Wednesday, April 22, 2009

The Purpose of Policies and Procedures (Key #1: Good Policies and Procedures) - Highlights of chapter 7 of the second edition of Information Nation

The first of the Seven Keys to Information Management Compliance is good policies and procedures. Organizations must develop and implement policies and procedures designed to ensure that their Information Management Compliance responsibilities are addressed and their obligations are met.

Policies and procedures have a critical role in an Information Management Compliance program. They provide clear guidance to employees as to what their IMC obligations are, which can be a significant challenge in large organizations. They shape the corporate culture and provide consistent guidelines for employee behavior that outlast the tenure of any particular manager or executive.

Good policies and procedures also make a statement to the world that the organization is committed to addressing Information Management issues. If an organization can demonstrate to an investigator, regulator, court or even the media that they had a policy in place and trained employees to follow the policy, then isolated failures are much more likely to be seen as individual accidents rather than organizational failures.

Compliant Information Management policies and procedures can also help organizations avoid liability for their employees’ actions. The second edition of Information Nation, available from John W. Wiley & Sons, contains several scenarios in which good policies and procedures can mitigate employees’ bad actions. For more information, see

Comments? Contact the author at

Tuesday, April 14, 2009

Sarbanes-Oxley and IMC: Highlights of chapter 6 of the second edition of Information Nation

The Sarbanes-Oxley Act of 2002 is a sweeping, complex piece of legislation with an enormous impact upon IMC. It goes to the heart of IMC by affecting the way that organizations must manage and control information. Sarbanes-Oxley is designed to improve the accountability and transparency of public companies. In turn, accountability and transparency depend upon trustworthy business records, because trustworthy business records are the bedrock of accounting and financial reporting systems. As a result, compliance with Sarbanes-Oxley relies upon a foundation of Information Management practices designed to ensure the accuracy and trustworthiness of business records. In other words, it relies upon Information Management Compliance.

Section 802 of Sarbanes-Oxley is one of its more disconcerting sections, as it imposes dramatic criminal penalties for the improper destruction or alteration of business records. Proper disposal of business records is as integral a part of Information Management as retention. However, organizations also have an obligation to suspend normal disposition practices in the face of anticipated or ongoing audits, investigations, litigation or other proceedings—including matters contemplated by Section 802.

The second edition of Information Nation, available from John W. Wiley & Sons, describes how organizations can put into place a mechanism to ensure that their employees properly preserve information when faced with proceedings of these kinds. For more information, see


Friday, April 3, 2009

Notification Laws: a response to data breaches

As data breaches have become more prevalent over the last few years, states have required organizations experiencing data breaches involving consumers’ personally identifiable information (PII) to notify their customers. Since California’s data breach disclosure law (SB1386) became effective in 2003, a total of 47 states and provinces have passed laws that require consumer notification of a data breach involving PII. Currently, only Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota do not have a data breach notification law. A listing of state data breach laws is here.

Organizations need to be aware of the data breach requirements of the states where they conduct business and where their consumers reside. Notification and communication requirements can differ from state to state. Therefore, it is important not only to know these state requirements, but also to audit your applications to prevent data loss in the first place.