Enterprise Information Management: Implementation Strategies by Graham Riley

Enterprise Information Management: Implementation Strategies. Graham Riley, Manager of Account Services, Iron Mountain. Education Code: FR02-2209

Upload: careertoolbox-international-llc

Post on 01-Nov-2014


DESCRIPTION

There are many influences impacting you as you support your organization’s ability to expand and grow as a business, to be compliant with state and federal legislation, and to manage the exponential growth of information and data. In response to this change in the business environment, the ability to manage information at the enterprise level is now more critical and many organizations are looking to implement an enterprise information management program that addresses the needs of both the business and regulatory compliance for all records, regardless of format or location. In this session, you will learn how to conduct such a significant undertaking.

TRANSCRIPT

Page 1: Enterprise Information Management: Implementation Strategies by Graham Riley

Enterprise Information Management: Implementation Strategies

Graham Riley

Manager of Account Services, Iron Mountain

Education Code: FR02-2209

Page 2: Enterprise Information Management: Implementation Strategies by Graham Riley

Learning Objectives

Upon completion of this session, participants will be able to:

* Explain the value of a compliant records and information management program

* Outline a process for implementing a compliant records and information management program in your organization

Page 3: Enterprise Information Management: Implementation Strategies by Graham Riley

Session Outline

* Background

* Obstacles to a compliant records and information management program

* Areas of common ground

* Foundation of a compliant records and information management program

* The compliant records and information management program implementation process

Page 4: Enterprise Information Management: Implementation Strategies by Graham Riley

Managing Compliance Proves Difficult

Changing Regulatory Environment

• Rule 26 of Civil Procedure

• Sarbanes-Oxley

• Gramm-Leach-Bliley

• SEC Rule 17

• MA Privacy Law

• Patriot Act

• HIPAA

• FACTA

Convergence of Physical & Digital Records

Exponential Information Growth

Records & Information Management Professionals


Page 5: Enterprise Information Management: Implementation Strategies by Graham Riley

Compounding the Problem: Rule 26

26(b)(2) Sets up provisions for “reasonably inaccessible” data

26(f) Mandates meet-and-confer sessions

26(a) Explicitly makes “electronic stored information” (ESI) a category of discoverable data

26(b)(5) Clarifies procedures for retrieval of privileged information that was produced inadvertently

Rule 26

Records Management

Information Technology

Page 6: Enterprise Information Management: Implementation Strategies by Graham Riley

Recent History of Non-Compliance

* December 2008: Large Entertainment Company Settles charges

  – Its Music Fan Websites Violated the Children’s Online Privacy Protection Act

  – Company Will Pay $1 Million Civil Penalty

* February 2009: Retail pharmacy chain settles FTC charges

  – Failed to Protect Medical and Financial Privacy of Customers and Employees

  – Pays $2.25 Million to Settle Allegations of HIPAA Violations

* June 5, 2009: Large Insurance company named in security-breach lawsuit

* June 2009: Large retailer to pay states $9.75M in data breach settlement

Page 7: Enterprise Information Management: Implementation Strategies by Graham Riley

Impact on Records Management

Held accountable for accessing records FAST

Forced to interpret communication between Legal and IT

Asked to do more with less

Doesn’t feel they have senior management support

Administer strict information disposal policies

Records Management

Page 8: Enterprise Information Management: Implementation Strategies by Graham Riley

Impact on Information Technology

Forced into reactive “fire-fighting” mode on discovery requests

Expected to understand records management processes, policies and retention

Struggles with what is acceptable to destroy and what is required to keep

Information Technology

Page 9: Enterprise Information Management: Implementation Strategies by Graham Riley

Impact on Legal, Risk & Compliance

Also forced into “firefighting” mode

Asked to ensure compliance with little direct authority

Inadequate measurement systems

Trying to train employees but under-resourced to be effective

Legal, Risk & Compliance

Page 10: Enterprise Information Management: Implementation Strategies by Graham Riley

And then there’s litigation!

