Information overload. Big data. Social media. Mobile computing. Bring-your-own-device policies. Cloud computing. New technologies. Records and information management continues to struggle with fundamental and, to a degree, existential challenges. The challenges to records and information management created by today’s technology are unprecedented and ever changing. Executives responsible for ethics and compliance must now address growing complexities in the management of records and information within their organizations. They must identify and implement new tools and techniques to match the challenges of today and the future while creating a culture of compliance in the records and information management sphere that aligns with the needs of 21st century business.
The Definition of a Record Is Changing: Records Are Created and Stored Differently
The vast majority of today’s business is fueled by, and conducted using, technology. Business records are almost exclusively becoming electronic and are generated by a wide variety of ever-changing devices, systems and applications. Records managers who have historically employed retention schedules to detail appropriate retention periods and records disposition actions are faced with adjusting their thinking to accommodate new and different types of records. The volume of data and the proliferation of that data across many platforms, repositories and devices makes capturing, preserving, managing and eventually disposing of records exceedingly difficult.
Mobile Devices and Smartphones
Mobile devices are now the business tools of choice. Smartphones, tablets and other personal digital assistants (PDAs) are generating and holding more records than ever before. Information technology functions are now abandoning efforts to “control” which devices are used by employees in favor of a bring-your-own-device (BYOD) approach. With this flexibility come numerous risks for the records manager, including:
- difficulty accessing company records that are housed on mobile devices;
- rapid sharing and proliferation of records from device to device and from one to many people;
- difficult and expensive discovery efforts when records are needed for litigation, regulatory review and other business purposes;
- co-mingling of business and personal records;
- difficulty in preserving and managing records through their life cycle and in accordance with legal, regulatory and business requirements when they are located on mobile devices; and
- difficulty in achieving compliance with litigation hold requirements.
Rapid expansion of data requirements, expenses associated with running company data centers, complex infrastructure upgrade projects and numerous other traditional IT challenges are made even more difficult with the explosion of data volumes and cost pressures on companies whose focus must be on their core business. As a result, many IT departments are electing to move all or part of their infrastructure “to the cloud.” Cloud computing enables companies to reduce their investment and take advantage of greater infrastructure flexibility over time. For the records manager, associated risks have emerged, some of which coincide with those for mobile devices, such as:
- difficulty in having off-site data managed according to company retention requirements and in accordance with legal, regulatory and business requirements when in a shared environment;
- difficulty in accessing records during discovery and other business requests; and
- difficulty in implementing and achieving compliance with litigation hold requests.
The very nature of information is also transforming from relatively small-sized documents to very large, media-intensive files that make transport through traditional infrastructure difficult. This is leading employees to find alternate ways to transmit large volumes of data; cloud-based file sharing and storage services such as Dropbox, Google Docs and Box are presenting additional challenges to the management of data, records and information.
The volume of data being created and stored by companies today is rapidly increasing, as is the variety of types of data. Managing, processing and deriving insight from this data now requires more sophisticated tools and techniques. The term “big data” refers to the efforts of companies to manage the volume of data and to use this data to discover business insights that were previously inaccessible or unknown. As more and more insight is derived from big data efforts, new challenges are presented to the records manager: what exactly is a record, where are records actually located and what should be managed, preserved and disposed of in the world of big data analysis? Since business insights can be derived from sophisticated analysis of large amounts of data created and collected over time, many companies are abandoning efforts to discard any data, regardless of how insignificant it may appear. This idea runs counter to some very basic concepts of records management, and this conflict is creating real challenges that now must be viewed with a new business lens.
Historically, records management has utilized a model for managing records that includes policies, procedures and guidelines focused on the creation, use, retention and disposal of records. The main risk associated with big data is that all data that is retained is potentially discoverable in litigation. Additionally, without regularly implemented policies and procedures for the disposal of data, companies involved in litigation will incur the risk of court sanction, adverse inference judgments or other penalties and fines should they be unable to respond to discovery requests for data that is difficult to locate, lost or destroyed. The disposal of records should not be perceived as haphazard or random; rather, a well-defined and routinely implemented approach to destroying data is how companies best protect themselves from these types of risks.
The explosion of social media continues to transform the world as we know it. The nature of these platforms is changing the way people connect, collaborate and communicate, and it is dramatically changing the way businesses operate. It is now common practice for companies to use social media to market themselves, collaborate with business partners, connect with customers, and even to develop new products and business strategies based on social media. Many of these interactions should be captured as business records, and most companies struggle with managing them. Despite the difficulties in managing records created using these platforms, there are many regulations and requirements that companies must comply with regarding these records. For example, the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) require that all business records related to financial transactions over any media, including social media, be preserved appropriately.
