Information Governance
2022 Information Awareness Month One Day Seminar
New Frontiers and Information Technology Governance
Professor Michael Adams, Head of UNE Law School, InfoGovANZ Advisory Board
Introduction
The last two years have been a period of disruption due to the COVID-19 pandemic and the need for all businesses and organisations to “pivot”. In the information governance space this has been both a major positive and a serious risk. The positive is an upgrade in technology, so people can work from home. Collaborative tools such as SharePoint, MS Teams, Zoom, Google Docs and many more have been a boon for flexibility.
The EY 2022 Future Workplace Index [1], based on over 500 company responses across many sectors, reports that 75% anticipate no central physical office in the foreseeable future and 72% have hybrid remote/office approaches in place.
The big news is that, pre-COVID, about 45% of companies expected everyone in the office and only 15% could work remotely. Currently only 27% are in the office, with 31% fully remote and hybrid leading the way with 42%. The survey also asked about anticipated future arrangements, with 35% expected in the office, 20% working remotely and a massive 45% in hybrid mode.
The negative side of this quantum shift is poor control of data, with the cyber-security and privacy problems that follow. In a corporate environment, control over passwords and the storage of sensitive data is much easier to enforce. People working from home and logging in over less-than-secure Wi-Fi networks add to a myriad of other issues.
What is the impact of cybersecurity? [2]
GRC2020 published “2021 Trends: Governance, Risk Management & Compliance (GRC): An integrated focus on business integrity and resiliency” in January 2021. This document explains the lessons learnt from 2020 with GRC functions. Governance needs to reliably achieve objectives and risk management needs to address uncertainties. Compliance must act with integrity and there is a need for interconnected risk analysis. Disruption has become the norm and only dynamic and agile businesses can survive. 2022 will without doubt rely upon integrity, resilience and integration.
Information security, in the face of cybersecurity issues, will be the number one issue for the next few years. The 2020 pandemic has required greater focus on health and safety, as well as the broader environment. Similarly, there is greater use of GRC technology to address these changing trends. There is also greater engagement with stakeholders, especially consumers and regulatory authorities, as well as the number employee perspective.
It has been reported that cyber ransom threats were made to 1500 key bodies in Australia in 2021. [3] The organisations have been governments, schools, healthcare providers, law firms and other entities. Data has been stolen by cyber criminals or held to ransom. More than 75,000 organisations worldwide have failed to update their Microsoft Exchange email servers following the discovery of a major vulnerability in January 2021. It is believed that a Chinese state-sponsored hacking group called “Hafnium” was behind the majority of the cyber-attacks. Although Microsoft released multiple security updates and 92% had updated against the vulnerability by March 2021, that still left a major hole to be exploited.
This same issue hit the Prime Minister’s office in Malaysia, the US Chemical Safety/Hazard Board and the Michigan Supreme Court, to name a few organisations. No Australian federal or state government domains are identified as being at risk. However, 32 Australian healthcare providers have not updated their servers and are at risk, as well as 18 law firms and 24 private schools.
In September 2021, a government report was released that showed the Australian Cyber Security Centre received 67,500 reports of attacks last financial year, up 13% on the previous year. It appears that China is responsible for more than two-thirds of state-sponsored cyber-attacks around the world. [4] Additionally, in September 2021 a former UNSW student was sentenced to seven years’ imprisonment after pleading guilty to stealing A$123 million (US$90m) from investors in a cryptocurrency fraud. Mr Stefan Qin was born in Canberra and was convicted in a New York court for deliberately falsifying account statements from over 100 investors for personal gain. The then 20-year-old ran a crypto fund called Virgil Sigma Fund from Sydney in 2017 through a company (Virgil Capital). The Wall Street Journal reported that he had made 500% over 12 months for his clients. [5] The outbreak of war between Russia and Ukraine has lifted the level of cyber-attacks occurring throughout the world.
Human face of information leakage
In October 2021, the former Facebook (now Meta) executive, Frances Haugen, testified before the US Senate subcommittee on the influence of social media giants. She demonstrated that the unstoppable juggernaut is bulldozing society on its way to the bank at the expense of citizens and legal rights. [6] The exposure of Facebook via leaked internal documents, as reported by the Wall Street Journal, illuminated the inside knowledge of the damage that was being done to the body image of teenagers and by misinformation about COVID vaccines.
