By Heather Rice Archives - Zasio

Hard Copy Resilience and Offsite Record Storage Trends: Why Physical Records Still Matter

Zasio — Mon, 12 Jan 2026 18:54:30 +0000

In the era of cloud platforms and paperless initiatives, it’s easy to assume that physical records have become obsolete. Yet, organizations across industries continue to rely on hard copy documents as a critical part of information management. As cyber threats rise and regulatory requirements tighten, the resilience of physical records – and the evolution of offsite storage solutions – has never been more important.

Despite the convenience of digitization, some records must remain in physical form. Whether for compliance, legal verification, or operational necessity, paper documents support business continuity. And when digital systems go down, physical records provide an essential backup.

The Value of Physical Records

Many industries require certain documents to be retained in their original form. Wet signatures, notarized contracts, and archival materials often carry legal weight that digital copies cannot replicate. Paper – when stored appropriately – can outlast many digital formats. File types, software systems, and storage devices become obsolete, but properly archived physical documents remain readable for ages.

Physical records may also be vital for disaster recovery. Offsite storage ensures that critical documents remain protected from localized threats and can be retrieved quickly if primary offices are damaged or inaccessible.

One threat to digital records is hacking. Hackers can compromise networks through various avenues, including phishing emails, outdated software, or weak or leaked credentials. Once inside, they may deploy ransomware that locks users out, halts operations, and holds data for ransom. This not only causes downtime and financial loss but also erodes customer trust. To help mitigate these risks, organizations should maintain a physical copy of their business continuity and disaster recovery plan onsite. This ensures your BCDR plan remains available if digital systems are compromised.

Risks to Hard Copy Records

Physical records are not without vulnerabilities. Physical records may be destroyed or damaged through natural disasters like fires, floods, and earthquakes. Environment also influences whether physical records remain safe. Humidity, mold, light exposure, and pests can degrade or destroy records.

Security threats aren’t limited to digital systems. Unauthorized access, theft, or tampering can affect physical records, as well. Locked cabinets may no longer be enough. Organizations should implement secure facilities with limited access policies and clear chain of custody procedures to prevent loss or manipulation.

Trends in Offsite Record Storage Solutions

Organizations are turning to advanced offsite storage providers to address physical records related risks. Key trends include:

Climate-Controlled Facilities and Design: Modern storage centers offer temperature and humidity regulation, fire suppression systems, and flood-resistant design to preserve document integrity and maximize longevity.
Access and Retrieval Services: Same-day delivery, rush retrieval, and 24/7 emergency access have become standard expectations that enable organizations to request and gain access to files quickly.
Digital Inventory Systems: Barcoding and digital portals allow organizations to view inventory, request services, and manage retention schedules without ever having to physically touch a box.
Hybrid Storage Models – Physical + Digital: Many organizations now combine physical storage with digital access, enabling remote retrieval of scanned documents while securely storing originals offsite for compliance or preservation needs.

Modernization in Physical Records Management

Advancements in technology are reshaping how organizations manage physical records, making the process faster, smarter, and more secure.

Location tracking and mobile apps allow organizations to monitor inventory in real-time. Boxes can be tracked and retrievals managed from anywhere, giving teams greater control over their records.

AI has also transformed indexing. Instead of relying on manual categorization, AI-assisted tools automatically tag, classify, and make records searchable. This is particularly valuable in hybrid storage models where physical and digital records coexist and need to be seamlessly connected.

Finally, certified shredding and destruction services provide a secure way to dispose of records and ensure compliance. These services offer auditable documentation, giving organizations confidence that sensitive information has been properly destroyed.

Technological innovations not only help unite physical and digital records systems–they also elevate records management into an integrated and automation-driven process.

Strategic Planning

When comparing offsite storage against onsite storage or digitization, a thorough cost analysis is a must. Some typical costs to consider are:

Pickup and transportation fees for moving boxes to the facility;
Monthly storage charges that may be calculated per box or cubic foot;
Retrieval and delivery fees – increased costs for rush retrievals; and
Destruction costs.

Offsite storage can deliver long-term savings and compliance benefits, but budgeting can be complicated by fluctuations with usage and unexpected expenses. Storage fees accumulate over time, making small monthly costs add up significantly. Pricing structures between providers can also vary widely, making comparisons tricky. Organizations also need to build flexible budgets to account for unpredictable retrieval and compliance costs.

Conclusion

With enhanced security measures, integrated digital tools, and modern offsite storage options, physical documents remain a vital part of a resilient information program. By embracing technological advancements while honoring regulatory requirements and preservation needs, organizations can build a balanced, future-ready record program that safeguards both physical and digital assets.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Hard Copy Resilience and Offsite Record Storage Trends: Why Physical Records Still Matter appeared first on Zasio.

The Sound of Records: Managing Audio as a Primary Record Type

Zasio — Fri, 27 Jun 2025 13:54:09 +0000

In today’s digital workplace, communication is no longer confined to written emails. Audio has become a preferred and powerful form of business communication, making managing audio records more important than ever. However, many organizations still overlook the importance of managing audio records, often treating them as secondary or temporary (something organizations often delete, ignore, or leave unmanaged).

