More than half of “office-based employees” surveyed reported that their company does not have written data retention policies, does not have policies governing personal use of work devices, or reported if those policies do exist, they are unaware of them, according to information from the kCura survey.
The prevailing data-retention attitudes of many office-based employees could create complications during the discovery process in legal proceedings, though, said David Horrigan, e-discovery counsel and legal content director at kCura, developers of the e-discovery software Relativity.
“The greatest challenge facing legal professionals in advising their clients on office data issues may be the lack of information their clients’ employees have about information governance policies and procedures,” Horrigan says. He notes that 63% of employees reported their companies had “no email retention policy” or didn’t know about them, and said “corporate clients can be a challenge to advise” based on this information.
“Even with perfect attempts at compliance, with so many employees not knowing about policy and procedures, data errors are almost guaranteed,” Horrigan said. Further contributing to the companies’ challenges, 55% of office-based employees said they do not think there will be harm to their respective companies if they use work devices for personal communications, according to information from kCura.
This attitude contributed to employee communication habits and indicated employees could put organizations at risk for retention and discovery costs in “increasingly litigious business.”
Regulations, including those in the Federal Rules of Civil Procedure, generally treat all data within the enterprise, even “personal conversations,” as discoverable, according to information from kCura. "With so much data to organize, risk and costs can—and do—get out of control very quickly," said Horrigan.
"Complete bans on the personal use of work devices would be difficult—if not impossible—to implement, and could be harmful to employee morale. However, companies do need to implement reasonable policies to mitigate risk."
Even though 98% of employees asked said that privacy was important, many still engage in communications putting privacy at risk. According to information from kCura, 60% have either sent personal emails, used the internet for personal purposes, sent personal text messages, sent personal messages via messaging apps, posted on social media, sent personal photos, or sent personal video on a personal device connected to a company’s wireless internet connection.
Horrigan said one strategy companies can employ is to adopt internationally recognized safeguards, for example, such as those associated with attaining an ISO 27001 certification. The ISO 27001 was established by the International Organization for Standardization.
He also suggested companies adopt policies and procedures on information governance, establish training programs on information governance and make employees aware of their programs. ISMS Solutions, which offers guidance to the ISO 27001 certification process, suggests a three-part plan that includes initiating an information security management plan, simplifying risk management and then moving toward assessment and certification, according to information from ISMS.
The Harris Poll survey was conducted with 1,013 full or part-time employees who work in an office setting at least half the time and was conducted between December 28 and January 18 to determine which habits have contributed to the “explosion of unstructured data in the enterprise.”