WikiLeaks Disclosures … A Wakeup Call for Records Management

Earlier in my professional career, I used to hit the snooze button 4 or 5 times every morning when the alarm went off. I did this for years until I realized it was the root cause of being late to work and getting my wrists slapped far too often. It seems simple, but we all hit the snooze button even though we know the repercussions. Guess what … the repercussions are getting worse.

For years, the federal government has been hitting the snooze button on electronic records management. The GAO has been critical of the Federal Government’s ability to manage records and information saying there’s “little assurance that [federal] agencies are effectively managing records, including e-mail records, throughout their life cycle.” During the past few administrations, similar GAO reports and/or embarrassing public information mismanagement incidents have reminded us (and not in a good way) of the importance of good recordkeeping and document control. You may recall incidents over missing emails involving both the Bush and Clinton administrations. Now we have Wikileaks blabbing to the world with embarrassing disclosures of State Department and military documents. This is taking the impact of information mismanagement to a whole level of public embarrassment, exposure and risk. Although it should not be surprising to anyone that this is happening considering the previous incidents and GAO warnings it has still caused quite a stir and had a measurable impact. Corporations should see this as a cautionary tale and a sign of things to come … so start preparing now.

Start by asking yourself, what would happen if your sensitive business records were made publicly available and the entire world was talking, blogging and tweeting about it. For most organizations, this is a very scary thought. Fortunately, there are solutions and best practices available today to protect enterprises from these scenarios.

Implement Electronic Records Management: Update your document control policies to include the handling of sensitive information including official records. Do you even have an Information Lifecycle Governance strategy today? Start by getting the key stakeholders from Legal, Records and IT involved, at a minimum, and ensure you have top down executive support. Implement an electronic records program and system based on an ECM repository you can trust (see my two earlier blogs on trusting repositories). This will put the proper controls, security and policy enforcement in place to govern information over it’s lifespan including defensible disposition. Getting rid of things when you are supposed to dramatically reduces the risk of improper disclosure. Although implementing a records management system has many benefits, including reducing eDiscovery costs and risks, it is also the cornerstone of preventing information from falling into the wrong hands. Standards (DoD 5015.02-STD, ISO 15489), best practices (ARMA GARP) and communities (CGOC) exist to guide and accelerate the process. Records management can be complimented by Information Rights Management and/or Digital Loss Prevention (DLP) technology for enhanced security and control options.

Leverage Content Analytics: Use content analytics to understand employee sentiment and as well as detect any patterns of behavior that could lead to intentional disclosure of information. These technologies leverage text and content analytics to identify disgruntled employees before an incident occurs enabling proactive investigation and management of potentially troublesome situations. They can also serve as background for any investigation that may happen in the event of an incident. Enterprises should proactively monitor for these risks and situations … as an ounce of prevention is worth a pound of cure. Content analytics can also be extended with predictive analytics to evaluate the probably of an incident and the associated exposure.

Leverage Advanced Case Management: Investigating and remediating any risk or fraud scenario requires advanced case management. These case centric investigations are almost always ad-hoc processes with unpredictable twists and turns. You need the ad-hoc and collaborative nature of advanced case management to serve as a process backbone as the case proceeds and ultimately concludes. Having built-in audit trails, records management and governance ensures transparency into the process and minimizes the chance of any hanky-panky. Enterprises should consider advanced case management solutions that integrate with ECM repositories and records management for any content-centric investigation.

This adds up to one simple call to action … stop hitting the snooze button and take action. Any enterprise could be a target and ultimately a victim. The stakes are higher then ever before. Leverage solutions like records management, content analytics and advanced case management to improve your organizations ability to secure, control and retain documents while monitoring and remediating for potential risky disclosure situations.

Leave me your thoughts and ideas. I’ll read and respond later … after I am done hitting the snooze button a few times (kidding of course).

9 thoughts on “WikiLeaks Disclosures … A Wakeup Call for Records Management

  1. Thanks for a most interesting post. By way of introduction, I am a federal historian and a former archivist with the National Archives and Records Administration (NARA). I spent much of my career at NARA screening Richard Nixon’s White House tapes to see what required withholding for national security, privacy, and other restrictions and what could be released to the public. I have looked at records creation from the perspective of a creator of statutorily controlled records; a screener for disclosure of archival records; and a user of records. Although I’m not a RM, I follow enough RM forums to be able to make my way through most of its jargon and to superficially understand its culture.

    You make your points well. I would add one additional one, which is perhaps more pertinent in the governmental world more so than the corporate, where risks sometimes are assessed differently. My advice to RMs? Maintain good ties with internal end users of records. Keep eye out for conditions that can affect the records on which they rely.

