Integrated ECM Solutions: Where Records Managers, Knowledge

50TH YEAR

AN ARMA INTERNATIONAL PUBLICATION JULY/AUGUST 2016

Integrated ECM Solutions: Where Records Managers, Knowledge Workers Converge Page 18 Five Steps In-house Counsel Should Take to Mitigate Information Risk Page 24 Minimizing the Use of Trigger Events to Increase Records Retention Compliance Page 29 Don’t get burned by MISMANAGED INFORMATION.

Your amount of sensitive customer and business data is doubling by the year. And a little loss could have a big impact on your bottom line. Now more than ever, the way you manage your company’s information matters. Find out where you stand with the Next Level Information Governance Assessment. Through this self-administered online assessment tool, you’ll discover areas of strength. You’ll also uncover opportunities for improvement. In the end, you will be empowered to increase your organizational transparency and data integrity. Start turning information into an asset by visiting arma.org/nextlevel. 50TH YEAR

JULY/AUGUST 2016 VOLUME 50 NUMBER 4

DEPARTMENTS 4 INFOCUS A Message from the Editor 6 UPFRONT News, Trends, and Analysis FEATURES 18 FELLOWSFORUM Integrated ECM Solutions: Where Records Managers, Knowledge Workers Converge Patricia C. Franks, Ph.D., IGP, CRM, CA, FAI 24 Five Steps In-house Counsel Should Take to Mitigate Information Risk H. Kirke Snyder, J.D. 29 Minimizing the Use of Trigger Events to Increase 18 Records Retention Compliance Tom Corey, J.D., CRM SPOTLIGHTS 32 TECHTRENDS Software Updates May Be Compromising Your IG John T. Phillips, CRM, CDIA, FAI 36 MANAGEMENTWISE 3 Keys to Managing Change for a Successful RIM Program Implementation Melissa Dederer, IGP, CRM and Aaron Swan SPECIAL SECTION 40 50THYEAR 50, 25, 10 Years: A Look Back... 24 43 INREVIEW A Primer for Corporate Librarianship and Information Management Melanie Sucha 44 INREVIEW How the Hybrid Information Environment Is Transforming Libraries, History, Scholarship Mary Broughall 46 INREVIEW Visualize It! The Key to Driving Better Business Decisions Robert Bailey, Ph.D., CRM 29 CREDITS 47 AUTHORINFO 48 ADVERTISINGINDEX BONUS CONTENT B-49 UPFRONT News, Trends, and Analysis B-50 Legal Requirements for Electronic Records Retention in Western Europe: An Overview William Saffady, Ph.D., FAI B-50 Standard Human Resource Record Categories Teri Mark, CRM JULY/AUGUST 2016 INFORMATIONMANAGEMENT 1 Publisher: Robert Baird, IGP, CRM, PMP Editor in Chief: Vicki Wiler Contributing Editors: Nikki Swartz, Jeff Whited, April Dmytrenko, CRM, FAI Art Director: Brett Dietrich Advertising Account Manager: Jennifer Millett

Editorial Board: Sonali Bhavsar, IBM • Alexandra Bradley, CRM, FAI, Harwood Information Associates Ltd. • Sara Breitenfeldt, PepsiCo • Marti Fischer, CRM, FAI, Wells Fargo Bank • Uta Fox, CRM, Calgary Police Service • Mark Grysiuk, CRM, CIP • Parag Mehta, Esq. • Preston Shimer, FAI, Records Management Alternatives • Sheila Taylor, IGP, CRM, Ergo Information Management Consulting • Stuart Rennie, Stuart Rennie Consulting • Karen Shaw, CRM, BSP Consulting • Mehran Vahedi, Enbridge Gas Distribution Inc. • Jeremy Wunsch • Penny Zuber, Ameriprise Financial

Information Management (ISSN 1535-2897) is published bimonthly by ARMA International. Executive, editorial, and advertising offices are located at 11880 College Blvd., Suite 450, Overland Park, KS 66210.

An annual subscription is included as a benefit of professional membership in ARMA International. Nonmember individual and institutional subscriptions are $150/year (plus $20 shipping to destinations outside the United States and Canada).

ARMA International (www.arma.org) is a not-for-profit professional association and the authority on governing information as a strategic asset. Established in 1955, the association’s approximately 27,000+ members include records and information managers, information governance professionals, archivists, corporate librarians, imaging specialists, legal professionals, IT managers, consultants, and educators, all of whom work in a wide variety of industries, including government, legal, healthcare, financial services, and petroleum, in the United States, Canada, and more than 30 other countries around the globe.

Information Management welcomes editorial submissions. We re- serve the right to edit submissions for grammar, length, and clar- ity. For submission procedures, please see the “Author Guidelines” at http://content.arma.org/IMM.

Editorial Inquiries: Contact Vicki Wiler at 913.217.6014 or by e-mail at [email protected].

Advertising Inquiries: Contact Jennifer Millett at +1 888.277.5838 (US/Canada), +1 913.217.6022 (International), +1 913.341.3742, or e-mail jennifer.millett@ armaintl.org.

Opinions and suggestions of the writers and authors of articles in Information Management do not necessarily reflect the opinion or policy of ARMA Inter- national. Acceptance of advertising is for the benefit and information of the membership and readers, but it does not constitute official endorsement by ARMA International of the product or service advertised.

Periodical postage paid at Shawnee Mission, KS 66202 and additional mailing office.

Canada Post Corp. Agreement No. 40035771

Postmaster: Send address changes to Information Management, 11880 College Blvd., Suite 450, Overland Park, KS 66210.

2 JULY/AUGUST 2016 INFORMATIONMANAGEMENT

INFOCUS A Message from the Editor

Forging Stronger Relationships with IT and Legal to Advance Your RIM Program

by knowledge workers, and discuss ficiently, Corey writes. how RIM professionals can support Leverage your relationship with business processes by helping select IT to gain support for controlling au- the right tools, developing policies, to-updating software. In the “Tech and implementing the appropriate Trends” article, “Software Updates controls. May Be Compromising Your IG,” Sharing our second feature article author John Phillips, CRM, CDIA, with your in-house counsel will encour- FAI, uses the auto-updating features age him or her to take a more active of Windows 10 as an example of the role in working with you to promote dangers of this practice. the importance of information gover- Of course, strong relationships nance (IG), secure needed resources with all IG stakeholders are critical for IG, and drive collaboration among if you’re looking to implement any key IG stakeholders to reduce your major change, but particularly for organization’s risk profile. In “Five implementing or modifying a RIM Steps In-house Counsel Should Take program. Read our “Management to Mitigate Information Risk,” author Wise” sub-feature to learn the “3 Keys f you are a records and informa- H. Kirke Snyder, J.D., IGP, recom- to Managing Change for a Success- tion management (RIM) profes- mends: preparing for a U.S. Federal ful RIM Program Implementation,” sional who is looking for practical Rules of Civil Procedure’s Rule 30(b) by Melissa Dederer, IGP, CRM, and Iopportunities to work alongside (6) deposition, creating a data map, se- Aaron Swan. and increase your influence with IT curing financial and human resources, Please e-mail us at editor@ar- and legal, you will find support in this revising the records retention policy maintl.org to let us know the topics issue’s articles. and schedule, and modifying storage you want to read about in these pages. As the person most knowledgeable vendor service level agreements. We’re eager to provide the content about your organization’s information- When revising your retention you need to advance your professional handling processes, you are in a prime schedule, you should consider the ad- skills, your career, and your organiza- position to work with IT to integrate vice given by Tom Corey, J.D., CRM, tion’s RIM or IG program. your enterprise content management about “Minimizing the Use of Trigger Also, don’t forget you can browse (ECM) system with other business Events to Increase Records Retention archived issues going back to 2005 by solutions to enhance employees’ ability Compliance.” He provides practical clicking on http://content.arma.org/ to do their jobs and comply with RIM guidance for using straight retention IMM/online/Archives.aspx and the requirements. Patricia Franks, Ph.D., periods for six trigger events com- current issue at http://imm.arma. IGP, CRM, CA, FAI, tells you how in monly used in retention schedules: org. Even if you prefer the print ver- the cover article. expiration of contract, final resolu- sion, you’ll want to access the “Bonus Franks uses examples from Gart- tion, protection period, life of product, Content” found only online in each of ner’s 2016 “Magic Quadrant for En- superseded, and project completion. the issues published this year. terprise Content Management” to in- Making this change will allow your troduce three ECM systems, provide organization’s CMS to handle records’ Vicki Wiler examples of integrated solutions used disposition more effectively and ef- Editor in Chief

4 JULY/AUGUST 2016 INFORMATIONMANAGEMENT E-mail Management

Best Practices for Managing Electronic Messages (ARMA International TR 24-2013) This technical report provides current information for managing all types of text-based electronic messages or communication, such as e-mail, instant messages, and text messages.

A4938 $55.00 Professional members: $35.00 V4938 PDF $50.00 Professional members: $30.00

E-Mail Retention and Archiving: Issues and Guidance for Compliance and Discovery William Saffady, Ph.D. With its focus on the retention of e-mail to satisfy an organization’s legal, operational, and historical requirements, this book will help organizations avoid over-retention problems and simplify the discovery process.

A4965 $55.00 Professional members: $35.00 V4965 PDF $50.00 Professional members: $30.00

Policy Design for Managing Electronic Messages (ANSI/ARMA 19-2012) This American National Standard sets forth the requirements for a policy guiding the management of electronic messages as records throughout their life cycle – from creation to final destruction or disposition.

A4930 $60.00 Professional members: $40.00 V4930 PDF $55.00 Professional members: $30.00

Order online today!

www.arma.org/bookstore UPFRONTNews, Trends & Analysis

PRIVACY FCC Rules Would Restrict Use of Consumers’ Private Data nternet service providers (ISPs) each user goes and what services that provide broadband Internet are acquired upon arrival at their Iaccess service to consumers have Internet destinations, according to extraordinarily broad access “to very The New York Law Journal. That sensitive and very personal informa- is why the FCC adopted, by a 3-to-2 tion that could threaten a person’s vote, Notice of Proposed Rule Mak- financial security, reveal embar- ing (NPRM) that, if adopted, will rassing or even harmful details of address consumers’ rights to have medical history, or disclose to prying notice, choice, and security when eyes the intimate details of interest, their private information is used physical presence, and fears,” ac- by broadband providers. and whether and for what purposes cording to the Federal Communica- The FCC said in a statement ISPs may share their customers’ tions Commission (FCC). that the NPRM proposes rules that information with third parties. ISPs can follow their custom- would give broadband customers The FCC’s proposal allows for er’s Internet activity by collecting “the tools they need to make in- certain data collection that is neces- individualized data and develop formed decisions about how their sary to provide broadband services highly specific profiles of where information is used by their ISPs” and for marketing those services, as well as for public safety; this would not require customer consent PRIVACY beyond creation of the customer- GDPR, Privacy Shield Will Impact Businesses, ISP relationship. All other uses and sharing of consumer data would Survey Finds require “express, affirmative ‘opt-in’ consent from customers.” ccording to the “2016 EU GDPR The NPRM defines the data to and EU-U.S. Privacy Shield be protected as customer propri- ASurvey” by Baker & McKen- etary information, which would in- zie, 84% of privacy professionals who clude both “customer proprietary responded said they expect the new network information” and personal- General Data Protection Regulation ly identifiable information collected (GDPR) recently adopted by the EU to impact their organizations. by broadband providers through Of the 100 respondents surveyed, between 60% and 70% said their their provision of services. organizations will need to spend at least some or significantly more of Because there is no uniform fed- their budget in an effort to comply with the GDPR. The requirements eral breach notification standard, that will call for additional attention include consent, data mapping, the NPRM proposes that broadband and cross-border data transfer, according to the survey. providers notify affected custom- Lawyers say preparing for the GDPR and Privacy Shield regulations ers within 10 days of discovering calls for creating readiness plans and data maps, and the majority of a breach that triggers customer organizations do not believe they have the tools and solutions necessary notification requirements. The “to meet all of the requirements,” Theo Ling, an attorney at Baker & NPRM requires that the FCC be McKenzie, told Legaltech News. In fact, the survey revealed that 45% notified of all data breaches and of respondents said they either do not have the tools or could obtain that other federal law enforcement them only at significant cost. be informed of breaches that impact The good news is that more than 80% of the respondents said they more than 5,000 customers within are at least somewhat familiar with all of the major GDPR require- seven days of their discovery and ments. That’s good, because the GDPR allows non-compliance fines of three days before notification to up to €20 million ($22.79 million U.S.) or 4% of an organization’s total the customer, the New York Law global annual turnover. Journal reported.

6 JULY/AUGUST 2016 INFORMATIONMANAGEMENT PRIVACY •• Requires clear and affirmative in place in most EU countries. EU Approves GDPR consent, such as an EU citizen The GDPR was also passed with “ticking a box” on a website al- a new EU directive on cross-border lowing it to retain or process data processing and handling in he EU Parliament passed the his or her personal data criminal and judicial investiga- General Data Protection Reg- •• Gives EU citizens the right tions, Legaltech News reported. ulation (GDPR), overhauling T to data portability, which al- The directive sets minimum stan- the Data Protection Directive rules lows them to transfer personal dards for data processing by law established in 1995. The rules apply data between service providers enforcement agencies, defines EU to all organizations and businesses easily, such as moving contact citizens’ rights and data transfer targeting EU consumers, regard- information from one e-mail limitations in criminal or judicial less of their geographic location. provider to another processes, and enables cooperation According to Legaltech News, between member state law enforce- the legislation defines new data and ment agencies. privacy rights for EU consumers, regulates the transfers and processing of EU data, and establishes E-DISCOVERY more stringent enforcement of data EDRM Releases handling, allowing organizations to be fined up to 4% of its total world- E-Discovery Glossary wide revenue for violating GDPR regulations. DRM has released a free, GDPR is meant to replace the downloadable PDF version patchwork of EU member states’ Eof its EDRM Glossary, a com- national laws so that businesses ac- prehensive glossary of e-discovery cessing EU data will have only one terms. At more than 330 pages, centralized supervisory authority to the glossary is the industry’s most follow. The EU estimates that sav- comprehensive listing of electronic ings from this standardization will discovery terms. hit €2.3 billion ($2.6 billion U.S.) “Experienced legal and e-dis- per year, Legaltech News reported. covery professionals have devel- The GDPR is effective now, oped a fairly broad understanding but member states have two years of the processes and terms related to translate the regulations into to our craft,” says George Socha, their national laws. The UK and •• Requires clear, plain language EDRM co-founder, “but none of us Ireland will follow the regulation in Internet and business pri- knows it all, and the technologies on a limited basis because of their vacy policies and language surrounding e-discov- special “home affairs and justice •• Requires EU businesses and ery continue to advance. Our goal legislation” status. Denmark will providers to expedite notify- with the glossary is to provide a vote on the adoption of the GDPR ing their national supervisory tool that will enhance e-discovery within six months. authority of “serious” data knowledge and understanding, and The GDPR: breaches evolve with the industry.” •• Allows an EU citizen’s right •• Limits the use of “profiling,” First launched in 2006, the to be forgotten, which means which is collecting an individ- EDRM Glossary includes terms data controllers, processers, ual’s personal information in from specialized glossaries on col- and Internet third parties order to predict his or her be- lection, metrics, search, and in- must remove the personal havior, without the expressed formation governance, as well as data of an EU citizen upon consent of the individual, or glossary content on search and pre- request if there are no legiti- that of a law or contract dictive coding from Herb Roitblat mate reasons to retain such •• Requires parental consent for and from the Grossman-Cormack information, such as histori- children between the ages of glossary on technology-assisted cal, statistical, public health, 13 and 16 to open social media review. scientific need, a right to free accounts, although the exact The complete EDRM glossary expression, or legal or contrac- age varies among EU member can be downloaded at www.edrm. tual obligations states. Such laws are already net/resources/glossaries/glossary.

