In organizations today, paper records can be as absent as Dictaphones and fax machines. In their place lie complex digital ecosystems, constantly churning and being updated. These ecosystems often cross continents. Within this transformed landscape, records and information management professionals must also adapt. Retention schedules built around documents, even digital ones, are no longer enough to keep organizations compliant with retention and disposition laws. If a digital system can generate a regulated record on demand—or even if it merely contains regulated data—then the system itself must be part of the retention equation. In other words, retention decisions that ignore digital systems create false confidence in your RIM compliance.

The job of RIM professionals now requires data management.

Key Takeaways:

• Traditional RIM focused on static objects; modern RIM focuses on dynamic digital ecosystems.
• Process-driven retention manages the systems and data flows that generate records, not just the records themselves.
• Keeping underlying transactional data while deleting a record creates a “false confidence” in compliance.
• Success requires RIM professionals to master data mapping, system architecture, and cross-departmental collaboration.

The Future of Retention is Process-Driven

It’s helpful to think of computing systems as factories and records as the products being manufactured. It doesn’t matter if you’ve disposed of the end product when the raw material is still on the factory floor and can be used to create another same or a similar record. Under a process-driven retention approach, RIM professionals must focus on how data flows through systems and business processes, recognizing that records are often generated, regenerated, or reconstructed from underlying data long after a record is deleted. Process-driven retention shifts from managing documents to managing the processes and systems that process regulated content.

If an organization determines it must delete a financial report or a customer statement, but it keeps the underlying transactional database, the risk driving the disposition decision has merely been taped over.  In other words, you cannot claim compliance at the record level if the underlying data ecosystem still exists to recreate, substantially reconstruct, or functionally reissue the record.

Process-driven retention builds around the fact that data doesn’t stay in a static state. It’s instead constantly changing. Process-driven retention also appreciates that datasets are often dependent on other datasets to be meaningful. Accordingly, the process-driven RIM professional must recognize that retention outcomes must be determined by system behavior, not just by deleting isolated datapoints. A modern RIM program must be as much about how data systems behave as it is about how long records are kept.

Process-Driven Retention Requires RIM Professionals to be Curious

To adopt a process-driven retention mindset, RIM professionals must elevate their understanding of computing systems and technologies. They must learn new skills and domains. These include data mapping, IT system architecture, and data lifecycles. RIM professionals must begin thinking in terms of the retention implications of computing system event logs, audit trails, system metadata, data pipelines, and even “machine memory” in AI systems.

Process-driven retention also requires creating closer partnerships with privacy, IT, product and engineering teams, and cybersecurity professionals. In a process-driven retention world, these are the RIM professionals’ new cross-collaborators. RIM professionals must be the glue that binds these diverse fields to help their organizations achieve retention and disposition compliance.

New Questions for a New Era of Retention Management

The distinction between “Data,” “information,” and “record” was long an object of worship in the RIM field. Unless the object was a record, RIM professionals need not have been concerned. Such thinking is outmoded. In the process-driven retention age, RIM professionals must think fluidly, thinking through the retention implications of data in all of its forms.

RIM professionals must also shift their focus from classification to system comprehension. Instead of merely asking, “Is this a record?” the RIM professional’s most important question must now be “Show me how this works?”

Additional Resources

To learn more about Zasio’s approach to records retention management, check out our February 2026 Virtual Coffee Webinar with Jennifer Chadband, Warren Bean, and Rick Surber, as well as this written compendium.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post How Process-Driven Retention is Changing Records and Information Management appeared first on Zasio.

One has become rooted in organizational culture. Well-vetted and highly operationalized, it is enthusiastically supported at all levels. The other barely exists beyond its dust-covered charter. Its policies and procedures are scattered among the ROT (redundant, obsolete, trivial) data in which they lie. Some question whether these policies were even formally approved. And the mere thought of an audit causes program owners to cringe.

Why do some IG initiatives succeed while others fail? Perhaps the reason lies in how well their founders understand stakeholder management.

Why Information Governance Stakeholder Management Matters

IT, legal, risk, compliance, privacy, security, impacted business units, and information asset vendors form the essential lineup of stakeholders in any IG initiative. The IG professional is the coach who must ensure this diverse team performs well together on heavy issues like how to simultaneously respect each other’s often divergent interests while ensuring information assets are put to their highest and best use. There’s also the essential task of managing for risk and compliance.

It’s a weighty undertaking, and stakeholder coordination and collaboration can easily consume the IG professional. But get stakeholder management right, and your IG program stands a much better chance of reaching enduring success.

The IG professional must correctly identify each stakeholder and their interest relevant to their IG program. To do this, whether for the first time or when updating your stakeholder inventory, it can be helpful to think of each stakeholder as belonging to one of four categories:

• Approval: Those whose formal endorsement is required for all or any portion of your initiative.
• Support: Those who control the resources you’ll need.
• Consult: Those whose advice or expertise will shape your approach, whether immediately or in the long term.
• Inform: Those who should be kept in the loop, even if they’re not directly involved.

 Approve, Support, Consult, Inform: ASCI, for short.

Categorizing stakeholders under this approach can lead to a more comprehensive and intentional IG strategy. It helps IG professionals avoid common pitfalls like overlooking key voices and reducing risks related to program resistance or conflicting expectations.

Let’s break down each category:

Those from Whom You Need Approval

These are your decision-makers, such as the executives or governing bodies whose formal backing is essential to move your initiative forward.

Examples:

• The C-suite (especially the CIO, CISO, and legal department)
• Governance committees
• Budget and finance officers

Strategy: When approaching “approval stakeholders,” be sure to present a compelling business case that lines up IG goals with organizational priorities like risk reduction, compliance, and operational efficiency. Use metrics and communicate in a language they’ll understand, such as describing things in terms of ROI, quantifying risk reduction, and specifically identifying cost savings.

Those from Whom You Need Support

“Support stakeholders” are your active bench of players; your operational decision makers. For example, if you’re adjusting a retention period, these are your authorizers. They may not have the authority to approve your initiative, but their active involvement and advocacy are crucial. They help implement and sustain the program.

Examples:

• Department heads from impacted business units
• IT, security, and privacy teams
• Records managers and data stewards
• Outside stakeholders like information asset vendors.

Strategy: Approach them early, listen to their concerns, and show how your IG initiative supports their goals. Empower them as agents of change. Also establish a streamlined process for policy and other IG updates. Their buy-in often determines whether the initiative gains traction or flounders.

Those You Should Consult

These individuals have valuable insights, experience, and technical knowledge that can shape your initiative’s success. While “consulting stakeholders” may not be directly involved in your initiative, their input can provide you with critical perceptions.

Examples:

• Frontline employees
• Legal and risk advisors
• External consultants

Strategy: Create structured feedback opportunities like interviews, workshops, and pilot programs. Make  their input visible. Consultation builds trust.

Those You Need to Keep Informed

These are stakeholders who don’t need to be involved in decision-making or implementation but still should be kept up to date of your IG initiative’s goings on. Keeping them informed helps ease frictions, avoid resistance, issue spot, and manage risk.

Examples:

• Some customers.
• Marketing and public relations.
• Anyone else not already involved as a stakeholder who might influence perception and adoption, or champion your initiative from the sidelines.

Strategy: Use clear, concise communication to explain what’s happening, why it matters, and how it will affect the organization. Transparency builds credibility and helps prevent confusion or misinformation.

Final Thoughts

No one factor determines the success or failure of an IG initiative. But using the ASCI method as part of your stakeholder management can help ensure you haven’t left anyone out and are engaging the right people in the right way. It is a simple step that can be critical to building IG program momentum and long-term sustainability.

