<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cyber security Archives - Zasio</title>
	<atom:link href="https://zasio.com/tag/cyber-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://zasio.com/tag/cyber-security/</link>
	<description>Digital Records Management Software</description>
	<lastBuildDate>Mon, 15 Dec 2025 19:53:33 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://zasio.com/wp-content/uploads/2023/05/cropped-zasiopurplefavicon-32x32.png</url>
	<title>Cyber security Archives - Zasio</title>
	<link>https://zasio.com/tag/cyber-security/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Securing High-Value Records in the Digital Age: Insights from Our Latest Webinar</title>
		<link>https://zasio.com/high-value-records-security-webinar/</link>
					<comments>https://zasio.com/high-value-records-security-webinar/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 15 Dec 2025 18:03:57 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Zasio Staff]]></category>
		<category><![CDATA[breaches]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[records]]></category>
		<guid isPermaLink="false">https://zasio.com/?p=7743</guid>

					<description><![CDATA[<p>In our recent Virtual Coffee with Consulting webinar, we tackled one of the most urgent challenges facing organizations today: how to protect high-value records in an era of relentless cyber threats. From headline-making breaches to proven security frameworks, the session delivered practical strategies for safeguarding the information that matters most. Here’s what you need to know. Why High-Value Records Are Critical High-value records aren’t just records, they’re the lifeblood of your organization. They underpin legal compliance, operational continuity, financial stability, and even corporate history. Losing or exposing these records can trigger regulatory penalties, reputational damage, and operational chaos. Examples include: Legal: Sarbanes-Oxley filings, patent applications Operational: Emergency response plans, just-in-time inventory systems Financial: Merger due diligence, customer transaction ledgers Intellectual: R&#38;D logs, trade secrets, proprietary formulas Historical: Corporate archives, images, and artifacts Understanding what qualifies as “high value” is the first step toward effective protection. The Escalating Cost of Breaches Data breaches are no longer rare. They’re routine, and their impact is staggering: 2,300 breaches in 2023 affected 343 million victims The average cost of a mega-breach in 2024 hit $375 million Recent examples illustrate the risk: Tea App Leak: 72,000 selfies, IDs, and 1.1 million private messages exposed after [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p>In our recent <a href="https://zasio.com/consulting-services/virtual-coffee-zasio-consulting/" data-wpel-link="internal">Virtual Coffee with Consulting</a> webinar, we tackled one of the most urgent challenges facing organizations today: how to protect high-value records in an era of relentless cyber threats. From headline-making breaches to proven security frameworks, the session delivered practical strategies for safeguarding the information that matters most. Here’s what you need to know.</p>
<p><strong>Why High-Value Records Are Critical</strong></p>
<p>High-value records aren’t just records; they’re the lifeblood of your organization. They underpin <a href="https://zasio.com/consulting-services/" data-wpel-link="internal">legal compliance</a>, operational continuity, financial stability, and even corporate history. Losing or exposing these records can trigger regulatory penalties, reputational damage, and operational chaos.</p>
<p><strong>Examples include:</strong></p>
<ul>
<li><strong>Legal:</strong> Sarbanes-Oxley filings, patent applications</li>
<li><strong>Operational:</strong> Emergency response plans, just-in-time inventory systems</li>
<li><strong>Financial:</strong> Merger due diligence, customer transaction ledgers</li>
<li><strong>Intellectual:</strong> R&amp;D logs, trade secrets, proprietary formulas</li>
<li><strong>Historical:</strong> Corporate archives, images, and artifacts</li>
</ul>
<p>Understanding what qualifies as “high value” is the first step toward effective protection.</p>
<p><strong>The Escalating Cost of Breaches</strong></p>
<p>Data breaches are no longer rare. They’re routine, and their impact is staggering:</p>
<ul>
<li>2,300 breaches in 2023 affected 343 million victims</li>
<li>The average cost of a mega-breach in 2024 hit $375 million</li>
</ul>
<p>Recent examples illustrate the risk:</p>
<ul>
<li><strong>Tea App Leak:</strong> 72,000 selfies, IDs, and 1.1 million private messages exposed after promises of privacy were broken.</li>
<li><strong>Clorox Cyberattack:</strong> Poor authentication practices led to halted manufacturing, weeks of manual order processing, and $380 million in damages.</li>
</ul>
<p>The takeaway? Breaches are expensive, disruptive, and often preventable.</p>
<p><iframe title="YouTube video player" src="https://www.youtube.com/embed/f40VNo-YK-w?si=NOrqkG6RtTJF2VoG&amp;start=8" width="560" height="315" frameborder="0" allowfullscreen="allowfullscreen"></iframe></p>
<p><strong>Categorizing Security: Frameworks That Work</strong></p>
<p>Not all records require the same level of protection. Security categorization ensures resources are allocated where they matter most. The process involves:</p>
<ul>
<li>Evaluating value and risk</li>
<li>Considering regulatory requirements</li>
<li>Aligning with business priorities</li>
</ul>
<p><strong>Leading frameworks include:</strong></p>
<ul>
<li><strong>NIST FIPS 199:</strong> Low, Moderate, High security levels</li>
<li><strong>ISO/IEC 27001:</strong> Public, Confidential, Restricted classifications</li>
<li><strong>Sector-specific standards:</strong> PCI DSS, HIPAA, HITRUST, SOC 2</li>
</ul>
<p>These frameworks provide consistency and objectivity, helping organizations prioritize <a href="https://zasio.com/records-and-information-management-information-security-two-risk-mitigation-peas-in-an-information-governance-pod/" data-wpel-link="internal">information management and security solutions</a>.</p>
<p><strong>Decision Tree for Smarter Protection</strong></p>
<p>A structured approach simplifies decision-making. Ask:</p>
<ul>
<li>Is the information public?</li>
<li>Could disclosure cause financial or reputational harm?</li>
<li>Does it contain personal or regulated data?</li>
<li>Is it vital for continuity or disaster recovery?</li>
<li>Does it include intellectual property or trade secrets?</li>
</ul>
<p>Answering these questions helps determine whether basic, moderate, or high-level security is appropriate.</p>
<p><strong>Six Core Security Capabilities</strong></p>
<p><a href="https://zasio.com/revamping-your-rim-program-a-roadmap-to-resilience-and-efficiency/" data-wpel-link="internal">Building resilience</a> requires a layered defense. Focus on these essentials:</p>
<ul>
<li><strong>Access Controls:</strong> From MFA and role-based access to biometric verification and real-time monitoring.</li>
<li><strong>System Hardening:</strong> Secure configurations, intrusion detection, and zero-trust architecture.</li>
<li><strong>Data Loss Prevention (DLP):</strong> Real-time alerts and automated responses to unauthorized transfers.</li>
<li><strong>Encryption:</strong> End-to-end protection using AES-256 and RSA standards, plus secure key management.</li>
<li><strong>Electronic Vaults:</strong> Tamper-proof, encrypted storage with geographic redundancy and audit trails.</li>
<li><strong>Disaster Recovery:</strong> Tested plans, offsite backups, and clear recovery objectives (RTO/RPO).</li>
</ul>
<p>Each capability scales from basic to advanced, depending on the sensitivity of your records.</p>
<p><strong>Deploying Resources Wisely</strong></p>
<p>Security budgets aren’t infinite. Align spending with risk:</p>
<ul>
<li><strong>High-value records</strong> demand advanced measures like encryption, biometric access, and comprehensive DLP.</li>
<li><strong>Lower-value records</strong> can rely on basic protections without compromising efficiency.</li>
</ul>
<p>Industry benchmarks show cybersecurity spending averages 6–13% of IT budgets, varying by sector. Strategic allocation ensures maximum protection without overspending.</p>
<p><strong>Final Thoughts</strong></p>
<p>Securing high-value records isn’t optional. It’s mission critical. By identifying what matters most, applying categorization frameworks, and implementing layered security capabilities, organizations can stay ahead of threats and protect their most valuable assets.</p>
<p><strong>Want to learn more?</strong> Watch the full webinar or connect with our experts at Zasio Consulting. Together, we can help you build a security strategy that’s proactive, practical, and future-ready.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on <a href="https://zasio.com/consulting-services/" data-wpel-link="internal">information governance consulting</a>. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/high-value-records-security-webinar/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Virtual Coffee with Consulting: Cybersecurity – The Mile-High View for Records and Information Management Professionals</title>
		<link>https://zasio.com/virtual-coffee-with-consulting-cybersecurity-the-mile-high-view-for-records-and-information-management-professionals/</link>
					<comments>https://zasio.com/virtual-coffee-with-consulting-cybersecurity-the-mile-high-view-for-records-and-information-management-professionals/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 12 Jan 2023 20:46:12 +0000</pubDate>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[IG]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[Zasio]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=356</guid>

					<description><![CDATA[<p>NOTE: This Zasio webinar has already aired! You can register HERE and view a recording. Download the slideshow. &#160; Data security breaches continue to pose real threats to organizations, and with incidents continuing to trend upward, 2023 will likely be another record-breaking year for data security intrusions. The vast majority are preventable with the adoption of basic security practices, and a robust information cybersecurity program, which is now more than ever a vital component of an information governance (IG) and records and information management (RIM) program. Unfortunately, it is often the case that executives, IG/RIM professionals, and other vital stakeholders are too far removed from cybersecurity processes and initiatives to devote the attention and funding that they require. This paradigm is quickly shifting, however, as information security is increasingly coming to the forefront of organizational priorities. Join Rick Surber and Jennifer Chadband, senior analysts from Zasio’s consulting division, along with guest presenters Elizabeth Khan and Dr. Sin Ming Loo for a webinar that bridges this divide by providing an overview of modern cybersecurity best practices and standards along with actionable steps to shore up your organization’s security, while providing practical and regulatory context relevant to the RIM/IG industry. Don’t miss Zasio’s first Virtual [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p><em>NOTE: This Zasio webinar has already aired! You can register <a href="https://register.gotowebinar.com/recording/722585177040466944" data-wpel-link="external" rel="external noopener noreferrer"><strong>HERE</strong></a> and view a recording. Download the <a href="https://www.zasio.com/wp-content/uploads/2023/02/2-2-23_final_Virtual_Coffee_slideshow.pptx" data-wpel-link="internal">slideshow.</a></em></p>
