Lenexa, KS (Vocus) April 16, 2007
Making headlines can be a good thing - unless it's because an organization has mishandled its sensitive records and information. Just ask Affiliated Computer Services, Radio Shack, and TJX, the most recent examples of this growing problem.
- On April 9, the Georgia Department of Community Health announced that Affiliated Computer Services had confirmed the loss of a CD containing personal data on 2.9 million Medicaid and PeachCare for Kids™ members. The data was apparently not encrypted and included personally identifying information: full names, birth dates, and Social Security numbers.
- On April 2, the Texas State Attorney General filed suit against Radio Shack Corp. (to be heard in the district court of San Patricio County, Texas, case number S-07-5333CVC) because employees at one of its stores had dumped bulk records containing unencrypted, personally identifying information for thousands of customers in garbage receptacles behind the store. Radio Shack could face fines of $50,000 per incident, plus civil penalties of up to $500 for each abandoned record. (http://www.oag.state.tx.us/oagnews/release.php?id=1961)
- On March 28, TJX revealed that hackers had accessed credit card and debit card information for almost 46 million customers in 2005 and 2006, plus driver's license numbers and other personal information for an additional 451,000 customers who had returned merchandise. It is being called the biggest financial data breach ever.
The costs of such incidents can be devastating, not only financially but also in terms of customer trust.
"The only protection any company has against these types of occurrences is a well-developed, enterprise-wide records and information management program," states Marilyn Bier, Executive Director of ARMA International, a not-for-profit association and authority on managing records and information. Not only do the policies and procedures have to be in place and well documented, adds Bier, but there must be adequate training throughout the enterprise.
So how do you ensure your company doesn't suffer the same fate as these and many other companies (remember Bank of America, ChoicePoint, and DSW)? Here are some important steps to take today:
Form an information management compliance team. In today's information-centric enterprise, compliance requires that Legal, IT, and RIM (records and information management) all be at the table. No single department can provide a complete solution that ensures your company is compliant with current regulations, is effectively protecting its data, and is ready for electronic discovery in case of litigation. Assemble a team from these and other key compliance-related areas to work together to assess the organization's potential risks and identify the policies, processes, and technology required to address them.
Assess your current program's potential risks. Before you can identify solutions, you need to know what the problems are: where is your current records and information management program vulnerable? Do you know what information you have, where it is located, and how to retrieve it, particularly your e-mail and other electronically stored information (ESI)? The recent amendments to the Federal Rules of Civil Procedure specifically establish this expectation. Online self-assessment tools designed to help you determine where you are at risk are available; for best results, look for tools based on current case law, standards, and best practices. (See http://www.arma.org/profiler)
Evaluate your e-mail management policies. E-mail continues to challenge organizations. With the growth of e-mail, voice mail, and instant messaging - as well as other electronic records - the volume of discoverable information has increased. This month, create or review your company's electronic records policies. Pay particular attention to your e-mail retention policies: retention periods should be based on the content of each message, not on the application that carries it. For best results, do this in collaboration with the rest of the compliance team.
Update and document your policies and procedures. Once you've performed your self-assessment, you should have a good idea as to which policies and procedures need to be developed or updated. There are a number of resources available to help you in this effort, including various standards and guidelines. (See http://www.arma.org/bookstore) It's also critical that your policies and procedures are well documented. That's one of the things courts look for: do you have a policy and did you follow it?
Take the time to train. Individual employees play a critical role in helping your organization comply and succeed in litigation, audits, document preservation, and daily records and information management tasks. If you don't have an enterprise-wide training program that is delivered at least annually, now is the time to implement one. One of the expectations put forth in the new federal rules is that all employees are trained in how to appropriately manage electronic information, and securing that information should be part of that training as well. To make it easier, ARMA International and Kahn Consulting Inc. have produced Keeping Good Company, a DVD-based information management training program complete with facilitator and participant workbooks. It can even be licensed for use on your corporate intranet for easier access and administration.
Additional resources and information about managing records and information are available from ARMA International at http://www.arma.org.
About ARMA International
ARMA International is a not-for-profit professional membership association and the authority on managing records and information. Established in 1955 and with a membership of 10,000+ records and information managers worldwide, ARMA is the oldest and largest international association dedicated to the management of records and information. ARMA International's members include records managers, archivists, corporate librarians, imaging specialists, legal professionals, IT managers, consultants, and educators, all of whom work in a wide variety of industries, including government, legal, healthcare, financial services, and petroleum in the United States, Canada, and numerous other countries.
ARMA International is active in the United States and internationally in the development of standards and guidelines related to records and information management, including ISO 15489, the only international records management standard. It also publishes the award-winning Information Management Journal, a bi-monthly publication featuring articles on the cutting-edge technologies, business trends, and issues in records and information management.