George Despres, University Records Manager, Brandeis University
(The content in this blog reflects the opinions of the author, and not of Brandeis University)
One Size Doesn’t Fit All
There are many rich sources of information, and many great thought leaders, supporting the fields of Records Management (RM) and Information Governance. These resources provide solid arguments to justify and advocate for good records practices. However, a bulk of the writings and discourse in the profession assumes that the audience operates within highly-regulated, highly litigious institutions. Representatives from these institutions are prevalent at professional conferences. We think of (assume?) vertical industries like pharmaceuticals, finance, law firms, and public utility companies; we think of huge corporations churning out Fortune 500 record and litigation volume, and it is easy to envision round-the-clock hotbeds of high stakes record and data accountability. The nightmarish spoliation and botched eDiscovery news headlines, with their seven-digit fines, sanctions, and public humiliation, are evoked like cudgels against anyone who dismisses good record keeping in these hotbeds. This makes perfect sense for such institutions. Several years ago, I began my work in the RM field armed with my own “eDiscovery horror shows” PowerPoint slide, dedicated to this topic. And it didn’t work.
The problem was that I worked in a very private, government-funded, non-profit, R&D corporation. Sure, we had statutes like the Federal Acquisition Regulations that governed our record keeping. Yet my corporate counsel pointed out that “we only take one or two cases to court per year.” The same can be said for most small- to mid-sized colleges and universities that dot the map. Likewise, for small- and mid-sized businesses operating outside of the above mentioned hotbed industries. Granted, any records manager reading this can find good reasons for caring about the potential adverse impact of even one or two cases per year – low probability yet potentially high impact risk. But many senior leaders perceive this as a manageable risk: Witness the deflating results of the annual Cohasset Associates recordkeeping surveys. Most institutions are not doing RM, or they’re doing it half-baked. And, as an RM advocate in alternate industries, the negotiation challenge is greater: You simply can’t hang your hat on slam-dunk arguments that work for companies operating under Sarbanes-Oxley, continual lawsuit streams, and other such regulatory whips and chains.
Mining the Goldmine
So how do we advocate with a compromised litigation argument? The “good” news, at least from the standpoint of advocacy, is that records mismanagement abounds. While spoliation-specific headlines may not apply for many of us, other daily news headlines do. An effective combination of info security risk management and good business and info management arguments can be brought to bear using failure headlines to illustrate. This can serve as a useful promotional supplement for the hotbed records people, as well. The headlines are available in your daily newspapers; through the Twitter feeds and blogs of RM institutions, societies, and professionals; and certainly through the RM listserv, with Peter Kurilecz’s valuable postings therein. We can flexibly categorize these headlines while keeping an open mind for other categories to arise. Categories that I have created based on headlines from the past several months include:
- Application and electronic system failure
- Third party handling of personal or sensitive information
- Siloed information’s negative impact
- Inappropriate and embarrassing record exposures
- Careless over-retention or malicious destruction (not litigation-generated)
Application / electronic system failure: A solid example of this category is the failure last year of the Common Application, an online app that allows prospective college students to apply to over 500 colleges and universities through one interface. In 2013, applicants experienced problems, including browser incompatibility, which mis-formatted or failed to submit applications. Applicants panicked, and colleges had to delay their admissions deadlines to accommodate the error. While this might be considered “an IT problem” by some, it is very much a records problem – not just any records, but prospective student applications to colleges and universities. Furthermore, the deadline delay would affect the retention period for those colleges that define retention based on application submission date. Recent, parallel issues with the Affordable Care Act program, an Agriculture Department system failure that shut down meat inspection activities and forced reversion to paper records, and last year’s failure of the Massachusetts unemployment system illustrate that this category of mismanagement is not rare. Again, we must perceive these as records issues, not just technical ones, if we are to understand the full picture and impact. These aren’t just faulty systems; they are systems of record, and all institutions use systems of record.
Third party handling of personal or sensitive information: Good RM supports good information security, and every institution cares about information security. The RM discourse is rife with warnings about crossing the contractual t’s with third party vendors who handle private information, and headlines show why: The Boston Public Schools entrusted Plastic Card Systems of Northboro, MA with the creation of new middle and high school student badges. Information on 21,000 students was placed on a flash drive, which was lost by the vendor. And while Plastic Card Systems may have lost the flash drive, Boston Public Schools appeared in the news article – guilt by association. In a separate third party issue, a Colorado school superintendent seeking efficiencies found herself in a controversy with parents for placing student data on the cloud (somewhat behind closed doors). Almost all institutions engage third parties, the cloud is here to stay, and this category is all about records: Does your institutional leadership want to be in these types of headlines?
Siloed information’s negative impact: Some of you will recall a shooting last year in a Virginia Navy yard that left twelve people dead. The shooter, who had twice received U.S. Government classified security clearances, had an earlier record of gun violence in Texas: The dots between the criminal record and the clearance system were never connected. Information managers in general frown on siloed repositories, which can create much less violent, but still adverse, results for institutions. Look for examples in the headlines.
Inappropriate and embarrassing record exposures: While this story may also fall under the third party category, it reflects the dark side of flinging big data around: Mike Seay of Chicago received an envelope in the mail from OfficeMax. Under his name in the address field was the statement, “Daughter Killed in Car Crash.” He and his wife, had, indeed, lost their daughter to an automobile accident a year earlier. OfficeMax’s big data broker had somehow inserted this information upon a request for allegedly “non-personal” mailing list information. Between data volume and big data constituting a way of doing business for more and more institutions, the risk of plugging the wrong information into the wrong records increases. Enter records management.
Careless over-retention or malicious destruction (not litigation-generated): Adding to the recent NSA controversies regarding personal info retention, improper disposition and “digital hoarding” constitute another broad theme in the RM literature. The ACLU is fighting Connecticut law enforcement over five-year retention of data gathered from automatic license plate readers, including plate data unrelated to investigations. Conversely, an egregious email destruction case involved a Colorado school district directive instructing staff to delete all emails related to a particular student and his family. The parents were placing public records requests related to their autistic son’s behavior in class. The school district’s deletion motive was “to protect against” open records requests (!) This and other FOIA and open record cases remind us that there are many flavors of improper record destruction in addition to spoliation, while the over-retention argument is familiar to us all.
An abundance of rich news items illustrates the need for vigilant RM. Your internal audience can relate to headlines that touch everyday life, news, and experiences that we all share. Senior executives are wary of appearing in such headlines. The argument for solid RM is not constrained by lawsuits and intensive regulations. Records management and mismanagement touch many things, and this needs to be emphasized when we advocate for our institutions to do the right thing.