
Search Results


  • Why Records Management Professionals Should Not Have to Beg for Budget or Recognition

    Records management has come a long way from the days of paper files and databases that house records. With the proliferation of technology such as AI, BI, IoT devices, and other advanced systems, the role of the records management department (a.k.a., records retention department, information governance department, information management department, RIM department, etc.) should have expanded significantly over the last decade. However, most have yet to. It is more important now than ever for organizations that want to harness the value and mitigate the risk associated with one of their critical assets – information. Regardless of what a company calls the department or the role, it is the individual(s) or department responsible for developing and maintaining policies related to what information a company must retain or dispose of according to laws and regulations and business needs. If information is mismanaged, it can, and more than likely will, increase a corporation's risk profile and hinder its ability to harness the value of the information. If it hasn't already, the traditional record management department and role must evolve quickly and become part of the company's risk management framework. Since blogs are supposed to be 5-minute reads 😊, I will quickly discuss a few reasons organizations and records professionals must take action now to start mitigating risk associated with managing information. All Information, Not Just Records. In today's complex and fast-paced digital environment, records professionals must increase their responsibility to cover all information to ensure it has a predictable end of life, regardless of its record classification. I did a survey a few months ago that indicated less than 25% of a company's information is a record. The other ~75% of the information in your company needs governing, too! 
Records professionals must ensure all information, not just records, is identified so it can be managed in accordance with laws, regulations, and business value. Laws and regulations are evolving to dictate how long information can be retained, and over-retaining information can negatively affect a company. Records professionals need to be inquisitive regarding the new technology their organizations are using, the latest business activities they are venturing into, the latest information they buy from third parties, etc., and make it part of their governance programs. Take Action: Show your organization where policies and retention schedules don't address critical non-record information, such as the data collected and transmitted by a product with personal information about a consumer. Privacy by design assumes you have this information on a retention schedule that dictates when it will be disposed of or, at minimum, does not conflict with how long it is retained. Finding several examples in your company like this can help you show why your role needs to expand. New Technology, New Information. Using AI, BI, ML, IoT devices, and other advanced technologies allows organizations to collect, receive, create, transmit, and manage large amounts of data, gaining valuable insights and making real-time decisions. Products such as implanted medical devices, connected vehicles, TVs, appliances, etc., regularly collect and transmit data to the manufacturer or third parties. Artificial intelligence is creating data in large volumes as it acts like a human in business activities. Data lakes and warehouses collect data from social media, customer behaviors, other applications in the company, IoT devices, etc., so the data can be analyzed across different domains. Records professionals must ensure policies and retention rules govern these initiatives and products that create, store, and transmit data.
Record professionals' roles must evolve to cover information generated by services and products, not just traditional corporate records like finance and human resources. This type of information can pose a significant risk to an organization – much more than conventional records did in the past. Take Action: First, look for news coverage discussing how your company uses artificial intelligence to reduce costs, improve customer satisfaction, or something similar. Then see if that related information is on your company's retention schedule and try to find the root cause of why it wasn't added to the schedule when the new technology was implemented. Plug that hole! Knowledge and Currency of Laws and Regulations Impacting the Organization's Retention of Information. Laws and regulations are changing quickly while trying to keep pace with the information companies create, receive, and manage. Laws and regulations govern how long information must be maintained for regulatory purposes and when it must be disposed of to protect people. Record professionals need to make sure they know about new or modified laws and regulations, such as Utah Code 34.46.203, mandating that an employer may not retain the information collected about an applicant obtained through an initial selection process for more than two years after the day on which the applicant provides the information to the employer if the employer does not hire the applicant within those two years. Records professionals need to be aware of AI laws that are advancing. Over 50 nations have adopted AI laws and regulations over the last five years. These laws will likely start addressing the retention of information collected, received, or generated by AI technology to prove there was no prejudice and to prove many other actions of the technology.
As technology advances and new types of information are generated, like biometric data, records professionals need to work with the legal department to ensure the new laws and regulations or clarifications to existing laws and regulations are reflected accurately in the company's retention policies. An excellent example of this is the recent decision by the Illinois Supreme Court stating workers and consumers have five years to sue for violations of the state's unique biometric privacy law. The court said that because the Illinois Biometric Information Privacy Act does not specify a statute of limitations for lawsuits, the state code of civil procedure's five-year catchall period will apply. Organizations need to review this decision to determine the risk it may pose to their organization and ensure the retention of related information is modified accordingly. Take Action: Research new laws and regulations that have recently been passed that impact the retention of information. I have provided two interesting talking points in this section to start with. Do you allow people from Utah to apply for jobs? Do you collect biometric data on people in Illinois? Do your retention schedules reflect that reality? Harnessing the Value of Information. A byproduct of record professionals' daily job working with all business units across the globe is that they typically know the most about the information in a company and understand all the business activities taking place in a company. Today, all business activities generate, use, transmit, receive, share, buy, or sell information. Information is the lifeblood of most organizations. This knowledge allows record professionals to provide valuable insights related to big data analytics projects, cost reduction projects, finding buried skeletons that may still be wearing crown jewels, etc.
Companies that are killing it by harnessing the value of information have elevated the positions of record professionals because of their knowledge of the company's information assets. These professionals can quickly spot risks and business potential. Take Action: 1. Review your company's privacy data categories and see what is missing based on your knowledge of the data the organization collects. Use the org chart as a guide. Find a few departments where it isn't apparent they would collect or manage personal information, like the product technology department, product warranty department, or the company's foundation. Find where you know legacy systems were decommissioned, but the data still exists in the company. Look for information on your schedule that would have personal information that is often overlooked, like foundation donors, rejected job applicants, contractors, interns, bought data, medical records, etc. Then see if your privacy folks have identified it. In conclusion, your organization's records professional(s) is a critical asset to help mitigate risk and maximize the value of information in today's complex digital environment. By moving away from old-school thinking about record management professionals, organizations can reap the full benefits of their data assets and stay ahead of the competition. If you can't quite make the leap to records professionals playing a pivotal role in harnessing the value of information, you must at least take the step of recognizing that they play a crucial role in reducing the corporation's risk profile. #recordsmanagement #recordsmanager #records #informationgovernance #infogov