PROBLEM

Consider the findings from organizations surveyed:

Nearly 1/3 had more than 20 lawsuits filed in 2008

43% of large organizations are forecasting an uptick in legislation in 2009

45% are spending upwards of $1M on litigation—one in five are spending more than $10M


Page 11: Enterprise Information Management: Implementation Strategies by Graham Riley

Litigation Can Surface the Friction

[Diagram labels: Litigation; In-Active Records; Active Records; Back-up Tapes; Electronic Files; E-mail; Enterprise Systems; Employee Laptops; Portable Hard Drives; Voicemail; Employee Files]

Legal & Compliance

IT Management

Records Management

Page 12: Enterprise Information Management: Implementation Strategies by Graham Riley


Litigation Can Surface the Friction

Legal & Compliance

IT Management

Records Management

Disconnected Retrieval Process

Communication Breakdown

Wasted Time & Resources

Page 13: Enterprise Information Management: Implementation Strategies by Graham Riley

The Way It Should Work…

Legal & Compliance

Records Management

Information Technology

Legal Expertise

Process Expertise

Technology Expertise

Page 14: Enterprise Information Management: Implementation Strategies by Graham Riley

Objections and Obstacles

If it’s so important, why isn’t everyone doing it?

* Don’t understand the value proposition

* Don’t know where to start

  – need clarity around HOW we do it?

* Varying degrees or lack of organizational alignment

* Organizational “attitude” that compliance is optional

* Cannot get a straight answer specific for your needs

Page 15: Enterprise Information Management: Implementation Strategies by Graham Riley

Common Vision

Improve the profitability of the company by providing the Enterprise (location, division or department) with the ability to securely manage ALL information, regardless of the format or location, in a cost-effective & compliant manner.

Page 16: Enterprise Information Management: Implementation Strategies by Graham Riley

Every Department Has a Stake

Records Manager

Global Records Manager

Director of Compliance

General Counsel

Director of IT

CIO

Business Partner

Departments

Page 17: Enterprise Information Management: Implementation Strategies by Graham Riley

Departmental Priorities

Boom Economy

* Increase functionality & features

* Increase capacity

* New equipment & systems

* Strategic focus

* Investment

* Price

Depressed Economy

* Price

* Operational focus

* Optimize existing systems

* Increase efficiency

* Operate cheaper

* Consolidate

Page 18: Enterprise Information Management: Implementation Strategies by Graham Riley

Program-Centric Approach Yields the Best Results

[Diagram labels: Compliance Steering Committee; Compliance Strategy; Compliance Program; Process; Project A; Project B; Project C; Project D]

Best Practice

* Defined strategy

* Consistent and empowered steering committee

* Defined repeatable process

* Projects remain but are a part of a program

* Regular maintenance across entire program

Page 19: Enterprise Information Management: Implementation Strategies by Graham Riley

Building On The Foundation

[Diagram labels: Storage; Capacity; Security; Cost; Compliance; Retention; Litigation; Privacy; Storage Control; Disposal; Service; Search; Retrieve; Accurate; Responsive; Reliable; CRIMP]

Page 20: Enterprise Information Management: Implementation Strategies by Graham Riley

What Is a Good Process?

1. ORGANIZE: Determine Scope

2. ASSESS: Examine & ID Risk

3. DEVELOP: Create Records Classification Scheme

4. IMPLEMENT: Implement Base Program

5. MANAGE: Train & Communicate

6. AUDIT: Review & ID Deficiencies

Page 21: Enterprise Information Management: Implementation Strategies by Graham Riley

ORGANIZE

Have you created and empowered a records management steering committee?

“Only 28% of US Companies surveyed have a Steering Committee.”

Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008.

* Establish ownership

  - Executive sponsor

  - Dedicated CRIMP team

  - Steering committee

* Roles & responsibilities

  - Governance level

  - Implementation level

  - Administration level

* Determine program scope

* Terminology

Page 22: Enterprise Information Management: Implementation Strategies by Graham Riley

ASSESS

Have you identified and classified all records?

