17 March 2017

“You’re My New Best Friend, Counselor”

Today’s Blog is sponsored by MER 2017, Cohasset Associates’ 25th annual educational conference on electronic records management, in Chicago, May 8-10.

Few records managers work solo.  Nor should they.

Today’s RIM requires expertise and contributions from a variety of disciplines beyond the scope and/or capabilities of any one person.  Not many RIMmers are technologically super-savvy, and few techies understand RIM.  Similarly, I have never heard of a law school class on RIM (although elements may be included in Discovery).  Nor are there many records managers with “JD” after their names.

The point is: no one can know everything, so our success depends on collaboration with other disciplines.  That’s easier said than done.

Let’s talk about members of the Bar.  Many obstacles inhibit a natural cooperation between attorneys and records managers.  They have different backgrounds, training, perspectives, priorities, resources, status, budgets, salaries, and pain points that keep them up at night.

There tend to be personality differences too.  Consider: many lawyers decide on their career relatively early in life.  They are survivors; their rigorous training weeds out the weak.  By the time they receive their Doctor of Jurisprudence degree, they are the elite.  And while stereotypes are always problematic, corporate lawyers tend to be risk-averse, non-committal extroverts (or over-compensating introverts) who are self-aware of their authority as members of the Bar.  They accept that, in corporate law, there are many ambiguities.  Nonetheless many have a need to be right, and the Law backs them up.

Records and Information Managers are in stark contrast.  They tend to enter the discipline in mid-career. Few have degrees in the area.  There are no RIM measures of expertise until one goes for certification.  In the corporate or governmental prestige pecking-order, RIMmers may not even make the top half.  Both their budgets and salaries are low, relative to lawyers.  On the personality scale, RIMmers tend to be introverts and/or perfectionists.

Records people usually know only as much law as they need to, perhaps Civil Procedures 26(b).  They may have heard of UBS v. Zubulake.  When it comes to contract law, intellectual property law, or other corporate law, most of us draw a blank.

General Counsels and their staffs generally know little about records retention schedules and taxonomies.  They have little or no experience in writing records management policies and procedures.  They know about declaring legal holds, but they may not know how to apply them effectively.  

Despite these significant differences, organizational success depends on law/RIM collaboration.  It improves litigation defense, and it guards against charges of spoliation.  Collaboration with a contract attorney protects records stored offsite, as well as information gathered online or by mobile apps.  Conversely, lawyers help validate RIM; the General Counsel’s office may even help fund records initiatives. 

Here are five key steps records leaders can take to improve collaboration between these disparate groups: 

  • Get your basics down – hopefully committed to memory:

o   If you’re not already, get conversant on the records portions of the Federal Rules of Civil Procedure and the derivative case law.
o   Avail yourself of the resources of The Sedona Conference (www.thesedonaconference.org), notably the Sedona Principles.  Sedona is a key intersection between records systems, the law, and the resulting implications.
o   Go to MER 2017 (www.merconference.com) [the sponsor of today’s Blog post] and immerse yourself in the creative synergy that happens when some of the most perceptive minds in both records and the law come together.  If you can’t attend in person, sign up for remote access to the MER presentations.
o   Exploit ARMA’s estimable resources, including the Bookstore and Chapter libraries and meetings.

  • Find an ally.  Ask how a Records/Legal collaboration can best advance your organization’s goals.  Who, within the Legal team, can collaborate to move the organization forward?  Check Legal’s organizational schema, including in-house counsel and outside counsel.  [Note that while employees of your organization are called in-house counsel, attorneys from independent law firms are never called out-house counsel.]  Who can best contribute to success?  Make that person your “new best friend”.

o   Are Discovery issues most pressing?  Then your ally may be an eDiscovery attorney. 
o   Is the biggest issue unmanaged records outside the firewall?  Then your new partner may be a contract attorney. 
o   Is regulatory compliance difficult to prove?  Then you may want to befriend a regulatory specialist. 
o   If software doesn’t meet policy requirements (such as systems that can’t put holds on data), find the most tech-savvy attorney who can address it.

  • Learn the parameters, frontiers, and basic vocabulary of your ally’s specialty.  A simple Web search will reveal many resources.  Each focus has its own publications.  Read a sampling.  When you see a reference to a salient legal case, find it on the Web and read the abstract.

  • Meet informally.  I prefer a lunch where you can learn a bit about each other (family, interests, political leanings, and more), and also dispel preconceptions.

  • Remember your differences and work to bridge the gulfs.  Seek points of congruence that emphasize shared concerns.  Ask questions that solicit legal opinions and, when possible, refer to seminal legal cases (see above) that relate to his/her opinions.

  • Follow up:

o   When you see a pertinent article or legal reference in a magazine, send your friend the link. 
o   If some new case or technology affects your work, ask your ally how it relates to your current legal situation.
o   Have a second luncheon meeting, and a third.  Look for ways your collaboration can improve your organization and show those to the counselor. 
o   Be prepared to involve attorneys with other specialties.

Following these steps, I have found great openness and surprising acceptance.  That’s because records managers solve lawyers’ problems that they can’t solve for themselves.  It relieves stress and contributes to their success.  In appreciation, they might even pick up the tab for lunch.

The same principles extend to other groups, such as IT or Audit groups.  The personality types, pain points, publications, etc. change, but friendship always accelerates essential collaboration. 
Get to know a “new best friend” today.