This mindset has become outdated. In fact, audio is not just a byproduct of communication. Depending on its content, it could be a primary record that must be governed with the same care as any other business record.

Why Managing Audio Records Is Now a Regulatory Priority

The growing regulation of audio recordings stems from its rising use in business communications and the legal implications tied to privacy and consent. As more conversations occur over voice calls, virtual meetings, and voice-enabled platforms, regulators are stepping in to ensure proper governance of these communications. Meanwhile, privacy laws such as the U.S. Wiretap Act (18 U.S.C. § 2511) and state-level consent laws are placing legal obligations on organizations to obtain proper consent before recording. Furthermore, industries such as finance and healthcare have specific mandates to retain and monitor audio communications for compliance and transparency. This evolving legal landscape emphasizes the importance of treating audio as a regulated business asset.

Why Audio Matters More Than Ever

The rise of remote and hybrid work has also made audio communication more popular than ever. For example, consider these common sources of audio records:

Meeting Recordings: Platforms like Zoom, Microsoft Teams, and Google Meet automatically generate audio files for recorded meetings.
Voicemail and Voice Notes: Mobile-first teams often rely on voice messages for quick updates or instructions.
Podcasts and Webinars: Many organizations produce internal or external audio content that contains strategic insights or training material.
AI Voice Assistants: Interactions with tools like Alexa for Business or Google Assistant may be logged and stored.

These audio files often contain critical business decisions or compliance-related discussions—making them just as important as written records.

The Challenges of Managing Audio Records

Audio records present unique challenges:

Searchability: Unlike text-based documents, audio files are not typically searchable.
Storage and Cost: High-quality audio files can be large. Over time, this can lead to significant storage costs.
Retention and Classification: Determining how long to keep an audio file—and under what classification—can be difficult. Is a recorded meeting a formal record?
Authentication and Integrity: Audio files can be edited or manipulated. Ensuring the authenticity of a recording and verifying who said what can be complex.

New Tools and Technologies

Modern records management platforms are beginning to integrate. These include:

Speech-to-Text Engines: Real-time transcription and captioning.
Voice Recognition: Identifying individual speakers in multi-person recordings.
Sentiment Analysis: Detecting tone, urgency, or emotional cues in conversations.
Audio Fingerprinting: Verifying the authenticity and originality of audio files.

AI Summary Notes: Balancing Efficiency with Privacy

Organizations are increasingly relying on AI to transcribe and summarize audio records. While these tools can improve the accessibility and usefulness of audio content, they also introduce risks if not used responsibly.

AI transcription and summarization tools often process sensitive information, including:

Client names and project details
Employee identities and internal discussions
Confidential business strategies or intellectual property

If mishandled, this data is fed into third-party AI platforms (especially those that store or use data to train their models) it can lead to unintended consequences, such as the unauthorized exposure of sensitive information, loss of control over proprietary business content, and vulnerability to regulatory non-compliance. These risks are exacerbated when organizations lack transparency into how the data is processed, where it is stored, and whether it is being reused beyond its original purpose.

To mitigate these risks, organizations should thoroughly consider the following safeguards:

Use Enterprise-Grade AI Tools: Choose transcription and summarization platforms that offer data residency controls, enterprise agreements, and no data retention policies. Organizations should also verify that the provider does not use your data to train their models or for any other purpose besides providing the services you’ve requested.
Anonymize Sensitive Information: Before processing, redact or anonymize names, client identifiers, and confidential terms.
Implement Internal AI Models: Where possible, deploy AI tools on-premises or within a private cloud environment to maintain full control over data flow and storage.
Update Governance Policies: Include records management and data governance policies to include AI.
Train Staff on AI Ethics and Usage: Make sure employees understand the implications of using AI tools and follow protocols for handling sensitive information.

Best Practices for Managing Audio as a Record

To effectively manage audio records, organizations may:

Transcribe and Index: Use AI-powered transcription tools to convert speech to text. This not only makes audio content searchable but also allows for easier classification and review.
Apply Metadata: Tag audio files with relevant metadata such as:

Date and time of recording
Participants or speakers
Meeting or event title
Department or business unit
Retention category

Metadata ensures that audio files are readily retrievable.

3. Define Retention Rules: Audio files should be subject to the same retention as other similar records. Retention should be based on content and purpose, not format.

4. Secure Storage and Access Controls: Store audio files in secure, access-controlled environments and use encryption to protect sensitive data.

5. Standardize Formats: Convert audio files to widely supported, long-term formats like MP3 or WAV. Avoid proprietary formats that may become obsolete or difficult to access in the future.

Final Thoughts: Listening to the Future

The next time you hit “record,” ask yourself: Is this just a conversation—or is it a record that needs to be managed? By embracing the sound of records, you ensure that your governance program is not only comprehensive but ready for the future.

The post The Sound of Records: Managing Audio as a Primary Record Type appeared first on Zasio.

