Information Management Cyber Attacks on the Rise and Legislative Responses

Cyber-attacks have grown increasingly frequent and severe in recent years. The landscape of modern business includes rising numbers of employees working remotely and ever more reliance on e-commerce. These facts introduce more opportunities for cyber-attacks. In addition, perpetrators of these attacks have an increasing number of sophisticated tools at their disposal including AI-assisted technologies. These data breaches come with numerous consequences for businesses from reputational harm to financial losses. According to a study performed by IBM, data breaches cost companies an average of $4.9 million worldwide and nearly double that figure in the United States.

In response to these threats numerous jurisdictions across the world have introduced legislation dealing with data security. In the U.S. alone, 49 states have introduced over 800 bills dealing with cybersecurity with more than 200 of these bills going on to be adopted. In particular, New York’s amendments to its regulations regarding cyber security recently came into effect.

What do New York’s Information Management Cybersecurity Regulations Require?

New York’s 23 NYCRR Part 500 applies to entities regulated by the state’s Banking, Insurance and Financial Services laws. The latest amendments became effective on November 1 and introduced robust cybersecurity measures:

• Annual risk assessments and compliance certifications
• Written cybersecurity policies
• Access privilege controls
• Mandatory multifactor authentication for external network access
• Asset inventory programs to track all information system assets
• Secure disposal of nonpublic information when no longer necessary for business operations

Potential Challenges of Compliance

These requirements ensure robust security and accurate tracking of information throughout its lifecycle, safeguarding data and retaining it for the appropriate duration. To comply with these requirements, businesses must not only adopt rigorous security measures but also have knowledge of what information the business has in its systems and where it is being stored. It also requires identifying all applications and information systems that store, transfer or process information including those of third-party vendors.

Even businesses not subject to New York’s Part 500 can adopt proactive measures to achieve best information management cybersecurity practices and avoid risk. Implementing access controls such as strong passwords and multifactor authentication is critical to preventing unauthorized access. Beyond technical solutions, ensuring that employees receive adequate phishing and cybersecurity awareness training helps strengthen an organization’s first line of defense against threats. Finally, businesses must create an incident response plan to ensure business continuity and recovery if the worst-case scenario does happen.

Final Thoughts

With cyber risks increasing in number and ranging from attempts to phish individuals to advanced ransomware attacks, cybersecurity for records and information management has become a business necessity.  However, these policies and procedures can be difficult to implement with existing information systems. Beyond adopting technical controls, businesses must have complete comprehension into what data it holds, where that data resides, and what applications process it. By adopting these measures businesses ensure compliance with regulations, reduced cyber risks, and greater consumer confidence in cybersecurity standards.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Adapting to Rising Cyber Threats: Lessons from New York’s Latest Regulations appeared first on Zasio.

From AI-driven automation to the growing demand for defensible disposition and digital preservation, the coming year promises big shifts in how businesses manage information.

In this blog, Zasio’s experts share their predictions for 2026.

Jennifer Chadband — Senior Consultant, CRM, IGP, CIPP/E, Licensed Attorney

Records and information software will continue to build momentum towards simpler, more connected ways of working. Evolving technology and tools that automate filing and disposal will make it easier than ever to manage information, freeing teams to focus on higher‑value work. A growing sense of urgency will also accelerate a big shift already underway: viewing records not merely as compliance requirements, but as resources to organize and use to improve decision‑making.

In 2026, this familiar goal will be more vital than ever: build programs that are easy to follow, reduce wasted effort, and maximize the value of the information organizations already possess.

Will Fletcher, General Counsel, CIPP/US/E, IGP

RIM and IG professionals will intensify their focus on capturing and retaining “records of compliance” across the increasingly complex landscape of data privacy and AI regulations.

For data privacy, critical records of compliance include transfer impact assessments, data protection impact assessments, and evidence of DSAR compliance. For AI, they include AI impact assessments, AI architecture documentation, retention and deletion logs for AI inputs and outputs, and the policies and standards that comprise an organization’s responsible AI governance program.

Organizations relying on digital systems and automation must also ensure these systems can produce record outputs on demand, and preserve them for as long as necessary, whether for regulatory investigations or legal defense.

