The first exclusively online law review.


Blog: The Overbroad Computer Fraud and Abuse Act: Its Implications and Why Its Scope Should be Narrowed

by Barry Gabay, Associate Staff

If you are at work and you are reading this, you may be subject to federal criminal sanctions.

The Computer Fraud and Abuse Act, the federal government’s key anti-hacking law, was originally enacted in 1986 to deter hackers from wrongfully obtaining confidential governmental and financial information, or infecting “federal interest” computers with harmful viruses.  In passing the act, Congress sought to regulate only those computer crimes that were interstate in nature, particularly those involving large financial institutions and governmental organizations.[1]  However, the statute was amended several times to ultimately broaden the CFAA’s reach.  In the mid-90s, for example, Congress placed criminal misdemeanor liability upon individuals who acted merely “recklessly” in their computer use,[2] and later placed liability upon individuals who obtained and read “any information of any kind so long as the conduct involved an interstate or foreign communication.”[3]  But Congress went even further in 2008 when it most recently amended the CFAA.  For starters, Congress eliminated the $5,000 misappropriation threshold for CFAA liability.  But further, while previously a defendant must have stolen information through interstate commerce or foreign communication to be prosecuted under the CFAA, the statute was amended to now encompass all information obtained “from any protected computer.”[4]

Today, liability under the CFAA can be proven by showing that a defendant (1) intentionally accessed a computer (2) without authorization or exceeding authorized access, and thereby (3) obtained information from a protected computer.[5]  The pertinent definition of “protected computer” is any computer “which is used in or affecting interstate or foreign commerce or communication.”[6]  Courts have found that the Internet is “an instrumentality and channel of interstate commerce,” thus within the realm of Congressional regulation, and for purposes of CFAA violations, the defining characteristic of a “protected computer.”[7]  To put it in perspective, this criminal statute was broadened from pertaining only to computers with direct “federal interest” to now any computer connected to the Internet.

Nevertheless, the main litigable issue has proven to be determining when an individual is “authorized” to use a computer.  Under the CFAA the phrase “exceeds authorized access” is “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to obtain or alter.”[8]  Whereas an employee who uses a computer “without authorization” has “no rights, limited or otherwise, to access the computer in question,” an employee who “exceeds authorized access” had initial authorization to use the computer “for certain purposes but goes beyond those limitations.”[9]  However, the phrase, “without authorization” is not defined in the CFAA, and a circuit split has thus developed over the interpretation of the phrase.  

The majority broad view, adopted by the First, Fifth, Seventh and Eleventh Circuits, holds that an employee’s computer authorization is terminated the moment that an employee acts contrary to his employer’s interest.[10]  These circuits hold that any time an employee uses a company computer in a way not in direct benefit to his employer the Department of Justice has jurisdiction to prosecute.  As Justice Floyd noted in the summer of 2012, “[s]uch a rule would mean that any employee who checked the latest Facebook posting or sporting event scores in contravention of his employer’s use policy would be subject to the instantaneous cessation of his agency and, as a result, would be left without any authorization to access his employer’s computer systems.”[11]

However, in the two most recent federal appellate cases on the issue, the Fourth and Ninth Circuits both adopted a narrow interpretation of the statute.  Those circuits held that an employee is “authorized” to use a company computer when the employer gives that employee permission to use it.  An employee’s subsequent misuse of an employer’s computer would not be subject to federal sanctions, as that employee was “authorized” to use that computer under the CFAA. [12]

While a broad interpretation of the CFAA may deter some individuals from using computers in ways not intended by their employers, that deterrence derives from ludicrous sentencing for comparatively innocuous criminal actions.  Aaron Swartz, the well-documented Internet activist who allegedly downloaded millions of articles from MIT’s online library, faced a maximum sentence of 35 years incarceration before the 26-year-old took his own life.[13]  In comparison, the maximum federal sentence for a first-time felon guilty of attempted murder who left the victim with life-threatening bodily injury is 24 years.  A first-time child pornographer who distributes images of a child under the age of 12 engaged in explicit sexual acts would receive a maximum federal sentence of 30 years imprisonment.  If an employee merely getting fired by her employer is not enough deterrence for misusing a company computer, then state criminal statutes and tort and contract law surely provide adequate deterrence.  Thus, in practice, the broad interpretation of the CFAA merely serves to make ordinary working individuals, who, while perhaps distracted during the workday, possess no real criminal intent whatsoever, into federal criminals.

In the wake of Aaron Swartz’s suicide, the Justice Department and members of Congress have recently expressed their willingness to narrow the scope of the Computer Fraud and Abuse Act.[14]  The bipartisan Aaron’s Law was introduced in the House of Representatives to limit the scope of the CFAA.  That limitation is long overdue.  It is a well-established canon of statutory construction that courts must construe criminal statutes narrowly, so as to avoid over-criminalization.  But courts, obviously unable to define a crime, are relegated merely to the text, and hinge liability on the terms “without authorization” and “exceeding authorized access.”  With the firmly entrenched circuit split now in place, the Supreme Court may in the not too distant future weigh in on the issue if Congress does not first amend this overbroad statute.