Does Dunder Mifflin Have an Approved Records Retention Schedule? RIM Portrayal in Hollywood is … Interesting

Zasio — Wed, 23 Oct 2024 15:59:57 +0000

In the RIM profession, you may find yourself watching movies and television through a different lens. Pop culture has shown us that mishandling records leads to some comedic and, sometimes, catastrophic results. Whether it’s accidental destruction, improper storage, or security breaches, the way Hollywood characters manage (or mismanage) their records provides valuable lessons in real-world RIM principles.

Below are a few examples of where records management goes wrong—and what we can learn from it.

The Office – Michael’s “Special Filing Cabinet” (Season 1, Episode 1 – “Pilot”)

The pilot episode of “The Office” introduces viewers to the quirky dynamics of the Dunder Mifflin Scranton branch, setting the stage for the iconic series. In this episode, regional manager Michael Scott comedically introduces the “special filing cabinet,” AKA the trash can. After Pam receives a fax containing a meeting agenda for Michael and his boss, Michael dramatically tosses the agenda into the trash. This moment sums up the lighthearted incompetence Michael brings to his office, but also raises a serious point about the importance of proper records retention.

Does Dunder Mifflin have an approved records retention schedule? What is Dunder Mifflin’s disposition policy? Throwing documents into the trash is unprofessional and potentially dangerous for a corporation. In a real office setting, this kind of carelessness could lead to the loss of important data, legal liabilities, or compliance violations. A well-defined retention policy ensures that documents are stored securely and properly disposed when the time comes.

Breaking Bad – The Magnet Heist Episode (Season 5, Episode 8 – “Gliding Over All”)

This episode of “Breaking Bad,” features a memorable scene involving a massive magnet used to erase evidence stored at a police station. Walter White and his accomplices devise a plan to eliminate evidence against them using a giant magnet to erase the contents of a laptop. While their plan works, it raises questions about how records are accessed, stored, and secured.

The ease with which Walter and his team access and manipulate police evidence demonstrates a critical flaw in records management: secure storage of digital records. The magnet used in this episode may not be the most common threat to electronic records, but there are countless security risks ranging from cyberattacks to physical breaches. Organizations need robust security measures to safeguard and protect the integrity of sensitive data from unauthorized access, manipulation, and destruction.

Wolf of Wall Street

In Martin Scorsese’s “The Wolf of Wall Street,” one of the most unforgettable scenes involves a chaotic attempted cover up of illegal activities at Stratton Oakmont by shredding physical documents. Jordan Belfort’s actions highlight the legal implications of improper document management. In real-world scenarios, businesses must adhere to compliance requirements regarding record retention and destruction. Failure to follow these regulations can result in fines, penalties, and even criminal charges, like those faced by Belfort and his accomplices.

There are strict legal and regulatory frameworks governing how records should be destroyed, particularly sensitive ones. When organizations face a crisis, it’s crucial to follow established policies and protocols for document retention and destruction. Hasty actions can have legal repercussions. Organizations must have a defensible deletion policy in place to ensure records are destroyed in accordance with regulatory requirements and provide an audit trail proving compliance.

Office Space

In “Office Space,” Milton, the bumbling and disgruntled employee at Initech, is cast down to the basement along with stacks and boxes of documents. Milton’s frustrations result in his setting the office ablaze–chaos ensues. While this scenario is meant to be comedic, the film shows the importance of proper record storage and emergency preparedness for recordkeepers.

Did Initech have an emergency action plan? Storing records in inappropriate or insecure locations, such as a basement prone to flooding, fire, or other hazards, is a major risk that must not be overlooked. Organizations should have an emergency action plan for records management that includes disaster recovery, offsite backups, and risk assessments. A little planning ahead ensures that critical records remain safe, secure, and recoverable in an emergency.

Whether for laughs or as part of the plot, TV shows and movies provide some memorable lessons in records management. While the characters might be forgiven for their errors, and sometimes we even cheer them on, in the real world such actions can lead to severe consequences. “The Office,” “The Wolf of Wall Street,” “Breaking Bad,” and “Office Space,” teach us that there’s a lot to learn about how to manage records effectively—and what can happen when we don’t.

The post Does Dunder Mifflin Have an Approved Records Retention Schedule? RIM Portrayal in Hollywood is … Interesting appeared first on Zasio.

From Seed to Harvest: Cultivating Your Records Life Cycle

Zasio — Mon, 24 Jun 2024 17:39:48 +0000

The arrival of warm weather brings many people outdoors to tend their gardens. Much like a gardener, a records manager tends their records and information. The records life cycle is like a garden’s natural life, with records being the seeds that must be carefully planted, nurtured, and harvested for their value.

Create: Planting Seeds

Each seed has the potential to grow into something valuable. Records managers choose what information may be valuable to the company, much like a gardener carefully chooses which seeds to plant. After the records are chosen, they are “planted” in the company’s filing system and await germination.

Organize: Growth and Maintenance

Once planted, seeds must have the right conditions to sprout and grow into mature plants. Similarly, records must be properly organized and stored for easy access and retrieval. Having a well-designed filing and records management system is like having good soil—it allows your records to sprout and grow to maturity. At this stage, records may be indexed or classified so employees can easily access and retrieve them.

