How does a corporation handle situations like the above where policy no enforcement or selective enforcement becomes a larger problem? The information systems involved were administrative and...

How does a corporation handle situations like the above where policy no enforcement or selective enforcement becomes a larger problem? The information systems involved were administrative and operational and had little to no sensitive information on them. How does one go about protecting data at a level that is commensurate with its sensitivity, value, and criticality when those parameters can change due to circumstances such as a lawsuit?