
Records & Information Management: 2015 Risk Perspective

by Michael Salvarezza
June 25, 2015
in Governance

Information overload. Big data. Social media. Mobile computing. Bring-your-own-device policies. Cloud computing. New technologies. Records and information management continues to struggle with fundamental and, to a degree, existential challenges. The challenges to records and information management created by today’s technology are unprecedented and ever changing. Executives responsible for ethics and compliance must now address growing complexities in the management of records and information within their organizations. They must identify and implement new tools and techniques to match the challenges of today and the future while creating a culture of compliance in the records and information management sphere that aligns with the needs of 21st century business.

The Definition of a Record Is Changing: Records Are Created and Stored Differently

The vast majority of today’s business is fueled by, and conducted using, technology. Business records are almost exclusively becoming electronic and are generated by a wide variety of ever-changing devices, systems and applications. Records managers who have historically employed retention schedules to detail appropriate retention periods and records disposition actions are faced with adjusting their thinking to accommodate new and different types of records. The volume of data and the proliferation of that data across many platforms, repositories and devices makes capturing, preserving, managing and eventually disposing of records exceedingly difficult.

Mobile Devices and Smartphones

Mobile devices are now the business tools of choice. Smartphones, tablets and other personal digital assistants (PDAs) are generating and holding more records than ever before. Information technology functions are now abandoning efforts to “control” which devices are used by employees in favor of a bring-your-own-device (BYOD) approach. With this flexibility come numerous risks for the records manager, including:

  • difficulty accessing company records that are housed on mobile devices;
  • rapid sharing and proliferation of records from device to device and from one to many people;
  • difficult and expensive discovery efforts when records are needed for litigation, regulatory review and other business purposes;
  • co-mingling of business and personal records;
  • difficulty in preserving and managing records through their life cycle and in accordance with legal, regulatory and business requirements when they are located on mobile devices; and
  • difficulty in achieving compliance with litigation hold requirements.

Cloud Computing

Rapid expansion of data requirements, expenses associated with running company data centers, complex infrastructure upgrade projects and numerous other traditional IT challenges are made even more difficult with the explosion of data volumes and cost pressures on companies whose focus must be on their core business. As a result, many IT departments are electing to move all or part of their infrastructure “to the cloud.” Cloud computing enables companies to reduce their investment and take advantage of greater infrastructure flexibility over time. For the records manager, associated risks have emerged, some of which coincide with those for mobile devices, such as:

  • difficulty in having off-site data managed according to company retention requirements and in accordance with legal, regulatory and business requirements when in a shared environment;
  • difficulty in accessing records during discovery and other business requests; and
  • difficulty in implementing and achieving compliance with litigation hold requests.

The very nature of information is also transforming from relatively small-sized documents to very large, media-intensive files that make transport through traditional infrastructure difficult. This is leading employees to find alternate ways to transmit large volumes of data; cloud-based file sharing and storage services such as Dropbox, Google Docs and Box are presenting additional challenges to the management of data, records and information.

The volume of data being created and stored by companies today is rapidly increasing, as is the variety of types of data. Managing, processing and deriving insight from this data now requires more sophisticated tools and techniques. The term “big data” refers to the efforts of companies to manage the volume of data and to use this data to discover business insights that were previously inaccessible or unknown. As more and more insight is derived from big data efforts, new challenges are presented to the records manager: what exactly is a record, where are records actually located and what should be managed, preserved and disposed of in the world of big data analysis? Since business insights can be derived from sophisticated analysis of large amounts of data created and collected over time, many companies are abandoning efforts to discard any data, regardless of how insignificant it may appear. This idea runs counter to some very basic concepts of records management, and this conflict is creating real challenges that now must be viewed with a new business lens.

Historically, records management has utilized a model for managing records that includes policies, procedures and guidelines focused on the creation, use, retention and disposal of records. The main risk associated with big data is that all data that is retained is potentially discoverable in litigation. Additionally, without regularly implemented policies and procedures for the disposal of data, companies involved in litigation will incur the risk of court sanction, adverse inference judgments or other penalties and fines should they be unable to respond to discovery requests for data that is difficult to locate, lost or destroyed. The disposal of records should not be perceived as haphazard or random; rather, a well-defined and routinely implemented approach to destroying data is how companies best protect themselves from these types of risks.

Social Media

The explosion of social media continues to transform the world as we know it. The nature of these platforms is changing the way people connect, collaborate and communicate, and it is dramatically changing the way businesses operate. It is now common practice for companies to use social media to market themselves, collaborate with business partners, connect with customers, and even to develop new products and business strategies based on social media. Many of these interactions should be captured as business records, and most companies struggle with managing them. Despite the difficulties in managing records created using these platforms, there are many regulations and requirements that companies must comply with regarding these records. For example, the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC) require that all business records related to financial transactions over any media, including social media, be preserved appropriately.