Warren Bean — VP Technology & Product Development, CRM, CISM

• AI agents will require management similar to human users to control identity and access management. This includes which agents can access specific data repositories, what actions they can perform, and how to verify their authenticity.
• Governance frameworks will expand to include human oversight of AI systems and validation of LLMs and inference outcomes.
• Archivists will have to rethink the concept of ‘provenance’—the history of records and information, including their movements and transformations–-in light of AI deepfakes.

Rick Surber, Senior Consultant, CRM, IGP, Licensed Attorney

As AI growth accelerates in 2026, phishing and other information security intrusions will become more convincing and successful. This will cause data breaches to become more common as attackers use AI to automate social engineering and scale their efforts. In response, solid information governance will matter more than ever.

Clear retention rules, continuity planning, strong information security practices, and well-defined response processes will be essential—not to prevent every incident, but to limit impact, speed recovery, and prevent disruptions from escalating into expensive, long-lasting problems.

Stephanie Martin, Vice President of Product Management & Support

Privacy, security, cost, and accuracy concerns will continue to slow adoption of new AI agents, especially for smaller organizations. Large infrastructure costs and regulatory demands without parallel profits will likely accelerate the price of AI services. However, the benefits of AI will be limited if records lack quality, consistent metadata, or proper organization, making data hygiene a prerequisite for success. Accordingly, successful records management will still depend on record quality.

Navigating the Future of Records & Information Management in 2026

Preparing for 2026 requires a strategic alignment of policy, security, and high-quality metadata. Zasio’s enterprise-grade records management software is specifically designed to handle these complexities, offering the automation and defensible disposition tools necessary to stay ahead of the curve.

Contact Zasio today to learn how our experts and technology can help you audit and optimize your RIM program for the future.

Disclaimer: The purpose of this post is to provide general education on information governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post What’s Next for RIM and IG? Zasio Experts Share 2026 Trends & Predictions appeared first on Zasio.

Understanding the Root Cause of RIM Pushback

Employee pushback often stems from three factors: limited awareness, fear of change, and concerns about added workload. Many employees don’t grasp the strategic importance of RIM, particularly in compliance, risk reduction, cost savings, and efficiency. Because RIM touches every department, employees often view it as an IT or legal responsibility rather than a shared organizational responsibility.

Changes to established workflows can also create discomfort and a sense of lost control. Employees may view RIM as an administrative burden without immediate benefit. Misconceptions grow when employees misunderstand the time and effort needed to classify, store, or dispose of records. While implementation can feel cumbersome, most RIM processes become streamlined or automated, reducing manual effort over time.

Strategies to Overcome Resistance

Overcome resistance to RIM starts with communicating its value, early stakeholder involvement, small steps, and adaptability.

• Communicate the Value: Employees support RIM when they understand its impact. Share real-world examples—such as data breaches or compliance failures—to illustrate the benefits of an effective program.
• Early Wins Build Momentum: Launch a pilot program in one department to test and refine your approach. Recognize champions who support the initiative. This encourages broader buy-in.
• Stay Flexible and Responsible: As organizational needs evolve, new requests will arise. Respond promptly to encourage collaboration.

 Metrics to Track Adherence

 Finally, organizations should track key metrics to measure success and maintain long-term compliance. Consider these indicators:

• Classification Accuracy: The percentage of records correctly classified, reflecting user understanding and reducing misfiling risks.
• Disposition Compliance: The volume of records disposed of according to retention policies.
• Audit Findings and Remediation: Track audit outcomes and resolution speed to evaluate control effectiveness and responsiveness.
• Training Coverage: Tracking the number of users trained on RIM policies and tools highlights the reach and effectiveness of educational efforts.

These metrics provide valuable insights that informs decision-making and drives continuous improvement.

Final Thoughts on Resistance to RIM

Employee resistance to RIM-driven change is natural but not unstoppable. By identifying the root causes such as limited awareness, fear of change, or perceived workload increases, organizations can apply targeted change management strategies that build trust and collaboration. Clear communication, phased rollouts through pilot programs, and celebrating early successes are essential for gaining support. Pair these efforts with adherence metrics to monitor progress and ensure alignment with organizational goals. With a deliberate, inclusive approach, resistance can be transformed into lasting buy-in—allowing your organization the full benefits of a robust RIM program.

Disclaimer: The purpose of this post is to provide general education on information governance software. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Psychology of Change: Why Employees Resist RIM—And How to Overcome It appeared first on Zasio.

That said, here’s the catch: if you’re still relying on a template or a one-size-fits-all solution, you’re not managing your records—you’re babysitting them.

