The prospect of e-discovery and the possibility - make that probability - of data breaches are enough to make any chief executive reach for antacids, but if the CEO's top technologist doesn't mind consulting with the legal team, a great deal of heartburn can be avoided.
That was the message of attorney Erik Phelps, a partner in the law firm Michael Best & Friedrich, who told a Fusion 2007 gathering that since e-mail is now discoverable in court, and more than 100 million personally identifiable records have been subject to security breaches - and those are only the ones that have been publicly announced - it's a good idea for CIOs to communicate with the company's legal brain trust.
Virtually every CIO will have to deal with an e-discovery related lawsuit at some point, Phelps said, and a well-informed attorney has an enormous strategic advantage because he or she can manage a company's legal costs without hurting its case.
To do that, the attorneys will need the help of CIOs, he added, to produce discoverable e-documents and craft a business process to manage risk.
CIOs add value to an organization if they have good record-retention policies, Phelps said.
Matter of process
Phelps said it makes more sense to get your arms around the process than to make a game plan for different legal scenarios.
It's probably more process oriented because the prospective range of data breaches is so wide, I think you would spend way too much time trying to chase them all, Phelps said. So the key is defining roles and responsibilities, and defining decision-making processes.
Among other things, the CIO will have to lead a process examination and answer key questions: Who gets to make important calls? Who needs to know before the calls are made? Are there triggers within any individual incident that would necessitate going further up the corporate food chain?
Some things arguably would be a board-level or CEO decision, while some that are purely technical might be CIO decisions (with appropriate consultation). What's even more important is which organizational players are going to get in a room to address how the issue is going to be reported, how it's going to be managed, and who gets to decide.
Phelps said the CIO should lead a committee comprised of representatives from legal, internal audit, IT security, human resources, and public relations. The latter two are the most often overlooked, but HR tends to have the pulse of the organization, and it's better to bring in PR early so they know the story in the event that dealing with the outside world becomes a practical necessity.
Pervasive technology, pervasive risk
Just in case there still are business organizations that downplay the current legal environment, Phelps noted that Morgan Stanley was hit with a $1.45 billion judgment in a fraud case - now being appealed - after it erroneously informed the judge that it had no more discoverable e-documentation related to the case. Existing data lies all over the place, on every device used in business, and even open source code has emerged as a potential legal risk in the due diligence phase of the mergers and acquisitions process.
Security is in the top five of most CIO priority lists, and managing IT risk will require not only time commitments but also financial resources.
David Cagigal, chief information technology officer for Alliant Energy Corp., said one of the best ways to get risk mitigation funded is to conduct an annual risk assessment - an inventory of your greatest vulnerabilities - and take the results to the board of directors.
In risk assessments, Cagigal said, the technology risks bubble up to the top pretty quickly, and the process is a way of informing upper management that at least we've got a good assessment of risk, and our appetite for it.