I work for a higher-end ECM vendor. This situation is one of many reasons to invest in ECM.

SharePoint does do some basic logging of who accesses a document, permits role-based access, and is quick to set up. The product I work on does much more, allows metadata-based security, and a hundred other things I won't plug here. Still, no ECM software I'm aware of solves the problem that once you permit content to be viewed, it can be sniffed, screencapped, saved as, copy-pasted, etc.

Maybe that isn't a requirement. Short of limiting physical access (which computer you allow people to view documents on) in ways that will cripple business use in creation and distribution, that is pretty hard to solve. Most of us not working in classified labs meet our legal(IANAL!) and business(IANAVP!) requirements by implementing suitable intrusion detection, by logging access to important content, by getting signatures on policies about data handling, journalling and archiving email, and applying share- and file-level security to prevent casual browsing. Will that prevent any misuse? No, but there is an audit trail there in terms of who accessed the document and what they sent in email.

Sometimes it is far more important to have a well-thought out, implemented, and DOCUMENTED strategy that can reassure a customer or partner. Show them that you have a good framework in place, and they will trust better that you know what you are doing. That may also be a good place for the organization to be if a legal discovery phase occurs.

It may be a software/IT problem to acquire and require metadata to be stored with a piece of information, but how do you design an indexing scheme that makes it obvious how to index data and enforces consistency while still allowing meaningful classification? How do you create a culture where a user's time spent indexing and cleaning said information is considered well-spent and valuable in its own right? How do you get people to look for and use the data, however well-indexed it is?

It's not like we don't have examples of classification systems that work. Finding a piece of information in a library might take a few minutes to locate a set of data, and then minutes to review material and find a fact, or hours or days to poll opinions and assemble an informed picture of the subject under investigation. Indexing schemas in document management are evaluated by how many clicks it takes to get to an already known piece of information.

Or maybe it is that the business metrics applied to this sort of activity are based on the speed and volume rather than the quality of work? If a poor decision was made through a lack of information, was it the difficulty in locating this information, or was it a lack of will or desire to adequately research a decision before making it?