  • Policies Need to Govern Nontraditional Technology and Related Data

    Nontraditional technology, like the Internet of Things (IoT) and Artificial Intelligence, is becoming more prevalent across most industries, from implanted medical devices to connected vehicles. Data is being generated from products that previously didn't generate data. Medical devices today can send data about your medical condition directly to your doctor or a third party that interprets the data for your doctor. Your vehicle can send data back to the manufacturer about tire pressure and location data when an accident occurs. As technologies continue to advance, corporations are struggling to govern the data produced by new technologies. The ability to identify what data is being collected, generated, received, transmitted, stored, shared, sold, etc., by new technologies is becoming very complex, which makes it challenging for organizations to govern the data per laws and regulations. Furthermore, the risk of cyber-attacks on nontraditional technology has increased over the last few years as bad actors realize the value of the data these technologies generate. Cyber-attacks can target various electronic systems, communication networks, algorithms, software, hardware, and the data itself, potentially compromising the quality of the data and exposing sensitive personal information to bad actors. Deployed nontraditional product technologies and associated data are generally not managed in their company. It often needs to be made clear who is responsible for ongoing information governance and data protection when captured data may be automatically sent to a third-party device for storage or analysis. Typically, product engineers own the development of the technology and the related data network design, but they don't own the product or data once it is implemented or deployed. Similarly, security and information governance professionals are traditionally part of an IT or legal department and don't deal with product-related technology or data.
When ownership is unclear, it is challenging to develop information governance, privacy and security policies, and retention schedules to address ALL data in a corporation because no one at the table can represent the needs of the "data owner." Similarly, we find that data assets and privacy inventories never address data being collected by nontraditional technology such as medical devices, products that transmit data, data collected by Apple or Droid apps, data being sent from a vehicle, data being sent from a household product, data being sent from a time clock, data being generated by Artificial Intelligence, etc. This usually contributes to a need for more evident ownership of this type of data. Kahn Consulting has spent the last decade enhancing our processes and expertise related to nontraditional technology and its data output. If your company would like to determine if nontraditional technology and associated data are part of your information governance program(s), don't hesitate to contact us to learn more about our Information Governance Assessment. #informationgovernance #infogov #cybersecurity #KahnConsultingInc #PrivacyLaws #NontraditionalTechnologies #Compliance #DataProtection #DataCollection #LegalConsultation #InformationGovernanceAssessment #CyberAttacks