Courts now routinely rely on social media communications in the context of litigation. Social media platforms encourage casual and informal communication, which is often seen as more “authentic” compared with carefully managed corporate communications. Professionals using social media to conduct business conversations need to be educated in how to responsibly and respectfully communicate using these media so as not to create enhanced risk.

The risks that records managers face from social media are:

  • inability to collect and manage company records created and located on social media;
  • difficulty in searching for and finding appropriate records for litigation, regulatory or business requirements; and
  • increased risk of embarrassing, damaging or potentially inappropriate content existing in company records, owing to the spontaneity and informal nature of social media communication.

Information Security

Some of the greatest risks for records and information management today are associated with information security. Increasingly, companies are finding themselves the targets of data theft, destruction and corruption. Many high-profile data breaches have hit the media airwaves recently, with damaging, and sometimes calamitous, effects on the companies whose data has been stolen. In 2013 and 2014 alone, massive breaches of customer credit card information and other personal data occurred at Home Depot, Target and JPMorgan Chase, to name just a few.

Target’s breach occurred during the holiday shopping season and significantly impacted its sales as customers grew wary of shopping at its stores. Home Depot’s breach has resulted in millions of new credit and debit cards being issued by various banks to mitigate the potential damage from stolen credit card information. And JPMorgan Chase’s reputation has suffered as customers question the security of their financial records and assets in the bank.

The trend is for these data breaches to continue as hackers and other unauthorized people endeavor to break in and steal sensitive information. These hackers and thieves are becoming more technologically proficient and companies are more vulnerable as greater amounts of personal data are now in their custody and control. Companies that store any type of personal information (especially sensitive information such as medical records, credit card information, financial records and other personal information) face increasing pressure to protect this information and prevent breaches. Those that don’t take effective measures to protect information and prevent data breaches will experience elevated risk of financial and legal penalties, along with reputational damage and loss of business as customers gravitate away as a result of a loss of confidence.

New credit card systems, referred to as Chip and PIN cards, are now being introduced to better protect retailers and consumers from data breaches. This new technology, formally known as EMV (Europay, Mastercard and Visa) technology, requires customers to enter a data-encrypted PIN at the point of transaction rather than simply using a signature and a magnetic strip credit card. In October 2015, the credit card industry will see a shift in fraud liability rules, which will allow credit card companies to shift liability for fraud on signature-based transactions to the retailers if they haven’t implemented chip technology. This will create a strong incentive for companies to adopt these new technologies. U.S. President Barack Obama recently signed an executive order requiring U.S. government bodies to make this transition by January 2015, fully 10 months in advance of the October 2015 change. Compliance officers in any company that deals with credit card payments should be focused on ensuring that this new technology is being implemented, and records managers should be working with IT professionals to ensure that the data created by these new systems is managed appropriately.

New and emerging technology will also present challenges and risks to companies that need to protect personal information. One example is “wearable technology,” which entails wonderful new devices and applications to help people in their lives while also creating repositories of personal data never envisioned in the past. Sleep tracker watches, wearable fitness tracker devices and other health and wellness devices capture various types of data about the personal habits and health of the person wearing them. Records management must ensure that this new type of personal information, regardless of its form or function, is secured, protected and eventually destroyed appropriately. While the technological strategies to mitigate these risks are best left for IT professionals, the explosion in the volume and variety of data and the risks associated with the theft, loss or corruption of that data are creating significant challenges to records management programs. Records management and information technology need to work together to properly mitigate the risks faced by companies today in these areas.

Mitigating Risks

Records management is essentially—and has historically been—about governance. In this context, governance refers to the creation and implementation of policies and programs designed to manage company records in accordance with regulations, laws and business requirements. Historically, records managers would rely on tools such as a records retention schedule to document the requirements of the records management program. Records retention schedules would simply detail which types of records need to be retained by the company and for how long. Properly created records retention schedules would incorporate legal and regulatory requirements, along with business needs, and were relatively easy to understand as a model for managing records.

Investments in New Tools Are Necessary

Today’s technology makes compliance with regulations and other legal requirements difficult. The historical methods used by records management to achieve its objectives of ensuring that records are retained for as long as they need to be, such as records retention schedules, are no longer feasible without additional new tools and technology. Because of the volume of data and the many decentralized, disconnected and disparate platforms on which it is being created and stored, the ability to search for data is now more important than the ability to capture it and store it away in a dedicated repository. In order to do this more effectively, companies need to consider investing in auto-classification capabilities, as well as sophisticated search technologies and techniques. Auto-classification allows for large amounts of data to be classified properly without manual intervention; sophisticated search can then easily find those records by looking across multiple locations and repositories.