[1] See Sarah A. Constant, The Computer Fraud and Abuse Act: A Prosecutor’s Dream and a Hacker’s Worst Nightmare—The Case Against Aaron Swartz and the Need to Reform the CFAA, 16 Tul. J. Tech. & Intell. Prop. 231, 233 (2013).

[2] Computer Abuse Amendments Act, Pub. L. No. 103-322, tit. XXIX, 108 Stat. 2097 (1994).

[3] Economic Espionage Act, Pub. L. No. 104-294, tit. II, 110 Stat. 3488, 3491 (1996). 

[4] 18 U.S.C. §1030(a)(2)(C) (2008).

[5] Id.

[6] 18 U.S.C. § 1030(e)(2)(B). 

[7] United States v. Trotter, 478 F.3d 918, 920-21 (8th Cir. 2007) (internal citations omitted). 

[8] 18 U.S.C. § 1030(e)(6). 

[9] LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 33 (9th Cir. 2009). 

[10] See E.F. Cultural Travel BV v. Explorica, 274 F.3d 577 (1st Cir. 2001); United States v. John, 597 F.3d 263 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420-21 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258 (11th Cir. 2010).

[11] WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012).

[12] Brekka, supra note 10, at 1133.

[13] See generally David Amsden, The Brilliant Life and Tragic Death of Aaron Swartz, Rolling Stone (2013), available at http://www.rollingstone.com/culture/news/the-brilliant-life-and-tragic-death-of-aaron-swartz-20130215.

[14] Brian Fung, The Justice Department Used This Law to Pursue Aaron Swartz. Now It’s Open to Reforming It. Wash. Post. (Feb. 7, 2014 at 4:03 PM), http://www.washingtonpost.com/blogs/the-switch/wp/2014/02/07/the-justice-department-used-this-law-to-pursue-aaron-swartz-now-its-open-to-reforming-it/.

Blog: How Will the Government Deal with Bitcoin?

By: Associate Technology and Public Relations Editor, Taylor Linkous

 

            As bitcoin continues to rise in popularity and value and steadily establishes itself in the mainstream economy, it has simultaneously revealed its flaws and weaknesses.  Will bitcoin successfully establish itself as a revolutionary technology that is here to stay or will its faults cause it to eventually fade out?  Moreover, if it is here to stay, what should the government do with it?

First of all, bitcoin is a virtual form of currency that was created in 2009 by an anonymous programmer who goes by the code name, “Satoshi Nakamoto.”[1]  Bitcoin is not backed by any government or banks and actually exists only online.[2]  What makes it attractive yet dicey is that transactions are made directly between users with no middle men and buyers and sellers remain anonymous.[3]  Bitcoins are created through “mining.”  Explained in the most basic terms, “mining” is when people solve very complex math puzzles on computers and are rewarded with bitcoins.[4]  Many businesses have already decided to accept bitcoins, including a Subway sandwich shop in Pennsylvania, CheapAir.com, and even some law firms.[5]

Bitcoin’s rise in popularity and value is evidenced by the steep increase in its value.  As of December 2013, bitcoins were worth $1,100 each.[6]  Further, the first Bitcoin ATM was installed in a coffee shop in Vancouver, Canada and had 81 transactions on its first day.[7]  In fact, just recently, the first Bitcoin ATMs offering Bitcoins for cash in the United States opened up in Boston and Albuquerque and the first Bitcoin ATM Machine to dispense cash for Bitcoins is set to open in a bar in downtown Austin this week.[8]  These Bitcoin ATMs are predicted to encourage people to use the virtual currency in their everyday lives, bringing it out of the deep, complex tech world and into the “real world.”[9]

However, despite bitcoin becoming increasingly recognized as legitimate, it is still unregulated and there are remaining concerns about its prevalent use for criminal activities because of the anonymity.  Bitcoin was the currency used for Silk Road, a website that was shut down by the FBI last year for facilitating the purchase and sale of drugs and other illegal items such as guns and child pornography.[10]  Silk Road 2.0 was launched after the original website’s shutdown; however, a glitch in the website allowed hackers to steal $2.7 million from the customers who had their money in Silk Road’s accounts.[11]  Thus, not only are there concerns about bitcoin use for criminal activity, this incident with Silk Road 2.0 has called into question bitcoin’s credibility and hurt its chances of becoming more mainstream.[12]

Regardless, the growing popularity and value did spark a conversation in the Senate Committee on Homeland Security and Government Affairs this past November.[13]  At the hearing, law enforcement officials expressed concerns about anonymity and their need for help in catching people who are using bitcoin for criminal activity.[14]  On the other side, bitcoin users and The Bitcoin Foundation stated the government should leave the virtual currency unregulated and allow it to continue to grow and thrive on its own.[15]