A gardener needs to water, fertilize, and prune their plants to help them thrive. As records grow, they require maintenance, an important part of the records life cycle. Maintenance helps preserve the integrity, accuracy, and relevance of the records management system. Just as a gardener tends to their beds, a records manager must constantly monitor, update, and protect the company’s records and information. A records manager needs to observe the company’s “weather” and adjust as business and technology needs evolve.

Use: Harvest

Harvest season is when you reap the benefits of your labor. The records that you’ve organized and stored are now ready for harvest and use. A well-maintained records management system makes retrieval and use of these records a breeze.

Retention: Storage and Compost

The records life cycle doesn’t end at harvest. Like your vegetables and fruits, records have different storage lengths. Company policies and procedures and laws and regulations all influence the lengths of your retention periods. Proper records storage ensures that they can be accessed when required.

David Stephens, one of the founders of Zasio’s RIM consulting division, compared a record’s life cycle to compost—if retained too long, it begins to rot. At the season’s end, gardeners may compost what’s left of their harvest. Similarly, when a record has reached its full potential and has met all the proper retention requirements, you must identify and pull those that are no longer needed. The disposition process may include deletion, disposal, or archiving depending on company policy or regulatory requirements.

Conclusion

The life cycle of a record resembles the growth of a garden beginning with a tiny seed to the harvest and storage of valuable information. A well-cultivated records management system may yield great rewards for those who tend it with care.

The post From Seed to Harvest: Cultivating Your Records Life Cycle appeared first on Zasio.

What is a Data Leak?

Heather Rice — Tue, 27 Jun 2023 20:17:23 +0000

Refresh your news feed and you will often see yet another company has become the victim of a data leak. Today, most companies are storing sensitive information electronically, making data leaks a major concern. Information security is becoming more important than ever.

Data Leak vs. Data Breach

So, what is a data leak? Data leaks and data breaches both involve exposure to sensitive information. The main distinction though, is data leaks are caused internally, usually unintentionally. Data breaches, on the other hand, are intentionally caused by external actors. The most frequent causes of both, however, are a lack of employee training and poor information security.

Because they involve external bad actors intentionally breaching a system to attack your data, data breaches are more nefarious than data leaks. But, just because a data leak isn’t as sinister in origin doesn’t mean its consequences are any less severe. Criminals often use information from data leaks for data breaches.

You may recall from your newsfeed earlier this year when Samsung became one of the higher profile examples of a company suffering a data leak.[1] In Samsung’s case, employees shared sensitive source code with ChatGPT to have the generative AI app check for errors. Employees also tried using ChatGPT to convert a recording of a meeting into notes. This information is now available on the internet. ChatGPT is becoming increasingly popular for summarizing documents, which becomes a concern, particularly for privacy professionals worried about exposing personal information.

Types of Leaks

Confidential Information: These leaks can include a company’s financial data, trade secrets, and other proprietary business information.
Intellectual Property: These leaks involve a company’s patents, trademarks, copyrights, and trade secrets.
Personal Information: These leaks include customer and employee information. This data type typically includes names, addresses, or credit card information.

All types of leaks can have devastating consequences, including damaging a company’s reputation, loss of customers, legal fees, and revenue loss, to name a few.

Data Leak Prevention

It is important to be proactive to prevent data leaks from happening. Here are some things companies can do:

Monitor Network Traffic: Increase your network traffic monitoring. Increased monitoring may help identify suspicious activity and pinpoint security vulnerabilities.
Restrict Access: Sensitive or confidential data shouldn’t be accessed by those that don’t require it. Companies should only grant access to employees that require access to sensitive information and are trained to safeguard this data.
Multifactor Identification: It is always a good policy to have strong password requirements for company employees. Implementing multifactor identification ensures that password leaks themselves don’t cause a breach.
Training: Employers need to train employees to recognize the tricky tactics cybercriminals use, particularly for email phishing. Suspicious emails should be reported to your company’s security team. Regular security training keeps security top-of-mind for employees.
Vendor Risk Assessments: Unfortunately, your vendors may not take cybersecurity seriously. Risk questionnaires can be used to determine third-party security risks. Companies should evaluate each vendor’s security risks and ensure they comply with regulatory standards.

[1] Mashable SEA. Whoops, Samsung Workers Accidentally Leaked Trade Secrets via ChatGPT. April 6, 2023.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post What is a Data Leak? appeared first on Zasio.

Utah Becomes Newest State to Adopt Consumer Privacy Law

Zasio — Fri, 20 May 2022 19:16:53 +0000

On March 24, 2022, the Utah Consumer Privacy Act (UCPA) was signed into law by Governor Spencer J. Cox, making Utah the fourth state, behind California, Virginia, and Colorado, to pass comprehensive consumer privacy legislation.

The UCPA’s Applicability

The UCPA applies to entities that:

conduct business in Utah or produce products and services that target Utah residents;
have an annual revenue of $25 million or more; and
either controls or processes the personal data of at least 100,000 Utah residents or derives 50% of its revenue from the sale of personal data and controls or processes the data of over 25,000 Utah residents.