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 7 UPFRONT

PROFESSIONAL DEVELOPMENT Survey: U.S. Government Not Prepared for Future IM Requirements

any federal information “This survey provides an impor- mat management integration management (IM) profes- tant view into the state of federal (26%), and information and Msionals feel unprepared to records and information manage- data valuation assessment handle the future requirements ment, both where the government (24%) of their jobs, according to the re- is now in terms of capabilities and, The data suggests significant cent Iron Mountain survey report more importantly, where agencies gaps between the skills RIM pro- “Constructing the Next Generation need to focus their information fessionals currently have and what Information Management Profes- management practices in the fu- they believe they will need in the sional.” ture,” said Michael J. Lewis, vice future. As such, Iron Mountain Iron Mountain said it conducted president and general manager, said agencies should consider fo- the study to identify the govern- Iron Mountain Government Ser- cusing on the following in order to ment’s IM priorities for the next vices. close that gap: three to five years, share agency The survey of 200 federal em- •• Promote a more holistic ap- respondents’ feedback on where ployees identified some key focus proach to IM and sell it inter- gaps exist, and offer suggestions areas for future success, including: nally on how to improve on the necessary •• Areas for improvement: Risk •• Meet the demand for special- skillsets. management (34%) is most ized skills with a focus on The survey asked these profes- often cited, followed by elec- information security, quality sionals what skills would be re- tronic records retention (24%) management, and analytics quired for future effectiveness. More and RIM practices (24%). •• Focus on soft and technical than half (56%) said they believe •• Most desired skill sets: Risk skills in need of improvement information security and access con- management/security/data and understand why improve- trol will be in greatest demand from privacy (54%), analytics (42%), ment is needed IM professionals, followed by data and content/records manage- •• Leverage the knowledge and quality management (39%) and ana- ment (33%) mentoring skills of older staff lytics capabilities – including data •• Technical and soft skills in before they retire sourcing and integration (39%). demand: Information securi- •• Provide professional develop- In addition, projects related to ty (52%), innovative thinking ment training in the formats data privacy (34%), records and (39%), and fostering stake- employees most prefer information management (RIM) holder buy-in and delivering •• Create a forum for sharing (31%), and data analytics (30%) C-level and stakeholder com- ideas and best practices are thought to be in the greatest munications (15%) The report is available at demand over the next three to five •• Ensuring compliance (32%), www.ironmountain.com/NextGen years. physical and IT records for- IMPro.

8 JULY/AUGUST 2016 INFORMATIONMANAGEMENT NEW in the Bookstore

Records and Information Management Fundamentals of Professional Practice 3rd Edition

Records and Information Management: Fundamentals of Professional Practice,

3rd. Ed. William Saffady, Ph.D. William Saffady, Ph.D.

The new edition of this best-selling text has been thoroughly updated and expanded to include more international content and to cover topics not in previous editions, such as information governance and data protection. It is the “go to” book for newly appointed records managers; experienced professionals who want a review of specific topics; supervisors who oversee records management functions; decision makers who develop strategies and tactics for managing information assets; and for students in records management or allied disciplines, such as library science, archives management, information systems, and office administration.

A5026 $85.00 Professional members: $60.00 V5026 PDF $80.00 Professional members: $55.00

Order online today!

www.arma.org/bookstore UPFRONT

INFO SECURITY have to ask yourself how you’re part of changes he said will increase Tennessee Enacts Tough going to demonstrate that the bad confidence in the government’s re- guys” aren’t going to get access to cordkeeping. Data Breach Law certain information. Whereas in “If we are spending public every other state, “you just have to money then the public deserves to show that the data is encrypted,” know,” he said, adding that con- Stephen Embry of Frost Brown tracts, calendars, and scanned re- Todd told Corporate Counsel. ceipts for ministerial travel now will The law doesn’t require notice be routinely posted online. without question in all circum- De Jong said non-partisan civil stances, but experts say the law in servants will oversee the gather- Tennessee now makes a distinction ing and release of records from the between strong and weak encryp- partisan offices of cabinet ministers, tion that other states are not mak- and ministers won’t be able to delay his month, Tennessee becomes ing, Corporate Counsel reported. signing off on records for more than the first state to abolish the five days. T“encryption safe harbor” rule, GOVERNMENT RECORDS “If anything, what we are trying giving it the honor of having the B.C. Revising its Freedom to move to is a system that elimi- strictest data breach law in the nates entirely the political level of United States, according to data of Information System oversight particularly with respect privacy experts. to minister’s offices,” said de Jong. Encryption safe harbor requires ritish Columbia (B.C.) will The federal government recently companies who suffer a data breach revamp its Freedom of In- announced that it would eliminate to notify customers only if the ex- Bformation (FOI) system by FOI fees, charging only $5 per ap- posed data was unencrypted. Ten- releasing more documents proac- plication. De Jong said he’s ponder- nessee’s amended Identity Theft De- tively, restricting interference from ing how to reform B.C.’s fee struc- terrence Act of 1999, which became political staff, and better helping ture but is considering waiving all effective July 1, requires notifica- the public access important records, fees. The Vancouver Sun reported tion even if the breached data was according to B.C. Finance Minister that the B.C. government collects encrypted, according to a Corporate Mike de Jong. approximately $60,000 a year in Counsel report. The rule requires According to The Vancouver fees on an FOI system that costs notice of a data breach to be report- Sun, de Jong also suggested legis- $15.3 million to administer. The ed to affected individuals within 45 lation to force government officials government added an additional days unless law enforcement needs to better document their decisions, $3 million into the FOI system in more time to investigate. Only a and he left open the possibility of April, and de Jong said he’d like to few states have established a set eliminating FOI fees altogether as see faster FOI responses as a result. notification time period. Lastly, the bill amends the stat- ute to specify that an “unauthorized person” includes an employee of the information holder who is discov- ered to have obtained personal information and intentionally used it for an unlawful purpose. Accord- ing to the Jackson Lewis law firm, this amendment is likely focused on people who failed to provide notification of data breaches that resulted from improper access by employees. Some lawyers believe the revised rules will place an undue burden on companies. “If you’re a company with a lap- top stolen in Tennessee, you really

10 JULY/AUGUST 2016 INFORMATIONMANAGEMENT INFO SECURITY Distrust of Vendors Raises Security, Compliance Questions

any companies don’t trust firms trying to protect client in- vendor-related cybersecurity the vendors they share con- formation when sharing data with incidents increasing. Mfidential data with, accord- third parties, according to Legaltech •• Most companies find it difficult ing to a recent Ponemon Institute News. Companies surveyed have to manage vendor-related cy- survey. a vendor data risk management ber incidents, with 65% saying The survey of 600 individuals program and were asked to consider they “don’t have the internal across industries found that more only their outsourcing relationships resources to check or verify” than a third of U.S. businesses in which they share “sensitive or when evaluating vendors’ se- (37%) believe that their primary confidential information or involve curity and privacy practices. third-party vendors wouldn’t no- processes” that require vendor ac- •• 58% of companies said they tify them in the event of a security cess to that data. cannot determine whether breach involving “sensitive and The survey revealed difficulties vendor “safeguards and secu- confidential information.” In addi- with “mitigating, detecting and rity policies are sufficient to tion, 73% of respondents said that minimizing” risks posed by third prevent a data breach,” leav- fourth-party to “nth”-party [an un- parties handling company data. Ac- ing 41% who said they are suf- known number in a series of num- cording to the survey, companies ficient. bers] vendors – subcontractors or lack faith in outside data handling “The reliance solely upon con- indirect service providers employed and are not able to properly manage tractual agreements instead of au- by a third-party vendor – would it. The findings show: dits and assessments to evaluate “fail to notify” if a breach occurred. •• About half (49%) of companies the security and privacy practices The survey, “Data Risk in said they experienced a breach creates significant risk,” Margo the Third Party Ecosystem,” was caused by vendors, while 16% H.K. Tank, partner with Buck- commissioned by law firm Buck- said they weren’t sure if a ven- leySandler, told Legaltech News. leySandler and Treliant Risk Advi- dor was to blame. “Companies will need to establish sors to reveal the challenges facing •• 73% of companies said they see and track metrics regarding the effectiveness of the vendor risk GOVERNMENT RECORDS management program and establish vendor risk management com- U.S. National Archives Appoints mittees.” Permanent Chief Records Officer According to the survey, for many companies, information governance in vendor relations should aurence Brewer, the acting chief records be strengthened. For example, only officer (CRO) for the U.S. government, has 31% view their vendor risk man- been appointed to fill the position perma- L agement program as “highly ef- nently, Archivist of the United States David Brewer fective,” while 38% said they don’t Ferriero announced in late April. track metrics on their programs’ Brewer’s responsibilities include issuing federal records manage- effectiveness. In addition, the ma- ment policy and guidance; serving as a liaison to the Office of Man- jority (62%) admitted that “their agement and Budget, Congress, the Government CIO Council, and boards of directors do not require other stakeholders on records management issues; and serving as an assurances that vendor risk is being ombudsman between agencies and the U.S. archivist to ensure that assessed, managed, or monitored the National Archives and Records Administration (NARA) and the appropriately, or they are unsure.” agencies it serves meet their statutory mandates and records manage- “Companies must understand ment requirements. managing data risk is not merely a Brewer became the acting CRO in October 2015 when the previous compliance and contract issue but CRO, Paul Wester, left NARA to become the director of the U.S. National a fundamental strategic challenge Agricultural Library. He joined NARA in 1999 as an appraisal archivist in which personal data, intellectual and later worked as an electronic records policy analyst. He previously property and transactional records served as a records management consultant at the Environmental must be protected from third, fourth Protection Agency and the Virginia Department of Transportation. and nth-party risk,” Tank said.

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 11 UPFRONT

MOBILE DEVICES involved in security breaches said Holger Schulze, the founder of Security Issues May at their companies. About the 300,000-member Information 25% said these devices had Security Community on LinkedIn, Hamper BYOD Adoption connected to a malicious WiFi in a news release. network. nalysts are predicting that •• One in five organizations suf- the global bring your own de- fered a mobile security breach, Avice (BYOD) and enterprise mainly driven by malware and mobility market will hit $360 billion malicious WiFi. by 2020. While BYOD policies are •• Security threats to BYOD im- boosting employee productivity and posed heavy burdens on orga- flexibility, security issues may be nizations’ IT resources (35%) PRIVACY impeding their growth and imple- and helpdesk workloads (27%). Canada Joins Asia- mentation, according to a recent •• Despite increasing mobile se- survey. curity threats, data breaches, Pacific Privacy Regime Crowd Research Partners sur- and new regulations, only 30% veyed 800 cybersecurity profes- of organizations are increasing anada will join the Cross- sionals for the “2016 BYOD and security budgets for BYOD in Border Privacy Rules (CBPR) Mobile Security Report.” Around the next year; 37% have no CSystem, which requires Ca- three-quarters of those surveyed plans to change their security nadian entities doing business in reported that their companies budgets. Asia-Pacific Economic Cooperation implemented BYOD policies for The majority of respondents (APEC) member economies to com- employees, 23% allowed BYOD for (80%) said malware protection ply with minimum requirements contractors, and 16% set up their and the ability to log, monitor, and regarding cross-border data pri- policies on the company’s partners’ report devices were key require- vacy procedures. The requirements devices. In addition, 14% extended ments for confronting mobile se- are outlined in the APEC Privacy the service to their customers. curity threats. But just 63% said Framework, published in Decem- More than half of respondents they had password protections for ber 2005, which seeks to provide noted that BYOD policies at their BYOD devices, while fewer than clear guidance and direction to companies increased employee half had remote wipe capabilities businesses on common privacy is- mobility, satisfaction, and produc- (49%) or device encryption (43%). sues and their impact on the con- tivity, while just under half cited “While these threats can sig- duct of legitimate business. reduced costs as an added benefit. nificantly impact the success of APEC is a 21-country regional The survey also found, though, BYOD initiatives and place a bur- economic forum that seeks to pro- that security risks and mobile data den on IT support staff, this is also mote economic integration and breaches are increasing. It revealed an opportunity for organizations prosperity for the Asia-Pacific re- that 39% of employees are worried to implement effective cybersecu- gion. A joint oversight panel of the about BYOD security, and 12% have rity solutions to strengthen their APEC CBPR system submitted a concerns about the privacy of their security posture and capitalize on report in April 2015 confirming data. More than 70% of the cyberse- the promise of enterprise mobility,” that Canada met the conditions for curity professionals surveyed cited participating in the system. That data leakage or loss as their top report noted that Canada’s Per- BYOD concerns, while a little more sonal Information Protection and than half also cited unauthorized Electronic Documents Act contains access, user downloads of unsafe provisions relevant to the enforce- apps or content, and malware. ability of each of the 50 CBPR pro- The survey revealed additional gram requirements. key insights on BYOD adoption and The United States, Mexico, and risks, including: Japan have also been certified to •• Almost 40% of respondents participate in the system, and oth- noted that BYOD devices or er APEC countries are evaluating corporate devices have down- their ability to meet the system’s loaded malware, while 21% compliance and enforcement re- noted that mobile devices were quirements.

12 JULY/AUGUST 2016 INFORMATIONMANAGEMENT BUSINESS CONTINUITY and storage technologies at Kroll More Businesses Moving to the Cloud for Data Backup Ontrack. “And it’s not a ‘set it and forget it’ process. Backup health n increasing number of or- data, but challenges remain. requires regular testing and audit- ganizations are looking to “Maintaining a traditional ing to not only ensure the backup is Athe cloud to back up their backup solution takes time and working properly, but to confirm it company data, according to Kroll due diligence. For instance, think includes all the necessary media to Ontrack research. about the exponential growth in meet preservation and compliance Kroll studied the data backup data volumes that IT teams are requirements. It’s a huge balanc- practices of more than 500 compa- handling and backing up. That ing act, particularly for smaller to nies in North America, Asia, and growing volume translates into midsize organizations with limited Europe that have suffered data time – significant time,” said Todd IT support infrastructure.” losses. According to the survey, Johnson, vice president of data Interestingly, Kroll found that among companies with no data at the time of data loss, 14% of com- backup plans, 51% are still con- panies did not have a data backup sidering hard drives for primary in place. Perhaps not surprisingly, data backup, while 23% are con- 58% relied on external hard drive sidering moving their backup data solutions while about 16% used to the cloud. the cloud. Eleven percent said they When compared to the results used network-attached storage. of the same survey conducted in Of those without backup solu- 2015, Kroll found that business- tions, 54% said not having enough es are slowly moving away from time for administration and re- external hard drives (down 17% search was their reason for not from the previous year) and to- implementing a solution. Notably, ward cloud consideration, which fewer companies cited expense as has increased by 5%. a reason for not backing up data Most organizations have pro- than in 2015 – a 7% decline, ac- cedures in place to back up their cording to Kroll.

