This piece from ZDNet blogger Paul Murphy brings to light some misconceptions that are common in IT departments. Just as Murphy points out, as much as these assumptions are oh-so-common, they are also oh-so-wrong. Here they are:
- Legal defense costs aren't IT costs.
- A regulatory, court, or government mandated product recall that has nothing to do with IT isn't chargeable to IT.
- Personal costs incurred by employees because a third party lost a laptop full of personnel data aren't attributable to IT.
All three of these things, Murphy says, represent IT failures.
As for the first one, every record "from the phone switch to board minutes" should be saved twice, each copy on separate removable storage, with chain of custody tracked and maintained. E-mails and other records should be easily located in the event of a discovery request.
Murphy doesn't mention them specifically, but this is where the amendments to the Federal Rules of Civil Procedure concerning electronically stored information come in. If those documents aren't easily located and produced, the fines and court costs that could result may far exceed what it would have cost to install and maintain a proper records management system.
The second is also an IT failure because the recall is "driven from IT abilities to limit the costs of compliance."
The third is also easy, according to Murphy. All it takes is "getting top level management to accept and enforce sensible policies on data access."
To convince top management to take the action you need them to take, focus on what it would cost to litigate the issues and/or insure against the risk, Murphy says.