What do Information Governance and Parenting Have in Common?
December 02, 2019
Parenting as a metaphor for complex problems
George Lakoff recently retired from his career as a professor of linguistics at the University of California, Berkeley. Lakoff is best known for his belief that people use a small set of central metaphors to guide complex decision-making.
One of the key metaphors Lakoff found people use as a roadmap elsewhere in life is their parenting philosophy. He categorized people’s approaches into either a “strict father model” or a “nurturant parent model.” People in the strict parenting camp tend to view the world as a challenging, if not dangerous, environment where the role of a parent is to prepare a child for survival. Those in the nurturant camp tend to see their parenting role as one where they provide support and empathy as the child finds their own way through the journey of life.
Lakoff suspected an individual’s parenting style may be a strong indicator of their political beliefs. Those who lean toward a strict parent model would be more likely to hold conservative political beliefs, while those who fall into the nurturant model would more likely have liberal political beliefs.
A University of Minnesota psychologist, Marti Gonzales, recently tested that theory and found it holds true (NPR’s “Hidden Brain” podcast has a great episode on this topic). Specifically, Gonzales found that the narratives used in political advertisements frequently leverage parenting metaphors–with Republican candidates consistently favoring the strict father model and Democratic candidates consistently favoring the nurturant parent model (Filson Moses, Jennifer & Hope Gonzales, Marti, 2014. Strong Candidate, Nurturant Candidate: Moral Language in Presidential Television Advertisements).
The nurturant parent approach to information governance
Startups in Silicon Valley are known for both their forward-thinking products and untraditional work environments. Not surprisingly, these organizations are quick to embrace new technology.
A software developer may spend the bulk of her waking hours in front of her computer–and much of the remaining hours interacting with her cell phone. The technology such an employee uses is a more critical component of her overall work environment than the physical space of her office. Given the choice between an office with an ocean view or a powerful computer with an excellent monitor, a developer will likely opt for the latter.
Productivity is at stake here. A typical full-stack web developer may need upwards of 10 applications running at any given time. With so many applications to constantly bounce between, it is difficult to overstate the importance of comfort and familiarity. Developers heavily leverage keyboard shortcuts and mouse gestures to switch between all of these applications and perform repetitive tasks during debugging. If such an employee is forced to use applications she is not comfortable with or, worse yet, switch from her preferred operating system, the decrease in productivity can easily amount to hours lost per day.
In this environment, the nurturant parent approach to information governance makes a lot of sense. Accordingly, small startups often let employees bring their own devices and place few or no restrictions on choice of hardware or software. In fact, BYOD policies play a role in attracting and retaining talent in this community (a trend that seems to be gaining momentum outside the startup world as well).
Then, the startup gets sued for the first time. This is often a watershed moment. Every step of the discovery process can be painful. Management may struggle to identify where critical data is stored and who had access. Some of the great new technology the team uses may be so new that the other startup down the road that made that software hasn’t thought to build compliance or export functionality into it yet. Some of the convenient cloud-based tools the team uses may have synchronized critical data to myriad unintended (and undesired) devices–or, worse yet, geographies. It becomes clear at this point that the lax information governance policy has been a lurking problem for some time.
After collection, things don’t get much easier. E-discovery software doesn’t typically catch up to new platforms right away. Processing tools may not be able to open the collected data and review tools may not be able to display the data in an intuitive manner for the document review team. Even if the legal team makes it through all of this, they’re likely to be pulled into court and forced to explain themselves when opposing counsel receives a production of the difficult-to-review data and argues that the defendant is playing discovery games by producing in this format.
The nurturant parent model that bred a happy, collegial workplace for the first couple years of this startup’s life seems to have failed, leaving the company exposed and struggling to explain itself in court.
The strict parent approach to information governance
At a Big 4 accounting firm, believing “Casual Friday” means you can wear jeans is a rookie mistake (even if the handbook explicitly says it’s allowed, it’s not really). Employees are each issued one of two laptop options–there’s usually a small, sad black plastic knockoff of a MacBook or a gigantic, hardly portable option with a big screen and a full numeric keypad to the right of the keyboard. Both options include a screen privacy filter that simultaneously prevents your neighbor on an airplane from snooping and prevents you, the user, from ever being able to read text on the screen without squinting.
Running a version of Microsoft Windows that is at least 5 years old, all computers are dispatched from IT with a dizzying array of security software. During the 5-minute boot process, the anti-virus software loads up (and performs a painfully comprehensive daily scan), along with a VPN client, a corporate messaging client, a file backup and synchronization client, and nearly a dozen other applications with unclear functionality (each adding another icon to the system tray). Employees are not permitted to install any additional software on their computers.