In a recent court case, Da Silva Moore v. Publicis Groupe, Civ. No. 11-1279 (ALC) (AJP) (S.D.N.Y. Feb. 24, 2012), U.S. Magistrate Judge Andrew Peck issued an opinion stating that computer-assisted review of records was an acceptable way to search for documents related to the case. The plaintiff in the case had filed a Title VII class-action gender discrimination claim against the defendant. Based on the records requested and the large number of possible locations and custodians of those records, the parties estimated a potential pool of 3 million documents. Cost estimates of searching these documents using traditional methods exceeded $1 million. However, both parties proposed the use of predictive coding, a type of sophisticated computer-assisted review of documents, in an effort to reduce costs by reducing the number of documents to be reviewed from 3 million to 20,000. The courts had not previously addressed the acceptability of using these types of tools in e-discovery situations, and Judge Peck’s opinion is now indicative of judicial approval for these methods.

In the case of litigation, this method of sorting huge volumes of data can significantly reduce the time and effort and, therefore, the costs of discovery. While this ruling was focused on e-discovery for litigation purposes, the issues faced by records and information management are related. Despite challenges with the economy, the need to strengthen records management persists, and investments in these types of sophisticated technologies are necessary for effective management of records in the future. As evidence for this growing trend, some estimates suggest the global market for records management tools will grow by 10 percent in 2015.

Information Governance

Records managers should implement new policies, procedures and programs to address records management concerns, but they should not do so in isolation. Information governance is an emerging term that refers to the set of activities and technologies that organizations utilize to derive the maximum value of their information while minimizing associated risks and costs. Effective information governance addresses the inter-related issues facing IT, information security, data privacy, records management, litigation, compliance and, ultimately, the needs of the company’s business.

Mitigating the Risks of Big Data

Because of the anticipated benefits derived from big data analysis, policies and procedures must be rewritten to incorporate the desire to retain large volumes of data while ensuring that requirements for retention of records for specific periods of time are met. Additionally, the desire to save data for big data analysis must not be allowed to create an environment where data is destroyed randomly or without specific procedures. Records management must work with business leaders and IT to create the most appropriate procedures and policies for the company that meet these needs.

Mitigating the Risks of Cloud Computing

In order to manage records in the cloud, records management executives must first address service-level agreements and contracts with cloud providers to ensure that records are managed in accordance with company needs, regulatory requirements and legal obligations. Employees should be educated on the proper usage of cloud storage and transfer facilities, and company policies on the appropriate use of cloud-based facilities should be created and communicated.

Mitigating the Risks of Social Media

Social media platforms present unique challenges in terms of access and preservation of records. Records managers should investigate emerging management systems technology to capture records and preserve them for records management purposes, but should also be aware of the casual nature of social media communications, which heightens risk for inappropriate records creation. Without discounting the value of effective social media policies and guidelines, extra attention must be placed on educating workers who are engaged with social media platforms from a records management perspective.

Conclusion

Government agencies are increasingly focused on addressing the obsolescence of existing policy and law as technology rapidly transforms the world around us. Ethics and compliance executives in 2015 must remain committed to the governance of records in their companies while addressing the significant challenges brought by advances in technology. Funding is necessary for management systems and software tools to address the identification, capture and preservation of company records that exist in the cloud, on mobile devices and on social media platforms. In order to attain that funding, records management executives must encourage the business to identify the risks associated with properly managing corporate records. These risks include those presented by the loss, theft or breach of sensitive information, as well as the need to address existing regulatory and legal requirements pertinent to the company and its business. More importantly, records management executives must also encourage the business to identify the benefits associated with properly managing corporate records.

Michael Salvarezza is an expert with LRN’s Ethics & Compliance Alliance (ECA). The ECA is an online community of thought leaders and practitioners that provides unique resources and support to enhance enterprise-wide knowledge, mitigate risk, support collaboration with experts and implement program components. It provides a unique opportunity to interact and collaborate with leading subject-matter experts across all the major ethics and compliance risk areas and provides an extensive library of hands-on resources and tools to include model policies and program materials, risk assessment procedures, legal research, analyses of recent legal developments and educational materials such as the ECA Risk Forecast Report.

The ECA Risk Forecast Report is an annual publication of the most significant risks facing organizations today, as reported upon and analyzed by 12 leading ethics and compliance experts. These individuals—leading specialists whose articles are featured in the body of the Report—provide insight into the regulatory and compliance challenges we face in 2015 and the developments that are likely to result.



Michael Salvarezza is a tenured and accomplished leader with a career that includes extensive experience in the complementary disciplines of information technology, records and information management, and compliance systems, enabling him to succeed in traditionally difficult areas by combining unique perspective and knowledge. After working in the defense industry for nearly a decade, Mike transitioned to a successful career at Altria Group, Inc., where he embraced various positions of increasing responsibility within the IT function to include a role as Group Director, IT, that included responsibility for setting technology standards on a global basis. Until 2014, Mike was actively involved in LRN’s Governance System, and helped pioneer, communicate, and integrate knowledge in the areas of legal, compliance, governance, and risk; ethical leadership; social responsibility; and environmental responsibility.