<p>Data security breaches continue to pose real threats to organizations, and with incidents continuing to trend upward, 2023 will likely be another record-breaking year for data security intrusions. The vast majority are preventable with the adoption of basic security practices, and a robust information cybersecurity program, which is now more than ever a vital component of an information governance (IG) and records and information management (RIM) program.</p>
<p>Unfortunately, it is often the case that executives, IG/RIM professionals, and other vital stakeholders are too far removed from cybersecurity processes and initiatives to devote the attention and funding that they require. This paradigm is quickly shifting, however, as information security is increasingly coming to the forefront of organizational priorities.</p>
<p>Join Rick Surber and Jennifer Chadband, senior analysts from Zasio’s consulting division, along with guest presenters Elizabeth Khan and Dr. Sin Ming Loo for a webinar that bridges this divide by providing an overview of modern cybersecurity best practices and standards along with actionable steps to shore up your organization’s security, while providing practical and regulatory context relevant to the RIM/IG industry. Don’t miss Zasio’s first Virtual Coffee with Consulting session of the year!</p>
<p><em>*Our Guest Presenters</em></p>
<p><strong>Dr. S. M. Loo</strong> is the Cyber Operations and Resilience (CORe) program director. He leads the effort in offering asynchronous online cyber operations and resilience programs. He is also a professor of Electrical and Computer Engineering at Boise State University. He holds a joint appointment with Idaho National Laboratory.</p>
<p><strong>Elizabeth Khan, M.S. CORE, ESC2 Certified in Cybersecurity </strong>is a successful entrepreneur. Elizabeth has launched, operated, and sold numerous successful domestic and international ventures in a wide array of forums, including talent consulting, professional research, and regulatory compliance.</p>
<p>She has relied upon intricate communication, networking, and organizational skills, as well as her training and education in sales and marketing, to grow and advance each of those endeavors. Recently, Elizabeth has expanded into the field of cybersecurity with a focus on governance, risk, and compliance having attained a master’s degree and various cybersecurity industry certifications and credentials. In addition to private consulting, Elizabeth works as a security auditor for a large healthcare organization and also freelances as an instructor for Boise State University’s Cyber Operations and Resilience program.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/virtual-coffee-with-consulting-cybersecurity-the-mile-high-view-for-records-and-information-management-professionals/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Recent Data Breaches Prompt Big Changes in Australian Privacy Penalties</title>
		<link>https://zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/</link>
					<comments>https://zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 05 Jan 2023 20:51:52 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Australia]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy act]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=362</guid>

					<description><![CDATA[<p>Recent Data Breaches Prompt Big Changes in Australian Privacy Penalties Two massive data breaches exposing the personal information of millions of Australians rocked the country—one in September and another in October— prompting Australia’s parliament to swiftly respond with dramatic increases to penalties allowable under its Privacy Act. In September, telecom company Optus made public news of a cyber-attack that had compromised its customers’ data—9.8 million customers, to be more precise.[i] The data included names, addresses, phone numbers, and dates of birth. For some customers, more sensitive information was exposed that included driver’s license, passport, and even Medicare ID numbers.[1] Fortunately, for Optus and its customers—active and inactive—no login credentials or credit card details were exposed. Optus initially described the breach as a sophisticated hack,[ii] though Australian officials have been publicly critical of this claim.[iii] Such skepticism may be partially due to a statement by the hacker claiming responsibility that the data was accessed through an API that was open to the internet, and with no authentication credentials needed for access.[iv] The alleged hacker ultimately released the personal information of around 10,000 individuals to a forum frequented by the less reputable side of the internet. Oddly enough, the hacker then apologized several days later and [&#8230;]</p>
]]></description>
										<content:encoded><![CDATA[<p><strong>Recent Data Breaches Prompt Big Changes in Australian Privacy Penalties</strong></p>
<p>Two massive data breaches exposing the personal information of millions of Australians rocked the country—one in September and another in October—prompting Australia’s parliament to swiftly respond with dramatic increases to penalties allowable under its Privacy Act.</p>
<p>In September, telecom company Optus made public news of a cyber-attack that had compromised its customers’ data—9.8 million customers, to be more precise.<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_edn1" name="_ednref1" data-wpel-link="internal">[i]</a> The data included names, addresses, phone numbers, and dates of birth. For some customers, more sensitive information was exposed that included driver’s license, passport, and even Medicare ID numbers.<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> Fortunately, for Optus and its customers—active and inactive—no login credentials or credit card details were exposed.</p>
<p>Optus initially described the breach as a sophisticated hack,<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_edn2" name="_ednref2" data-wpel-link="internal">[ii]</a> though Australian officials have been publicly critical of this claim.<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_edn3" name="_ednref3" data-wpel-link="internal">[iii]</a> Such skepticism may be partially due to a statement by the hacker claiming responsibility that the data was accessed through an API that was open to the internet, and with no authentication credentials needed for access.<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_edn4" name="_ednref4" data-wpel-link="internal">[iv]</a></p>
<p>The alleged hacker ultimately released the personal information of around 10,000 individuals to a forum frequented by the less reputable side of the internet. Oddly enough, the hacker then apologized several days later and removed the data, although this was too late to prevent others from copying and continuing to distribute it on some shadier parts of the web.<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_edn5" name="_ednref5" data-wpel-link="internal">[v]</a> There’s still a risk the remaining data could be sold—although the hacker claims to have deleted their only copy—and many Australians have already obtained replacement identification, placed credit holds, and taken other measures to protect themselves.</p>
<p><strong>Breach No. 2</strong></p>
<p>Not to be outdone, hackers responsible for the October breach accessed and stole the data of 9.7 million customers from Medibank, an Australian health insurer. Current reports indicate the breach may have occurred using stolen credentials from someone with high-level access at the company. These credentials were used to access its systems and create backdoors through which the data was exfiltrated.<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_edn6" name="_ednref6" data-wpel-link="internal">[vi]</a></p>
<p>Medibank alerted the public in October of a cyber security incident but claimed it had seen no evidence customer records had been accessed or removed<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_edn7" name="_ednref7" data-wpel-link="internal">[vii]</a>—a positive outlook that was quickly crushed when hackers contacted the insurer to demand payment to prevent their release of the stolen data. The hackers then began releasing samples of the information and continued to pressure Medibank to pay a ransom.<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_edn8" name="_ednref8" data-wpel-link="internal">[viii]</a></p>
<p>Citing expert advice that any ransom payment would likely not prevent the data’s release and would encourage further attacks, Medibank refused to pay.<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_edn9" name="_ednref9" data-wpel-link="internal">[ix]</a> Subsequently, the hackers released all of the stolen raw data in dumps to the dark web.<a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_edn10" name="_ednref10" data-wpel-link="internal">[x]</a> Although Australians were again spared from having their login credentials and payment details exposed, the breach included health claims data for hundreds of thousands of individuals, including diagnosis and treatment codes.</p>
<p>Adding to the headache suffered by the millions of impacted Australians, scams using the Optus and Medibank breach responses as a pretense to steal more sensitive information have exploded. These show no sign of stopping anytime soon.</p>
<p>The massive scale of the breaches, coupled with a lack of personal information safeguards and the public’s ire, appears to have given Australia’s parliament momentum to pass amendments to the country’s Privacy Act. The legislation made it through both houses of parliament in just over a month and became law on Dec. 13, 2022. The amendment contains a drastic penalty, which is sure to haunt the nightmares of businesses across Australia.</p>
<p><strong>Privacy Act Penalty Increases</strong></p>
<p>Previous penalties for “serious and repeated interferences with privacy” maxed out at about $2.2 million AUD; however, that’s only if a court imposes a provision of the Crimes Act that allows penalties against a corporate body up to five times the maximum penalties allowed against a natural person. For natural persons, the prior penalties maxed out at about $444,000 AUD.</p>
<p>Under the new law, natural persons may be fined up to $2.5 million AUD. Corporate bodies are subject to MUCH steeper penalties, which can reach $50 million AUD or more.</p>
<p>Unfortunately, for those looking for a comeuppance for Optus and Medibank, the new penalty provisions will only apply to violations that happen after the amendments went into effect.</p>