Also, as your IG initiative grows, don’t forget the importance of maintaining stakeholder relationships across personnel and organizational disruptions. Organizations change, roles change, priorities shift, and people move on. Throughout this turbulence, the IG professional must ensure information governance stakeholder management engagement continuity. In an uneven landscape, the IG professional who maintains this flow across their stakeholder team helps ensure their IG program will endure.

Disclaimer: The purpose of this post is to provide general education on information governance software. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Winning Allies: How IG Professionals Can Use Stakeholder Management for Program Success appeared first on Zasio.

In a world of rapidly growing data volumes, complex regulations, and vexing data privacy and cybersecurity concerns, records and information management (RIM) professionals should adopt the same approach.

Structured problem solving offers a clear, logical framework for tackling intricate issues. In finance, it helps manage investment risks and optimize portfolios. In healthcare, it supports accurate diagnoses and effective treatment plans. Chess players use it to plan their moves and counter their opponents. For RIM professionals, structured problem solving can streamline the creation and revision of records management programs, ensuring they safeguard information and help propel the business forward.

One of RIM’s greatest challenges is a lack of structure. Poor RIM practices lead to important documents buried in email threads, outdated policies in forgotten drives, and retention rules being inconsistently, if ever, applied. A smarter approach treats RIM as a solvable problem, not a bureaucratic chore. Structured problem solving can transform RIM from a challenge into an opportunity, removing much of the uncertainty and complexity that surrounds creating or revising an organization’s RIM program. Let’s explore how to apply it in practice.

Applying Structured Problem Solving to RIM Program Challenges

At its core, structured problem solving involves five key steps. Think of it as your trusty five-step dance to turn RIM chaos into a well-choreographed performance.

Step 1: Defining the Problem

The first step in structured problem solving is to define the problem clearly. A well-defined problem lays the foundation for effective solutions, making the time spent on this step invaluable. Precision cuts through ambiguity, ensuring stakeholders stay aligned rather than talking past one another. Many RIM programs fail due to vague problems statements like, “we lack a structured system and disposal process for managing records and information, which is creating inefficiencies and compliance risks.” Such statements offer little clarity or direction. Contrast this with a more precise definition:

Without a centralized RIM framework, our organization faces inconsistent data governance, regulatory risks, and inefficiencies. Currently, 75 percent of departments manage records independently, causing duplication and retention gaps. Forty percent of employees struggle to find critical information, delaying decisions and increasing costs. Recent audits flagged compliance failures in multiple regions, exposing us to legal and financial risks.

A well-defined problem is a problem half-solved. By pinpointing root causes and quantifying their impact, organizations can more beyond vague concerns to targeted, effective solutions.

Step 2: Breaking Down the Problem

With a clear problem definition, the next step is to break it down into its logical components. Using our problem statement from step 1, we might identify the following sub-issues:

• Inconsistent governance practices. With most departments managing records independently, we face a governance issue. A master RIM policy to complement our retention schedule must be part of the solution.
• Knowledge and training deficiencies. Nearly half of employees are unable to locate information, pointing to a lack of training on records storage and retrieval practices. This deficiency must be addressed in our revised RIM program.
• Noncompliant retention processes. Audits have revealed retention gaps, suggesting our retention policies are not uniformly understood. We need to revise our retention schedule to ensure it’s comprehensive and up-to-date, particularly when it comes to evolving data privacy laws and industry-specific regulations.

By dissecting the problem into smaller, manageable pieces, you gain a clearer understanding of the root causes and how they interconnect. This approach helps ensure solutions are not only targeted but also comprehensive, addressing the underlying issue rather than only symptoms.

Step 3: Prioritizing Components

Once the problem is broken down, the next step is to prioritize which components to address first. For RIM, this involves evaluating each sub-issue based on its impact on compliance, operational efficiency, and data security. For instance, noncompliant retention processes might take precedence if they expose the organization to regulatory and legal risks. Inconsistent governance practices should be prioritized, as a lack of central oversight can cause inefficiencies and compliance gaps. Finally, addressing knowledge and training deficiencies will improve operational efficiency and information retrieval, but may be secondary to ensuring compliance and governance are firmly in place.

Prioritizing these sub-issues ensures efficient resource allocation, addressing the most critical areas first.

Step 4: Developing a Plan of Action

With priorities established, the next step is to develop a detailed plan of action to carry out your components. This plan should outline specific steps, required resources, and anticipate potential obstacles and solutions. Establishing a timeframe for each phase helps ensure the process remains on track and measurable.

For instance, updating the retention schedule will require collaboration with legal and compliance teams to confirm alignment with evolving data privacy laws and industry regulations. Department heads and subject matter experts will also need to provide input to ensure the schedule meets their areas’ unique needs. This process will involve legal expertise to ensure compliance and IT support to update the relevant systems. Project management tools will be helpful in tracking progress and ensuring everyone stays on task.

This phase should take about six to eight weeks, depending on the complexity of regulatory updates and how quickly departmental stakeholders can be coordinated. It’s important to set a clear deadline for completion to maintain momentum and avoid delays.

One obstacle to anticipate is resistance from departments that are accustomed to their own systems and practices. To overcome this, clearly communicating the updated retention schedule’s benefits—such as reduced compliance risk and greater operational efficiency—will be necessary. Framing change in terms of long-term advantages will help build buy-in and make the transition smoother. And collaborating with department SMEs along the way will help create allies who will champion your plan.

Step 5: Go Forward

With your plan in place, it’s time to move forward. However, it’s important to remember no project is ever perfectly linear. As you begin putting your plan into action, you will inevitably encounter obstacles or changes that require adjustments. The key is to stay mindful of what’s working and what isn’t, and to remain flexible as the process evolves.

Start by regularly reviewing your progress. This doesn’t just mean checking off completed tasks; take time to reflect on what you’ve achieved, what you’ve learned, and what still needs to be done. Also keep a close eye on the initial phases of implementation, as this is where many issues or inefficiencies often surface. A pilot phase is often helpful working out bugs.

Ultimately, the goal is not just to complete the tasks on the list, but to create lasting change that improves your RIM program. By staying mindful of progress, reflecting on lessons learned, and adjusting the plan as necessary, you will ensure the process is not just a series of steps, but a meaningful transformation. Your end goal is to embed change within the organization’s practices and culture.

From Complexity to Program Control

Managing an organization’s records and information is no small task. But by applying structured problem solving, organizations can shift from disorganized, inefficient systems to a well-defined, manageable records keeping software.

Ultimately, the key takeaway from finance, healthcare, and chess is simple: thoroughly defining your problems, breaking them down into manageable chunks, and creating a detailed plan of action is effective in many contexts—including RIM program development. With a structured approach to problem solving, organizations can better manage their information and remain more adaptable in an ever-evolving landscape.

Disclaimer: The purpose of this post is to provide general education on record retention software solutions. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Building a Smarter RIM Program Through Structured Problem Solving appeared first on Zasio.

And the best part? Your stakeholders are no longer bashful about asking you questions—a promising sign that organizational RIM awareness is on the rise. But just as you begin basking in your newfound success, a curveball arrives: “how do our retention periods affect records in backup and recovery systems?” a curious stakeholder asks. Suddenly, you’re adrift in uncertainty. Do retention periods cover backup records? What happens to ‘deleted’ data lingering in backups? And how do litigation holds apply to records and information in backups?

If you’re indeed unclear about how to answer these questions, consider yourself in good company.

