Join us as we break down the realities of AI, discuss practical steps to future-proof your governance strategies, and have some fun along the way. You’ll hear from experts who know exactly what’s happening (and not happening) in AI regulation,…
Proper records management—using sound, consistent procedures for storing, retrieving, and disposing of records throughout their lifecycle—is the key to information governance. It’s what keeps your organization compliant with the thousands of regulations it must follow every day, as well as making it easier for people to access the information they need.
Everyone knows compliance is important. But few like to dwell on the consequences of noncompliance, which can include data breaches, legal penalties, hefty fines, long-term regulatory scrutiny, and a huge black eye that customers won’t soon forget.
It may be hard to believe any of that could happen to you. After all, you have records management procedures in place. And they must be working, because nothing bad has happened to your organization…at least, not yet.
The companies we will describe in this article likely thought the same thing, right up until the moment they were hit with headline-generating citations and multi-million-dollar fines for violations they could easily have avoided by following good records management practices.
This is what the true cost of noncompliance looks like. Learn from these companies’ mistakes to keep it from happening to you.
Employees often like to chat about work on messaging channels such as WhatsApp, Signal, or personal texts. But if your organization doesn’t preserve these business records—and make no mistake, that’s what they are—you can find yourself in hot water with regulators.
That’s what happened to Wells Fargo in 2023, when the SEC fined the bank for recordkeeping negligence. Several other banks were also charged in the probe, and combined they paid penalties of $289 million.
Lesson: You must implement and enforce strict policies on record retention and data security, including preserving all email and messaging systems content.
Meta (formerly Facebook) was slammed with a record $1.3 billion fine in 2023 for transferring the personal data of European Facebook users to servers in the U.S. The fine surpassed Amazon’s $800 million penalty for the same offense two years earlier.
Europe takes its GDPR data privacy regulations very seriously, and judges were not moved by Meta’s purported ongoing efforts to improve controls.
Lesson: You must prioritize data protection and ensure compliance with all global and local privacy laws. It’s a tall order: U.S.-based companies are subject to 8,000 to 20,000 laws and regulations surrounding data retention, privacy, statutes of limitation, and other requirements. Keeping up with changing government and industry standards in every area where you operate is critical.
In 2022, Morgan Stanley was fined $35 million for failing to protect the personally identifiable information (PII) of 15 million customers. The bank had hired a moving and storage company with no experience in data destruction to decommission hard drives and servers. The company then auctioned off the devices online without removing the unencrypted personal data they contained.
Lesson: Secure disposal of records and IT assets is just as important as proper storage. Data stored in physical assets can be stolen or breached. Be sure to protect it—and vet your contractors carefully.
Anthem, the parent company of Blue Cross and Blue Shield Association, now known as Elevance Health, disclosed in 2015 that it had been hit with a massive data breach affecting the data of 79 million customers. In addition to paying a $16 million fine, the insurer spent $260 million on related costs, including notifying customers, paying for credit monitoring, and improving its cybersecurity. It also suffered years of reputational damage.
Lesson: It’s essential to comply with data protection laws and implement strong cybersecurity measures—including access controls, security monitoring, and regular employee training.
Odom Industries, a manufacturer of fabricated steel products in Ohio, was fined over $90,000 in 2011 for violations that included failing to record illness and injury reports to OSHA. It was also found that the company intentionally erased information from past injury and illness logs.
Lesson: Even small and midsize companies in industries like manufacturing and construction must ensure proper recordkeeping and compliance with safety regulations to avoid penalties.
None of these expensive, reputation-damaging incidents would have occurred if the companies had implemented strong records retention policies and consistently followed regulations.
Security and compliance requirements often change, but keeping up has become much easier thanks to technology. AI tools can implement updates across systems. They can automatically enforce access controls, encrypt sensitive data, and monitor systems for signs of an attack, cutting off access to potential intruders and notifying the security team. AI can also monitor for compliance and provide auditors with objective evidence that you’re following the rules.
You should conduct compliance audits regularly, implementing any new rules and fixing any gaps. And be sure to provide employees with updated training on proper records management and data security. Taking these steps will help the organization build a culture of accountability.
As the companies we described show, the cost of noncompliance—exorbitant fines, legal trouble, and lasting reputational damage—is too high to risk. If you don’t want to take chances, consider working with compliance experts to stay updated on evolving regulations and implement risk mitigation strategies tailored to your unique business processes.
Contact us today and schedule a call with our legal and information governance professionals!