Let’s break down why a customized retention schedule is, hands down, the best approach, including why templates may be unnecessarily increasing your exposure.

Generic Retention Schedules: Why Your Business Is Not a Fill-In-The-Blank Exercise

Just plug in your name, industry, and voilà—instant compliance, right? However, that’s incorrect.

Every business has its own cocktail of legal, regulatory, and operational considerations. Whether you’re governed by HIPAA, GDPR, SEC, or just trying to keep the auditors happy, a customized retention schedule speaks your businesses’ native language, or more precisely, it’s specific dialect. It doesn’t just check boxes—it translates the rules into actions that make sense for you.

Templates give you vague generalities. Customized schedules give you peace of mind.

You Can’t AI Common Sense

Sure, a template might tell you to keep invoices for seven years. But what if you operate in three countries with different tax laws, or in California? Or your finance team relies on certain records to model future trends?

A tailored schedule digs into the nitty-gritty:

• What does your business actually produce?
• Who touches the records?
• How do workflows and processes vary by department?
• What will work for users so it can be implemented?

Templates don’t know about details like the implications of storing electronic pay slips in France, or that your HR Management application can’t delete information about active employees. Custom schedules do.

Hoarding Is Not a Compliance Strategy

A one-size-fits-all approach almost always errs on the side of “keep longer,” because generalizing prohibits detailed accuracy. But that bloated database full of stale, unnecessary records is a ticking liability creating:

• Bigger breach target
• Time-consuming searches
• Pricier storage
• Slower systems
• Painful e-discovery
• Privacy sanctions

A customized schedule knows what to keep, what to toss, and when to do it—no guesswork, no digital junk drawers.

Your Business Changes. Your Schedule Should Too.

Maybe you’ve merged, expanded globally, gone paperless, or started using AI to enhance processes. Your operations evolve—and a static template won’t evolve with you.

A custom retention schedule can be agile and is more durable. It covers more initially, and grows with your systems, people, and compliance requirements. Think of your customized records retention schedule as a living document, not a relic gathering dust in your shared drive.

People Actually Use Things That Make Sense

Let’s be honest: no one’s reading that 80-page generic retention policy with joy in their heart. If you want employees to follow it, it has to feel relevant. And employees who help build it are natural champions for it.

Custom schedules:

• Use your org’s terminology
• Fit into your actual systems and processes
• Make it easy to understand who’s responsible for what
• Lower a top hurdle- implementation
• Already have buy-in and promotion from those who collaborated to create it.

If your retention rules are intuitive, they’ll be followed. If they’re written in legal groupings from 2015, or by AI, they’ll be ignored—it’s as simple as that. And we all know that having a policy that’s ignored creates unnecessary risk, as there is documented proof that you know better.

Bottom Line: Templates Are for 3D printers. Not Compliance.

If you want your records retention strategy to be more than a liability—if you want it to reduce risk, cut costs, and support your business long-term—you need a customized records retention solution. Not a borrowed template with your logo slapped on it.

Don’t settle for sub-average and un-implementable. Your records (and your legal team) will thank you.

Want help designing a retention schedule that actually works for your organization? Zasio can help. We’ll build something that fits like a glove—and keeps your digital house in order. Zasio’s Consulting experts leverage their top industry certifications combined with legal licensures and decades of experience to efficiently collaborate with stakeholders to collect information and build customized records retention schedules specifically designed for each client.

Disclaimer: The purpose of this post is to provide general education on Information Governance solutions. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Template Schmemplate: Build a Customized Records Schedule That Actually Works appeared first on Zasio.

Like getting kids to clean up their mess, encouraging employee compliance with records software can be challenging. In the 2023 ARMA IG Maturity Index survey, 45.1% of respondents believed their organizations lacked the essential components of an information governance program. A key element to increasing your records management program’s maturity is engaging employees and making them active participants. And a great way to engage employees is to make learning and compliance a game.

Com-pliance Starts With Com-petition

People naturally want to contribute to a team’s success and love to compete and win. Suppose you want to improve your organization’s success with your records management program. In that case, you can leverage that competitive nature by creating a friendly competition that focuses on the organizational goal of records management compliance. Creating a “gamified” training experience will develop a culture of compliance throughout your organization.

