RIM Standards, Best Practices, Training and Litigation – How Soon Will This Become a Key Issue?

The title of this posting is a question that I’ve posed to some of those who conduct “mock trial” events for ARMA International, and for some of the better known ECM vendors.  My question arose again during some recent conversation with an Attorney General’s office in one of our larger states here in the U.S.  My belief is that best practices and standards are very soon to be made the subject of litigation, especially where States may be brining action for the violation of some of the more recent privacy protection legislation that has been enacted during the past four or five years.


The Attorney General’s office in question contacted me…and I imagine a few others to ask about Records Management practices in a particular vertical industry.  Among other things, they were interested in learning:

  • What are or what should be the requirements for a Corporate Records and Information Manager
  • What education and training such an individual should have, what kind of staffing levels should exist, based on the characteristics of this industry
  • What training would be or should be provided to company employees, and
  • What standards and best practices exist as it pertains to protecting “individual identifying information

The apparent reasons for the questions raised, were that the firm in question appeared to have a Corporate Records Manager, but one that did not happen to be a Certified Records Manager (CRM).  The organization also had specific policies in place that all employees were to follow.  However, it appears that in one particular instance, in the State in question, an employee of the firm disregarded those policies and failed to adequately protect that personal identifying information.  Since the State had a statute in place designed to discourage such failures, and an Attorney General who took privacy protection seriously, legal action was taken against that firm.


While I do not know the specifics of the case, or the specifics of the alleged violation of statute, the message that I got from the discussion was as quite telling.  That message is: that merely having a “Records Manager” is not apt to be enough to “inoculate” a firm against potential litigation, that a firm involved in such litigation is likely to have a serious probe of its Records Management program and policies become part of that litigation, that the qualifications of the Records Manager, the training of that Manager, and the support for that Manager will be considered to be fair game.  Additionally, those involved in litigation will compare quite closely the practices that firms undertake, given existing standards today.  It also demonstrated the potential damage and the potential issues that can arise, since so many employees actually handle such information today.


Is this a singular case that will not recur?  My opinion is that it will not.  States that take new Statutes regarding privacy seriously can be counted on to pursue those who disregard those statutes.  Firms that pay lip service to Records Management, without taking such efforts seriously will be challenged and may pay high price for failing to mitigate the risks involved with mishandling information that contains personal identifying information of employees and customers.

You can leave a response, or trackback from your own site.

2 Responses to “RIM Standards, Best Practices, Training and Litigation – How Soon Will This Become a Key Issue?”

  1. Patrick says:

    I guess I see this slightly differently. while privacy is an issue for organizations, I’m not sure that it is necessarily the responsibility of the records manager.

    I agree with your premise in terms of litigation issues relative to spoliation or inability to produce evidence at trial.

    In my organization, I’ve become part of the Information Security function, but I don’t carry responsibility for privacy. I do have litigation support responsibilities as well as the core records responsibilities.

    Now if someone got hold of records that they shouldn’t have that were ostensibly under my control, that might be an issue. But if someone snags information from some other source, it is a lesson learned for me, but arguably not my accountability.

    some may suggest that I am passing the buck, but in my organization, we’re able to staff a variety of infosec positions which have focus on those other areas. I support them and do my part, but I would be shocked to find that I am accountable for privacy breaches.

    In an overall information security program, there is certainly room to capture both security classification and records classification. Those classifications can be related directly — and certainly captured and acted upon at the same time.

  2. Doug Allen, CRM, CDIA+ says:

    Patrick, thanks for the comment! I would agree that Records Managers are not necessarily responsible for privacy protection. When it comes to proper disposition practices, however, I would suggest that Records Managers are involved. In the particular case that I mentioned, the firm involved brought their Records Manager out in an apparent attempt to innoculate themselves from litigation.

    They key for me in my discussions was that it was clear that probing the issues of standards, the qualifiations, education and training of the Records Manager, and the RIM Program’s training program for employees were all subject to a high degree of scrutiny.

Leave a Reply

Subscribe to RSS Feed Follow me on Twitter!
FireStats icon Powered by FireStats