Courts now routinely rely on social media communications in the context of litigation. Social media platforms encourage casual and informal communication, which is often seen as more “authentic” compared with carefully managed corporate communications. Professionals using social media to conduct business conversations need to be educated in how to responsibly and respectfully communicate using these media so as not to create enhanced risk.
The risks that records managers face from social media are:
- inability to collect and manage company records created and located on social media;
- difficulty in searching for and finding appropriate records for litigation, regulatory or business requirements; and
- the spontaneity and informal nature of social media communication increases the risk of embarrassing, damaging or potentially inappropriate content existing in company records.
Some of the greatest risks for records and information management today are associated with information security. Increasingly, companies are finding themselves the targets of data theft, destruction and corruption. Many high-profile data breaches have hit the media airwaves recently, with damaging, and sometimes calamitous, effects on the companies whose data has been stolen. In 2013 and 2014 alone, massive breaches of customer credit card information and other personal data occurred at Home Depot, Target and JPMorgan Chase, to name just a few.
Target’s breach occurred during the holiday shopping season and significantly impacted its sales as customers grew wary of shopping at its stores. Home Depot’s breach has resulted in millions of new credit and debit cards being issued by various banks to mitigate the potential damage from stolen credit card information. And JPMorgan Chase’s reputation has suffered as customers question the security of their financial records and assets in the bank.
The trend is for these data breaches to continue as hackers and other unauthorized people endeavor to break in and steal sensitive information. These hackers and thieves are becoming more technologically proficient and companies are more vulnerable as greater amounts of personal data are now in their custody and control. Companies that store any type of personal information (especially sensitive information such as medical records, credit card information, financial records and other personal information) face increasing pressure to protect this information and prevent breaches. Those that don’t take effective measures to protect information and prevent data breaches will experience elevated risk of financial and legal penalties, along with reputational damage and loss of business as customers gravitate away as a result of a loss of confidence.
New credit card systems, referred to as Chip and PIN cards, are now being introduced to better protect retailers and consumers from data breaches. This new technology, formally known as EMV (Europay, Mastercard and Visa) technology, requires customers to enter a data-encrypted PIN at the point of transaction rather than simply using a signature and a magnetic strip credit card. In October 2015, the credit card industry will see a shift in fraud liability rules, which will allow credit card companies to shift liability for fraud on signature-based transactions to the retailers if they haven’t implemented chip technology. This will create a strong incentive for companies to adopt these new technologies. U.S. President Barack Obama recently signed an executive order requiring U.S. government bodies to make this transition by January 2015, fully 10 months in advance of the October 2015 change. Compliance officers in any company that deals with credit card payments should be focused on ensuring that this new technology is being implemented, and records managers should be working with IT professionals to ensure that the data created by these new systems is managed appropriately.
New and emerging technology will also present challenges and risks to companies that need to protect personal information. One example is “wearable technology,” which entails wonderful new devices and applications to help people in their lives while also creating repositories of personal data never envisioned in the past. Sleep tracker watches, wearable fitness tracker devices and other health and wellness devices capture various types of data about the personal habits and health of the person wearing them. Records management must ensure that this new type of personal information, regardless of its form or function, is secured, protected and eventually destroyed appropriately. While the technological strategies to mitigate these risks are best left for IT professionals, the explosion in the volume and variety of data and the risks associated with the theft, loss or corruption of that data are creating significant challenges to records management programs. Records management and information technology need to work together to properly mitigate the risks faced by companies today in these areas.
Records management is essentially—and has historically been—about governance. In this context, governance refers to the creation and implementation of policies and programs designed to manage company records in accordance with regulations, laws and business requirements. Historically, records managers would rely on tools such as a records retention schedule to document the requirements of the records management program. Records retention schedules would simply detail which types of records need to be retained by the company and for how long. Properly created records retention schedules would incorporate legal and regulatory requirements, along with business needs, and were relatively easy to understand as a model for managing records.
Investments in New Tools Are Necessary
Today’s technology makes compliance with regulations and other legal requirements difficult. The historical methods used by records management to achieve its objectives of ensuring that records are retained for as long as they need to be, such as records retention schedules, are no longer feasible without additional new tools and technology. Because of the volume of data and the many decentralized, disconnected and disparate platforms on which it is being created and stored, the ability to search for data is now more important than the ability to capture it and store it away in a dedicated repository. In order to do this more effectively, companies need to consider investing in auto-classification capabilities, as well as sophisticated search technologies and techniques. Auto-classification allows for large amounts of data to be classified properly without manual intervention; sophisticated search can then easily find those records by looking across multiple locations and repositories.
