When Information Becomes a Liability


A while back I wrote a couple of posts (one and two) about attempting to value information as an asset, carried on the balance sheet. I took a very accounting oriented approach, and I think I’ve made some progress. This post follows, after a fashion, those two previous posts.

During my session (here’s a link to the deck) at the 2014 AIIM conference, someone from the middle of the room respectfully disagreed that information is always an asset. My response at the time was that information is always an asset and that you need to set up a contra account to offset any of the negatives that can happen. For example, a contra account for Accounts Receivable would be Allowance for Bad Debts. You can read more about contra accounts here, on Investopedia.

What I should have said was …

When information reaches the stage where it can harm you, let’s say in litigation, you need to create a contingent liability account in order to capture how much (in dollar terms) you anticipate the exposure to be. Now, I’m not an accountant, but from what I can find out an asset cannot be transformed into a liability (please correct me if I’m wrong). However, assets that expose organizations to financial risk, can be accounted for by using contingent liability accounts. You can read more about contingent liabilities on Investopedia.

The other thing I should have said was that organizations need to evaluate the value:risk ratio of their information periodically. It’s absolutely true that certain types of information don’t age well and expose organizations to risk that is greater than the information’s value. At this point an organization needs to determine whether they will dispose of the information (legally) or commit additional resources to mitigating the risk, in whatever manner is most appropriate (doing nothing is not an option).

So, to the gentleman in the middle of the room: thank you. Your comments forced me to dig a bit and learn something.

For those of you interested, here’s the presentation to which I am referring …


My Reaction – Laptop Stolen – 620K Patient Records Compromised


Last week a story was reported in the news about a stolen laptop. The laptop contained patient information for more than 620,000 Albertans. This is my response to the situation. It’s far less ranty than what was in my head before I started typing.

Last night I wrote a letter to the Alberta Privacy Commissioner (Jill Clayton), the Alberta Minister for Health (Fred Horne), and Medicentres (hope it gets to Dr. Arif Bhimji). I would have included the consultant, but he/she was simply identified as “IT Consultant”. I did copy the letter to CTV News (where I first read the story) and the Edmonton Journal.

The following links are to the stories on the CTV News site.

I’ll update this post if I hear anything from anyone involved.

http://edmonton.ctvnews.ca/laptop-containing-health-information-for-thousands-stolen-province-seeking-investigation-1.1651500

http://edmonton.ctvnews.ca/privacy-commissioner-frustrated-after-laptop-with-personal-information-stolen-1.1653696

This is a bonus story - http://edmonton.ctvnews.ca/patient-information-stolen-from-covenant-health-1.1656104#commentsForm-478263

Note to Medicentres – Please direct this to Dr. Arif Bhimji

I’m writing to you in regard to the theft of a laptop containing health information of approximately 620,000 Albertans.

My name is Chris Walker. I’m an Albertan whose health information may have been compromised by the above mentioned theft (I visited the St. Albert Medicentre in 2011 or 2012). I am also a consultant who specializes in Information Management and Governance.

First of all, I don’t understand why a consultant would be allowed to store personal information on his/her laptop and then leave the building with it. I’ve been a consultant for more than 25 years and have never had the need to store personal or sensitive information on a non-client controlled device, and I have never removed such information from client premises. During my career I’ve dealt with information from banks, pharmaceutical companies, provincial ministries, federal governments, municipal governments, etc. During many of those engagements I’ve had occasion to deal with extremely sensitive information. In all cases the information was stored and secured on client servers, or it was masked / redacted / sanitized before I even saw it. In the rare cases where I needed to access real information, it was always by using client hardware.

To the Consultant – I’d love to know what you were working on that you thought you needed to store live patient data on your laptop. I’d also love to know whether you were at Medicentre as an independent contractor or you were working on behalf of one of the System Integration firms. In either case, I’d love to know who you are so that, in case our paths cross, I can either educate you on how to properly handle sensitive information or make sure you’re never involved on any project that I am associated with.

To Dr. Bhimji – You need to go through those records and inform every one of the affected Albertans. Don’t put the onus on us to find out if we’ve been compromised. Be responsible and do the right thing. The fact is, as soon as you were aware of the theft you should have started identifying affected individuals and begun informing them of the situation. As it is, enough time has passed that damage may already have been done.

The complete lack of mention about the breach on your (Medicentres) website does not provide me with the sense that Medicentres is giving this matter the due it requires. That’s just my opinion as an Albertan, one of your patients, and as someone that makes a living by advising organizations about the proper management and handling of information.