<p><strong>Other Changes to Australia’s Privacy Act</strong></p>
<p>The amendments also broaden the powers Australia’s information commissioner has to obtain information and documents relating to data breaches, as well as provide broader information-sharing abilities between government authorities to facilitate better data breach responses.</p>
<p>It is unlikely that changes to the Privacy Act will stop with these amendments, though. The Australian attorney general has been conducting a review of the law since 2019, with a final report due by the end of 2022. The impact of the two breaches is likely to add support for any further recommended changes, particularly if they relate to enforcement or data subject rights. The breaches may also prompt support for the addition of a private right of action for individuals damaged by a failure to protect their personal data.</p>
<p><strong>Conclusion</strong></p>
<p>Australia’s privacy law has seen and may continue to see some significant changes, and businesses subject to it would be well served to take stock and ensure their own privacy practices and policies are defensible, practical, and compliant.</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> Medicare is Australia’s publicly-funded universal health care insurance system.</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ednref1" name="_edn1" data-wpel-link="internal">[i]</a> Optus “Latest updates &amp; support on our cyber response” https://www.optus.com.au/support/cyberresponse/#latest</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ednref2" name="_edn2" data-wpel-link="internal">[ii]</a> Sydney Morning Herald “’Sophisticated attack’: Optus hackers used European addresses, could be state-linked”, September 23, 2022</p>
<p>https://www.smh.com.au/technology/sophisticated-attack-optus-hackers-used-european-addresses-could-be-state-linked-20220923-p5bkfn.html</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ednref3" name="_edn3" data-wpel-link="internal">[iii]</a> Ibid.</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ednref4" name="_edn4" data-wpel-link="internal">[iv]</a> iSMG “Optus Under $1 Million Extortion Threat in Data Breach” Jeremy Kirk, September 25, 2022 https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ednref5" name="_edn5" data-wpel-link="internal">[v]</a> The Guardian “Alleged Optus hacker apologizes for data breach and drops ransom threat” September 27, 2022</p>
<p>https://www.theguardian.com/business/2022/sep/27/alleged-optus-hacker-apologises-for-data-breach-and-drops-ransom-threat</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ednref6" name="_edn6" data-wpel-link="internal">[vi]</a> Australian Financial Review “Revealed: how crooks got inside Medibank” October 24, 2022</p>
<p>https://www.afr.com/technology/revealed-how-crooks-got-inside-medibank-20221024-p5bsg4</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ednref7" name="_edn7" data-wpel-link="internal">[vii]</a> Medibank “Cyber event timeline”, Update at 11 a.m., Thursday, 13 October, Update at 10:30 a.m., Friday 14 October, and Update at 9:30 a.m., Monday 17 October.</p>
<p>https://www.medibank.com.au/health-insurance/info/cyber-security/timeline/</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ednref8" name="_edn8" data-wpel-link="internal">[viii]</a> Cyber Security Hub “IOTW: Everything we know about the Medibank data leak” November 10, 2022</p>
<p>https://www.cshub.com/attacks/news/iotw-everything-we-know-about-the-medibank-data-leak</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ednref9" name="_edn9" data-wpel-link="internal">[ix]</a> Medibank “Cyber event timeline”, Update at 9 a.m., Monday 7 November</p>
<p>https://www.medibank.com.au/health-insurance/info/cyber-security/timeline/</p>
<p><a href="https://www.zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/#_ednref10" name="_edn10" data-wpel-link="internal">[x]</a> Id., at Update, Thursday 1 December</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/recent-data-breaches-prompt-big-changes-in-australian-privacy-penalties-zasio-information-governance-data-breach/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>‘Tis the Season… for a Data Breach</title>
		<link>https://zasio.com/tis-the-season-for-a-data-breach/</link>
					<comments>https://zasio.com/tis-the-season-for-a-data-breach/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 02 Dec 2021 20:04:39 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Heather Rice]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[cyber-theft]]></category>
		<category><![CDATA[Cybersecurity and Infrastructure Security Agency]]></category>
		<category><![CDATA[data breach risks]]></category>
		<category><![CDATA[Heather Rice]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[Information Governance consulting software]]></category>
		<category><![CDATA[Information Governance software]]></category>
		<category><![CDATA[phishing scams]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[records and information management]]></category>
		<category><![CDATA[spear-phishing]]></category>
		<category><![CDATA[whaling]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=479</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/tis-the-season-for-a-data-breach/" data-wpel-link="internal">‘Tis the Season… for a Data Breach</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p>The leaves are changing color and falling to the ground, pumpkin spice is on nearly every store shelf, and the air is chilly—yes, the holidays will soon be upon us. Before you start your holiday shopping or bring out the decorations, it’s important to remember that the holidays are prime time for data breaches and cyber theft.</p>
<p>The Cybersecurity and Infrastructure Security Agency (CISA) defines a data breach as the “unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.”<a href="https://www.zasio.com/tis-the-season-for-a-data-breach/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a> Each year, many large companies experience a data breach. You may not think this could happen to you, but the truth is that every company is vulnerable to hacking. According to Risk Based Security, a cyber vulnerability intelligence, data breach, and risk ratings company, the first two quarters of 2021 had 1,767 breaches. These breaches led to approximately 18.8 billion exposed records between January and June.<a href="https://www.zasio.com/tis-the-season-for-a-data-breach/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> Data breaches can become very expensive. On top of ransom demands, you also have investigation, mitigation, and legal costs. But the biggest cost often is the loss of consumer confidence or closure of the business entirely.</p>
<p>So why do attacks often occur during the holidays? One reason is that companies often operate with a skeleton crew, making it difficult to communicate with IT staff. This leads to longer response times in an attack, which allows damage to extend much further compared to an attack during normal working hours. These attacks can come in many forms, so it’s important to know what they look like in the event you come across one.</p>
<p><strong>Types of Data Breaches</strong></p>
<p>Here are a few of the ways hackers may gain access to your information:</p>
<ol>
<li><strong>Phishing Scams</strong>. Phishing happens through emails or messaging applications that appear to be legitimate and attempt to exploit your trust. Examples of phishing include:
<ul>
<li><strong>Email phishing</strong> is one of the more well-known cyber-attacks. Attackers impersonate brands and send emails that lead victims to click on links or download malicious content that installs malware on the victim’s device.</li>
<li><strong>Spear-phishing</strong> is a targeted attempt by a person disguised as a trusted individual, such as a friend, co-worker, or family member, to obtain sensitive information (think account credentials, money, or financial information). Attackers often target their victims by looking at the victim’s personal information available on the internet, such as social media websites. The attacker requests the victim perform an unusual task, hoping the victim has enough trust to perform the task without question.</li>
<li><strong>Whaling</strong> is similar to spear-phishing except it involves supposed “senior officials” at a company. In this type of phishing, scammers imitate a senior staff member after using the company’s website to obtain names and email addresses. These emails are sent to unsuspecting subordinate staff with a request, such as transferring money or reviewing a document that contains malicious content. If you don’t typically receive emails or messages from company higher-ups, this should be a red flag.</li>
</ul>
</li>
<li><strong>Ransomware</strong>. Ransomware is malicious software that targets a company’s data by blocking access to their systems. According to Fortune.com, ransomware attacks grew by 150 percent in 2020. Given this increase, Fortune.com estimates damages from cybercrimes may reach $6 trillion in 2021. The FBI and CISA have noted that hackers are increasingly deploying ransomware during holidays when offices are often closed.<a href="https://www.zasio.com/tis-the-season-for-a-data-breach/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> As the hackers’ thinking goes, holiday attacks maximize damage and companies caught off guard will have little choice but to meet their demands.</li>
<li><strong>Non-secure Wi-Fi Connections</strong>. Since many companies still have employees working remotely, connecting to secure Wi-Fi is especially important. You should warn your employees about using public Wi-Fi connections where cyber criminals can intercept communications or set up Wi-Fi connections that appear legitimate, but are fake and used to steal information. Employees should be extra diligent during the holidays when accessing their email or company systems remotely.</li>
</ol>
<p><strong>How to Protect Yourself</strong></p>
<p>The reality is that we are all at risk of data breaches and cybersecurity issues; however, there are some things you can do to protect yourself and your consumers. Here are a few key examples:</p>
<ol>
<li><strong>Education</strong>. Training your employees about the importance of cybersecurity is just as important as other IT maintenance and document management protocols. Set aside some time for employee refresher courses on the importance of not opening emails, attachments, or clicking on links from unknown sources, not sending sensitive documents through personal email accounts, using secure Wi-Fi connections, and keeping track of company devices.</li>
<li><strong>Investing in cybersecurity software</strong>. The return on investment could be exponential. Also, keep all software up-to-date. Software that is out-of-date may contain weaknesses that hackers can take advantage of. Software updates and patches work to repair these vulnerabilities and protect your data.</li>