Currently, even though users of bitcoin are not regulated, businesses acting as “money transmitters” are covered under current law.  Other existing statutes, such as mail and wire fraud, could be used to prosecute some misuse of bitcoin.[16]  Other than that, regulators are having a hard time deciding how to deal with it.  It is unclear whether bitcoin should even be treated as a legitimate currency.[17]  For example, Canada has taken the position that bitcoin is not considered currency and they will not regulate it.[18]  Germany is treating bitcoin like a foreign currency and Brazil passed a law in October 2013 specifically dealing with electronic currencies, such as bitcoin.[19] 

It will be interesting to see whether the introduction of Bitcoin ATMs will help bitcoin secure its spot as a legitimate currency or whether the Silk Road 2.0 incident will stunt bitcoin’s otherwise rising popularity.  Even more importantly, if bitcoin is here to stay, will the government allow it to remain unregulated or recognize it as currency and step in to create a regulation?


[1]  http://money.cnn.com/infographic/technology/what-is-bitcoin/

[2]  http://blogs.wsj.com/moneybeat/2014/02/17/bitcoins-crisis-is-turning-point-for-currency/

[3]  http://money.cnn.com/infographic/technology/what-is-bitcoin/

[4]  See id.

[5]  http://money.cnn.com/gallery/technology/2013/11/25/buy-with-bitcoin/7.html

[6]  http://blogs.wsj.com/moneybeat/2014/02/17/bitcoins-crisis-is-turning-point-for-currency/

[7]  http://www.forbes.com/sites/kashmirhill/2013/10/31/why-are-people-so-excited-about-a-bitcoin-atm/

[8]  http://www.usatoday.com/story/money/business/2014/02/19/bitcoin-atm-austin/5623387/

[9]  http://www.forbes.com/sites/kashmirhill/2013/10/31/why-are-people-so-excited-about-a-bitcoin-atm/

[10] http://www.usatoday.com/story/news/nation/2013/10/21/fbi-cracks-silk-road/2984921/

[11] http://money.cnn.com/2014/02/14/technology/security/silk-road-bitcoin/

[12]  See id.

[13]  http://money.cnn.com/2013/11/18/technology/bitcoin-regulation/index.html

[14]  See id.

[15] See id.

[16] http://www.abajournal.com/news/article/should_virtual_currencies_be_subjected_to_real-life_regulation/

[17] See id.

[18] http://www.forbes.com/sites/kashmirhill/2014/01/31/bitcoins-legality-around-the-world/

[19] See id.

Blog: Snapchat – Defeating an Authenticity Objection in Court

by Danielle Bringard, Associate Survey and Symposium Editor       

We’ve all done it.  We’ve all taken the “selfie.”  Facebook, Twitter, Tinder, Instagram, and Snapchat are just a few of the social media applications that allow users to transmit photos and videos to each other from various electronic devices.  However, unlike most social media sites, Snapchat has a unique feature.  Unless a user takes a “screenshot” of the photo or video while it is being received, the photo or video is deleted after up to 10 seconds.[1]

The only information you can obtain from Snapchat about a user is: the user’s email, the user’s phone number, the username, a log of the last 200 snaps that have been sent and received, and the date the user created the account.[2]  The exception is when either the sender or the recipient downloaded the message and kept it saved, so that it can be retrieved from the actual device rather than from the Snapchat application.  The Richmond Journal of Law and Technology has recently published an article which explores the dangers of Snapchat and sexting,[3] but what about the admissibility of a Snapchat history in a court of law?

            While there have been no cases specifically dealing with Snapchat, there have evolved two competing theories regarding the authenticity of social media evidence in general.[4]  First, in the Griffin case, the court requires: the testimony of the creator, documentation from the creator’s computer, or information obtained directly from the social media site which would tend to show that the evidence seeking to be admitted was not falsified or created by another person.[5]  Under the Griffin Test, Snapchat could be authenticated with the report from Snapchat Legal which gives the user’s email, phone number and username provided the party seeking admission could show a match with the purported author.  Second, in the Tienda case, the court will admit social media evidence on a ruling from the judge that a jury could reasonably find that the proffered evidence is authentic.[6]  Under this ruling authenticity could also easily be established with a report from Snapchat Legal.

While the Griffin test appears to be more stringent than the Tienda test, both courts examined the content and the context of the social media page seeking admission in making their rulings.  Given that requesting the proper authenticating information from Snapchat Legal is no series of hoops to jump through, it is likely that most courts will overrule any objection to the authenticity of a user’s history report from Snapchat Legal.

             


[1] Snapchat Law Enforcement Guide 3 (last updated Dec. 1, 2012) available at http://www.mrcac.org/content/uploads/2013/02/Snapchat_Law_Enforcement_Guide_12112.pdf.

[2] Id. at 4.

[3] Nicole A. Poltash, Snapchat and Sexting: A Snapshot of Baring Your Bare Essentials, 19 Rich. J. L. & Tech. 4 (2013) available at http://jolt.richmond.edu/v19i4/article14.pdf.

