Teaching opportunity

As 2013 approached its final days, Target Corp., Minneapolis, reported that 40 million of its customers’ debit and credit card numbers had been stolen in what has been described as the biggest retail hack in U.S. history.

As 2015 commenced, Indianapolis-based Anthem, the country’s second-largest health insurer, acknowledged that nearly 80 million current and former customers’ personally identifiable information (PII) had been exposed in a massive data breach.

Both breaches have resulted in numerous lawsuits filed by affected customers. The hacks have huge potential fines associated with them, and public awareness regarding the importance of data protection is now higher than ever, says Dave Bergeson, executive director of PRISM International. Chicago-based trade association PRISM (Professional Records & Information Services Management) International represents commercial records and information management (RIM) companies across the globe.

Bergeson says, “Not only have the potential fines associated with these events become enormous, but the awareness among the general public has increased tremendously regarding the need to secure data and, in particular, records.”

As this year progresses, Bergeson says leveraging the degree to which RIM customers’ records are safe and secure will become increasingly important. “We will see more data breaches, and the public will react,” he predicts.

Chad Sorrell, owner of Archive Logistics, Piney Flats, Tennessee, says data breaches will “only continue to snowball.”

He adds, “Data breaches have become a crippling PR piece; this stuff is important.”

Rob Alston, CEO of Livermore, California-based Access (profiled beginning on page 16 of this issue), the largest privately held RIM services provider in the U.S., says customers are increasingly aware of the value of protecting not only their information but also that of their clients’.

“With all the data breach and hacking incidents in the headlines, coupled with increased regulations around protecting and maintaining documentation, I think that recognition and the need to take more decisive actions to protect customer data will continue to grow,” Alston says.

As breaches continue to illustrate the significance of protecting clients’ information, Alston and other industry leaders explain in the following pages the trends shaping the RIM industry and how owners and executives of commercial RIM services companies are responding.
 

1. Compliance counts. Sorrell says that for many commercial RIM firms compliance has become a “robust” department and a growing client concern as a result of threats to private information. The security threats, he says, are not going away.

Bellefonte, Pennsylvania-based Automated Records Centre President Mike Sullivan says the threat of a breach is his company’s single highest sensitivity and priority. The risk of losing control of a client’s information is the No. 1 reason the RIM services provider is applying for the National Association of Information Destruction (NAID) AAA Certification.

Phoenix-based NAID is a nonprofit trade association for the secure destruction industry. The certification program establishes standards for a secure destruction process, including such areas as operational security, employee hiring and screening, the destruction process, responsible disposal and insurance.

While Automated Records Centre considered the certification a marketing opportunity several years ago, today the company sees it as necessary to assure regulatory compliance as well as for establishing checks and balances for the business, Sullivan says.

“In terms of business five to 10 years ago, we sold cost savings, ease of access and tighter efficiency as it relates to a company’s records,” he describes. “Now, while we still offer and sell that, we’re really selling compliance. We have to put our customer hat on: How do we extend ourselves to them to ensure they’re compliant?”

Sullivan says this has created opportunity for his company. In some cases, companies that think they are compliant are nowhere near where they need to be.

He explains, “Everyone wants to be compliant as long as it is a fair investment. Our goal as the pendulum swings is to get it in the sweet spot: If we’ve educated our clients effectively, they’re going to see the value in paying a little more to get the timely, quality service with attention to compliance. Now that compliance is so critical to us, the lack of compliance might be the biggest threat to our organization.”

Blaine Rigler, senior vice president, global solutions, at Iron Mountain, Boston, says whereas records managers might have been part of a company’s administrative group in years past, today they work within the compliance division.

Iron Mountain is a global provider of solutions in records, data and document management. The company stores and protects billions of information assets, including business documents, backup tapes, electronic files and medical data.

“Now they’re part of the compliance organization because I think companies are really starting to understand the role that they play in protecting information,” Rigler states.

Chris Kelley, CEO of COR365 Information Solutions, a Winston-Salem, North Carolina, company that offers hard-copy records management, secure tape vaulting, document imaging services and shredding services, says his company had to up its game to compete. COR365 added a security and compliance officer to its staff to handle facility audits, system audits and various types of training, from employee to Health Insurance Portability and Accountability Act (HIPAA).

“It is something that has become an extra expense, but we also use it as a marketing tool,” Kelley says of the company’s newly created compliance position.
 

2. Limit Liability. Additional expenses emerge when customers expect the latest and the greatest, Kelley suggests. “Our customers are asking for more and more and are not necessarily wanting to pay more,” he says.