Backup and recovery systems are often an overlooked but essential piece to any RIM program. In many organizations, backup and recovery systems have been the exclusive domain of IT departments. And while the technical complexity of backup systems requires IT’s expertise, RIM professionals must also have a seat at the table. This means understanding—and often helping establish and maintain—backup and recovery policies and practices to ensures consistency with your organization’s overall RIM strategy.

So, if you haven’t yet considered how backup and recovery fits into your organization’s RIM program, this article provides you some basics.

What exactly is a backup and recovery system?—Understanding your terms

A backup and recovery system stores a copy of your data for quick restoration if the primary data is lost. This loss can happen for many reasons, such as server failure, cyber-attack, or any number of human- or natural-caused disasters. That’s why you’ll also hear backups called disaster recovery systems. Having reliable backups can be a lifesaver if your organization ever loses access to its primary records and information.

Historically, backups were mostly stored on magnetic tape drives, a medium with both advantages and drawbacks. On the plus side, backup tapes require little storage space and their cost is only growing more affordable. On the downside, however, data on backup tapes is only searchable once fully restored, which prevents indexing or organizing their voluminous files. Finding individual records also often requires searching multiple tapes to recreate the multitude of documents existing when the backup was made. And the older the system, the more difficult restoration becomes. Given this, restoring backup tapes for retrieving individual files can get expensive, fast. Nowadays, most backups use cloud-based storage, significantly easing the identification and retrieval of specific records, although tape usage persists.

Backup versus archive systems—A distinction with a difference

Although backup and recovery is used interchangeably with disaster recovery, it’s incorrect to think of your backup system as a records archive—the two concepts serve different purposes. A true backup is concerned only with restoring records and information after an unplanned loss. On the other hand, an archive is where you store long-term records and information that must still be maintained in an accessible form, even if they’re no longer active or are only infrequently used. Vital and historically valuable records are commonly stored in archive systems, which should then be backed up in case the archive is lost.

Your RRS should already account for records relevant to a historical archive, as these records typically come from across the organization and have long-term business value or must legally be retained. Accordingly, once a retention period for a particular record has passed, it should be deleted from archive, even if it’s no longer stored in a separate, active system. Archived records, though, typically have longer retention periods, and many are “forever” records.

So how should I account for retention in a backup system?

Backups, by their nature, should be duplicates of other active or inactive record storage. And, traditionally, most retention schedules have not addressed backup retention. Instead, backup retention has been the domain of separate business continuity and disaster recovery policies. However, integrating backup retention into your RRS is an easy way to enhance its comprehensiveness and functionality.

Where an RRS addresses backups, it should be through one or more separate, dedicated record series. This approach ensures that all copies of a record, regardless of storage method, are removed you’re your organization’s collective systems.

Short retention periods for backups

Because backups are for restoration only, they generally should not be retained for substantial periods, and instead be regularly rotated and overwritten. In a system designed for disaster recovery, it shouldn’t be necessary to restore records and information that no longer exists in a primary system. But that’s not to say backups aren’t being retained longer—often much longer—pursuant to outdated legacy practices.

Owing to the portability and low cost of backup tapes, many organizations have historically retained backups for many years, sometimes indefinitely. Cloud storage compounds this problem for electronic records since there is a minimal physical footprint to backup storage. As tempting as it may be to retain backups indefinitely as a ‘way back’ machine for your organization’s records, perpetual backup storage can set up a direct conflict with your records retention schedule, as records intended for deletion may still exist within your organizational structure for long after. It can also create litigation and data privacy and security concerns, and undermine an otherwise thoughtful defensible deletion strategy.

Whether long-term backup retention makes sense is a conversation you should have with your organizational stakeholders. But unless there’s a compelling reason, the old justification of “just in case” is no longer persuasive when it comes to retaining backup systems indefinitely.

Regular and automated

Backups should be performed regularly and automatically to minimize the risk of data loss. The schedule should be appropriate to your data’s importance and how frequently it changes. Many systems operate on a schedule of daily, weekly, and monthly backups, with an appropriate retention period for each. The following is one example of how this might look in practice:

Daily backups: Retain for 7 days

Weekly backups: Retain for 4 weeks

Monthly backups: Retain for 12 months

Backup system managers often refer to your organization’s recovery point objective (RPO). This shows the maximum amount of data—as measured by time—that would be lost from a system failure, assuming restoration was possible from your most recent backup. For example, with the above backup retention strategy, your RPO would be 24 hours, meaning no more than 24 hours of data should be lost after successfully restoring records and information from the most recent backup.

Do backup and recovery systems affect litigation hold and discovery obligations?

Absent special circumstances, courts are generally reluctant to order the production of data found on backup systems. This is because restoring backup systems can be costly, and backups should ideally only duplicate information stored elsewhere. Thus, a litigation hold under ordinary circumstances should allow the regular rotation and overwriting of backup systems to continue under the established backup retention or policy.

But even with this general rule, context and nuance can drastically alter your preservation obligations—particularly where a backup contains the only copy of highly relevant data. This means it is critical to thoroughly consult with your legal and IT teams before making any decision regarding backups and legal hold or discovery obligations.

Conclusion—working together to ensure a healthy backup and recovery program

As a records manager, you have a duty to help ensure your organization’s backup and recovery systems are in good order and retention and backup and recovery policies are in agreement. Backups are one area where RIM and IT professionals should better understand each other’s roles and responsibilities. When a system failure leads to lost records and information, timely restoration from a backup is your only hope for recovery. Aligning these policies today may be a lifesaver for your organization’s critical work tomorrow.

Disclaimer: The purpose of this post is to provide general education on records management software topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Essential Insights: What Every RIM Professional Should Know About Backup and Recovery appeared first on Zasio.

From the CEO to the front desk assistant, most roles spend large parts of each day interacting in some way with the organization’s records and information. Altering how they collect, process, store, and dispose of this takes more than RIM subject matter expertise—it also takes project and people smarts.

This article discusses project and change management fundamentals that should be amply applied to any RIM initiative—whether you’re launching a new program or updating an existing one.

It All Starts With Planning

You’ve assembled your RIM coalition and have your executive sponsor. Now it’s time to create a consensus on what work will be done, how it will be done, and who will do it.

People often underestimate the amount of preparation an initiative requires—especially a RIM initiative. By some estimates, over 20 percent of all project work should simply consist of planning.

Estimating project work is difficult. Meetings, emails, and collaborative chats will help start developing your project’s scope and constituent parts. But that hard work often leads to unrealized goals if your project is not clearly and abundantly memorialized in your program documents.

These documents go by various names, but what you call them isn’t as important as what they contain. Your project documents should answer the project’s six Ws (Who, What, Where, When, Why, and How). If your RIM team were replaced tomorrow, your project documents should allow your substitutes to immediately understand and seamlessly continue the work.

Here are a few key documents your program needs to carry momentum. Feel free to consolidate documents for simplicity with your individual project.

Your RIM Project Plan. The project plan is your master document, letting the world—or at least your organization—know what your RIM initiative is all about.

This plan will guide all project phases. Because of this, your plan needs to be comprehensive— it establishes the project’s benefits, costs, who will be impacted, and how to measure success. It should explain all aspects of the work, guide any questions, and critically, establish what organizational goals the project will support.

RIM is often considered the mother of all collaborative efforts. This is also true for your project plan. You can have a lead document drafter, but your entire RIM project team should be heavily involved in the creation. You’ll also want to involve your project’s key stakeholders—those who will carry out the work and those who will be impacted. This is essential for managing expectations and sustaining support once work begins.

Focus on making the project plan accessible. Plain language writing, a heavy reliance on graphics, and good document design principles are fundamental. Above all, avoid inconsistencies and unclear requirements. Think of your RIM project plan as the essential tool to convince any skeptical outsider that your initiative’s success is inevitable.