Get In the Game

Creating a game out of training and compliance makes it seem like it’s not even work, which makes it extremely effective. Professional services firm KPMG developed a “gamified training tool” and used it with both leaders and employees to provide a better understanding of available products and services. Researchers found that the gamified training helped to increase collected fees by 25%, the number of clients by 16%, and opportunities from new clients by 22%.

You don’t have to build a complex tool from the ground up to enjoy similar benefits. Find minor ways to “gamify” your RRS training. For instance, you could develop a contest between departments related to RRS compliance with the following competitions to earn points:

• Audit random record series related to separate departments and determine which series has the lowest percentage of incorrectly assigned records in the past quarter.
• Distribute a pop quiz to test individuals’ understanding of the RRS and see which department returns the highest average score.
• Measure the volume of records pending disposition and determine which department has the lowest percentage of outstanding records.
• Send an email asking to identify the correct record series for a well-known organizational record and see who responds first.

Make sure to provide a fun prize! The engagement rate with your training competitions increases when employees understand there is something to be won.

Bonus Prizes: Increased Attention to Records Management and Metrics

These smaller-scale interactions are more individually engaging than large-scale training presentations, and you can leverage that engagement by sneaking in additional training. Mix general training or informational messages with contest-related ones so your employees will eagerly anticipate all messages from the records management department.

You can also specifically design competitions to provide a secondary benefit of gathering metrics for your program. Tracking correctly identified records or disposition efforts provides information on accountability that you can use to find weaknesses or strengths and to understand where to focus upcoming training and improvement projects.

In It to Win It

As you gamify your records management training for your employees, you will find increased engagement and compliance, leading to a more successful records management solution. Considering the benefits of higher compliance, increased attention to your program, and valuable metrics, it’s definitely a game worth playing.

Disclaimer: The purpose of this post is to provide general education on information governance software topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Play Your Way to Records Management Compliance appeared first on Zasio.

Data privacy law compliance is in large measure about showing your work. Five years into the swell of new comprehensive data privacy laws, privacy teams are getting used to ensuring their organization’s personal data activities are well documented. This means creating records—often lots of them. And for records managers, this means sorting out retention practices for all these new records.

This article identifies some key privacy law compliance records that records managers will likely encounter, and discusses how to apply classic retention principles to determine appropriate retention periods.

Types of Privacy Law Compliance Records

Article 30 of the GDPR requires organizations to maintain detailed records of their processing activities. This necessitates creating written documentation of processing activities and making them available to data protection authorities. Under CCPA, as well as a growing number of U.S. state privacy laws, organizations must analyze the risks associated with their processing activities through privacy impact assessments. Other records frequently generated through privacy law compliance include data transfer impact assessments before transferring personal data across borders, responses to data subject rights requests, breach assessments and notifications, personal data audits, and privacy-by-design assessments, to name a few.

Privacy law compliance records tell your organization’s story with respect to its personal data processing activities, such as its commitment to the letter of the law, thinking through privacy risks, respecting data subject rights, and curing defects.

Applying Basic Records Retention Principles to Privacy Compliance Records

By now we’re well acquainted with the storage limitation principle in data privacy—keep no longer than necessary. This has sent records managers scrambling to reduce retention periods for personal data. However, applying such aggressive deletion practices to data privacy compliance records can land your organization in regulatory trouble. For these, the tried-and-true general rules of identifying applicable legal requirements, and balancing risk with business need, are still largely your best practice.

Express Legal Retention Requirements

While less common than for other record types, there are still a number of express legal retention requirements that apply to data privacy compliance records. Breach investigation and notice records is a good example of where some of these can be found. Under Canada’s Breach of Security Safeguards Regulation, organizations must keep breach records for at least two years after the breach.[1] In Iowa, state law mandates a five-year retention period for records documenting an organization’s determination that consumer notice of a breach is not legally mandated.[2]

Another area for express legal retention requirements is under laws governing requests by data subjects to exercise data privacy rights. Under CCPA regulations, for example, an organization must maintain records of consumer requests for at least 24 months.[3] Colorado’s Privacy Act regulations obligate controllers to retain records documenting responses to their consumer data rights requests for the same period.[4]

While the GDPR does not specify retention periods for records of processing activities under Article 30, the subject is not without legal guidance. In 2017, the Belgian Data Processing Authority recommended keeping Article 30 records of processing activities for five years after termination of the processing activity.

But don’t let your search for legal retention requirements stop at data privacy-specific laws and recommendations. Retention periods in broader regulatory requirements can encompass records in your privacy compliance program, and where those are longer, they should be followed.

