This issue of RIM + IG Around the World is sponsored by TAB Canada. 

    RIM + IG Around the World: September 2017

    Sep 13, 2017
    Spilled Coffee Alibi (Mostly) Prevails in Celeb Spoliation Decision
    A U.S. District Court recently denied pop star Taylor Swift’s motion to draw an adverse inference judgement against plaintiff David Mueller, despite the court’s “dim view” of Mueller’s actions and alibi, according to a summation on ediscovery.com.

    Mueller, a Denver disc jockey, had filed a false accusation suit against the celebrity because she claimed he’d made inappropriate contact with her during a photo shoot.

    During discovery, Swift’s legal team learned Mueller had recorded calls with his superiors upon his termination. Mueller provided his attorneys with edited versions, claiming the originals were pared to delete irrelevant content. Further, he said the original recordings were not available because coffee spilled on a laptop. 

    The court denied Swift’s motion for an adverse inference ruling, saying there was not sufficient proof the evidence was lost in bad faith. The judge did say the court took a dim view of Mueller’s actions and permitted Swift’s team to cross-examine him about the spoliation in front of the jury.

    Rapid Recovery to Breach Has its Downsides
    Because it had a solid back-up policy, a Kansas facility quickly bounced back from a ransomware attack in June. But the response was so rapid that evidence of the attack was lost, making it difficult to assess the damage and discern what data was actually compromised.

    At Salina Family Healthcare, data backups are performed nightly, servers are backed up weekly, and a system backup is done monthly. All content is encrypted and stored off-site. 

    “We were so intent on getting back online, we didn’t think about preserving evidence,” Rob Freelove, CEO, told Information-Management.com. Evidence was lost because the servers were scrubbed and rebuilt from the back-up tapes. The center could not dismiss the possibility that data had been compromised and therefore had to send notification letters to some 70,000 patients and offer a year of credit monitoring and identity protection services. 

    Many Enterprises Struggle with Payment Card Security Standards
    A Verizon report suggests that while enterprises are more likely to comply with the Payment Card Industry (PCI) standards, too many struggle to comply with the security controls.

    The Verizon 2017 Payment Security Report says that 55% of organizations complied with PCI when validated last year, a six percent boost from 2015. That means that roughly 45% of organizations continue to fall short of PCI expectations, opening the door to breaches. PCI requirements are focused on such measures as firewalls, data-in-transit controls, encryption, and authentication. The report says that of the companies that pass validation, about half of them fail to maintain that compliance for a full year.


    Employer May Have Violated Stored Communications Act by Accessing Personal E-mail
    A former marketing rep for Impact had brought a suit against the company for violating the Stored Communications Act (SCA) when it accessed personal e-mails on her mobile phone. The employee, Melissa Edwards, had bought a personal mobile phone through the company and paid for it with payroll deductions. After resigning, she turned in the phone, as demanded, but beforehand she deleted all e-mail messages that were stored on it. Impact later used the phone to access Edwards’ personal e-mail accounts that remained on the servers of those e-mail providers. Impact also reportedly deleted evidence that it had forwarded those e-mails to its legal counsel.

    In Levin v. ImpactOffice LLC, a federal court in Maryland ruled the employee’s claim regarding the violation of the SCA could proceed. As stated in the National Law Review article, “this case offers an important reminder to employers to think twice before accessing an employee’s personal e-mail account – even if it’s through a company-owned device.”

    Xerox Files Patent for Records System Based on Blockchain Technology
    Information recently released by the U.S. Patent and Trademark Office shows that in February 2016 Xerox filed two patent applications for a method that uses Blockchain technology to securely revise electronic documents. 

    The released information also showed that the concepts filed by Xerox propose a network of nodes that can create and update documentary records. All the nodes in the network can share their data using Blockchain technology.

    The patent office has seen an increase of more than 50% in Blockchain-related patent applications this year. Many applications come from large technology companies, suggesting that major corporations may be making long-term bets on the technology that powers Bitcoin.