In a recent court case, Da Silva Moore v. Publicis Groupe, Civ. No. 11-1279 (ALC) (AJP) (S.D.N.Y. Feb. 24, 2012), U.S. Magistrate Judge Andrew Peck issued an opinion stating that computer-assisted review of records was an acceptable way to search for documents related to the case. The plaintiff in the case had filed a Title VII class-action gender discrimination claim against the defendant. Based on the records requested and the large number of possible locations and custodians of those records, the parties estimated a potential pool of 3 million documents. Cost estimates of searching these documents using traditional methods exceeded $1 million. However, both parties proposed the use of predictive coding, a type of sophisticated computer-assisted review of documents, in an effort to reduce costs by reducing the number of documents to be reviewed from 3 million to 20,000. The courts had not previously addressed the acceptability of using these types of tools in e-discovery situations, and Judge Peck’s opinion is now indicative of judicial approval for these methods.
In the case of litigation, this method of sorting huge volumes of data can significantly reduce the time and effort and, therefore, the costs of discovery. While this ruling was focused on e-discovery for litigation purposes, the issues faced by records and information management are related. Despite challenges with the economy, the need to strengthen records management persists, and investments in these types of sophisticated technologies are necessary for effective management of records in the future. As evidence for this growing trend, some estimates suggest the global market for records management tools will grow by 10 percent in 2015.
Records managers should implement new policies, procedures and programs to address records management concerns, but they should not do so in isolation. Information governance is an emerging term that refers to the set of activities and technologies that organizations utilize to derive the maximum value of their information while minimizing associated risks and costs. Effective information governance addresses the inter-related issues facing IT, information security, data privacy, records management, litigation, compliance and, ultimately, the needs of the company’s business.
Mitigating the Risks of Big Data
Because of the anticipated benefits derived from big data analysis, policies and procedures must be rewritten to incorporate the desire to retain large volumes of data while ensuring that requirements for retention of records for specific periods of time are met. Additionally, the desire to save data for big data analysis must not be allowed to create an environment where data is destroyed randomly or without specific procedures. Records management must work with business leaders and IT to create the most appropriate procedures and policies for the company that meet these needs.
Mitigating the Risks of Cloud Computing
In order to manage records in the cloud, records management executives must first address service-level agreements and contracts with cloud providers to ensure that records are managed in accordance with company needs, regulatory requirements and legal obligations. Employees should be educated on the proper usage of cloud storage and transfer facilities, and company policies on the appropriate use of cloud-based facilities should be created and communicated.
Mitigating the Risks of Social Media
Social media platforms present unique challenges in terms of access and preservation of records. Records managers should investigate emerging management systems technology to capture records and preserve them for records management purposes, but should also be aware of the casual nature of social media communications, which heightens risk for inappropriate records creation. Without discounting the value of effective social media policies and guidelines, extra attention must be placed on educating workers who are engaged with social media platforms from a records management perspective.
Government agencies are increasingly focused on addressing the obsolescence of existing policy and law as technology rapidly transforms the world around us. Ethics and compliance executives in 2015 must remain committed to the governance of records in their companies while addressing the significant challenges brought by advances in technology. Funding is necessary for management systems and software tools to address the identification, capture and preservation of company records that exist in the cloud, on mobile devices and on social media platforms. In order to attain that funding, records management executives must encourage the business to identify the risks associated with properly managing corporate records. These risks include those presented by the loss, theft or breach of sensitive information, as well as the need to address existing regulatory and legal requirements pertinent to the company and its business. More importantly, records management executives must also encourage the business to identify the benefits associated with properly managing corporate records.
Michael Salvarezza is an expert with LRN’s Ethics & Compliance Alliance (ECA). The ECA is an online community of thought leaders and practitioners that provides unique resources and support to enhance enterprise-wide knowledge, mitigate risk, support collaboration with experts and implement program components. It provides a unique opportunity to interact and collaborate with leading subject-matter experts across all the major ethics and compliance risk areas and provides an extensive library of hands-on resources and tools to include model policies and program materials, risk assessment procedures, legal research, analyses of recent legal developments and educational materials such as the ECA Risk Forecast Report.
The ECA Risk Forecast Report is an annual publication of the most significant risks facing organizations today, as reported upon and analyzed by 12 leading ethics and compliance experts. These individuals—leading specialists whose articles are featured in the body of the Report—provide insight into the regulatory and compliance challenges we face in 2015 and the developments that are likely to result.