There are also a number of exemptions under the UCPA, including, government agencies, institutions of higher education, non-profit corporations, and entities regulated under the Health Insurance Portability and Accountability Act (HIPAA).

What Rights Do Consumer Have Under the UCPA?

Utah residents have the following rights under the UCPA:

Access: Right to confirm whether a controller is processing the consumer’s personal data and access to that data.
Deletion: Right to delete the personal data provided to the controller.
Portability: Right to obtain copies of the personal data provided to the controller in a format that is portable, usable, and transmittable.
Opt-Out: Right to opt-out of the processing of personal data for targeted advertising or sale of personal data.

Responsibilities for Processors and Controllers

The UCPA specifies the following responsibilities for processors and controllers:

Contracts between processors and controllers shall be established before processors begin processing information on behalf of a controller. The contract should provide the instructions for processing personal data, the purpose, type of data being processed, the duration, and the rights and obligations of the parties. The contract should also ensure confidentiality by the processor in relation to the personal data being processed. Any subcontractors must also enter into a contract and abide by the same obligations as the processor.
Controllers shall provide consumers with a privacy notice that includes:
categories of personal data processed by the controller;
purpose of processing the personal data;
how consumers may exercise their rights;
categories of personal data that are shared with third parties;
categories of third parties with whom the controller shares personal data; and
the manner in which consumers may exercise the right to opt-out of the sale of personal data or processing for targeted advertising.
Establish data security practices to protect the confidentiality of personal data and reduce the risk of harm to consumers in relation to the processing of their personal data.
Controllers may not process data collected from a consumer without providing notice and the opportunity to opt-out of the processing.
Controllers may not discriminate against consumers for exercising their rights by denying goods or services, charging different prices to consumers for goods or services, or providing the consumer with a different quality of goods or services.

UCPA Enforcement

The Utah attorney general has the exclusive right to enforce actions under the UCPA (i.e., consumers do not have a private right of action against business for UCPA violations). Violators of the law have a 30-day cure period upon receipt of written notification before the attorney general initiates any actions against the controller or processor. Uncured or continued violations are subject to penalties up to $7,500 per violation and may be responsible for payment of damages to the attorney general to be deposited into the Consumer Privacy Account.

The UCPA’s Effective Date

The UCPA becomes effective on December 31, 2023, giving businesses a grace period to adjust their operations. While this may seem far off, don’t underestimate the amount of time it can take for a business to adjust its practices to be legally compliant. Instead, contact Zasio to find out how you can help bring your business into compliance with this new law, as well as other comprehensive state privacy laws.

Author: Heather Rice

Senior Research Analyst / Certified Paralegal

The post Utah Becomes Newest State to Adopt Consumer Privacy Law appeared first on Zasio.

Meet Our Team! Heather Rice, Senior Research Analyst, Certified Paralegal

Zasio — Fri, 04 Feb 2022 19:52:58 +0000

What excites you about Zasio’s products and services?

What excites me about our products and services is our customization. Every company’s records and information management needs are different, and our ability to provide a custom experience sets us apart from others in the industry. Zasio strives to stay up-to-date with the latest laws and regulations, trends, and industry standards. We also take pride in providing top-notch customer service.

Tell us about your role at Zasio.

I joined the Research Division at Zasio in July of 2018. As a Senior Research Analyst, my role is to conduct research for Zasio’s legal research database and also provide assistance to the Consulting team.

How did you get into Information Governance research and why do you like it as a career field?

Before joining Zasio, I worked as a paralegal and developed a love for the law. My work as a paralegal helped establish some of the skills necessary for Information Governance (IG) research, namely attention to detail and reading and interpreting complex legal documents, laws, and regulations.

While working in litigation, I assisted attorneys to, in essence, gather all the puzzle pieces together to provide a solution to a particular client’s legal issues. Records and information management (RIM) is much like a puzzle, and IG research is one of the puzzle pieces needed to put together a records retention schedule. Working in the IG research field allows me to search for these missing pieces, gather them together, and work with a great team to provide solutions for our client’s RIM questions. Laws and regulations are ever-changing, making IG research a challenging career that I enjoy very much.

What are the most important things you recommend people keep in mind about RIM?

Don’t forget about paper records. In a world where everything is electronic, businesses may often forget about their physical records. Onsite records are sometimes shoved into basements or storerooms and may be vulnerable to security risks due to break-ins or damage by several things, including insects, fire, flooding, etc. Frequently, physical records stored offsite are forgotten. It’s important to have a document tracking system, such as file indexing, so that businesses always know where their records are.

What is something you would like to learn?

Portuguese! In 2018, my husband and I hosted an exchange student from Brazil. It was by far one of the best experiences of my life. Getting to learn her culture and share ours was unforgettable. One of my most cherished memories was learning to make the Brazilian dessert, Brigadeiro. Brigadeiro is a special treat, similar to chocolate truffles, traditionally served at parties and weddings. It is meant to be shared with the people you care about. She and I still share laughs about her first few days with us as we learned to communicate with each other. During her time here, she taught me some Portuguese, and listening to her talk to her family and friends across the globe made me fall in love with the language. It is a difficult language to master, but I hope to be able to speak the language when we visit her family in Brazil one day. I highly recommend hosting an exchange student! Becoming a mentor and learning from each other at the same time was a rewarding experience. She truly became a member of our family, and we still talk daily.