    NARA to Stop Accepting Non-Electronic Records Submissions by 2023
    The National Archives and Records Administration (NARA) has said it will stop accepting non-electronic records submissions from agencies by the end of 2022. In a step to assure a fully electronic archive, NARA released a draft of a strategic plan for public comment that said it will “no longer accept transfers of permanent or temporary records in analog formats and will accept records only in electronic format and with appropriate metadata.”

    A longtime federal records management expert, now with IBM, said the goals are “aggressive.” According to Don Lueders, “the government must understand that agencies will not be able to meet that deadline using the same records management methodologies they've deployed for the last few decades ... agencies will have to begin to fully invest in more innovative technologies, such as cognitive systems, content analytics and big data solutions, if they hope to meet that deadline.”

    Equifax Incident Marks Yet Another Substantial Breach of Personal Information
    As widely reported last week, the credit reporting agency Equifax experienced a massive data breach that may have compromised the Social Security numbers, birth dates, credit card numbers, and other personal information of some 143 million Americans. The breach apparently took place in the May to July time frame and was discovered on July 29. The agency did not inform the public until September 7. Equifax said the criminals exploited a U.S. website application vulnerability to gain access to certain files. 

    Equifax is suggesting its customers sign up for credit file monitoring and identity theft protection. It is giving free service for one year through its TrustedID Premier business, regardless of whether you’ve been impacted by the hack. To enroll or to check whether you were affected, visit www.equifaxsecurity2017.com and click the Check Potential Impact tab.


    European Court Says Employers Must Tell Staff of E-mail Snooping
    On September 5, the European Court of Human Rights (ECHR) ruled that employers must tell their staff if they are spying on their work e-mails and communications. As reported by Yahoo Finance, the final decision favored the case of a Romanian engineer who was fired 10 years ago after being presented with printouts of chats with his family. Judges found the company had violated the man’s right to privacy by not having told him in advance of the monitoring.

    The ECHR cannot establish laws, but its decision could impact how and when monitoring is acceptable. The judges even issued criteria that suggest probing the "degree of intrusion" into a worker's privacy on a case-by-case basis. 

    Survey Suggests 68% of Info-Sec Chiefs Have Low Confidence in Digital Defense
    An IDG Connect survey, conducted on behalf of RiskIQ, finds that most information security executives have little or no faith in being able to manage digital threats. A survey of 465 IT information security decision makers in the United States and United Kingdom shows that 68% of organizations have zero to modest confidence in managing digital threats, and 70% have zero to modest confidence in reducing their digital attack surface.

    The survey also found that an average of 40% of organizations experienced five or more significant security incidents in the past 12 months. Among the most cited external threats: malware, ransomware, phishing, domain and brand abuse, online scams, rogue mobile apps, and social impersonation.

    23 Million E-mails Containing Locky Ransomware Were Sent in Late August
    ZDNet.com reports that a recent e-mail siege has marked the resurgence of the Locky strain of ransomware. More than 23 million messages containing the strain were sent on August 28, with the attacks spiking in time to hit many workers as they arrived at work on a Monday morning. The subject lines often said such things as “please print,” “documents,” and “scans.” The malware payload was concealed in a Zip file holding a Visual Basic Script (VBS) file.

    Victims were then presented with a ransom note demanding 0.5 bitcoin ($2,300/£1800) in order to pay for a decryptor to get their files back. ZDNet notes that if only a handful of the millions of messages are successful, the attackers stand to net significant revenues.

    Victoria Appoints its First Information Commissioner
    The Australian state of Victoria appointed Sven Bluemmel as its first information commissioner. Bluemmel will oversee the state's data protection laws, freedom of information regime, and the privacy of its departments and agencies. Special Minister of State Gavin Jennings said in a statement that the information commissioner would provide advice and improve how Victoria manages its data.

    Said Bluemmel: "The creation of the new commissioner is an excellent opportunity to bring together freedom of information, privacy, and data protection under a single regulator and I am looking forward to leading the new office."