The question, as put by Malcolm Gladwell’s 2000 book The Tipping Point, is how little things can make a big difference. For corporate executives, directors and other officers, the use of corporate information governance is absolutely crucial. The author pointed this out back in June 2018 at the NSW Governance and Risk Forum under the acronym SEMTEX, where the “T” represented technology. [7]
This was followed by a doctoral thesis at the University of New England by Saranne Cooke entitled “Relationships, Risk and Remuneration: ASX200 Directors’ practices of the ASX Corporate Governance Council Principles”. Cooke identified from a large sample of interviews with ASX200 companies that the number one fear was expressed as “my fear is not what I know and what I decide upon, but what I don’t know”.
Directors are very aware of their personal circumstances and the political and catastrophic consequences for their companies from poor decisions, but also of the critical importance of the relationship and trust between executives and the board. Technology plays a central role in giving all stakeholders greater certainty that critical issues will be flagged.
The President of the Australian Law Reform Commission, Justice Sarah Derrington, a former Professor of Law at the University of Queensland, is chairing an enquiry into the complexity of the Corporations Act 2001 (Cth). In particular, it asks why there are 13,000 acts, 5,000 legislative instruments and over 100,000 court judgments that impact on corporate officers.
One last consideration for directors is the growing role within technology of cybersecurity and the growth in blockchain technology, from cryptocurrency (like Bitcoin) to new governance models known as DAO. [8] The Australian Securities and Investments Commission (ASIC) has issued Report 429 on the issue [9] and there is the case of ASIC v R I Advice Group Pty Ltd [10] (2021). The Australian Cybersecurity Strategy 2020 [11] is proposing major reforms on the role of privacy laws, consumers, data protection laws and directors’ duties, via an Australian Standard on Cybersecurity.
The growth and importance of information governance
Information governance, data protection and security, privacy, cybersecurity and artificial intelligence (AI) have all become critical topics for boards and government bodies to consider. Historically, the issues tended to be dealt with under either “IT” issues or records and information compliance issues. In recent years, the importance of cybersecurity, AI and data analytics together with changing privacy regulations have brought new governance challenges to the forefront of the minds of directors.
One of the top law firms, King & Wood Mallesons, listed digital disruption at number 3 in its 2016 Directions report. By the release of its 2019 Directions: navigating a new order [12] report, the issue of managing IT and cybersecurity had moved to the number 2 spot as a priority for boards. Similarly, in 2019 the Governance Institute of Australia released its own paper, entitled “The Future of the Governance Professional” [13], which had three major themes; technological disruption was the third highest priority for governance changes into the future (2025). Over 75% of the respondents agreed that the issue was vital or very important due to “the use of new technology and its effects on the workforce, and also because the rate of change and implementation of these technologies is accelerating”. [14]
There is acceptance that machines will be better than humans at some tasks, including taking minutes, gathering vast amounts of information and highlighting what is relevant for directors. But there will still be a need for emotional intelligence and creativity, which humans bring to the table (with bias and other unconscious attitudes). As well as AI, developments in real-time information flows, big data analysis, increased automation and improved ‘regtech’ with blockchain and voice recognition will all affect the governance role.
Previously, the author examined the link between corporate governance and the digital economy in Governance Directions. [15] The definition of information governance has generally been accepted as:
“the activities and technologies that organisations employ to maximise the value of information while minimising associated risks and costs”.
This definition was affirmed by 90% of respondents in the Information Governance ANZ (InfoGovANZ) survey report, published in 2019. [16] In the 2021 survey report, 81% of the respondents accepted the definition. [17] This survey built on the 2017 edition [18] and reinforced that information governance is an umbrella concept that describes all information management activities.
Conclusion
As we transition from pandemic to endemic and the world returns to a “new normal”, the traditional governance processes are just not fit for their purpose now. What stakeholders, including governments, regulators, owners and employees, actually expect has undergone a seismic change. There is a distinction between governance practices in the digital age and a framework for contemporary governance. The importance of cyber-security, new working frameworks and the value of information governance.
