Red Teaming Your Information Governance Program

July 13th, 2017

George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

About Red Teaming

Have you deliberately challenged your own program plans and procedures recently? With a book on the topic, Bryce Hoffman defines red teaming as:

“ a… way to stress-test strategies, flush out unseen threats and missed opportunities, and execute more successfully…. [by] making critical and contrarian thinking part of the planning process.”

Red teaming (RT), with origins in the military, involves thinking differently and more objectively about your program, looking under rocks, and grasping alternative views of the way things are. “Murder boarding,” or grilling an idea or presenter before actual product delivery, is a similar approach to cleaning up planning and execution. However, RT acts upon live environments, not just rehearsals. And while Six Sigma identifies errors and deviations in programs, RT goes beyond this by also surfacing alternative and novel ideas, observations, and ways for improving things.

Our mission is greatly challenged by the dynamics of info generation and by rapid changes to info environments. Faced with these challenges, it is easy to fall into real-time, project-to-project, status quo thinking without thoroughly questioning where we are and where we are going. Program successes can render us dangerously comfortable. Professional or departmental groupthink can likewise soften our ability to evolve in changing environments. We must beware subtle complacency by stopping and kicking the tires in order to harden our programs.

RT philosophy is familiar to the cyber security community, which employs penetration (pen) testing and white hat, self-hacking activities. However, RT has applications across the IG spectrum, beyond info security. The following focuses on applying RT to these other areas of IG.


The Psychology of It All, or the “I’m Objective” Fallacy

Drawing on decision psychology research, Hoffman outlines categories of bias and natural thinking frameworks that can impede our view of actual situations, including:

  • Confirmation bias, where we give greater credibility to info that supports what we already believe (think politics).
  • Anchoring bias, where an initial value or offer ($50,000) narrows the range of possibilities (think Shark Tank).
  • Automation bias, where we fail to question automated system output after relying on it–this threat increases in our data analytics world.
  • Outcome bias, where we assume a positive outcome resulted from the right decision rather than from luck and other factors.
  • Status quo bias, which shouldn’t need any explanation here.

There are other types of bias, and RT brings a rigor and detached analysis that helps us to overcome them.


Executing Red Team Lite, or Lean Red Teaming

How do we apply RT to our programs? The solutions depend upon our resources, and I’ll assume that most of us don’t have much. Hoffman notes a range of possibilities, from hiring consultant teams or RT facilitators, to dedicated executive or rotating teams, to ad hoc RT using bits of red team philosophy. Participant selection should balance the needs of impartiality with enterprise and industry savvy. While whole standing teams are ideal, I’d suggest that “RT lite” or “lean RT” may be more realistically employed with scant resources. This can be performed through devil’s advocacy.

Devil’s advocates have long been paired with RT exercises. In his book Originals, Adam Grant shows that effective devil’s advocates need to be legitimate and sincere in their assessment of, or opposition to, the status quo–they shouldn’t be phony role players. The good news: most of us are armed with legitimate devil’s advocacy. How? By using the pushback that our programs actually face from naysayers and outright opponents within our organizations. The pains in our behinds–our biggest detractors–are actually doing us a favor and feeding us RT ammo.

The following are pushback comments that I and some of my colleagues have actually been confronted with. You will recognize them. Think up some of your own and add them to the list.

  • Digital storage is cheap. We’re good.
  • Why should we invest so much money in e-discovery preparedness when our business only takes one or two cases to trial per year?
  • Big data can make all sorts of correlations that we can’t imagine today. We need to keep all of our data lake content to be able to harness its potential value. Data that looks useless now could be critical in the future and pay off big time. There’s a baby in the bathwater.
  • [Senior executive:] You can’t expect me not to use WhatsApp when I’m doing business on the road.
  • We have plenty of locked basement spaces on our corporate campus. Why do we need to pay more for offsite vendor storage?
  • So you’ve published the retention schedule. Is everyone really implementing its policies consistently?
  • [IT manager:] We don’t need your input on the new ERP system. This is a technology solution.
  • My department’s (generic) file share is much easier to use than the document management system, which I hate.
  • We have cyber security in place. Why should we worry about other info management functions? Sounds like a “nice to have” that we can’t afford.