  • Over Retention of Information

    The more data a company has, ideally, the more it can understand its customers, improve its products and services, reduce costs, improve product quality, etc. As companies collect and store more data, they also face the risk of over-retaining information beyond its useful life, which may lead to bad business decisions. People’s needs, wants, and behaviors change over time, environmental cost factors change over time, products change over time, and product usage changes over time. At some point, data will become a liability and can have negative consequences for both the company and its customers. Additionally, over-retaining information can make it challenging for companies to comply with data protection laws that require companies to delete or destroy customer data when it is no longer needed. By over-retaining information, companies put themselves at risk of violating privacy-related laws and potentially causing harm to their customers if the data is exposed. How does over-retention happen in a company? Traditionally, most companies’ Retention Schedules had “minimum” retention periods for each type of information which meant it must be retained for at least that long, but it could be retained longer. Additionally, retention periods were based in large part on how long a law or regulation dictated. Today, Retention Schedules should provide the exact retention period for each type of information – no shorter and no longer. The retention decision must be made by the corporation’s executive team to ensure all stakeholders’ interests are considered – legal, records, risk, privacy, IT, and business units. Furthermore, retention periods must consider business use of the information, not just laws and regulations. In many instances, information has true business value beyond what a law or regulation requires. 
To avoid over-retaining information, companies can start by developing a retention policy that reflects what the company does for a living in the various jurisdictions where it does business. That will inform what laws and regulations may be implicated. The applicability of laws and regulations and the use of data by various business units is becoming more complex with advances in technology, making it crucial for companies to inventory their data and determine how data is collected, used, managed, shared, and sold to ensure ALL data has a predictable end of life. It is also important to consider the secondary use of data when developing policies and retention schedules. As an example, data collected during a customer's application for a service or product may have multiple uses beyond its primary purpose. By understanding and accounting for these secondary uses of data in retention policies, companies can ensure a predictable end of life for all data. #informationgovernance #infogov #privacy #overretention #retentionschedule #recordretentionschedule #datadisposition #kahnconsultinginc #defensibledisposition

  • CEP Magazine - January 2023 - Article by Randy Kahn and Jay Cohen

    A recent headline encapsulates the problem big business has with data and compliance: “Large Wall Street firms agreed to pay $1.8 billion in fines over failures to keep electronic records such as text messages between employees on personal mobile phones.”[1] Isn’t it strange how little some companies care about one of their most valuable assets? A shipping company knows where every shipping container is located 24/7. A financial institution documents the existence and ownership of every asset in its control. A restaurant chain micromanages its inventory so it has the freshest product for customers with minimal waste and maximal profits. But every business today is also an information business; most big companies spend significant portions of their budget on IT to make their business efficient, competitive, and responsive to their markets and customers. The commodity of information is so valuable that it is sold and traded and has transformed businesses. And yet, most executives have little to no clue about all the information assets their companies have or how they are being created and used. And that is a compliance failure waiting to happen and a strategic advantage squandered. Continue Reading

  • Randy has several virtual speaking events scheduled in 2023

    Taking a Journey Through Our Information Universe

    Information has never been more important and more confounding. Company records are a source of competitive advantage, the lifeblood of every organization, and a major challenge to manage. Today, executives see information as a major asset and potential risk and are now asked to be something well beyond what they signed up for. These sessions are way beyond the record storage boxes sitting in off-site storage. We will go on a journey from where you were yesterday to where you need to be tomorrow. You will learn; hopefully, you will be reinvigorated, and we will have some fun along the way. The one-hour virtual sessions will be based on content from Randy's most recent book titled, "The Executive's Guide to Navigating the Information Universe."

