The title of this posting is a question that I’ve posed to some of those who conduct “mock trial” events for ARMA International, and for some of the better known ECM vendors. My question arose again during some recent conversation with an Attorney General’s office in one of our larger states here in the
The Attorney General’s office in question contacted me, and I imagine a few others, to ask about Records Management practices in a particular vertical industry. Among other things, they were interested in learning:
- What are or what should be the requirements for a Corporate Records and Information Manager
- What education and training such an individual should have, what kind of staffing levels should exist, based on the characteristics of this industry
- What training would be or should be provided to company employees, and
- What standards and best practices exist as they pertain to protecting “individual identifying information”
The apparent reasons for the questions raised were that the firm in question appeared to have a Corporate Records Manager, but one that did not happen to be a Certified Records Manager (CRM). The organization also had specific policies in place that all employees were to follow. However, it appears that in one particular instance, in the State in question, an employee of the firm disregarded those policies and failed to adequately protect that personal identifying information. Since the State had a statute in place designed to discourage such failures, and an Attorney General who took privacy protection seriously, legal action was taken against that firm.
While I do not know the specifics of the case, or the specifics of the alleged violation of statute, the message that I got from the discussion was quite telling. That message is that merely having a “Records Manager” is not apt to be enough to “inoculate” a firm against potential litigation; that a firm involved in such litigation is likely to have a serious probe of its Records Management program and policies become part of that litigation; and that the qualifications of the Records Manager, the training of that Manager, and the support for that Manager will be considered to be fair game. Additionally, those involved in litigation will compare quite closely the practices that firms undertake, given existing standards today. It also demonstrated the potential damage and the potential issues that can arise, since so many employees actually handle such information today.
Is this a singular case that will not recur? My opinion is that it will not. States that take new statutes regarding privacy seriously can be counted on to pursue those who disregard those statutes. Firms that pay lip service to Records Management, without taking such efforts seriously, will be challenged and may pay a high price for failing to mitigate the risks involved with mishandling information that contains personal identifying information of employees and customers.