Now, take some time with smart colleagues and respond to each of these with respect to your IG or RIM program. Capture your responses, state each problem, brainstorm alternative possibilities, and thoroughly review them with your group. Draw up and assign actions based on this review.

Hopefully, this serves as a modest starting point for you to apply more red team thought and approaches to your specific program. There’s further RT reading, such as Hoffman’s book (never met him) and, that can help you to apply it in a more thorough manner if resources allow. At the very least, question your IG program, belief system, and biases often. This will reduce the possibility of getting blindsided. The passive perish and the complacent crumble.

What Is Our Professional Future?

September 19th, 2016


George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

Like most people, I prefer to have a reasonable sense of job security, as long as my interest is engaged. I hope and need to remain in the workforce for many more years. At the risk of sounding alarmist, I have concerns about the records management profession’s long-range future. We are members of a resilient and passionate profession, given the challenges we face in an exponentially growing and complicated digital world. While this posting will pose some observations, I hope that it is received as more of a thought- and answer-provoking question–what will our professional future look like?

Chaotic, Counter-Control Culture 

A recent futurist reading binge has been an exercise in masochism, or deer-in-the-headlights simulation, or emperor’s new clothes realization. In The Inevitable: Understanding the 12 Technological Forces That Will Shape Our Future, Kevin Kelly, co-founder of Wired, traces the current and future evolution of our digital culture, and by culture I mean the way most people are interacting, and will increasingly interact, with information. He argues that, looking back from the year 2050, the first few decades of the digital revolution that we’ve experienced as a sort of Phase I will seem marginal when compared with what’s coming in Phase II after 2016. Our profession has been playing catch-up all along during Phase I. If Phase II is even more disruptive, where will that leave us?

Flow of information (“extravagant dissemination,” “ad hocracy”), Kelly argues, is everywhere and inevitable. Mass duplication and the decrease of fixity are two considerable pieces of it; a perpetual state of becoming (i.e., continually and repeatedly adapting to the next, fast-moving technology) is another related, future factor, Kelly says. When we consider that fixed, controlled records following recordkeeping principles and information governance are typical objectives in our programs, it’s not unreasonable to get a little scared by this. Reading through Kelly’s book as a records manager or archivist is an exercise in marathon squirming. He lays out, in hard-to-contradict ways, how the evolving digital world is and will be contrary to (our) traditional goals of information control, accountability, protection, and validation, among others. IMHO, we should already get gold medals for braving it to date. It’s like trying to eat a big ice cream cone in 100-degree heat and keeping your hands clean.

While we’ve long talked about the challenges of “volume, velocity and variety,” fluidity has trumped and will trump fixity in many places. Stable artifacts are succeeded by glimpses, fragments, and streams of distributed information. Sequence reordering, common acceptance of raw info, snipping and morphing pieces of information assets and radically repurposing them, and personalized tweaking and re-tweaking across multiple formats, apps, and media without version control are ubiquitous and here to stay. Doesn’t sound like RIM/IG to me.

Trouble in the House

And then there’s organizational chaos (pardon the oxymoron): within most institutions, parallel, siloed information storage is here to stay. Our decades old dream of one controlled, master enterprise repository that all employees responsibly and diligently use is normally just that – a dream. Unless you are in a highly-regulated, Big Brotherish, org culture–and even then–employees will use their generic file shares, and Dropbox, and Sharepoint, and Box, and Google Docs, and 2 MB Gmail attachments sent to twenty people, and thumb drives, and home PCs, and unauthorized personal devices, and BYOD devices, and unsaved electronic white boards, and VR and augmented reality spaces, and cooked books, and any of hundreds of IM/file loading cloud apps, and other rogue silos, with many new ones on the way.

A recent Iron Mountain US government employee survey cited the skills gaps that need to be closed by tomorrow’s info pro. The ability to manage enterprise records “regardless of format” is still emphasized as one of them: we’ve long had “regardless of format” in our definitions, but most of us still haven’t corralled what our organizations have generated to date, according to bleak industry surveys (e.g., AIIM, Cohasset) and to the fact that Iron Mountain is still calling out basic digital format coverage as a problem.

