Happy February 20^th and Information Governance Day! Today is an opportunity to reflect on the evolution of information governance and, more importantly, its future. In our view, information governance is in its ascendency and is only becoming more and more important to our clients.

We have been providing legal advice on information governance (IG) to our clients for over twenty years. For most of that time, IG has been the misfit toy in the cupboard of data risk as compared to e-Discovery, cyber, and privacy. Traditionally, it has received the least attention and been poorly resourced. The benefits of strong records management were seen as too vague or diffuse, while the risks of poor records management – especially the costs of over retention of data – were considered too minor to justify meaningful investment. Even for serial litigants, the increased e-Discovery costs caused by excessive data retention were often dismissed as just another cost of doing business or too speculative to warrant serious attention.

We believe information governance has reached—or even surpassed—a tipping point, emerging as a central focus for IT, Information Security, Legal, and Compliance. These teams increasingly recognize its critical role in mitigating key risks and shared pain points. This shift is driven by a convergence of powerful forces gaining momentum. In response, Norton Rose Fulbright has established a unified legal practice that integrates its information governance, cyber, privacy, and e-discovery lawyers:

1. Cyber incidents are more expensive and high profile than e-Discovery matters. Cyber security incidents have become an epidemic and are now the top risks that concern the C-suite. Data that is properly deleted cannot be stolen, and well organized data is easier to segment and protect. Information governance is becoming a key tool in minimizing the impact of inevitable cyber incursions.
2. Data minimization is one the most important elements of data privacy. Good privacy compliance revolves around minimizing the risk of improper collection, disclosure, and use. Companies are recognizing that the less personal data collected, distributed, stored, and transferred, the less risk of a privacy failure. One of the primary purposes of information governance is data minimization.
3. Mobile devices, third party messaging applications, and decentralized communications have transformed corporate communications. No longer confined to the structured flow of enterprise email and company-issued laptops, communication has fractured into a complex web of messaging apps, texts, and mobile devices. This shift has created significant logistical, administrative, and compliance challenges for organizations. In particular, plaintiffs and regulators are increasingly demanding the production of these communications in litigation.
4. Regulators are forcing focus on better information governance. Beyond the SEC imposing massive fines on regulated companies for not managing text messages and other communications, many other regulators in and outside the US have fined companies for not having effective information governance programs and/or over retaining data. 
5. Customers, clients, and employees are demanding better information governance. The spate of cybersecurity incidents and their accompanying notice obligations have highlighted to business partners, clients, and customers how much obsolete data companies are keeping (this is particularly problematic for former customers, clients, and employees). In turn, there is greater push back from impacted clients and demands for better organization and disposition practices.
6. Generative AI demands better information governance. While AI may eventually help with information governance by providing tools that will help classify, store, and dispose of data more efficiently, generative AI works best when the quality of its data is good.
7. IT is transforming from a service function to a strategic partner focused on maximizing the value of data. Data management can no longer be hoisted on employees with the expectation that they will clean up their email and file shares in their spare time. It is understood that programmatic tools and permissions need to be implemented in corporate applications to integrate not just privacy by design principles, but information governance by design principles such that the whole life-cycle of data is properly managed.

The benefits of good information governance is no longer ambiguous or diffuse. They are concrete, real, and address important risks that are the focus of senior executives beyond just Chief Compliance and Legal Officers. Because cyber, privacy, regulatory, and e-Discovery risks overlap and have both common causes and solutions, we are seeing more and more emphasis (and resources) put on good information governance and organization. Instead of siloing these legal, compliance, and technical issues, we are seeing mature companies bring these mandates together to foster communication, cooperation, and solutions. This is a good step forward and a reason to celebrate on Information Governance Day!