<li><strong>Implement a strict password policy</strong>. Strong passwords should be used by everyone, whether you’re an employee or a consumer. Do not reuse passwords or use passwords that contain information that can be public knowledge (for example, your birthday, a pet’s name, or a child’s name). Passwords should contain a variety of characters, numbers, and upper and lowercase letters.</li>
<li><strong>Use two-factor authentication</strong>, especially for remote access. Two-factor authentication provides another security layer that makes it more difficult for hackers to log in and use your accounts because the hackers will need another piece of information other than your username and password. This often comes in the form of an SMS code sent to your phone or a code provided by an authenticator app.</li>
</ol>
<p><strong>Conclusion</strong></p>
<p>Holidays are great; we all want to enjoy them. After all, who doesn’t love shopping and decorating while sipping on a hot pumpkin spiced beverage? But a data breach may put an end to your holiday spirit. Educating yourself and your employees about ways to protect against cyber-attacks is not only the best defense against such attacks, but also the best way to ensure peace of mind during the holidays and beyond. <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Contact Zasio</a> today to explore the software and consulting solutions we offer to address your information governance needs.</p>
<p>&nbsp;</p>
<p><a href="https://www.zasio.com/tis-the-season-for-a-data-breach/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> Cybersecurity and Infrastructure Security Agency, National Initiative for Cybersecurity Careers and Studies, Cybersecurity Glossary, available at: <a href="https://niccs.cisa.gov/about-niccs/cybersecurity-glossary" data-wpel-link="external" rel="external noopener noreferrer">https://niccs.cisa.gov/about-niccs/cybersecurity-glossary</a> (accessed October 21, 2021).</p>
<p><a href="https://www.zasio.com/tis-the-season-for-a-data-breach/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> Risk Based Security. “2021 Mid Year Report.” 2021, https://pages.riskbasedsecurity.com/hubfs/Reports/2021/2021%20Mid%20Year%20Data%20Breach%20QuickView%20Report.pdf</p>
<p><a href="https://www.zasio.com/tis-the-season-for-a-data-breach/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> Alsever, Jennifer. “Why company hacks tend to happen over holiday weekends.” 6 July 2021, https://fortune.com/2021/07/06/why-company-hacks-tend-to-happen-over-holiday-weekends/</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_0 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/05/Heather-Rice-01-96x96-1.jpg" alt="Author: Heather Rice" class="wp-image-2088" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Heather Rice</h4>
					<p class="et_pb_member_position">Senior Research Analyst / Certified Paralegal</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/tis-the-season-for-a-data-breach/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>ISO Compliance and Cybersecurity Reporting – Yet Another Way to Strengthen Your Records and Information Management Program</title>
		<link>https://zasio.com/iso-compliance-and-cybersecurity-reporting/</link>
					<comments>https://zasio.com/iso-compliance-and-cybersecurity-reporting/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Wed, 01 Sep 2021 20:30:46 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[COBIT]]></category>
		<category><![CDATA[CSA-CCM]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[document management]]></category>
		<category><![CDATA[Industry Standards Organization]]></category>
		<category><![CDATA[information security management system]]></category>
		<category><![CDATA[ISMS]]></category>
		<category><![CDATA[ISO]]></category>
		<category><![CDATA[NIST]]></category>
		<category><![CDATA[quality management system]]></category>
		<category><![CDATA[records management]]></category>
		<category><![CDATA[records retention]]></category>
		<category><![CDATA[RIM]]></category>
		<category><![CDATA[SOC 2 Type II]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=508</guid>

					<description><![CDATA[<p>In today’s world where humans produce 2.5 quintillion bytes of data daily (that’s a million trillion!),[1] the average data breach costs $3.86 million,[2] and companies can face data privacy-related fines north of $800 million,[1] records and information management (RIM) is getting more time in the spotlight. Most RIM practitioners can build a strong case for a good records management and retention policy – it can help avoid litigation, save on discovery costs, and limit the impact of a data breach. But what about using RIM as a way to elevate your company in the eyes of customers? One way to achieve this is through obtaining advanced certifications developed by the Industry Standards Organization (ISO). The ISO develops “families” of internationally recognized standards companies can use to develop and certify their business processes. Two ISO standards that rely heavily on RIM are the ISO 9000 family on quality management and the ISO/IEC 27000 family on information security management. Both have stringent document information requirements. Let’s start with the ISO 9001 Certification ISO 9001, one of the more well-known ISO standards, is the only standard in the ISO 9000 family to which a company can be certified. This certification is available to any organization, regardless [&#8230;]</p>
<p>The post <a href="https://zasio.com/iso-compliance-and-cybersecurity-reporting/" data-wpel-link="internal">ISO Compliance and Cybersecurity Reporting – Yet Another Way to Strengthen Your Records and Information Management Program</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>In today’s world where humans produce 2.5 quintillion bytes of data daily (that’s a million trillion!),<a href="https://techjury.net/blog/how-much-data-is-created-every-day/#gref" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">[1]</a> the average data breach costs $3.86 million,<a href="https://www.ibm.com/security/data-breach" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">[2]</a> and companies can face data privacy-related fines north of $800 million,<a href="https://techjury.net/blog/how-much-data-is-created-every-day/#gref" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">[1]</a> records and information management (RIM) is getting more time in the spotlight.</p>
<p>Most RIM practitioners can build a strong case for a good records management and retention policy – it can help avoid litigation, save on discovery costs, and limit the impact of a data breach. But what about using RIM as a way to elevate your company in the eyes of customers? One way to achieve this is through obtaining advanced certifications developed by the Industry Standards Organization (ISO).</p>
<p>The ISO develops “families” of internationally recognized standards companies can use to develop and certify their business processes. Two ISO standards that rely heavily on RIM are the ISO 9000 family on quality management and the ISO/IEC 27000 family on information security management. Both have stringent document information requirements.</p>
<p><strong>Let’s start with the ISO 9001 Certification</strong><br />
ISO 9001, one of the more well-known ISO standards, is the only standard in the ISO 9000 family to which a company can be certified. This certification is available to any organization, regardless of size or industry, and is based on quality management principles like having a strong customer focus, top-tier management, and a business plan showing an approach and process for continual improvement.<a href="https://www.iso.org/iso-9001-quality-management.html" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">[3]</a> Currently, there are over one million companies in over 170 countries that have achieved the ISO 9001 certification. Certification can be one of the most effective ways to alert consumers that your quality management system is consistent and products and services are good-quality.<a href="https://www.iso.org/iso-9001-quality-management.html" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">[3]</a> This in turn brings business. So, to the millions of companies not yet 9001 certified, you may be wondering how to achieve such certification and how RIM plays into this process.</p>
<p><strong>Achieving ISO 9001 Certification</strong><br />
To earn ISO 9001 certification, you must implement an ISO 9001 quality management system. Once you feel ready, you may select an external registrar to audit the performance of your organization. Upon earning a passing review, the registrar will issue the ISO 9001 certificate, which is good for three years.<a href="https://the9000store.com/what-are-iso-9000-standards/what-is-iso-9001/" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">[4]</a> Now, here’s where having a strong RIM program is beneficial, if not essential.</p>
<p><strong>A Strong RIM Program Is Key to ISO 9001 Certification</strong><br />
For the audit, your organization will need to create, maintain, and retain certain documents to show, on paper, how its quality management system follows the ISO 9001 standards. These records must adhere to the documented information requirements of ISO 9001 clause 7.5, which outlines the following document types you must maintain:</p>
<ul>
<li>The scope of the quality management system (clause 4.3).</li>
<li>Documented information necessary to support the operation of processes (clause 4.4). Examples include organization charts, process maps, process flow charts and/or process descriptions, procedures, work and/or test instructions, specifications, documents containing internal communications, production schedules, approved supplier lists, test and inspection plans, quality plans, quality manuals, strategic plans, and forms.</li>
<li>The quality policy (clause 5).</li>
<li>The quality objectives (clause 6.2).<a href="https://www.iso.org/files/live/sites/isoorg/files/archive/pdf/en/documented_information.pdf" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">[5]</a></li>
</ul>
<p>Clause 7.5 also identifies the following document types that you must retain:</p>
<ul>
<li>Documented information to the extent necessary to have confidence that the processes are being carried out as planned (clause 4.4).</li>
<li>Evidence of fitness for purpose of monitoring and measuring resources (clause 7.1.5.1).</li>
<li>Evidence of the basis used for calibration of the monitoring and measurement resources (when no international or national standards exist) (clause 7.1.5.2).</li>
<li>Evidence of competence of person(s) doing work under the control of the organization that affects the performance and effectiveness of the QMS (clause 7.2).</li>
<li>Results of the review and new requirements for the products and services (clause 8.2.3).</li>
<li>Records needed to demonstrate that design and development requirements have been met (clause 8.3.2).</li>
<li>Records on design and development inputs (clause 8.3.3).</li>
<li>Records of the activities of design and development controls (clause 8.3.4).</li>
<li>Records of design and development outputs (clause 8.3.5).</li>
<li>Design and development changes, including the results of the review and the authorization of the changes and necessary actions (clause 8.3.6).</li>