Corporate policy is quite clear that the company’s devices are for work use only and all activity on the devices can be monitored at any time. This policy also extends to the company-issued iPhone, which uses an Orwellian mobile device management platform, enabling IT to locate, wipe, or inspect any data on the device or transmitted to/from the device at any time.
At first glance, it would seem that–while this organization has implemented information governance policies that qualify it as a police state–they have at least eliminated the litigation-related risks that our nurturant startup faced. Unfortunately, that’s often not the case.
Because this information governance structure ignores the reality of daily technology use, you can rest assured that employees are regularly violating the policies. It’s hard to imagine anyone today making it through an entire work day without engaging in any personal technology use. No one likes carrying two phones around and even those who do occasionally have to cross devices (perhaps they left one device in the car or one device has a dead battery). At a bare minimum, we can be fairly certain employees are using either company devices for unapproved personal use or unapproved personal devices for work purposes.
Where systems are this locked down, the workarounds users come up with create gaping security and compliance holes. This is the scenario where you’ll often hear the ominous phrase “so I just forwarded it to my personal email.” The rest of the story ends up in court documents or, worse yet, the press. Draconian policies that ignore the reality of normal use may ultimately pose a greater risk to an organization than laissez-faire policies.
Another risk to this approach may come not from the end users themselves, but rather from the individuals who oversee these systems. Some mobile device management platforms hand a rogue IT employee a formidable toolkit for nefarious purposes (e.g., stalking a fellow employee). Carefully assess how much access a prospective MDM solution gives to admins and consider whether your organization needs–or wants–to have such access.
The case for moderation
Taking almost any philosophy in life to its extreme will yield a poor outcome. Picture the child of the strictest parent you can imagine. Picture the child of the most free-spirited parent you can imagine. Chances are, you don’t view either scenario as ideal.
Whether it’s parenting, politics, or information governance, it’s generally best to approach complex problems with an open mind, gather as much information as possible, look for a solution that balances all interests, and understand that complex problems rarely have perfect solutions.
To further illustrate the point, let’s switch metaphors for a moment: imagine if we applied common information governance policies to cars in the workplace. A car is useful for both work and personal reasons. Employers don’t ask their employees to drive around with a trailer behind them so they can switch back-and-forth between their work vehicle and their personal vehicle throughout the day. They also don’t ask employees to place an audio recorder and a homing beacon in their personal car before allowing them to drive it to a meeting (which is effectively what some MDM platforms do to an employee’s cell phone). That doesn’t mean vehicle use isn’t an issue–it often is. Some employees abuse company cars, some are involved in car accidents, and some cars get stolen with important company records in the trunk. Cars have been around long enough for us to accept that we need policies and safeguards around their use in the workplace. But we also know that their ordinary use will sometimes result in challenges that cannot reasonably be avoided without unduly burdening the employer, the employee, or both.
Practical tips for a moderate IG structure
As a practical matter, what does a balanced approach look like? Cloud solutions and containerized (or “sandboxed”) applications–properly utilized–are both excellent tools for building a balanced and effective information governance structure. Cloud-based productivity solutions, like Microsoft’s Office 365 and Google’s G Suite, offer robust web-based interfaces for their tools. Administrators can restrict users’ ability to download content to a device’s local storage. A web-based approach provides a strong foundation upon which to build a flexible BYOD policy that minimizes many key risks. Containerization is also a great approach to keeping company data safe where a web-only interface would be insufficient. With containerized applications, company data is sandboxed into a protected storage area, which the company can closely control without needing access to system resources outside of the application’s container. Citrix and BlackBerry (which acquired Good Technology) both offer containerized mobile solutions. Containerized mobile email is a great alternative to more comprehensive MDM platforms (such as MobileIron or AirWatch) in situations where the built-in security features of Exchange or Gmail have been deemed insufficient (a common, but debatable conclusion).
You can’t eliminate data-related risk, but you can mitigate it
Today’s information governance challenges are real and they are complex. Remember: no matter how much you lock down a device, a bad actor can still simply point a camera at the screen and take a picture. Data risks cannot be completely eliminated–only mitigated. No employee expects their workplace to be without rules or structure, but no one wants to be spied on or made to work with low-quality tools. Similarly, an employer cannot ignore their information governance responsibilities, but they are not expected to eliminate every possible risk. As with parenting, perhaps the best approach is one of moderation.