Author: Heather Rice

Senior Research Analyst / Certified Paralegal

The post Meet Our Team! Heather Rice, Senior Research Analyst, Certified Paralegal appeared first on Zasio.

‘Tis the Season… for a Data Breach

Zasio — Thu, 02 Dec 2021 20:04:39 +0000

The leaves are changing color and falling to the ground, pumpkin spice is on nearly every store shelf, and the air is chilly—Yes, the holidays will soon be upon us. Before you start your holiday shopping or bring out the decorations, it’s important to remember that the holidays are prime time for data breaches and cyber theft.

The Cybersecurity and Infrastructure Security Agency (CISA) defines a data breach as the “unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.”[1] Each year, many large companies experience a data breach. You may not think this could happen to you, but the truth is that every company is vulnerable to hacking. According to Risk Based Security, a cyber vulnerability intelligence, data breach, and risk ratings company, the first two quarters of 2021 had 1,767 breaches. These breaches led to approximately 18.8 billion exposed records between January and June.[2] Data breaches can become very expensive. On top of ransom demands, you also have investigation, mitigation, and legal costs. But the biggest cost often is the loss of consumer confidence or closure of the business entirely.

So why do attacks often occur during the holidays? One reason is that companies often operate with a skeleton crew making it difficult to communicate with IT staff. This leads to longer response times in an attack, which allows damage to extend much further compared to an attack during normal working hours. These attacks can come in many forms so it’s important to know what they look like in the event you come across one.

Types of Data Breaches

Here are a few of the ways hackers may gain access to your information:

Phishing Scams. Phishing happens through emails or messaging applications that appear to be legitimate and attempt to exploit your trust. Examples of phishing include:

- Email phishing is one of the more well-known cyber-attacks. Attackers impersonate brands and send emails that lead victims to click on links or download malicious content that installs malware on the victim’s device.
- Spear-phishing is a targeted attempt by a person disguised as a trusted individual, such as a friend, co-worker, or family member, to obtain sensitive information (think account credentials, money, or financial information). Attackers often target their victims by looking at the victim’s personal information available on the internet, such as social media websites. The attacker requests the victim perform an unusual task hoping the victim has enough trust to perform the task without question.
- Whaling is similar to spear-phishing except it involves supposed “senior officials” at a company. In this type of phishing, scammers imitate a senior staff member after using the company’s website to obtain names and email addresses. These emails are sent to unsuspecting subordinate staff with a request, such as transferring money or reviewing a document that contains malicious content. If you don’t typically receive emails or messages from company higher ups, this should be a red flag.

2. Ransomware. Ransomware is malicious software that targets a company’s data by blocking access to their systems. According to Fortune.com, ransomware attacks grew by 150 percent in 2020. Given this increase, Fortune.com estimates damages from cybercrimes may reach $6 trillion in 2021. The FBI and CISA have noted that hackers are increasingly deploying ransomware during holidays when offices are often closed.[3] As the hackers’ thinking goes, holiday attacks maximize damage and companies caught off guard will have little choice but to meet their demands.

- Non-secure Wi-Fi Connections. Since many companies still have employees working remotely, connecting to secure Wi-Fi is especially important. You should warn your employees about using public Wi-Fi connections where cyber criminals can intercept communications or setup up Wi-Fi connections that appear legitimate, but are fake and used to steal information. Employees should be extra diligent during the holidays when accessing their email or company systems remotely.

How to Protect Yourself

The reality is that we are all at risk of data breaches and cybersecurity issues; however, there are some things you can do to protect yourself and your consumers. Here are a few key examples:

Education. Training your employees about the importance of cybersecurity is just as important as other IT maintenance and document management protocols. Set aside some time for employee refresher courses on the importance of not opening emails, attachments, or clicking on links from unknown sources, not sending sensitive documents through personal email accounts, using secure Wi-Fi connections, and keeping track of company devices.
Investing in cybersecurity software. The return on investment could be exponential. Also, keep all software up-to-date. Software that is out-of-date may contain weaknesses in which hackers may take advantage of. Software updates and patches work to repair these vulnerabilities and protect your data.
Implement a strict password policy. Strong passwords should be used by everyone, whether you’re an employee or a consumer. Do not reuse passwords or use passwords that contain information that can be public knowledge (for example, your birthday, a pet’s name, or a child’s name). Passwords should contain a variety of characters, numbers, and upper and lowercase letters.
Use two-factor authentication, especially for remote access. Two-factor authentication provides another security layer that makes it more difficult for hackers to login and use your accounts because the hackers will need another piece of information other than your username and password. This often comes in the form of an SMS code sent to your phone or a code provided by an authenticator app.