[4] Tienda v. Texas, 358 S.W.3d 633 (Ct. Crim. App. Tex. 2012); Griffin v. Maryland, 19 A.3d 415 (Ct. App. Md. 2011).

[5] Griffin, 19 A.3d at 427-428.

[6] Tienda, 358 S.W.3d at 638.

Blog: Banned from the Web: Is the Internet Really a Human Right?

by Catherine M. Gray, Associate Manuscripts Editor

 

Just before Valentine’s Day, a Racine County Circuit Court judge banned a Wisconsin resident from using the Internet for thirty months.1 Jason Willis, a thirty-one year old resident of Waterford, created a Craigslist ad requesting “nude male suitors” using his neighbor’s picture and address.2 As one might imagine, Willis’ neighbor “Dawn” was shocked when several men arrived at her door, one wearing only a trench coat.3 In banning Willis from the Internet, Judge Allen Torhost declared, “[i]f you want to drive drunk, you’re not allowed to drive. To me, a public availability of the internet [sic]—to use it the way he did—is unconscionable.”4

But did Judge Torhost’s decision violate Willis’ human rights? A 2011 United Nations report declared “that disconnecting people from the internet [sic] is a human rights violation and against international law.”5 While the report focused on the United Kingdom and France’s efforts to block individuals accused of illegal file sharing and countries who would block Internet access to “quell political unrest,” it calls into question whether Judge Torhost’s decision in some way violated Willis’ fundamental rights in modern society.6 In the United States, higher courts than Judge Torhost’s have declared banning an individual from the Internet is an appropriate remedy.7 Nevertheless, there is a question of whether, in a society and work industry so intrinsically linked to the Internet, banning an individual from being online constitutes a human rights violation. Will the individual be able to secure and maintain employment? Does the answer to that question really matter?

Despite the United Nations’ assertion that the Internet is a human right, I’m inclined to agree with Judge Torhost and the Eleventh Circuit here. Recently, Miranda Barbour admitted to killing more than twenty individuals across the United States, lured to their deaths through Craigslist.8 The use of the Internet for the purposes of harassment, child pornography, and even murder does much to counter the U.N.’s argument for a human right to the World Wide Web. In these cases, I see little wrong with banning convicted offenders from using the Internet, even permanently. Part of being a productive, contributing member of society is acting responsibly, and Judge Torhost got it right when he likened use of the Internet to driving. The Internet, like driving, is a privilege, not a right, and abuse of a privilege means it’s revoked.

 

 

1 Cody Holyoke, Judge: Waterford man ‘banned from Internet, Today’s TMJ4 (Feb. 11, 2014), http://www.jrn.com/tmj4/news/Judge-Waterford-man-banned-from-Internet-245097211.html.

2 Taylor Berman, Man Banned From the Internet for Sending Naked Men to Neighbor’s Home, Gawker (Feb. 13, 2014, 10:08 AM), http://gawker.com/man-banned-from-the-internet-for-sending-naked-men-to-1522072855.

3 Id.

4 Id. 

5 David Kravets, U.N. Report Declares Internet Access a Human Right, Wired (June 2, 2011, 2:47 PM), http://www.wired.com/threatlevel/2011/06/internet-a-human-right/.

6 Id., see also Greg Sandoval, U.K. embraces ‘three strikes’ for illegal file sharing, CNET (Apr. 8, 2010, 8:35 AM), http://news.cnet.com/8301-31001_3-20002018-261.html.

7 United States v. Dove, 343 F. App’x 428, 430 (11th Cir. 2009) (upholding the defendant’s lifetime ban from the Internet as a condition of supervised release following a conviction for “traveling in interstate commerce with intent to engage in illicit conduct with a person under the age of 18 years, in violation of 18 U.S.C. § 2423(b), (f)”); see also David Kravets, U.S. Courts Split on Internet Bans, Wired (Jan. 12, 2010, 5:11 PM), http://www.wired.com/threatlevel/2010/01/courts-split-on-internet-bans/. 

8 John Bacon, Accused Craigslist killer claims more slayings, USA Today (Feb. 17, 2014, 12:32 PM), http://www.usatoday.com/story/news/nation/2014/02/16/pa-barbour-craigslist-murders-interview/5526113/.

 

 

Blog: Facebook’s Continuing Privacy Policy Battle: Parents Concerned Over the Use of Children’s Information in Advertisements

By: Jasmine McKinney, Associate Manuscripts Editor   

By now, most of us probably know that Facebook is no stranger to lawsuits.  Just a mere two years ago, Facebook was involved in a class-action lawsuit where the social networking giant was found to have used members’ images without their permission in advertisements commonly called “sponsored stories”.[1]  Facebook users involved in the suit reported that Facebook had used their personal images shared on the website for various commercial activities.[2]  Though at the time users had no choice to opt out of being featured in sponsored stories, they could configure their privacy settings to share information with only certain people.[3]  The suit that was settled in 2012 cost Facebook a whopping $10 million.[4]

 

Fast-forward to today and throngs of people are still up in arms over Facebook’s lackadaisical privacy policies.  The settlement has yet to take effect due to the large number of appeals making their way through court.  However, under the settlement, Facebook agreed to change its privacy policies so that Facebook users between the ages of thirteen and eighteen could indicate whether their parents were also Facebook users and give the parents control over the use of their children’s ‘likes’ and comments for advertising purposes.[5]  For children whose parents were not Facebook users, the site promised to opt their children out of social advertising until age eighteen.[6]  Still many are unsatisfied.