Kelley continues, “It’s not just more services, which they want, but the higher level of service, more digital-type services, higher levels of security, higher levels of insurance and liability coverage. I don’t think clients realize the slimness in the margins of what we do on a regular basis.”

Kelley says a challenge for the RIM industry going forward will be in determining who is responsible for what and limiting the liability of the service provider.

Kelley admits that COR365 is “spending a lot more money on legal fees these days because of fighting battles we didn’t used to have to fight when it comes to contract language.”

He adds, “When you look at what we have under our control, the challenge is educating the marketplace about what the laws really say about who is responsible and where those liabilities lie fairly.”

Access’ Alston agrees that this is the industry’s biggest challenge and urges strongly against signing anything with unlimited liability.

He explains how RIM service providers need to be able to defend their operations, processes and infrastructure. Managing risk and liability is critical, Alston says.

“We find that our clients are continually looking to push unreasonable amounts of liability on us,” he says. “In the industry we all need to understand why we cannot accept unlimited liability or even caps on the liability that are disproportionately high in comparison to the fees we are collecting for the services we are providing. Our clients need to have proper insurance in place and not expect us to provide that insurance,” Alston adds.
 

3. Digital and paper must coexist. Kelley’s company introduced a new service in January of this year. COR365’s digital enterprise content management (ECM) iCOR™ by M-Files™ service stores documents, MP3s and videos based on what they are, rather than where they are, creating a simpler, more intuitive system, according to the company.

The RIM industry continues to move in the direction of paper and digital files coexisting, Kelley says.

This is especially important, as more documents than ever before are originating as digital files, Bergeson says.

Kelley explains that the role of a commercial RIM services company is “helping people navigate the chaos that is paper to digital and how to marry the two effectively and efficiently with security and confidentiality in mind.”

Alston says this is the direction in which Access is heading. “We see longer-term opportunity in our digital offerings, like enterprise content management, Web hosting, security software and services and other products that would address other customer information management requirements, regardless of the form of the information,” Alston says.

Despite all of this digital talk, Kelley says his company still sees annual growth in the number of boxes it stores. He warns commercial RIM services companies not to overlook the value of a box on a rack.

Alston says he can attest that paper remains a “very important” part of the organizations Access serves.

Sullivan says Automated Records Centre still considers boxes to be its most valuable solution because of their profitability.

“There’s a significant amount of hard-copy business to be done in the marketplace. It’s still our primary focus,” Archived Logistics’ Sorrell says.

Each industry leader downplayed the idea of a paperless office, saying it has been threatened for decades, is subjective and based on location as well as market size.

While Rigler says “the paperless world will never happen,” he does recognize that Iron Mountain is “getting asked much more often how we can eliminate paper from the process.”
 

4. Certifications: Resources and not roadblocks. Another primary focus in recent years for RIM services providers has been earning industry certifications. Sorrell says certifications—like NAID’s AAA Certification, PRISM’s Privacy+ and the Statement on Standards for Attestation Engagements (SSAE No. 16) type I certification—are facilitating the standardization of best practices in security and compliance.

Third-party certifications are elevating the professionalism and seriousness of many industry players, Alston notes.

Bergeson says PRISM members are reporting more inquiries about Privacy+ from their clients.

“Security is important,” Bergeson says, “and its importance will grow. It is only natural that customers will be looking for some sort of measurable assurance that their documents and information will be safe, secure and accessible.”

This is why Sullivan says he sees certifications as resources, not roadblocks.
 

5. Buzz word: Information governance. Kelley says one of the principal “buzz words” in the RIM industry lately has been the term “information governance.”

He explains, “It’s something that is not geared toward storing a box or even building a workflow, it’s more of professional services to help develop records policies and procedures and best practices.”

Bergeson says information governance will continue to grow in importance.

Sullivan says he views information governance as both a challenge and opportunity for RIM services providers. “We need to continue to drive more conversations around information governance by bringing leaders together from different functional groups so there is clarity and alignment on how we receive information,” Sullivan says.

He adds that information governance, training and education are areas of focus for many clients of commercial RIM services firms, which translates to being focused on “data privacy, data security and cyber security.”

Data breaches have made companies and organizations more sensitive to the importance of safeguarding customer data. This creates an opportunity for RIM services firms to sell their expertise, regardless of whether the information in question is digital or hard copy.

The author is associate editor of Storage & Destruction Business and can be reached at mworkman@gie.net.