Conclusion

Holidays are great; we all want to enjoy them. After all, who doesn’t love shopping and decorating while sipping on a hot pumpkin spiced beverage. But a data breach may put an end to your holiday spirit. Educating yourself and your employees about ways to prevent against cyber-attacks is not only the best defense against such attacks, but also the best way to and ensure peace of mind during the holidays and beyond. Contact Zasio today to explore the software and consulting solutions we offer, to address your information governance needs.

[1] Cybersecurity and Infrastructure Security Agency, National Initiative for Cybersecurity Careers and Studies, Cybersecurity Glossary, available at: https://niccs.cisa.gov/about-niccs/cybersecurity-glossary (accessed October 21, 2021).

[2] Risk Based Security. “2021 Mid Year Report.” 2021, https://pages.riskbasedsecurity.com/hubfs/Reports/2021/2021%20Mid%20Year%20Data%20Breach%20QuickView%20Report.pdf

[3] Alsever, Jennifer. “Why company hacks tend to happen over holiday weekends.”6 July 2021, https://fortune.com/2021/07/06/why-company-hacks-tend-to-happen-over-holiday-weekends/

Author: Heather Rice

Senior Research Analyst / Certified Paralegal

The post ‘Tis the Season… for a Data Breach appeared first on Zasio.

Spring Cleaning Your Records

Zasio — Mon, 26 Apr 2021 21:03:46 +0000

Spring is in the air–birds are chirping, flowers are starting to bloom, and the trees are starting to come alive again. The sun is out, it’s time to open the windows, bring out the cleaning supplies, and start spring cleaning. You clean and declutter your house come springtime, so why not spring clean your records?

April is Records and Information Management Month, a celebration of the value of organizing and maintaining records and data. But the end of April doesn’t mean that you should shove those records into a closet and close the door until next spring. It’s important to give your records attention throughout the year, but sometimes we all need that extra boost to get us motivated. Spring is an excellent time to review your organization’s approach to recordkeeping. Here are a few tips to kick your spring records cleaning into high gear.

Plan Ahead – Evaluate Your Organization’s Needs and Know Your Risk

Much like gathering the cleaning supplies you need to get the job done, it’s important to assess the situation before you take a deep dive and start tossing records with reckless abandon (or throwing them haphazardly into that filing cabinet down the hall). Assess your organization’s need for records management and call in reinforcements if needed. Does your organization already have a records retention schedule? Does this schedule work for your organization or does it need tweaking? Do you know if your schedule is compliant with local laws and regulations?

It is now easier than ever to create large amounts of records and data. Electronic records have further complicated records retention and opened organizations to new kinds of risk. The move to electronic records may have also pushed your organization to move their old paper records to offsite storage, where they are out-of-sight and out-of-mind. However, offsite records are still subject to discovery should your organization find itself in the middle of a lawsuit. Make sure to include offsite records in your evaluation.

Inventory – Everything Should have its Place

You have a game plan, now what? When you begin spring cleaning your home, you don’t just move stuff around on the shelf or simply take stuff out of one closet and put it into another. Pulling things out and taking inventory of what you have makes organizing much easier. Everything should have its place. Records management is no different. It is easier to move forward with a plan when you know exactly what you have.

Do you know what records you have? More importantly, do you know where they are located? Electronic records and the ability to work from anywhere allows us to create and save records everywhere, oftentimes in multiple places. Employees may keep these records in the most convenient, but not always the best, place to store them. Records need to be accessible to others who may need them. Not knowing where your records are stored may put them at risk for incidental deletion or destruction. Start by reaching out to all departments or business units to determine what types of records they have and where they are stored. It is also good practice to figure out how long a business unit may need a particular record (just be sure these retention periods are also in compliance with local laws and regulations). This inventory will make it much easier to map out a plan for where to store records so that they are accessible. It might also help to identify potential consolidations to your retention schedule by grouping similar records with similar retention periods.

Declutter – Top to Bottom

Spring cleaning can be an arduous task. Having everyone pitch in makes the project run much smoother, quicker, and more efficiently. When it comes time to implement your records management plan, it’s important to make sure that you have everyone in the organization on board, starting from the top. Creating inventories brings all business units together by letting each unit play a role in developing the inventory and creating a roadmap for where records are stored. Direction and support from the top of the organization gives employees permission to take time out of their day and play an active role in managing their own records. Decluttering and organizing records are no easy tasks and will take, in some cases, a great deal of time. Employees who help create a records management plan that works for them will likely be enticed to maintain their records and follow the plan.

So, open your windows up and take a breath of fresh air knowing that your organization’s records and information are well on their way to being organized and compliant. When there is a plan to have “a place for everything and everything in its place”, and no “clutter,” your organization will run more efficiently. If you need additional tips or help cleaning up your records, please reach out to Zasio.

Author: Heather Rice

Senior Research Analyst / Certified Paralegal

The post Spring Cleaning Your Records appeared first on Zasio.