 

Now, a group of parents as well as child advocacy and privacy groups are asking a federal appeals court to throw out the 2012 settlement with Facebook over the website’s use of children’s images in these advertisements or sponsored stories.[7]  The plaintiffs and other public interest groups claim that despite the 2012 action, Facebook still uses children’s images without the proper authorization.[8]  Though parents have the ability to ask Facebook to remove an image used in advertisements on the site, many still believe Facebook should ask for permission first.[9]  Plaintiffs in the case claim that Facebook’s practices continue to violate laws prohibiting the use of a minor’s image without parental permission in several states, including: California, Florida, New York, Oklahoma, Tennessee, Virginia, and Wisconsin.[10]

 

Scott Michelman, a lawyer for the nonprofit group Public Citizen, argues that Facebook is currently exercising a backwards approach to privacy concerning its younger users.  “The default should be that a minor’s image should not be used for advertising unless the parent opts in.  Putting the burden on the parent to opt the child out gets it exactly backward.”[11]  Another group known as the Campaign for Commercial-Free Childhood has also concluded that the previous settlement offers little protection to children and has taken the same stance as Public Citizen on the issue.[12]

 

Over the years, Facebook has continued to emphasize that it takes the privacy of its users seriously, but many may question how this can be true given the company’s history of frequently making changes to its privacy policy (some of which have not always been the best in terms of privacy).[13]  The safety of minors online is undoubtedly an important issue and the result of this new suit is bound to show Facebook’s true stance on protecting the privacy of its younger users.


[1] Cecilia Kang, Parents Resume Privacy Fight vs. Facebook Over Use of Children’s Images in Ads, Washington Post (Feb. 13, 2014) http://www.washingtonpost.com/business/technology/parents-resume-privacy-fight-vs-facebook-over-use-of-childrens-images-in-ads/2014/02/12/5ceb9f82-9430-11e3-b46a-5a3d0d2130da_story.html

[2] Hayley Tsukayama, Facebook Settles Sponsored Stories Suit for $10 Million, Washington Post (June 18, 2012) http://www.washingtonpost.com/business/technology/facebook-settles-sponsored-stories-suit-for-10-million/2012/06/18/gJQATcmklV_story.html

[3] Id.

[4] Id.

[5] Vindu Goel, More Pressure on Facebook to Change Its Policy of Using Users’ Images and ‘Likes’ in Ads, The Economic Times (Feb. 13, 2014) http://economictimes.indiatimes.com/tech/internet/more-pressure-on-facebook-to-change-its-policy-of-using-users-images-and-likes-in-ads/articleshow/30324124.cms

[6] Id.

[7] Kang, supra note 1.

[8] Id.

[9] Id.

[10] Id.

[11] Goel, supra note 5.

[12] Id.

[13] See http://newsroom.fb.com/News/735/Reminder-Finishing-the-Removal-of-an-Old-Search-Setting (explaining Facebook’s decision to remove the “Who can look up your Timeline by Name?” setting).

Blog: Net Neutrality

By Jessica Ertel, Associate Articles Editor


The D.C. Court of Appeals recently turned down federal net neutrality legislation, thus allowing Internet service providers to charge Internet companies fees for faster delivery of Internet content.

Net neutrality legislation requires that broadband providers treat all Internet traffic equally. The Federal Communications Commission also calls this “Internet openness.” The FCC supports an open Internet because without net neutrality legislation, broadband providers might prevent their subscribers from accessing certain websites altogether or degrade the quality of these sites in order to direct Internet traffic towards their own competing services, or to collect fees from these websites.1 The Commission’s purpose in the net neutrality legislation was to prevent broadband providers from blocking or discriminating against certain Internet site providers.

By throwing out net neutrality legislation, the decision opens the door for Internet service providers to charge fees to companies who want their Internet content to be delivered to consumers more quickly. Internet service providers, such as petitioner Verizon, applaud the ruling, because it means that they can make money off of Internet companies who want the information from their sites delivered “first class.” The Internet companies who deliver streaming content are the ones most distressed by the U.S. Court of Appeals’ decision. Netflix is one such company. The CEO of Netflix, Reed Hastings, responded to the outcome of the case: “Were this draconian scenario to unfold with some [Internet Service Provider], we would vigorously protest and encourage our members to demand the open Internet they are paying their ISP to deliver.”2

Big companies such as Netflix would be the ones most hurt by this ruling, and the company estimates that it would potentially be forced to pay as much as 10 percent of its annual revenue to broadband providers.3 This could in turn be pushed onto the consumers in the form of higher prices to access sites like Netflix. Yet such a price increase is unlikely to happen soon, and further, Internet service providers have expressed their commitment to their consumers’ ability to freely access Internet sites.4

In spite of this roadblock for the FCC, it has promised to find other ways to pursue Internet openness. The Appeals Court did find that the FCC had the authority to regulate broadband providers’ treatment of Internet traffic.5 The FCC appears ready for the challenge to find other ways to promote Internet openness.

