I have known and worked with Rebecca for decades, including as an IT leader and professional, and in high-stakes complex litigation. Rebecca is outstanding: brilliant, forensic, technical, responsive, reliable, and passionate about excellence. She has testified in multiple cases and is simply unflappable. She has a unique ability to master complex issues efficiency, economically, and under high pressure. She’s also a true pleasure to work with – a real team player. I’m privileged to rely on Rebecca frequently in diverse, challenging matters.                                                                John Maley, Partner, Barnes & Thornburg

IS DIGITAL ASSET OVERSIGHT MISSING FROM YOUR AUDIT COMMITTEE?

 In large, publicly traded organizations, the bite of Sarbanes-Oxley, with criminal repercussions for executives has the Audit Committee closely monitoring financial controls. Are digital assets garnering the same level of monitor and control? Legislative-protected data, such as Personally Identifiable Information (PII), may earn a bit more oversight; but what about other high-value digital assets?

With the headlines splashing one data breach after another, the protection of PII is clearly falling short.

In August 2023, Statista reported that 422 million individuals were affected in 2022 from a data breach, leakage, or exposure.

Data breaches of legislative-protected data can be followed closely by class-action lawsuits.

Data is legally described as Electronically Stored Information or ESI.  Some ESI is sought after, making it highly valuable. Breaches targeting this high-value ESI can result in fines, penalties, and/or settlements.

With every breach, organizations face unexpected financial expenditures.

Any sized organization can begin mitigating those unexpected costs by adding ESI oversight, which focuses on the ESI itself, not just the system, technology, or application.

If your current audit strategy is looking at data through the lens of applications, systems, and technologies, then your high-value ESI might be overlooked, or this ESI is devalued when lumped into a mixed class of ESI, resulting in access and protection decisions that leave it exposed.

For organizations with established Audit Committee functions, controls are in place to protect financial assets. Exasperated executives loath when well protected financial assets slip away through the costs, fines, penalties, or settlements that can accompany a breach.

Forward thinking organizations recognize that controls over high-value assets are necessary and similar control methodologies can be deployed across all high-value assets, whether it is financial, physical, organizational, or digital. The next logical step is adding ESI expertise to the Audit Committee's resources and/or talents.

An ESI Audit helps an organization quantify and understand its ESI which is the first step in adopting ESI valuation principles. ESI valuation guides the executive team in decisions using cost/value/risk matrices. Consider the addition of ESI Oversight to identify the gaps in ESI controls employed today. Next, evolve to an ESI Audit in moving towards the adoption of ESI Valuation principles.

Are you focused on the ESI itself or the technology, systems, and applications that use the ESI?

At the end of the day, it is the exposure of legislative-protected ESI itself, including PII and HIPAA, that will result in unexpected financial costs, which can include fines, penalties, and/or settlements.


Complete the form below to start a conversation about ESI Oversight & ESI Audits in the journey toward ESI Valuation principles.

To see more about our engagement options, click here.