<li>Records of the evaluation, selection, monitoring of performance, and re‐evaluation of external providers and any actions arising from these activities (clause 8.4.1).<a href="https://www.iso.org/files/live/sites/isoorg/files/archive/pdf/en/documented_information.pdf" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">[5]</a></li>
</ul>
<p>That is a lot of information!</p>
<p><strong>So, What is the Best Way to Manage and Retain All of These Records and Documented Information?</strong><br />
The first step is to figure out what you have, where it’s all located, and how it should be organized. Then, catalog it in a retention schedule so you can be sure you’re retaining the necessary records for your future ISO audits. You also must track the location and retention of the documents required by Clause 7.5 in a records management system and dispose of unnecessary information (since we know too much information can be a liability). Sounds simple enough, right?</p>
<p>Alternatively, you can <a href="https://www.zasio.com/about-us/contact-us/" target="_blank" rel="noopener" data-wpel-link="internal">reach out to Zasio</a>. Our team of in-house consultants can review your records to identify what you have, develop a retention schedule for you, and deliver it in <a href="https://www.zasio.com/versatile-retention/" target="_blank" rel="noopener" data-wpel-link="internal">Versatile Retention</a>, our leading retention management solution. Once you have your retention schedule, you can easily apply it to your physical and electronic records using one of Zasio’s <a href="https://www.zasio.com/technology-solutions/records-management-software/" target="_blank" rel="noopener" data-wpel-link="internal">Versatile records management solutions</a>. Then, when it’s time for your ISO 9001 audit, your information will be at your fingertips, helping ensure your company aces the documented information requirement.</p>
<p><strong>Now Let’s Jump to the ISO/IEC 27001 Certification</strong><br />
While ISO 9001 concerns quality management systems, ISO 27001 is all about information security management systems (ISMS). But similar to ISO 9001, companies must build a system and show how the system was established, implemented, and the processes for maintaining and continually improving it.<a href="https://www.iso.org/standard/54534.html" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">[6]</a></p>
<p>The ISO 27001 standard not only ensures an organization has an ISMS, but through its requirements, it also certifies that companies are compliant with applicable laws and regulations.<a href="https://www.isms.online/iso-27001/annex-a-18-compliance/" data-wpel-link="external" rel="external noopener noreferrer">[8]</a> Information security concerns every organization, so keeping up with ISO 27001 requirements is a great way to help stay compliant with current regulations. Further, should you ever face an information security incident, ISO 27001 certification can help demonstrate due diligence regarding regulatory compliance.</p>
<p><strong>What Kind of Information Security Requirements are in the ISO 27001 Standard?</strong><br />
Information security requirements may vary depending on your industry, but in general, the requirements you can expect to see include:</p>
<ul>
<li>A.18.1.1 – Identification of Applicable Legislation and Contractual Requirements.</li>
<li>A.18.1.2 – Intellectual Property Rights.</li>
<li>A.18.1.3 – Protection of Records.</li>
<li>A.18.1.4 – Privacy and Protection of Personally Identifiable Information (PII).</li>
<li>A.18.1.5 – Regulation of Cryptographic Controls.<a href="https://www.isms.online/iso-27001/annex-a-18-compliance/" target="_blank" rel="noopener external noreferrer" data-wpel-link="external">[8]</a></li>
</ul>
<p><strong>The ISO 27001 Audit Process</strong><br />
So how do you prove ISO 27001 compliance during a certification audit? ISO/IEC 27001:2013 (the most recent revision) has a documented information clause that is very similar to ISO 9001’s clause 7.5. Accordingly, clause 7.5’s process for document retention applies here as well.</p>
<p><strong>Conclusion</strong><br />
Becoming ISO 9000 certified for quality management or ISO 27001 certified for information security is a great way to ensure your company is performing to the highest level of standards and regulatory compliance. It also shows customers your company is a trusted business partner. Plus, it’s a perfect excuse to review your company’s information and strengthen your RIM program, which provides more benefits than just ISO certification. Just about all cybersecurity frameworks—such as NIST, CSA-CCM, SOC 2 Type II, and COBIT—require records retention, so a strong RIM program will help your organization achieve maturity in those standards as well.</p>
<p>[1] <a href="https://techjury.net/blog/how-much-data-is-created-every-day/#gref" data-wpel-link="external" rel="external noopener noreferrer">https://techjury.net/blog/how-much-data-is-created-every-day/#gref</a><br />
[2] <a href="https://www.ibm.com/security/data-breach" data-wpel-link="external" rel="external noopener noreferrer">https://www.ibm.com/security/data-breach</a><br />
[3] <a href="https://www.iso.org/iso-9001-quality-management.html" data-wpel-link="external" rel="external noopener noreferrer">https://www.iso.org/iso-9001-quality-management.html</a><br />
[4] <a href="https://the9000store.com/what-are-iso-9000-standards/what-is-iso-9001/" data-wpel-link="external" rel="external noopener noreferrer">https://the9000store.com/what-are-iso-9000-standards/what-is-iso-9001/</a><br />
[5] <a href="https://www.iso.org/files/live/sites/isoorg/files/archive/pdf/en/documented_information.pdf" data-wpel-link="external" rel="external noopener noreferrer">https://www.iso.org/files/live/sites/isoorg/files/archive/pdf/en/documented_information.pdf</a><br />
[6] <a href="https://www.iso.org/standard/54534.html" data-wpel-link="external" rel="external noopener noreferrer">https://www.iso.org/standard/54534.html</a><br />
[7] <a href="https://www.standardfusion.com/blog/iso-27001-18-1-1-satisfy-legal-regulatory-contractual-requirements/" data-wpel-link="external" rel="external noopener noreferrer">https://www.standardfusion.com/blog/iso-27001-18-1-1-satisfy-legal-regulatory-contractual-requirements/</a><br />
[8] <a href="https://www.isms.online/iso-27001/annex-a-18-compliance/" data-wpel-link="external" rel="external noopener noreferrer">https://www.isms.online/iso-27001/annex-a-18-compliance/</a><br />
[9] <a href="https://www.isms.online/iso-27001/determining-the-scope-for-your-isms/" data-wpel-link="external" rel="external noopener noreferrer">https://www.isms.online/iso-27001/determining-the-scope-for-your-isms/</a></p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/iso-compliance-and-cybersecurity-reporting/" data-wpel-link="internal">ISO Compliance and Cybersecurity Reporting – Yet Another Way to Strengthen Your Records and Information Management Program</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/iso-compliance-and-cybersecurity-reporting/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Working from Home: Privacy, Security, and Information Management Tips for a Remote Workforce</title>
		<link>https://zasio.com/working-from-home-tips-for-a-remote-workforce/</link>
					<comments>https://zasio.com/working-from-home-tips-for-a-remote-workforce/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Tue, 28 Apr 2020 19:04:09 +0000</pubDate>
				<category><![CDATA[Events]]></category>
		<category><![CDATA[COVID-19]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[information management]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[remote work]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[working remotely]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=722</guid>

					<description><![CDATA[<p>Join us for This Free Webinar! Date: May 21st Time: 11:00 a.m. – 12:00 p.m. Mountain Time Description: The COVID-19 pandemic and “shelter-in-place” orders have upended offices across the country, forcing businesses and workers to rapidly adapt to our new remote work reality. Although lockdown restrictions are gradually easing, remote work is likely to remain a common feature of office life for the foreseeable future. But while working from home brings a new set of challenges and risks for employers and workers, it also presents an opportunity to reflect on how we work and find new ways to improve. Employers can help their workers stay productive at home without intruding into their private lives. Employees can still keep vital company data secure even when working from beyond the safety of the office. Organizations can still practice effective information governance even when their records and information reside on employees’ workstations located across the country. This webinar will provide tips and insights on how businesses and employees can protect their privacy and security while maintaining effective organizational records and information management, both during the current era of the “socially distanced” workforce, and beyond. To attend, please register using the button below. We [&#8230;]</p>
<p>The post <a href="https://zasio.com/working-from-home-tips-for-a-remote-workforce/" data-wpel-link="internal">Working from Home: Privacy, Security, and Information Management Tips for a Remote Workforce</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h4><strong>Join us for This Free Webinar!</strong></h4>
<p><strong>Date: May 21st</strong></p>
<p><strong>Time: 11:00 a.m. – 12:00 p.m. Mountain Time</strong></p>
<p><strong>Description:</strong></p>
<p>The COVID-19 pandemic and “shelter-in-place” orders have upended offices across the country, forcing businesses and workers to rapidly adapt to our new remote work reality. Although lockdown restrictions are gradually easing, remote work is likely to remain a common feature of office life for the foreseeable future. But while working from home brings a new set of challenges and risks for employers and workers, it also presents an opportunity to reflect on how we work and find new ways to improve. Employers can help their workers stay productive at home without intruding into their private lives. Employees can still keep vital company data secure even when working from beyond the safety of the office. Organizations can still practice effective information governance even when their records and information reside on employees’ workstations located across the country. This webinar will provide tips and insights on how businesses and employees can protect their privacy and security while maintaining effective organizational records and information management, both during the current era of the “socially distanced” workforce, and beyond.</p>
<p>To attend, please register using the button below.</p>
<p>We look forward to seeing you there!</p>
<a href="" class="small-button smallorange" data-wpel-link="internal">Register for Webinar</a>
