Good Answer

by Administrator on July 17, 2008

Continuing the previous post, this response just came in from a lawyer in response to my questions about de-dupe and compliance and the role of the information governance folks within companies.

Question 1: how does anyone know whether dedupe violates the rules? Do we need to wait for a test case?

The issue will come up if and when the authenticity of reinflated data is challenged as a matter of its admissibility in evidence. A serious challenge will probably require a Daubert hearing to take expert testimony about the processes involved to determine whether there has been a material change from the original. This is a “battle of experts,” and the “best” expert will win. I would expect the data to be admissible unless the expert challenging the processes can make a very persuasive case that the processes do change the data in ways which matter. Any given case will really only be precedent for the particular software under challenge, so the vendor really better be ready to back it up in court – otherwise a loss in one case might result in precedent against admission of data run through the process, which might not be technically binding on other courts but would be very persuasive, and the product would be doomed.

Question 2: how does the governance/compliance officer evaluate and weigh this risk?

By trying to understand the process and its results. If the vendor is really ready and able to stand behind the product in court per Question 1, someone should be able to explain it to a compliance officer too. After all, the judge who would be deciding in a Daubert hearing is no more likely (and is probably less likely) to be trained in technology issues than a compliance officer.

Question 3: should there be a formal process in a company to evaluate the impact or potential impact of new technology on the corporate information governance position?

Yes, but good luck talking most of them into it.

Question 4: technologies like dedupe are slipping in under the radar as features of venerable storage products from trusted vendor suppliers and may be escaping the notice of audit/compliance/governance. Plus they are new and untested. Plus they are not vetted by any standards or testing group in the industry. Plus most governance, compliance, and even records management folks don’t understand the technology to begin with (nor do many IT folk, for that matter). Are we outsourcing our risk analysis to the vendor selling the gear and taking his word for its “safety” from the standpoint of risk? If so, name one other area of corporate operations where compliance decision-making is outsourced to the vendor of the product you buy.

I assume these are rhetorical questions because many organizations buy applications which are sold as “compliant” with one law or another, which are new and untested and not subject to any established standards, without understanding them.

Is this smart or prudent? No.

Is it prevalent? It’s certainly common.

Fascinating.


Jered July 17, 2008 at 1:50 pm

Nice answers! Pass along my compliments.