Where No Legal Retention Requirement Applies

When a record isn’t subject to an express retention requirement, records managers must balance business needs and legal risks to determine an appropriate retention period. To do this, records managers must ask how long their organization may need to justify its practices. This can mean turning to applicable statutes of limitation for guidance.

While statutes of limitations are not legal retention requirements, they’re a good measure of the time you may be called on by data privacy regulators or consumers to show compliance. Under the CPPA, administrative actions must generally be commenced within five years. The Illinois Supreme Court also in February clarified the general statute of limitations for civil claims under the state’s Biometric Information and Privacy Act (BIPA) is five years. But oftentimes, business need necessitates retention for longer than any regulatory or legal need, so whether to use an applicable statute of limitations as your retention benchmark must be evaluated on a case-by-case basis.

Conclusion

When setting retention periods, it’s crucial to understand the types of records your organization generates and which laws apply to these records. But knowing an organization’s specific regulatory and jurisdictional retention requirements, as well as balancing business needs and risk to determine retention periods, is something records and information management professionals have plenty of experience doing. For data privacy records compliance, it’s a matter of applying some trusted and familiar tools to a new set of records.

As privacy regulation expands, expect a lack of comprehensive privacy compliance recordkeeping to be a big part of regulatory actions. As a RIM professional, you can play a crucial role in ensuring your organization isn’t among those involved in these actions.

[1] Breach of Security Safeguards Regulations (SOR/2018-64) (amended Nov. 1, 2018): https://laws-lois.justice.gc.ca/eng/regulations/SOR-2018-64/page-1.html#h-858504

[2] Iowa Code 2023, Section 715C.2(6): (https://www.legis.iowa.gov/docs/code/715C.2.pdf)

[3] Cal. Code Regs. tit. 11 § 7101(a).

[4] 4 CCR 904-3-6.11.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Navigating Retention of Data Privacy Compliance Records appeared first on Zasio.

Common Risks

Because these IM applications are so easy to use, it can be easy to ignore the legal and cyber threats they pose. A few of the most common risks include eDiscovery difficulties, vulnerability to hackers, sharing of confidential or sensitive information, and noncompliance with workplace policies.

1. Electronic Discovery

In the event of litigation, companies without IM retention policies may have to search through a large amount of information that isn’t easily searchable. If companies can’t separate these messages, they might be required to produce everything, including non-relevant or non-discoverable information, presenting the organization with many unknowns and potential exposure to additional risk. Fortunately, many of these IM tools allow companies to customize their eDiscovery settings to define what data should be stored and extracted.

2. Workplace Conduct and Compliance

Because the IM interface is visually similar to text messaging interfaces with scrolling message threads, users tend to associate the two and use them interchangeably. This can lead to employees sharing personal conversations, inappropriate content, and sometimes hostile language through IM. Not only does this decrease productivity, but it can also result in harassment and misconduct lawsuits. Companies can create strict content policies and provide training in order to prevent these workplace liabilities. Great memes and GIFs come with great responsibility.

3. Security Threats

IM software is easily susceptible to malware, viruses, and hackers. Employees will often use IM to share documents, client data, or other sensitive company information that then becomes susceptible to these hackers. This could lead to information falling into competitors’ hands or even personal data breaches affecting employees and clients. Fortunately, companies can increase IM security by installing anti-malware software, encrypting any data sent via IM, and creating policies for information transactions.

One example of an IM security breach occurred in March 2015 when Slack was hacked. They were quick to reset the passwords of the impacted users and all went back to business as usual. 4 years later, in July 2019, Slack discovered that a number of user accounts linked to the 2015 hack had been compromised by a keylogging code that hackers used to read passwords as users entered them. Slack has addressed the situation and said that just around 1% of users fell into this category.[1] Although this breach was relatively small, it shows just how long security breaches can go unnoticed.

The information shared via IM applications is not just vulnerable to hackers but also to anyone on outside networks. IM is available to users on mobile devices and personal computers that fall outside of company firewalls and protections. If an employee accesses the IM mobile application on a public network, the information becomes overwhelmingly vulnerable. Companies should create workplace-only policies and remind employees that IM should be used for business purposes only and nothing personal. If an employee needs to communicate with the workplace while they are out of the office, they should use email, not IM.