The Rise of the Machines (and Software)

As Alec Ross suggests in The Future of Industry, enhanced artificial intelligence (AI), in combination with blockchain technology, threatens to remove intermediary and gatekeeper roles in several industries, even out-Ubering Uber through pure peer-to-peer ride agreements and mesh networks. AI covers the thinking and blockchain covers evidence fixity through distributed crowd-witnessing (public ledgers). Massive information analysis, tagging, metadata assignment, and classification are a few of those roles that smart machines, once trained, may cover completely: many on the legal side of our profession have already experienced this through technology-assisted review. There are dissenters to the blockchain growth argument. However, the technology has been around for seven years, new applications are emerging, and many huge companies are spending lots of money on blockchain technology development in new sectors while providing blockchain-based services today, despite bitcoin hacks and ransomware incidents in the financial arena.

The “public ledger” role and “smart contract” applications of blockchain already in existence sound suspiciously familiar to our turf, and they’re handled by encryption keys and code, not by people. As expert Vicki Lemieux and her U of BC team simply put it, “Blockchain technology is fundamentally a recordkeeping technology.” No red herring here. Given what some tech assessments portend (and I hope they’re wrong), the only remaining human task for RMs may one day be to manage residual paper files and press the “Are you sure you want to delete?” button – if we still want to rely on any human intervention at all. So, not only is what we are trying to control becoming more uncontrollable and chronically changeable; the very technical solutions to these control and validation challenges will either radically redefine our work or put us out of work. But don’t jump off the bridge yet.


Our job isn’t going away tomorrow morning. We still have big paper footprints and offsite storage arrangements with vendors, who are still adding warehouse space to accommodate growing customer deposits. Organizations don’t want ugly headlines, and some actually do something about it through our services. We can also partner with technology in the near term to mitigate the chaos-for example, using R programming tools to mine text, categorize, cluster, and de-duplicate unstructured data collections. As a profession, we must closely follow blockchain and other relevant technology developments, from CRM, IGP, and CIP exam content, to our conference sessions, to our social media feeds. Gaining analytics skills can also enable us to continue our work into the next-gen environment. The Iron Mountain survey referred to above states that analytics skills are a key proficiency in closing info pro gaps between now and the future.

Perhaps we’ll assume more of a track, analyze, report, and consult responsibility and less of a custodial one. Perhaps we will monitor massive data grid activity. Perhaps cloud brokers will offer some sort of information control as a service (ICaaS). Perhaps we will all just work in information security. But as the machines mature even more, can we continue to use new technology advances to redefine our job, rather than being gobbled up by the technology? And can we keep up with emerging IoT (Internet of Things) platforms, where almost every object will be a substrate covered with sensors, chips, and monitors fire-hosing data all over the place? Big data being managed today is but one dimension of a much more complex future environment. Maybe we will rise to the bigger challenges, despite a rather slumbering digital precedent.

I don’t have any good answers yet, but would pose the following questions to my good colleagues, many of whom are much more tech and industry savvy than yours truly: how will we adapt to manage and control liquid information that is always in flux? What level of information control must we concede in a digital culture of independence and flow? With information lifecycle analysis increasingly covered by AI machines like Watson, where will we come in, or not come in? What will our jobs look like in 10-15 years, and how much will we need human intervention for information control?

The Information Management Umbrella

July 28th, 2016


George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

A colleague at another university recently polled a listserv group of records managers in Higher Ed. The survey probed the records management programs’ locations within the organization. The last “extra credit” question was whether or not we would recommend our current organizational locations. Your industry may dictate your relationship with your library people, if you even have a relationship with them. In academia, records management tends (not exclusively) to be grouped organizationally with library and archival units.

I recently presented an RM program review to my Brandeis library colleagues and noted this rather strange RM fit: humanities research, cultural heritage, instructional design, open scholarly access, and… RETENTION SCHEDULE?! In one sense, we are the Charlie Brown of an academic library department. A business suit among tie-dyes and flip-flops. On the other hand, I hope to show that we’re ultimately unified.

In her excellent Domesticating Information (p. xix), Carol Choksy distinguishes the “two cultures of understanding” between records management and library science. Records management, she states, “is pragmatic, utilitarian and rigorous; library and information science are creative and open to exploration.” While I wouldn’t contend that library and info science is never rigorous, that RM can’t be exploratory—it must be—and that information science is the exclusive domain of the library, Choksy’s “two cultures” point is correct.