 

1 Verizon v. F.C.C., 11-1355, 2014 WL 113946, at *2 (D.C. Cir. Jan. 14, 2014).

2 Steven Russolillo, Netflix CEO on Net Neutrality: We Will ‘Vigorously Protest’ a “Draconian Scenario,” Wall St. J. (Jan. 22, 2014), available at http://blogs.wsj.com/moneybeat/2014/01/22/netflix-ceo-on-net-neutrality-we-will-vigorously-protest-a-draconian-scenario/?mod=e2tw.

3 Scott Mortize & Cliff Edwards, Verizon Victory on Net-Neutrality Rules Seen as Loss for Netflix, Bloomberg Law, Jan. 14, 2014, available at http://about.bloomberglaw.com/legal-news/verizon-victory-on-net-neutrality-rules-seen-as-loss-for-netflix.

4 Edward Wyatt, Rebuffing F.C.C. in ‘Net Neutrality’ Case, Court Allows Streaming Deals, N.Y. Times, Jan. 14, 2014, available at http://www.nytimes.com/2014/01/15/technology/appeals-court-rejects-fcc-rules-on-internet-service-providers.html?_r=0 (Comcast vice president expressing the company’s commitment to deliver an open Internet to its customers).

5 Verizon v. F.C.C., 11-1355, 2014 WL 113946, at *1 (D.C. Cir. Jan. 14, 2014).

Blog: Snapchat May Not Be Just for Friends – How About Insider Trading?

by Dylan Denslow, Associate Technology and Public Relations Editor

 

          Since its launch in September 2011, Snapchat has amassed some 26 million users who together send an average 400 million “snaps” each day.[1]  To say the app is popular is an understatement.  However, Snapchat’s reputation has been primarily as an outlet for teenagers and college students to send scandalous or embarrassing photos of themselves.  Recently however, a new app named Confide has taken the idea behind Snapchat, the notion of a disappearing message, and brought it to Wall Street.[2]  

 

            Confide is a “new ‘off-the-record’ messaging app” that has raised $1.9 million in seed funding, and was initially referred to as “Snapchat for business”.[3]  Business people commonly run into a situation where they do not want to create a paper trail of emails discussing a particular subject – instead they prefer to talk over the phone where their discussions aren’t recorded and may not bring about as many legal consequences.  Confide is meant to alleviate this situation where phone tag is frequent and an unnecessary impediment to transacting business.[4] 

 

On its face, this seems like a great idea that could cure business problems faced on a daily basis.  However, the app is ripe for abuse and potentially provides a mechanism by which employees may be able to skirt or break state and federal laws.  Insider trading immediately comes to mind.  For example, an executive with a stock tip could send a message through Confide to an investor knowing that the record of that message would soon disappear.[5]  The messages sent on Confide are not stored on servers, and the company has put in place protections to avoid users taking screenshots of the messages themselves.[6]  This seems like a perfect mechanism to help execs and employees send messages without worrying about later consequences of their statements.

           

            Although geared towards the business world, it is also likely that the app will eventually fall into other hands as well.  This in itself creates a number of potential legal issues.  For example, imagine a drug dealer with use of the app.  No longer is there a record of his texts to buyers, instead his messages are deleted immediately, making it more difficult for law enforcement to connect him with his past activities.  Although this violates the terms of Confide’s user agreement, it is unlikely that such an agreement would deter someone already involved with such criminal activity.[7]

 

            Snapchat has certainly brought value to its users, primarily through its ability to allow them to share fun experiences.  However, there have already been allegations that Snapchat is being used for insider trading, even when its reputation typically involves a drunken “selfie” at a bar or college party.[8]  Now, Confide brings a similar product to market specifically geared at the business community.  A user agreement prohibiting illegal activity will not be enough to deter law breaking.  As this technology moves into the business arena, messages will have more serious financial effects than the seemingly harmless Snapchats.  Lawmakers should be poised to monitor and regulate use of this technology in order to avoid any potentially serious legal issues that may arise.

 


[1] See http://expandedramblings.com/index.php/snapchat-statistics/#.UvLdyGiPAc4.

[2] See http://www.forbes.com/sites/jeffbercovici/2014/02/04/snapchat-for-business-its-called-confide-and-it-exists-now/.

[3] Id.

[4] Id.

[5] See http://www.thedailybeast.com/articles/2014/01/17/confide-is-the-best-way-to-keep-your-dastardly-deeds-hidden-for-now.html.