<p>The post <a href="https://zasio.com/working-from-home-tips-for-a-remote-workforce/" data-wpel-link="internal">Working from Home: Privacy, Security, and Information Management Tips for a Remote Workforce</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/working-from-home-tips-for-a-remote-workforce/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Evolving Impact of Company-Owned Devices in Records Management</title>
		<link>https://zasio.com/evolving-impact-of-company-owned-devices-in-records-management/</link>
					<comments>https://zasio.com/evolving-impact-of-company-owned-devices-in-records-management/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Thu, 07 Nov 2019 19:58:06 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[By Heather Houle]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[company-owned devices]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Federal Electronic Communications Privacy Act]]></category>
		<category><![CDATA[Heather Houle]]></category>
		<category><![CDATA[mobile device security]]></category>
		<category><![CDATA[records management]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=753</guid>

					<description><![CDATA[<p>The post <a href="https://zasio.com/evolving-impact-of-company-owned-devices-in-records-management/" data-wpel-link="internal">The Evolving Impact of Company-Owned Devices in Records Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner">In an ever-changing competitive world, businesses need to be flexible with technology and work environments. This flexibility allows employees to work from remote locations, on-site and from home offices on company-owned or personal devices such as cell phones, laptops and tablets. With this technology comes the responsibility of the business owner to protect their valuable records, trade secrets, proprietary information, intellectual property, and personally identifiable information stored on those devices. Federal, state and international laws require companies to protect personal information and lay down heavy sanctions when that information is not properly secured.</p>
<p>Courts have routinely held through the Federal Electronic Communications Privacy Act that when an employee uses a company-owned device, they have no reasonable expectation of privacy. If you use a company-owned device, it is the property of the employer, as is the information stored on it. Employers are free to monitor those devices once consent is given. California recently updated its Consumer Privacy Act to better protect consumers, and it excludes employees from the definition of consumers. The law states that the title does not apply to a natural person’s personal information collected and used by the business solely within the context of the natural person’s role or former role as a job applicant, an employee of or a contractor of that business.</p>
<p>The advantage of mobile devices is the convenience of access to your records and information in real-time, allowing your employees to be competitive and stay on top of your business needs. It is beneficial for an employee to remain in contact with coworkers and customers, and mobility allows for faster communication, such as drafting an email during the train or bus ride home. Mobile devices have increasingly greater file storage capacity and ease of sharing those files. Mobile apps can be used to schedule, design and collaborate, and can be tailored to your business specifics. A mobile work-station reduces the cost of having dedicated office space for employees.</p>
<p>The disadvantages are that devices are portable and valuable records and information can be lost through damage or loss of the device. Devices can be stolen, allowing unauthorized access to sensitive data if they have not been properly secured with passcodes, biometric authentication, and encryption. Mobile devices can be easily hacked through phishing scams, social engineering, malicious apps freely downloaded, or unsecured Wi-Fi. Accessible information on a device could include: passwords, credit card numbers and banking information, text messages, phone calls, recently visited sites, GPS location, contacts, recent files and deleted files. Information cached on a mobile device may still be discoverable even if the original copy was deleted based on the company’s retention schedule.</p>
<p>Many states have laws with specific requirements for the use of devices. South Carolina Code § 38-99-20 requires insurance companies to implement security measures that protect, by encryption, nonpublic information transmitted over external networks and stored on laptop computers, portable computing or storage devices or media; regularly test to detect attempted attacks; include audit trails to detect and respond to cybersecurity events; and protect against destruction, loss, or damage of nonpublic information due to environmental hazards.</p>
<p>Warren Bean, Sr. Sales Engineer for Zasio, recommends a few security measures to encourage compliance for company-owned mobile devices:</p>
<ul>
<li>Use randomly-generated passwords so that you can’t fall victim to social engineering tricks (such as getting your pet’s name or favorite color from your social media account);</li>
<li>Don’t use the same password on multiple apps or sites;</li>
<li>Never click on links or attachments from unknown sources;</li>
<li>Don’t leave your mobile device unattended;</li>
<li>Keep up to date on operating system updates and browser patches (the bad guys scour the internet looking for unpatched systems);</li>
<li>Use the strongest authentication methods available for your device, such as fingerprints and facial recognition, two-factor authentication, and automatic lock-outs for too many failed login attempts;</li>
<li>If you frequently utilize public Wi-Fi networks, consider investing in a VPN service that routes your data through an encrypted private network, especially when traveling in foreign countries;</li>
<li>Company-owned devices should also be centrally managed via mobile device management software that allows for remote updating and wiping of devices.</li>
</ul>
<p>Ultimately, employers need a clear policy for company-owned devices regarding consent, record retention and how they will monitor, access, view and preserve employee texts, emails and other mobile device information. Employers need to verify the legitimacy of the applications, understand where any data is being stored, how it’s being transmitted, and whether privacy agreements exist between the organization and the data processor. If you have any questions on your company’s policies or how company-owned devices should be accounted for in your records management strategy, <a href="https://www.zasio.com/" data-wpel-link="internal">contact Zasio</a>.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></div>
			</div>
			</div>
				
				
				
				
			</div><div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_with_border et_pb_module et_pb_team_member et_pb_team_member_1 clearfix  et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_team_member_image et-waypoint et_pb_animation_off"><img loading="lazy" decoding="async" width="96" height="96" src="https://zasio.com/wp-content/uploads/2022/01/Heather-Houle-01-96x96-1.jpg" alt="Author: Heather Houle, CRA" class="wp-image-2067" /></div>
				<div class="et_pb_team_member_description">
					<h4 class="et_pb_module_header">Author: Heather Houle, CRA</h4>
					<p class="et_pb_member_position">Senior Research Analyst / Certified Paralegal</p>
					
					
				</div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
<p>The post <a href="https://zasio.com/evolving-impact-of-company-owned-devices-in-records-management/" data-wpel-link="internal">The Evolving Impact of Company-Owned Devices in Records Management</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/evolving-impact-of-company-owned-devices-in-records-management/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Age of the Cyber Breach and the Value of Information Governance (IG)</title>
		<link>https://zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/</link>
					<comments>https://zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Fri, 19 Jul 2019 20:24:35 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber breach]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[GDPR]]></category>
		<category><![CDATA[information governance]]></category>
		<category><![CDATA[phishing emails]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=777</guid>

					<description><![CDATA[<p>Companies today are maximizing the value and usability of information like never before. Unfortunately, so are cybercriminals. During the first half of 2018, more than 3.3 billion records were compromised, with malicious outsiders being a major cause.[1] In the fight against cyber breaches, companies are at a steep disadvantage for many reasons. First, the internet was not designed with security in mind. It grew out of an experiment to send messages between researchers’ computers over a network. And its users grew so fast that the network, established on a foundation of collaboration and trust, remained a platform where its users are largely on their own to defend against cyber-attacks. Second, cybercrime is a low-cost, high-reward endeavor. Cybercriminals can operate from anywhere, and with impunity in many countries that tolerate and even encourage attacks against the West. Cybercrime is a profitable enterprise with a thriving marketplace for selling exploits (vulnerabilities that allow cybercriminals access to connected systems) as well as stolen personal information and trade secrets. To top it all off, well-funded, government-sponsored actors have been blamed for several high-profile hacks. Third, cybersecurity is expensive, constantly evolving, and complex, especially for established companies relying on antiquated technology. [&#8230;]</p>
<p>The post <a href="https://zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/" data-wpel-link="internal">The Age of the Cyber Breach and the Value of Information Governance (IG)</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Companies today are maximizing the value and usability of information like never before. Unfortunately, so are cybercriminals. During the first half of 2018, more than 3.3 billion records were compromised, with malicious outsiders being a major cause.<a href="https://www.zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/#_ftn1" name="_ftnref1" data-wpel-link="internal">[1]</a></p>
<p>In the fight against cyber breaches, companies are at a steep disadvantage for many reasons. First, the internet was not designed with security in mind. It grew out of an experiment to send messages between researchers’ computers over a network. And its users grew so fast that the network, established on a foundation of collaboration and trust, remained a platform where its users are largely on their own to defend against cyber-attacks.</p>
<p>Second, cybercrime is a low-cost, high-reward endeavor. Cybercriminals can operate from anywhere, and with impunity in many countries that tolerate and even encourage attacks against the West. Cybercrime is a profitable enterprise with a thriving marketplace for selling exploits (vulnerabilities that allow cybercriminals access to connected systems) as well as stolen personal information and trade secrets. To top it all off, well-funded, government-sponsored actors have been blamed for several high-profile hacks.</p>