The Project Schedule. Keeping your RIM initiative on track is vital. A detailed, realistic, and well-thought-out project schedule  considers all project work and its dependencies is indispensable. A good schedule also makes changes, which are bound to occur, easier to navigate.

Your Milestone Chart. In addition to your schedule, you’ll need to define project milestones. To help sustain project momentum, build a concrete milestone early on in your work. Having a tangible result you can advertise as progress—a victory!—near the front of your RIM program implementation reminds your team and the organization that your project is worth their continued support.

Clearly Define Roles and Responsibilities. Spend considerable time defining what roles will support your RIM initiative and establishing the contours of their responsibilities. This clarity will help your team develop ownership over their duties and avoid conflict when team members share overlapping and often nebulous responsibilities.

Budget: This can be a constant struggle for RIM initiatives. What RIM stakeholders want must often be reduced based on budget constraints. Being clear-eyed and detailed about your costs, and ensuring they match the ingredients you’ve expressed in your project plan will help make sure your initiative is feasible.

Change Procedures. Change is an inevitable part of any project. Including a robust set of change criteria and procedures in your project documents is necessary. Good change procedures will ensure project alterations are managed efficiently and communicated broadly.

Let’s take your project plan, for example. You’ve made it as comprehensive as possible, and once work begins, you may find some details that aren’t feasible, or priorities may change. This is okay, and should be anticipated. The best approach is to remain flexible. By developing procedures for handling inevitable changes to your project’s scope and parameters, you’ll help your RIM initiative reach its destination.

Change Management: Communicate, Communicate, and I’ll Say it Again—Communicate!

With your project documents in order, it’s time to get to work. Effective communication is the bedrock of project and change management. You must communicate relentlessly with your executive sponsor—keeping them apprised of your project’s progress, hurdles, budgetary needs, and changes. Stay in constant contact with your team. Nothing saps morale like a team member feeling like they aren’t up to speed on what’s happening. And, just as important, you must communicate required program changes to the rest of the organization, including those whose daily interactions with the organization’s records and information will be most altered by your initiative.

For all communications, keep in mind the four Ps:

Purpose: Constantly reinforce the need for change. The old ways of doing business are familiar and comfortable so go back to your “why” frequently. Remember, RIM is about more than reducing risk, it’s about improving how people interact with information.

Picture: Put effort into describing what things will look like as your program is put in place. What you describe should be relatable and understandable, not abstract. Allowing people to envision what the future will look and feel like will reduce some anxiety inherent in any change.

Plan: Reference the steps in your project plan document. Reinforce how your initiative will unfold.

Part: This is crucial. During implementation, communicate what each person’s role is in affecting the change. Remind them often what they must do to sustain the changes.

Finally, as your RIM initiative gets underway, make every effort to communicate to all parts of the organization how the new ways are an improvement over the old. Give them the narrative you want to hear— you might not like the one they come up with on their own.

Proper Project and Change Management Helps Your RIM Initiative Succeed

RIM programs can fail for any number of logistical, budgetary, or structural reasons. But sometimes, they are just rushed and lack planning. Your RIM initiative may be decades overdue, so it’s tempting to push something into place just to say now you have one—and rationalize that you can always expand or fix it later. That would be a mistake. The risk is that even if your half-developed program is implemented, it’s like a tree with shallow roots—it won’t weather the winds and storms of organizational pressure. With proper project planning and good communication, however, you can help ensure your initiative will not only be completed but grow and bear fruit for many years.

Disclaimer: The purpose of this post is to provide general education on information governance solutions. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Successful RIM Initiatives Invest in Project and Change Management appeared first on Zasio.

As the CCPA’s enforcement memo highlights, data minimization reduces the risk of unintended data access, is part of good data governance, and businesses can reduce risk exposures by regularly evaluating how they collect, use, retain, and share personal information. The memo further provides a few thought exercises to help organizations examine and apply the data minimization principle in some common consumer data rights requests contexts. Questions organizations should often ask include: Do we really need more information than we already have to achieve our purpose? What are the possible negative impacts from collecting and using the information we control? And what additional safeguards are available to help address the potential for negative impacts?

At Zasio, we help organizations make data minimization a foundational part of not only their personal information processing, but throughout their records and information practices. Good information governance requires organizations think about how they collect, use, retain, and share not just personal information, but all records and information.

Good information governance requires organizations to frequently ask themselves questions like (i) are your business units being precise or overbroad in their records and information collection and retention, (ii) what records and information in your domain no longer have business or legal value and are ripe for disposal, and (iii) what additional safeguards can we apply? Having a well-vetted and consistently followed records and information management policy and records retention schedule, routinely updating these documents, and ensuring functions like IT, security, and privacy, are all fundamentally represented in your IG program, will help make data minimization an intrinsic part of your organization’s information governance.

Consistently following the data minimization principle is integral to managing records and information risks, allowing it to spend more time on producing the innovations that will allow it to thrive.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Data Minimization is Good Information Governance appeared first on Zasio.

In another email, you learn an engineer realized they accidentally sent two large customer files early last week…to the wrong customer. Follow-ups to the recipient and their team have gone unanswered. A third email mentions someone from recruiting managed to check out several hard copy HR files the day before being terminated for cause. The files were not returned. Emails to the former employee’s personal address are bouncing, and they are believed to have started some travel abroad.

It’s looking to be a fun week, and some questions start to race into your mind:

• Are any of these incidents a data breach?
• Was customer confidential information exposed? What about sensitive personal information or company trade secrets?
• Does your organization have any notification obligations, and to whom?
• What policies were in place relevant to these incidents and how were they violated?
• What mitigation measures must the organization immediately take?
• What should the organization do now to help prevent these types of things from happening again?
• Managing records and information means keeping them secure. And these are a few of the questions that you—a records and information management professional and member of your organization’s information governance team—would need to help confront should any of these hypotheticals occur.

For RIM professionals, information security is an undeniable part of the job. But for the non-security professional, learning information security can be intimidating. Fortunately, knowing a handful of basic principles will help you get a good start.

What is Information Security?

It helps to understand exactly what information security means. At its core, information security is about protecting your organization’s records and information from loss. Technologically complex, external threats like malware attacks tend to occupy headlines; however, RIM professionals should not discount the risks posed by internal actors, including by mere carelessness. By many estimates, insider threats—including carelessness—are the primary cause of data breaches. Even temporary and seemingly inconsequential unauthorized access or use of information can easily constitute a data breach under most definitions, which may trigger legal and contractual notice obligations. The errant hypothetical email in this article is one way information security can be compromised by accident.

Where does information security start?

It is helpful to think of information security as bundles of threes. The first bundle consists of the three types of security safeguards—physical, technical, and administrative, which are also commonly called controls.

1. Physical, technical, and administrative safeguards (PTA).

Physical safeguards are things such as closed-circuit surveillance, alarms, locks, as well as physical walls and fences. While the digital age puts IT security at the front of most peoples’ minds, it’s important to not overlook your physical security controls—particularly when it comes to physical records, as strong physical safeguards are among the best protections against loss.

Then there are technical safeguards, such as encryption, firewalls, security information and event management tools (SIEM), anti-virus software, and firewalls. Technical safeguards tend to be the domain of your IT security experts; however, it’s necessary for RIM professionals to have a healthy understanding of technical safeguards, how they work, and how they interact with the records and information you manage. Information governance is the mother of all collaborative efforts, so knowing your technical safeguards will only improve your ability to partner with the IT security members on your information governance team.