[6] See http://www.forbes.com/sites/jeffbercovici/2014/02/04/snapchat-for-business-its-called-confide-and-it-exists-now/.

[7] See http://www.forbes.com/sites/jeffbercovici/2014/02/04/snapchat-for-business-its-called-confide-and-it-exists-now/.

[8] See http://www.cnbc.com/id/100924846.

Streaming Downton Abbey: When Will the Law Catch Up to Global Television?

       by Cate Gray, Associate Manuscripts Editor

 

     On January 5, 2014, PBS premiered season four of critically acclaimed period drama Downton Abbey to record-breaking ratings in the United States.[1]  The problem for diehard fans truly committed to knowing the trials and tribulations of the Crawley family?  In the United Kingdom, the season four finale already aired on December 25, 2013.[2]  Fans of BBC One’s Sherlock can sympathize; season three premiered nearly a month later here in the US than in the UK.[3]

            So, devoted US fans, why not utilize one of the many websites devoted to allowing viewers to stream these shows and stay up to date with our neighbors across the pond?  Simply put, it’s illegal.  In an effort to combat copyright infringement online, Congress defined all such websites as “dedicated to infringing activities” and therefore in violation of title 17 of the United States Code.[4]  But should it be? 

PBS, the Public Broadcasting Service, is available to any viewer with a digital antenna, so watching programming on the network doesn’t require a paid cable or satellite subscription.  The network itself is funded largely through private donations.[5]  Therefore, because the public does not pay for the ability to watch the channel, there is a question as to whether there is actual harm done to PBS.  Does streaming content from the United Kingdom that is not yet available to those of us in the United States truly harm PBS?

The more important question, however, is when will the law, and technology, catch up to an increasingly global society?  Television shows no longer have fans based solely in one country, and for those of us behind in broadcasts due to our geographic location, the Internet is a minefield of countless spoilers for episodes yet to air on our local networks.  The delay in airing shows in other countries with large fan bases creates a market for online streaming, and all but encourages fans to engage in a technically illegal activity in order to stay up to date with viewers in other locales.  Such a result places both the U.S. law and television networks in a difficult situation, and only time will tell whether they take steps to decrease the time between premieres in different regions, thereby reducing the need for online streaming.


[1] ‘Downton Abbey’ Season 4 Premiere Breaks PBS Ratings Record, Huffington Post (Jan. 6, 2014, 6:19 PM), http://www.huffingtonpost.com/2014/01/06/downton-abbey-premiere-ratings_n_4551161.html.

 

[2] “Downton Abbey” The London Season (TV Episode 2013) – Release Info, iMDB, http://www.imdb.com/title/tt2819840/releaseinfo?ref_=tt_dt_dt (last visited Feb. 13, 2014).

 

[3] “Sherlock” Many Happy Returns (TV Episode 2013) – Release Info, iMDB, http://www.imdb.com/title/tt3381878/releaseinfo?ref_=tt_dt_dt (last visited Feb. 13, 2014).

 

[4] S. 3804, 111th Cong. § 2 (2010).

 

[5] Support Public Television, PBS, http://www.pbs.org/aboutpbs/aboutpbs_support.html  (last visited Feb. 13, 2014).

 

Symposium Series: What Is Information Governance?

     by Peter Sloan, Husch Blackwell LLP

February 5, 2014

         

If anything cries out for organizational governance today, surely it is information.   Data volumes are rising relentlessly; information is flowing in and out of organizations more pervasively than ever; and mobile computing, cloud services, big data analytics, and social networking are fundamentally transforming the organization’s relationship with information.  Meanwhile, the compliance environment grows yet more complicated, as organizations, regulators, and the courts wrestle with the repercussions of massive data breaches, the evolving scope of e-discovery, and allocation of responsibility for the retention and protection of information.  Shortcomings of the traditional practices used by organizations to deal with information are becoming clear, as is the need for a new, comprehensive approach.  And that fresh approach has been dubbed “Information Governance.”

But what exactly is Information Governance?  Despite widespread use of the term,[1] few definitions have been offered.  With due deference to Shakespeare’s Juliet,[2] and also to Justice Stewart,[3] names and definitions matter. They are particularly important when the subject, unlike roses and pornography, has not been with us for a very long time.  And Information Governance indeed is a new approach for addressing information issues.  To be more precise, Information Governance involves a new reconciliation of departmental interests (such as those of IT, Legal, Compliance, Records Management, and lines of business) and of traditional information disciplines (such as records & information management, privacy & data security, and litigation preservation & discovery)—in essence, connecting familiar building blocks in a new, different, and more effective way, to better serve the organization as a whole.  So, definitional clarity is essential here, precisely because Information Governance involves a fundamental change in established perspectives and practices.

