7 Principles to Consider

At least 2.5 quintillion bytes of data are produced daily, from emails to documents and everything in between. As information used for daily business is converted into digital files at a rapid pace, organizations across industries have been driven to create policies that guide how information is managed. These frameworks help to effectively support record-keeping, answer compliance needs and ensure data availability for e-discovery in today’s digital world. Information governance is one such accepted discipline, ensuring a reasonable level of security for records and information that requires protection. Following these guidelines has become even more critical in today’s mobile age, where employees rely on texting for quick, easy business communication and collaboration – creating another form of business data.

Many business executives are overwhelmed by the management of mobile devices and the information they create. That does not have to be the case. In order to have effective information governance for mobile messaging, businesses need to first reference an accountability framework to define what elements of information management are most important to them. They can then develop relevant objectives and determine what tools fit their specific needs.

The Accountability Framework – Going Beyond What to Keep

Good information management may look different for a bank, hospital or law firm, but the questions and principles that guide their information governance program are the same. There are various frameworks available today, but the ARMA International Generally Accepted Recordkeeping Principles(the Principles) is the “standard” that businesses follow. There are eight principles in total: accountability, integrity, transparency, protection, compliance, availability, retention and disposition.

Accountability, and more specifically accountable executives, is necessary to the success of any endeavor. This applies for all information – not just mobile messaging. But organizations need to evaluate the other seven principles when looking to put information governance in place for mobile messaging and when selecting tools to support their initiative. Keep in mind that many of these principles go hand-in-hand.

1. Integrity: “An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability.”

The organization must consider how they can ensure the authenticity and integrity of data transmitted via mobile messaging. How can they guarantee where the information came from and who the parties involved are?

2. Transparency: “An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate interested parties.”

To operate in a transparent manner, businesses need to capture a record of all relevant data and provide a single source of truth for discovery, Freedom of Information Act (FOIA) requests and other searches. An organization must look at how it can capture a record of all communications, including text, with the right metadata.

3. Protection: “An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, essential to business continuity or that otherwise require protection.”

Businesses must determine how to accommodate what has become an accepted method of communication (texting), while maintaining protection of the information. Protection of information is often the number one priority for businesses’ information governance programs.

4. Compliance: “An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as with the organization’s policies.”

Organizations should know the breadth of regulations and laws impacting their business. For instance, HIPAA regulations require that health care organizations capture the right information for completeness of the patient record and store it in a secure repository. Knowing this, a hospital’s mobile messaging solution needs to be HIPAA compliant and enable all relevant text messages to be saved to a secure repository.

5. Availability: “An organization shall maintain records and information in a manner that ensures timely, efficient and accurate retrieval of needed information.”

Access is often the biggest hurdle for businesses when it comes to information and a huge concern when considering mobile messaging and mobility. Organizations must consider who needs access to information – internal colleagues, external parties or both. How can a business ensure the right people have access to it and information is not shared with the wrong recipients?

6. Retention: “An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational and historical requirements.”

The business must consider what mobile communications information needs to be retained and for how long. According to a recent study by Information Governance Initiative, 98 percent of information professionals have records that need to be kept for at least 10 years. Text communications are no exception. How can an organization retain relevant mobile communications that take place over corporate-issued devices as well as personal devices?

7. Disposition: “An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.”

Once an organization no longer needs a record of the communication, how can they securely dispose of it? Mobile communications should be treated no differently than any other information source.

By looking at mobile messaging and information governance through the lens of these principles, businesses can define what is important to them, set information management objectives for corporate mobile communications and put technologies in place to support their specific needs.

New Objectives and Apps for Secure Communication

Once a business has outlined priorities for its information governance program, executives should then enact guidelines that align. For instance, if the top principles of concern for a health care organization are protection, availability and compliance, some example objectives they may put in place are:

  • Do not use unsecure/native chat and text for business purposes.
  • Do allow enterprise text messaging via secure, encrypted texting application.
  • To meet HIPAA compliance standards, make sure to capture communications in a secure repository of record.
  • Facilitate easy communications. Make the deployment and access to messaging as simple as possible.
  • Make it easy for people outside the organization, such as a patient family member, to communicate and enable such communications.
  • Ensure that security policies do not remove content from the devices too soon for practical business purposes.
  • Make the information available only to the right people.
  • Enact all protections possible to guard against information propagation or leak.

To meet these objectives, the organization should leverage a secure enterprise messaging app. These apps offer the ease of use of consumer-based apps, but provide the security features that guarantee text conversations, including documents and images sent via text, are seen only by the intended recipient.

To support compliance, enterprise messaging apps should enable a set expiration date of messages to ensure that data does not live on the device or server, while also offering the ability to save necessary information to a secure repository of record such as an electronic health record system. Other controls should take security past the basics of encryption to ensure that messages cannot be forwarded, copied, saved or otherwise shared with an outside party, and offer screenshot protection, eliminating risk of information leak or propagation.

As mobile messaging continues to be a preferred mode of communication within business – quickly becoming the new email – organizations need to enforce information management policies and leverage tools that enable them to meet specific requirements for security and compliance. These apps offer secure, confidential and efficient mobile communications while ensuring all information needed for compliance is properly retained. With these tools in place, organizations will be able to effectively enforce information governance for mobile messaging and leverage information to meet their business goals.

Dr. Galina Datskovsky is CEO of Vaporstream®

She has also served on the board of multiple startups, assisting with strategy, and was formerly Senior Vice President of Information Governance at Autonomy, an HP Company. She served as Chair, President, President Elect and Director of ARMA International (2007-2013) and as a Fellow in 2014. Galina also served as Senior Vice President of Architecture at CA Technologies, where she was responsible for corporate-wide architecture and design initiatives; General Manager of the Information Governance Business Unit; and a Distinguished Engineer. Galina joined CA in 2006 with the acquisition of MDY Group International, where she served as Founder and CEO. Prior to founding MDY, Galina consulted for IBM and Bell Labs and taught at the Fordham University Graduate School of Business and the Graduate School of Arts and Sciences at Columbia University.

Galina is a Certified Records Manager (CRM) and is recognized around the world as an expert in information governance and associated technologies. She received her CRM certification in 2004 and earned doctoral and master’s and bachelor’s degrees in Computer Science from Columbia University. She is the recipient of the prestigious Leahy award and a Fellow of ARMA International. She has been widely published in academic journals and speaks frequently for industry organizations such as AIIM, ARMA International, ILTA, IQPC and Cohasset Associates/MER. She received the NJBIZ: Best 50 Women in Business Award in April 2010.

(Article originally published in Corporate Compliance Insites by Galina Datskovsky, Ph.D., CRM, FAI, November 04, 2016)