DIGITAL PRESERVATION Microsoft Experimenting with DNA for Digital Storage icrosoft said it plans still years away from a commer- to acquire 10 million cially viable product, but our early Mstrands of DNA from tests with Twist demonstrate that Twist Bioscience to use for digi- in the future we’ll be able to sub- tal storage experiments. Twist stantially increase the density and Bioscience is a San Francisco- durability of data storage.” based biology startup that Compared to traditional stor- makes synthetic, storage-ready age systems, the data density DNA, according to Tech Times. offered by DNA is significantly “As our digital data contin- higher. According to Tech Times, ues to expand exponentially, we 1 gram of DNA is equivalent to need new methods for long-term, nearly 1 billion terabytes (or 1 readable for between 1,000 to secure data storage,” said Doug zettabyte) of data. It also is far 10,000 years. Carmean, a Microsoft partner more robust than conventional Microsoft research estimates architect in its Technology and storage systems as is evidenced that 1 cubic millimeter of DNA Research organization. “The ini- by the fact that DNA fragments can store 1 exabyte, or 1 billion tial test phase with Twist dem- that are several thousand years gigabytes, worth of data, mak- onstrated that we could encode old can be sequenced successfully. ing the use of DNA for digital and recover 100% of the digital Another advantage of DNA is data archival a viable option data from synthetic DNA. We’re that it will stay unharmed and long term, Tech Times reported.

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 13 UPFRONT

EHRs U.S. Nears 100% EHR Adoption

inety-six percent of U.S. hospitals are using certified Nelectronic health records (EHRs), compared with 72% in 2011, revealed a survey released at the 2016 annual meeting of the Office of the National Coordinator for Health Information Technology (ONC) in Washington, D.C. “Data showing the nearly uni- E-DISCOVERY versal adoption of certified electronic health records are an indi- U.S. Appeals Court Allows Search of Old PC Files cation of how far we have come for clinicians and individuals since the n a closely watched case, a U.S. appeals court has ruled that HITECH Act was passed,” National federal agents acted in good faith when executing a warrant to Coordinator for Health Information Isearch records that had been seized two and a half years earlier. Technology and Acting Assistant The 12-to-1 decision by the Second U.S. Circuit Court of Appeals Secretary for Health Karen De- in New York restored a Connecticut accountant’s 2011 jury conviction Salvo said in a statement. and two-year prison sentence for tax evasion, Reuters reported. A Introduced in 2009, the Health three-judge panel had overturned both in June 2014. Information Technology for Eco- Stavros Ganias’ computer files were seized in November 2003 by nomic and Clinical Health (HI- U.S. Army investigators examining possible overbilling by a military TECH) Act has led to an increase contractor that had employed Ganias as an accountant, according to in the adoption of health IT, eweek. Reuters. But instead of purging unnecessary files, the government com reported. held onto them, and in April 2006 got a warrant to search them for According to the survey, just 9% evidence of unrelated tax evasion by Ganias. of non-federal, acute-care hospitals While the appeals court decision tested how long the government used basic EHRs in 2008, while 84% can keep a criminal suspect’s computer data, the court did not answer use them today; in 2011, 72% used the question of whether keeping the records for that long violated certified EHRs, and today 96% do. the suspect’s Fourth Amendment rights. Small, rural, and critical-access In the 2014 ruling that voided the jury verdict, Circuit Judge hospitals are not as up to speed; Denny Chin, who was the lone dissenter in the most recent decision, however, since 2014, small, rural said the government went too far by searching computer records it hospitals have increased their had long considered irrelevant for evidence of a new crime. adoption of basic EHRs by 14%, The majority, in its 60-page opinion, did not address that issue and critical-access hospitals have but did warn law enforcement to be more careful, citing “significant” increased adoption by 18%, eweek privacy concerns and Fourth Amendment issues arising when the said. government retains hard drives and other digital media containing The rate at which information vast troves of personal information, “much of which may be entirely – such as radiology reports, care irrelevant to the criminal investigation that led to the seizure,” summaries, and lab results – is Reuters reported. being exchanged has doubled since Chin, in his 40-page dissent, said the “cloud” that has hung over 2008, from 41% to 82% in 2015, the Ganias’ head for the last 13 years should be lifted. report found. And even between “The government did precisely what the Fourth Amendment 2014 and 2015, the percentage of forbids: it entered Ganias’ premises with a warrant to seize certain hospitals using, sending, receiving, papers and indiscriminately seized – and retained – all papers and finding key clinical informa- instead,” he wrote. tion “grew significantly,” from 23% Ganias’ lawyer said he was reviewing the decision and might to 26%. appeal to the U.S. Supreme Court.

14 JULY/AUGUST 2016 INFORMATIONMANAGEMENT 229 Strong. And Growing. Congratulations to these Certified Information Governance Professionals

Mitchell Abrams Lisa Marie Daulby Janice Hulme Stephen Murray Natalie Spano Elizabeth Adkins Nicholas De Laurentis Bethany Hynes Deborah Naas Brian Starck Angela Akpapunam Melissa Dederer Nicolas Inglis Joe Nadzam Jason Stearns Xavier Alabart G. Derk Leigh Isaacs Lindy Naj David Steward Anthony Allen Deborah Dotson Mary Janicik Peggy Neal Courtney Stone Pey-Jia Angell Christina Doyle C’Les Jensema Lee Nemchek Melissa Suek Christine Ardern Sandra Dunkin Chris Johnson Kurt Neumann Lisa Summers Deborah Armentrout Priscilla Emery Elizabeth Johnson Sheri Nystedt Paula Sutton DeAnna Asscherick Sarah Emes Kurt Johnson Shanna O’Donnell Marjorie Swain Randy Aust Sofia Empel Todd Johnson Carolyn Offutt Sheila Taylor Wendy Austin Tony Epler Deborah Jostes James Owens Robin Thompson Christie Baird Debra Farries Deborah Juhnke Eleanor Ozaeta Kathleen Timothy Robert Baird Elizabeth Farthing Soo Kang Lewis Palmer Louis Tirado Patty Baldacchino Carol Ann Feuerriegel Andrew Keller Jadranka Paskvalin Brian Tretick Salvador Barragan Clinton Field James Kennedy Alan Pelz-Sharpe Susan Trombley Christopher Beahn Glenn Fischer Anju Khurana Graham Pescod Nathan Troup Shawn Belovich Matt Fisher Ellie Kim Denise Pickett Brian Tuemmler Richard Berlin David Fleming Michelle Kirk Debra Power Martin Tuip Mike Biancaniello Mariel Fox Monica Kirsch James Presley Amy Van Artsdalen Margaret Boeringer Patricia Franks Tamara Koepsel Cindy Pryor Paul Van Reed Isabel Bracamontes Audrey Gaines Greta Krapac Fred Pulzello James Vardon Aaron Bryant Rhonda Galaske Peter Kurilecz Angel Ramos Katharine Voldal Susan Burd Caroline Gallego Tera Ladner Tony Ratcliffe Jennifer Watters Farley Kiji Burston Claire Galloway Jenkins Richard Lang Joshua Rattan Alexander Webb Doug Caddell Stephen Garner Ronald Layel Scott Raynes Katherine Weisenreder Stacie Capshaw Charles Garrett Anna Lebedeva Jessica Rickenbach Bridgett Weldner Melissa Carlis Irene Gelyk Gilles Legare Deborah Rifenbark Erik Werfel Diane Carlisle Celine Gerin-Roze Donnell Long Carol Rittereiser-Coritt Steven Whitaker Laurie Carpenter Sue Gerrity Howard Loos David Rohde Kristi Whitmore Elizabeth Carrera Kimberly Giertz John Loveland Donna Rose Jesse Wilkins Alexander Carte Susan Goodman Eric Lynn Shawn Ryan Marc Willemse Mark Carter Joshua Grisi Cindy MacBean Kathryn Scanlan Dylan Williams Peter Casey Komal Gulich Mark MacFarlane Danna Schacter Steven Williams Anita Castora Jocelyn Gunter Rudolph Mayer Tonia Schneider Natausha Wilson Elizabeth Castro Allen Gurney Brian McCauley Teresa Schoch Rick Wilson Tod Chernikoff Michael Haley Stephanie McCutcheon Terry Schrader Terri Wilson Carol Choksy Grace Hammar Cheryl McKinnon Karen Schuler Brett Wise Vicki Clewes Joshua Hargrafen Felecia McKnight Jason Scott Jennifer Witt Andrew Cogan Paula Harris James Merrifield Karen Shaw Kristin Wood Julie Colgan Julie Harvey Bruce Miller Mary Sherwin Robin Woolen Bud Conner Matthew Hebert Sandy Miller William Silvio Jeffrey Yawman Dani Cook Charles Herbek Dana Moore David Skweres Cheryl Young Russ Cottle Margaret Hermesmeyer Dermot Moore Doug Smith Margo Young Marvin Cross Caroline Higgins Rafael Moscatel Kathleen Smith Andrew Ysasi Kristen Crupi Gordon Hoke Linda Muller Michael Smith Ryan Zilm Becky Darsch Patricia Huff Jen Murray Kirke Snyder

Application deadline: November 12, 2016. Register today at www.arma.org/igp. UPFRONT

INFO GOV PROGRAMS Firms Must Focus More on Information Governance, Lawyers Say

irms just aren’t paying enough as the most pressing issues facing cording to the survey, another 26% attention to information gover- their firms: data security, cyberse- think their programs lack the re- Fnance (IG), according to corpo- curity, and privacy risks, including sources needed to be effective. rate in-house counsel interviewed the loss of personally identifiable The survey also found that 59% for Kroll’s 2016 Corporate Risk information. of lawyers reported that their orga- Survey. Almost half of respondents nization’s data breach or incident The 170 lawyers taking part (47%) said their companies do not response plans are inadequate or in the survey cited the following have an IG program in place. Ac- non-existent. Other findings include: •• Data security is “the most significant risk facing modern corporations.” Most (76%) in- house counsel said there are effective safeguards in place to protect their organization’s intellectual property, but only 41% said their company’s plan is regularly updated and tested. •• Two-thirds of respondents said their firms are more at risk of external fraud, while 33% believe their risk of internal fraud is higher. INFO GOV PROGRAMS •• For fraud, 85% of organizations conduct due diligence on Survey: Unstructured Data a Growing Challenge proposed business partners and 76% maintain internal re- hile most companies are aware of the importance of informa- sources to investigate fraud in tion governance (IG), many do not have insight or control the United States. But almost Wover employee-produced data, according to a recent survey two-thirds lack the internal re- from Acaveo and Osterman Research. sources needed to investigate They surveyed more than 100 organizations that stored an average global fraud incidents. 20 TB of unstructured data and found that only 37% of them regularly •• Organizations are using most audited the amount of data employees or business units produce. of their compliance budgets for Just 35% said they had a budget in place to deal with unstructured risk assessments and policy data challenges. creation and management. In- Overall, while many companies admitted to struggling with gov- house counsel said they want erning unstructured data, only half of the surveyed companies said to spend additional funds on they have an IG program in place to help deal with it. compliance training and tech- But they do understand the importance, as 70% cited regulatory nology systems to facilitate risks and 66% cited the need to avoid any data risks as reasons to compliance screening. adopt an IG program. In addition, 75% of respondents noted the sav- According to Kroll, the survey ings IG can bring to storage costs. Other findings include: shows that “organizations are •• 55% of organizations perform regular file share cleanup exercises. making noteworthy strides as a •• 40% of organizations have a “defensible deletion” program in place. result of the new risks facing the •• Of the companies that have an IG program, 75% justify the pro- enterprise. Nevertheless, the sur- gram based on storage costs. vey also reveals that organizations Notably, the survey predicts that the proportion of unstructured have additional room to evolve if data stored in-house will increase from 22% currently to 25% in just they seek to combat these modern two years, while cloud storage will comprise a bit less than half of an risks in an efficient, cost-effective organization’s information repositories in at least five years. manner.”

16 JULY/AUGUST 2016 INFORMATIONMANAGEMENT CLOUD COMPUTING are moving from theoretical ex- Are Cloud Security Concerns Overblown? ploration of cloud models to actual implementation.” Greatest Threats to Cloud Security According to Legaltech News, More than 2,000 professionals surveyed by Cloud Research Partners cited the following factors driving these concerns obstacles to cloud security: include the recently approved Unauthorized access 53% General Data Protection Regula- tion in Europe and cybersecurity Data leaking or loss 49% disclosure and data regulations, which require companies to consider where their data is being Data privacy 46% stored and processed. The full report may be downloaded at www. Hacking of accounts 44% crowdresearchpartners.com/port- folio_item/cloud-security. END Insecure interfaces/APIs 39%

External access and sharing data 33%

Percentage of Companies Storing These Data Types in the Cloud

CISCO® GLOBAL CLOUD INDEX Data Center Virtualization and hile security concerns dent, and 55% said they had not Cloud Computing over cloud adoption are had any cloud-related security is- Wthe greatest barrier to sues, the survey found. Growth adoption among businesses, a re- If the survey findings are any cent survey found that few have indication, respondents may be •• By 2019, 86% of workloads actually suffered a cloud-related confused about how secure the will be processed by cloud security incident. cloud really is. For example, 22% data centers; 14% will be The Cloud Security Spotlight of respondents said there was a processed by traditional data Report by Crowd Research Part- lower risk of breaches from the centers. ners surveyed 2,200 consultants, cloud compared to data hosted on •• Overall data center work- specialists, executives, IT, and premises servers, while 21% said loads will more than double other professionals across a variety the opposite, and 27% said they from 2014 to 2019; cloud of industries and found that more believed security for cloud and on- workloads will more than than half (53%) of respondents ex- premises storage was about the triple (3.3-fold) over the same pressed concern over the security of same. period. their data in the cloud, an increase Legal and regulatory compli- •• The workload density (that from 45% in 2015, Legaltech News ance concerns were also cited as a is, workloads per physical reported. barrier to cloud adoption by 42% server) for cloud data cen- Interestingly, however, when of respondents in 2016, up from ters was 5.1 in 2014; it will asked if they had suffered a cloud- 29% in 2015. The survey noted, grow to 8.4 by 2019. Tradi- related security incident, only 9% however, that “the rise in specific tional data centers’ workload said yes, while 36% could not dis- concerns about compliance and in- density was 2.0 in 2014 and close or did not know of any inci- tegration suggests that companies will grow to 3.2 by 2019.

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 17 FELLOWSFORUM

Integrated ECM Solutions: Where Records Managers, Knowledge Workers Converge

By using examples from Gartner’s 2015 “Magic Quadrant for Enterprise Content Manage- ment,” this article offers a brief introduction to three ECM systems, provides examples of integrated solutions used by knowledge workers, and discusses the contributions records managers can make to support business processes.

Patricia C. Franks, Ph.D., IGP, CRM, CA, FAI

here are numerous challenges to ensuring that and home; laptops, smart phones, and tablets; networked captured data is useful. As noted by former U.S. devices (i.e., the Internet of Things); digital copiers; remov- Magistrate Judge Ronald J. Hedges in a 2016 able media (e.g., disks, flash drives); and with third-party presentation, “The Positive Power of the Destruc- providers. Increasingly, content resides within an enter- tion of Data,” data is voluminous and distributed, prise content management (ECM) system – on premises, Tis fragile yet persistent, takes many forms, and is created in the cloud, or both – and is in continual use by knowledge and maintained in complex systems. workers, whose jobs primarily involve creating, distribut- Data can be found on personal computers at work ing, or applying knowledge.