After reflection on my academia colleague’s survey questions, I came to the conclusion that, while RIM/IG is a curious fit within the academic library and archives culture, I couldn’t think of another place in my organization where my program would perfectly align. Legal blesses final versions of the retention schedule before publishing, but that’s the primary touch point. I partner with our Chief Info Security Officer on projects and share his vigilance under the broader governance umbrella, but I am not responsible for endpoint detection and response, authentication protocols, malware interception, and honeypots. Interesting stuff, but beyond my job function. While we seek to influence good recordkeeping practices across the university, we also support client services (scanning, storage, shredding) that wouldn’t nestle under the COO office, either. And our legacy paper-based services, along with the business-side mission focus, preclude seamless IT departmental membership, though some academic RM programs are understandably going in this direction. We engage with stakeholders from all over the institution, with the objective of identifying, controlling, managing, purging, and facilitating optimal access to their information.

In a two-part series earlier in this blog, I covered some of the differences and similarities between records managers and archivists, who also tend to align with academic library units organizationally. Despite a somewhat parallel relationship history, the two professions have developed several nodes of integration over the last two decades, as I illustrated. The broader, shared information management responsibilities of records managers and archivists prove to be the connecting points for collaboration.

While I don’t seek to focus on the Info Governance versus RIM distinctions here, one commonality between IG and RIM (at least in the acronyms) is the “I.” We can add library professionals to this aggregation. The Info Management umbrella doesn’t detract from IGP, CRM, CIP, CA, CISM, MLS, or other related and specialized credentials.  It’s relatively accessible to the layperson. Information is not bound by format, covering structured and unstructured data, as well as complex multimedia products. News items toward the front of ARMA’s own Information Management publication cover a vast range of topics and disciplines. IM unites a broad consort of people who identify information, try to anticipate, organize, protect, and control it, and/or get it to people who need it, when they need it. All or most of us were caught flat-footed (to varying degrees) by the digital revolution and were slow to adapt to it. All of us value sufficient metadata and information context. All of us seek to sift out and steward good information and jettison the bad. All of us care more about the content value than the content vehicles, as IT does (not that we don’t care about the modes of transportation).

I am foremost an information manager. And united we stand—as a massive army for good information practice.

Establishing Records Management at Brandeis—The First Eighteen Months

May 28th, 2015


George Despres, University Records Manager, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

What a year and a half it has been! The Brandeis University Records Management (URM) program has much in front of it, but some solid foundational accomplishments behind it. As we know, developing and growing a records program is challenging:

  • most people don’t get our objectives despite the fact that records, their mismanagement, and associated risks are ubiquitous—witness the daily news.
  • “volume, velocity, and variety,” along with fast and fluid enabling technologies, make electronic records control or IG increasingly difficult—let’s be honest, we are reduced to mitigation (realist, not defeatist).
  • the many fronts that records touch within the organization make us feel like we need an army to even chip away at solutions. And of course, we’re all fully staffed, right?

While the inaugural eighteen months for the URM program here have not been perfect, a broad retracing of them may be helpful to others planning or beginning to execute programs at their institutions.

Learn the Institution

It begins with fact-finding: gathering information, learning the institution, meeting with stakeholders from various functions. We held over fifty stakeholder meetings between October of 2013 and April of 2015. These ranged from one-on-ones to a surprise fifty-person audience of administrators for an entire school (my meeting invitation indicated eight people attending, and I walked into a function hall—should have cased the joint). We were proactive with offers to present on the program at any venue. We made early acquaintances with Legal and Information Security leaders. Socializing the program, covered in an earlier piece, consisted of walking through stakeholder needs and processes and offering helpful services, so that our stakeholders were initially treated like clients, not delinquents. First impressions are everything and best made by offering assistance. Another point to consider is stakeholder busy seasons—I learned the hard way that it was unwise to request information from our registrar before commencement, when he is slammed verifying student credentials. An equivalent would be asking Procurement people to collaborate at the end of the fiscal year.

