Document Security and International Records Management
Stephens, David O., Records Management Quarterly
Most records managers, whether employed by domestic or global business corporations, have traditionally had relatively little to do with "document security," defined here as any measures instituted to prevent the unauthorized disclosure of confidential, proprietary or otherwise sensitive corporate information.(1) This small but vitally important area of corporate management is generally the province of corporate security departments. And yet it is critically important that records managers work with corporate security officials to help protect sensitive information from threats to its integrity due to access by unauthorized persons.
In a recent article, Information-week magazine referred to the status of corporate information security as a "facade."(2) In its annual information security survey of more than 1,300 information systems (IS) chiefs, information security officers, and other high-level technology managers, the magazine found that "measurable financial losses related to information security are appearing at a majority of organizations." Some 54% of the survey respondents reported that their company had suffered a loss related to information security within the past two years, and this figure excludes computer viruses! More than a quarter of the respondents reported losses of up to $250,000, and some companies reported measurable losses of $1 million or more. It is also interesting to note that almost half the larger companies cited malicious acts by inside employees, while 25% reported such acts by outsiders. While acts of industrial espionage were reported by less than 10% of the respondents, their occurrence tends to be much more serious (in terms of financial losses, competitive disadvantages, and other adverse business consequences) than other information security problems. Finally (and most significantly for our readers) the number of companies that include records management in their corporate security policies and programs (about 45%) decreased from 1995 to 1996!(3)
If the above statement is true for records managers employed by domestic enterprises, it is even more true for multinational businesses which conduct business in the global marketplace. Indeed, the risks associated with the loss of vital information from theft or industrial espionage are even greater for multinational businesses in this era of intense global competition. As we shall see, these risks exist in virtually every location where records are maintained, but they are particularly high for records kept at overseas locations.
THE LOPEZ AFFAIR: THE DOCUMENT SECURITY "CASE OF THE CENTURY"
In the spring of 1992, Mr. John F. Smith, the head of General Motors Corporation, made an appointment that would prove to be historic in the legal history of this, the world's largest, industrial company. Where document security is concerned, the "Lopez Affair" may aptly be called "the case of the century" (it even threatened diplomatic relations between the U.S. and Germany).(4) What, exactly, occurred to justify such a momentous legal action? Actually, it came down to twenty cartons of missing records! This tangled tale is summarized as follows:
Allegations of Missing Documents
Jose Ignacio Lopez de Arriortua, head of purchasing for GM-Europe, was promoted to the position of head of worldwide purchasing. Mr. Lopez's mission was simple: lower the cost of building a General Motors car. There is no question that he achieved tremendous success at this task. Indeed, he and a handful of his top assistants were widely credited with achieving billions of dollars in cost savings, mostly by negotiating highly favorable contracts with GM's suppliers of parts and raw materials used in the manufacture of motor vehicles.
However meteoric his rise and stunning his successes, Mr. Lopez's tenure in Detroit was short-lived. In March 1993, he resigned his position and accepted a senior executive appointment at the Volkswagen Group, the largest auto maker in Europe. …