18 JULY/AUGUST 2016 INFORMATIONMANAGEMENT The Need to Understand Content’s Value, Use By using examples from the Gartner report, this article Knowledge workers must understand the value of offers a brief introduction to three ECM systems, provides content to the organization and be able to handle it respon- examples of integrated solutions used by knowledge work- sibly regardless of their role within the information life ers, and discusses the contributions records managers can cycle – whether as creator, user, or manager. At the same make to support the business process. time, records managers must be able to provide access to the right content – regardless of its status as information Example 1: or record, its format, or its location – to the right person Social Media Solutions and ECM at the right time and in the right place. Microsoft is identified as a leader in Gartner’s “2015 The integration of an ECM system with other business Magic Quadrant for Enterprise Content Magic.” It has in- solutions establishes a point of convergence for knowledge corporated content management capabilities in SharePoint workers and records managers: for more than a decade. Although the capabilities of Share- 1. Having the ability to categorize content without refer- Point Online are not as complete as those of SharePoint ring to a records retention and disposition schedule On-premises, the cloud version best illustrates the point of allows knowledge workers to focus on their core busi- convergence for knowledge workers and records managers. ness function while complying with records management policies. 2. Understanding how the ECM system is being used The Office 365 Security enables records managers to design better rules and workflows to perform their tasks. and Compliance Center

ECM as the Basis for Integration allows the administrator to AIIM first defined ECM in 2000 and has expanded upon its description several times. Currently on AIIM’s add security and retention website, ECM is described as “the strategies, methods and tools used to capture, manage, store, preserve, and policies, search and deliver content and documents related to organizational processes.” investigate both content Anand Rao, in a 2007 white paper “Knowledge Man- agement using Enterprise Content Management System,” and audit logs, and wrote, “Content generated by the organization, once effectively tagged and stored for efficient retrieval, forms view reports. the knowledge bank of the organization.” This paper reinforces that ECM was not a new product Sharing Knowledge category, but an integrative force. Integration can take Office 365 and SharePoint Online comprise an easy- place between an ECM system and applications a ven- to-implement combination that can be used to create and dor already offers, creates specifically for the system, or manage content. Users can “like” a library document or acquires in order to differentiate its product from others add a “star” tool to indicate approval. They can use Yam- on the market. Integration also takes place between the mer, a private social network, to engage in conversations ECM and the products of other vendors. around projects and files. Gartner’s 2015 “Magic Quadrant for Enterprise Content Social features such as user profiles, blogs, wikis, and Management” ranked ECM vendors as leaders, visionaries, newsfeeds enable knowledge workers to communicate challengers, or niche players based on seven application and collaborate. The Ask Me About section of the user’s areas: profile provides a means to identify colleagues with specific 1. Document management expertise. Participation in community discussions can 2. Web content management result in points and badges to reward contributions and 3. Records management help build reputations. 4. Image-processing applications Knowledge workers can personalize content across Of- 5. Social content fice 365 from One Drive for Business, SharePoint Online, 6. Content workflow Exchange, Yammer, and more by using Office Delve as a 7. Extended components, including mobile applications, personal portal. When a document or board of interest is digital asset management, search, analytics, and found, it can be added to Delve as a favorite (see Figure packaged integration capabilities. 1 on page 20) so it can be returned to easily.

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 19 FELLOWSFORUM

Figure 1: Delve helps users discover information across Office 365.

Numerous apps are available for Office 365/SharePoint managing records in place provides control over content in Online to enable users to analyze and present data. When collaborative spaces. Documents such as wikis, blogs, web the ECM is integrated with web-based BlackCompass Vi- pages, and list items can be declared records while in use sualizer for SharePoint, for example, data can be presented to prevent deleting or editing. This can be accomplished as visual columns in lists and data points on maps. manually, through the use of a workflow, or according to the document’s retention period. Records can be managed Managing Records in Office 365/SharePoint Online across multiple sites, and automatic versioning of records SharePoint Online offers out-of-the-box records man- can be enabled. agement features. A dedicated records center site can be The Office 365 Security and Compliance Center allows created to serve as an archive, with documents copied to it the administrator to add security and retention policies, based on the retention policy. Records can be managed “in search and investigate both content and audit logs, and place” by declaring them records and applying security and view reports. SharePoint Online offers compliance with retention properties in their current location. Or a hybrid the Health Information Portability and Accountability Act approach can be taken. (HIPAA), the Federal Information Security Management If the records manager is responsible only for records, Act (FISMA), ISO/IEC 27001 Information technology – moving them to a records center is often the preferred op- Security techniques – Information security management tion. Metadata is used to manage records based on content systems – Requirements, the Family Educational Rights types, content organizers, and virtual folders. Hierarchi- and Privacy Act (FERPA), SSAE16, EU Model Clauses, cal file plans are used to manage retention and generate and U.S.-EU Safe Harbor framework out of the box. reports. Enterprise-wide taxonomies and content types SharePoint extenders provide additional features, such ensure consistency and context transfer between collabora- as case file management, event-based retention, and support tive spaces and the archive. for physical records management. Third-party extenders If records managers are responsible for all information, are available from Collabware, Gimmal, and Records365.

20 JULY/AUGUST 2016 INFORMATIONMANAGEMENT Example 2: E-mail messages, attachments, documents, and other Business Process assets can be dragged and dropped into a customer folder Management and Content Management in SAP-extended ECM without changing programs. Docu- OpenText is the second-largest ECM vendor in terms ments stored in SAP can be located using simple search of worldwide market share and is identified as a leader functions; for example, an invoice stored in SAP could be on the 2015 Magic Quadrant (Gartner, 2015). OpenText located by entering the invoice amount in Extended ECM. provides ECM solutions for cloud-based, hybrid, and on- premises deployments. The company’s focus on aggregat- The Records Management Perspective ing, managing, and sharing information to drive produc- The Open Text Extender for SAP Solutions adds data tivity illustrates a move from the view of document and and document archiving, imaging, document management, records management systems as a cost of doing business collaboration, U.S. Department of Defense 5015.2-certified to the realization that ECM systems can provide a means records management, and application-spanning virtual to improve productivity and control. views of related information to the SAP system. Improving the Business Process Through … because of the pre-defined Process-Centric Workspaces OpenText’s Cloud Accelerated ECM allows knowledge business workspaces and workers to manage content in the context of their business processes. The centralized repository uses a variety pre-built metadata, of devices to provide users with access to content when needed from almost any location. Rather than focusing classification of content is on documents or records, it focuses on the operational problems the organization faces by providing collaborative, transparent to knowledge process-centric workspaces with pre-built taxonomy, built- in metadata, and compliance capabilities. A knowledge workers and allows retention worker can set up a new business workspace to aggregate content and people. Information flows can automate the policies to be applied to creation, review, approval, publishing, and storage of content. related content. Transforming the Business Process: Open Text Extender for Records managers play a vital role in executing strat- SAP® Solutions egy, but because of the pre-defined business workspaces An alternative to working within the ECM environment and pre-built metadata, classification of content is trans- is the ability to access content stored within the ECM from parent to knowledge workers and allows retention policies within a business solution. The OpenText Extender for to be applied to related content. SAP Solutions integrates the ECM with the SAP Business Records managers create a file plan and manage reten- Suite to allow the knowledge worker to “access the right tion schedules without interfering with any department’s information at the right time in the right place.” The right line of business. Once the system is configured, users place in this case means while working within SAP. continue to carry out business activities while records The SAP Business Suite contains businesses processes managers control ultimate file indexing, archiving, and – including case management, vendor invoice management, disposition. and HR processes – that deal with large volumes of content in various formats that must be captured, managed, Example 3: preserved, and delivered to the user. Decision Making and Content Management A knowledge worker providing customer support, for Laserfiche is considered a niche player in the ECM example, could access the customer file to view both struc- arena. The majority of its customers come from the gov- tured and unstructured information about the customer’s ernment, financial services, higher education, and health past transactions. Documents like “contracts’” can be care. Laserfiche ECM solutions focus on document man- created using templates from within SAP. This solution agement, records management, imaging, and workflow connects unstructured content from within the ECM with applications. structured content within the SAP business process. The In addition to on-premises deployments, Laserfiche results are efficient customer service and increased em- offers public hybrid options and works with partners to ployee and customer satisfaction. offer dedicated (hosted) private cloud options. Laserfiche

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 21 FELLOWSFORUM

ECM has long provided packaged integrations to Sales- can be analyzed, shared via reports, and used to drive the force, SharePoint, and other applications. organization’s business strategy. Team members can see In 2015, it announced Laserfiche Connector to enable their own work and the activities of other team members in partners and developers to extend the functionality of the form of charts and graphs. Managers can gain insight Laserfiche with new actions that are context-specific. on workloads and staff performance to identify problems Laserfiche offers tools for information capture, mobile and take corrective action. Data can be overlaid on data access, integration, and analytics. from other sources, such as a city map.

The Records Management Perspective The reality is that both Laserfiche is a DoD 5015.2-certified records management application. As such, it provides automatic capture, paper and electronic transfer, storage, and disposition of new and legacy records; enables employees in different departments to records will be created as access records without navigating the master records structure; and automatically creates custom views of a normal part of daily records structures for auditors or compliance officers. Laserfiche applies retention and disposition schedules activities in some and rules to incoming records using metadata, creates record folders and moves documents into the appropri- organizations, resulting ate locations, sends document destruction notifications, enforces records management policies across all devices, in complex hybrid and generates reports to identify and locate records ready for disposition. record environments. The role of the records manager is a strategic one: to develop the policies and workflows that automate records Capturing Content management functions and are transparent to knowledge The reality is that both paper and electronic records workers so they can concentrate on their primary objective. will be created as a normal part of daily activities in some organizations, resulting in complex hybrid record environ- Integrated Solutions = Integrated Environment ments. Government services, for example, exist to support ECM systems have evolved from little more than docu- citizens in need of financial assistance, medical care, ment management systems to robust integration hubs. housing needs, child care, and more. Some client records Through the use of connectors provided by the ECM vendor are completed in physical form and must be scanned for or developed by others, ECM systems provide a means capture by the ECM. for knowledge workers to access unstructured content During the capture process, data can automatically residing in the ECM while remaining within the business be extracted from electronic, PDF, and scanned forms. application. Mobile apps for smart phones and tablets al- Photos can be uploaded from mobile devices and cameras low employees to conduct work while away from the office. directly into client files. Clients can submit information Records management functionality is present in most using e-forms with attached documents. Clients can sign ECM solutions, but the range of features varies widely. documents electronically to reduce processing time. Third-party solutions exist to extend records management functionality to meet governance and compliance Salesforce and Content Management standards. Salesforce is the world’s most popular customer rela- Integrated solutions provide an environment in which tionship management (CRM) solution. Most knowledge knowledge workers and records managers co-exist. Due workers spend their time in business applications like to the increased automation of records management func- Salesforce. But those applications don’t hold all of the tions within ECM systems and business applications, information the workers need. With Laserfiche’s Connec- records managers can assume a more strategic role by tor, Salesforce users have the ability to view associated developing policies, implementing controls, and select- and background information held in Laserfiche without ing tools for the governance of the organization’s digital leaving the primary application. Workers in Salesforce assets. END can scan documents into Laserfiche; metadata values are populated from the data in Salesforce. Patricia Franks, Ph.D., IGP, CRM, CA, FAI, can be contacted at Information stored in both Laserfiche and Salesforce [email protected]. See her bio on page 47.

22 JULY/AUGUST 2016 INFORMATIONMANAGEMENT NEW

Online with updated content Don’t miss these valuable articles featured in the newest Hot Topic:

•• Securing Confidential Customer Data and Gaining Content ClarityIsabell Berry •• Managing Legacy Data Through the Migration Process Soo Kang, IGP, CIPP/US •• In-House Elevated: Catching the Third Wave of E-Discovery Brad Harris •• Digital Preservation of Long-Term Records at the Associated Press Mike Quinn •• Bring Your Own Policy: How Corporations are Managing Mobile Devices for E-Discovery Kevin DeLong •• Information Governance: Don’t Move to the Cloud Without It Mark Daniel •• More Data Equal More Privacy Concerns: Is Your Organization Prepared to Handle Them Mark Daniel http://bit.ly/28LBEot Five Steps In-house Counsel Should Take to Mitigate Information Risk H. Kirke Snyder, J.D., IGP

In-house counsel need to collaborate with key information governance stakeholders to help resolve their sometimes-conflicting information management goals and ensure that the IG program has the executive support and resources needed for the organization to achieve its core mission while preventing or mitigating risks.

ecause of the risks associated with electronically Finally, business units, which are focused on data stored information (ESI), organizations need a accessibility and convenience, may utilize third-party strategic information governance (IG) frame- cloud data storage applications that put the organization’s work that addresses records and information information outside of the organization’s control, where it management (RIM), data privacy and security, may not be secure and cannot be managed properly – in Band e-discovery. If senior management fails to provide direct conflict with RIM, legal, and IT goals. the framework, each department’s perspectives will drive its data management goals. Their differing perspectives, though, can drive conflicting data management goals and can complicate or circumvent the organization’s ability to govern its information effectively.

Perspectives That Produce Conflicting Goals For example, the RIM perspective is driven by the records retention schedule, so one of its data management goals is to ensure that information is kept as long as – but no longer than – needed to meet legal/regulatory, fiscal, historical, and operational requirements. But, IT’s perspective is driven by the need to manage storage costs, so it may establish e-mail account volume limitations that lead to e-mail records being disposed of before their retention requirements have been met, in conflict with RIM’s goals. The legal department perspective is driven by the need to avoid judicial sanctions for spoliation, so it may issue broad legal holds that cause information that is not relevant to litigation or regulatory actions to be retained longer than it should be, in conflict with both RIM and IT’s goals.