“with 65% of the sample rating their retrieval process as ‘quick,’ it appears that strategic investments in indexing and tracking systems are providing good performance for organizations.”

Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008

* Conduct a thorough records inventory.

* Evaluate your existing program; its strengths, limitations and capabilities.

* Determine the potential areas of risk and/or exposure to compliance regulations.

* Analyze your legal retention and access requirements.

* Build an overall master plan based on your assessments and all applicable compliance regulations.


Page 23: Enterprise Information Management: Implementation Strategies by Graham Riley

DEVELOP

* Legally credible, enterprise-wide (media-agnostic) retention schedule.

* Standardized enterprise policies (like vital records, legal hold, privacy, etc.)

* Keep in mind opportunities to measure via systemic embedded metrics – what do you want to measure in order to prove compliance and adoption.

Have you developed policies and procedures that address all physical and electronic records? Are your employees using them?

“Only 36% of companies have developed comprehensive programs that include training and employee acknowledgement. An additional 46% have some policies but struggle with implementing a program to standardize the use of the policies.”

Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008 and recent Iron Mountain survey data

Page 24: Enterprise Information Management: Implementation Strategies by Graham Riley

IMPLEMENT

Have you implemented an enterprise-wide records retention schedule?

“While 55% of organizations have implemented a retention schedule, over 70% of them report they have not updated it in over two years and only 30% of these retention schedules cover all media.”

Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008.

Deploy I.T. systems.

Apply the retention schedule.

Assign standardized classification codes keyed to retention periods.

Routinely move records to secure offsite records storage.

Regularly review records to be destroyed. Destroy records whose retention period has expired.

Mark records related to pending or current legal matters as “held” to prevent destruction.


Page 25: Enterprise Information Management: Implementation Strategies by Graham Riley

MANAGE

Are you providing the proper training for your program?

“Our 2008/09 responses show a 22% increase in the implementation of regularly scheduled records management training, though 57% of respondents are still doing nothing or simply offering informal occasional training.” 

Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008.

Manage the security, access and integrity of the data within the program.

Training is an event – education a process.

Enforce proper classification and disposal via reports, scheduled reviews, and other safeguards.

Maintain training and communication programs.

Ensure appropriate business unit oversight.

Page 26: Enterprise Information Management: Implementation Strategies by Graham Riley

AUDIT

Are audit compliance procedures established and followed?

“Only 21% of respondents have a formal method to regularly audit the effectiveness of their records program implementation.” 

Source: Iron Mountain Compliance Benchmark Report: Best Practices for Records Management, 2008.

Formally review the program frequently and identify deficiencies.

Ensure that all records, including e-mail, are being properly indexed and managed.

Pay special attention to disposal practices. Ensure that records in all forms related to pending or current legal matters are being “held” in order to prevent their destruction until the legal matter has been closed.

Confirm that records whose retention period has expired and that are not on “hold” are routinely destroyed.


Page 27: Enterprise Information Management: Implementation Strategies by Graham Riley

Next Steps

Changing Regulatory Environment

• Rule 26 of Civil Procedure

• Sarbanes-Oxley

• Gramm-Leach-Bliley

• SEC Rule 17

• MA Privacy Law

• Patriot Act

• HIPAA

• FACTA

Convergence of Physical & Digital Records

Exponential Information Growth

Records & Information Management Professionals


Page 28: Enterprise Information Management: Implementation Strategies by Graham Riley

Your Response

I am improving the profitability of the company by providing the Enterprise (location, division or department) with the ability to securely manage ALL information, regardless of the format or location, in a cost-effective & compliant manner.

Page 29: Enterprise Information Management: Implementation Strategies by Graham Riley

Enterprise Information Management: Implementation Strategies

Graham Riley

Manager of Account Services, Iron Mountain

[email protected]

Please Complete Your Session Evaluation

Education Code: FR02-2209