• Paul Peter Nicolai


Information is a company asset. Mismanaging it is like mismanaging inventory. Every container moving through the global shipping network is tagged and monitored so that the owner of the container or its contents always knows its whereabouts. Produce growers selling through major retailers use blockchain technology to create a record that travels with the plant to document provenance and safety. Payments above a certain amount require the approval of higher-level executives who manage company assets.

Most companies do not manage information like other assets. That needs to change. Information lets the company better respond to customer needs, plan for the future, and advance the business while protecting legal interests. That is not all: information is a commodity that can be sold and traded, and it can be transformative for a business.

In the old days before widespread computer use, having control over company information was not an issue. Information was on paper. Proliferation was limited to the copy machine. Companies did not have to worry much about having information exposed or stolen in wholesale form.

The internet, e-mail, and networked systems changed that completely. Information is now transportable and easily misdirected or misappropriated. Controlling information is a completely new paradigm. As more business processes are outsourced, third parties working for companies now have care, custody, and control over company information and may believe the information is theirs. The Cloud complicates things further as more and more company information is stored in another company’s servers. Doing business in social media environments means evidence of those transactions is trapped in someone else’s system. In this new context, knowing what information is yours, where it is, who else has access to it, and what contracts give others rights to use it creates a completely new challenge.

Getting a handle on your information assets to take back control is essential, but not simple. Businesses should take steps to better control electronic information.

  • The only way to know what information resources you possess is by looking. That doesn’t mean inventorying each file, but using tools to understand what information exists, the business units it relates to, and where it is parked. What is in structured databases, and what information is in unstructured share drive environments? What is the aging and continued use of the data? Do records retention rules allow the information to be disposed of? Knowing where your information is will promote a less burdensome litigation response and discovery process. Assessing content using analytic tools can help unearth trade secrets and personally identifiable information (PII) stored in locations that pose a greater risk of exposure. Knowing what information assets the company has and where the information is promotes a better business.

  • Every business unit likely has business relationships with partners and third parties. Those relationships are governed by contracts which may delineate who owns the information, what rules apply to it, who can use it and how and with whom it can be shared, etc. The company should develop a process to understand what contracts say about company information. The company should develop standard language for contracts that deal with relevant information issues like access, ownership, responsibilities, and costs in responding to requests for information and so on. Building consistency in contracts will help build a better information ecosystem. Companies should know what agreements exist between the company and customers or potential customers. If a company tells employees information will not be shared, the company must comply. Saying the company is complying and making sure everyone is actually complying are different things. Routine audits will ensure the company and its movable parts are following suit. Contract language telling non-lawyers about what the company may do with information should be simple. In this environment, saying a customer waived a right to object to the company selling information because the customer could have reviewed the linked legal language is not safe.

  • Get a handle on what is being done with your information. Beyond contract language, what third parties have access to or use your company information? It’s important to understand what others are doing with that information. Your company should know what its employees are doing with other companies’ or individuals’ information inside the company. If a business unit shares information from a partner it did not realize should not be shared, there could be consequences. Your company should be on top of where its information comes from and where it goes.

  • Multiple business units are doing real business in social network or media environments. Maybe it is looking for new hires or marketing products and doing competitive analysis. Invariably this means the company is parking company information in an environment outside its control. The social environments are not inclined to accommodate your information needs and apply your information rules, even if you are paying for their service.

  • The proliferation of cloud computing and working from home means company information moves to many places without the company knowing. With data loss prevention tools and other monitoring applications, companies increasingly can watch and stop the movement of data leaving, but the reality is more and more information is parked outside the company computer by more and more employees for various reasons. Efforts should be made to use policy and technology to monitor and audit the information flow.

  • Noncomputing devices that assess, collect, or distribute information in many business processes (IoT) are being added to companies usually without much thought about the information created. Companies should assess each business process using an IoT device or appliance and determine what information is collected, by whom, where the information is stored, and who has access to and use of it.

  • One of the concrete steps companies can take to address the information flow chaos is to centralize the process of sizing up all the information inputs and outflows in an Information Asset Register (IAR). This process will routinize the collection of information, and the IAR will provide a centralized view of all things information that can drive business efficiency and mitigate risk.

The information landscape of most companies is the data equivalent of a yard sale. Stuff everywhere without rhyme or reason; chaos that does not reflect true value.

Whether it is a litigation headache or the inability to find the final contract documenting an important transaction, information mismanagement is bountiful, inconvenient, and expensive.
