Managing Corporate Records Retention and Electronic Risk
Does your company hold on to too much data for loo long? Are your employees storing business records that you dont know about? Do your employees actually know what business records areand why they matter to the company?
These issues around document retention and the use of communication technologies can cost a lot of money when company records become subject to litigation. Which is why the Corporate Governance, Compliance, and Secure Communications: Achieving Balance panelists at Corporate Counsels 25th Annual General Counsel Conference on Thursday urged attendees to clean house ahead of time, and put policies in place that employees can understand.
Sure, its easier to keep things then to get rid of them, Robert Owen, a partner at Sutherland Asbill & Brennan, acknowledged. But, the more data you have, the more expensive your litigation is, he said.
In fact, Owen stressed, theres nothing wrong with taking steps to minimize the data volume at your company.
The important first step is creating a document retention policy. The time to do that is before a lawsuit hitsso it doesnt look as though the company suddenly decided to delete a bunch of records. Youre drafting your policy ahead of time, and youre doing it in good faith, Owen told CorpCounsel.com.
There are two categories of data and documents to hold onto: 1) those that your business requires, and no more, Owen said; and 2) what the law requireswhich can vary by industry and state.
Its also important to remember that not everyone readingor executingyour document retention policy is a lawyer, said Nancy Flynn, executive director of the ePolicy Institute in Columbus, Ohio. Start with a definition for your company of what is a business record, she told CorpCounsel.com.
Then, use the policy to explain to employees things like which documents should be kept, why, and for how long, as well as when legal counsel needs to be involved in a document retention issue.
Once a policy is in place and has been distributed, its crucial to apply the policy consistently. For example, if the company decides it will purge data every 90 days, adhere to that schedule. It cant be hit or miss, Flynn said.
If the company decides that certain documents will be destroyed on a regular basis, employees should be advised theyre not to hold on to their own copies. Be certain your employees arent squirreling away their own private archives, Flynn said.
While some employees retain or divulge confidential company data on purpose, most employees just dont understand they could get the company in trouble by not following the policy, Flynn said.
So heres how to break down the expectations around electronic risk management, using the ePolicy Institutes Three Es method that Flynn shared with the audience:
1. Establish written policy
Policies should be proactive, covering use of all electronic tools at the companys disposal: email, instant messages, texting, mobile devices, web-based communication, and even newer technologies like recordless messaging. But beyond that, companies should also think about the technology tools employees use outside of work.
For example, even if your company doesnt have a social media presence, you still need a social media policy, Flynn said. And even if you arent providing employees with smartphones, you need a mobile device policy. You need to stay on top of this.
Again, most employees arent lawyers, so aim for accuracy, brevity, and clarity in writing the policy. You have to make these very clear, very easy to understand, Flynn said.
2. Educate your workforce
That means making sure everyonefrom interns up through the C-suiteunderstands what electronic risk is. You want your senior executives to push those policies down the chain of command, Flynn said.
At the same time, you cant assume your employees have more knowledge than they dobe it what is mandated by regulation or what a business record is, Flynn said. You want to educate them on what are the risks, what are the rules, what kind of content is allowed, what kind of content is banned.
3. Enforce your policy
Put some teeth in those policies, Flynn said. Let your employees know, If you violate policy youre going to be disciplined and possibly terminated.
Flynn also recommended taking advantage of technologies that allow companies to manage content, automatically archive, and secure documents theyve chosen to retain.
Finally, Flynn reminded attendees that company-wide communication is key: Policy is essential, but a policy is no good if your employees dont know that you have one and dont know what it means.