Bob Johnson, CEO, NAID
The headline reads “WSU gets costly lesson in theft of hard drive with more than 1 million people’s personal data.”
It then goes on to say how Washington State University (WSU) spent $150,000 as a result of the theft of information (a hard drive in this case) from an Olympia self-storage unit.
And so, we are once again reminded how far we still have to go in raising the Records and Information Management (RIM) practices of organizations across the country (and around the world).
Any competent records management or data security professional understands that it is inexcusable and irresponsible to retain records and information in a self-storage unit.
- Managers and other people who work there, who are usually unscreened, definitely untrained on security, and have no fiduciary acknowledgment on file, often have full access to the storage units (legally, I might add). This fact alone is a potential violation of regulations.
- It is difficult to imagine that records and information stuffed into a self-storage unit undergo any retention management… or even basic inventorying. This sets an organization up for all types of regulatory and legal vulnerabilities that stem from retaining records unnecessarily.
- In the event of a lawsuit, all information and records are subject to discovery. Failure to produce a document germane to the case because “no one knew it was there” almost guarantees an unfavorable outcome.
And the list goes on. There are at least a half dozen other reasons why stashing information and records in a self-storage unit is irresponsible… made all the more illogical by the simple fact that storing records in a professional records storage facility is an easy (actually easier) and inexpensive option.
The bottom line is there is no circumstance in which it is acceptable to store information or records in self-storage… and furthermore, there is no good reason to do it either.
The fact that a major university was burned because it left information in a self-storage unit should be a wakeup call for every organization. Don’t do it. It’s risky and foolish… and completely unnecessary.