08 February 2017

Are Your Records Home by Curfew?

Today’s Blog is sponsored by MER 2017, Cohasset Associates’ 25th annual educational conference on electronic records management, in Chicago, May 8-10.

Sorry to be the one to tell you, but “secure information” is an illusion.  No records are really 100 percent secure.  We protect our information, but we only create improvement, not assurance.  If you think you can totally protect your information, forget it.  It’s a fool’s errand.

That said, we can manage the risk of imperfect security.  We can balance our protection efforts against the increasing cost of safeguarding our information.  Theoretically, we could buy a remote cave, control its environment, and put all kinds of protection and blockages to prevent the “bad guys” from getting it.  Two problems: it limits availability of the data, and the expense is out of proportion to the value of the information.  And, oh, one more thing: we can never be sure that the keeper of the keys has our best interests at heart.

I’m going to let the IT folks worry about whether the organization uses McAfee, Norton or Kaspersky to protect digital information from hacks and infection.  But some of the aspects of digital security that Records Managers understand don’t occur to our colleagues in technology.  There are threats – both internal and external – that are outside the training and awareness of the IT department, but are well within the RIM domain.  As RIMmers, we don’t necessarily have the tools to mitigate the risks, but we have the expertise to show IT the threats they may have overlooked.

Our immediate responsibility largely revolves around physical storage onsite.  (This includes electronic records on physical media, and I know legacy organizations that keep huge banks of WORM disks in various formats.)  Do we keep unauthorized workers out of the records repositories?  Do we have adequate check out/recall/check in procedures?  Are the records protected from fire, flood, and other calamities?  Is there a plan to safeguard physical records when disaster strikes – such as a backup repository or emergency remediation or shelter for records from a damaged building?

While we must prepare for those, accessibility is a more likely threat.  Lost records may as well be stolen, except that there are no competitors to benefit from them.  Of course, accessibility is one of the Generally Accepted Recordkeeping Principles [see the Limericks of GARP in the archives of this Blog] and if you follow best practices, you should be in reasonably good shape, for paper records. But there are some loopholes, or bases not covered, which concern security-minded RIMmers dealing with electronic records:

  • Do you really know what you have? Is your taxonomy consistent across the enterprise, and is it the same inside and outside the firewall?  Are all indices up to date and inventories current?  Is the metadata consistently recorded so searches are productive?
  • Do you regularly test for access to Electronically Stored Information (ESI), sampling the storage media for degradation and the files for corruption?
  • Is ESI regularly migrated so 1) File formats and operating systems remain current, and 2) There are compatible drivers to display and/or print aging files?
  • Does each structured data system have an active administrator who knows how to produce data and maintains the passwords/encryption keys?

To answer these questions in the affirmative, responsible RIMmers work closely with their technology people.  We defer to IT to deflect virus attacks, unauthorized downloads, and password or encryption hacks. But they may not know how to organize records with taxonomy, and, in my experience, they may not maintain legacy data systems.

There’s a whole other realm of security risks, outside the firewall.  RIM needs to alert IT, and the mitigation of those risks may require contributions from Legal Counsel. 
  • Security risks in the Cloud are explored in the previous post of PositivelyRIM.  Cloud storage is so easy to set up (and company policy may not regulate it) that Cloud accounts can go up ad hoc, with little attention to potential security gaps.
  • Consider social media:  Are posts, Blogs, Tweets, comments, and other communiques records?  Do they need to be captured?  Technically, can they be captured and managed?  Can they be secured?  Can the records be removed and disposed, according to a retention schedule?
  • Consider mobile apps:  Do they collect and store records?  Can those records be managed and disposed at the right time?  If the records can be disposed, are they really scrubbed from the servers?  Can Legal Counsel help write contract language for the mobile app host to enable management of mobile records? 
  • In an era of Bring Your Own Device, IT is well aware of the security risks.  But do they understand what mobile-device records need to be captured, retained, and disposed?  The next Pirates of the Caribbean movie is entitled “Dead Men Tell No Tales”.  Does IT realize that “Dead Records Tell No Tales”?

We need a partnership between Records, Legal, and IT.  And let’s bring in Internal Auditing, Human Resources (HR), and any other groups with a stake in keeping information safe, secure, and accessible.  That’s what I call Information Governance.

Re HR: the hiring process is a sometimes-neglected security gap.  Any organization with information of value to “bad guys” must thoroughly vet all staff to reduce the risk of theft or espionage.  This applies whether the hiring is done through HR or a RIM Dept. hiring manager.  Close the barn door before the horses get out.

Three axioms:

  --  Know what you have, protect and manage it. 
  --  If you don’t know what you have, you can’t tell what is stolen.    
  --  Lost records are as useless as stolen records.

Security is a never-ending quest.  Those “bad guys” are always probing for security lapses while they develop ever more insidious methods.  It’s a moving target, so it is vital to stay on top of the subject, trying to stay one step ahead of the threats.   

My favorite upcoming resource for that “step ahead” is the MER17 Conference this May in Chicago (www.merconference.com).  This year, a keynote speaker is Eric O'Neill, the former FBI operative who broke the Hanssen spy case.  He’ll be speaking about "Cyber Security in the Age of Espionage", with feedback from some of the best minds in the field.  I look forward to networking with many of you, gentle readers, because each of us has something to contribute.  The more we know, the better we are.   See you there.