ARMA International, Volume 45, Number 6
Information Management, November/December 2011
IN FOCUS: A Message from the Editor
UP FRONT: News, Trends & Analysis
Emergency! How to Build a Document Unit for Hazardous Incident Response, by John Kain
Rule 30(b)(6) Deposition Mystery Revealed: What Records Professionals Need to Know, by Stacy Jackson
GARP® SERIES: Leveraging GARP® to Ensure Employee Engagement, by Charity Whan
RIM FUNDAMENTALS: How to Avoid Disaster: RIM’s Crucial Role in Business Continuity Planning, by Virginia A. Jones, CRM, FAI
BUSINESS MATTERS: Dodd-Frank Act Puts Focus on Information Governance, by Fred Pulzello, CRM, and Sonali Bhavsar
IN REVIEW: Lifting the Fog on Cloud Computing, by Julie Gable, CRM, FAI
AUTHOR INFO
ADVERTISING INDEX
November/December 2011 VOLUME 45 NUMBER 6
Publisher Marilyn Bier
Editor in Chief Vicki Wiler
Managing Editor Amy Lanter
Associate Editor Nikki Swartz
Art Director Brett Dietrich
Advertising Sales Manager Elizabeth Zlitni
Editorial Board
Barbara Benson, Director, Records Management Services, University of Washington
Alexandra Bradley, CRM, President, Harwood Information Associates Ltd.
Marti Fischer, CRM, FAI, Corporate Records Consultant, Wells Fargo Bank
Paula Harris, CRM, Director, Global Records Management, Georgia Pacific
John Montaña, J.D., FAI, General Counsel, Montaña and Associates
Preston Shimer, FAI, Administrator, ARMA International Educational Foundation
Information Management, (ISSN 1535-2897) is published bimonthly by ARMA International. Executive, editorial, and advertising offices are located at 11880 College Blvd., Suite 450, Overland Park, KS 66210.
An annual subscription is included as a benefit of membership in ARMA International. Nonmember individual and institutional subscriptions are $115/year (plus $25 shipping to destinations outside the United States and Canada).
ARMA International (www.arma.org) is a not-for-profit professional association and the authority on managing records and information. Formed in 1955, ARMA International is the oldest and largest association for the records and information management profession with a current international membership of more than 11,000. It provides education, publications, and information on the efficient maintenance, retrieval, and preservation of vital information created in public and private organizations in all sectors of the economy.
Information Management welcomes submissions of editorial material. We reserve the right to edit submissions for grammar, length, and clarity. For submission procedures, please see the “Author Guidelines,” at http://content.arma.org/IMM.
Editorial Inquiries: Contact Amy Lanter at 913.217.6007, or by e-mail at [email protected].
Advertising Inquiries: Contact Karen Lind Russell or Krista Markley at 888.277.5838 (US/Canada), +1 913.217.6022 (International), +1 913.341.3742 (Direct), or [email protected].
Opinions and suggestions of the writers and authors of articles in Information Management do not necessarily reflect the opinion or policy of ARMA International. Acceptance of advertising is for the benefit and information of the membership and readers, but it does not constitute official endorsement by ARMA International of the product or service advertised.
© 2011 by ARMA International.
Periodical postage paid at Shawnee Mission, KS 66202 and additional mailing office.
Canada Post Corp. Agreement No. 40035771
Postmaster: Send address changes to Information Management, 11880 College Blvd., Suite 450, Overland Park, KS 66210.
Are You Ready? Getting Back to Business After a Disaster
A Message from the Editor

Of more than 200 IT leaders who responded to a CDW “2010 Business Continuity Straw Poll” (www.computeruser.com), 25% indicated that in 2010 they had experienced a significant network disruption that lasted more than four hours. CDW estimated these disruptions cost those companies $1.7 billion in profits, based on the average number of days closed and the average daily profits of U.S. businesses.

The survey results also revealed that 82% of the most significant network disruptions could be reduced or prevented by implementing a comprehensive business continuity/disaster recovery (BC/DR) plan. But, although the vast majority of respondents indicated they were taking steps to improve their disaster recovery capabilities, 20% indicated they were not.

Information Management (IM) readers, who, no doubt, are on the proactive side of that group, will find that ARMA International’s recently published Emergency Management for Records and Information Programs, 2nd Ed., is an indispensable resource for beefing up their business continuity plans. (It is available for purchase at www.arma.org/bookstore.) This issue of IM also addresses the importance of a BC/DR plan for protecting vital records and information.

In his cover article, “Emergency: How to Build a Document Unit for Hazardous Incident Response,” John Kain explains how a strong records and information management (RIM) program provides a solid foundation for building a highly skilled document unit to respond to hazardous incidents.

RIM is important to all aspects of risk mitigation, disaster response, and disaster recovery, affirms Virginia A. Jones, CRM, FAI, in “How to Avoid Disaster: RIM Plays a Crucial Role in Business Continuity Planning.” Often, though, RIM is not included in the business continuity plan; if not, it will need to be part of subsidiary plans.

A strong RIM program will also pay off during litigation. In her article, Stacy Jackson explains the Federal Rules of Civil Procedure Rule 30(b)(6) deposition process. Because records professionals are likely candidates to be deposed about how business information is created, stored, safeguarded, and disposed of, Jackson clarifies their responsibilities and provides strategies for preparing for this deposition process.

A common thread through this issue’s articles is how important good information governance is to business success. In this issue’s Generally Accepted Recordkeeping Principles® (GARP®) Series article, Charity Whan explains how her law firm instituted a GARP® Employee Scorecard evaluation system to get employees engaged in its GARP® initiatives.

Speaking of GARP®, Fred Pulzello, CRM, and Sonali Bhavsar, in “Dodd-Frank Act Puts Focus on Information Governance,” explain how implementing management tools, such as GARP®, is an important step in complying with the act’s regulatory reporting requirements.

As always, if you have suggestions or comments, please contact me at [email protected].

Amy Lanter
Managing Editor

Correction: Our apologies to Julie Colgan, CRM, for mistitling her article in the September/October 2011 issue of IM and omitting her bio. See the online issue at http://content.arma.org/IMM for her correctly titled article, “Stay Out of the Spotlight: Retention and Disposition According to GARP®,” and her bio.
News, Trends & Analysis

E-DISCOVERY
Delaware Court Focuses on ‘Unallocated Space’

In a recent decision, the Delaware Supreme Court indicated that preservation duties may extend to unallocated space on computer hard drives.

Experts said the decision in Genger v. TR Investors, LLC reveals the increasing level of sophistication with respect to identifying and preserving electronically stored information (ESI) that courts expect parties embroiled in litigation to achieve – and that courts nationwide are increasingly imposing a higher level of sophistication and understanding when determining e-discovery obligations.

In Genger, the Delaware Supreme Court upheld severe sanctions against a litigant who knowingly and intentionally spoliated evidence despite a court order. The decision turned on the destruction of unallocated space on a computer hard drive.

Every computer hard drive has “allocated” space that is assigned by the system to hold specific programs, documents, applications, and other data. “Unallocated” space is the part of the hard drive that is considered empty because no data has been purposefully stored there.

However, computers use unallocated space for temporary storage of transient data. So when a file is intentionally deleted by a user, the data is typically not erased from the hard drive. The computer marks the hard drive locations associated with the file as unallocated space, which makes the space available to be overwritten with new data. That means files that have been deleted but not yet overwritten with new data can often be recovered using forensic technology.

In Genger, however, the defendant intentionally wiped the unallocated space of a relevant hard drive – making it impossible to recover those files even with forensic methods – despite the Delaware Chancery Court’s previous “Status Quo Order” that prohibited both parties from “tampering with or in any way disposing of any related documents, books or records.”

The plaintiffs subsequently identified several documents and/or e-mails that should have been found, and there was evidence suggesting that the unallocated space of Arie Genger’s (founder and chief executive officer of Trans-Resources, Inc.) work computer had been wiped with a program called “SecureClean.”

Genger said he had been worried that unencrypted high-security documents not related to the case existed on the unallocated space, so he had agreed with his company’s technology consultant’s recommendation to wipe it.

The Chancery Court had found that Genger violated the Status Quo Order and concluded that the plaintiff wiped the unallocated space not only to protect the high security documents but also to limit the information available to the plaintiff. As a result, the court:
• Increased Genger’s burden of proof from a “preponderance of the evidence” to “clear and convincing evidence”
• Ruled that Genger’s uncorroborated testimony would not be permitted to establish any material fact
• Awarded the plaintiffs $750,000 in attorney’s fees plus an additional $3.2 million in compensation for expenses stemming from investigating and litigating Genger’s spoliation

In upholding the Chancery Court decision, the Supreme Court noted that Genger was not so much sanctioned for failing to preserve his unallocated free space, but rather for taking affirmative steps to destroy it. In fact, the court indicated that the outcome might have been different if the defendant had had a data retention policy that provided for regular wiping of unallocated space for business purposes.
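The mechanism described in the Genger item (a deleted file's data stays in unallocated space until it is overwritten or wiped) can be modeled in a few lines. This is an added example, not part of the original article: a constructed toy disk in Python, where the `ToyDisk` class, the file names, and the file contents are all assumptions made for illustration.

```python
BLOCK_SIZE = 16  # bytes per block in this toy model (assumption)


class ToyDisk:
    """Constructed model of a drive: raw data blocks plus a file table."""

    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(n_blocks)]
        self.table = {}  # file name -> (block indexes, size in bytes)

    def unallocated(self):
        """Indexes of blocks that no live file claims."""
        used = {i for idxs, _ in self.table.values() for i in idxs}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self.unallocated()
        if len(chunks) > len(free):
            raise OSError("disk full")
        idxs = free[:len(chunks)]
        for idx, chunk in zip(idxs, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.table[name] = (idxs, len(data))

    def read_file(self, name):
        idxs, size = self.table[name]
        return b"".join(self.blocks[i] for i in idxs)[:size]

    def delete_file(self, name):
        # Deletion only drops the table entry; the blocks keep their bytes
        # and simply become unallocated.
        del self.table[name]

    def wipe_unallocated(self):
        # Overwrite every unallocated block with zeros; live files untouched.
        for i in self.unallocated():
            self.blocks[i] = bytes(BLOCK_SIZE)

    def found_in_unallocated(self, keyword):
        # Simplified forensic keyword search over the unallocated blocks.
        residue = b"".join(self.blocks[i] for i in self.unallocated())
        return keyword in residue


def run_scenario():
    """Walk through delete, partial reuse, and wipe on constructed sample data."""
    disk = ToyDisk(8)
    disk.write_file("memo.txt", b"MEMO: transfer shares to trust on 12 May")
    disk.write_file("keep.txt", b"quarterly report")
    results = {}

    disk.delete_file("memo.txt")
    results["after_delete"] = disk.found_in_unallocated(b"trust")

    # A new file reuses the first freed block and overwrites part of the memo.
    disk.write_file("new.txt", b"lunch menu")
    results["header_after_reuse"] = disk.found_in_unallocated(b"MEMO")
    results["body_after_reuse"] = disk.found_in_unallocated(b"trust")

    disk.wipe_unallocated()
    results["after_wipe"] = disk.found_in_unallocated(b"trust")
    results["live_files_intact"] = (
        disk.read_file("keep.txt") == b"quarterly report"
        and disk.read_file("new.txt") == b"lunch menu"
    )
    return results


if __name__ == "__main__":
    for step, value in run_scenario().items():
        print(f"{step}: {value}")
```

The partial-reuse step shows why examiners image a drive early: ordinary use erodes unallocated data piece by piece, while a wipe removes all of it at once and leaves the live files looking normal.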
CLOUD
GSA Moves E-Mail to the Cloud

Contractors said they have moved all 17,000 General Services Administration (GSA) employees to a professional version of Gmail, making GSA the first of 15 federal agencies to move to cloud-based e-mail, Nextgov.com said.

Employees can access Google Apps for Government anywhere and from any device. GSA officials said the $6.7-million project would cut costs by half over the five-year contract period by reducing equipment and staff needs, according to Nextgov.com.

Unisys, which led the project, said the GSA deployment exceeds the data protection requirements implemented by the 2002 Federal Information Security Management Act by providing two-factor authentication. According to Nextgov.com, the sign-in process requires a password and a second piece of identifying information.

Unisys said it had to transfer 60 terabytes of data, or about 30,000 million typewritten pages, for GSA, which took about six months.

According to Nextgov.com, moving IT to the cloud is part of a federal effort to save $3 billion over five years by closing 40% of the government’s more than 2,000 data centers. About 195 are slated to close by the end of 2011, and the White House has announced it will close 178 next year.

Also by year’s end, the Agriculture Department will move the e-mail of its 120,000 employees to the Microsoft cloud, while the Commerce Department’s National Oceanic and Atmospheric Administration will transfer 25,000 personnel to Google’s service in December, Nextgov.com said.

DATA SECURITY
Survey: Managers Unaware of IT Data Access

Years ago, a company’s most valuable secrets were locked away in a filing cabinet with only one or two key holders. Today, in most firms, such information is locked in a virtual filing cabinet – and senior managers have no idea how many people have keys.

According to a recent survey, a company’s IT staff often has access to the company’s secrets, and senior management is often unaware. The survey of 500 U.S. and UK IT professionals revealed that 42% of IT staff can obtain unauthorized access to their organization’s most sensitive records, including the bosses’ documents. Thirty-nine percent said senior executives have no idea what IT can or cannot access.

Four of five (78%) IT professionals said they could, if they wanted to, leave the office with highly sensitive data, and one-third said they could access the same information even after leaving the company because of lapses in security practices, the survey found.

The survey, commissioned by identity management specialist Lieberman Software, also reveals a strong correlation between job security and the likelihood of stealing sensitive data: employees who fear losing their jobs are far more likely to steal confidential information (31%) than those who feel their jobs are secure (18%).

IT professionals working for smaller companies were more likely to be uncertain about the security of their current jobs, compared to those working in larger organizations, according to the survey.

Fortunately, IT professionals who abuse their administrative rights are not in the majority. The survey found that only 15% of UK IT professionals and 9% in the United States said they would use their privileges to snoop around the network for sensitive data, such as personnel records, to try and find out if their job, or a colleague’s job, was at risk.

“Nothing is secret or private unless you establish systems and procedures to lock down data from prying eyes and, according to our study, most organizations don’t,” said Philip Lieberman, president and CEO of Lieberman Software.
CYBERSECURITY
Cyber Breaches Hit 90% of U.S. Firms

According to survey results released in June 2011, 90% of U.S. businesses had experienced at least one cybersecurity breach during the 12 months previous to the survey of 583 U.S. IT professionals conducted by the Ponemon Institute. More than half (59%) experienced two or more breaches during the same time period.

The Juniper Network-sponsored survey also found that those breaches cost 41% of businesses at least $500,000 to address. Worse, such breaches appear to be increasing, with 43% of respondents indicating a significant increase in the frequency of cyber attacks over the 12 months studied. Seventy-seven percent said the attacks have become more severe or difficult to detect or contain.

Businesses of every type and size are vulnerable, the survey shows. The most severe consequences of any breach are information theft and business disruption, according to 59% of survey respondents. More than one-third (34%) of respondents who suffered multiple breaches said they have low confidence in the ability of their organization’s IT department to prevent a network security breach.

“Our survey research provides evidence that many organizations are ill-equipped to prevent cyber attacks against networks and enterprise systems,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “This study suggests conventional network security methods need to improve in order to curtail internal and external threats.”

Other key findings from the survey include:
• Only 11% of respondents know the source of all network security breaches.
• Fifty-five percent of the identified breaches cost companies between $250,000 and $1 million.
• Almost half (48%) of respondents cited complexity as one of the greatest challenges to implementing network security solutions, with the same percentage blaming resource constraints.
• Fighting cyber attacks can be made more effective by streamlining or simplifying network security operations, according to 76% of respondents.
• Twenty-eight percent are earmarking more than 10% of their budgets to security to address these issues.

The survey also revealed the most common ways for serious breaches to attack a firm: employee laptops (34%) and employee mobile devices (29%).
FREEDOM OF INFORMATION
Illinois: Law Targets Recurrent Records Requesters

A new law signed by Illinois Gov. Pat Quinn places restrictions on residents who repeatedly file open-records requests with their local government, school district, and county.

For the first time, local governments could consider anyone who files more than seven Freedom of Information Act (FOIA) requests in one week, or more than 15 a month, as a “recurrent requester,” according to the Chicago Sun-Times.

Current state law gives government entities five business days to respond to a records request, with the option of a five-day extension. But there is no deadline when a recurrent requester asks for information.

Quinn was criticized by government watchdog groups for signing the legislation into law. They said doing so has eroded the Illinois FOIA.

“It is disappointing that Gov. Quinn, who once cultivated an image of himself as an advocate of open government, has approved a bill that takes Illinois’ FOIA law backward,” said Whitney Woodward, a policy associate with the Illinois Campaign for Political Reform, which opposed the bill.

In a statement, the governor’s office did not directly address the criticisms, but did say the law will speed up response times for most requests by dropping a burdensome requirement established in 2009 that the attorney general’s office advise local governments whether their planned denials on certain exemptions were proper, the Sun-Times said.

The measure Quinn signed also allows local governments to impose potentially expensive new retrieval fees on companies that seek public records and no longer allows those businesses to appeal a records rejection with the attorney general’s office, according to the Sun-Times. The new law exempts the media, academics, and researchers from the recurrent requester rule.
STATE RECORDS
Texas Grants Access to ‘Archaic Records’

As of September 1, 2011, records closed in Texas by the Public Information Act become open when they turn 75 years old unless they contain the Social Security numbers of living individuals.

Prior to that date, Texas restricted access to public records either by exempting them from required disclosure or, on a case-by-case basis, by declaring them confidential in the statutes creating or defining them.

The legislature and governor have partially resolved the problem by enacting SB 1907. In addition to opening records that have reached 75 years old, another provision allows the legislature to stipulate another period for cases in which someone identifies information that should be closed longer than 75 years.

SB 1907 also reduces the time that birth records and health records are closed from 100 to 75 years. Other records affected include executive clemency records, the Texas National Guard service files, Confederate Women’s Home resident files, and school records.

SB 1907 did not address some 175 record types deemed confidential by other statutes, including juvenile, grand jury, and adoption records. But those who sought SB 1907 said they plan to seek legislation addressing those in 2013.
FEDERAL RECORDS
SEC Accused of Destroying Records

The U.S. Securities and Exchange Commission (SEC) has been accused of systematically destroying thousands of “matter under inquiry” (MUI) documents related to investigations of Wall Street misdeeds for almost two decades. MUIs are the SEC’s enforcement division’s preliminary look into potential violations of securities law at financial institutions. These sometimes lead to formal investigations, but the files in question had not become formal investigations and had been closed.

SEC lawyer Darcy Flynn, who helped manage the commission’s records, specifically said the SEC destroyed more than 9,000 MUI files over a 17-year period, in violation of federal law. The destroyed files included records involving Bernard Madoff and several major Wall Street firms that later were scrutinized for their role in the 2008 financial crisis, including Goldman Sachs, Lehman Brothers, Citigroup, and Bank of America, according to The New York Times.

Flynn first made the allegations within the agency in 2010, which spurred a July 2010 letter to the SEC from Paul Wester, the National Archives and Records Administration’s (NARA) director of modern records, about what appeared to be “an unauthorized disposal of federal records.” The letter asked the SEC for a written report and to ensure that no further destruction occurred.

Samuel Waldon, assistant chief counsel of the SEC’s enforcement division, responded that the Division was not aware of specific instances of the destruction of MUI records, but he couldn’t say with certainty that none had been destroyed over the previous 17 years. Waldon’s letter also assured NARA that no MUIs would be destroyed while the issue was being reviewed.

In July 2011, Flynn’s lawyer reported the original allegations to Sen. Charles Grassley (R-Iowa), invoking whistleblower protection for Flynn. The Senate Judiciary Committee, NARA, and the SEC inspector general have launched investigations into the SEC’s actions.

Initial inquiries have revealed that the commission apparently directed its staff for years to purge investigative records once the cases were closed. According to Rolling Stone, which first reported the widespread document destruction, the enforcement division of the SEC even spelled out the procedure in writing on its internal website. “After you have closed a MUI that has not become an investigation,” the site advised staffers, “you should dispose of any documents obtained in connection with the MUI.”

According to Rolling Stone, all the agency’s records – “including case files relating to preliminary investigations” – are required to be maintained for at least 25 years under rules agreed to a decade ago by NARA and the SEC.

In August 2011, NARA determined that the SEC improperly destroyed the records in question, in violation of the Federal Records Act. If any of the investigations find that SEC employees willfully violated the law, the matter may be referred to prosecutors, the Wall Street Journal said.
PRIVACY
India Passes Data Privacy Rules

India’s new privacy legislation, Information Technology Rules 2011, requires organizations in India and their intermediaries to obtain written consent from customers before using their personal data.

The law says “consent” can take the form of an e-mail, fax, or letter prior to the collection of personal data. Similar to the proposed European Union online privacy legislation, the law gives Indian consumers the right to review personal data being collected about them and amend any inaccuracies.

Organizations also must get consent from an individual before transferring sensitive personal data. The organization transferring data must ensure the receiver maintains the same privacy standards, according to the legislation.

The law also requires organizations to maintain a system for disputes and resolving issues that arise from the handling, processing, and use of sensitive personal data. If an organization has mishandled an individual’s personal data or failed to maintain an adequate privacy policy, then it must provide compensation. The law does not cap compensation limits.

Organizations that handle Indians’ personal information are subject to these privacy laws, even if they are located in another country.

Businesses have complained that many aspects of the new law are not clear. Kamlesh Bajaj, CEO of the Data Security Council of India, has said that clarification of the legislation is forthcoming, but in the interim, organizations say they don’t really know how to prepare for and comply with the law.

U.S. organizations that outsource are protesting the new law. For example, Google has expressed its dislike of a provision that holds intermediaries responsible for objectionable content deemed “harassing,” “grossly harmful,” or “ethnically objectionable.”

HEALTH RECORDS
UK Ends £11B EHRs System

The United Kingdom’s plan to create the world’s largest single civilian computer system linking all parts of its National Health Service (NHS) and creating a centralized database of electronic patient records will be scrapped, ministers have announced.

Part of the controversial 10-year National Programme for IT, billions had been spent on the NHS system since it began in 2002. Its fate was partially sealed by a report from members of a Parliament committee that concluded that the £11.4-billion program had proved “beyond the capacity of the Department of Health to deliver,” according to a report from The Independent.

The Commons Public Accounts Committee (PAC) said that, while creating a centralized database of electronic health records (EHRs) was a worthwhile goal, a huge amount of money had been wasted. The program had hoped to create an EHR for patients in England and connect 30,000 doctors to 300 hospitals.

“The department has been unable to demonstrate what benefits have been delivered from the £2.7 billion spent on the project so far,” Margaret Hodge, PAC chair, said. “It should now urgently review whether it is worth continuing with the remaining elements of the care-records system. The £4.3 billion which the department expects to spend might be better used to buy systems that are proven to work, that are good value for money and which deliver demonstrable benefits to the NHS.”

The Independent said the government has announced a new strategy for IT in the NHS that will abandon any attempt to link up the NHS in a central system while trying to integrate those parts that have already been delivered. Now local health trusts and hospitals will be able to develop or buy individual computer systems to fit their needs – with a much smaller central server capable of “interrogating” them to provide centralized patient care data.

The NHS project – the biggest civilian IT scheme ever attempted, according to The Independent – has had problems since its inception, including changing specifications, technical challenges, and clashes with contractors that have all left it years behind schedule and way over budget.

For example, in 2006, Accenture, the largest contractor, walked out on contracts worth £2 billion, writing off hundreds of millions of pounds. Just months before, U.S. software supplier IDX also quit the project.

The report also criticizes the contracts between the department and suppliers – so far, £1.8 billion has been paid. The government said it is currently negotiating with the original contractors to recover as much money as possible while avoiding expensive legal challenges.
DATA SECURITY
Calif. Amends Data Breach Law

California passed the first data breach notification law in the United States in 2002 (SB 1386). Nearly every state has followed with its own version.

Over the past few years, California lawmakers have passed several bills aimed at amending California’s breach notification law to add a regulator notice provision and to require the inclusion of certain content, according to The Information Law Group. However, former Gov. Arnold Schwarzenegger vetoed the bills at least three times. Earlier this year, a Senate bill (SB 24) was introduced to enact such changes, and in August, current Gov. Jerry Brown signed it into law.

SB 24, which takes effect Jan. 1, 2012, requires data breach notifications to include a general description of the incident, the type of information breached, the time of the breach, and the toll-free telephone numbers and addresses of California’s major credit reporting agencies.

When a single breach affects more than 500 Californians, SB 24 requires data holders to send an electronic copy of the notification to the California Attorney General. This adds California to the list of states and other jurisdictions that require some type of regulator notice in the event of certain types of data security breaches.

Others on that list include: Alaska, Arkansas, Connecticut, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Puerto Rico, South Carolina, Vermont, and Virginia.
German Court: Employers Can Review Employees’ E-Mails

The Higher Labor Court of Berlin-Brandenburg, Germany, has ruled that an employer has the right to access and review an employee’s work-related e-mail during his/her absence from work.

The ruling makes clear that an employee’s right to use the company e-mail system for private communications does not preclude the employer reviewing an employee’s business-related e-mail.

In the case, the plaintiff could not work due to a long-term illness. The employer unsuccessfully tried to contact the employee to get her consent so the employer could access and read her business-related e-mails in order to respond to customers’ requests. After several weeks, the employer circumvented the employee’s password and read and printed the employee’s business-related e-mails. The employer did not read or print e-mail labeled “private.”

The employee requested a court order prohibiting her employer from accessing her e-mail account during any future absences without her explicit consent but was unsuccessful. The court rejected the plaintiff’s reasoning that, because she and all other employees were permitted to use the company’s computer system for private e-mail, her employer should be considered a so-called “provider of telecommunication services” and thus be required to observe the “secrecy of telecommunications” according to Germany’s Telecommunications Act (Telekommunikationsgesetz).

The Higher Labor Court said allowing use of a company e-mail system for private communication is merely a side effect of the employment relationship and does not fall under the scope of the Telecommunications Act.
GOING GREEN
Data Centers Using Less Power
Despite the fact that the amount of data created increases at an astronomical rate each year, data centers are actually consuming fewer resources, according to an independent report.
The report on data center power use between 2005 and 2010 by Jonathan Koomey, an engineering professor at Stanford University, found that the actual number of computer servers declined compared to 2010 forecasts because of less demand for computing, the financial crisis of 2008, the global recession, and new power-saving technologies, such as more efficient computer chips and computer server virtualization, which enables fewer servers to run more programs.
In the new study, prepared at the request of The New York Times, Koomey found that electricity used by data centers worldwide grew significantly, but it was an increase of only about 56% from 2005 to 2010. In the United States, power consumption increased by 36%, according to the report, titled “Growth in Data Center Power Use 2005 to 2010.”
Koomey said he could not determine which had a bigger effect on data centers’ power usage, the recession or power-saving technologies. At any rate, the report’s results are surprising considering that services that rely on data centers, such as cloud computing and streaming music and movies, have become popular during the time period studied by the report. Data centers are also used to process e-mail and conduct web searches and online transactions, as well as banking transactions and corporate sales reports, The Times said.
The Environmental Protection Agency (EPA) issued an influential report on data centers in 2007. It predicted that energy consumption by computer servers and data centers would nearly double from 2005 to 2010 to roughly 100 billion kilowatt hours of energy at an annual cost of $7.4 billion, according to The Times. The EPA estimated that the centers’ demand for power in the United States would rise from 7 gigawatts, or about 15 power plants, to 12 gigawatts of power in 2011, equal to the output of 25 major power plants.
Industry consultants and executives told The Times that the slower growth shown in the report may be just temporary. No one expects energy consumption to fall off any time soon, and we are in the midst of the largest build-out of new data center capacity in the history of the industry, according to The Times.
Fueled by an insatiable demand for new Internet services and a shift to so-called cloud computing services that are largely hosted in commercial data centers and in the large data farms operated by the likes of Amazon, Apple, Google, Microsoft, and Facebook, there have been worries about the growing percentage of the U.S.’ electricity that will be consumed by vast data centers being constructed at a record pace, The Times said.
But Koomey’s report indicates that electricity used by global data centers in 2010 remained relatively modest. “Electricity used in global data centers likely accounted for between 1.1% and 1.5% of total electricity use, respectively,” the report states. “For the U.S., that number was between 1.7% and 2.2%.”
PRIVACY
Florida Reaped $73 Million Selling Personal Data
The state of Florida made $73 million between July 2010 and June 2011 by selling individuals’ driver’s license data to private companies, according to the Florida Department of Highway Safety and Motor Vehicles. The Miami Herald reported that state officials have confirmed the sale of personal information of Florida’s 15.5 million licensed drivers as a source of revenue for the state.
Florida has sold the data, which includes names, addresses, birthdates, and genders, for years. According to The Herald, the information has been purchased by auto manufacturers who need to tell customers about recalls and insurance companies that want the data for underwriting purposes.
But others, notably the American Civil Liberties Union (ACLU), are concerned about the transactions and want the practice to end. In a July 2011 letter, the ACLU asked Gov. Rick Scott to terminate the agency’s contracts with vendors who receive drivers’ information. The letter said the process lacks oversight and violates Florida residents’ expectation of privacy.
But state officials contend that the information is public record, so if Florida doesn’t sell it, it would have to be given away anyway. Florida law allows the sale of such information, as long as it is sold to a “legitimate” individual or business.
SOCIAL MEDIA
Agencies Need Better Social Media Rules
Because federal agencies are increasingly using social media to engage with the public, better records management, privacy, and security guidelines are needed, a government watchdog agency has warned.
The U.S. Government Accountability Office (GAO) examined how 23 key agencies are using social media, such as Twitter for posting news updates, YouTube for posting videos of congressional hearings, and Facebook for answering the public’s questions.
All this activity poses new records management, privacy, and security challenges, and agency progress in meeting these challenges has been mixed, according to InformationWeek.
While many agencies have developed specific policies for using social media in light of these challenges, the GAO found that only 12 – or about half – of the agencies evaluated have created processes and policies for identifying and managing records generated by their use of social media or updated their privacy policies to detail whether any personal information is made available through social media use. Also, only eight have conducted privacy assessments to identify potential risks that may exist if personal data is leaked by an agency.
In the area of security, the GAO found that only seven of the 23 agencies evaluated have identified and documented security risks and controls associated with social media use.
SOCIAL MEDIA
German Official Dislikes Facebook ‘Like’ Button
A German official believes Facebook’s “Like” button may violate European Union (EU) law.
Thilo Weichert, data protection commissioner in the German state of Schleswig-Holstein, has ordered all institutions from the province to delete their fan pages on the site and remove any “Like” buttons integrated into their own websites. He said the feature allows Facebook to collect data on users’ browsing habits illegally.
According to Weichert, the Like button breaches provincial, national, and EU law because Facebook’s U.S. servers can collect data about a user’s surfing habits by logging the IP addresses of Internet users whose visits result in Like buttons being loaded.
Facebook confirmed that it could see “information such as the IP address” of users who visit sites with a Like button, but said the data was deleted within 90 days, “in keeping with normal industry standards.”
Websites in Schleswig-Holstein must comply with Weichert’s order to remove the offending Facebook features from their websites or they will face fines of up to €50,000.
Weichert is not the only one who dislikes the “Like” button. Ireland’s Data Protection Commissioner (DPC) is currently investigating the legality of the feature in response to a complaint from an Austrian-based lobby group called Europe v. Facebook. The group contends that the button allows Facebook to track the online activity of any web user, even those users who are not Facebook members.
If the complaint is successful, TheJournal.ie said, Facebook may be forced to adopt radical changes to the way it operates its Like feature – or potentially face court action demanding that the feature be disabled for hundreds of millions of worldwide users.
By logging the IP addresses of Internet users when they visit pages that contain an embedded Like button, Facebook could build a profile of that user’s browsing habits, and then use it to its commercial advantage, according to TheJournal.ie.
The DPC has already received complaints that Facebook retains data – including status updates, chat messages, photo tags, and deleted friendships – even after users remove them from their own personal profiles. The group also argues that material posted by users on others’ pages can be shared in ways not known to them and that third-party applications installed by a user’s “friends” can access their own personal data, with no guarantee of privacy protection.
A Facebook spokesperson said only that the company is aware of the complaints being filed by the Austrian group.
FEDERAL RECORDS
U.S. to Shred Millions of Court Records
About 10 million bankruptcy case files and several million district court files dating from 1970 to 1995 will be shredded, pounded to pulp, and recycled, the U.S. National Archives and Records Administration (NARA) has announced.
According to the Associated Press (AP), U.S. officials said they are destroying the millions of federal court records to save on storage costs, but those who rely on the files – private detectives, lawyers, and historians – are incensed.
Federal archivists said they have spent years talking to legal scholars, historians, and others about which files to purge after learning that sorting and digitizing just the bankruptcy cases would cost tens of millions of dollars, the AP reported. None of the civil or criminal case files scheduled to be destroyed went to trial, and docket sheets that list basic information, such as names of defendants and plaintiffs, will be saved from each case.
NARA said thousands of files designated as historically significant will be kept in storage, including all civil rights and government corruption files, regardless of whether they went to trial.
By the end of the year, 140,000 boxes of civil case files – out of a total of about 270,000 from the 25-year period – will be destroyed, Kabakoff said. In 2012, about 390,000 of the 400,000 total boxes of bankruptcy case files from the same period will be destroyed, according to the AP. A smaller number of criminal case files – about 40,000 boxes – are scheduled to be destroyed later.
The federal court system, like other government agencies, has struggled to cut costs. According to the AP, files created before 1995 present a problem as nearly all of them exist in paper-only form. Also, 1970 to 1995 was a time during which litigation exploded, resulting in mountains of paperwork that could only be stored in boxes at courthouses or federal archive centers with limited space.
Critics of NARA’s decision to destroy documents from this time period argue that it is impossible to know what records will be historically significant 10, 50, or 100 years from now. They say a file deemed inconsequential today might one day shed light on someone who may become a presidential candidate or a murder suspect.
STATE RECORDS
Governor’s Missing E-Mails Prompt Probe
After taking office, Florida Gov. Rick Scott instructed his staff to limit use of e-mails because they are public records. Those individuals who visit the governor’s website (www.flgov.com) will see the following warning at the bottom: “Under Florida law, e-mail addresses are public records. If you do not want your e-mail address released in response to a public records request, do not send electronic mail to this entity. Instead, contact this office by phone or in writing.”
Scott also has increased the price of records requests. Interestingly, a political reporter found that it costs more to get 1,100 e-mails from Scott’s office ($784.84) than it did to get 24,000 pages of Sarah Palin’s e-mails ($725.97) from the state of Alaska.
But some of Scott’s e-mail records can’t be purchased because they were deleted soon after he took office, according to the St. Petersburg Times.
Chris Kise, the lawyer and public records adviser for the transition, told the Times it was an “oversight; the result, he said, of a chaotic transition run by a largely out-of-state staff still learning Florida law and unfamiliar with the technology that ran the e-mail system.”
However, because Kise worked in the Florida Attorney General’s office under former Gov. Charlie Crist, he presumably would have been familiar with the state’s laws, the Times noted.
The governor’s office has tried to find some of the deleted e-mails in staffers’ personal e-mail accounts. They’ve turned over 69 e-mails that Scott sent and 78 that he received. Kise said 40 to 50 e-mail accounts were deleted and almost everything was recovered.
According to the Times, Florida law allows a maximum $500 fine for violations of public records law and more serious penalties, including impeachment, for any official who “knowingly violates” the statutes.
HEALTH RECORDS
Some Hospitals Stuck Between Digital, Paper Medical Records
As hospitals transition to electronic medical records (EMRs), many are not adequately planning for the in-between period when they might be running dual paper and electronic systems, according to the results of an Iron Mountain survey that were released in July.
Iron Mountain’s survey report coincides with the first anniversary of the publication of the final stage 1 rules for “meaningful use” of EMRs.
According to the survey, 70% of the 201 health information professionals surveyed earlier in 2011 said their organizations will achieve meaningful use by the end of 2011. But only 14% expect to be free of paper records within a year. That means there will be a fairly long transition period, Ken Rubin, senior vice president and general manager for healthcare at Iron Mountain, told InformationWeek Healthcare.
In the meantime, Rubin said he sees kind of a “no-man’s land” between paper and digital recordkeeping. The survey shows a haphazard approach to scanning paper records.
For example, about one-third of hospitals surveyed have decided to scan all paper records, even redundant or outdated ones. Nearly half of larger hospitals have completed scanning plans, but only 23% of hospitals with fewer than 150 beds have, InformationWeek Healthcare reported.
In addition, the survey found that scanning and managing paper records often is not well coordinated with an EMR implementation. More than half of all respondents did not know what their scanning budgets were, and only 5% knew their cost per scanned image.
About three-fourths reported having clear policies regarding scanning, filing, and shredding of paper records, but a small portion of those had such policies only for active records. About two in 10 did not have any sort of policy, the survey found.
Rubin also told InformationWeek Healthcare that many hospitals lack the right kind of staff for record conversion. Full-time file clerks do the scanning in about 29% of the organizations represented in the survey, but Rubin said the majority of them are not trained well enough that they would be hired by a scanning company.
FEDERAL RECORDS
White House Names New CIO
President Barack Obama has tapped a former Microsoft executive to replace Vivek Kundra as the new chief information officer for the United States.
Steven VanRoekel, who joined the Obama administration from Microsoft in 2009 as managing director of the Federal Communications Commission, succeeded Kundra, who resigned to take a position at Harvard University, in early August.
Analysts say Kundra helped move government agencies to adopt new, more efficient technologies. According to The New York Times, Kundra pushed agencies to adopt new technologies that can improve efficiency, including cloud computing and software, which have reduced the number of computers and data centers needed. The government plans to close 800 of its 2,000 data centers over the next four years.
The Obama administration has also put all kinds of government data on the web, mostly on Data.gov. For instance, there are now more than 389,000 data sets online, and citizen programmers have created more than 230 applications using the data.
As the government’s chief information officer, VanRoekel said he plans to continue the work Kundra began.
SOCIAL MEDIA
Social Media Mishaps Cost Firms $4 Million in 2010
An April 2011 Symantec flash poll of 1,225 IT executives in 33 countries found that the typical organization experienced nine social media incidents during the previous year – including employees posting confidential information publicly – that cost businesses an average of $4.3 million. Ninety-four percent suffered negative consequences, such as damage to their reputations, loss of customer trust, data loss, and lost revenue.
Symantec said it’s more important than ever for organizations to put controls in place to capture social media information to ensure compliance with open records requests, industry regulations, and e-discovery requests.
“Businesses know how important it is to protect and preserve e-mail, IM, spreadsheets, and other unstructured information. Now they need to recognize that information flowing through social networks is equally important,” said Greg Muscarella, senior director of product management at Symantec.
According to Gartner, by 2013, half of all companies will have been asked to produce content from social media websites for e-discovery. Social media e-discovery precedent is “a patchwork,” Gartner said, and there’s no reason to expect “clear guidance from courts or regulators in the near future.”
Gartner analyst Debra Logan warned, “In e-discovery, there is no difference between social media and electronic or even paper artifacts. The phrase to remember is ‘if it exists, it is discoverable.’”
The Symantec poll found that 82% of organizations are at least discussing implementing archiving solutions to collect, preserve, and discover sensitive business information transmitted through social media, along with establishing social media usage policies and employee training programs. However, less than one-fourth have actually implemented such technologies and plans.
According to Symantec, the top-three social media incidents the typical organization experienced during the year previous to the poll year were:
• Employees sharing too much information in public forums (46%)
• The loss or exposure of confidential information (41%)
• Increased exposure to litigation (37%)
More than 90% of respondents who experienced such mishaps also suffered negative consequences as a result. (See sidebar.)
Symantec offered the following recommendations for how organizations can avoid such problems:
• Define how to use social media and train employees about what content is appropriate to post.
• Identify and understand legal or regulatory requirements specific to your industry, and implement policies to address regulations that require retention of social media content.
• Deploy an archiving solution that automatically captures and retains social media content, especially if the industry is highly regulated.
• Implement a data loss prevention solution for another layer of protection to prevent confidential and proprietary information from leaking onto social networks.
What Does Social Media Cost Organizations?
According to an April 2011 Symantec poll, the greatest risks of corporate use of social media include:
46% Sharing too much information
41% Loss of confidential information
40% Damaged brand
37% Risk of litigation
37% Malware
36% Compliance risks
Social media mishaps cost firms a lot in 2010:
Lost revenue: $619,360
Damaged brand: $638,496
Direct costs: $641,993
Litigation costs: $650,361
Source: Symantec
EMERGENCY! How to Build a Document Unit for Hazardous Incident Response
John Kain
Though each industry has a unique set of data and operations, organizations can adapt general records and information management guidelines and procedures to use as the foundation for building a highly skilled document unit to respond to hazardous incidents.
Most organizations in hazard-related industries, such as natural gas pipeline organizations, chemical manufacturers, waste processing plants, and oil organizations, have examined their hazardous incident risk profiles. As a result, they have put together hazardous incident response policies and procedures, designated and trained response personnel, run hazardous response drills, and put a coherent response program in place. They might also have identified a number of third-party hazardous incident response organizations and written procedures for rapid response deployment.
Many state and federal laws, as well as regulations in a variety of industries, demand such preparedness. Yet, in very few instances have organizations included their records and information management (RIM) functions in the hazardous incident response program, even though incident response success and compliance with a variety of local, state, and federal agencies are largely measured and tracked via record-driven processes.
A relatively small fuel spill, for example, can create a mountain of data through the response operations in the field. Management and control of that data is essential – not only for running efficient day-to-day response operations and complying with the inevitable legal hold, but for mitigating future risk.
It makes sound sense, then, for organizations to leverage their RIM expertise as an integral part of their incident response operations. The development of RIM incident response processes will be the natural outgrowth of the RIM infrastructure.
For organizations with less overt hazard profiles and no existing incident response program, this article will provide valuable guidance in exploring hazardous incident response needs and the potential role of their RIM programs.
Using the RIM Program as Foundation
The cornerstone of a quality hazardous response program rests, of course, on the strength of the RIM department – its organization, the clarity of its policies and procedures, the efficiency of its workflow processes, and the quality of its record retention schedule.
An organization’s clear, concise, and comprehensive record taxonomy and its associated retention requirements that are fundamental to the organization’s success will also support its input and management of hazardous incident response data. Likewise, the continuation of strong record management workflows and procedures, with some adaptation, is important to an incident response.
For example, much of the incident response field data can mirror, again with some adaptation, the functional record categories in an organization’s established record retention schedule. With a little extra work and foresight, a template can be built for new types of incident response records.
The U.S. Federal Emergency Management Agency’s (FEMA) Incident Command System (ICS) documentation discussed later in this article is an excellent resource for estimating response document types and records management workflow. See the sidebar below for more information about the ICS.
FEMA’s Incident Command System Overview
The Federal Emergency Management Agency’s (FEMA) Incident Command System (ICS) is a standardized, on-scene, all-hazards incident management approach that:
• Allows for the integration of facilities, equipment, personnel, procedures, and communications operating within a common organizational structure
• Enables a coordinated response among various jurisdictions and functional agencies, both public and private
• Establishes common processes for planning and managing resources
As a system, ICS is extremely useful; not only does it provide an organizational structure for incident management, but it also guides the process for planning, building, and adapting that structure. Using ICS for every incident or planned event helps hone and maintain skills needed for the large-scale incidents.
Editor’s Note: This information was excerpted from www.fema.gov/emergency/nims/IncidentCommandSystem. Find related resources at the FEMA ICS Resource Center: http://training.fema.gov/EMIWeb/IS/ICSResource.
Establishing the Chain of Command
Another integral structural process in establishing a successful incident response program is defining a clear chain of command. It’s essential to this process to have a top-down organizational flow. Management, compliance, and legal units must be on board and understand the value of incident response records management and control.
Often in the initial frenzy to respond, an organization’s focus narrows to a purely operational mode. This is understandable, as the main thrust should be to address the issue as quickly, safely, and efficiently as possible. However, initiating a two-pronged response with an operational and RIM-based document unit team (even in the early hours of the catastrophe) is desirable and certainly doable with the proper preparation. But, this cannot be done without the cooperation and understanding of the organization’s key units.
Hazardous incident litigation, more often than not, pivots upon the initial cause of the mishap and then what occurs during the early days (and, in some cases, even hours) of the response. Having a records manager onsite collecting, authenticating, organizing, mapping, and backing up response documentation will help during the litigation process and help mitigate future risk.
Building the Document Unit Team
Response to a hazardous incident must be swift and decisive, which means preparations need to be thorough. Therefore, creating a go-ready document unit response team is crucial.
The document unit is one of four primary units under FEMA’s ICS. According to the National Incident Management System Training Program manual, the ICS document unit “… maintains accurate and complete incident files, including a complete record of the major steps taken to resolve the incident; provides duplication services to incident personnel; and files, maintains, and stores incident files for legal, analytical, and historical purposes. This Unit compiles and publishes the IAP [Incident Action Plan] and maintains the files and records that are developed as part of the overall IAP and planning function.”
Organizing a document unit does not need to stretch the organization’s budget. Depending on the size, industry type, and complexity of the organization, leveraging in-house resources can be negotiated easily. Or, locating a third-party consultant document unit team that can handle the load will suffice when in-house resources are unavailable.
Selecting Document Unit Members
Even if this function is outsourced, there should be at least two in-house designees: a document unit lead and a document unit IT specialist. Even if a third-party consultant is used, the two designees will be needed at the incident site as liaisons to help the consultants navigate the organization’s unique RIM terrain.
The document unit lead should have a comprehensive knowledge of the organization’s RIM program, particularly the records retention schedule, its composite taxonomy, and the existing record management policies and procedures.
The document unit IT specialist will have worked closely with the records department and have some savvy about powering up remote location connectivity. Both should be ready to travel at a moment’s notice, be inventive, and think quickly on their feet. Incident sites can pose innumerable challenges, so having a flexible, resourceful character is a plus. The two designees will be out of pocket for large amounts of time, so thought must be given to finding resources to take over their day-to-day responsibilities in their absence.
Larger organizations might have the resources to designate an entire document unit response team, including a document unit lead, two or three RIM support staff, a couple of IT specialists, and a list of other third-party support personnel. Smaller organizations might be hard pressed to find the minimum in-house resources.
The key is to know what types of resources you’ll need and where to get them. Know the key players’ strengths, as well as their limitations. Perhaps an organization’s incident response document unit “team” will simply be a binder filled with response procedures, material punch lists, and names and numbers of third-party consultants and vendors.
Meeting with Operations
After designating the team, set up a meeting with the operations side of the organization’s incident response program, including representatives from management and legal. Prior to the meeting, the document unit should familiarize itself with FEMA’s National Incident Management System (NIMS) and, particularly, within the NIMS framework, the ICS documentation mentioned earlier in the article and sidebar.
The ICS forms and explanations and the NIMS information can be found on FEMA’s website, along with other useful resources. FEMA has standardized the NIMS, as well as its requisite documentation, and these record types (used by most hazardous incident response professionals/vendors) will comprise the lion’s share of the records encountered on an incident site. Typical records might include documentation of materials and personnel used, environmental monitoring data, safety records, and claims.
Meetings can accomplish a number of things. It’s a great opportunity for the RIM team to:
• Learn about the operations side of the incident response program. In turn, operations personnel can join in the discussion of the legal hold process (for which the incident site will surely be a candidate) and begin to understand how a two-pronged response (operations and RIM-based document unit) can function.
• Discuss existing RIM policies and procedures in relation to response efforts and modifications
• Examine taxonomy in relation to these same efforts. A taxonomy structure can possibly be preloaded to an FTP site – ready for the input of data from the field after a hazardous incident.
Operations can lend its experience from previous incidents and perhaps present a more hands-on explanation of the NIMS and ICS programs. If the organization has not experienced a hazardous incident, it should examine similar industry incidents and responses.
Organizations without established hazardous incident response programs would still be advised to hold a meeting once or twice a year with the regular operations personnel to explore “what if” scenarios. These meetings will also serve as an initial team building exercise for all the incident response stakeholders and give each department a more precise overview of the incident response process.
Assembling Supplies for the Document Unit
Once the high-level processes and structures are in place,
discussion can turn to the go-ready document unit team,
namely determining what tools will be needed in the field.
Essentially a duplicate records management department
must be created at the incident site, and these are sometimes
in remote locations. Though incidents and circumstances will
vary widely in complexity and scope, the following is a short
list of essential items for the document unit response efforts.
• Construction office trailer (remote locations)
• Scanners, printers, and fax machines
• A bag of thumb drives
• Modems, routers, switches, cables, and other items needed for
  connectivity
• Laptops
• A few external hard drives
• Document totes, clipboards, sharpies, highlighters, and other
  office items, as needed
• Document boxes
• Flashlights (handheld and clip-on)
• Hard hats, steel-toed boots, and safety vests (Document unit staff
  will be visiting incident sites and will not be allowed on the
  premises without these items.)
• “Document Unit” labeled vests with one labeled “Document Unit
  Lead” (Document unit visibility is key; the more your presence and
  the fact that you are managing records are known, the better for
  compliance.)
This list will be expanded as the inci-
dent unfolds, but it’s a good start. Add to it
by making your own punch list, and re-
search where these items can be had
quickly (include contact names and num-
bers) when the time comes. The team is
now ready – hopefully, never to be used.
Navigating the Incident
Hazardous incidents vary greatly, and circumstances
can unfold in surprising ways. It is impossible to account for
all the variations and applications of incident response
processes. The following gives a sense of what can be ex-
pected and shows the bones of the procedures that could be
followed. The flesh of reality will add the rest.
Arrive at Disaster Site
The team needs to arrive at the site as soon as possible,
outfitted with the required safety gear listed above. The
early days will be frenetic and general confusion will
abound, but the sooner document controls are in place, the
fewer headaches there will be down the road. The document
unit team will be working long hours, and there will be a
tendency for the document unit to be pulled into the opera-
tions process (e.g., “You need to go deliver this truck.”). It is
important not to let that happen.
Convey Team’s Presence
Upon arrival, organization response stakeholders should
be told the document unit lead is present and has started the
document control processes. The document unit lead should
begin to assess the amount of tools and personnel needed
and secure the required resources immediately. A liaison at
the home office should be designated to be responsible for
gathering what is needed by the document unit.
Obtain Incident Site Map and Vendor List
Obtain an incident site map from operations, which
should have one available through its Incident Action Plan
(IAP), which is part of the ICS. The incident may encompass
a square block or a dozen square miles, and the document
unit will need a map to show what is happening and where.
For example, a large sewage release in a creek may have
dozens of cleanup staging areas and cleanup action loca-
tions, each producing a mound of records. Keep abreast of
the daily changes to the IAP because cleanup areas and op-
erations will be changing frequently.
A list of onsite vendors should be created with a descrip-
tion of their functions, which will assist the document unit
later in mapping record types. Vendors come and go with
great regularity and in larger incidents may be headquar-
tered in many different locations; keeping track of them is
often difficult. Keeping an up-to-date vendor list and site
map will help with the primary responsibility of the docu-
ment unit – locating, naming, mapping, and securing data
and data repositories.
Establish Document Unit Office
The document team should set up a document unit office
with a minimum of one laptop and a printer. First, print
legal hold announcement handouts detailing the site-wide
legal hold procedures, which remind vendors and operations
personnel not to throw away any documents or copies.
Second, print up demobilization procedure announcements
detailing the procedures vendors need to perform when they
are permanently leaving the site.
Vendors should check in with the document unit to en-
sure their data or records are accounted for or to have copies
of those records made. These announcements can be handed
out at the daily IAP meetings and during regular visits to
remote sites. The document unit should schedule regular
pickups of all document copies and box such records accord-
ingly under the legal hold procedures.
Map Site Records
Begin mapping the incident site records by defining the
critical document set (i.e., records associated with the most
risk).
• Cleanup resource records (amounts of materials and personnel used
  at each location and staging area inventories – ICS forms 214, 211,
  and 218)
• Records detailing how the hazardous incident was stopped
• Environmental monitoring data
• Wildlife rescue and processing documentation
• Safety records
• Air operation records with aerial and land site photos
• Claims records
The document team needs to collaborate with legal and
operations units to finalize the critical document list. Non-
critical records (e.g., accounts receivables, general human re-
sources, and payroll) can be mapped later.
Conduct Interviews
As part of the record mapping process, the document unit
will need to interview operations personnel and vendors to
find out what type of records are being created, where they
are stored, the record’s chain of custody if applicable, and if
and where they are backed up.
Vendors’ records management expertise and complexity
will vary greatly. On one end of the spectrum may be a small,
local trucking company with little or no knowledge of the ICS
documentation protocols, and on the other end there may be
a professional incident response management company that
collects and organizes most of the EPA-mandated environ-
mental monitoring data and has all of the documentation
backed up on a remote home office server.
Each set of records needs to be mapped, creating a matrix
that includes:
• A list of vendors and operations department names (e.g., contact
  names, phone numbers, and dates of interviews)
• Record types that each creates
• Where records are stored or sent (e.g., an operations department
  could be sending data to an office in another location)
• If and where they are backed up
This matrix could be duplicated on a large, visual map
display.
Protect Vulnerable Records
With the map in hand, the document unit will be able
to identify which record sets are the most vulnerable
(e.g., handwritten vendor notebooks and data on laptops
with no backup) and early-days records (the most critical).
These sets can be noted and copied.
A document unit FTP site and taxonomy can then be
created (or a pre-existing one accessed) where vulnerable
and critical data can be uploaded. In cases where records
and data are well-managed, the mapping information
will be sufficient. The primary concerns are to know what
types of records exist, where they are located, and that
they are protected.
Evolving to Meet New Challenges
As the records management process unfolds, policies
and procedures can be written to accommodate particu-
lar circumstances. Incident response operations and
processes can carry on for years, and each phase will
present different challenges. But, a solid RIM foundation
will be in place. The document unit team can then feel
confident moving forward during a hazardous incident
despite the response team members’ hopes that they will
not be needed again.
John Kain can be contacted at jkain@montaña-associates.com.
See his bio on page 47.
Rule 30(b)(6) Deposition Mystery Revealed:
What Records Professionals Need to Know
Stacy Jackson
The legal department called. Your organization is being sued, and
the other party wants to depose a records manager – and that’s you.
Now what? Don’t panic. Be prepared.
Litigation is no longer the unique domain of the legal
department. When organizations were paper-based, it was
relatively simple to organize files, desk drawers, and boxes
of information in warehouses. It was also easier to pull
paper documents relevant to the litigation at hand and give
them to the legal staff.
Now, organizations have complicated IT and document
management systems. Lawyers on both sides of the litigation
have to learn about these complicated systems, in addition to
reviewing the data that pertains to the substance of the case.
E-discovery is now a routine part of civil litigation, and more
attorneys are using the U.S. Federal Rules of Civil Procedure
(FRCP) Rule 30(b)(6) deposition as a way to acquire
information. As such, litigation is spilling over into other
departments, including IT and records management.
E-discovery is forcing records professionals to be actively
involved in corporate litigation. They are increasingly being
called to testify as 30(b)(6) witnesses, which are witnesses
who testify about the corporate operations and not necessarily
the facts of the case. While this process may sound scary,
30(b)(6) depositions do not have to be.
What Is a 30(b)(6) Deposition?
Almost all civil litigation has a discovery phase – or
the time before the trial commences when the parties exchange
information relevant to the case. There are many
ways to do this, but the primary discovery devices are:
• Interrogatories (written questions)
• Request for admissions (a written factual statement)
• Request for productions (written request to provide documents
  and data)
• Depositions (out-of-court recorded testimony)
At times, the lawyers in a case need background in-
formation on an organization’s method of doing business,
as it pertains to the case, before they can zero in on the
exact subject of the litigation. When a party to a lawsuit
is a person, that person can be deposed. But, who speaks
for an organization? That’s where the 30(b)(6) deposition
comes into play. Under the FRCP (the rulebook that gov-
erns civil actions in the U.S. District Court), a represen-
tative can be designated to speak on behalf of the
organization about particular topics.
For example, an individual from IT may be called
upon to answer questions regarding data storage. A
records professional may be called upon to discuss how
data is created, stored, and deleted.
In the case of Re: Carbon Dioxide Industry Antitrust
Litigation, State of Florida, Ex Rel., et al., the plaintiffs
served 30(b)(6) deposition notices on defendants and
asked them to identify data maintained on the organiza-
tion’s computers, as well as the hardware and software
necessary to access the information. The court ordered
the 30(b)(6) depositions to take place because they were
necessary to proceed with the merits of discovery.
What Is Expected of the Deponent?
As seen in the graphic above, the opposing party in
the litigation sends a subpoena, which must describe
with “reasonable particularity” the matters the attorneys
wish to learn more about. When the attorneys need to
know about records management, a records profes-
sional’s knowledge becomes essential. In fact, he or she
may be designated by the legal department to “speak on
behalf of the organization” at a deposition.
A records professional may be asked to testify about:
• Information known or reasonably available to the organization
• What information is related to the case
• What infrastructure the information is housed in
• How the information is retrieved
• How the information is safeguarded
A 30(b)(6) deposition “binds the organization,” mean-
ing it is “as if the organization said it.” It is evidence that
can be explained and contradicted at trial. It can be used
by the opposing party in the litigation for any purpose.
Most importantly, the organization will be bound by the
records professional’s lack of knowledge of any of the top-
ics explored.
There is no limit to the number of topics that can be
specified in a 30(b)(6) deposition no-
tice. Additionally, the topics listed in
the notice are a starting point, not an
ending point, for the deposition. The
legal department must make a good
faith effort to designate those who
have the knowledge of the matters
listed in the deposition notice.
An organization may elect to have
multiple representatives deposed in
response to a single deposition notice.
The legal department has a duty to
prepare all individuals so they can
completely answer the questions sur-
rounding the subjects in the deposition notice. In addi-
tion, documents and other resources will help prepare the
designated representatives. Preparation is crucial and
should be an exhaustive process. However, the deposition
is not a memory test. It is not reasonable for a person to
remember every fact, as seen in Equal Opportunity
Comm'n. v. American Intl. Group.
If a witness is unprepared to testify about a subject
and cannot speak to it, then it could be considered a fail-
ure to appear. This may leave the organization vulnera-
ble to sanctions. If the 30(b)(6) witness does not know an
answer to a question, then the organization may be pre-
cluded from introducing that evidence at trial. This
would put the organization at a serious disadvantage.
In the case of Resolution Trust Corp. v. S. Union Co.,
Inc., the organization proffered two 30(b)(6) witnesses
who were inadequately prepared. The third witness was
deemed to be adequately prepared on the topics; however,
the organization was still sanctioned. The court stated:
Rule 30(b)(6) streamlines the discovery process. It
places the burden of identifying responsive witnesses
for a corporation on the corporation. Obviously,
this presents a potential for abuse which is
not extant where the party noticing the deposition
specifies the deponent. When a corporation or as-
sociation designates a person to testify on its be-
half, the corporation appears vicariously through
that agent. If that agent is not knowledgeable
about relevant facts, and the principal has failed to
designate an available, knowledgeable, and read-
ily identifiable witness, then the appearance is, for
all practical purposes, no appearance at all. Id.
at 197.
After the organization becomes aware of the defi-
ciency, it has a duty to substitute an-
other deponent who can speak to the
subject. The legal department does not
have to proffer the witness with the
greatest knowledge on the subject, just
a witness who is prepared to answer
the subjects outlined in the deposition
notice.
Strategies of a 30(b)(6) Deposition
Get the Lay of the Land
Depositions are used to flesh out a
topic so the opposing party in the liti-
gation can send more specific and tailored discovery re-
quests, such as interrogatories and document requests.
In the case of Alexander v. FBI, for example, the court al-
lowed depositions to learn about e-mail systems, acqui-
sition systems, as well as location and disposition of
computer equipment to guide substantive discovery on
the issues of the case.
Massive amounts of data that organizations create
and store add substantial cost to the litigation budget.
That cost involves identifying, collecting, reviewing, and
producing data to the opposing party in litigation. The
more attorneys can narrow the field of what to collect,
review, and produce, the more money they will save
their client. Therefore, the records professional is often
the first person the attorney visits to find out about the
types of data that are relevant to the litigation.
Narrow the Scope
The 30(b)(6) deposition is a valuable tool for opposing
counsel to acquire information about an organization’s
data and systems. It’s also a valuable tool for the orga-
nization’s attorney as he or she will most likely seek to
narrow the scope of the information universe, which can
greatly reduce the litigation budget. A reduction in the
information universe can be accomplished by limiting
the number of departments or custodians, as well as the
geographic and temporal scope of the litigation.
Prevent a Fishing Expedition
Just as the organization’s attorney seeks to narrow
the scope of information, sometimes the opposing party
seeks to broaden it. This can happen for a few reasons:
• It drives up the costs of the litigation, so the organization
  may settle the matter instead of pursuing a trial on the merits.
• The more information provided, the more likely the opposing
  party will find the ever-elusive “smoking gun,” or data that
  illustrates corporate misconduct.
• The more information “in play” in the litigation, the more
  likely the opposing party will spoliate, or lose, destroy, or
  alter, something.
Put the Brakes on Spoliation
In the electronic era, some attorneys affirmatively
seek out sanctions against the opposition as a weapon in
litigation. If opposing counsel can prove that an organi-
zation intentionally lost, altered, or destroyed informa-
tion relevant to the subject matter of the litigation, which
is called spoliation of evidence, the organization could be
sanctioned. Sanctions could include monetary fines, dis-
missal of a claim or defense, or adverse inference in-
structions to the jury, which allows the jury to infer that
the missing, destroyed, or altered documents contained
unfavorable information.
Sanctions cases are on the upswing, which can mean
big money for the person who can prove that evidence
was destroyed, giving the attorneys an incentive to look
for data that is not there. The 30(b)(6) deposition can be
used to put together a spoliation case. Opposing counsel
will try to elicit information from the records professional
to demonstrate that data was not properly preserved, or
spoliated, and/or that an incomplete search for the data
was conducted.
In the Alexander v. FBI case, plaintiffs filed a Rule
30(b)(6) deposition notice on the Executive Office of the
President for information about the system of files, e-
mail systems, systems for recording devices, and White
House office databases. The government objected and
claimed that the deposition sought to inquire into the
thoroughness of the searches conducted by the govern-
ment.
The court found the government’s affidavit regarding
the thoroughness of the searches had not been rebutted,
and plaintiffs were not allowed to inquire into the matter.
However, the court permitted a Rule 30(b)(6) deposition
to proceed to learn about:
1. The e-mail systems and the construction of user iden-
tification tables
2. The computer system containing a database of persons
who had contacted the White House
3. The system for acquisition, location, and disposition of
computers
It is common for multiple depositions to take place.
There are many areas where two types of depositions,
such as IT and records management, can have overlap-
ping substantive areas. Attorneys will make sure every-
one is singing from the same sheet of music, but be aware
opposing counsel may seek to use a divide-and-conquer
strategy. If records management says the backup rota-
tion schedule is this way and the IT person says it is that
way, then opposing counsel may be able to find a way to
use the inconsistency against the organization.
A Records Professional’s Responsibilities
Be Prepared
There is no such thing as over-preparing for a 30(b)(6)
deposition. Uninformed, overbroad, or imprecise testimony
can lead to increased litigation expenses as seen in the
case In Re CV Therapeutics, Inc. Securities Litigation.
As a records professional, you will be asked about the
types of information; the author or custodian of the in-
formation; the locations where the information is stored;
how it is stored; and any processes that may impact the
integrity of the data. Make it clear whether you are speaking on
behalf of the organization or from personal knowledge.
Be Careful with Demeanor
If the deposition is actually occurring at trial or being
videotaped, be aware that your demeanor may help or
hinder the case. The judge or jury can take into account
your demeanor and whether it makes the testimony more
or less believable. If you are nervous or jittery, it may re-
flect negatively, and your testimony may not be believed.
A calm and confident demeanor goes a long way toward
assuring the trier of fact that your testimony is credible.
Be Flexible
There may be multiple witnesses called to testify for
a 30(b)(6) deposition, and the subject matter for each de-
signee may overlap with yours. Although attorneys will
do their best to prepare you for the deposition by going
over the topics in question, the deposing attorney may
still ask you questions beyond the scope of the notice.
Some courts allow this – so be prepared for those types of
questions and do not be thrown off guard by them.
Be Ready to Practice, Practice, Practice
The organization’s attorneys will likely practice with
the designated spokespersons. But it also helps to prac-
tice recounting the storage system and the basic organi-
zational chart, which describes the various functions of
the organization and what data each area is responsible
for. During the practice session, work on terminology to
make sure it is precise and cannot be easily misunder-
stood. The legal team may ask you to engage in a mock
deposition.
Take Cues from Your Attorney
After you are asked a question, pause before answering,
which provides the opportunity for your attorney to
make an objection. Most likely, you will be instructed to
answer the question in spite of the objection. Take a mo-
ment and think about why the attorney objected and an-
swer the question accordingly.
Your role with regard to litigation has grown expo-
nentially in the electronic era. The 30(b)(6) deposition is
especially important in that the testimony binds the or-
ganization. It is incumbent upon you to be prepared for
your own 30(b)(6) deposition.
Stacy Jackson can be contacted at [email protected].
See her bio on page 47.
Topics that may be addressed at the 30(b)(6) deposition.
• Your qualifications (e.g., education, training, and experience)
• Organization structure
• Steps taken to prepare for deposition
• Corporate system(s)
• Backup systems (e.g., tapes, hard drives, servers, and e-mail
  system)
• Disaster recovery procedures
• How data is created, stored, organized, and deleted
• Document retention policy
• Litigation hold procedures
• Alternative sources for electronic information
GARP SERIES®
Leveraging GARP® to Ensure Employee Engagement
Charity Whan
With the growing need to manage information and knowledge
correctly, best practices in information management are no
longer key items for discussion among only records and
information management (RIM) professionals.
Every employee now has the responsibility to understand and
comply with the principles of recordkeeping that allow the
organization to adequately facilitate and sustain day-to-day
operations, consistently remain compliant with applicable laws
and regulations, and effectively understand what it has done in
the past so it can make better choices for its future. Records
are vital when these types of decisions are being made, but
there is something that is even more critical – the people that
make them.
Employees are the most important factor in whether an
organization succeeds or fails. The ability of any single
employee to have an impact on an organization does not stop at
decisions made by a C-level executive, but continues on down
through the very fibers that make it up – the entry-level
clerks, the front-line managers, and the full-time and
part-time support staff.
Taking this into consideration, the question for many
organizations has been how they can attract and maintain
employees who are loyal and dedicated to the sustainability of
not just their positions, but of the organization itself.
Employee Engagement Is Key
The answer for many has been to improve employee engagement. In
the simplest of terms, employee engagement is the extent to
which employees believe in the mission, purpose, and values of
an organization and demonstrate that commitment through their
actions toward and attitudes about their employer and
customers.
An organization has high employee engagement when employees’
statements, conversations, and decisions reflect a natural
enthusiasm for the organization, co-workers, and its products
or services. Intentionally instilling a “natural enthusiasm” in
an employee may not seem like a natural process at all, but
research has shown that if certain conditions are in place,
employee engagement is not only possible, but highly
profitable.
Ensuring employee engagement requires a total approach. Every
aspect of an organization’s processes and operations has to be
supportive and have an encouraging effect. The starting point
for any organization is to nail down the basics. The
organization must have three things:
1. A high-quality product or service that employees can support
   with confidence
2. Adequate delivery systems that ensure commitments made to
   customers are easily met by employees
3. Solid policies and practices, including employee evaluation
   and recognition systems that are honest, straight-forward,
   and carried out with dignity
Arriving at this point can be diffi-
cult, but the challenge of success can
be overcome easily when there is a
strategic foundation on which to build.
Gain Leverage Using GARP®In laying this foundation, organiza-
tions that have strong RIM programs
have an advantage over those that
don’t because they are likely imple-
menting the Generally Accepted
Recordkeeping Principles® (GARP®)
released by ARMA International in
February 2009.
These principles, which are based
on years of un-codified records best
practices, were created to assist or-
ganizations in implementing effective
NOVEMBER/DECEMBER 2011 INFORMATIONMANAGEMENT 33
modified to assess the strengths and
weaknesses of an organization’s per-
sonnel.
Furthermore, it can be utilized as a
framework for establishing an em-
ployee evaluation system that is ade-
quately suited to the standard of
conduct expected of employees and for
meeting one of the major requirements
of organizations seeking to fully en-
gage their employees.
Creating a GARP® Employee ScorecardIn 1992, Robert Kaplan and David
Norton began a ground-breaking arti-
cle in the Harvard Business Review
with this facile adage, “What you
measure is what you get.” Their intro-
duction of the “balanced scorecard”
began a new movement of tracking
employee performance metrics in
order to improve the performance of an
entire organization, department, or
even a small team.
According to the article, the score-
card includes “financial measures that
tell the results of actions already
taken” and “operational measures on
customer satisfaction, internal
processes, and the organization’s inno-
vation and improvement activities”
that drive future financial perform-
ance.
In 2011, the records management
team of Polsinelli Shughart saw a sim-
ilar opportunity to use this concept and
expand the use of GARP® by creating a
GARP® Employee Scorecard.
Managers can get bogged down by
using some performance measure ap-
proaches, but the GARP® Employee
Scorecard limits measurement to the
eight critical principles. By identifying
the key factors that contribute to em-
ployee and organizational information
governance success, the GARP® Em-
ployee Scorecard truly limits measure-
ment to what really matters.
The GARP® Scorecard in ActionWhat really matters at Polsinelli
Shughart is that the company, de-
partment, or team utilizing the
GARP® scorecard remains in compli-
ance with established RIM best prac-
tices, accomplishes over-arching
GARP® initiatives, and fully engages
their employees in these initiatives.
Polsinelli Shughart’s GARP® Em-
ployee Scorecard is a trait-focused per-
formance appraisal, utilizing the eight
GARP® principles as the desirable
traits sought in employees, as detailed
below:
n Does Not Meet – Performance falls
well short of standards for the posi-
tion. Deficiencies are significant
and may limit future progress.
n Requires Improvement – Perform-
ance falls somewhat short of stan-
dards for the position. Deficiencies
are noticeable, but with focus
should be correctable.
n Satisfactory – Performance meets
most of the requirements and stan-
dards set for the position. Deficien-
cies are rare. Longevity with the
position should allow for correction.
n Very Good – Performance fully meets
requirements and standards of
competency set for the position. De-
ficiencies are extremely minor and
will likely be overcome with addi-
tional experience and business ma-
turity.
n Outstanding – The employee dem-
onstrates high-quality, on-the-job
performance and consistently con-
tributes more than what is re-
quired.
On page 34 is an example that il-
lustrates how a GARP® Employee
Scorecard evaluation system would be
used in a RIM environment.
Samantha is a records clerk in a
law firm. Her daily responsibilities in-
clude maintaining and organizing
records systems and programs. To-
gether, the eight GARP® principles –
accountability, transparency, in-
tegrity, protection, compliance, avail-
ability, retention, and disposition – set
a standard of conduct deemed to rep-
resent sound information governance
policy and practice. (See www.arma.
org/garp to read the principles and
their annotations.)
Use the GARP® Information Governance Maturity Model as a Framework
In 2010, ARMA International fol-
lowed the release of GARP® with
the GARP® Information Governance
Maturity Model (GARP® Maturity
Model). Information governance is
often a complicated concept, but at its
core, it includes the processes, roles,
standards, and metrics that ensure
the effective and efficient use of infor-
mation.
In seeking to assist organizations
with short- and long-term RIM goals
to achieve this efficiency, the Maturity
Model defines five levels of increasing
competency for each of the GARP®
principles: Level 1 – Sub-standard,
Level 2 – In Development, Level 3 –
Essential, Level 4 – Proactive, and
Level 5 – Transformational.
Anyone who has used the many
maturity models in existence could
extol how extremely beneficial they
can be, but where they really add
value is in helping identify strengths
and weaknesses in different aspects of
a process and in creating a framework
in which decisions can be made.
Hence, this GARP® Maturity Model
enables an organization to target the
gaps between existing processes and
those best practices that will have the
most significant impact on overall per-
formance, including cost and risk.
It is at this point where it becomes
clear how and why GARP® can be used
to succeed in the employee engage-
ment arena. Just as the GARP® Matu-
rity Model can be used to assess
strengths and weaknesses in various
facets of a RIM program, it can be
files, sorting and delivering files to
the firm’s various practice depart-
ments, and supporting the records
supervisor.
Upon arrival in the department,
she was provided the annotated
GARP® principles, which she has
posted in her cubicle to remind her of
the department’s expectations. Al-
though she is relatively new, Saman-
tha quickly understands what her
tasks are and develops a schedule for
herself that includes three file runs
daily.
In addition, she organizes her desk
with clearly marked bins for incoming
and outgoing filing, and she main-
tains similar systems in file rooms.
While Samantha has not yet had the
opportunity to work on retention proj-
ects, she has reviewed the firm’s re-
tention policy. She still has questions,
and when they arise, she consistently
maintains communication with the
records supervisor and manager to
ensure that she is completing her
duties in accordance with department
policies.
Samantha represents a fully en-
gaged employee acting from day one
in the best interests of the company’s
GARP® information governance pro-
gram. In fact, when it came time for
her 90-day evaluation, Samantha had
quality feedback from her manager on
the GARP® Employee Scorecard and
was able to identify easily where she
had excelled in her time with the firm
and where she required improvement.
Samantha’s detailed schedule for
her workflow and her organizational
abilities earned her “Very Good” rat-
ings for accountability, availability,
and transparency. She also received
“Satisfactory” ratings for integrity,
protection, and compliance by work-
ing to ensure that her work product
was secure and consistently up to de-
partment standards.
Samantha received two final rat-
ings of “Requires Improvement” in the
areas of retention and disposition. At
her 90-day evaluation, her knowledge
of these more complicated areas was
still in development, leaving some de-
ficiency in her workflow.
The example above is but one that
illustrates where the GARP® Employee
Scorecard can be of use to managers.
The system can be used in one-to-one
monthly meetings or on a quarterly
basis to assess employee strengths and
weaknesses. It can also be used as a
yearly evaluation instrument or as an
aid to get a pulse check on employee
performance a few times a year.
The GARP® Employee Scorecard
can be utilized however a manager
sees fit, but it must be remembered
that establishing proper and consistent
evaluation procedures is only part of
the battle in fully engaging employees.
Recognizing Employees Through GARP®
The desire to be praised for accom-
plishments, no matter how small, re-
ally doesn’t change that much after
childhood. Whether it’s a gold star on
the classroom wall, an encouraging
note written on a term paper, or a
plaque recognizing years of loyal serv-
ice, the need to be recognized contin-
ues throughout a person’s lifetime.
Some might find it surprising, but
recognition is the number-one factor in
successful employee engagement, sur-
passing many other motivational fac-
tors, such as adequate training,
relationships with co-workers, and ca-
reer growth.
Although recognizing employees
seems fairly straightforward, more
structure and planning must go into a
successful recognition program than
many may realize. It is a wonderful
thing to tell someone he or she has
done a good job; however, it makes a
great difference how, how often, and
for what an employee is recognized.
To meet these criteria,
Polsinelli Shughart’s records manage-
ment team implemented the GARP®
Recognition Program to correspond
with the GARP® Employee Scorecard.
On a quarterly basis, one employee
from each of the records department
regions – Western and Eastern – is
chosen based upon his or her contri-
butions to GARP® initiatives and
evaluations against the scorecard.
Recognition is not based solely
upon a single contribution to a GARP®
initiative, but rather on contributions
as a whole to daily GARP® initiatives,
such as remaining transparent in
workflows, and to special GARP® di-
rectives, such as electronic onboarding
and retention projects.
These aspects describe the “what”
and “when” of the recognition pro-
gram. For the “how,” the team turned
to research about effective employee
recognition and determined that cele-
bration and visibility were – by far –
the two most important aspects in any
recognition program.
At Polsinelli, GARP® award recipi-
ents are presented with a traveling
trophy and a recognition certificate,
often in a celebratory environment.
The winners and their accomplish-
ments are also announced via e-mail
to the records department staff and in
Polsinelli’s monthly firm-wide internal
newsletter, the PS Perspective.
This visibility part of a recognition
program cannot be underestimated,
particularly in a law firm. As a support
department, records is often secondary,
or even tertiary, to the many key play-
ers, such as attorneys and paralegals,
who are the lifeblood of the organiza-
tion. By recognizing accomplishments
within the records department, man-
agement reinforces the fact that work
done by records employees is essential
and contributes to the high-quality
service the company provides.
Ensuring Success with GARP®
The employee evaluation and
recognition strategies developed at
Polsinelli Shughart described here
are essential elements for any organ-
ization seeking not only to be fruitful
in its GARP® initiatives, but also to
support and sustain quality employ-
ees who desire to produce valuable
results.
This is only a single measure of the
benefits awaiting organizations that
buy into the fact that while the
GARP® principles and Maturity
Model are not in and of themselves
metrics for employee performance,
they do lay the groundwork for a sim-
ple system that is capable of ensuring
employee engagement in information
governance activities and processes.
The challenge of getting employees
engaged in an organization’s GARP®
initiatives requires far more than just
strong willpower and talent. It re-
quires strategic, sophisticated insight
based upon a deep understanding of
what drives employees to change and
how that change can be beneficial to
organizations that recognize its
worth.
If there is one lesson to be learned
here, it is that accurate employee
evaluation is the main driver in pur-
poseful employee recognition, and
purposeful employee recognition is the
main driver in successful employee
engagement. With GARP® in hand,
organizations can go forward with the
knowledge that they hold the key to
these vast treasures.
Charity Whan can be contacted at
[email protected]. See her bio on
page 47.
RIM FUNDAMENTALS
How to Avoid Disaster: RIM’s Crucial Role in Business Continuity Planning
The world has experienced a great deal of natural
and man-made upheaval and destruction in the
past few years, including tornadoes, hurricanes,
earthquakes, tsunamis, floods, fires, uprisings, ter-
rorist attacks, deliberate and accidental data
breaches, and cyber attacks. Any organization that
believes it is safe from loss due to a natural or
manmade disaster is denying reality.
Virginia A. Jones, CRM, FAI
With the large number of
high-profile disasters of the
past decade, it is not sur-
prising that the “2010 AT&T Busi-
ness Continuity Study” of 530
organizations showed that 83% of
the business executive respondents
indicated their organization had a
business continuity plan (BCP).
However, 12% indicated they did not
have a plan, and 5% were not sure.
While most organizations are
aware that a BCP is necessary to
keep their business operational dur-
ing and immediately following a dis-
ruptive event, not all agree on what
the plan is or what it should include.
Understanding the BCP
Business continuity planning is
part of a business continuity man-
agement (BCM) process that identi-
fies potential risks and vulnerabili-
ties and their impacts on an organi-
zation. It provides processes and
procedures for mitigating risks and
effectively responding to a disruptive
event in a way that safeguards the
interests of the organization’s key
stakeholders, reputation, brand, and
value-creating activities. To be suc-
cessful, BCM must be fully inte-
grated across the entire organization
as a required management process.
BCM includes business continuity
planning, which focuses mainly on
incident response and, depending on
the organization, can include records
and information security and risk
management processes.
According to the Contingency
Planning Guide for Information
Technology Systems from the Na-
tional Institute of Standards and
Technology, a BCP is the documen-
tation of a predetermined set of in-
structions or procedures that
describes how an organization’s
business functions will be sustained
during and after a significant dis-
ruption. It functions as a roadmap
that can be followed when a disrup-
tive event occurs.
BCP Goals
The goal of business continuity
planning, as identified by the U.S.
Federal Emergency Management
Agency (FEMA), is to reduce the con-
sequence of any disruptive event to a
manageable level. The specific objec-
tives of a particular organization’s
continuity plan may vary, depending
on its mission and functions, its ca-
pabilities, and its overall continuity
strategy.
In general, according to FEMA,
continuity plans are designed to:
• Minimize loss of life, injury, and
property damage
• Mitigate the duration, severity, or
pervasiveness of disruptions that
do occur
• Achieve the timely and orderly re-
sumption of essential functions
and the return to normal opera-
tions
• Protect essential facilities, equip-
ment, records, and assets
• Be executable with or without
warning
• Meet the operational requirements
of the respective organization.
Continuity plans may need to be
operational within minutes of ac-
tivation, depending on the essen-
tial function or service, but
certainly should be operational no
later than 12 hours after activa-
tion.
• Meet the sustainment needs of the
respective organization. An or-
ganization may need to plan for
sustained continuity operations
for 30 days or longer, depending
on resources, support relation-
ships, and the respective continu-
ity strategy adopted.
• Ensure the continuous perform-
ance of essential functions and op-
erations during an emergency,
such as pandemic influenza, that
require additional considerations
beyond traditional continuity
planning
• Provide an integrated and coordi-
nated continuity framework that
takes into consideration other rel-
evant organizational, governmen-
tal, and private sector continuity
plans and procedures
A BCP concentrates on the core
business functions – manufacturing
processes, customer relations, client
or patient interactions, research fa-
cilities, information technology in-
frastructure, and so on. Records and
information management (RIM) are
rarely included as separate entities.
Often, the RIM procedures that
should be considered, such as infor-
mation technology incident re-
sponse, recovery procedures, and
vital records protection, are not in-
cluded in the overall plan and may
need to be part of subsidiary plans.
However, RIM has an important role
in all aspects of risk mitigation, dis-
aster response, and disaster recov-
ery.
RIM’s Role in the BCP
RIM impacts an effective BCP in
several ways:
• Records and information are a crit-
ical resource throughout the or-
ganization, not only as part of
ongoing business processes, but
also as a resource during a dis-
ruptive event.
• A current records and information
inventory, including information
systems and electronically stored
information, is essential to imple-
menting and maintaining a suc-
cessful plan to identify and
protect records.
• A documented records classifica-
tion and retrieval system, with or-
ganized and well-indexed records,
is critical to timely and efficient
resumption of operations follow-
ing a disruptive event.
• A documented and established
vital records program is essential
for the protection and recovery of
mission-critical records and for
identifying those records required
during a disruptive event.
• A manual that includes all RIM
policies and procedures, including
for records retention and disposi-
tion, is an important reference for
use throughout the organization.
Preparing to Write a BCP
Some preparation and data compi-
lation must take place before a plan
can be written and implemented.
BCM relies on critical business
process identification and risk man-
agement results to determine the var-
ious priorities, tasks, and procedures
to include in the plan.
Preliminary preparation for busi-
ness continuity planning includes:
• Conducting a business impact
analysis (BIA)
• Developing and implementing a
risk mitigation plan
• Developing and implementing a
vital records program (to identify
and safeguard vital records, which
are “fundamental to the function-
ing of an organization and neces-
sary to continue operation with-
out delay under abnormal circum-
stances,” according to Glossary of
Records and Information Manage-
ment Terms, 3rd Ed.)
n Determining the recovery time ob-
jective for records and information
n Identifying and analyzing business
processes to best determine those
that are mission-critical
Business Impact Analysis
The BIA looks at critical processes
and considers the operational, finan-
cial, and other impacts and exposures
for each part of the organization if a
serious disruption to those processes
occurs. It identifies those processes
that must be resumed urgently and
those that may be resumed later. It
can determine potential loss to the or-
ganization if a BCP is not in place and
present recommendations to reduce or
mitigate these losses, so it is an im-
portant step in the risk mitigation
process.
The BIA should also identify the
minimum financial, human, and infor-
mation resources needed to support
the elements of the proposed plan. The
ranking of the business processes also
affects the records and information
necessary for these processes and
plays an important role in the vital
records identification process.
Risk Mitigation
BCM focuses on mitigating risks –
defined by Dictionary.com as the ex-
posure to the chance of injury or loss
– that the organization cannot absorb.
Since it is a very expensive and re-
source-draining process to protect and
recover everything, the organization
must decide what cannot be fully pro-
tected, duplicated, or saved following
an event.
The cost of mitigating the risk of
records and information loss must be
weighed against the value of the in-
formation to the organization. This is
done by determining the vulnerabili-
ties of the records and by comparing
the costs associated with the loss of
the records and information against
the cost of protecting or reconstruct-
ing them.
Some organizations may want to
expend only the minimum resources
to mitigate risk to one or more critical
processes and accept the risk to the
rest of the business. Other organiza-
tions may want to reduce as much
risk as possible, no matter the cost.
To achieve a cost and resource bal-
ance in risk mitigation, the organiza-
tion must set its risk tolerance level,
which is the maximum exposure to
risk (for a given type of risk or across
all exposures) that is acceptable based
on the benefits and costs involved, ac-
cording to Managing Risk for Records
and Information by Victoria L.
Lemieux, Ph.D. The organization
should link its risk tolerance and risk
objectives to its business goals and ob-
jectives.
Vital Records Program
A records and information disas-
ter results in the loss of records and
information essential to the organi-
zation’s continued operation. Conse-
quently, a business continuity plan
for records and information must in-
clude clearly identified vital records
to best allocate resources for their
protection and recovery.
Accurate identification of vital in-
formation is critical because this in-
formation establishes the legal status
of the organization as a business en-
tity, documents the assets and liabili-
ties of the organization from a
financial perspective, and documents
the operations of the organization,
which enable production processes or
other work to be accomplished, ac-
cording to Information and Records
Management, by Mary F. Robek, Ger-
ald F. Brown, and David O. Stephens.
In “Snap, Crackle & Pop,” a 1985
Records Management Quarterly arti-
cle, Richard E. Wolff wrote, “An effec-
tive vital records management
program includes descriptions of all
vital records necessary to protect as-
sets and ensure continuity of business
operations, documentation of proce-
dures and practices followed to pro-
tect and restore these records, and
adequate operating instructions to
permit the effective use of selected
records in an emergency.”
The vital records program should
be incorporated as part of the overall
BCP.
Types of Plans
One other preparation for devel-
oping a BCP is determining the
type(s) of plan(s) to be implemented.
Some organizations include all the
policies, processes, and procedures in
one general plan.
Others prepare a general policy
and plan that references subsidiary
plans for specific types of incidents
or for specific core functions, such as
information technology. Specific
plans more fully address response
and recovery for different types of in-
cidents, such as radiation leaks,
earthquakes, floods, fires, server
crashes, power outages, data
breaches, or hurricanes.
Sometimes, recovery procedures
are considered separate from the
general BCP and also have their own
referenced plans.
Creating a BCP
Once the preparations are com-
pleted, developing the plan can
begin. The process of developing a
BCP varies for each organization de-
pending on its business functions,
risk tolerance level, the types of plan
or subsidiary plans it is developing,
and the amount of resources it is
willing to assign to the process.
Steps to Follow
In general, the development of a
BCP should include the following
steps:
1. Establish a planning team. This
includes appointing an owner for
the plan and for each subsidiary
plan and includes representation
for all departments or core func-
tions.
2. Conduct a BIA.
3. Decide on the structure, format,
components, and content of the
plan, and determine the circum-
stances that are beyond the scope
of the BCP.
4. Identify preventive controls.
5. Create contingency strategies. De-
termine the strategies the plan
will document and what will be
documented in other plans.
6. Determine the response strategy.
7. Determine the recovery strategy.
8. Establish the vital records plan
and an information systems plan.
9. Gather information to populate
the plan.
10. Draft the plan.
11. Circulate the draft of the plan
for consultation and review.
12. Gather feedback from consulta-
tion process.
13. Amend the plan as appropriate.
14. Review and update the plan.
15. Approve the plan and train per-
sonnel.
16. Test the plan.
17. Schedule ongoing exercises to
ensure that the plan is main-
tained and remains current.
Contents to Include
Each BCP and any subsidiary
plans should include, at a minimum,
the following elements:
• A policy statement
• Roles and responsibilities – who
is responsible for doing each task
or group of tasks, what is the
chain of command and composi-
tion of the crisis team during an
event, and who is ultimately re-
sponsible for initiating the re-
sponse and/or recovery processes
• Continuity or succession of au-
thority – a clear statement of al-
ternates when key responsible
persons are unavailable
• Financial or funding information,
including personnel expenses, op-
erational expenses, material and
supply expenses, ongoing costs,
and contingency funding
• Task organization – what tasks
must be done and in what order
• Information distribution proce-
dures
• Results of the BIA and appropri-
ate elements from the vital
records program and the informa-
tion systems plan
• Response procedures
• Recovery procedures (if relevant
to the BCP)
• Training programs
• Testing procedures (used to re-
view and update procedures)
• Communications directory
• Damage assessment procedures
National and International Standards Provide a Foundation for Protection
International Organization for Standardization
• ISO 15489-1:2001 Information and documentation – Records management – Part 1: General
• ISO/TR 15489-2:2001 Information and documentation – Records management – Part 2: Guidelines
• ISO/IEC 27002:2005: Information technology – Security techniques – Code of practice for information security management
National Fire Protection Association
• NFPA 232: Standard for the Protection of Records, current edition 2012
• NFPA 75: Standard for the Protection of Information Technology Equipment, current edition: 2009
• NFPA 909: Code for the Protection of Cultural Resource Properties – Museums, Libraries, and Places of Worship, Current edition: 2010
• NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs, Current edition: 2010
ARMA International
• ANSI/ARMA 5-2010 Vital Records Programs: Identifying, Managing, and Recovering Business-Critical Records
Testing the BCP
No BCP is successful without test-
ing. The time to find out that some
BCP concepts do not work is not
while a disruptive event is occurring.
There are several methods of testing
plans, including two that are recom-
mended by FEMA:
Discussion-based exercises include
seminars, workshops, tabletop exer-
cises, and games. They highlight ex-
isting plans, policies, mutual aid
agreements, and procedures, and
they are tools to familiarize organi-
zations and personnel with an en-
tity’s current or expected capa-
bilities. Decision-based exercises typ-
ically focus on strategic, policy-ori-
ented issues. Conducting these
exercises does not create a large-scale
disruption of daily routine and pro-
ductivity.
Operations-based exercises include
drills, functional exercises, and full-
scale exercises. They are character-
ized by actual response, mobilization
of apparatus and resources, and com-
mitment of personnel, usually held
over an extended period of time. Op-
erations-based exercises can be used
to validate plans, policies, agree-
ments, and procedures.
Each test should include an evalu-
ation of the test results and identifi-
cation of weaknesses and lessons
learned. These, in turn, are used to
revise the plan. Once the organiza-
tion is comfortable with all revisions,
it can then approve and implement
the plan.
Maintaining the Plan
A BCP is not a static document.
Changes in core business functions,
business locations, technology infra-
structure, and other circumstances
will require additional considerations
and revisions of the plan. The BCP
should be reviewed and tested at
least yearly, and attention should be
paid to any business elements that
have been added since the last re-
view. An organization’s annual test-
ing of the program, according to
FEMA, should include:
• Alert, notification, and activation
procedures – with recommended
quarterly testing of such proce-
dures – for continuity personnel
• Recovery of vital records (classi-
fied and unclassified), critical in-
formation systems, services, and
data
• Primary and back-up infrastruc-
ture systems and services (e.g.,
power, water, and fuel) testing at
continuity facilities
• Required physical security cap-
abilities
• Equipment to ensure the internal
and external interoperability and
viability of communications sys-
tems, through quarterly testing of
the continuity communications
capabilities (e.g., secure and non-
secure voice and data communica-
tions)
• Capabilities required to perform
an organization’s essential func-
tions
• Formally documenting tests and
reporting their results
• Internal and external interdepen-
dencies identified in the organiza-
tion’s continuity plan, with
respect to performance of an orga-
nization’s and other organizations’
essential functions
Arriving at the Best Solution
Each organization’s business con-
tinuity solution must rely on its
unique impact and risk analyses. The
“best” solution for business continu-
ity planning and management will
consist of the right mix of internal
controls and tools with outsourced
services that will meet the organiza-
tion’s requirements for managing the
physical, technological, legal, regula-
tory, and human resource aspects of
business continuity.
Virginia A. Jones, CRM, FAI, can be
contacted at [email protected]. See
her bio on page 47.
Dodd-Frank Act Puts Focus on Information Governance
Fred Pulzello, CRM, and Sonali Bhavsar
As a result of the Dodd-Frank Act, many organizations should consider revising their current business and compliance practices to satisfy regulatory reporting requirements.
Major financial reform legislation that was signed into law in 2010 will profoundly impact organizations’ records and information management practices for years to come. The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) was created “to promote the financial stability of the United States by improving accountability and transparency in the financial system; to end [the creation of large firms that have such an impact on the nation’s financial stability that they are] ‘too big to fail’; to protect the American taxpayer by ending bailouts; to protect consumers from abusive financial services practices, and for other purposes.”
As a result of Dodd-Frank, the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission, and the Federal Reserve will create more than 200 new rules. Dodd-Frank also established new agencies, including the Financial Stability Oversight Council, which defines jurisdiction of bank holding companies and non-bank financial companies and provides recommendations on setting prudential standards on reporting and disclosure, and the Consumer Financial Protection Bureau. These two agencies alone will create 80 new financial oversight and disclosure rules.
Implementing the act’s reforms will take years because many of its significant provisions have extended implementation periods and delayed effective dates. In addition, financial regulators will continue making rules for the next six to 18 months.
Dodd-Frank to Reduce ‘Systemic Risk’
One of the major sections of Dodd-Frank is meant to provide better oversight of systemic risk (a risk that affects the entire financial market), and, for that purpose, it established the Financial Stability Oversight Council mentioned above. The council includes 15 members from the Federal Reserve, U.S. Department of the Treasury, U.S. Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, SEC, the Consumer Financial Protection Bureau, and the Office of Financial Research.
It also reinstates the “Volcker rule,” which requires banking companies to implement a robust compliance regime and measure compliance effectiveness by performing quantitative analysis to detect potentially impermissible proprietary trading. While most of the impact of Dodd-Frank will be felt by financial services firms, any organization doing business in the financial, capital, and credit markets will also be affected. (See sidebar “Organizations Affected by Dodd-Frank.”)
Compliance with Dodd-Frank can be accomplished only by organizations that implement the appropriate management, business tools, and technology.
Sidebar: Organizations Affected by Dodd-Frank
Any organization doing business in the financial, capital, and credit markets will be affected by Dodd-Frank. Non-financial industries that participate in these markets include:
• Energy companies (e.g., supermajors, independent oil and gas, and refining and marketing)
• Electric and natural gas utilities
• Chemical
• Mining and mineral
• Airlines
• Agribusiness
• Consumer products
Focus Is on Information Governance
Dodd-Frank increases the focus on recordkeeping for all business documentation, making it essential for organizations to invest in establishing information governance programs, which include recordkeeping policies, practices, and technology tools to improve control of their ever-growing enterprise content (e.g., e-mail, files, source code, and customer account information). Those who do so will be in the best position to adapt quickly to the new rules and regulations.
Dodd-Frank Demands ECM Capabilities
It is important that enterprise content be measured based on lines of business (broker/dealer, hedge fund, commercial bank) and volume of transactions to apply SEC and Financial Industry Regulatory Agency (FINRA) supervision rules developed by SEC and FINRA. These rules, such as FINRA 10-06, FINRA 3010, and FINRA 3110, are required to meet regulatory needs, and they complement the Dodd-Frank rules on good recordkeeping.
For financial advisors to be able to report on FINRA and SEC rules, it is essential for organizations to have workflow functionality that automates standard business processes. Enterprise content management (ECM) tools provide comprehensive automation capabilities for monitoring system activity, auditing, and dashboard reporting capability, all of which make regulatory compliance simpler.
Reporting Oversight
ECM tools are essential to producing the comprehensive reporting demanded by Dodd-Frank and regulatory agencies. Without these basic capabilities, businesses are limited to manual processes and workarounds, which are error prone and, from a regulatory point of view, increase business risk.
ECM tools allow recurring reporting oversight that is system-generated and reflects transaction details, which enables firms to better control trades they execute. Strong recordkeeping rules that are aligned with business processes facilitate document retrieval and expedite internal and external audits. They also help make the reporting process more transparent and informative, ensuring accurate disclosure.
Enterprise Content Control
Today’s recordkeeping tools offer capabilities that enable businesses to go paperless and provide efficient mechanisms and powerful search features that allow electronic content located in disparate locations across the enterprise (e.g., e-mail, files, source code, and customer account information) to be managed, located, and produced on demand. Even though these tools enable quick access, they also provide security and control over that access and safeguard customers’ sensitive information.
Data Loss Prevention
Events like the November 2010 WikiLeaks case that exposed sensitive U.S. government cables to the entire world emphasize the importance of guarding sensitive information, whatever industry sector an organization is in.
A WikiLeaks scenario can be averted by installing good data loss prevention tools. These tools use in-depth search algorithms to monitor who accesses specific information. They alert appropriate authorities if someone is trying to download intellectual property, allowing suitable action to be taken before the data is leaked or used for malicious intent.
Dodd-Frank provides an additional incentive for compliance officials, record managers, and security personnel to build trust among employees and prevent intellectual property from leaking: it includes a whistleblower bounty program that pays whistleblowers 10% to 30% for cases that result in returns of more than $1 million, incenting employees to report security breaches to the government rather than to the organization so corrective action can be taken. Organizations can meet this challenge by:
• Creating security provisions to protect enterprise content without hampering business functions
• Giving due diligence to supervision, monitoring internally and externally shared enterprise content and conducting random checks
• Defining steps to mitigate risks, outlining worst-case and what-if scenarios
Management Tools Are Also Required
Implementing management tools, such as the Generally Accepted Recordkeeping Principles® (GARP®), is an important consideration in today’s volatile financial market because they help organizations evaluate their current risk state specific to records, disclosures, compliance, and supervision rules, as well as provide a roadmap to mitigate the risk.
The eight GARP® principles (see www.arma.org/garp) provide a robust information governance framework against which organizations can evaluate their recordkeeping practices to determine their exposure and risks – under Dodd-Frank, as well as under other regulations like the Sarbanes-Oxley Act.
As an example, Dodd-Frank’s “Title VII – Wall Street Transparency and Accountability” emphasizes the principles of accountability and transparency for recordkeeping:
The Commodity Futures Trading Commission and the Securities and Exchange Commission, in consultation with the Board of Governors [Federal Reserve’s], shall engage in joint rulemaking to jointly adopt a rule or rules governing books and records regarding security-based swap agreements, including daily trading records, for swap dealers, major swap participants, security-based swap dealers, and security-based swap participants.
Transparency and accountability are also two of the GARP® principles. By comparing itself to the characteristics shown as typical for organizations at each of the five levels of maturity in the GARP® Information Governance Maturity Model (see www.arma.org/garp), an organization can assess how transparent and accountable its recordkeeping is. The five levels are condensed and paraphrased below:
1) Sub-Standard – Recordkeeping concerns are either not addressed or are addressed in an ad hoc manner.
2) In Development – The organization is beginning to recognize the impact recordkeeping has.
3) Essential – The organization is addressing the essential or minimum requirements to meet its legal and regulatory requirements.
4) Proactive – Information governance considerations are integrated into the organization’s business decisions on a routine basis.
5) Transformational – Information governance is integrated into the overall corporate infrastructure and business processes to such an extent that compliance with program requirements is routine.
Sidebar: Using GARP® to Assess Compliance
Using GARP® as a basis, an organization can identify gaps between its actual and desired state of compliance and develop a roadmap for remediation.
Step One: Identify the key stakeholders:
• Compliance – Compliance with legal and regulatory requirements is a key driver for the information governance program, and these staff members have the best handle on what those requirements are.
• Legal – Legal staff understand the organization’s litigation profile and can provide insight into the types of litigation the company is most subject to. This will allow the relevant records to be identified and ensure that the information governance infrastructure addresses them appropriately.
• Information technology – IT staff can contribute information about the technology infrastructure, including the capabilities and limitations of its software and hardware.
• Risk management – Risk assessments have an important recordkeeping component, including documentation of the risks and actions taken to mitigate them.
• Business unit line managers – These managers are on the front lines of business unit activities that create records needed for conducting business and making decisions.
Step Two: Gather existing information, including:
• Policies and procedures – These include retention schedules and other documentation related to records disposition, legal holds, information privacy/protection, and Internet/social networking usage.
• Data maps – These identify what information is created/used by the organization, where it is located, and who manages it.
• Functional workflows – These describe how information is created internally or received and how it flows throughout the normal business processes.
Step Three: Measure against GARP® to identify gaps between current and desired practices.
• Use the GARP® Information Governance Maturity Model to get an objective baseline of your information governance program’s maturity relative to the GARP® principles.
• In addition, consider using the new GARP® Assessment to evaluate a department, a division, or the organization as a whole relative to 100 information governance attributes.
• The GARP® Assessment can quantify information governance shortcomings to management, prove qualitative return on investment from program improvements, or establish benchmarks against which it can monitor improvement through repeated assessments.
Step Four: Prioritize gaps to be addressed.
• Determine the organization’s risks related to its state of maturity (or immaturity). Common risks are data loss, privacy violations, and unlawful or unauthorized destruction of records.
• Determine which gaps pose the greatest risks, and prioritize the order in which they should be addressed.
• The prioritization process must include a cost/benefit analysis and take into consideration organizational developments and activities to determine the most critical functional areas.
Step Five: Develop roadmap to reach the desired state.
• Determine what actions must be taken to close each gap in priority order.
• Identify resources and timelines.
Step Six: Measure progress against deliverables.
Implement continual improvement by regularly reassessing to measure improvements and validate that they are having the desired effect.
Disclose to Go Beyond Dodd-Frank
Complying with reporting requirements (e.g., transactional reporting, as well as management reporting in dashboard form) for measuring key performance indicators is also needed to ensure transparency within an organization, build trust, and show accountability with regulatory bodies. These reporting tools, which show the organization’s general health, help management take corrective steps and lower risks.
An April 2011 Knowledge@Wharton article reporting the results of a Dodd-Frank-related survey of middle to top corporate management it conducted jointly with the Enhanced Business Reporting Consortium (EBRC) underscores the need for this type of reporting – beyond those required by Dodd-Frank.
Enhanced Disclosures: KPIs and More
Some 66% of survey respondents said financial statements do not adequately meet the needs of users; about half said more enhanced disclosures than those included in Dodd-Frank, including key performance indicators, value drivers, and intellectual assets, are “important” or “very important” to provide more transparency and prevent future crises. (See Figure 1.)
Disclosing this type of information not only helps build transparency, it demonstrates good intentions to mitigate risk and simplify compliance.
Enhanced Corporate Governance Disclosures
The survey results also indicate that enhanced corporate governance disclosures beyond those required in Dodd-Frank are “important” to “very important” to the majority of respondents. These disclosures relate to executive compensation (e.g., chief executive officer and rank and file employee comparisons, prohibition of excessive executive compensation arrangements, and executive clawback provisions in case of statement provisions).
Various regulatory entities require these types of disclosures be available on demand, so they must be documented, recorded for efficient recordkeeping and retrieval, and kept current. If they are not, the organization may be subjected to higher risks and questions regarding the executive board’s workings in relation to corporate governance rules. Chain of custody and the data integrity of the disclosures are also very important for any e-discovery event or litigation hold.
Enhanced Social Disclosures
Survey respondents also said enhanced social disclosure beyond that required by Dodd-Frank is important. The social disclosure rule, which is a new addition to Dodd-Frank, states that all payments be disclosed that are made on an annual basis to foreign governments in connection with commercial development of certain national resources in foreign countries.
Again, using GARP® as a management tool can help organizations identify gaps between the current and the desired state of transparency and develop a go-forward strategy for all disclosures based on efficient and effective recordkeeping to be better aligned with Dodd-Frank.
Prepare for Rules Yet-to-Come
There are still many uncertainties about what compliance with Dodd-Frank will eventually require, but those organizations that proactively invest in establishing information governance policies, procedures, and technology to improve the efficiency of their compliance programs will be in the best shape to adapt quickly to the new rules and regulations and manage the risks associated with doing business in this environment.
Fred Pulzello, CRM, can be contacted at [email protected]. Sonali Bhavsar can be contacted at sonali.bhavsar@gmail.com. See their bios on page 47.
Figure 1: Importance of Measures for Providing Transparency and Avoiding Future Economic Crises
Source: Knowledge@Wharton. “Knowledge at Wharton/EBCR Survey: After the Crisis, Executives Believe the Dodd-Frank Act Is a
Tame Tiger,” April 2011. Used with permission.
Lifting the Fog on Cloud Computing
Julie Gable, CRM, FAI
Cloud Computing Explained
Author: John Rhoton
Publisher: Recursive Press
Publication Date: 2010
Length: 483 pages
Price: $39.95
ISBN-13: 978-0-9563556-0-7
Source: www.recursivepress.com
The underlying assumption of John Rhoton’s Cloud Computing Explained is that the reader is facing a critical decision: Does cloud computing make sense for the organization or not? This book is for those who need an in-depth understanding of cloud computing’s many facets, including consultants, architects, technologists, and strategists involved with analyzing, planning, and implementing new technologies.
Cloud Computing Explained provides excellent introductory material about the types of clouds, the pros and cons of their components, and their similarities and differences, including implications for managing information in the cloud; however, it is not a primer. Instead, it is a structured approach to assessment, design, selection, and implementation of cloud technology.
The author’s overriding objective is to provide a comprehensive picture of cloud computing. He does this by arranging 30 chapters under 10 headings in the order they would arise in the context of a project: define, assess, design, select, integrate, implement, operate, control, adapt, and evolve.
The first five chapters under “define” are relevant to all readers, including a definition of cloud computing, as well as an overview of how cloud components fit together.
Rhoton explains the SPI software model – which stands for software-as-a-service, platform-as-a-service, and infrastructure-as-a-service. He walks through each layer of the SPI model to give an introductory view of what cloud architecture looks like.
Rhoton mentions specific products as a means to reinforce the concepts and explains how the cloud services industry works, revealing, for example, that one cloud service provider may actually subcontract some components from another, a fact that is not immediately apparent to the casual observer.
The inclusion of material to help in analyzing and thinking about the technology from a broader perspective gives the book much of its richness.
For example, Chapter 1 explains the Gartner-developed hype cycle, a chart showing the tendency of new technologies to get high levels of interest long before they are mature enough to actually be implemented.
Chapter 7 on strategic impact notes that cloud computing can affect internal IT strategy, as well as external competitive position, and it includes illustrations of analytical frameworks for assessing potential impact.
That the book is written by an information technologist is clear in the parts on integration and implementation. The useful insight here is that costs associated with migrating data to the cloud may be overlooked.
The greatest disruption posed by cloud computing is in its ongoing operation, as noted in the chapter on service management. Succeeding chapters address administration and monitoring of cloud-based services.
Most records professionals will be disappointed to find that issues around control appear in the chapter on compliance near the end of the book, where there is a terse discussion of some applicable laws, data privacy issues, e-discovery, and security breaches. Succeeding chapters on risk and governance provide models for analyzing threats and for service contracts.
Throughout the text, there are many mentions of vendors and service providers, and there is a substantial appendix with profiles of many cloud product offerings. Some product information, though, is littered with acronyms that will be meaningless to those without programming exposure. In places, the going gets tough for non-technical readers.
Much of this book is repetition of the benefits and drawbacks of cloud computing, but there is ample depth of analysis and many new insights. Parts will be useful to records professionals, information technologists, and others who have a leadership role in weighing cloud computing’s potential for gain and loss. It could make an excellent resource for a project team charged with examining the benefits and pitfalls of clouds.
Julie Gable, CRM, FAI, can be contacted at [email protected]. See her bio on page 47.
Contact Information
Building a Document Unit for Hazardous Incident Response (page 20)
John Kain works for Montaña & Associates, an information governance consulting organization. He specializes in records retention scheduling, foreign retention research, and incident response documentation management. Kain has been in the information governance and retention scheduling field since 1999. He has authored numerous articles for journals, magazines, and websites. Kain can be contacted at jkain@montaña-associates.com.
Rule 30(b)(6) Deposition Mystery Revealed: What Records Professionals Need to Know (page 27)
Stacy Jackson is corporate counsel with IE Discovery, where she has managed the company’s legal services team, working directly with client attorneys in charge of cases and coordinating project management to ensure quality deliverables. She has extensive experience in medical malpractice, product liability, employment law, government contracts, and affirmative cost recovery for environmental matters. Jackson can be reached at
Leveraging GARP® to Ensure Employee Engagement (page 32)
Charity Whan is records manager at Polsinelli Shughart, where she has worked diligently supporting large-scale records projects, including national supply inventory tracking, offsite storage initiatives, and policy and procedure creation. Whan has eight years of records and information management experience, combined with a master’s degree in management and leadership. Her specialties include project management, mentorship, and leadership, as well as offsite storage maintenance. Whan can be contacted at [email protected].
How to Avoid Disaster: RIM’s Crucial Role in Business Continuity Planning (page 36)
Virginia Jones, CRM, FAI, is the records manager for Newport News (Virginia) Department of Public Utilities. She has more than 40 years of experience in records and information management (RIM) operations, management, consulting, writing, teaching, and training. An adjunct graduate course instructor in the School of Library and Information Science for Wayne State University, Jones has authored numerous RIM-related books, as well as articles for national trade publications. She is an active member and a Fellow of both AIIM and ARMA International, and she serves on the Institute of Certified Records Managers’ Board of Regents. Jones can be contacted at [email protected].
Dodd-Frank Act Puts Focus on Information Governance (page 42)
Fred Pulzello, CRM, is a solutions architect in the information governance practice at MicroLink LLC, a subsidiary of Autonomy. Pulzello can be contacted at [email protected].
Sonali Bhavsar is a solutions architect in the information governance practice at MicroLink LLC, a subsidiary of Autonomy. Bhavsar can be contacted at sonali.bhavsar@gmail.com.
Lifting the Fog on Cloud Computing (page 46)
Julie Gable, CRM, FAI, is president and founder of Gable Consulting LLC. She has more than 25 years of experience specializing in strategic planning for electronic records management, including business case development, cost-benefit analysis, requirements definition, and work plan prioritization. In 2003, she was named a Fellow of ARMA International. Gable has authored numerous articles and frequently speaks at national and international conferences. She holds a master’s degree in finance from St. Joseph’s University and a bachelor’s degree in management from Drexel University. Gable can be contacted at juliegable@verizon.net.
Reach Your Target: Information Management Decision Makers and Influencers
There’s only one source you can count on to give you the impact you want:
41 Bulletin Board
5 Fellowes www.fellowes.com/save
13 GRM 866.947.6932 – www.grmpedia.com
9 Huron Legal www.huronconsultinggroup.com
IBC ibml www.ibml.com
26 Institute of Certified Records Managers 877.244.3128 – www.ICRM.org
BC Iron Mountain www.ironmountain.com/ARMA
3 NAID www.naidonline.org
IFC RSD www.rsd.com
40 Technologic Systems www.embeddedARM.com
AN ARMA INTERNATIONAL PUBLICATION
ARMA INTERNATIONAL’S MAGAZINE
Karen Lind Russell/Krista Markley
Account Management Team
+1 888.277.5838