    Speaking Sessions

      - Greater Seattle ARMA Chapter: January 12, 2023
      - Vancouver ARMA Chapter: January 18, 2023
      - Austin ARMA Chapter: January 25, 2023
      - San Diego ARMA Chapter: March 8, 2023
      - Twin Cities & South Dakota ARMA Chapters: November 14, 2023
      - Charlotte Piedmont ARMA Chapter: TBD, 2023

    Check the Chapters website for registration information.

  • The Need for Periodic Information Policy Review

    Most company policies, information-related policies, and procedures are not static company artifacts. Rather, any company directive should be considered a “living” document that reflects the current business operations, processes, and technologies in use. That means that they may need to be augmented, updated, or changed from time to time. If you are not convinced, the recent action by the Justice Department may be the needed motivation. On September 15, 2022, the US Department of Justice issued a memorandum, the subject of which was “Further Revisions to Corporate Criminal Enforcement Policies Following Discussions With Corporate Crime Advisory Group.” That memorandum from the Justice Department seeks to help corporations take actions to better their corporate compliance. Of particular note, as it relates to information and records management, the Justice Department issued a statement dealing with company employees' “use of personal devices and third-party applications.” The Justice Department makes clear that given the ubiquitous use of personal smartphones, tablets, laptops, and other devices that create significant corporate compliance risk, corporations “should have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, should provide clear training to employees about such policies, and should enforce such policies when violations are identified.” #compliance #governance #policies #rim #infogov

  • Who Is Afraid of the DOJ? Why Companies Should Revisit Their Information Governance Program

    Published by the American Bar Association - Business Law Today.

    As the company’s information treasure trove grew, two things were clear: With more information in more places, with more value, traveling across the globe at the speed of light, something bad was eventually bound to happen. And the consequences of failing to manage information assets began to have greater implications for stock value, reputation, executives’ careers, customers, regulators, courts, and the court of public opinion. The US Department of Justice recently updated its “Evaluation of Corporate Compliance Programs,” which guides prosecutors and courts in the adequacy and effectiveness of a corporation’s compliance program. Implicit in a good compliance program is that companies can’t babysit all their employees all day, every day. But if a company constructs an artifice to help employees comply with company policy, for example, the consequences of failure may be reduced or nothing at all. In that sense, good compliance is like insurance—you may never need it, but it provides solace just knowing it exists and is good. So, knowing the criteria a company may be evaluated against someday should help it bolster its corporate compliance programs. More specifically, this article is about information governance compliance programs that are becoming increasingly important, with corporate information growing at 23% each year (per IDC), the increase in privacy regulations, and the adoption of big data projects. Continue Reading: Who Is Afraid of the DOJ? Why Companies Should Revisit Their Information Governance Program - Business Law Today from ABA

  • Principles of Federal Prosecution of Business Organizations

    Do you want to find out what prosecutors will use when making decisions about your company’s compliance program? Read this update to the “Principles of Federal Prosecution of Business Organizations” in the Justice Manual (download (justice.gov)). Here’s a clip: “These factors include ‘the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision’ and the corporation’s remedial efforts ‘to implement an adequate and effective corporate compliance program or to improve an existing one.’”

