take actions based upon answers to the wrong questions all the time. So perhaps we choose the wrong path, because we ask the wrong question to begin with.

And that, of course, got me thinking about information sprawl and the piles of data growing unfettered all over every big organization. Why do the piles exist? Who is at fault? Maybe for certain business folks the piles were intended to grow? If not, how can we ensure that they are defensibly disposed when the information is no longer needed? In other words, why does the company allow the piles to exist? And then and only then can we really address the sprawl.

But wait, the right first question is, do the folks that create or keep piles think the piles have much value?  I assume that so much of organizational information overload is outdated crud. But what if others think it’s all valuable information. If they do and I am nonetheless right, I will still need to change their thinking before I get to my questions. Otherwise attacking their piles doesn't make sense to them. They will be hard pressed to go along with spending time and resources cleaning up the pile.  My questions assume there is lots of valueless stuff in the piles. Their perspective may be that the pile is all valuable.  So it makes sense to not assume anything and ask the right question of the right folks. 

And that got me thinking about planning my attack on the reason the piles exist. So here are “Eight Essential Steps to Attacking the Piles.”

1. Who is your audience? Knowing who your audience is will matter for two reasons. First, who they are in the company or what they do for a job impacts how they see the world and the reason the piles exist in that world. For example, litigators see evidence and their inclination may be to refrain from ever destroying any of it. To get their approval for cleaning house will require allaying their concern for destruction of evidence and the impact that would have on a case, the company and their career. If I can’t address their worry, usually all other efforts to get rid of information, even if it makes business sense, will be fruitless.

If I am talking to a project manager on a “Big Data” business process improvement initiative, that person will likely see the piles as being a treasure trove of valuable business information that can be analyzed, scrutinized, and monetized.  Getting rid of the pile will likely be perceived as making her job a lot more challenging and literally sucking the lifeblood out of her project.

2. You need to answer whether or not your audience thinks that they own fixing the problem. If they don’t take any ownership around the piles, then convincing them to take action is fruitless.

What if the person I am talking to is the head of storage and is under no compunction to care about making the piles smaller? First, she doesn't think she owns the information (which is owned by the business) so therefore taking action to “right-size” the pile is neither her problem nor her province. Do you think she will like her budget being reduced if the piles are smaller? If she has 30% less data to store and 30% less budget that has real impact to her department, head count and budget. She may not care whether the content is valuable or not. She cares about budget. So I have to know who I am talking to in order to speak a language that gets through to her. Maybe cutting waste will provide sufficient incentive and saving millions will be recognized by the executives, but in the end, what moves the recipient will be directly related to where they sit in the organization and how they perceive the problem.

3. Does your audience think there is business value in the piles?

For data miners big is better. For the CFO, saving millions is a way to ensure longevity in his coveted job and provide value to shareholders.  For users they want access to their information and their instinct is always that everything is important. So first it is essential to understand that everyone, to a greater or lesser degree, has packrat tendencies. 

In order to take on house cleaning, there has to be a more objective way to evaluate information value to the enterprise without being clouded by subjective and personal opinions of individual employees. If your organization has a retention schedule and the retention rules were properly developed then real business interest and needs and the true business value for the information across the organization should already be known. And there is NO need to revisit the business value question.

And that begs another very important question—if you have retention rules and are not applying them to various types of electronic records, does that undermine your records program? Answer—you betcha. Which is Canadian for “You’re darn tootin”, which is Alabaman for Duh, which is American middle schooler for…You get the idea.

If you don’t have a good schedule then you will need to assess value in a different non-emotional, non-personal way.

4. Do they think there is legal value in the piles?

Some lawyers want everything gone tomorrow and others want everything forever. But in the end neither approach is viable. So you have piles and somehow you will need to answer two questions before the lawyers will go along with house cleaning. One, does the pile contain any records required to be retained? Two, is there any information that otherwise still needs to be preserved for audit, litigation, investigations or other formal matters? If the answer to both questions is no and can be demonstrated with sufficient diligence (hopefully without looking at every document), then the lawyers should be comfortable with cleaning house. No matter, you will need to work with them A LOT as they are a nervous bunch.

Remember different lawyers see the world differently. Compliance lawyers will be thinking compliance with policies and laws. Corporate lawyers will be thinking business needs and maybe risk. Litigators are motivated by making sure the company doesn't get whacked in litigation for failing to produce evidence.  Revert back to number 1 above so you can speak to each group and move them by speaking their language and addressing their concern.

5. Who owns the storage “parking lot” in which the piles are piled up?

Taking on the piles requires understanding who actually owns the technology and applications on which the content sits.  Does a business own the application and technology? Do all business units park data in that environment?  Will the technology owner be authorized to take action to clean up the content on their system?  Remember the owner of the storage “parking lot” is likely not going to be the same person who owns the records or content.

6. Who owns the content in the piles?

To make information go away, you will need buy-in or agreement from the business folks who really own the information. The business unit owners own the content and you will need to get their involvement in the process. What do they need to hear, to believe that the piles can be culled of crud? If they paid for its storage directly out of their budget would that move them to action?