    A Cold War historian captured some such competing dynamics well, when he described how as a state official, he and his colleagues felt the chilling effect of disclosure laws. They stopped writing down much of what they once had freely exchanged amongst themselves in writing. Why? They believed in their policy goals and were determined to create nothing that would be used against them by opponents. When he later joined the Library of Congress, he saw the other side as a researcher and acquirer of records. He observed a few years ago that government record keeping has been affected by pre-emptive sanitization by records creators.. (Others have pointed to an increasing tendency to sacrifice candor for writing in “discoverable language.”) He concluded, “records not created are not available, ever, for research.”

    Cables are permanent records. The government depends on the distribution to policy makers of reliable, candid, comprehensive, and not pre-emptively sanitized data. I often see RMs write in different forums much as you did when you said, “Getting rid of things when you are supposed to dramatically reduces the risk of improper disclosure.” But rarely do they speak of deliberative information which was exchanged orally and never was written down and preserved, for whatever amount of time, in the record keeping system. Although some NARA officials have expressed concern about the chilling effect on presidential record keeping, there are many areas where taking conversations off the record, such as in diplomatic reporting, simply isn’t an option.

    In entities with a high risk of litigation, lawyers often would be fine with oral deliberations and might even encourage it. In other organizations where records are used within a culture of learning and knowledge sharing, more may be created and retained. The federal world has elements of both high and low risk record keeping cultures which are nearly impossible to reconcile. Executive branch officials work with high stakes issues in an environment which mixes policy making with a political culture which sometimes relies on oppositional framing and other elements. As historian Russell Riley pointed out (“For History’s Sake, Nothing Like a Paper Trail”) investigations by Independent sometimes affect how creators view record keeping. The very difficult challenge then, much more so than for many corporate officials, is how to balance the competing dynamics.

  2. Thanks much for posting my comment and the nice tweet. Sorry about the error in the next to the last sentence, I meant to write Independent Counsels or Special Prosecutors.

  3. Craig,
    Nice post, interesting questions and issues abound!! Data Governance is critical. Records management is critical. Identity management is critical. Watermarking documents and tagging them for access management purposes seems logical.

    The scope, scale and diversity of the WikiLeaks content indicates that the checks and balances of a competent Data Governance practice have not been considered, or executed properly. Obviously an inside job. Even more revealing if it turns out not to be an inside job. All entities must consider breaches of any and all kinds. Many things have gone terribly wrong here. The magnitude of the consequences are not quantifiable.

    Proper Data Governance requires a combination of many things including many different technologies, operational excellence, process management excellence, and trust in people, to name a few.

    I agree with your advice. This is a loud wakeup call for all entities, public and private, with critical confidential data. Guard your data. Protect it with due care. Establish a Data Governance infrastructure, and implement an ECM program. Trust but verify.

  4. I wrote about Information Risks in the Wikileaks Era a few weeks back for IDC, echoing many of the comments above, but also calling again (and again and again) for information managers to get back to basic principles – records management principles codified by a whole industry and decades of records management research. The principles, rules, standards are all right in front of us – but we can’t seem to get consistent and defensible implementations. I say drop all the Data Governance this, and ECM that, and get back to tying management performance to the success or failure records management principles.

  5. Michael, Great point. I agree. It gets down to accountability. In the case of this set of incidents with LikeLeaks, it will be very difficult to pinpoint the group(s) and individual(s) that should be held accountable. I surmise that few of the current leaders were responsible for the security architectures that have been breached. Many, if not most have been in place for decades.

    My points are that Data Governance, ECM, ILM, Records Management, Identity Management etc… are the tools and processes that need to be used to execute data security structures and architectures as they relate to both Public, and Private entities.

    Back to Craig’s premise… This truly is a wakeup call for a review and refresh of the state of records management.

    1. Goods points all.

      The manner in which any technology is deployed and administrated will matter a great deal. If anyone has access, or the security is poor, of if auditing is turned off, or if the wrong rights are assigned … any or all of those things can make it easier to gain access to sensitive information if one is so inclined.

      These viral technologies that can be deployed wthout the support of IT are of even more concern as they tend to be very thin (or non-existent) on system and content governance. Having the right govenance model is clearly a critical success factor.

      Michael – Feel free to post a link to your content. I for one would like to read it.

  6. I am not so sure what lessons there are to learned from the wikileaks saga from a purely RM perspective. I am an ex-military communications specialist who works in ECM / KM. From all I have read the failure here is one of end point physical IT security. Private Bradley Manning used the permissions assigned to him within whatever email management / content management / records management system that was in use to download the “cables” (emails) to an unsercure end-point laptop, that is one with a CD burner. Apparently he should not have been able to do that, but he did. He did not ‘hack’ any systems as far as I am aware, and digital water marking probably would not have made any difference once he had downloaded the content. Some digital Information Rights Management technology that would have made the emails ‘self destruct’ if removed from the system probably would have saved all the embarrassment though. Therefore I will contradict myself, and say that there probably are some lessons to be learned for the corporate sector…. !

Leave a Reply

%d bloggers like this: