Don't Bet the Business

It has just been reported that neither Hillary Clinton nor Colin Powell used U.S. government email during their respective tenures as U.S. Secretary of State and instead communicated through private email accounts. 

It is unclear if either official broke the law or if the private email accounts were adequately secured. Even if this practice was legal and the data safe, it is certainly controversial.  

While your business information does not likely consist of state secrets (and you are probably not running for president), the current controversy exemplifies the potential negative consequences of inadequate data governance.

Here are five tips for protecting your business from its own email hullabaloo and avoiding costly e-discovery and data privacy heartburn. 

1.  Understand your data preservation and privacy obligations. What data are you legally required to save by law or by contract? What data are you legally required to keep private and secure? Use this information to craft the minimum requirements of a data governance policy that will keep you compliant with the law and your contractual obligations.

2.  Inventory your data preservation and data security practices, needs, and desires.  What data do you want to keep? What data do you want to share or sell with other businesses? What are your current practices? How are your employees navigating the fuzzy lines between personal and private data devices and technologies? Incorporate this information in creating a data governance policy that meets your business needs while helping you achieve your business objectives.  

3.  Maintain strong data governance.  Once you know your legal obligations, your practices and your desires, you should create and implement a comprehensive internal data governance policy. The policy should be fluid, but firm, and reflect your legal requirements, business needs and practical realities. Because it is often impractical to preclude employees from using personal devices for work purposes, you should plan accordingly. As your legal and practical needs change, adjust your policy.  Do not look for a one-size-fits-all data management solution -- it does not exist. 

5.  ENFORCE YOUR POLICIES. Conduct regular data audits to make sure that all of your employees are complying with mandated policies and that your data security measures are effective. Demand honesty and transparency by your employees about their data practices, problems and “work-arounds.” Do not exclude your top executives from your audit – no one should be too important to audit. If your policies are not being followed, modify them until the policy and the practice mirror one another. If your data security policy is ineffective, fix it. The best policies are meaningless if they are not followed.

6.  Mandate privacy-by-design and information governance-by-design. When thinking about implementing a new technology or software in your business, consider data creation, preservation, privacy and security. Before a new product launch, determine how your IT staff and employees will continue to follow your policies after implementation of the software. If you do not have a chief information officer, be sure to consult with an IT professional in executive decision-making.  

At some point, your business may be involved in contentious litigation, the victim of data theft or the recipient of a subpoena.  While the U.S. House of Representatives’ Select Committee on Benghazi is unlikely to come calling, a state or federal government agency may seek information from you. Following these five tips and proactively addressing data governance will help you avoid your own email troubles.