Lastly, administrative safeguards are things such as your company’s security policies and procedures, as well as employee training and education. Policies are often considered the bedrock of an information security program, and an area where you, as a RIM professional, can have significant influence when it comes to how these policies will intersect with the records and information you manage.

2. Confidentiality, integrity, and availability (CIA).

The purpose of information security is to preserve information confidentiality, integrity, and availability. Preserving confidentiality means protecting information from unauthorized access or disclosure. Information integrity means safeguarding its authenticity, accuracy, and completeness. And information availability means knowing it will remain accessible when needed to those who have been authorized to use it. Information CIA should be your goal when developing any records and information security measure, so think thoroughly through how each measure will maintain information CIA.

3. The three phases of information security.

Prevention, detection and response, and remediation is the last information security bundle of threes. Preventative security means taking steps to limit the risk of a breach. While it’s impossible to eliminate all risks, ensuring you have taken every reasonable step in light of the risks and the type of information you oversee is expected. Making sure your organization has proper CIA safeguards is key to ensuring your organization has adequate preventative measures. As a RIM professional, you’re most likely to be involved in the preventative side of security, but in this capacity, you may have many roles. Designing policies and procedures to protect records and information is one area where RIM professionals can contribute a lot. So is developing training and education to make sure record custodians know their security responsibilities.

Breaches will happen—that is a fact of life—so it is imperative you’re able to quickly detect security failures and mount an appropriate response. Essential to any detection and response strategy is having a well-vetted incident response plan. A good way to vet your incident response plan is to conduct tabletop exercises to work through scenarios like the ones in this article. Doing this will help expose flaws in your response plan, which allows you to improve it before it gets tested in real life. Your security team should be performing tabletop exercises at least annually. If you or a member of your RIM team does not participate in your company’s tabletop exercises, ask to be involved.

Finally, remediation means analyzing the cause of a breach and improving (again using CIA safeguards) security to make sure such a breach cannot happen again. Like prevention, remediation is an area where RIM professionals can play an important role, particularly when your organization is developing new policies and procedures, as well as educating employees on new security risks and prevention.

Understanding Your Information is Key to Knowing What Security is Appropriate

You’ve heard this before, but it’s worth repeating: to have any hope of securing records and information, you must know what information you have, where it’s located, and what it’s used for. A data inventory details what records and information an organization collects, stores, uses, and discloses—both internally and without outside parties. A proper data inventory will also cover both customer, proprietary, and employee data. And depending on the kind of information your organization handles, a data inventory may be legally required. Identifying data types and classifying information helps it get assigned the level of protection it needs, and in many cases, is legally required to have. Once assembled, make sure your data inventory gets regularly updated.

Conclusion

All of the hypotheticals at the beginning of this article could easily constitute a data breach. But with good information security, the likelihood they will result in harm, or even be able to happen in the first place, goes way down. As a RIM professional, your knowledge and skills can be a vital asset for developing and maintaining proper security for the records and information you manage.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Managing Means Securing: Information Security for RIM Professionals appeared first on Zasio.

Privacy, however, can be a puzzling topic to approach. Formal RIM texts frequently contain little privacy. And a RIM professional’s first experience many times involves jumping headlong into some involved issues, and without much exposure to the foundations. This can be like being handed a pair of scrubs and pulled into the operating room without completing a surgical residency, let alone medical school.

In the U.S., federal privacy laws are a potpourri of requirements that apply based on the market sector, type of entity, or type of data you’re involved with. Bringing in knowledgeable legal counsel is often essential to help navigate RIM-privacy issues. But it’s also helpful to step back and gain a greater understanding of privacy’s rich backdrop to bring your issues into sharper focus. More privacy fluency will lead to better conversations with your legal team and the departments whose records you oversee. Further, it will boost your ability to spot privacy issues in the first place.

With the right knowledge (and with a knowledgeable team), RIM-privacy issues can be one of the more rewarding parts of managing a records program. With this in mind, below we’ll explore some privacy fundamentals for RIM professionals.

So What is Privacy, Anyway?

Information privacy is the rules around the collection, use, and disposal of personal information. It’s the degree of control a person has over information about them, and thus, another’s obligations with that information.

There are a handful of types of privacy. These include special—often called territorial—privacy (think keeping the inside of your home free from prying eyes) or communications privacy (no eavesdropping on telephone conversations). But overwhelmingly, it is information privacy—also called data privacy—that concerns the RIM profession. Still, defining privacy only gets you part of the way there. The bigger challenge is recognizing what information must be treated as personal information.

So what is Personal Information?

What’s considered personal information is very broad. Generally, it’s any information that can be used to identify a specific person. There are the most apparent pieces of personal information, such as an individual’s name, telephone number, or physical or email address. Audio, photos, and video of a person also often constitute their personal information. These are examples of a single data piece that directly identifies a person (a direct identifier). Personal information, however, also includes multiple data pieces that individually don’t identify a person, but taken together, can reveal much about a person. This is referred to as an indirect identifier.

Many indirect identifiers will fall into another category of personal information known as sensitive personal information. Examples include religious or racial information, political beliefs, health information, genetic information, or sexual orientation. Privacy laws guard sensitive personal information much more closely. Public expectations on how sensitive personal information is collected, handled, and shared are equally strict.

Information’s status as personal information doesn’t have to be static. Personal information ceases to be such if it has been sanitized to no longer be able to identify an individual. There are a variety of techniques to achieve this. Information is anonymized if the process is irreversible—i.e., an individual can never again be identified using it. In contrast, deidentified data has only had the known direct and indirect identifiers removed. And pseudonymized data has had only the direct identifiers removed. For deidentified and pseudonymized data, the process isn’t permanent, so it should be treated accordingly. True anonymization is difficult to achieve, and information should never be presumed to be anonymized.

Information Privacy Has Been Around For a Long Time

Information privacy is a hot topic right now, which can make it seem like a relatively new concept. A privacy expert of 20 years might seem like an elder statesman in many circles.

In reality, information privacy has been around for a long time. Notions of information privacy show up in Aristotle’s writings in the 4th century BC.[1] The Bill of Rights completed all the way back in 1791, enshrines certain information privacy rights guaranteed by the government.

And it was in 1890 that a young lawyer named Louis Brandeis—still decades away from becoming one of the nation’s most influential Supreme Court justices—prophetically helped write that “Numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”[2]

To put information privacy’s age in further perspective, the Privacy Act of 1974, which broadly regulates the federal government’s use of personal information, is nearing its 50th birthday. It’s the technological advances of the last few decades, though, that have made privacy a top concern. Recent technological change has drastically increased the sophistication with which personal information is collected in our digital world and the degree to which information is used to influence human behavior.

Where Did Modern Privacy Laws Come From?—FIPs

Fair Information Practices (FIPs)—Also called Fair Information Principles, or Fair Information Privacy Principles (FIPPs)—are sets of principles on the collection and use of personal information. FIPs are not laws, but often form the backbone of information privacy laws. Many government agencies and intergovernmental organizations developed their own FIPs during the last half-century. FIPs attempt to capture consensus on the rights and obligations surrounding personal information.

One consistency in all FIPs is that a person retains a level of ownership of the information about them, even though they may have chosen to expose their information to another. When managing your records program, the best way to think about personal information is that you are merely a custodian—and have a limited right to use it, along with certain obligations that go along with that use.

FIPs’ incorporation into information privacy laws has given these laws many common elements; nonetheless, not all data privacy laws operate the same way. There are two basic but competing approaches to information privacy laws—the comprehensive approach and the sectoral approach; both of these are described in more detail below.