New Changes to the European Union’s Medical Device and In Vitro Diagnostic Device Regulations

Zasio — Mon, 12 Oct 2020 21:51:30 +0000

On May 26, 2020, the European Union enacted new regulations concerning medical and in vitro diagnostic devices—a move that should cause manufacturers, clinical trial sponsors, investigators, and other regulated parties involved in medical device development, manufacture, and distribution in the EU to take notice. These new regulations replace existing directives and bring about many changes, including important changes to records retention periods.

Medical Device Directive 93/42/EEC has been replaced by Medical Device Regulations (EU) 2017/745. This regulation applies to both implantable medical devices and non-implantable medical devices.

In Vitro Diagnostics Regulations (EU) 2017/746 replaces In Vitro Diagnostic Medical Devices Directive 98/79/EC. Although this new regulation is not fully effective until 2022, certain articles are already in force.

Below is a summary of the changes to the retention periods and new requirements that are included in these regulations.

Details of Changes to Retention Periods

Medical Device Regulations (EU) 2017/745:

Technical documentation, declarations of conformity, and any relevant certificates: For manufacturers, authorized representatives, or importers of medical devices, the retention period for these documents has been increased from 5 to 10 years after the last device has been placed on the market. When these documents relate to implantable devices, the retention period is 15 years after the last device has been placed on the market (the same as under the prior directives).[i]
For persons combining medical devices with other devices: The retention period for records compatibility, packaging, and internal monitoring verification statements has been increased from 5 to 10 years after the last device has been placed on the market, or 15 years after the last implantable device has been placed on the market, whichever period is longer.[ii]
Economic operators (including manufacturers, authorized representatives, importers, and distributors) of medical devices: These parties are responsible for keeping supply chain records for the same 10-year and 15-year requirements described in Article (10)(8) of the new regulations.[iii]
(Annex IX)(7) and (Annex X)(7) require manufacturers (or their authorized representatives) to keep EU declarations of conformity, quality management system documentation, data and records which arise from procedures for monitoring, verifying, validating, and controlling design, technical documentation, and similar records for a period of 10 years after the last device has been placed on the market. This retention period also applies to decisions and reports from the notified body. This is an increase of 5 years to the retention period. These same documents, as they relate to implantable devices, must be kept for 15 years after the last device has been placed on the market.
(Annex XI)(9), (10.5), (17) and (18.4) require a 10-year retention period for medical devices and a 15-year retention period for implantable medical devices for the following records: EU declarations of conformity, quality management system documentation, post-market surveillance system documentation, decisions and reports from the notified body, manufacturing process documentation, and EU product verification certificates, among other similar records.
Manufacturers or authorized representatives of custom-made devices must retain statements containing specifics which identify the device, the intended use of the device, characteristics of the product (as indicated by prescription), and general safety and performance requirements, along with similar information, for 10 years after the device has been placed on the market. This same information must be kept for 15 years if it relates to implantable devices.[iv]
Lastly, sponsors of clinical trials for medical devices must retain documentation, including application forms, investigators’ brochures and performance study plans, for 10 years after the device’s clinical investigation has ended. If the device is placed on the market, these documents must be kept for 10 years after the last device has been placed on the market. The retention period for implantable devices is 15 years.[v]

In Vitro Diagnostic Regulations (EU) 2017/746:

Technical documentation, declarations of conformity, and copies of all relevant certificates: Manufacturers, authorized representatives, and importers of in vitro diagnostic devices must now retain these documents for 10 years after the last device has been placed on the market. This change increases the retention period by five years.[vi]
Economic operators (including manufacturers, authorized representatives, importers and distributors) of in vitro diagnostic devices are responsible for keeping supply chain records for the 10-year retention period noted in Article (10)(7) of these new regulations.[vii]
(Annex IX)(6), (Annex X)(6) and (Annex XI)(6) require manufacturers (or their authorized representatives) to keep the following records for 10 years after the last device has been placed on the market:
- any EU declaration of conformity;
- quality management system documentation;
- documentation of procedures and techniques for monitoring, verifying, validating and controlling design;
- technical documentation;
- copies of EU type-examination certificates; and
- certain similar documents.
Lastly, (Annex XIV)(Chap II)(3) requires sponsors of clinical trials for in vitro diagnostic medical devices to keep application forms, investigators’ brochures, and performance study plans (along with similar documents) for 10 years after the end of any clinical performance study. If the device is placed on the market, the retention period becomes 10 years after the last device has been placed on the market.

Impacts from These Changes

If you are regulated by the European Union, be sure to update your retention periods for the relevant categories of records. If you need assistance in setting up or updating your retention schedule, contact Zasio.

[i] Medical Device Regulations (EU) 2017/745 (10)(8), (11)(3)(b) and (13)(9).

[ii] Id. at (22)(5).

[iii] Id. at (25).

[iv] Id. at (Annex XIII)(4).

[v] Id. at (Annex XV)(Chap III)(3).

[vi] In Vitro Diagnostic Regulations (EU) 2017/746 (10)(7), (11)(3)(b) and (13)(9).

[vii] Id. at (22).

Author: Heather Rice

Senior Research Analyst / Certified Paralegal

The post New Changes to the European Union’s Medical Device and In Vitro Diagnostic Device Regulations appeared first on Zasio.