7. The next question is how to take on the challenge.

Defensible disposition is no small task. It is dirty, complicated, and not without expense (with potentially significant savings). It requires effort from within and outside the organization. But different chunks of data can and must go away and each will require a different diligence process depending upon what the pile is, how old it is, whether it is subject to litigation, if it is being used for business, if it is technically disaster recovery back up piles, etc.  Remember you are getting rid of chunks and piles and chunks within piles not individual documents so making these culling decisions requires expertise and convincing lawyers that it is ok. 

8. How can you make the case that the piles need to go away?

Information is growing at 20-50% per year if your organization is like others.  Businesses already are having a hard time finding information to run their business. Litigation response has gotten costlier and more painful—another data point to tell you information governance is broken.  Bad up front management means expensive e-discovery events will likely follow.  We have clients that stand to save tens of millions of dollars just through storage savings over the life of the project.  That seems like a compelling motivator for any executive. There are many more compelling facts that argue in favor of taking action, but they need to be tempered against real costs and risks.

There are a whole lot of questions. The place you start asking may be way too far down the road.  Assume nothing. Ask the right question of the right person. But ask?

By the way, “Why Did They Let the Dogs Out?” is a less catchy name for the song for sure, but it’s an essential inquiry nonetheless.  

Tuesday, March 12, 2013

The Case for Rightsizing Your Information Footprint, Cleaning House and Stopping Stupidity

Demystifying Storage Is Cheap

It’s really funny when a smart IT person tells me that “storage is cheap” and asks why they should clean house of digital data debris (D3). For most businesses their information volume is growing between 30-50% per year. The decline in storage cost per terabyte is a few percent per year. So in real terms, most businesses are spending way more in real dollars to store information. The storage cost alone for 1 petabyte of information is roughly between $5-10 million per year. So why care about D3—because if you could get rid of some of it, there is potentially a whole bunch of savings associated with the action.

In a few short years Facebook has amassed an information pile that is not surprisingly really massive.  According to the March 11, 2013 Wall Street Journal the data comprising just Facebook users alone is 100 petabytes of stuff.  For those of you not tapped into information volumes, that is a 1 followed by 17 zeros.  In simple terms that is in excess of a hundred billion files.  Imagine what the Facebook info trove will look like after a few decades in business.

Debunking Big Data

Big data is not just a description of a huge pile of info. Rather Big Data is the idea that if you take your big pile of info minus D3 and connect the dots using powerful analytics technologies, that you will be a faster and better business. You can learn things about business past and future to be more efficient. Assuming that you can actually pull off harnessing Big Data for big value, the D3 is still unneeded information background noise that makes unearthing info import that much more challenging. So get rid of D3.

Lawyers are People too and Litigators are Predictably Short-Sighted

Contrary to popular belief, lawyers are people too. They make mistakes just like the rest of you people.  When they do something that is going to add to your pile of D3 and you don’t know why, stop and address the issue. Usually lawyers stop the wheels of progress (i.e. preserve the back-up tapes though policy says it should go away after a short time) or cleaning up the crud because the one involved litigator sleeps better being able to say that nothing could have been destroyed because they don’t destroy anything. The problem is that while they are sucking their thumb in their bunny eared feety pajamas the IT folks are up wandering the halls wondering how they will pay for the mess and keep systems running without overloading and seizing up. Once this “Lawyer Induced Everything Saved” (LIES) regime is started, trying to unwind it is really difficult especially with so many subsequent lawsuits.  So unless a court mandates the “save everything” regime, don’t give in. “You’re smart enough, and strong enough, and gosh darn it I like you.”   

Thursday, February 21, 2013

Get Your Information Retention Under Control

Most sizable companies spend millions or tens of millions of dollars every year storing unneeded business content.  So please don’t get me started about the fallacious “storage is cheap” hokum.

The CIO is tired of having his dog wagged by the legal tail whose mantra is getting old. It sounds like this-- “But wait, WHAT IF we need that one document for a lawsuit and it’s gone”. So don’t get me started about how we should keep everything just in case there is a lawsuit down the road for which we need a specific document. That approach is contrary to your records policies and makes little or no sense.

Ok, this is the reality: you can’t keep everything forever, but you are afraid. If only I could hear it from a judge that would make me comforted.

Your wish is my command. I’m a Defensible Disposition fairy.

A lawyer seeks to justify why her company needs to keep all information.
“…part of the reason eDiscovery is so expensive is because companies have so much data, that serves no business need, but it’s so easy just to keep it there…. I think despite the economy, companies are going to realize that it’s important to get their information retention, their information governance under control, get rid of the data that has no business need and mine the data that has business needs – you know the so called Big Data – things like that in ways that will improve the company's bottom line on the business side and reduce costs on the eDiscovery side as a benefit as well.”

United States Federal Magistrate Judge Andrew J. Peck, “JD Supra Law News,” February 4, 2013.