24 JULY/AUGUST 2016 INFORMATIONMANAGEMENT This is why effective IG requires senior management due to lack of executive support for the RIM program to to collaborate with key stakeholders, hear all perspectives, be sufficiently staffed or funded. gain an understanding of how the organization should best manage its information to achieve its core mission while 5 Steps That Will Mitigate Information Risk preventing or mitigating risks, and to enlist executive While lawyers may hesitate to get involved in helping support for appropriate people and financial resources. resolve the issue of ungoverned information because they The chief legal counsel has a critical role to play in this. don’t feel trained or empowered to do so, they must roll up Because the American Bar Association’s Model Rule 1.1 their sleeves and step in – pre-litigation discovery. Once a requires lawyers to provide “competent” representation data breach has occurred or a legal hold of information that to clients – in this case their employing organization – should have been destroyed is in place, in-house counsel in-house counsel can’t afford to assume that IT and RIM will have to be involved, but at that point it’s too late to personnel will get all the legal intricacies right, given the save the organization from its poor housekeeping. Here potential legal and financial risks of unmanaged informa- are five actions they can take. tion. The insights and practical advice offered below could help legal counsel save their organizations millions in fees 1. Role Play a Rule 30(b)(6) Deposition and expenses. Rule 30(b)(6) of the Federal Rules of Civil Procedure (FRCP) and the corresponding state rules require an or- Trends That Stem from Flawed IG ganization faced with e-discovery to designate officers, Flawed IG is causing three disturbing trends that carry directors, managing agents, or other persons to testify significant legal and financial risk to corporate America, under oath as to matters known or reasonably available and in-house lawyers should not be sitting on the side- to the organization (e.g., information management and lines waiting for their number to be called. document retention). These 30(b)(6) depositions can be a nightmare for the unprepared. Growing Number of Data Breaches Don’t wait for the onset of litigation; identify the indi- The first trend is the theft of ESI. Data breaches oc- viduals who will be designated to testify for a deposition cur virtually every day (e.g., Sony, Target Corp., Home and play the role of a plaintiff lawyer by asking typical Rule Depot, JPMorgan Chase), with significant reputational 30(b)(6) questions about document management systems, and financial costs for organizations. According to the 2015 information management policies and procedures, and the “Cost of Data Breach Study: Global Analysis” conducted by data deletion process. This exercise will help prepare the Ponemon Institute and commissioned by IBM, the average “deposed” individuals and reveal a more accurate picture cost of a data breach incident was $3.8 million. of any RIM vulnerabilities. Counsel may find that many record types are not de- Rising Cost of E-Discovery stroyed according to policy and schedule, and that multiple The second trend is the rising cost of e-discovery, which copies of “records” are stored in the basement, offsite, directly affects an organization’s law department budget. on the shared network, in the e-mail application, within The 2012 report “Where the Money Goes: Understanding SharePoint sites, and on third-party cloud systems. Litigant Expenditures for Producing Electronic Discovery” by the Rand Corporation found that U.S. corporations 2. Challenge IT to Create a Data Map typically spend at least 70% of their litigation budgets on Under the FRCP, parties must cooperate to reveal ev- document review. erything about their ESI, including location, type, source, and format. In addition, litigators must come to the FRCP Exploding Volume of E-Records Rule 26 “Meet and Confer” with an understanding of the Part of the reason document review takes so much of nature, variety, and kinds of electronic storage media in- the budget is that it’s common for lawyers to sift through volved; how to retrieve data; the types of electronic data; documents and e-mail produced for discovery multiple the format in which the electronic data is stored; and the times. But this cost could and should be much lower, as the expense of collecting and preserving the data. In effect, vast majority of e-mail and documents collected, preserved, these requirements are tantamount to requiring the par- and reviewed is typically obsolete and should have been ties to produce a data map of their potentially relevant destroyed during the normal course of business in accor- information. dance with the organization’s records retention schedule. Without specialized technology, an IT department can Even when organizations have a formal written records exhaust significant resources creating a data map for a retention policy and retention schedules, they may not be single litigation. The map must consider listing the core fully implemented and are rarely audited, which may be records from important production systems and applica-

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 25 tions, along with data stored in the cloud, data from the •• Act upon a group of selected files (e.g., copy, move, computers of individual employees, data from applications delete) that are no longer in use, and even the contents of CD- •• Discover the department (or employee within the de- ROMs and backup tapes. partment) that created or owns the data Don’t wait for litigation to prompt learning about the •• Identify duplicate or near-duplicate documents and ability of IT and RIM to create a litigation data map. As move the final record copy to a secure location with the mock 30(b)(6) depositions, give the IT department Enterprise records management software provides a date range, a list of key employees, a description of topics manual or systematic storage and retrieval of documents and key words, a specific deadline, and an evaluation of its and e-mail with record value. It makes records widely work product. This preparation is not “busy work.” It will available at any location as a searchable repository for save the organization 10 times the investment. shared knowledge, compliance, and litigation support. Such To cost-effectively manage its data assets (both proactively and in response to a legal action), the organization must have the technology to easily identify, copy, move, protect, and destroy ESI throughout the enterprise. 3. Convince Senior Management of Resource Needs a central records repository for the important documents Armed with insights acquired from the mock Rule 30(b) will allow IT to apply an automatic document deletion (6) deposition and the data map exercise, counsel can begin schedule to non-record (transitory) data stored on shared convincing senior management that a legally defensible servers and e-mail. The records repository application will RIM program is not optional. Senior management must protect records from accidental deletion or modification understand that the improved RIM program may require and allow file-level audits, encryption, user access, and new computer hardware, software, and training. Special- version control. ized technology tools will help lock down records in a safe place and identify files with personal data for encryption 4. Revise the Records Retention Policy and Schedule or destruction. Many “for profit” business organizations in the United Too often, the RIM and IT departments lack the budget States have a records policy and retention schedule that are to acquire the very tools that could save the organization not enforced or audited. Many of the policies and schedules millions by mitigating the likelihood of a data breach or were written before the explosion of e-discovery, e-records, litigation e-discovery. To cost-effectively manage its data and e-mail. The modern records policy and retention sched- assets (both proactively and in response to a legal ac- ule must be updated with an emphasis on identifying and tion), the organization must have the technology to easily storing electronic records. Consider modifications in the identify, copy, move, protect, and destroy ESI throughout following areas. the enterprise. Format. Based on the sheer volume of e-mail, docu- One such tool is storage resource management software ments, and other ESI being generated every day, the orga- that “crawls” the storage objects to collect and store infor- nization’s policy must state that records will be maintained mation about those objects in an informational database. in electronic format only. The organization won’t eliminate The database could be searchable by metadata only (e.g., hard copy documents, but it will eliminate hard copy re- file type, creation date, size) or by the metadata and the cords. In the end, this key policy will also lower the cost full text of every stored file within the enterprise. of identifying, collecting, and reviewing materials related Such applications typically come from vendors selling to e-discovery. information security, litigation e-discovery, or network Storage Location. One of the greatest challenges will storage management applications. These applications can: be to distinguish records from non-records if both are stored •• Identify documents with personal information for dele- in the same application, drive, or folder. The new policy tion or encryption should specify that the official “record copy” of a document or •• Identify documents or e-mail with key words or con- e-mail will be stored within a centralized record repository cepts application, not in Outlook or on a shared network drive. •• Determine the age of the documents or e-mail (by the Ownership. The new policy should specify who iden- date created, received, or last edited) tifies the records. The legal department will know if a

26 JULY/AUGUST 2016 INFORMATIONMANAGEMENT particular document type should be saved only relative normal course of business, but it can create nightmares to its regulatory requirement. RIM won’t know which of for RIM and the e-discovery process. the various near-duplicates of a document is the official The legal department can directly reduce the risk by record copy. Only the business unit has the subject matter reviewing proposed or existing cloud contracts for red expertise to manage its own records. Therefore, the new flags and asking a few pointed questions to identify the policy should state that each business unit is responsible contracts for terms and conditions that need to be negoti- for its own records. ated or renegotiated, such as the following: Legal should assist business unit leaders by providing a •• The right to use data and metadata spreadsheet of minimum statutory and regulatory retention •• Ownership of data and copyrights requirements for their own department’s record categories. •• Physical location of stored data Each business unit leader should identify an experienced •• Changing of terms or assignments without consent The legal standard that will be used to judge the defensibility of the RIM program is “reasonableness.” It is not reasonable to issue a legal hold notice and not follow up on it. team member to help the organization’s records manager •• Notification of subpoenas finalize the department’s records retention schedule. •• Responsibility for e-discovery costs Mandatory Audit. The last but most critical compo- •• Destruction and auto-delete procedures nent to add to the new records retention policy is an audit •• Compliance and audit rights imperative. The legal standard that will be used to judge •• Data portability the defensibility of the RIM program is “reasonableness.” •• Procedures for security, business continuity, and di- It is not reasonable to issue a legal hold notice and not saster recovery follow up on it. The audit (or compliance) department will Counsel should ask about the nature of the data being propose an audit schedule and methodology to ensure that stored in the cloud and the philosophy concerning its stor- records and non-record information are being maintained age management. For example, ask if the documents are in accordance with the department’s retention schedule. to be managed as records or are they considered transitory Ultimately, the audit process will document that the or- data, with the final record version to be transferred and ganization’s RIM program is legally defensible. managed within the in-house records repository applica- In addition to revising the retention policy, the legal tion. Ask who will identify and preserve records as well department must re-think the logistics of the retention as turn off any auto-delete function in case of a legal hold. schedule. Most schedules are confusing because they have too many “retention buckets.” A schedule that counts on us- Involvement That Bucks the Trends ers to classify a document or e-mail based on a spreadsheet Organizations greatly benefit when inside counsel take of hundreds of document types is doomed. The answer is an IG leadership role. First, by using common-sense litiga- to simplify the classification process. tion preparedness exercises to gain valuable insights into For example, some documents and e-mail are important the strengths and weaknesses of the current IG processes enough to be saved forever. With little training, users can and protocols, counsel will not only satisfy ABA Model typically identify this type of document. Most e-mail and Rule 1.1 that requires lawyers to provide “competent” documents can be deleted within a few months. With just representation, the organization will emerge with a data one more bucket – say, one that specifies a 10-year reten- map and staff members that are prepared to be deposed tion – the simplified retention schedule would be easier about the RIM program. to understand and easier to audit. Each department must Second, by advocating to the organization’s executive train its own users with the retention rules and exceptions. leadership the importance of funding the required resources for IG, litigation e-discovery costs can be reduced or avoided 5. Modify Storage Vendor Contracts because the volume of stored data will be diminished. END Many organizations are utilizing a third-party file host- ing service with cloud storage for file synchronization and H. Kirke Snyder, J.D., IGP, can be contacted at kirkesnyder@gmail. data sharing. Cloud storage can be cost effective during the com. See his bio on page 47.

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 27 NOW SHOWING WEB SEMINARS

What’s Your Type?

Management Skill Level Core Skill Series IGgenius Level Series Series

Government Strategic Symposium Skill Level Series Series

Regardless of how you define yourself, there’s a web seminar series for you! Visit the ARMA Bookstore to catch up on what you missed at ARMA Live! Conference 2015. Reg: $479 Pro: $349

View online now!

www.arma.org/bookstore Click on “Web Seminars” or search for ARMA 2015 28 JULY/AUGUST 2016 INFORMATIONMANAGEMENT Minimizing the Use of Trigger Events to Increase Records Retention Compliance

It can be difficult to comply with records retention requirements that are based on trigger events, so many organizations are seeking to replace them with straight retention time periods. This article outlines approaches for doing this for six trigger events that are commonly used in retention schedules.

Tom Corey, J.D., CRM

hen records manage- for the disposition of that record be- Today, employees create most re- ment primarily ad- gins. People kept files, and when they cords electronically, storing and sav- dressed paper records, completed a project or a contract ending official records and non-record it was manageable to ed – which triggered the retention information in multiple locations, comply with retention period to begin – they evaluated the including on hard drives, flash drives, Wperiods that included event codes, or records, removed what they did not shared drives, laptops, personal de- trigger events, which are requirements need, kept what they needed, and vices, tablets, e-mail accounts, and the that must be fulfilled before the time cleared up space for future records. cloud. In this electronic environment,

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 29 using trigger events in a retention monly used in retention schedules. By tion chooses to keep an insurance schedule is much more difficult for following these approaches, a records contract for 10 years after expiration, organizations to manage. manager can create a schedule that it should just assign it an 11-year For example, if the trigger event restricts trigger events to those that retention period. The organization for a record is “termination of employ- are necessary, allowing an ERMS to will have the same result – and it will ment plus three years,” the employee work more efficiently and the organi- be able to manage the disposition of must have been terminated before zation to be in better compliance with that record in its system. the calculation of three years begins. its retention requirements. Final Resolution While some conflicts result in If the performance of a contract is lengthy litigation, most are resolved, or the parties agree to disagree, with- completed within a year, the records in a short period. “Final resolution” as a trigger event for these types of retention schedule … should merely records is inefficient because it is difficult to determine when a conflict is state the number of years to retain actually resolved unless it is settled by a third party, such as a court, me- that contract and the information diator, or arbitrator. Second, this trigger is unnecessary related to it. because the record retention issue can Then, someone must notify the person Expiration of Contract be resolved by adding a reasonable responsible for managing that record The most common trigger event amount of time for the resolution to about the termination to ensure that in a records retention schedule is “ex- the retention period. For example, if the retention clock starts ticking, piration of contract,” and too often it the desired retention period is three wherever that official record lives. is used unnecessarily for what are years after resolution, simply add This is actually an easy example essentially transactional contracts, two years and make it a five-year re- because most organizations can put such as purchase agreements, ship- tention period. This approach works a date on when an employee leaves. ping contracts, and short-term ser- well for customer service call center But, when does a contract expire or vice projects. records or records addressing employ- is a policy superseded? If the performance of a contract is ees’ minor complaints. Some organizations’ electronic re- completed within a year, the records This approach does not necessarily cords management systems (ERMS) retention schedule should not use apply to litigated matters, which must efficiently address trigger events, “expiration of contract” as a trigger be retained through final resolution. while others struggle to create clear event. The schedule should merely But that is manageable because “final rules for handling trigger events. If state the number of years to retain resolution” has a clearly defined date. the organization struggles with this, that contract and the information an ERMS will not provide the solu- related to it. Protection Period tion, proper disposition of the records Some contracts do require longer Many schedules use “protection will not occur, and the organization durations to perform, such as financ- period” as a trigger event for intel- will have compliance issues. ing, long-term leases, or construction lectual property. For the most part, To resolve this, many organiza- contracts. A trigger event may be patents have a set protection period tions are seeking ways to eliminate necessary in those cases, but these of 20 years under 35 U.S.C. § 154, retention times based on trigger would then be a separate category and most countries also use 20 years events and are using instead straight in a schedule. as their standard. retention time periods, in which the There is also no reason an insur- Therefore, instead of using the time for calculating the disposition of ance contract should contain “expira- trigger event, the organization – even a record begins at its creation. tion of contract” as a trigger event. if it is global – can simply add 20 Insurance companies limit the dura- years to the desired protection period. Trigger Events to Be Minimized tion of their contracts, typically to one So, for example, an organization that The following sections outline ap- year, so they can review and adjust wants to keep patent records for 30 proaches for eliminating or minimiz- their risk frequently and regularly. years after the protection period ex- ing six trigger events that are com- This means that if an organiza- pires can use the 20-year standard for

30 JULY/AUGUST 2016 INFORMATIONMANAGEMENT the protection period and make the Superseded Straight Time Benefits retention period a straight 50 years. For many organizational policies Taking this approach offers records The same can be done with copy- and plans, the retention schedule managers an opportunity to minimize right protection by adding 95 years uses “until superseded” or “after the use of trigger events in their re- to the desired retention period after superseded” as a trigger event. If a cords retention schedules, but it will the protection period (see 17 U.S.C. § policy or plan has an indeterminate not eliminate trigger events entirely. 302). For example, if the organization or long life, that may be necessary. In some cases, trigger events are nec- wants to retain its copyrighted mate- But many plans and policies are up- essary or are the easiest way to man- rial for five years after the copyright dated regularly. Each revision and age retention – for example, for annual protection period, it can simply make update creates a new policy or plan. reviews, contracts with long perfor- the retention period 100 years. (This For example, organizations may mance periods, final resolution of liti- approach does have limitations with update compliance programs annu- gation, life of property or equipment, trademarks, which can be renewed. ally to ensure that they comply with life of plan for pensions, superseded See 15 U.S.C. § 1058 and 15 U.S.C. the latest regulations and case law. policies with indefinite durations, and § 1059.) Yet, they use “superseded” (instead of termination of employment. one year) plus the desired retention Where it is possible, minimizing Life of Product time for these company plans and the use of trigger events in records Manufacturing categories often policies in their retention schedules. retention schedules by deferring to a refer to “life of product” for quality The same applies to non-pension straight retention time for most of its and engineering files.Life of product, benefit plans and policies. If these are records will allow an organization’s or model life, is commonly considered updated annually, the schedule could ERMS to more effectively handle to be the estimated duration of a prod- delete the term “superseded” and add the disposition of electronic records uct from the moment of its entry into one year to the desired retention time and greatly increase compliance with the market until its withdrawal. since the revised and updated policies retention requirements. Compliance In most cases, a manufacturer can are essentially new records. with retention requirements will en- predict this duration. For the purpose of records management, the organization must define the life of product …minimizing the use of trigger because employees will otherwise apply inconsistent durations or will events in records retention never dispose of the records. To determine a standard product schedules by deferring to a straight life, an organization’s records manager should work with its engineers retention time for most of its to understand the product’s reasonable life expectations and with legal records will allow an organization’s counsel to ensure it complies with any product life standards established ERMS to more effectively handle through regulations or liability considerations. Once an organization the disposition of electronic records. establishes a product life, it can use that product life, plus any additional Project Completion sure regulatory observance, reduce time it requires, and have a straight Many records are tied to projects, discovery costs, make records easier to retention time instead of one based and many retention schedules reflect find, and mitigate the risk of security on a “life of product” trigger event. these records by using “project com- breaches. Minimizing the use of event People sometimes cite examples pletion” as the trigger event. But are codes on the retention schedule is a of products that have outlived such these projects so long in duration that tool to achieve those benefits and al- predictions, but for the purposes of they actually need this trigger event? low the retention schedule to function records retention, the goal is to have If the project is normally completed properly. END a standard that’s based on reasonable within a year, or even two years, it expectations of the product life, not a would be easier to add that time to the Tom Corey, J.D., CRM, can be contacted guarantee that the product will never desired retention period and elimi- at [email protected]. See his bio on exceed that duration. nate the trigger. page 47.