The institutional intranet is gold: manuals walk through key functions and records transactions; departmental service pages enable you to prepare for stakeholder meetings in advance and hit the ground running with targeted questions; organization charts tell you who is where and under/above whom while bunching institutional functions for the schedule; online forms enable you to begin compiling the document type inventory and to determine what paper forms can be replaced by electronic ones; policies and procedures trace processes, roles, governance, and how things should be done; and institutional mission and values help you to align the communication themes of your program. Books on institutional functions, like finance, law, student records, HR, advancement, etc., in higher education (substitute your vertical market) were invaluable not only in getting up to speed with the industry, but also in empathizing with various university functions and their professionals. It’s about points of view.

Services and Stakeholders

Our initial client service engagements—managed offsite storage and retrieval, secure document shredding, digitization, and, recently, electronic redaction—began in March of 2014. Since then, we grew to over forty-five service engagements with departments and people from across university functions, academic and administrative. Most of these engagements were outcomes of the initial stakeholder meetings, but several came to us by word of mouth. Many are ongoing. We’ve placed over 1,000 boxes in managed offsite storage, and we’ve sited twenty secure, sensitive-document shredding bins across campus, emphasizing the difference between these and open recycle bins. January customer satisfaction survey results, though modest in size (twelve respondents), showed that 100% would recommend our services to others in the university. Yes, my management chain is aware of this.

Supporting and maintaining these services has been clumsy at times. Visiting vendor drivers don’t know the Byzantine campus layout. I’ve frequently compensated by shoving boxes into my car and shuttling them to and from client buildings within the labyrinth (and losing my precious parking space). Substitute drivers from our shredding vendor (which, oh, by the way, just merged not seamlessly with another vendor) need to be manually escorted to all of the secure shredding stations on campus, since the directions couldn’t possibly be written or verbally communicated (“go by the big oak tree and kind of bear right… well, it looks like one building but there are really two named buildings within one….” etc.). In one case, we had an oversized vendor truck get stuck between a building, a ledge, and a tree for about twenty-five minutes. Another challenge has been queuing up boxes for vendor services—some of our clients have asked for services but lacked the resources to prepare their own records for storage or scanning services. We enlisted student assistant labor to address some of these instances, but there have been “we’re too-busy” bottlenecks delaying opportunities to get boxes out the door and to the vendors.

Electronic Stuff and Leadership Buy-in

I understand that all of this talk about boxed physical records will make many twenty-first-century records professionals cringe. So: with document scanning services, we were digitizing for clients, but then in some cases being asked what to do with the digital files. Alongside legacy Google Drive and Dropbox environments, Brandeis has established a Box environment as a competitively secure, yeoman’s, cloud-based file sharing and collaboration option, with some lightweight “document management” capabilities and architecture, like task assignment, open APIs, a growing app plug-in environment and a promising roadmap with respect to information lifecycle management.  ILM was absent from, false, or shabby in many last-generation electronic document and records management products.  And we communicate directly with Box product reps who will responsively speak with you even if you’re not part of a Fortune 500 company (no, I’m not on Box’s payroll, and much remains to be seen from them). Again, it’s mitigation, if not a 100% elegant solution.

In terms of program growth, a key turning point for us was a records program briefing to our senior leadership arranged by my CIO last June. We are very fortunate to be developing the program at a time when many changes are happening and are relatively well received by key decision-makers.  One highlight of the leadership briefing was a picture slide that showed a 1994 student paper headline about confidential records found in an open recycle bin. Next to this image was a photo of tumbled boxes from one of many basements we are surveying after fifty years of boxed records drop offs. The images won a collective gasp from the leadership team.

Any institution with decades of minimal records management will have similar photo ops, and no sane and responsible person wants to be associated with or dismiss these images. Pictures are powerful, and the outcomes were significant. Deans of the colleges were especially receptive—we initially thought that the independent academic units in a distributed institutional culture would be tougher to engage on the subject of records control—but I was almost immediately put in touch with people who gave me audiences in all of our schools, which now constitute half if not most of our service engagements. To be fair, some luck and right-place-at-the-right-time has assisted us in advancing the program. Full support from my management and a reasonable operational budget have also been key. We can’t assume that these pieces are in place at other institutions.

Communication Tools and Policy

Underlying communication tools were leveraged early in the game to support the program: a “LibGuide” (Library Guide) reference page with an overview of the program and guidelines, an email service account, a listserv, to which I push a highly selective and small subset of records management news kindly brought to us by Peter Kurilecz and many others, a more formal intranet presence, under construction, and this blog. All of these get the URM word out in one way or another. Others, like brief and bang-bang, YouTube-style training videos, are planned.