<p>Third, cybersecurity is expensive, constantly evolving, and complex, especially for established companies relying on antiquated technology. Industry researchers are in a race to identify and patch vulnerabilities before cyber criminals can exploit them. In the fight against cyber breaches, every employee and connected device is a potential access point.</p>
<p><strong>Legislative Response – Sanctions</strong></p>
<p>Legislators around the world have addressed the increased frequency of cyber breaches, often by slapping fines on companies they deem to have done too little to prevent them. Under Europe’s General Data Protection Regulation (GDPR), the UK regulator just proposed a fine of £99 million against Marriott in response to a cyber breach it reported in November 2018.<a href="https://www.zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/#_ftn2" name="_ftnref2" data-wpel-link="internal">[2]</a> The UK regulator also proposed a fine of £183.39 million against British Airways in response to a cyber breach it reported in September 2018.<a href="https://www.zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/#_ftn3" name="_ftnref3" data-wpel-link="internal">[3]</a> Proposed new state privacy laws in the United States would, if passed, also increase the cost of incurring a cyber breach.</p>
<p><strong>Cyber Security Efforts and the Value of Information Governance (IG)</strong></p>
<p>As companies move to upgrade their systems to add levels of security to company information, their efforts will be diminished if they retain that information too long or if employees save copies of that information to unofficial locations. Cybercriminals that trick an employee into clicking on a phishing email may have an easier time accessing and removing company information from an employee’s unencrypted device than from an encrypted server. And if the cybercriminal successfully uses that employee’s credentials to access the encrypted server, the loss may be much greater if the company did not routinely dispose of unneeded information.</p>
<p>One tenet of good cybersecurity is good Information Governance (IG). Companies with good IG practices understand what data they have and are empowered to (1) destroy what they don’t need and (2) protect and maximize the value of the information they do need. By identifying and destroying unneeded information (or information being kept without a legal or operational justification), companies reduce the amount of information that can be compromised. These actions also save companies money on storage and legal discovery costs and reduce legal exposure.</p>
<p>Good IG practices involve:</p>
<ul>
<li>establishing internal <strong>policies</strong> for managing what information is kept, where and how it is kept, and for how long;</li>
<li>implementing the right <strong>technology</strong> to track, manage, and dispose of records effectively;</li>
<li>establishing <strong>clearly defined roles</strong> for anyone creating, storing, sharing, or disposing of information; and</li>
<li>establishing <strong>procedures</strong> that allow companies to meet legal and regulatory compliance by dictating how information should be managed, stored, shared, and disposed of.</li>
</ul>
<p>Establishing and adhering to good IG practices is not easy, but it is increasingly vital to the health and productivity of organizations in the age of the cyber breach.</p>
<p><a href="https://www.zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/#_ftnref1" name="_ftn1" data-wpel-link="internal">[1]</a> <em>Data Breach Level Index</em>, Gemalto (Last accessed July 16, 2019), https://breachlevelindex.com/.</p>
<p><a href="https://www.zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/#_ftnref2" name="_ftn2" data-wpel-link="internal">[2]</a> <em>Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach</em>, Information Commissioner’s Office (Last accessed July 16, 2019), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/.</p>
<p><a href="https://www.zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/#_ftnref3" name="_ftn3" data-wpel-link="internal">[3]</a> <em>Intention to fine British Airways £183.39m under GDPR for data breach</em>, Information Commissioner’s Office (Last accessed July 16, 2019), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/.</p>
<p>&nbsp;</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/" data-wpel-link="internal">The Age of the Cyber Breach and the Value of Information Governance (IG)</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/age-of-cyber-breach-and-the-value-of-information-governance/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Tips to Prevent Hoarding of Documents</title>
		<link>https://zasio.com/tips-to-prevent-hoarding-of-documents/</link>
					<comments>https://zasio.com/tips-to-prevent-hoarding-of-documents/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 18 Mar 2019 21:38:36 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[cyber-theft]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hidden data]]></category>
		<category><![CDATA[Versatile Enterprise]]></category>
		<category><![CDATA[versatile retention]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=808</guid>

					<description><![CDATA[<p>I recently saw a commercial for the show “Hoarders,” which depicts the real-life struggles of people who suffer from compulsive hoarding disorder. Each hour-long episode profiles two people on the verge of a personal crisis, all caused by the fact that they are unable to part with even the tiniest possessions, and the cumulative effect becomes a mountain of junk and garbage overtaking their home or apartment. It occurred to me that organizations have a similar hoarding problem when it comes to documents, which is amplified by the number of employees who keep copies and versions regardless of what kind of archival tools or records retention program is in place. After putting hours of effort and consideration working on, let’s say, a 35-page assessment and formal proposal, you can bet that most folks tuck an extra copy away on their hard drive or a file share somewhere…and probably print out a paper copy too, just to be safe. Employees often have a hoarder’s mindset, keeping copies and versions regardless of what kind of archival tools or records retention program is in place. Sense of Ownership That sense of ownership and the desire to avoid reinventing the wheel make perfect sense, but [&#8230;]</p>
<p>The post <a href="https://zasio.com/tips-to-prevent-hoarding-of-documents/" data-wpel-link="internal">Tips to Prevent Hoarding of Documents</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>I recently saw a commercial for the show “Hoarders,” which depicts the real-life struggles of people who suffer from compulsive hoarding disorder. Each hour-long episode profiles two people on the verge of a personal crisis, all caused by the fact that they are unable to part with even the tiniest possessions, and the cumulative effect becomes a mountain of junk and garbage overtaking their home or apartment.</p>
<p>It occurred to me that organizations have a similar hoarding problem when it comes to documents, which is amplified by the number of employees who keep copies and versions regardless of what kind of archival tools or records retention program is in place. After putting hours of effort and consideration working on, let’s say, a 35-page assessment and formal proposal, you can bet that most folks tuck an extra copy away on their hard drive or a file share somewhere…and probably print out a paper copy too, just to be safe.</p>
<blockquote><p><strong><em>Employees often have a hoarder’s mindset, keeping copies and versions regardless of what kind of archival tools or records retention program is in place.</em></strong></p></blockquote>
<p><strong>Sense of Ownership</strong></p>
<p>That sense of ownership and the desire to avoid reinventing the wheel make perfect sense, but all those hoarded documents have a downside: the information can pose an unseen risk to the organization. And the liability grows when people take a “keep everything” approach to records management, especially as the volume, velocity, and variety of content that every organization must manage continue to grow and evolve in this age of Digital Transformation.</p>
<p><strong>Just Keep Everything</strong></p>
<p>While digital transformation may seem like it’s all about collecting more and more data, the truth is not all data is good data and there is a great deal of liability for the company when it over-retains. For example, not having visibility into what an employee saves is a cause for concern, because you don’t know what type of information is being preserved by the employee and whether or not it falls within a proper retention schedule. And if they are holding onto a record for a longer period of time than they need to – regardless of the company retention policy – that information is still subject to disclosure through discovery, or any type of compliance audit, or other types of regulatory and legal proceedings.</p>
<p><strong>You Don’t Know What You Don’t Know</strong></p>
<p>Information security and data loss prevention (DLP) are also pressing matters, especially as the number of cyber incidents continues to rise. If documents are hoarded by employees, organizations lack visibility into critical facts such as what is being over-retained, where it is being stored, who has access rights, and the appropriateness of the security applied to the content. If past incidents that played out before the public are any indication, the hidden information represents a treasure trove of data for hackers looking for security loopholes.</p>
<p><strong>Costs and Risks</strong></p>
<p>The costs and risks are substantial, including fines for over-retention of certain documents and information (e.g., personal data). There are litigation costs that come into play through e-discovery, and very real exposure in court by virtue of what you are now compelled to disclose. Additionally, the harm to the organization’s reputation, loss of public trust, and impact on current and future business opportunities cannot be discounted.</p>
<p><strong>Best Practices</strong></p>
<p>It’s one thing to point out a problem and another to do something about it. Here are three best practices to consider:</p>
<p><strong>Communication</strong></p>
<p>The first step is communication and putting records management top of mind with every employee. It is important to set the expectation that everyone will follow through with the retention schedule and preserve documents according to the records management and other related corporate policies and guidelines. It is also important to review corporate policies and guidelines from different departments (e.g., information security, IT, privacy, etc.) and ensure alignment to address potentially conflicting information.</p>
<p><strong>Training</strong></p>