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 31 TECHTRENDS

Software Updates May Be Compromising Your IG John Phillips, CRM, CDIA, FAI

nformation governance (IG) can- users just trust that Microsoft, Apple, offered an opportunity (through July not be thoroughly implemented in Google, and other vendors will not 29) to upgrade their current systems an organization that is operating release anything that will negatively to Windows 10 for free. This update, uncontrolled technology systems affect their systems. though, comes with intrusive data- I gathering demands, and it should and data repositories. Even when Another issue is that even though employees, contractors, and business downloading the latest innovations in generate concerns about reliability partners work diligently toward con- software releases and updates typi- and compatibility with a user’s cur- sistent IG practices, external forces cally requires users to click through rent software configurations. – namely, updates to cloud-based or a software license “acceptance,” they resident software on laptops, cell- are rarely read or understood. Spontaneous Downloading phones, and other digital business Organizations that allow end us- An additional concern is that the devices – can modify internal IT op- ers to download software and soft- Windows 10 operating system ap- erational activities in ways that vio- ware updates in this manner may face pears to already have been down- late compliance with IG expectations. grave consequences with respect to loaded to some computers sponta- This happens, in part, because software operations, privacy, security, neously without users initiating a vendors encourage technology users and compliance with IG mandates. request for it! As first announced to enable background, automated on the INQUIRER website in Sep- downloading of updates to software Using Windows 10 as tember 2015, some computer users to ensure that virus protection, hard- an Example who enabled automatic downloads of ware drivers, and bug patches are A good example of the ubiquitous Microsoft updates may have down- implemented. Unfortunately, because nature of software updates is Micro- loaded update KB3035583, which software updates are so frequent and soft’s Windows 10 operating system. automatically adds to the computer often seem minor, most non-technical Users of Windows 7 and 8 have been a hidden directory with up to 6 GB

32 JULY/AUGUST 2016 INFORMATIONMANAGEMENT of files comprising the components to receive updates that are intended and worldwide, use, save, record, necessary for Windows 10. for Windows 10 systems. Thus, users reproduce, transmit, display, com- Allegedly done to speed up the running Windows 7 or 8 may find municate (and on HealthVault de- eventual installation process, accord- themselves subject to many of the lete) Your Content. ing to media reports, the premature same intrusive functions associated 3. “To the extent necessary to pro- downloads were exposed when it with Windows 10, though they would vide the Services to you and oth- caused some users to momentarily prefer to avoid these functions. ers (which may include changing exceed their data volume allocation By imposing updates on users the size, shape or format of Your with their communications networks. without their knowledge or consent, Content to better store or display Although there is a way to delete Microsoft is damaging the trust that it for you), to protect you and the these files, it is not for the technologi- may exist between the company and Services and to improve Microsoft cally faint of heart. its customers. products and services, you grant

Effects Not Transparent Of more concern, Microsoft at the … users running Windows 7 or 8 time provided little information on how Windows 10 affected privacy may find themselves subject to and security, simply stating, “This update includes improvements to en- many of the same intrusive func- hance the functionality of Windows 10.” A user’s only reliable way to tions associated with Windows 10, determine the effects of the updates was to match the update numbers though they would prefer to avoid with information on the Microsoft Knowledge Base. these functions. Whereas in the past it was usu- Microsoft a worldwide and royalty ally possible to discern how an up- Troubling Service Agreement free intellectual property license date would alter functionality, it is In light of the many organiza- to use Your Content, for example, now more difficult to know what to tions that have been unable to pro- to make copies of, retain, transmit, expect. It is even more concerning tect the data they collect, customers reformat, distribute via commu- that updates are cumulative; every are increasingly concerned about how nication tools and display Your updated feature is expected to be Microsoft, Google, and other major Content on the Services.” updated again each time an update software vendors will respond to gov- It’s important to know that the is issued. Not installing any particu- ernment requests for private infor- content of the services agreement lar update could make a computer mation. Such concerns are perhaps may be changed without notice. In unstable. justified by statements found in the new Microsoft Services Agreement. addition, few people read these agreements because they are typically long Windows 7, 8 Invasion This agreement, which can be read and filled with “legalese” that would In fact, many of the functions that in full at https://www.microsoft. require consultation with professional are new to Windows 10 are also being com/en-gb/servicesagreement/ legal counsel. If printed, this Micro- applied retroactively to any Windows default.aspx, contains these trou- soft agreement would be more than 7 or 8 systems, which could impact bling statements that could impact an 100 pages long. Though most people IG compliance for systems running organization’s IG policy compliance don’t understand what they are sign- older software as well. expectations: ing when they accept an agreement, For instance, Windows 7 and 8 1. “By using the Services or agree- such “agreements” are generally sup- updates KB3075249 and KB3080149 ing to these Terms, you consent ported by the courts, which does not operationally deliver data to Micro- to Microsoft’s collection, use and leave an organization using a Micro- soft servers without any required disclosure of Your Content and soft product much leeway in config- user interaction. The first update Data as described in the Privacy uring a software system that avoids adds features that enable remote Statements. intrusive components. monitoring of operating system activ- 2. “When you share Your Content ities, and the second update enables with other people, you expressly Private Data Exposed older versions of operating systems agree that anyone you’ve shared Your Content with may for free Microsoft’s perspective toward

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 33 TECHTRENDS

protection. For example, users must Read More About It slog through 13 screens to decline participation in many of Microsoft’s Bott, Ed. “How to block Windows 10 upgrades.” ZDnet, 28 April, 2016. Available ongoing attempts to gather data. By at www.zdnet.com/article/how-to-block-windows-10-upgrades-on-your-busi- taking these steps, users can turn off ness-network-and-at-home-too/?ftag=TRE5369823. anything that seems concerning, but they may want to be careful about Meer, Alec. “Windows 10 Is Spying On You: Here’s How to Stop It.” Rock, Paper, accidentally turning off their access Shotgun, 30 July, 2015. Available at www.rockpapershotgun.com/2015/07/30/ to data they access frequently, such windows-10-privacy-settings. as calendars, while doing so. Among the other concerns is con- Merriman, Chris. “Windows 10 ‘updategate’: Microsoft stays tightlipped as the tinued surveillance from the cam- world rages.” The Inquirer, 15 September, 2015. Available at www.theinquirer.net/ era, microphone, speech, contacts, inquirer/analysis/2425886/windows-10-updategate-microsoft-stays-tightlipped-as- calendar, and messaging functions, the-world-rages. including Cortana, Microsoft’s speech-recognition function, which Microsoft End User Licensing Agreement. Available at https://www.microsoft. constantly “listens” for reasons to ini- com/en-gb/servicesagreement/default.aspx. tiate Microsoft’s Bing search engine to answer questions. Realistically, Microsoft Privacy Policy. Available at https://privacy.microsoft.com/en-us/priva- the act of opting out of any of these cystatement. functions is best performed by well- trained IT staff. Williams, Chris. “How to get a grip on your files, data that Windows 10 phones Much of this intrusive data gath- home to Microsoft.” The Register, 24 February, 2016. Available at www.thereg- ering is done so Microsoft can sell to ister.co.uk/2016/02/24/windows_10_telemetry. advertisers the ability to use more in- dividually targeted advertising. Some people like targeted advertising, but its customers’ privacy can be seen ing your content (such as the con- that does not mean the advertising in its privacy policy at https:// tent of your emails in Outlook. a user sees is always appropriate for privacy.microsoft.com/en-us/ com, or files in private folders on the moment when the ad pops up. privacystatement. It starts out by OneDrive), when we have a good For example, an employee might be saying “Your privacy is important to faith belief that doing so is neces- looking at ads for vacations in Ber- us. This privacy statement explains sary ….” muda while at her desk during lunch. what personal data we collect from Microsoft, like many corporations, Later, the ads might pop up on her you and how we use it.” It then makes mines user data by engaging in what screen at inopportune moments, such the following statements (see these some privacy experts call “spying.” as when her supervisor is in her office and others at the “Learn More” link It does so without making it clear for a visit. under the Microsoft privacy policy about what is taking place, relying section “Personal Data We Collect”): heavily on abstractions like “…when Reducing Impacts on 1. “We collect data about your in- we have a good faith belief that doing IG Compliance terests and favorites, such as the so is necessary.” Consequently, the The fundamental problem with team you follow in a sports app, murky nature of concepts like data Windows 10 and any other com- the stocks you track in a finance ownership and protection makes it mercially produced software is that app, or the favorite cities you add more likely that an organization’s users do not own the software and to a weather app. IG policies are being compromised, therefore must accept prescribed li- 2. “We collect data about your con- especially if that mined data crosses censing agreements. To refuse the tacts and relationships if you international boundaries. agreement could impair their busi- use a Microsoft service to man- ness processes, as migrating data age contacts, or to communicate Escaping Windows 10 to other software environments is or interact with other people or Surveillance costly, time-consuming, and can bring organizations. Opting out of many privacy- other unforeseen risks. Sometimes 3. “We will access, disclose and invading Windows 10 functions re- data migration results in a loss of preserve personal data, includ- quires effort and dedication to self- software support for critical business

34 JULY/AUGUST 2016 INFORMATIONMANAGEMENT components or an actual data loss. The practice of slowly retiring older applications or operating sys- Your Connection to RIM & IG Products and Services tems is nearing an end. For instance, though there are still some users of the Windows XP operating system and older Office suite applications, BUYER’S GUIDE ONLINE! Microsoft has ended support and maintenance for those versions. And, it may be impossible over time to continue using older systems if users are connected to the Internet and updates that interfere with the software operation are involuntarily downloaded. This means that ensuring compliance with IG guidelines is becoming even more challenging because IT staff will have to know all of the currently used technologies and how any updates will affect their operation. Users of today’s software systems can expect their communications content, travel agendas, business plans, and office location information to be increasingly subjected to data exchange during software updates in order for the vendor to ensure effective operation. For this reason, it is ideal to have IG-knowledgeable IT personnel monitor or manage all common software updates. It may be best to offer updates downloadable from a centrally coordinated IT server that monitors all devices to gauge how the updates affect the software configurations with respect to IG policy compliance. The most globally effective IG/IT approach to new technology threats will be to enforce a policy that all The 2017-2017 Buyer’s Guide for Records Management and software users must have permission Information Governance Professionals is the place to start from IT before installing any updates. To make this easier on users and to for software solutions, records centers, archiving supplies, have the least impact on IT staff, and more! ARMA International’s online listing of solution organizations could post for download on an accessible website those providers puts the power of purchasing at your fingertips! upgrades known to pose no dangers to IG policy implementation. END www.arma.org/buyersguide

John T. Phillips, CRM, CDIA, FAI, can be Want to advertise in the online Buyer’s Guide? contacted at john@infotechdecisions. Contact Jennifer Millett at [email protected] today! com. See his bio on page 47.

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 35 MANAGEMENTWISE

3 Keys to Managing Change for a Successful RIM Program Implementation Melissa G. Dederer, IGP, CRM, and Aaron Swan

hether implementing a new program, software application, or process, or Wsimply modifying something that is already in place, it is the execution of the change management process that will determine whether users adopt the change and the initiative can succeed. But, it can be a daunting task to get all those who will be affected by the change to understand how it will benefit them – from the C-level all the way down to the entry level and including contractors and third-party service providers. This article discusses the three change management elements necessary for the successful implementation of a records and information management (RIM) program: 1. Ensuring that the power employees, who are the owners, executives, and managers, understand and buy into the need for the program 2. Engaging and addressing the concerns of knowledge workers, who are those whose jobs primarily involve creating, distributing, or applying knowledge, according to the knowledge management expert Thomas H. Davenport 3. Respecting the inevitability of natural human behavior

Selling Change to Power Employees RIM professionals understand that there is a real risk to not implementing a RIM program, as minimizing risk is at the core of what they do. Yet, power employees often fail to see the risk and, consequently, to recognize the value such a program

36 JULY/AUGUST 2016 INFORMATIONMANAGEMENT provides. Getting them to fully com- prehend how a good RIM program User adoption can best result when mitigates risks, avoids costs, and provides other benefits to the orga- the power employees’ actions show nization is the first key element in ensuring user adoption of the program. they are not only supporting the Conduct an Analysis RIM program but that they also are Helping power employees understand the real risks of not having a allocating proper resources to it. RIM program may be as simple as explaining that there are rules and real adoption relies on getting the For example, knowledge workers regulations requiring the organiza- end user – the knowledge worker – to that have years of experience may tion to properly manage its informa- buy in. User adoption can best result be protective of the information they tion. But it can go even further. A when the power employees’ actions have. Though they may not say this strategic analysis, for example, can show they are not only supporting is the cause of their resistance, if they expose the shortcomings in a current the RIM program but that they also refuse to share or document the pro- RIM program. Recommendations on are allocating proper resources to it. cesses that are in their heads, it may how to correct those shortcomings can be. Without resolving this issue, the lead to a more optimal state. Selling Change to success of the change itself will be in ARMA International’s Generally Knowledge Workers jeopardy and their knowledge may Accepted Recordkeeping Principles® Knowledge workers get their cues be lost. (Principles) provide a good place to from the power employees, but if the start that analysis. The Principles knowledge workers do not completely Get Them Involved are derived from RIM and informa- buy into the change, the program It is vital to engage the knowledge tion governance best practices and will not work. workers early in the process because international standards. To evalu- their involvement will give them a ate a program against the Principles, Discover Their Perspective stake in the initiative’s success and use the ARMA-developed Next Level Understanding the knowledge help turn them into advocates. More Information Governance Assessment workers’ perspective about the importantly, they may be able to im- tool, which provides a risk-level map- change can enhance efforts to get prove and expedite the change initia- ping for each Principle. The assess- their adoption. Investigate to learn tive if they’re invited to take part and ment can provide valuable insights how they feel about the new program, have an investment in its success. as to what an organization is doing system, or process that touches their For example, a leading global in- well and where it needs improvement, world. For example, if they believe vestment firm had the following chal- allowing users to address deficiencies the new program will require them to lenge. Because of localized processes and thereby minimize risk. spend additional time on the change, and rogue software tools, data was With numerical, color-coded rat- giving them less time to fulfill what floating around outside the system, ings for the organization’s maturity they believe are their more important in such places as Excel documents level for each Principle, it presents responsibilities, they may be resis- and on employee desktops. The risk easily grasped, compelling results tant to the change. Knowledge work- was that over time this data could that help power employees see at a ers need to understand and believe become inaccurate, outdated, and glance that there is a real risk in not that the program will make their lost – potentially compromising cli- having a proper program in place, work less cumbersome, not more. ent transactions and resulting in fines as well as understand the benefits of and suspended licenses due to regula- having a proper program. Listen to Understand Their Concerns tory non-compliance. Knowledge workers need to have After partnering with a design Take the Next Step a voice and believe it is truly being research firm, the organization de- Surprisingly, many organiza- heard, appreciated, and consid- ployed design research teams to their tions stop at this crucial point and ered. Seek to understand what the offices worldwide to evaluate back-of- presume user adoption will be the employees are actually saying – be- fice processes, understand variability easy outcome of having gotten the yond their words – to get to the root across locations, and uncover hidden power employees to the table. But of any resistance. risks. Insights from this research led