  • Be a Transformative Mover

    Your organization is an information business, even if you don’t think it is. For any company, information can be a differentiator. It is as real as any physical plant, inventory, product, or service. For most, if not all, companies, there is newly available data, connectivity, and insight generated on a regular basis. Companies are changing the way they do business by capitalizing on the available data. We live in a world that requires companies to use data to better understand their customers’ needs and desires, to improve products and services, and to reduce costs and improve business efficiency. Successful companies are using technology to harness and harvest the right information. Companies are ensuring policies and practices address data that doesn’t fit the old paradigm of a “record.” Just because a law or regulation doesn’t dictate the retention of a certain kind of data doesn’t mean there isn’t great value to the organization. Administrative processes such as customer call centers have improved customer support significantly by harnessing data that is available to them. Many customer support call centers today operate very differently than they did a decade ago. Providing online chats can significantly reduce the volume of calls and allows the younger generation of customers to use the media they prefer. Online chats can use AI technology that learns from years of knowledge generated by customers when they call for support. A company needs to know what information it has in order to harness the value of it. Today’s reality for many companies is that information is managed all over the organization by different business units and different technology groups. It can be very challenging to cross-pollinate the data to find the bigger, more valuable hidden asset. Companies need to learn from other innovative companies that have pioneered new thinking on how data can transform their business.
Companies need to find possible alternate purposes for the information. They also need to explore how cross-pollinated data from across their enterprise can be harvested to drive change. Just because you sell widgets or services, don’t fall into the trap of thinking that your information lacks value beyond its original use. All organizations need to look outside the traditional “information box.” All information should be reviewed to determine how it may be used to improve performance, reduce cost, impact the company’s bottom line, promote sales, develop new products or services, be sold to another company, etc. To leverage information, those who create it, maintain it, share it, repurpose it, and destroy it all need a clear understanding of value, opportunities, and risks across the enterprise and not just for their own slice of information in isolation. Leaders should set the tone that is memorialized in the organization-wide information strategy. Leaders also clear the path to allow information to be used across functional areas and processes in support of the overarching strategy. A clear understanding of privacy, access, use, ownership, intellectual property, and security issues must inform the analysis in order to balance risk and opportunity. Just because you can doesn’t mean you should. In other words, data may be exploitable, but that doesn’t mean exploiting it is necessarily worth the risk or reputational damage it may cause your company. Executives need to proactively set the “information ethics and integrity” tone for the company. Learn from the Hiccups of Transformative Movers. Facebook has undoubtedly transformed the world; the company’s platform provides an array of services that connects billions of people across the globe.
But today, Facebook is being reminded that although it may have the contractual “right” to exploit user data, disregarding the user’s expectation of trust may negatively impact the public’s perception of the company and its business. Companies may benefit by routinizing the governance of information to ensure that an ethical information mindset pervades the enterprise. It is important that all employees know the right thing to do. Some companies are building information governance programs that seek to holistically manage information to ensure compliance with laws and contractual obligations as well as doing right by the customer. The Sedona Conference Commentary on Information Governance makes clear that “[c]ompanies, including publicly traded organizations and those in highly-regulated industries, may adopt Information Governance as a complement to their internal control systems, ethics, and integrity programs to ensure information-related legal compliance and risk management.”[1]

    [1] The Sedona Conference, Commentary on Information Governance, Second Edition, 20 Sedona Conf. J. 95, 117 (2019), available at https://thesedonaconference.org/sites/default/files/publications/Commentary%20on%20Information%20Governance_0.pdf.

  • The Need to Be “Information Lean” After COVID-19

    Many things will never be the same after the COVID-19 affliction. More and more employees will spend less and less time at an office. As more employees work remotely, they will use more technologies to connect and collaborate, and they will store more company information in the Cloud and on various home devices with a range of setups and vulnerabilities. Bad actors, cyber thieves, and hackers will undoubtedly have greater luck exploiting the resulting chinks in the information security armor. Indeed, hackers and cyber warriors began attacking the soft underbelly of corporate security—the devices employees use (sometimes their own and sometimes provided by the company) and the networks on which they connect—right after COVID-19 hit. Businesses must have a concrete plan to deal with these new realities and become more “information lean.” This new environment is also accelerating digitalization, which is building better business processes through the strategic use of technologies. That is important because it provides companies the opportunity to reevaluate what they are doing and why. Sifting through old processes allows not only new efficiencies to emerge but also the chance to build compliance needs into processes from the beginning, which can make them transparent and seamless. In other words, addressing issues such as privacy and security in the planning and design phases of a project means it will not need to be retrofitted downstream. Continue reading on the American Bar Association.