IM Management to Mitigate Risks

There is no doubt that IM applications have many benefits. Companies just need to make sure that they are taking reasonable precautions and are prepared in the event of legal and cyber issues. Two of the most important defenses are record retention policies and training.

As a matter of policy, companies can restrict the information that may be shared or communicated on these tools. For example, they may create a prohibition on conducting business, communicating with clients, and sharing proprietary or confidential information via IM. This will force users to keep most records outside of the IM system. The remaining content in IM should then be evaluated to determine what can be categorized as a record. Once the record content has been defined, companies can alter their eDiscovery and retention settings within the IM tool. These records should be kept in accordance with the company’s records retention schedule. This will help decrease the amount of secure information stored in the application, reduce the message clutter that results from message threads, and prevent workplace litigation by improving the eDiscovery process. Most IM applications have general settings for retention policies that allow you to purge all information after a specified amount of time. This specified period should be kept as short as possible. If companies require a more detailed retention policy, they should consider incorporating specific provisions as part of their electronic records management policy.

However, none of these practices will be beneficial unless the company trains its employees. Companies should implement IM policy training upon hire, as well as annually or semi-annually to ensure that it sticks. Employees need to understand how to use IM appropriately, where to use it, and why it matters. They must understand that in today’s digital age, workplace gossip has moved from the water cooler to IM and this can be dangerous for everyone. When in doubt, don’t send it out. Utilizing all of these practices and precautions could save the company money, time, and stress. Never underestimate the power of an IM record retention schedule.

For assistance with IM record retention schedules, contact Zasio today.

[1] Whittaker, Z. (July 18, 2019). Slack resets user passwords after 2015 data breach. Tech Crunch. Retrieved from https://techcrunch.com/2019/07/18/slack-password-breach/

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Instant Messaging in the Workplace and Mitigating Risks appeared first on Zasio.

It occurred to me that organizations have a similar hoarding problem when it comes to documents, which is amplified by the number of employees who keep copies and versions regardless of what kind of archival tools or records retention program is in place. After putting hours of effort and consideration working on, let’s say, a 35-page assessment and formal proposal, you can bet that most folks tuck an extra copy away on their hard drive or a file share somewhere…and probably print out a paper copy too, just to be safe.

Employees often have hoarder’s mindset, keeping copies and versions regardless of what kind of archival tools or records retention program is in place.

Sense of Ownership

That sense of ownership and the desire to avoid reinventing the wheel makes perfect sense, but all those hoarded documents have a downside because the information can pose an unseen risk to the organization. And the liability grows when people have a “keep everything” approach to records management, especially as the volume, velocity, and variety of content that every organization must manage continues to grow and evolve in this age of Digital Transformation.

Just Keep Everything

While digital transformation may seem like it’s all about collecting more and more data, the truth is not all data is good data and there is a great deal of liability for the company when it over-retains. For example, not having visibility into what an employee saves is a cause for concern, because you don’t know what type of information is being preserved by the employee and whether or not it falls within a proper retention schedule. And if they are holding onto a record for a longer period of time than they need to – regardless of the company retention policy – that information is still subject to disclosure through discovery, or any type of compliance audit, or other types of regulatory and legal proceedings.

You Don’t Know What You Don’t Know

Information security and data loss prevention (DLP) is also a pressing matter, especially as the number of cyber incidents continues to rise. If documents are hoarded by employees, organizations lack visibility into critical facts such as what is being over-retained, where it is being stored, who has access rights, and the appropriateness of the security applied to the content. If past incidents played out before the public is any indication, the hidden information represents a treasure trove of data for hackers looking for security loopholes.

Costs and Risks

The costs and risks are substantial, including fines for over-retention of certain documents and information (e.g., personal data). There are litigation costs that come into play through e-discovery, and very real exposure in court by virtue of what you are now compelled to disclose. Additionally, the harm to the organization’s reputation, loss of public trust, and impact on current and future business opportunities cannot be discounted.

Best Practices

It’s one thing to point out a problem and another to do something about it. Here are three best practices to consider:

Communication

The first step is communication and putting records management top of mind with every employee. It is important to set the expectation that everyone will follow through with the retention schedule and preserve documents according to the records management and other related corporate policies and guidelines. It is important to review corporate policies and guidelines from different departments (e.g., information security, IT, privacy, etc.) and assure alignment to address potentially conflicting information.