What definitions have been proffered for Information Governance?  According to Gartner, the global information technology research and advisory company, Information Governance is “the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information.  It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”[4]  ARMA International similarly defines Information Governance as “a strategic framework composed of standards, processes, roles and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align and contribute to the organization’s goals.”[5]

The Compliance, Governance, and Oversight Council (“CGOC”) has defined Information Governance as “the discipline of managing information according to its legal obligations and its business value, which enables defensible disposal of data and lowers the cost of legal compliance.”[6] 

Most recently, the Sedona Conference has defined Information Governance as “an organization’s coordinated, inter-disciplinary approach to satisfying information compliance requirements and managing information risks while optimizing information value.”[7] 

While each of these definitions has its strengths, here’s what I like about the Sedona Conference definition:[8] 

  • Success with Information Governance requires strategic commitment by the organization’s leadership, which is best accomplished when clear benefits accrue to the organization.  Embedding compliance, risk management, and value into the definition communicates a clear “why” for pursuing Information Governance.  These words articulate concrete, strategic benefits for the organization as a whole, and they also anchor the endeavor’s purpose. 
  • The terms “coordinated” and “inter-disciplinary” succinctly capture the essence of Information Governance, addressing the strategic “what” that is being accomplished.  The most challenging aspect of adopting Information Governance is bridging across traditional information silos.  To be successful with Information Governance, the organization’s individual departments and functions such as Legal, IT, Records, Compliance, and lines of business must coordinate so that decisions about the organization’s information will reflect the needs of the organization as a whole, rather than parochial interests.  And success with Information Governance also requires inter-disciplinary assessment and decision-making, so that information decisions are not based solely on the limited perspectives of traditional disciplines such as records & information management, privacy & data security, and litigation preservation & discovery.  This is the essential feature of Information Governance, through which the organization expands its perspective to consider all aspects and angles of information compliance, risk, and value.

The Sedona definition does not prescribe the particulars of how Information Governance is implemented, referring instead to the organization’s “approach” to accomplishing this coordinated, inter-disciplinary effort, and leaving the specifics of the implementation “how” to supporting guidance.  I think that’s prudent, because there will be various approaches for implementing Information Governance, and the definition should not be too limiting.  Reality suggests that different organizations adopting the Information Governance approach will operate at different points on a maturity continuum.  Some, frankly, will begin by simply getting the right people together in the room to thoroughly explore all angles to information-related decisions at the organization before they are made.  Others will put in place elements of structure, direction, and resources to support Information Governance efforts, along with mechanisms for accountability.  Yet others will establish robust control systems for Information Governance, based upon applicable information-related standards[9] or modeled upon standards for internal control systems generally.[10] 

Years from now, perhaps most organizations will be well along the path of this maturity continuum, and hopefully so.  And yes, organizations certainly will need authoritative guidance on implementation frameworks, strategies, and options for building Information Governance programs. But my hunch is that, at least in the short term, different organizations will pursue Information Governance programming in a wide variety of ways.  While I may feel strongly about the importance of conducting Information Governance assessments and setting program objectives, followed by establishing structure, direction, resources, and accountability for an effective Information Governance program, these are specifics of implementation — the How, rather than the definitional What and Why.

 


[1]  A simple Google search for “Information Governance” on February 3, 2014 yielded 1,250,000 search results.

[2]  “What’s in a name?  That which we call a rose by any other name would smell as sweet ….”  Shakespeare, Romeo and Juliet, Act 2, Scene 2.

[3]  “I shall not today attempt further to define the kinds of material I understand to be embraced within that shorthand description; and perhaps I could never succeed in intelligibly doing so.  But I know it when I see it, and the motion picture involved in this case is not that.”  Jacobellis v. Ohio, 378 U.S. 184, 197 (1964) (Stewart, J., concurring).

[4]  See Gartner IT Glossary, http://www.gartner.com/IT-Glossary/information/governance (last visited January 29, 2014).

[5]  See Glossary of Records and Information Management Terms, 4th Ed. (ARMA TR 22-2012). 

[6]  The CGOC’s definition of information governance is found in Information Governance Benchmark Report in Global 1000 Companies, CGOC 1, 8 (2010).

[7]  The Sedona Conference, The Sedona Conference Commentary on Information Governance (Public Comment Version) (2013), available at https://thesedonaconference.org/publications.

[8]  Full disclosure — I am a Sedona Conference Working Group 1 participant and contributed to its Commentary on Information Governance.  I am also a member of ARMA International and have participated in the CGOC.  Obviously, my views are my own and are not attributable to these fine organizations.

[9]  Various standards provide organizations guidance on assessing information practices and providing structure, direction, resources, and accountability for information governance.  See International Standard ISO 15489‑1, Records Management; International Standard ISO 30301, Management Systems for Records; International Standard ISO/IEC 27001, Information Security Management Systems; and ISO/IEC 27001:2005(E).  See also The Generally Accepted Recordkeeping Principles, ARMA (Feb. 17, 2013).

[10] See COSO, Internal Control-Integrated Framework, Executive Summary (May 2012).  A COSO-based internal control system is the combination of five integrated components, including a control environment, risk assessment, control activities, information and communication, and monitoring activities.  Id. at 4-5.
