Information Technology Navigator

Protecting sensitive and classified information when working for the Federal Government requires constant vigilance. When the government issues a contract, it must specify to the performing contractor when covered defense information (CDI) or controlled unclassified information (CDI) will be generated under the contract. Many prime contractors “flowdown” every FAR and DFARS clause to subcontractors and vendors without considering if that subcontractor or vendor will be processing, storing, or transmitting CDI. Anticipating where CDI may reside once awarded a contract can be a challenge. Here is guidance on ways CDI can flowdown to subcontractors and the defense industrial base (DIB), and steps those organizations should take before signing an agreement.

An Introduction to DFARS

Read More

Preparing for a Cybersecurity Maturity Model Certification (CMMC) 2.0 assessment can be completely overwhelming. Here’s the good news: If you’re NIST 800-171 compliant, you’re more than halfway there. If you’re not, you’ve got some work to do for sure, but it’s not as complicated or daunting as you may fear.

NIST 800-171

Read More

On July 16, 2020, the European Court of Justice (ECJ – the EU’s high court) invalidated the EU-US Privacy Shield Framework as a potential mechanism for meeting the GDPR's cross-border personal data transfer restrictions.

Effective immediately, U.S. companies that process EU “personal data” can no longer rely on registration under the Privacy Shield and must establish an alternative legal basis for any continued EU-US transfers.

Previously, cross-border transfers to the US were permitted under three mechanisms: 1) the Privacy Shield (http://privacyshield.gov), 2) Standard Contractual Clauses (SCC), and 3) Binding Corporate Rules (BCR).

Read More

In the wake of the Cambridge Analytica scandal, restrictions on monetization of personal information (aka PI or PII) are coming to California in 2020. The California legislature unanimously passed a historic bill to adopt many of the core privacy principles of the EU General Data Protection Regulation (GDPR) for California consumers. The bill was fast-tracked into law in order to avoid the likely passage of a more rigorous ballot initiative in the November election.

Read More

In December 2015, the electronic discovery provisions of the Federal Rules of Civil Procedure (FRCP) were amended to substantially expand the Safe Harbor against sanctions for destruction of electronic data. In my November 2015 white paper, C-Level Guide to Covering Your Information Governance Assets, I predicted that the amended rules signaled a pivot away from one of the main sources of eDiscovery uncertainty - the inconsistent imposition of severe sanctions for the loss of electronically stored information relevant to dispute resolution. The prediction holds.

Read More

Many of us have a closet, attic, or even a basement corner for all the things that we’re not using but just aren’t ready to throw away quite yet. We just assume we’ll get to sorting what stays and what goes some other day.

The same is true for businesses – and usually the larger the enterprise, the more dark data they have. Many IT departments are burying huge amounts of data, resulting in digital mountains that are increasingly unwieldy to manage, let alone easily search through when key data discovery is needed.

Does your IT organization fit this description? If so, it’s time to recognize you have a problem. It’s called digital hoarding. You, my IT friend, are a data hoarder.

Read More

Given the great highs and lows experienced by financial institutions over the past 10 years, there’s no doubt that today’s industry is highly resilient.

The same is also true for the industry’s IT teams. In the past, IT has been routinely asked to navigate everything from mergers & acquisitions to sophisticated security threats and emergent application demands from a fast growing segment of mobile consumers.

Read More

A document retention policy is in reality a document destruction policy. Therefore, a key reason for an organization to adopt a document retention policy is to establish a program for the deletion/destruction of information that is not required for business, regulatory and other needs. This reality is made necessary by the fact that digital information is growing at an unprecedented rate and that much of it is contained in “unstructured” storage such as email, SharePoint and shared network drives. Data hoarding not only increases direct information technology costs but it presents other substantial risks and costs to an organization ranging from discovery of “smoking gun” documents during investigation, litigation or audit; to reputational damage from information security breaches (hacking).

Read More

In 2005 the ABA Business Law Section published a short book titled, Sailing in Dangerous Waters: A Director’s Guide to Data Governance. It warned in stark terms:

Those Directors who defer or delegate to specialized personnel their understanding and command of data governance will be at increasing risk of incurring personal liability for failing to fulfill their fiduciary duty of care to ensure that their companies comply with rapidly emerging legal requirements concerning deficiencies in data governance.[i]

Read More

Gartner defines Information Governance as an accountability framework that includes the processes, roles, standards, and metrics to ensure the effective and efficient use of information in enabling an organization to reach its goals. One of the core requirements of a legally defensible Information Governance program is a reasonable and consistently applied Records & Information Management system (“RIM”). Accountability and defensibility hinge on the ability of an organization to govern its information in all formats and on all media, and to ensure or prove that it is compliant with all legal requirements.

Read More