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 37 MANAGEMENTWISE

Process

Figure 1 – Source: Electronic Ink; pictorial view of the “before” and “after” processes

the design team to create a secure, mentation of a RIM program is to skill and integrating it with process global application with a customiz- understand human behavior. Do not improvements, organizations can real- able user interface to accommodate design or invest in the process without ize tremendous results. the specific needs of each office. The understanding the culture and hu- new application provided greater con- man behavior of those it will affect. Concluding with a sistency, accuracy, and information For example, knowledge workers Successful Change security across the enterprise. may circumvent a process because it Although the word “change” has a The solution used a single, repeat- causes redundancies and bottlenecks negative connotation for many people, able process that eliminated the need that frustrate them. Even though it is possible to implement change for 11 duplicative applications. It their “workarounds” might waste positively. It begins with ensuring automatically and intelligently de- time and resources, negatively af- that power employees realize the need livered necessary information in the fect customer service, and increase for and benefits of the change. It pro- right format, to the right person, at risk, they continue the workarounds gresses by including knowledge work- the right time. The system eliminated because they naturally want to get ers in discussions about the change, rogue application data, and it reduced their work done in the ways that suit listening “between their words” to maintenance and training, databases them best. Without understanding understand their perspective, and and server requirements, and work- this natural human instinct, an or- demonstrating that their concerns flow steps by 66% (See Figure 1). ganization may continue to design are heard and considered. And, it All of these achievements were unrealistic processes. concludes successfully with a well- the result of a deep appreciation and A clear, unbiased view of the peo- designed solution that addresses their respect for the knowledge workers, ple who will use a system or process concerns and takes into consideration their individual roles, and their con- is critical. Many companies now re- the natural human behavior of those tribution towards a grander solution. alize that this key skillset has been who will be affected by it. missing and are looking for ways to Taking into Account develop it or are getting it by partner- Melissa G. Dederer, IGP, CRM, can be con- Human Behavior ing with groups that specialize in hu- tacted at [email protected]. Aaron The third element of a success- man behaviors and user experience. Swan can be contacted at absswanii@ ful change initiative for the imple- By leveraging this highly specialized gmail.com. See their bios on page 47.

38 JULY/AUGUST 2016 INFORMATIONMANAGEMENT IS INFOR MATION YOUR ALLY OR YOUR ENEMY?

or ne ata olng te ear. An all t ne ata an eter el o or rt o. Fn ot at t ong or or oman t te Next evel Inormaton Governane Aement. oll over area o trengt an oortnte or mrovement. In te en o ll e emoere to nreae organatonal tranaren an ata ntegrt le ereang r.

Start turning information into an asset by visiting arma.org/nextlevel

IM JULY15.indd 19 6/19/15 9:17 AM 50THYEAR

– Records Management Glossary from the “first of its 50, 25, 10 Years kind” ARMA correspondence course developed by William Benedon.(See excerpt on page 42.) •• Charles Macbeth reviewed the following books: The Looking Back... Effective Executive by Peter F. Drucker, The Busi- ness Executive in a Changing World by William N. Mitchell, Technical Information Center Administra- tion edited by Arthur W. Elias, and Management Uses of the Computer by Irving I. Solomon and Laurence O. Weingart.

Advertising The first advertisers to appear inRMQ were: •• Kodak – “What’s new in microforms? Come to Kodak.” •• Remington Rand Office Systems (Division of Sperry Rand Corporation) – “Now… a one-stop source for all your Records Retrieval Micro-System needs!”

Twin City Chapter Conference, July 1967 April 1967. Records Management Quarterly Association News •• ARMA chapters have been formed in Pittsburgh and Orlando (Central Florida). •• ARMA exhibited at the National Microfilm Associa- tion Conference in Orlando. The booth was staffed by ARMA President Eunice Thompson, as well as Bill Benedon, Bruce Mowry, and Louise Merritt of the Greater Los Angeles chapter and Bruce Carswell from New Jersey. John T. Phillips (1992) also wrote Articles July1992 an article for this issue of IM. •• “Microfilm as a Management Tool,” by Richard E. Wolff Records Management Quarterly •• “Microfilm at North American Aviation – LAD,” by Association News Mark Keith •• “Microfilm in an Uncertain World,” by Genealogical So- •• The president of ARMA International is Patricia ciety of the Church of Jesus Christ of Latter-day Saints Dixon, CRM. •• “The Computer Programmer – A Helpmate to the Re- •• Others newly elected officers to the ARMA Board of cords Manager,” by Phyllis Lorek Directors are James Allin Spokes, president-elect, and •• “Paperwork: A Twentieth Century Dilemma,” by Bruce Michael P. Flanagan, secretary/treasurer. C. Harding •• “People and Records,” by Dr. Irene Place Articles •• Special features in this issue: •• “A New Look at Information Systems and Records – ARMA’s 12th Annual Conference program for Oct. Management,” by Guy H. Thomas and Dr. Mark 24-27 at the Roosevelt Hotel in New York. The reg- Langemo, CRM istration fee for the entire conference, including •• “The Value of Enhanced Service in Cost Justification,” luncheons and banquet, is $90 for members and by Ron Lacharité $100 for non-members ($10 of which goes to the •• “The Use of Transportation Methods to Achieve Effi- ARMA membership fee) ciencies in Data Placement,” by Robert H. Fireworker,

40 JULY/AUGUST 2016 INFORMATIONMANAGEMENT Ph.D, and Patrick Geier •• Records Improvement Institute – “IN-HOUSE WORK- •• “An Automated Solution to the Superfund Documenta- SHOPS” tion Problem,” by Sandra J. York, CRM •• Redweld – “Redweld Recycled Products…State Your •• “A PR Plan for Records Managers,” by Juanita M. Case.” Skillman, CRM •• TAB Products Co. – “Barcodes to control and manage •• Kenneth V. Hayes reviewed Personal Computer Sys- your sensitive documents” tems for Automated Document Storage and Retrieval •• Triadd Software Corporation – “ALL RECORDS by William Saffady, Desktop Image Scanners and MANAGEMENT SOFTWARE WAS NOT CREATED Scanning by Fred U. Wetzler, and All About Micro- EQUAL” graphics by Don Avedon and Rodd Exelbert.

Advertising •• Acorn Information Systems – “You LIE Like A Dog!?! If You Think We Are Lying When We Say RETRIEV- ER™ Is A FULL FEATURED Personal Computer Records Management System, And Sells For Only $595… Then Order The Demonstration System For Only $10 With The Above Coupon, And We Will Prove… RETRIEVER’s™ Bark Is As Strong As Its Bite!” •• Ames Color-File – “SQUEEZED FOR FILING SPACE?” •• Association of Commercial Records Centers – “How to get your records at midnight.” •• Assured Information Systems, Inc. – “Records Man- agement Software” •• Automated Records Management Systems – “Our cli- Access Sciences has been a long-time supporter. ents know a lot about records management.” April 2007 •• Borroughs, a Lear Siegler Company – “Record Hold- ers” The Information •• CASS – “SOFTWARE To Do: ∙ BOX TRACKING ∙ Management Journal FILE TRACKING ∙ DRAWING MANAGEMENT” •• Chase Technologies, Inc. – FAST-PACED SOLU- Association News TIONS FOR A FAST-PACED WORLD: CHASE •• The association is promoting the “Risk Profiler Self- TECHNOLOGIES, INC. Assessment” and the DVD training program “Keeping •• Commonwealth Films Inc. – “Buried Alive: The Criti- Good Company.” cally Acclaimed Document Retention/Records Man- •• ARMA International’s Standards and Best Practices agement Video.” Program has published The Digital Records Con- •• DSC Data Storage Centers – “OFFSITE STORAGE version Process: Program Planning, Requirements, WITH ONSITE CONTROL” Procedures (ANSI/ARMA 16-2007) and Guideline for •• Engineered Data Products – “The Filing Solution” Evaluating Offsite Records Storage Facilities. •• GBS Filing Systems (formerly VRE Inc.) – “ASK OUR ORGANIZATION TO TAKE OVER YOUR OFFICE” Articles •• Information Requirements Clearinghouse – “Protect •• “Blogs, Mashups, and Wikis – Oh, My!,” by Bruce W. Your Organization…Comply with the Laws Affecting Dearstyne, Ph.D. Your Records!” •• “Does Your RIM Program Need a Strategic Align- •• InfoTRAX – Increase Efficiency, Accuracy, and Pro- ment?,” by Alan A. Andolsen, CMC, CRM ductivity with InfoTRAX – The Records Management •• “Eight Tips for Working with a Consultant,” by Julie System for the 90s” Gable, CRM, CDIA, FAI •• Iron Mountain – THE IRON MOUNTAIN SYSTEM: •• “RIM Marketing Made Simple,” by Laurie Carpenter, YOUR RECORDS MANAGEMENT SOLUTION CRM •• Olsten Records Management Services – “Convert it. •• “Evidence Management Solutions for Mitigating Maintain it. Destroy it.” E-Records Risks,” by Rob Peglar

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 41 50THYEAR

•• Archiving Websites: A Practical Guide for Information Management Professionals was reviewed by Anselm Records Management Glossary Huelsbergen, CA July 1967 Advertising ARMA’s first glossary, which was part of its first •• Access Sciences – “Data Warehousing. Global Informa- records management correspondence course, tion Strategy. ComplianceKnowledge Management, included terms that are no longer familiar to most Records Management, Audit and Legal Support. Docu- records management professionals. Even a few of the ment Management. Access Sciences…Connecting the subject areas represented by the terms (and noted in Dots” parentheses after each term) may be unfamiliar: •• AIIM – “ready. aiim. learn. Learn how to implement electronic records management (ERM).” CFM – Correspondence and Files Management; •• Allegheny Paper Shredders – “SelecShred Adjustable FM – Forms Management; GRM – General Records Screen. Double your security at the touch of a button!” Management; M – Microfilm Systems; RC – Records •• Bankers Box – “IS YOUR STORAGE ROOM SHRINK- Center Operations; RM – Reports Management; RP – ING?” Records Protection; and RS – Retention Scheduling. •• BELFOR Property Restoration – “We listen. Clean How many of these terms do you know? and simple.” •• DACS – “THE PROVEN SOLUTION PUNCHDECK Can’t Finds: (RC-CFM): Materials which have been Open Area Corrugated Rack Deck” searched but not located. •• Dahle – “Save Money. Shred It Yourself!” Card-Tabulating (RS-FM): Heavy, stiff paper of uni- •• FileTrail – “Stranded by your RIM vendor? Get on form size and shape, adapted for being punched in board with FileTrail and never be left behind again.” an intelligent array of holes. The punched holes are •• Fujitsu – “Fujitsu scanners. You’ll see productivity sensed electrically by wire brushes, mechanically by everywhere you look.” metal feeders or by electronic circuitry. •• Iron Mountain – “Sally files it. Jack prints it. Jen Cushion Sheet (FM): A plastic sheet placed between downloads it… Fortunately, you can trust one com- the stencil and backing sheet when preparing a sten- pany to protect it.” cil master on a typewriter. The cushion sheet insures •• Leggett & Platt Store Fixtures Group – “Our records a clean, sharp copy. speak volumes about the experience and resources we bring to every project.” Duo (M): Recording of images on only one-half of the •• MBM Corporation – “Before a discarded document film width during one passage of the film. Film is then comes back to bit you…Shred it at the Source.” turned end-for-end and rerun to utilize the second •• OmniRIM – “Take Control of Your Records Manage- half of the film. The principle is both useful and economical when filming small documents at high ment.” degrees of reduction. •• O’Neil Software – “Scan. Store, Manage. Deliver.” •• Paige Company, The – “Ordinary boxes hold stuff. Head-to-Foot (FM): Also called “tumble-turn” and Ours are built to hold your future.” indicates printing the reverse side of a sheet upside •• Recall – “THEY SAY, ‘Nobody’s Perfect.’ WE SAY, down so that it can be read by turning the sheet over ‘How Hard Are They Trying?’” from top to bottom instead of turning it as you would •• Smead Manufacturing Company – “If only everything the pages of a book. worked together as well as our paper and electronic Pen Rule (FM): A method of printing lines only on records management systems.” columnar formats. The pen rule machine makes use •• SNIA – “Does your information put you at risk? Protect of “pens,” which come in contact with the stock yourself at Enterprise Information World.” traveling beneath them in a continuous web. •• Tower Software – “Enterprise Content Management. Riffle (CFM): To thumb rapidly through the edges of a Knowledge…where it needs to be.” stack of papers to loosen them for easy handling. •• Xerox – “ONE TOUCH. Put information you need right at your finger tips for under $500.” Unitized Film (M): Microfilm mounted in some “unit” •• Zasio – Point. Click. Save. “When it comes to managing fashion; usually film mounted in a film jacket, aperture your electronic records, you’d be happy if Point-Click- card, or film card – frames of microfilm instead of an Save were all it took. With Zasio, it is!” END entire role.

