The Vital Role of Confidential Document Storage in Your Records Management Program
January 11, 2012
Do you have the right systems in place to protect sensitive records—especially if your industry has tough confidentiality regulations?
No business owner, whether a Main Street clothing store or big-city law firm, wants to have to call a client to say, “Your personal information has been stolen.”
And if you’re in a business that’s subject to federal, state or industry regulations, a breach can bring about investigations, fines, legal headaches and even criminal sanctions. Avoid these business-crippling events by collecting, managing, housing and protecting confidential data—paper-based or digital—with an industry-compliant information management program.
Become a Policy Wonk
The first thing to do is develop your information management policies. Though your company may already have confidentiality policies in place governing your records, the plan may be outdated.
The days of merely dumping manila folders bursting with documents into the garbage or tossing old cellphones, disk drives and broken USB devices into black trash bags and carting them out to the curb are long gone.
Your new set of policies should:
- Consider how rapid growth, doing business in new geographical locations or failing to address e-files may have curbed your plan’s effectiveness.
- Pay serious attention to increasingly prevalent real-time data-retention practices and security measures.
- Detail disposal methods for old files and unneeded information. For example, which paper files can you recycle, and which must you shred?
- Account for the disposal of old disk drives that may hold data, even if they’ve been wiped.
- Address data including tweets, Facebook posts and blog entries, including oft-overlooked communications stored on mobile devices. These are just as much of a record as your customer-service files or sales reports.
Get to Know the Law
The Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX) and the Fair and Accurate Credit Transaction Act (FACTA) are three federal regulations to which your business operations may be subject—even if you don’t think that’s the case. It’s critical to stay updated on both federal and state regulations.
On the federal level, the financial crisis has brought about the Dodd-Frank Act, a far-reaching piece of legislation that addresses issues of consumer protection and corporate governance. Also of great importance is the Federal Trade Commission’s recent Red Flags rule, which calls for enhanced identity theft prevention programs.
Most every state addresses the retaining and handling of sensitive data and how to deal with security breaches. (Only Alabama, New Mexico, Kentucky and South Dakota have no such legistlation on the books.) Notable legislation in this area includes the California Security Breach Information Act (SB-1386) of 2003, which was the first set of regulations to address data-disposal security. At least 45 additional states now enforce similar regulations. More recently, Massachusetts’ Data Privacy Law 201 CMR 17 stipulates rules on the proper handling of confidential paper records.
Man Your Plan
Though it might make sense to have an internal project manager supervise your plan, what happens if he or she gets seriously ill or just takes a weeklong trek to Machu Picchu, well out of cellphone range? Brace your organization for these possibilities by designating another employee who’s just as skilled and knowledgeable about your policy and confidential data practices to jump in as needed.
That is, if someone can spare the time. Remember, you won’t need to develop such contingencies if you team with an outside partner.
Another management option: Set up a team of accountable staffers who monitor the company’s compliance levels and assist employees who need advice about proper data management processes.
Become a Master Builder
Once policies are in place, it’s time to build and implement your overall information management plan. Iron Mountain recommends a six-step strategy: organize, assess, develop, implement, manage and audit.
Prioritize tasks, and then phase them in. For example, you may delve into current data storage requirements only to find that tapes should be supplemented with other technology to meet a certain regulatory rule. It’s easiest to do such things as you build a plan rather than after the system is built. It also helps in maintaining a project’s true cost accounting.
Done? Move Forward
The “work” never really ends when the topic is confidential data management. Ongoing tasks include:
- Testing controls and protections
- Conducting random checks to ensure that your office and its third-party partners are employing proper file disposal techniques
You also need to inventory records to account for new platforms. For example, consider the unauthorized workplace use of tablet devices. Since these may house confidential data, you’re better off not including them in your system development.
Keeping the Faith, Every Day
Review and update your data retention, storage and management efforts at least once and preferably twice a year. It’s also wise to run a few what-if scenarios to determine whether everything is working well.
By taking this ongoing management approach, you’ll know that your business can respond to and meet legal and regulatory demands when and if they crop up. And just as important, you can assure your customers and clients that their confidential information is in good hands.
Do you have more questions about your firm’s records management options? Read additional Knowledge Center stories on this subject, or contact Iron Mountain’s consulting services team. You’ll be connected with a knowledgeable product and services specialist who can address your information management challenges.
Most Businesses Require Holistic Approach to Records Management
How Records Management Could Protect Against Lawsuits
The Why and How of Creating an Entirely New Role in Your Organization to Master Records Management