Training

Next step is training; not just at the time of new employee onboarding, but continuous refreshers along the course of the employees’ time at the company. As records management is reiterated and encouraged the tendency to hoard tends to fade from the mindset of the employees as it becomes second nature in the execution of their everyday tasks.

Make it Easy

Let’s face it, if the systems and procedures to properly save and archive records are hard to use, and people are not comfortable using and trusting the system, they will simply revert back to their old hoarding habits. Make it easy by using an automated process and reducing the number of steps for employees to follow where possible.

Moving Forward

When it comes to information governance and successful adoption, the focus needs to extend beyond just the technology and account for work culture and employees’ mindset. You can change that hoarding mentality through awareness, common-sense training, and implementing systems that make it easier for employees to comply with the organization’s information governance policies and guidelines.

For more information or to see how our Versatile technology solutions and consulting services can help manage and protect your records and ensure you comply with legal retention requirements, please fill out our Contact Form.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Tips to Prevent Hoarding of Documents appeared first on Zasio.

Digitizing paper records is not as simple as rolling in some scanners and hiring a team of data entry clerks. The complexities of preparing the documents, the intricacies of quality control, and the expense and expertise required for working with capture systems and equipment is often overlooked, especially when viewed from a strictly technology and storage point of view.

Shaping Up the Savings

The cost-savings of a ‘just scan it’ approach often fails to pencil out, even for large-scale scanning. One study conducted by Pinnacle Data Management in the UK estimated that one thousand document storage boxes could contain 1,000,000 sheets of paper, which if scanned at 10 cents per page would cost approximately $100,000 to scan. By comparison, storing those thousand boxes off-site in a warehouse would cost about $400.00 per month. The result is that it would take 20 years to recover the scanning investment.

Statutes and Compliance

A number of strategic concerns regarding information governance and compliance must be considered. Federal, State and International statutes all have stipulations regarding what you can or cannot digitize, for how long, and in what format. Depending on your industry, any number of additional standards come into play. These protocols may not always lend themselves to a digital-only approach. For example, Hong Kong’s Electronic Transactions Ordinance specifies a staggering array of documents that are exempt from electronic allowance. These include wills, trusts, powers of attorney, instruments requiring stamps or endorsements, negotiable instruments, and many more, that must be retained in paper form. Laws from other countries contain similar carve-outs.

Data Security

Factors surrounding data security makes digitizing paper records a much more complex issue than simply scanning pages and filing them away in image files. Information captured in an image archive or document management repository can represent a treasure trove of opportunity for computer hackers who are looking to steal sensitive and private data. Things like social security numbers, financial and medical account details, addresses and phone numbers, are all found in these archives that may, or may not, have an appropriate level of information governance applied. And the longer those files are held the more likely that they become redundant and obsolete to the organization while translating into great prospects and profit for cyber-thieves. A physical document may seem antiquated, but is easier to secure since it requires physical access to the record. Figurative “back doors” become real ones that you can lock and guard.

Best Practices

How can you determine when it’s a good idea to digitize your paper records? Here are a few important questions to ask as you plan your approach.

• Which documents should you scan?
• Do we need to digitize everything, or just the most important documents?
• What if we scanned everything from today forward, and left the rest on paper?
• Will “scan on demand” (as they are requested) meet most of my needs?
• How much effort will be required to prepare these documents for scanning?
• What about non-standard-size documents?
• How frequently are you going to need access to this document once digitized?
• Where will the information be stored?
• How sensitive is the information? What is the risk?
• Are there legal or regulatory stipulations associated with this document?

Moving Forward

“Just scan it” misses the mark for intelligent information governance. Maintaining effective information governance requires not only technology, but also thoughtful policies that allow you to meet legal and regulatory compliance while taking into account the hidden and often overlooked implications of digital transformation.

We can help. We’re experts in Records Management and Information Governance. Our premier software solutions do the heavy lifting, no matter the capacity of your records management and retention scheduling needs. And our personalized consulting and research services make us a global leader in information governance, records management and intelligent information management.

Find out more at Zasio.com or contact me directly at warren.bean@zasio.com, I’d be pleased to talk with you about how we can help.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post “Just Scan It” – The Pros and Cons of Digitizing Paper Records appeared first on Zasio.

Author: Frank Fazzio, IGP, CRM

Analyst / Licensed Attorney

The post CNIL Fines Google, Company Vows Appeal: Clarity, or Confusion? appeared first on Zasio.