Our retention schedule is one area in which I am disappointed with our progress. We’ve populated a few items, but other program activities have occupied the bulk of our time expenditure, and some collaborators have, with reason, delayed the process. We will be focusing on filling it out over the next phase of our work, as retention policy and getting people to follow it is core to the program. Collaborating with stakeholders to build their respective departments’ policies will help to ensure compliance, since they sign off before final legal review, and our services have already established bonds with many of them. The bottom line is that we can’t do everything, especially when our dedicated staff consists of one part-time student assistant and me. But retention policy is one area to catch up in order to keep the evolving program balanced.

The Way Forward, and a Challenge to Colleagues

Other next steps include forms management, especially eradicating paper forms; knowledge management guidance; TAR/text mining to cluster legacy content for disposition; Gmail curation; and developing needs assessments, requirements, and use cases for electronic document and records management systems, piloting with our Advancement department (vendors: please hold off for now). Our approach is obviously to plan but to also look for relatively quick, point-to-point wins that don’t require lots of posturing, hot air meetings, rabbit holes, plans of the plans, and 100% perfect conceptual frameworks that are never realized.  This approach has served us well to date.

So, that’s where we are. I hope that some of this will resonate with, if not help, colleagues fighting the same battles. I believe that we need less generic “Big Data!” “BYOD!” “ROI!” sales-type and corporate-heavy rhetoric and more institutional case studies and stories in the open RM literature (and outside of the expensive RM conferences). We need more tales from the trenches that can scale or be adapted to other institutions, including modest ones. What are we doing now, on the ground? Where are YOU at?

Promoting Records Management, For the Rest of Us

April 1st, 2014


George Despres, University Records Manager, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University)

One Size Doesn’t Fit All

There are many rich sources of information, and many great thought leaders, supporting the fields of Records Management (RM) and Information Governance. These resources provide solid arguments to justify and advocate for good records practices. However, a bulk of the writings and discourse in the profession assumes that the audience operates within highly-regulated, highly litigious institutions.  Representatives from these institutions are prevalent at professional conferences. We think of (assume?) vertical industries like pharmaceuticals, finance, law firms, and public utility companies; we think of huge corporations churning out Fortune 500 record and litigation volume, and it is easy to envision round-the-clock hotbeds of high stakes record and data accountability. The nightmarish spoliation and botched eDiscovery news headlines, with their seven-digit fines, sanctions, and public humiliation, are evoked like cudgels against anyone who dismisses good record keeping in these hotbeds.  This makes perfect sense for such institutions.  Several years ago, I began my work in the RM field armed with my own “eDiscovery horror shows” PowerPoint slide, dedicated to this topic. And it didn’t work.

The problem was that I worked in a very private, government-funded, non-profit, R&D corporation.  Sure, we had statutes like the Federal Acquisition Regulations that governed our record keeping. Yet my corporate counsel pointed out that “we only take one or two cases to court per year.” The same can be said for most small- to mid-sized colleges and universities that dot the map. Likewise, for small- and mid-sized businesses operating outside of the above mentioned hotbed industries.  Granted, any records manager reading this can find good reasons for caring about the potential adverse impact of even one or two cases per year – low probability yet potentially high impact risk.  But many senior leaders perceive this as a manageable risk: Witness the deflating results of the bi-annual Cohasset Associates recordkeeping surveys. Most institutions are not doing RM, or they’re doing it half-baked. And, as an RM advocate in alternate industries, the negotiation challenge is greater: You simply can’t hang your hat on slam-dunk arguments that work for companies operating under Sarbanes-Oxley, continual lawsuit streams, and other such regulatory whips and chains.