The Comprehensive Approach

The European Union’s Global Data Protection Regulation (GDPR) (2018) is the most well-known example of comprehensive privacy law; it declares information privacy a fundamental human right. Under the GDPR’s comprehensive approach, the same privacy rules apply across commerce. It doesn’t matter what industry or market you’re in, or what type of personal data you’re handling (whether it’s personal health data or financial information) a comprehensive privacy law imposes a baseline set of rules.

The GDPR applies to organizations in the EU; but it also operates as an ‘extra-territorial’ law—in other words, you don’t have to be in the EU for the law to govern your collection and use of EU personal information. If a commercial organization targets individuals in the EU—such as marketing to them through a website in the U.S. or monitoring their behavior through cookies—the organization is subject to the GDPR with respect to that personal information. The GDPR also regulates the transfer of personal information outside of the EU, meaning certain conditions must be met if your U.S. organization receives the personal information of people in the EU.

The Sectoral Approach and U.S. Privacy Laws

Unlike comprehensive laws, federal privacy laws in the U.S. are specific to different market sectors, entities, or data types. The following are five frequently encountered sectoral U.S. privacy laws:

HIPAA: Rules under the Health Insurance Portability and Accountability Act require that ‘covered entities (health insurance companies, most healthcare providers, and healthcare clearinghouses), must comply with a baseline set of privacy and security rules concerning personal health information. These rules also mandate that ‘business associates’ (e.g., a contractor handling personal health information for a ‘covered entity’) agree to certain privacy and security requirements.

Contrary to some popular perceptions, HIPAA regulates health information based on who possesses it (like your doctor’s office), and not across the board. As a result, while HIPAA requires your doctor’s office to safeguard your personal health information, it does not prevent a restaurant from requiring proof of your COVID vaccine and does not regulate your health data stored in a favorite health tracking app, like Fitbit.

FCRA: The Fair Credit Reporting Act regulates consumer reports like the credit report created when you applied for a loan, or the background check your employer ordered when you were hired. Under FCRA, your data in a consumer report must be accurate and relevant, and you have certain rights to access and correct this information.

GLBA: The Gramm-Leach-Bliley Act requires financial institutions to safeguard your financial information. It also requires financial institutions to notify you of their privacy policies, including what information is collected about you, with whom it is shared, and how an institution uses and disposes of it.

CAN-SPAM: This law with a stemwinder of a title (the Control the Assault of Non-Solicited Pornography and Marketing Act of 2003) regulates commercial email. The law requires senders of commercial emails to clearly and conspicuously inform you of how to opt-out of future messages and prohibits the sender from charging a fee for exercising this right. The law also regulates to a lesser degree commercial text messaging.

A blunt critique of the U.S.’s sectoral approach is it’s a “cluttered mess of different rules.”[1] Efforts have been underway for some time to enact a comprehensive U.S. information privacy law. The political challenges have been steep. While Congress this year has come closer than ever to passing a comprehensive privacy law, passage is still viewed by most as a long way off. Until a comprehensive privacy law happens, the nearest thing in the U.S. is the Federal Trade Commission Act (FTCA).

FTCA:  This law broadly prohibits unfair and deceptive commercial practices, including practices related to information privacy and security. The FTCA applies to a range of entities, from retailers to technology companies to pharmaceuticals, and even social media companies. The Act can be applied to any kind of personal information if the business entity collecting or using it is doing so in an unfair or deceptive way. The Federal Trade Commission (FTC) is the main enforcer under the FTCA, as well as a handful of other sectoral privacy laws, such as COPPA. The FTC maintains a website of its legal filings about conduct it considers unfair and deceptive. Regularly reviewing the FTC’s complaints and orders concerning other companies’ information privacy and security practices can be a good way to stay informed about what not to do with personal information in your organization.

State Comprehensive Privacy Laws

Absent a comprehensive U.S. information privacy law, an increasing number of states—which currently include California, Colorado, Connecticut, Virginia, and Utah—have since 2018 enacted their own comprehensive laws. The most notable is the California Consumer Privacy Rights Act  (CCPA). In 2020, California voters passed a referendum amending the CCPA known as the California Privacy Rights Act (CPRA), which will become enforceable in 2023.

Like the GDPR, the CCPA/CCPRA has an ‘extraterritorial’ effect, meaning non-California businesses with sufficient ties to California consumers are subject to it. The CPRA also requires businesses subject to the law to require their contractors and service providers handling personal information—even those not otherwise subject to the law—to follow a number of information privacy and security practices.

The CPRA brings California’s privacy framework closer to the GDPR’s; however, there are still numerous differences between them—as well as among all data privacy laws. Accordingly, compliance with one should never be presumed to be compliance with another, and each deserves detailed scrutiny before deciding on a compliance strategy.

The Bottom Line for RIM Professionals

If you’ve read this far you know there’s a lot to just scratch the surface on information privacy. Yet, despite an ever-changing privacy landscape, a few faithful takeaways exist to help you better incorporate privacy into your RIM practices:

• Neither the GDPR, the CCPA/CPRA, nor any other major privacy law set a retention period for personal information. Instead, these laws require your organization keep personal information only as long as necessary to accomplish the purpose for which it was collected it. This principle creates conflict with records retention laws that can set lengthy minimum retention periods. It also conflicts with many organizations’ habits of wanting to hold on to a lot of information, sometimes indefinitely. Ultimately, you must balance the need to preserve records with the need to delete personal information within the record.
• Define personal information in your organization broadly. When defining what personal information your organization possesses, remember that there are often numerous ways to combine data that would cause it to be able to identify someone. The safer approach—and often the legally required approach—is to generally define personal information broadly.
• Privacy requires a mindset change about what constitutes a record. With privacy as part of a records program, you must avoid thinking about records narrowly. It can be helpful to think of any information with more than a transient value as a record. Focus on managing all information rather than just documents.
• Privacy involves taking some educated risks. Many privacy laws have been on the books for decades; others, like the GDPR and the CCPA/CPRA, have sprung like a geyser in the past five years—and what they require remains uncertain in a number of contexts. For records programs, setting retention periods and handling requirements to records series can sometimes be done with a cut-and-dried approach. Accounting for privacy requirements, though, involves being comfortable with more legal ambiguities—a prime example of this often includes determining how long is no longer than necessary to retain personal information. This means setting a risk tolerance and being more comfortable with operating in gray areas.
• Inventory (‘Map’) your personal information. To have any hope of having a privacy-compliant RIM program, it’s essential to know what kinds of personal information you have and where it resides in your different electronic databases, paper files, records series, and elsewhere. It also means being able to access that personal information should a data owner exercise a right—such as the right to correction or deletion—under an applicable data privacy law.
• Isolate personal information as best you can. Keeping personal information in known, centralized databases wherever practicable is a good practice. Avoid creating unnecessary duplicates of this information. Restrict access to personal information to those whose job requires it. And where possible, keep personal information from being included in your records in the first place.
• Security. Security is fundamental to privacy, and you must keep security in the front of your mind when making any RIM-privacy decision. Data privacy laws generally require security appropriate to the records and the risks. However, there is no base security program spelled out in privacy laws, nor is there one appropriate to all situations. You must determine what appropriate security means in each situation.
• Keep Learning About Privacy. Data privacy laws will continue to grow and impact records and information management. How your organization gathers and uses personal information will also change. Accordingly, RIM managers will need to grow their privacy fluency in step to make sure legal requirements, not to mention public expectations, are properly reflected. But privacy can be enjoyable, and again, with the right knowledge and an informed team, will be one of the most rewarding aspects of RIM.