42 JULY/AUGUST 2016 INFORMATIONMANAGEMENT INREVIEW

A Primer for Corporate Librarianship and Information Management Melanie Sucha

topics in the book pertain to corporate library processes – that is, the A Handbook for Corporate management and dissemination of Information Professionals acquired published resources to sup- Editor: Katharine Schopflin port the business. Publisher: Facet Publishing Linda-Jean Schneider and Simon Publication Date: 2015 Barron’s chapter, “The hybrid librarian-IT expert,” is focused solely on the Length: 184 pages librarian perspective. This chapter Price: $125 (No. America); £59.95 takes a traditionalist view of both ISBN: 978-1-85604-968-9 the librarianship and IT disciplines, Source: www.alastore.ala.org perhaps unfairly criticizing IT depart- (No. America); www.facet ments as being overly imposing, and publishing.co.uk it lacks discussion on more contemporary topics, such as the need for information governance and the skills that ing the corporate intranet,” offers solid both IT and IM professionals have to strategic advice for content manage- offer in the governance domain. ment and governance of an intranet Anneli Sarkanen and Katy Stod- platform, as well as covers best prac- Handbook for Corporate In- dard’s chapter, “Training end-users tices and hot topics for those new to formation Professionals is a in the workplace,” is focused on the using intranets and related social concise, but thorough, com- search and usage of library resources, media features. pilation of contemporary top- without addressing use of internal Danny Budzak’s chapter, “Practi- A document management systems or cal knowledge management,” offers an ics in corporate librarianship. It covers practice areas such as corporate line-of-business information technolo- introductory level overview of knowl- intranets, marketing, taxonomies, gies. edge management, followed by practi- knowledge management, market This chapter demonstrates some cal advice on consulting with business analysis, electronic licensing, and outdated views, painting vendors clients to facilitate knowledge capture. end-user training. simply as salespeople and discourag- Helen Lippell’s chapter, “Building ing vendor collaboration for training a corporate taxonomy,” gives advice on Aimed at Corporate Librarians assistance – a point that runs contra- critical steps in this activity, such as While the broad term “information dictory to Tina Reynolds, Schneider, running stakeholder workshops and professional” is used in the title and and Fiona Fogden’s more progressive aligning to end-user language. by the various authors throughout the arguments in favor of a collaborative These chapters are excellent sum- text, the content is presented from the approach with vendors in their chap- maries for librarians exploring growth corporate librarianship standpoint – ter, “Working with suppliers and li- in and beyond their roles or for in- as opposed to the standpoint of other censing for e-libraries.” formation studies students exploring information management (IM) do- different career opportunities. mains, such as records management. A Focus on Growth, Exploration The primary audience becomes Other chapters are focused on Uneven Writing Quality readily apparent in Katharine Schop- growing the corporate librarian’s skill While the compilation covers a flin’s introduction, which is an articu- set to adopt broader IM duties relat- number of current and relevant top- late description on the history of cor- ing to managing the organization’s ics for corporate librarians, the quality porate librarianship and discussion internal information assets. of the writing varies throughout. Most of the discipline today. Many of the James Mullan’s chapter, “Manag- chapters are very clear and easy to ab-

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 43 sorb. For example, Shaunna Mireau’s change and transition,” has a vague training and strengths in other IM chapter, “Internal and external mar- title; the content is not so much a backgrounds (e.g., records managers, keting by information professionals,” change management overview so content analysts) to leverage this ma- gives very thorough coverage of the much as guidance pertaining to or- terial in a manner meaningful to their topic and includes a mix of theoretic ganizational layoffs. Some of the ad- roles. However, this book does provide explanation of metrics and service vice ignores the need to understand a vast breadth of topical coverage, delivery processes, balanced with il- unique corporate culture, and this so it could certainly be used by any- lustrative anecdotes. could have negative outcomes in ex- one to review an area of interest on a Other chapters are not so well- ecution. Taking his blanket advice chapter-by-chapter basis. written. Phillip Weinberg’s “Success- to leverage human resources teams With well-written and easily con- ful management of insight, intelli- but to use caution when approaching sumable chapters, it is also a quality gence and information functions in a managers would certainly have vary- resource text for its primary audience, global organization” contains many ing results depending on the organiza- offering many insights and up-to-date name-dropping references to other tion’s unique culture. information on performing informa- authors and field experts without ex- tion and library services in the cor- planation as to who these people are Some Usefulness for All IM Pros porate environment. END and what their views comprise. Since this text is aimed at one Andrew Grave’s chapter, “Success- type of information professional, it Melanie Sucha can be contacted at msu- fully managing your team through may be challenging for those with [email protected]. See her bio on page 47.

How the Hybrid Information Environment Is Transforming Libraries, History, Scholarship Mary Broughall technology on information services. Focusing on the issues surrounding Is Digital Different? How the transition from an analog to a information creation, capture, digital environment, contributors ex- preservation and discovery are amine whether analog practices and procedures are still valid and if they being transformed shape or distort those in the digital Editor: Michael Moss and realm. Barbara Endicott-Popovsky, One of the co-editors opens the with Marc J. Dupuis book with a brief overview entitled Publisher: Facet Publishing “What is the same and what is dif- Publication Date: 2015 ferent,” which is a fitting summary of where the compilation starts and Length: 360 pages where it’s going. Despite the title, the Price: $95 (No. America) £49.95 assumption is that digital is different ISBN: 978-1-856-04854-5 and the various authors take us on a ource: www.alastore.ala.org tour of “How information creation, (No. America); www.facet capture, preservation and discovery publishing.co.uk are being transformed,” a very apt s Digital Different?, edited by Mi- subtitle to the manuscript. chael Moss and Barbara Endicott- “stuff” (yes, it is different) and how the Popovsky, is a collection of essays Finding Stuff scattered nature of the now and future that brings together global experts Chapter 2, “Finding stuff,” explores “stuff” finding is consumer driven. It I the ways in which we now search for discoursing about the impact of digital also marks a change, they argue, in

44 JULY/AUGUST 2016 INFORMATIONMANAGEMENT how “stuff” is consumed. and predicts that standardized tools and formulas, makes this particu- Chapter 6, “Finding archived re- and rules will emerge to govern the lar essay a bit formidable. However, cords in a digital age,” is a synopsis of real-time feedback mechanisms that if this is a topic of interest to you, the method that the UK National Ar- govern interaction decisions. the discussions are valuable, lucid, chives in London employs in address- and contain plenty of references and ing the statement that “Preservation Untangling the Web notes. The author concludes “…with and findability truly go hand in hand Chapter 3, “RDF, the Semantic an admonition about how we should – what real value does an archival col- Web, Jordan, Jordan, and Jordan,” think of ourselves and our activities lection have if it cannot be effectively dissects the novelties of the emerg- online in order to stay reasonably used and interpreted?” They delve ing semantic web in the context of safe.” into their rich history of the problems its continuities with the old textual and solutions to finding things, all the web. The author takes a refreshing Wrapping It Up while keeping in mind the “…ability approach to the discussion by starting Chapter 9, “From the Library of to find/understand/access the archive with a definition of the semantic web, Alexandria to the Google Campus: are inexorably intertwined…” then breaking down the definition has the digital changed the way we do research?,” is a lovely concluding … one of the problems we face… going article. Whereas the opening chapter assured us this new digital age is forward is that everything is networked. different, the ending chapter assures us this is a hybrid environment that Interacting with People phrase by phrase to show how this is built on the printed page – that Chapter 4, “Crowdsourcing,” is next step is the logical progression it doesn’t throw out everything that straightforward conversation about as well as why it’s important. This has come before. We are at the dawn the power of the people. Anyone who tactic is commendably educational, of a golden age, they assure us, with has seen or heard of the uses (and especially if you are not familiar with our new-found abilities to transform abuses!) of sites like Wikipedia and the concept of the semantic web. libraries, history, and scholarship. GoFundMe will be familiar with the Chapter 8, “Rights and commons: topic. The author comments on break- navigating the boundary between Embracing Diversity ing down barriers, and this dovetails public and private knowledge spaces,” The fun thing about any anthology nicely with the Chapter 2 assertions points out that one of the problems is the diversity of voices and percep- about the consumer-driven consump- we face now and going forward is that tions. The global perspective (this tion of information. She concludes everything is networked. The trust book is published by a UK publisher) that while it may not be the answer implicit in the act of accessing infor- reflects the increasingly universal to such things as staff shortages, it mation not in your custody is at the considerations we as information can be very useful in surprising ways, heart of this essay. The Australian management professionals face. such as engaging consumers in a way authors present three informative The publisher describes the tar- that they feel like they have a voice. case studies that “…explore the new geted readership as “…students, par- Chapter 5, “Pathways to integrat- public-private frontier...”and conclude ticularly those on information studies ing technical, legal and economic con- with a proposal to “…move away from programs, and academics, researchers siderations in the design, develop- ‘restriction’ being the guiding prin- and archivists globally.” Given that ment and deployment of trusted IM ciple, to the recognition and codifica- we are all students in some form or systems,” is by far the longest chapter. tion of obligations and responsibilities another, this book has something to The authors posit that a single condi- that a user should sign up to before offer everyone. The fact that each tion, the lack of agreement by stake- getting access to archival material.” chapter does not build on the one be- holders, is the source of most of the Chapter 7, “Security: managing fore means you can read these in any challenges within networked systems. online risk,” written by a co-editor, order, and even NOT read chapters if They go on to argue that “…focus on bravely takes on the topic of electronic you choose. However, they all expand technology alone does not adequate- security. It employs the most scholar- our understanding of our progres- ly address the system operational ly and technical approach of all of the sively intertwined profession. END variables that arise from human be- essays, drawing on cognitive psychol- haviours engaged in by IM system ogy, systems dynamics, and criminal Mary Broughall can be contacted at stakeholders.” The ensuing discussion justice. The use of research, including [email protected]. See her bio addresses the complexity of the issues the attendant mathematical models on page 47.

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 45 Visualize It! The Key to Driving Better Business Decisions Robert Bailey, Ph.D., CRM

•• Generate insights and make more informed organizational decisions The Visual Organization: Data •• Discover and identify nuanced Visualization, Big Data, and the issues and ask better questions Quest for Better Decisions about existing processes Author: Phil Simon Publisher: Wiley Profiles Visual Organizations Publication Date: 2014 Simon writes that too many organizations “rely on old standbys [like] Length: 240 pages bar charts, simple graphs and the Price: $50 ubiquitous Excel spreadsheet. And ISBN: 978-1-118-79438-8 their business decisions suffer as a Source: www.wiley.com result.” He explains clearly how visualiza- ing, but the commonality between tion tools and strategies are being the two is the purpose they both also used successfully in organizations share with data mining, business in- every day, featuring profiles of some telligence, analytics, and enterprise of the organizations who get it – like reporting: to lead organizations to a Netflix, Autodesk, and eBay. For ex- better understanding of their informa- he author of The Visual Organ- ample, Netflix’s data-centric mindset tion assets and drive more informed ization, Phil Simon, indicates is captured in its three-part credo: business decisions. that it is not a book about how 1. Data should be accessible, easy Tto do data visualization – or to discover and easy to process Applies to All dataviz, as he calls it. Rather, it’s a for everyone. This is a book that every records book about becoming a visual organi- 2. The longer you take to find the manager should read. Data visualiza- zation, one that is “composed of intel- data, the less valuable it becomes. tion is now mainstream, and records ligent people who recognize the power 3. Whether a dataset is large or managers need to understand its best of data” and who “routinely uses con- small, being able to visualize it practice and how it applies to their temporary, powerful, and interactive makes it easier to explain. roles. It will certainly help them il- dataviz tools to ask better questions lustrate to upper management the and ultimately make better business Parallels with RM bridges between data, records, and the decisions.” Netflix’s credo is not much differ- organization’s decision-making needs. These interactive and robust tools ent from any good records manager’s In fact, it applies to all employees, as allow an organization to analyze its view. The important additional el- they also can use data visualization data, records, and information, as ement of Netflix’s formidable data to improve their work. well as their relationships, to discover capabilities is data visualization. As the volume of electronic records trends, diagnose technical issues, and Simon also stresses metadata, or continues to grow, the challenge will, unearth valuable insights about its data about data, which records man- too, but as this book makes apparent, customers and services. agers also recognize as critical to what the types of tools available to handle According to Simon, because every I call the five rights: getting the right this challenge will also continue to organization has data, all can benefit information to the right person at the improve. END from data visualization, including to: right time at the right place in the •• Understand past events and why right format Robert Bailey, Ph.D., CRM, can be contacted they happened Certainly data visualization goes at [email protected]. See his bio •• Monitor current activities well beyond everyday recordkeep- on page 47.

46 JULY/AUGUST 2016 INFORMATIONMANAGEMENT Contact Information AUTHORINFO

BAILEY COREY DEDERER FRANKS PHILLIPS SNYDER SUCHA SWAN

Integrated ECM Solutions: Where Records Document Imaging Architect, and Fellow of ARMA Interna- Managers, Knowledge Workers Converge Page 18 tional, Phillips can be contacted at [email protected]. Patricia Franks, Ph.D., IGP, CRM, CA, FAI, coordinates the Master of Archives and Records Administration program in 3 Keys to Managing Change for a Successful RIM the iSchool at San José State University. She is the author Program Implementation Page 36 of Records and Information Management, co-editor of the Melissa G. Dederer, IGP, CRM, is a records and information Encyclopedia of Archival Science, and team lead of Implica- governance consultant with more than 20 years of experience tions of Web-based Collaborative Technologies in Records in records and information management, project management, Management (ANSI/ARMA 19-2011) and Using Social Media and automation experience and is a former member of ARMA in Organizations (ARMA TR21-2012). She is also a member International’s Board of Directors. A certified Information of the InterPARES Trust research team. Franks can be Governance Professional and Certified Records Manager, contacted at [email protected]. Dederer can be contacted at [email protected]. Five Steps In-house Counsel Should Take to Mitigate Aaron Swan is vice president of client strategy at Electronic Ink, a research and design consultancy located in Philadel- Information Risk Page 24 phia. He prides himself on being a creative self-starter with H. Kirke Snyder, J.D., has more than 25 years of consulting an entrepreneurial spirit. Swan has advised companies on experience with law firms, corporate law departments, and the value of planning strategic initiatives and the impact of court administrators. He is an expert in records retention, launching initiatives that require enormous investments. information management, and e-discovery issues and an He can be contacted at [email protected]. adjunct professor of law and ethics at Regis University School for Professional Studies in Denver, Colorado. Snyder can be A Primer for Corporate Librarianship and Information contacted at [email protected]. Management Page 43 Melanie Sucha is team lead, Information Management Poli- Minimizing the Use of Trigger Events to Increase cies and Standards, at Suncor Energy Inc. She holds a mas- Records Retention Compliance Page 29 ter’s degree in library and information sciences and teaches Tom Corey, J.D., CRM, is an attorney and Certified Records information management in the Faculty of Information and Manager focusing in the area of records and information Media Studies at the University of Western Ontario. She can management for Consilio LLC. This includes developing be contacted at [email protected]. records retention schedules that comply with domestic and international requirements. Corey received his juris doc- How the Hybrid Information Environment Is Transforming tor degree from the Charlotte School of Law, is licensed to Libraries, History, Scholarship Page 44 practice law in North Carolina, and is an active member in Mary Broughall is a records specialist for Tri-State Genera- the local bar association and the American Bar Association’s tion & Transmission Association Inc. Previously, she did Administrative Law and International Law Section. He can Records and Freedom of Information Act work with the U.S. be contacted at [email protected]. Department of Energy. She can be contacted at mbroughall@ tristategt.org. Software Updates May Be Compromising Your IG Page 32 Visualize It! The Key to Driving Better John T. Phillips, CRM, CDIA, FAI, has made a major difference Business Decisions Page 46 in the ability of individuals to remain knowledgeable about Robert Bailey, Ph.D., CRM, is records program administrator changing information management methodologies and tech- and EMC project leader at McCarran International Airport in nologies for many years. He is a consultant with Information Las Vegas. Previously, he was records manager advisor in the Technology Decisions, author, and educator, and his work Office of Chief Information Officer, St. Johns, Newfoundland illustrates how information management professionals can and Labrador, Canada. He is an active consultant, speaker, grow as their professional activities increasingly include and seminar leader at numerous national conventions. Bailey electronic records. A Certified Records Manager, Certified can be contacted at [email protected].

JULY/AUGUST 2016 INFORMATIONMANAGEMENT 47 ADINDEX CONTACT INFORMATION

IBC Baypath graduate.baypath.edu

BC NAID Information http://directory.naidonline.org Management 3 Institute of Certified Records Managers magazine is 518.694.5362 – www.ICRM.org the resource for IFC, 39 Next Level information www.arma.org/nextlevel governance professionals.

With a circulation www.arma.org of over 27,000 (print and online), this audience reads and refers to IM much longer IM MAGAZINE

than the month of distribution.

Talk to Jennifer about making a Is Your splash. Resumé Ready? Advertise today! ARMA International’s CareerLink is the only job bank specifically targeting records and information governance professionals. Post your resume today and search a database of available positions. Jennifer Millett Sales Account Manager +1 888.279.7378 It makes job hunting easy! +1 913.217.6022 Fax: +1 913.341.6823 careers.arma.org [email protected] ADVERTISE IN

48 JULY/AUGUST 2016 INFORMATIONMANAGEMENT