When companies worry about BYOD and consumerization, their first line of thought is probably data leaks: a lost phone with customer records, or the employee who accidentally stores secret product plans in a shared folder on a public cloud service.
But there's another equally pressing concern that many companies ignore. What if you're served with a request for information as part of a legal proceeding? Do you know what information your employees are creating, and where they're storing it? Could you retrieve it if required by law? Are they destroying information that's supposed to be kept, or keeping information that's supposed to expire after a certain date?
It's called data governance or information governance, and it's going to become a big problem over the next few years warns CITE 2013 speaker Deborah Juhnke, the director of information management consulting for the law firm Husch Blackwell.
"We're certainly making good strides on controlling risk, but so much focus has been on security. We're not doing such a good job yet on controlling the risk of the data itself -- the fact that it's even out there," says Juhnke. "I cant find anything in the literature that says anybody's really focused on the governance aspect of data. Where is it, what is it, how long does it need to be kept, should we be keeping it at all, how do we comply, and how do we get rid of it when we're supposed to?"
Peter Sloan, a partner at the firm who leads the information governance group, says the problem lies in basic human behavior -- because people are using their own devices for work, they're more likely to treat the data they create as personal, too. "I think of it as my own device, so the organization's rules may not apply to my behavior. It's an inherently risky environment."
Classifying data and having smart data policies in place are important. But the key to addressing the problem is more mundane: Training.
"Policies are certainly important, but I think one of the least used and most critical tools is good training," says Juhnke. "Noboby likes to do training. Training's boring, training's expensive. But I don't see how you can expect people to do the right thing if they haven't been told what the right thing is."
Training should include information on the specific policies of the organization -- where information can and cannot be stored, how long it has to be retained, and so on. But equally important, says Juhnke, "It's good for end users to know what could happen to their information -- they probably don't appreciate that, and don't appreciate that they give up a significant amount of privacy when they use personal devices for work. They also give up a lot of privacy when they put information out of their physical control" -- like in a public cloud service.
Sloan emphasized that if you use your personal device for work, and the company is forced to turn over information for discovery, your personal smartphone can be seized, as other legal experts have said. "Absolutely."
There's no great technical solution for the problem, either, although Juhnke points to virtualization as a possibility. "You're still allowing people to do their work, just they're not physically downloading information to their device."
Juhnke emphasizes that this is not just an IT problem -- it's a management problem. Losing control of data can lead to huge fines -- like the physician at the Massachussets Eye and Ear Infirmary who lost his laptop with personal patient information, later landing his employer with a $1.5 million fine from the Department of Health and Human Services.
"Senior leadership of organizations must lead by example and give clear direction that information governance is as important to an organization’s well-being as financial governance," says Juhnke. "Information governance is everyone’s responsibility."
Be sure to catch Juhnke at the CITE Conference from June 2-4 in San Francisco, where she'll be offering concrete advice on how to establish information governance policies, processes, and metrics for BYOD.