[1] See Swanson, Judith A. The Public and Private in Aristotle’s Political Philosophy (1992 Cornell University Press).

[2] The Right to Privacy, Samuel D. Warren; Louis D. Brandeis, Harvard Law Review, Vol. 4, No. 5 (Dec. 15, 1890).

[3] The State of Consumer Data Privacy Laws in the US (And Why It Matters), Thorin Klosowski, NY Times (published Sept. 6, 2021).

Zasio is an information governance software, SaaS, and consulting company based in Boise, Idaho. Zasio is not a law firm and does not provide legal advice or services. This material is for informational purposes only and not for the purpose of providing legal or other professional advice.

The post What is Privacy Anyway? A Brief Introduction for RIM Professionals appeared first on Zasio.

No doubt, becoming an IGP has considerably complemented what I’ve learned on the job about information governance. In studying for the exam, though, I was surprised by the extent to which the materials leapt past strict IG concepts—such as data mapping or developing backup and retention policies—into the realm of broader business leadership and management principles. High-level and strategic is right: building relationships across disciplines, managing both up and down, analyzing organizational risk, communicating effectively, understanding and employing financial terms and analysis, and driving change all are big themes in the subject matter. While I didn’t expect these principles would underlie so much of becoming an IGP, I’m glad they did. These aren’t niche topics limited to records departments; they are time-tested concepts that can help you achieve success at your organization well beyond creating an information governance program. And for that, I appreciate them.

So if you’re considering becoming an IGP, I’m sure you’ll learn many vital things about data repositories and classification schemes that you wouldn’t pick up as easily elsewhere. However, be prepared for—and prize—these larger lessons inherent in the IGP materials. Here are a few from my studies that stood out to me the most.

IG Means Understanding the Whole Organization

Like being an effective in-house attorney, being an IGP means getting to know your whole organization, not just your own tiny sliver. Distilled to its core, information governance is about how an organization manages and derives value from its ever-expanding stocks of information. The IGP exam focuses on the process of developing a comprehensive IG program, which sets the rules for how an organization handles the information it creates and consumes. As the IGP materials stress, developing an effective IG program requires working with many parts of your organization, such as privacy and security, risk and compliance, each business unit, and information technology.

To develop an IG program, you must understand the informational needs and goals of each part of the organization. This requires spending a great deal of time with each, which can be an eye-opening exercise. Something special happens to your thinking when you get to know how each component of your organization operates rather than staying siloed: You start to look at things from an organizational level, viewing your work as a part of a larger instrument. Such organizational thinking can be extraordinarily useful, and its use is not limited to IG. Training your attention on the organization rather than only your slice can lead you to think more creatively, innovate, and want to better cooperate with all of your organization’s different units.

IGP stresses getting to know your organization as a whole because an IG program, and the information it directs, touches every part of the business. Through studying to become an IGP, you’ll begin to gain a knack for this systems-level thinking. And once you can demonstrate your knowledge of the organization and systems-thinking, it may be only a matter of time before you’re asked to use them in organizational functions outside of IG.

IGPs are Generalists, and That’s Great

The IGP materials teach that, to prepare an effective IG program, you must first understand the areas involved in, and impacted by, the program—which, in most organizations, is practically every aspect of the organization. In other words, you must learn to start thinking like a generalist.

In the book Range: Why Generalists Triumph in a Specialized World, author David Epstein explores how top performers, particularly in complex and unpredictable fields, more often are generalists rather than single-subject specialists. For example, the best cellular biologists typically don’t become the best by studying only cellular biology (or from starting their cellular biology studies in kindergarten). Instead, they become the best cellular biologists by including things other than cellular biology in their life. As Epstein explains, having knowledge from many different areas (be it from sports, hobbies, athletics, or different professional or academic fields) allows a person to constantly draw from a broad base of understanding, which, it turns out, can prove pretty valuable. Being a generalist allows you to make connections and develop ideas that a specialist likely could not.

According to Epstein, a specialist’s knowledge is like a deep trench. Too often, single-subject experts are too focused on deepening their own trenches to look over at the trenches that surround them. The generalist remembers to look out over those other trenches. Drawing on a wide range of experiences leads to increased inventiveness and creativity and better problem-solving. In other words, developing a generalist’s knowledge base not only is key to creating a successful IG program, but also is a beneficial and broadly-applicable result of studying for the IGP exam. Becoming an IGP teaches you the value of looking over at surrounding trenches.

Get to Know the Money Side of Things

The IGP materials stress financial literacy. Becoming an IGP involves getting familiar with terms like return on investment (“ROI”), variable costs, payback period, generally accepted accounting principles (“GAAP”), and cost-benefit analysis. A tenet of the IGP materials is securing an executive sponsor to help ensure your IG program’s success. To get your executive team on board with an IG program, you need to learn how to make a business case for the program. Executives, and business cases, rely heavily on thinking in financial terms. And learning how to convince decision makers that you bring something of value—or, conversely, to talk them out of something by showing its lack of value—is yet another IGP principle and skill that is not confined to IG.

Just As In IG, In Life, There are  No Off-The-Shelf Solutions

Preparing for the IGP, you learn that developing an IG strategy can be difficult because there isn’t one prescribed plan to follow. Instead, you must create a strategy tailored to your organization’s circumstances. The way in which you put your IG strategy in motion must be equally tailor-made, and it must account for things like organizational culture and history.

Becoming comfortable with developing a solution without a guide, and with knowing that your solution may have some flaws that will require correction over time, is a good skill to develop for use not just in information governance, but in any domain. Once you’ve custom-made an IG program from the ground up, why wouldn’t you be able to do the same in any other domain?

Ch-Ch-Ch-Changes

Lastly, becoming an IGP is in large measures about managing change. Change is hard, and humans naturally resist it. But change is inevitable, and if the past two years have taught us anything, it is that disruption and uncertainty, and with them, rapid change, may be with us for the foreseeable future.

As an IGP, you’re tasked with convincing your colleagues to dispose of long-held information management practices (with flaws that maybe only you can appreciate). You must also convince them to adopt new practices that may have a significant impact on how they work, then likely to change these practices once again after your IG program enters its monitoring and improvement phase. Incorporating ever-increasing data privacy and security laws and regulations will only further the amount and frequency of change in your IG program.

The IGP [materials/exam] teach you to operate in an environment of regular, often disruptive, change. This may be, perhaps, the most valuable skill learned from becoming an IGP.

Conclusion

Reflecting on the path to becoming an IGP, perhaps the best part was discovering things I didn’t expect to discover. But I’m glad I did. It was a rewarding experience, and I look forward to putting my new knowledge and skills to use. For those considering studying for the IGP exam, know that what you’ll learn will reach far, and just may serve you well beyond information governance.

[1] www.arma.org/page/igp (accessed on April 13, 2022).

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post The IGP—A Master Class in a Lot More Than Information Governance (and Why You Should Become an IGP, Too) appeared first on Zasio.

Here Are Some Things to Consider

Even in heavily regulated industries, up to 40 percent of record series can lack legally mandated retention requirements. This still leaves records managers with a whole lot of records to figure out their useful business life. Where business requirements are short-lived, that nagging “in case we need it” voice often starts to speak up against a shorter retention period. To satisfy this voice, it can be tempting to find a statute of limitations to justify extending the retention period.

Tying a retention period to a statute of limitation will be lauded if the records later help you win or defeat a legal claim. But if a record that could have been lawfully destroyed lives past its useful business life only to become a liability for the company, your judgment is certain to be rebuked. Behold the business life-statute of limitations dilemma in records management.