Mining the Goldmine

So how do we advocate with a compromised litigation argument?  The “good” news, at least from the standpoint of advocacy, is that records mismanagement abounds. While spoliation-specific headlines may not apply for many of us, other daily news headlines do.  An effective combination of info security risk management and good business and info management arguments can be brought to bear using failure headlines to illustrate.  This can serve as a useful promotional supplement for the hotbed records people, as well.  The headlines are available in your daily newspapers; through the Twitter feeds and blogs of RM institutions, societies, and professionals; and certainly through the RM listserv, with Peter Kurilecz’s valuable postings therein. We can flexibly categorize these headlines while keeping an open mind for other categories to arise.  Categories that I have created based on headlines from the past several months include:

  • Application and electronic system failure
  • Third party handling of personal or sensitive information
  • Siloed information’s negative impact
  • Inappropriate and embarrassing record exposures
  • Careless over-retention or malicious destruction (not litigation-generated)

Application / electronic system failure: A solid example of this category is the failure last year of the Common Application, an online app that allows prospective college students to apply to over 500 colleges and universities through one interface. In 2013, applicants experienced problems, including browser incompatibility, which mis-formatted or failed to submit applications.  Applicants panicked, and colleges had to delay their admissions deadlines to accommodate the error.  While this might be considered “an IT problem” by some, it is very much a records problem – not just any records, but prospective student applications to colleges and universities. Furthermore, the deadline delay would affect the retention period for those colleges that define retention based on application submission date.  Recent, parallel issues with the Affordable Care Act program, an Agriculture Department system failure that shut down meat inspection activities and forced reversion to paper records, and last year’s failure of the Massachusetts unemployment system illustrate that this category of mismanagement is not rare.  Again, we must perceive these as records issues, not just technical ones, if we are to understand the full picture and impact. These aren’t just faulty systems; they are systems of record, and all institutions use systems of record.

Third party handling of personal or sensitive information: Good RM supports good information security, and every institution cares about information security. The RM discourse is rife with warnings about crossing the contractual t’s with third party vendors who handle private information, and headlines show why: The Boston Public Schools entrusted Plastic Card Systems of Northboro, MA with the creation of new middle and high school student badges.  Information on 21,000 students was placed on a flash drive, which was lost by the vendor.  And while Plastic Card Systems may have lost the flash drive, Boston Public Schools appeared in the news article – guilt by association. In a separate third party issue, a Colorado school superintendent seeking efficiencies found herself in a controversy with parents for placing student data on the cloud (somewhat behind closed doors).  Almost all institutions engage third parties, the cloud is here to stay, and this category is all about records: Does your institutional leadership want to be in these types of headlines?

Siloed information’s negative impact: Some of you will recall a shooting last year in a Virginia Navy yard that left twelve people dead. The shooter, who had twice received U.S. Government classified security clearances, had an earlier record of gun violence in Texas: The dots between the criminal record and the clearance system were never connected. Information managers in general frown on siloed repositories, which can create much less violent, but still adverse, results for institutions. Look for examples in the headlines.

Inappropriate and embarrassing record exposures: While this story may also fall under the third party category, it reflects the dark side of flinging big data around: Mike Seay of Chicago received an envelope in the mail from OfficeMax. Under his name in the address field was the statement, “Daughter Killed in Car Crash.” He and his wife, had, indeed, lost their daughter to an automobile accident a year earlier. OfficeMax’s big data broker had somehow inserted this information upon a request for allegedly “non-personal” mailing list information.  Between data volume and big data constituting a way of doing business for more and more institutions, the risk of plugging the wrong information into the wrong records increases. Enter records management.

Careless over-retention or malicious destruction (not litigation-generated): Adding to the recent NSA controversies regarding personal info retention, improper disposition and “digital hoarding” constitute another broad theme in the RM literature. The ACLU is fighting Connecticut law enforcement over five-year retention of data gathered from automatic license plate readers, including plate data unrelated to investigations.  Conversely, an egregious email destruction case involved a Colorado school district directive instructing staff to delete all emails related to a particular student and his family.  The parents were placing public records requests related to their autistic son’s behavior in class.  The school district’s deletion motive was “to protect against” open records requests (!) This and other FOIA and open record cases remind us that there are many flavors of improper record destruction in addition to spoliation, while the over-retention argument is familiar to us all.

An abundance of rich news items illustrates the need for vigilant RM. Your internal audience can relate to headlines that touch everyday life, news, and experiences that we all share. Senior executives are wary of appearing in such headlines. The argument for solid RM is not constrained by lawsuits and intensive regulations. Records management and mismanagement touch many things, and this needs to be emphasized when we advocate for our institutions to do the right thing.

Protected by Akismet
Blog with WordPress

Welcome Guest | Login (Brandeis Members Only)