[1] https://www.ey.com/en_us/real-estate-hospitality-construction/ey-survey-on-future-workplace-index
[2] Legal Issues in Information Technology (editor Mark Perry), Lawbook Co 2022, Michael Adams chapter 2 “Theoretical frameworks and governance of information” pages 7-48.
[3] Liam Mendes, ‘Cyber ransom threat to 1500 key bodies’ (2021) The Australian 16 September, 7.
[4] Anthony Galloway, ‘China behind majority of cyber attacks’ (2021) Sydney Morning Herald 16 September 15.
[5] Jessica Sier, ‘UNSW dropout jailed for $123m crypto scam’ (2021) Australian Financial Review 17th September 18.
[6] Australian Financial Review, 8th October 2021 p2
[7] Michael Adams, “Top 2018 governance concerns: #SEMTEX” Governance Directions, Sept 2018
[8] Decentralised Autonomous Organisations
[9] LINK to ASIC website: https://asic.gov.au/regulatory-resources/find-a-document/reports/rep-429-cyber-resilience-health-check/
[11] https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy
[12] King & Wood Mallesons, Directions 2019: Navigating a new order – https://www.kwm.com/en/au/knowledge/hubs/directions-non-executive-directors
[13] GIA, The Future of the governance professional, August 2019 – https://www.governanceinstitute.com.au/media/884166/govinst_the-future-of-the-governance-professional_august-2019.pdf
[14] Corporations and Markets Advisory Committee, 2006, Personal Liability for Corporate Fault Report 9.
[15] Adams, M & Bennett, S, 2018, “Corporate governance in the digital economy: The critical importance of information governance” 70(10) Governance Directions
[16] Information Governance ANZ, IG Industry Survey, July 2019 https://www.infogovanz.com/wp-content/uploads/2020/01/IGANZ2019ReportFinal.pdf
[17] Information Governance ANZ, IG Industry Survey, May 2021 https://www.infogovanz.com/wp-content/uploads/2021/05/InfoGov_IndustrySurvey_MAY2021.pdf
[18] Information Governance ANZ, IG Industry Survey, August 2017 https://www.infogovanz.com/wp-content/uploads/2020/01/IGANZ_Industry_Survey_AUGUST_2017.pdf
InfoGovANZ releases the Information Governance Primer
Susan Bennett, Executive Director of Australian-based think tank Information Governance ANZ (InfoGovANZ), is delighted to launch the Information Governance Primer, which provides a wide-ranging overview of the fundamentals of good information governance.
In today’s digital environment, the growing number and complexity of challenges associated with data and information have outpaced traditional information and records management practices. The Information Governance Primer addresses these challenges by providing a guide to developing a holistic enterprise-wide system to mitigate risks and maximise opportunities.
“The COVID-19 pandemic has highlighted the importance of access to accurate and real-time data for decision-making by senior executives and boards, access and reliability of organisational systems and information for employees to carry out day-to-day work and for decision-making at all levels throughout the organisation and information security and the increasing cyber risks arising from working remotely and the increasing use and reliance on third-party platforms and software.”
The Information Governance Primer was developed to address these unfolding issues and provide practical guidance in how organisations can implement robust governance to mitigate risks. It assists professionals to develop a well-executed IG framework and program, with appropriate leadership to deliver effective security and control of data and information by reducing costs of holding information and maximising the value of information held by the organisation.
The Information Governance Primer not only articulates persuasively the rationale for implementing good information governance, but aims to equip IG practitioners with the knowledge required to build and improve information governance across a range of organisation types including government, corporates and not-for-profits.
Ms Bennett explained, “InfoGovANZ’s mission to build the knowledge of IG, best practices and innovation led to the development of the Information Governance Primer which addresses the critical issues and challenges the IG community faces in creating and deploying effective governance”.
The Information Governance Primer provides a general overview of information governance, covering a range of important factors including the key drivers of IG, benefits of successful IG implementation, an outline of IG models and frameworks plus the role of IG leadership in establishing robust information governance.
The Information Governance Primer is free for InfoGovANZ members and is available here. New InfoGovANZ members receive a free copy when they join. Find out more about membership, including a range of benefits here.