Statutes of limitations are important to think about when setting retention periods. They are not legal retention requirements, though, and there are other, vital considerations to work through in tandem. In addition to creating liability risks, misplaced reliance on statutes of limitation periods can lead to over retention and unnecessary costs. The “in case we need it” approach to records management is long gone, and advice to retain records until any risk of litigation has ceased should be viewed with skepticism. For a balanced approach to evaluating statutes of limitation when setting retention periods, here are some of the chief considerations.

What exactly are statutes of limitations, anyway?

A statute of limitation (often abbreviated as an SOL)[1] is a law that sets a time limit to bring a legal action for a particular type of claim. The legal action can be a civil lawsuit, government investigation, an administrative proceeding, arbitration, or even a criminal case. As a records manager, SOLs you’ll likely encounter include those for tax liability, intellectual property, personal injury, contract, design and construction defect, and employment-related claims (such as wage, worker’s compensation, and discrimination). In the U.S., statutes of limitation found in both federal and state laws, and at the state level, can vary quite a bit across state lines. For example, in Colorado the statute of limitations for breach of a written contract is three years from the date of the breach;[2] a lawsuit filed more than three years after a breach would be dismissed as untimely. In Illinois, the limitation period for written contracts is 10 years, providing an extra seven years to file suit for the same type of claim.

Statutes of repose are a close cousin of statutes of limitations and often get lumped into the same category for records retention purposes. A statute of repose sets a deadline from a particular event for initiating a legal action (rather than being tied to a plaintiff’s injury or knowledge of the injury). For example, a statute of repose for a construction defect claim may be 6 years from the date of occupancy. This means if a building doesn’t show signs of a defect until 7 years from occupancy, the claim would be time-barred before it even existed. This kind of certainty makes statutes of repose easier to work into your retention schedule management.

Statutes of limitations have been around for thousands of years. They’re built on the idea that a legal claim should be promptly prosecuted so both the claim and defense are not reliant on stale physical evidence and faded memories. Where a claim can be brought too far after-the-fact, the result tends to hinder rather than promote justice.  It’s no surprise then that courts are notoriously firm when applying statute of limitation periods. It won’t take much legal research to find examples of courts, without hesitation, dismissing lawsuits that were filed only a day after the limitation period. After all, “a complaint or petition filed one day late. . . is untimely, just as if a year late.”[3]

Challenges with tying retention periods to SOLs

In their details, statutes of limitations can get complicated. This can make lining up retention periods to an SOL period less than reassuring. A careful review of a jurisdiction’s case law is often necessary to understand how a particular SOL must be interpreted and applied. Tolling provisions for minors can result in much longer periods to file a legal action when compared to adults. In professional malpractice claims, the limitations period may not begin to run until a plaintiff has begun to suffer damage, which may be years from the date of the wrongful conduct (think of the accountant who prepares flawed tax returns; it may be years before the IRS begins levying sanctions against the client). Also, since limitations periods are coupled to a person’s conduct or an event, calculating the retention period from the record’s creation provides little help if  you aim to keep the record only as long as there’s a possibility of legal action. And figuring out which state’s statute of limitations must be applied gets litigated more often than you might think. Given all this, having confidence that any risk of litigation has passed is not always easy.

Statutes of limitation for fraud are particularly difficult to use as a retention period since the aggrieved’ s knowledge of the fraud most often is the trigger for starting the limitations period. This can be decades after the fraud is alleged to have begun. For this reason, most RIM professionals agree that SOLs for fraud should not be a driver for setting retention periods.

Reasoning through SOL retention considerations

 Whether to apply a statute of limitations as a retention period is an exercise in risk analysis. The default rule in your RIM practice should be to dispose of records once they no longer have a business purpose or are subject to a legal retention requirement. However, you may determine the potential need for certain record types to pursue or defend against a legal claim is enough to warrant their retention for a longer SOL period. Where an organization is regularly involved in or faces a higher risk of certain types of litigation, this practice makes sense. In another context, you may decide the overall litigation risk is small enough that retention for the SOL period is outweighed by the cost of over retaining an entire category, and sometimes multiple categories, of records.[4] In this situation, it may be ideal to rely instead on a sturdy legal hold process to flag any remaining records from destruction upon learning of a claim. Creating carve-outs within a record series to retain only certain documents for a longer, SOL period is yet another option.

Retention cost is another key consideration. Most courts adhere to the rule that the mere (or ever-present) possibility of litigation (such as being a large company that has been involved in previous lawsuits) does not translate into a duty to preserve records for the statute of limitations period.[5] Accordingly, where records have a low litigation risk but a high cost of storage, hanging on to those records just to satisfy a SOL period is hard to justify.

Finally, deciding what records might be relevant to support or defend against a claim easily becomes a fraught process that ends with thinking just about any record can be relevant to one claim or another. Records managers should avoid this “every conceivable contingency” mentality when considering statutes of limitations and instead focus on the most practical risks.

Whatever your approach to setting retention periods, there is no one-size-fits-all solution. How your organization treats SOL periods in its records retention program must be tailored to your organization’s individual needs, cost considerations, and risk appetite. Above all, having a well-vetted, approved, and consistently followed records retention schedule to show that records are destroyed in the regular course of business is the best defense against a spoliation of evidence claim (meaning that a party has intentionally or even negligently destroyed or altered evidence connected with a case).

But regardless of what your retention schedule says, you have a duty to preserve evidence once litigation is reasonably foreseeable.

Duty to preserve evidence in pending or reasonably foreseeable litigation

Once litigation is pending or reasonably foreseeable, a party must not destroy or alter relevant evidence. This means, even if a record is scheduled for deletion under your retention policy, it must be preserved until the legal matter has been resolved. A robust legal hold process is necessary to make sure this happens. Destroying records relevant to litigation can land you in a lot of trouble with the court, even if the destruction was not intentional. Sanctions can include fines, attorneys’ fees, or adverse inference instructions to the jury (instructing the jury to presume the destroyed document would have been damaging to the party who destroyed it). In particularly egregious cases, the court can even order the matter dismissed or a default judgment against you. Evidence destruction also can lead to criminal charges. Under the Sarbanes-Oxley Act, 18 U.S.C. 1519, it is a federal crime to destroy evidence in contemplation or anticipation of an investigation.

Conclusion

Establishing what statutes of limitation are relevant to each record series in your schedule is important. SOLs provide valuable information as you evaluate retention periods. But they must also be considered along with legal retention requirements, business needs, storage costs, the risks from maintaining or not maintaining the records, and the likelihood that the records will actually become relevant in a legal claim.

As a general rule, be careful not to over-rely on SOLs as a retention driver. At the same time, records managers must be careful to avoid giving any appearance that a retention period has been set short to try to target unfavorable evidence in case of litigation or a government investigation. Above all, given the legal complexities associated with retention requirements, always consult with counsel before setting retention periods—particularly where statute of limitations periods are being considered. If you have any questions about setting retention periods, please contact Zasio.

[1] Internationally, SOL equivalents often are referred to as a longstop period, period of prescription, or limitation of action.

[2] C.R.S. § 13-80-101(1)(a).

[3] Turner v. Singletary, 46 F.Supp.2d 1238, 1240 (N.D.Fla. 1999).

[4] And if you’re using a big approach to categorizing records, the overretention effect can be amplified even further.

[5] Example, Ramirez-Cruz v. Chipotle Servs., LLC, 2017 U.S. Dist. LEXIS 128149 (D. Minn., May 11, 2017).

Disclaimer: The purpose of this post is to provide general education on Information Governance software. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Do Statutes of Limitations Make Good Retention Periods? appeared first on Zasio.