That you’ve made some policy adjustments is great, however, how is that going to help any of us if our information’s been compromised? You really ought to have done something ages ago. For what it’s worth, you may also want to consider not giving access to live data to anyone that doesn’t absolutely need it to do their job. If you need some help sorting this out let me know; I’d be happy to help.

To Minister Horne – I agree that changes to legislation need to happen. I don’t think that you need to wait until the Privacy Commissioner releases her report to get started. To be frank, many changes to operating policies and procedures for managing information can be made without changing legislation at all; think of them as preventative measures.

Enacting new legislation for dealing with breaches is necessary since we’ll never have 100% security as far as sensitive information is concerned, but we also need to focus on preventing security breaches in the first place. Effective controls are far more cost effective than trying to clean up the potential messes that would occur once a breach happened.

To Commissioner Clayton – I don’t envy your position. I trust that you wanted to do the right thing, but were hampered by legislation. I hope that your investigation into this matter is fast-tracked. I encourage you to make the results of the investigation public; we have a right to know.

To All of You – I strongly suggest that you get involved with professional organizations such as AIIM (Global Community of Information Professionals) and ARMA (Association of Records Managers and Administrators). Both of these organizations are focused on managing, governing, and securing information. There are also organizations that deal specifically with information security and privacy. With the resources available to us today and with what we know about managing information, there’s just no excuse for what happened.

As someone whose information may have been compromised, I am angry. As someone who consults on Information Management and Governance, I’m incredulous that this happened considering how easy it is to prevent this type of thing. While the theft was a criminal, deliberate act, the presence of patient information on the stolen laptop was nothing more than negligence.

Sincerely,

Chris Walker

Update January 29, 2014 …

Much to my surprise, I did hear from Dr. Bhimji of Medicentres. Below is an excerpt from the email he sent last night. I’m happy to note that there is now mention of the privacy breach on Medicentres home page.

I can advise that we reported the breach to the Privacy Commissioner and have worked closely with them. The Commissioner approved the form and wording of the notification.

The website is updated regularly and the information is found under the patient tab and has been present there since the announcement. I have asked the operations people to consider putting some information on the main landing page.

Patients have been advised about what measures they can take to determine if there have been any intrusions on their privacy. This information is available on our website and also by calling our call centre if you wish more detailed information.

Update January 31, 2014

Heard from the Privacy Commissioner’s office that she will be making the results of the investigation and review public. – I’m very happy about this.

Heard from Medicentres’ folks that if you visited one of their clinics during the time period stated, your details are on the laptop that was stolen. We (the Medicentres person and I) both speculated that the theft was for the laptop, not the data, but we could be wrong.


PHIGs take Phlyte – AIIM Conference Preview


Eat Your PHIGs

As some of you may already know, I will be speaking about the Principles of Holistic Information Governance at the AIIM Conference in Orlando (my session is at 2pm on April 3). Here’s a brief preview of what I’ll be talking about.

This is a little story about how the Principles of Holistic Information Governance (the PHIGs) were leveraged to turn a pure Records Management project into something the entire organization, and its stakeholders, could benefit from.

I was approached by a partner to help them out on a project they are working on for a public transportation company. Their project is to put together a new web communication and presence strategy, and to implement it. Where they asked me to help out is on developing a Records Management strategy. The two projects were to be separate from each other since the RM project was really to fill in some gaps in the client being compliant with legislation and in helping them to respond to Freedom of Information (FOI) requests. There was no thought given to integrating the two projects or to looking at how an holistic approach could benefit the entire organization and its stakeholders.

As all good analysts and consultants do, I started gathering as much information about the organization and the projects as I could. The two critical documents that I had access to were the Web Communication project strategy (summary and detailed) and the organization’s 20 year strategic plan and roadmap.

There were obvious tie-ins to linking the RM project and the Web project, but selling them to the organization wasn’t easy as they just didn’t care all that much. They were happy to go forward with identifying what was a record, and subject to FOI, then just firing that content into their RM tool (which they don’t have yet). The real clincher to getting the organization to accept a PHIGged approach was the long term strategic plan. In the plan were articulated six values and five major objectives.

Values

  1. Safety
  2. Customer Service
  3. Sustainability
  4. Integrity
  5. Innovation
  6. Collaboration

All six of the values can be directly supported by information, provided it’s properly governed and managed, from cradle to grave.

Major Objectives

  1. Develop Financial Sustainability
  2. Support and Shape Livable Communities
  3. Change the Perception of Transit
  4. Deliver Operational Excellence
  5. Strengthen our People and Partnerships

Like the values, the objectives will benefit from taking an holistic view of how information lives in the organization.