    GDPR Maze, Fines Could Put Big Data in Big Peril
    In an opinion piece, a co-chair of the Europe, Middle East & Africa Strategic Advisory Council speculates that the complicated laws and the harsh fines associated with the General Data Protection Regulation (GDPR) could lead companies to delete far more of their data than is necessary, thus shrinking the data pool that is essential to driving the digital economy. Yves LeRoux writes that “billions of pounds’ worth of valuable information could be lost forever before its economic benefits have been fully realised” and “companies could become reluctant to share their consumer information with third parties for analysis, inhibiting their ability to extract value from data.”

    According to LeRoux, at least one company, the British pub franchise Wetherspoon’s, will stop promoting itself through e-mail campaigns due to the GDPR’s strict data compliance laws and penalties. The company will begin to advertise its offers on its website instead, a dramatic change for a company that has long relied on e-mail blasts.

    'Forgotten' Online – But Not in the British Library
    For decades and decades, if you wanted to learn more about a person, you had to pore through archives and public records. Of course, the Internet and search engines changed all of that. But now a proposed U.K. law may compel researchers back to the bookshelves, or at least to the British Library’s website. 

    While the British government plans to make it easier for people to delete embarrassing or erroneous information about themselves online, new privacy rules will exempt Internet archives maintained by the British Library. 

    In August, U.K. Digital Minister Matt Hancock said new privacy legislation would expand “the right to be forgotten” beyond search engine results to any personal data held by a third party. The law would bring the United Kingdom in line with the European Union’s existing General Data Protection Regulation, which takes effect in May. 


    “I have participated in customer meetings where the CIO was in the midst of outlining the company’s GDPR data strategy and the CFO actually took over the meeting because the cost benefits that are associated with retiring ROT data, migrating to the cloud and mitigating risk to noncompliance are seen as major cost savings for an organization.”
                David Jones, executive with HPE, in “Why the Convergence of Two Trends Will
                Alter the Way Businesses Manage Data,” an article on

    “If digital records cannot be readily prepared for transfer as public archives, this casts doubt on the effectiveness of their management prior to that point, when these records were needed to support current government business.”
                New Zealand’s Chief Archivist Marilyn Little, in “Standards Push from Archives
                NZ,” an article on

    “In short, after relying on the company for years, in a blink of an eye everything they had created was gone. As more and more companies turn to similar cloud platforms to interact with their customers, those customers should keep in mind that at any moment everything they’ve invested in that platform could disappear before their very eyes.”
                Kalev Leetaru, in “When the Cloud Deletes Our Data: Who ‘Owns’ What We
                Upload?” – an article on

    “We’re a civilization in motion in terms of information, managing massive amounts of information that didn’t use to exist. We’ve changed the way government communicates to the extent the old ways are becoming obsolete about once a decade.”
                Montana Secretary of State Corey Stapleton, in “Montana moves toward better
                email preservation as leaders debate how much public should see,” an
                article on

    “To avoid that fate – and having a law nicknamed after their company – organizations should implement a privacy-by-design philosophy. To be effective, that philosophy has to be applied organization-wide because so many departments have access to customer data. So it’s no surprise that Gartner predicts that by next year, half of business ethics violations will occur due to improper use of big data.”
                Gry Hasselbalch and Pernille Tranberg, co-founders of DataEthics.eu, in “Why
                organizations need a data ethics strategy – and how to create one,” their
                opinion piece on

    “Whether you belong to a watchdog group, serve clients interacting with government entities, or work within a government agency, this [metadata] is critical data. It serves as a digital fingerprint, which combined with other information, verifies circumstances or exposes discrepancies. Think about law enforcement body cameras: Personal narratives are far less credible than an actual video record. Yet, that data is not “hidden” like it is in written or digital documents.”
                Anthony Edwards, in his opinion piece titled "Colorado Open Records Act Goes
                'Native'," on

    © 2017, ARMA International