<p>The next step is training: not just at the time of new employee onboarding, but continuous refreshers over the course of the employees’ time at the company. As records management is reiterated and encouraged, the tendency to hoard fades from the mindset of the employees as it becomes second nature in the execution of their everyday tasks.</p>
<p><strong>Make it Easy</strong></p>
<p>Let’s face it, if the systems and procedures to properly save and archive records are hard to use, and people are not comfortable using and trusting the system, they will simply revert to their old hoarding habits. Make it easy by using an automated process and reducing the number of steps for employees to follow where possible.</p>
<p><strong>Moving Forward</strong></p>
<p>When it comes to information governance and successful adoption, the focus needs to extend beyond just the technology and account for work culture and employees’ mindset. You can change that hoarding mentality through awareness, common-sense training, and implementing systems that make it easier for employees to comply with the organization’s information governance policies and guidelines.</p>
<p>For more information or to see how our Versatile technology solutions and consulting services can help manage and protect your records and ensure you comply with legal retention requirements, please fill out our <a href="https://www.zasio.com/about-us/contact-us/" data-wpel-link="internal">Contact Form</a>.</p>
<p>&nbsp;</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/tips-to-prevent-hoarding-of-documents/" data-wpel-link="internal">Tips to Prevent Hoarding of Documents</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/tips-to-prevent-hoarding-of-documents/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Is Redundant, Obsolete and Hidden Data Putting your Organization at Risk?</title>
		<link>https://zasio.com/redundant-obsolete-hidden-data-organization-risk/</link>
					<comments>https://zasio.com/redundant-obsolete-hidden-data-organization-risk/#respond</comments>
		
		<dc:creator><![CDATA[Zasio]]></dc:creator>
		<pubDate>Mon, 28 Jan 2019 20:15:00 +0000</pubDate>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[cyber attack]]></category>
		<category><![CDATA[Cyber security]]></category>
		<category><![CDATA[cyber-theft]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[hidden data]]></category>
		<category><![CDATA[Versatile Enterprise]]></category>
		<category><![CDATA[versatile retention]]></category>
		<guid isPermaLink="false">https://wordpress-140425-3498808.cloudwaysapps.com/?p=839</guid>

					<description><![CDATA[<p>In any organization there is overlooked information that no one ever notices or thinks about. It includes, among other things, information captured in an image archive or document management repository, or it could be data housed in ERP systems, collaborative workflow platforms or any number of line-of-business databases. Even copiers and scanners hold cached images you may not know about. Things like social security numbers, financial and medical account details, addresses and phone numbers are all found in these repositories, yet that information can be overlooked or hidden from view, especially as the volume, velocity and variety of information that must be managed continue to grow at unprecedented rates. This information can represent a treasure trove of opportunity for data hackers and cyber-thieves looking to steal sensitive and private data. Can Your C-Suite Sleep at Night? Data security and compliance are on the minds of C-suite leaders in all industries and it’s easy to lose sleep at night. It seems like every week there is yet another high-profile data security breach, and some of the world’s most tech-savvy companies are falling victim. Indeed, just recently Facebook, already facing scrutiny over how [&#8230;]</p>
<p>The post <a href="https://zasio.com/redundant-obsolete-hidden-data-organization-risk/" data-wpel-link="internal">Is Redundant, Obsolete and Hidden Data Putting your Organization at Risk?</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>In any organization there is overlooked information that no one ever notices or thinks about. It includes, among other things, information captured in an image archive or document management repository, or it could be data housed in ERP systems, collaborative workflow platforms or any number of line-of-business databases. Even copiers and scanners hold cached images you may not know about. Things like social security numbers, financial and medical account details, addresses and phone numbers are all found in these repositories, yet that information can be overlooked or hidden from view, especially as the volume, velocity and variety of information that must be managed continue to grow at unprecedented rates. This information can represent a treasure trove of opportunity for data hackers and cyber-thieves looking to steal sensitive and private data.</p>
<h4>Can Your C-Suite Sleep at Night?</h4>
<p>Data security and compliance are on the minds of C-suite leaders in all industries and it’s easy to lose sleep at night. It seems like every week there is yet another high-profile data security breach, and some of the world’s most tech-savvy companies are falling victim. Indeed, just recently Facebook, already facing scrutiny over how it handles the private information of its users, disclosed that an attack on its computer network exposed the personal information of nearly 50 million users. Some of the biggest victims in 2018 include T-Mobile, Quora, Google, and Marriott hotels, which recently revealed that hackers had accessed the information of an <a href="https://www.businessinsider.com/marriott-starwood-hotel-hack-data-breach-how-to-check-if-you-were-affected-2018-11" data-wpel-link="external" rel="external noopener noreferrer">estimated 500 million customers</a>.</p>
<p>At the same time, data protection regulations around the world are becoming increasingly strict. One prominent example is the General Data Protection Regulation (GDPR) that went into effect in Europe last year. The GDPR is an overarching data protection law that applies to all European Union residents and is designed to make companies more accountable for the way they process personal data. While the rule is European in scope, it influences compliance and liability for any organization dealing with the personal data of EU citizens.</p>
<blockquote><p><strong><em>For the first time, information security and compliance has entered the top three drivers for digital transformation.</em></strong></p></blockquote>
<h4>Driver for Digital Transformation</h4>
<p>For these reasons, data security and compliance are increasingly driving organizational spending on digital transformation. In one AIIM International industry research report, “<a href="https://www.aiim.org/Resources/Research/Industry-Watches/2017/2017_Aug_Governance-and-Compliance" data-wpel-link="external" rel="external noopener noreferrer">Governance and Compliance: A Real-World View</a>,” organizations were asked to rank the top drivers for digital technology investment in their company. Improved process productivity (42%) and faster response (30%) remain at the top of common objectives, but for the first time information security and compliance has entered the top three drivers for digital transformation.</p>
<h4>Costly Breaches</h4>
<p>Is your organization at risk? Yes. Experts tell us that it’s not a matter of if your organization will be hacked, but when, and the chances that your organization will suffer a data breach this year are one in four. As the frequency of cyber-theft continues to grow, so too do the associated costs. <a href="https://www.ibm.com/security/data-breach" data-wpel-link="external" rel="external noopener noreferrer">One report from the Ponemon Institute</a> found that the global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent year over year to $148. The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims.</p>
<p>The real impact, however, is found in lost business and damaged goodwill in the market – both customers and Wall Street are wary after a breach. One good example is the archetypal breach at Target in December 2013, just weeks before the year-end holidays, which put the company in a tailspin. Five years later, the company still faces a number of government investigations and more than 80 lawsuits. Target incurred $61 million in costs associated directly with the incident at the time, but the total expense to the company is estimated to be between $500 million and $1 billion — and that’s on top of any sales lost as a result of customers avoiding its stores after the breach.</p>
<h4>Tools to Battle Cyber-Theft</h4>
<p>At Zasio, we’ve built some important tools to help battle cyber-theft, starting with <a href="https://www.zasio.com/technology-solutions/records-management-software/versatile-enterprise/" data-wpel-link="internal">Versatile Enterprise</a>™, a complete records management solution that allows users to manage all corporate records (physical and electronic) in one system, and then apply consistent retention policies to those records. The system works in the background to automatically calculate disposition dates (or suspend them for retention holds) of relevant records according to retention schedules, and will notify you when they are ready for transfer or destruction. <a href="https://www.zasio.com/technology-solutions/records-retention-software/versatile-retention/" data-wpel-link="internal">Versatile Retention</a>™ is our application in which users can research retention and privacy laws and create and maintain up-to-date retention schedules that protect the security and efficacy of important, private and sensitive information.</p>
<blockquote><p><strong><em>Experts tell us that the chances that your organization will suffer a data breach in 2019 are 1 in 4.</em></strong></p></blockquote>
<h4>It’s Not Always about Collecting More Data</h4>
<p>The specter of security and compliance demands greater levels of information governance. And it’s not always about collecting more data…sometimes you need to get rid of data that is no longer providing value but may represent a great risk to the organization. That is where strategic records retention policies and practices make a real difference in reducing risk to your organization. Consider these aspects as you design your strategies. Look for tools like Versatile Retention and Versatile Enterprise that allow you to take the right actions to properly secure and protect private information.</p>
<p>Unsure if your company’s data security is where it should be? Talk to our experts! Contact us today for a free demo or assessment.</p>
<p><em>Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.</em></p>
<p>The post <a href="https://zasio.com/redundant-obsolete-hidden-data-organization-risk/" data-wpel-link="internal">Is Redundant, Obsolete and Hidden Data Putting your Organization at Risk?</a> appeared first on <a href="https://zasio.com" data-wpel-link="internal">Zasio</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://zasio.com/redundant-obsolete-hidden-data-organization-risk/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