One of the other things that I did was to review the RM strategy document I was provided and link those objectives to the objectives in the Web Communication strategy and the long term strategy. It’s both funny and sad that folks get so focused on their own view of the world that they don’t see the bigger picture. The RM strategy probably had 85% of what was needed for an organization wide (I’m trying not to use the word “enterprise” too much) information management strategy.

From a technology point of view there will be many different tools used to provide the solutions that the organization will, over time, implement. But, they’ll be underpinned by the PHIGs. The PHIGs are there to help organizations take a look at how and why information exists and affects all relevant stakeholders. The PHIGs aren’t about technology; they’re about business and doing it better by understanding what you need from information.

By reordering and rewording some of the RM strategy objectives, and adding a couple of new ones, we were able to change the focus from an RM project that would provide very limited benefits, to an organization-wide information management program that will benefit all stakeholders. Of course it’ll take longer to get to the end, but at least the client has taken the first step and realized the importance of information to the proper running of the business.

Below is the presentation from my session at the AIIM 2014 conference …


Book of PHIGs is Dead


Some of you may be shocked, but I’ve decided to kill the Book of PHIGs. “Why?” you may ask. Even if you don’t, I’ll answer.

My plan was to make the book available electronically via iTunes, Kobo, and Amazon. Have you seen the administrative, contractual, and tax crap that that plan entails? Holy sh*t!!! Now, I’d put up with all that nonsense if I thought that I could make a living selling a book about Information Management; but I doubt it. I mean, how long can one live on dozens of dollars? This doesn’t mean that I have given up on the PHIGs or on making them available to whomever is interested. No; it means that I am changing my approach.

I’m going to take a whitepaper approach to making the PHIGs available. Whether it’s one long whitepaper or a series of per-PHIG whitepapers remains to be seen. I’ll try, as much as possible, to draw on experiences from past and current projects as I write. I won’t be charging anything or asking folks to register for anything in order to download the PHIGs. When something’s ready I’ll announce it on Twitter, LinkedIn, Facebook, etc., and provide a link. Pretty simple, but I like it that way.

To be honest, I never planned or wanted to make a living from writing the book; my intent all along has been to make a living from leveraging the book into consulting, training, and speaking engagements. For those organisations and people that don’t want / need any of my services, I still wanted to make the PHIGs available because I believe they’re important and that they contain stuff that any organization can use.



Get Sh!t Done – Right People Do Right Things


This is a response to this post by David Spinks of Feast and The Community Manager. Simply put, David points out all that’s wrong about a “Get Sh!t Done” mentality. Obviously, GSD’s not worth a S if the capabilities and tools aren’t in place to enable getting stuff done. It also helps that you’ve got an actual clue about what stuff should be getting done, when.

In my personal and business lives (going back to my mid-teens) I’ve been a coach, team lead, mentor, father (still am), team member, and manager. I’ve worked on dozens of projects in many countries and industries, many of them with a great sense of urgency to GSD. I do not, however, have much experience with startups. In all of those roles and projects I’ve been told, and told others, to “get sh!t done.”

Regardless of the business, there is always pressure to get sh!t done. Whether it’s getting a product out the door, processing a benefits application, getting a website updated, implementing software, putting together a budget, crafting an HR policy, … whatever, people need to perform and things need to get done. It doesn’t matter if the organization is a startup, an established multi-national, or a government entity; the expectation is that things get done.

“Get sh!t done” needs to be prefaced with an understanding that the right stuff is getting done and the right people are being tasked to do it. What makes people right for getting it done? They have the necessary skills, capabilities, attitude, and time to get it done. If they don’t, and they are still being asked to get it done, it’s their manager’s fault, unless they’ve lied to their manager.

If someone is told “GSD” there has to be an assumption that the doer has the necessary resources and skills. If not, either the manager is mismanaging or the intended doer needs to pipe up and articulate any deficiencies in resources or capabilities.

There are type A’s and type C’s out there, just as there are people who will always be less productive than others. Why they’re like that may be interesting to discover, but is ultimately a waste of time (unless it’s a temporary blip brought on by circumstances). What’s more productive is to determine whether or not they fit in the organization. Depending on the dynamics of an organization, having people that aren’t type A, super-productive-ambitious may actually be a good thing. As a manager you need to know how to deploy them correctly and keep them motivated; you need to find out what their capabilities and limits are. If they don’t fit into how things need to be done, you need to get them out of the way. As long as everyone is working towards the same overall objectives, things are good.

Get sh!t done is a tactic. Shipping a product or some software code is not the goal; the goal is profitability. In the case of government, the goal is delivering services and governing without wasting taxpayer funds. Lots of little sh!ts need to get done to meet organizational goals; simply living a mantra won’t get you there.
