This article appears in the Winter 2018 digital issue of DOCUMENT Strategy. Subscribe.

Image by: SIphotography, ©2018 Getty Images

Security breaches, privacy violations, and lawsuits are in the news every day. Today, it is a matter of when, not if, it will happen. When hackers breach your security, what will they do with your internal emails and electronic documents? Hold them hostage for ransom, leak them into the public domain, or delete them?

Alternatively, what about lawsuits? Organizations need to appropriately dispose of, retain, and manage their electronic records and information, which could be stored in shared network drives, emails, and data systems. If they don't, there could be significant court and civil penalties, sanctions, adverse judgments, and punitive damages on the horizon.

So, what can organizations do to better understand and minimize the risks associated with electronic records?

1. Conduct an Inventory

Today, automated tools can help organizations search, inventory, assess, and categorize their electronic records. For example, auto-classification software provides powerful search engines that can scan and crawl through electronic records stored within many different repositories of an enterprise, such as email, file shares, enterprise content management (ECM) systems, cloud storage, collaborative sites, backup tapes, hard drives, portable devices, offline storage media, mobile devices, social media, data warehouses, and data repositories. These tools can provide a real-time dashboard to visualize, analyze, and classify an organization's inventory of electronic records for risk assessment.

2. Assess Risk

Use the information gathered from your electronic records inventory to identify records that contain sensitive content, such as personally identifiable information (PII), including social security numbers, protected health information (PHI), confidential, or other sensitive data, that will pose a risk if security is compromised.

3. Inventory All Electronic Records Systems

Beyond building an inventory of your electronic records, it is also necessary to identify the number and type of electronic record systems in use. Begin by assessing the level of security/encryption provided and other functional capabilities, such as indexing, tagging, version control, permissions, search, retention, and disposition. Determine if these systems prevent electronic records from being intentionally or accidentally deleted, or kept longer than required, as compared to your organization's retention schedule.

4. Manage and Protect Records with the Highest Risk

For example, move high-risk records stored in email or shared network drives to an ECM system to improve search, security, and appropriate management of retention/disposition. Make sure that your organization's retention/disposition schedules are up to date and reflect current regulatory, industry, and organizational requirements.

5. Eliminate Electronic Records That Don't Need to Be Retained

Identify redundant, obsolete, and trivial (ROT) electronic records. You should develop a strategy to delete redundant documents (i.e., exact duplicates), obsolete documents (that can be deleted in accordance with an organization's retention/disposition policies and schedules), and trivial documents (transitory or temporary information).

6. Reach Out to Industry Experts

These resources can help with the development of a strategic electronic records plan; evaluations of auto-classification software tools; assembling and understanding electronic records inventory findings; updating records management (or information governance) policies, procedures, and schedules; evaluating electronic records management, email, and ECM systems in use; assessing new technologies available in the marketplace; and eliminating ROT.

Cindy Zuvich, CRM, is the Principal of Unigrated Global, an information governance consultancy and records management services company based in White Plains, New York. Contact Cindy at

George Dunn is President of CRE8 Independent Consultants, an information governance and technology planning company located in Seattle, Washington. Contact him at