17 Jun Managing Corporate Records Retention and Electronic Risk

Original article from https://www.law.com

By Catherine Dunn

Does your company hold on to too much data for loo long? Are your employees storing business records that you don’t know about? Do your employees actually know what business records are—and why they matter to the company?

These issues around document retention and the use of communication technologies can cost a lot of money when company records become subject to litigation. Which is why the “Corporate Governance, Compliance, and Secure Communications: Achieving Balance” panelists at Corporate Counsel’s 25th Annual General Counsel Conference on Thursday urged attendees to clean house ahead of time, and put policies in place that employees can understand.

Sure, it’s easier to keep things then to get rid of them, Robert Owen, a partner at Sutherland Asbill & Brennan, acknowledged. But, “the more data you have, the more expensive your litigation is,” he said.

In fact, Owen stressed, “there’s nothing wrong with taking steps to minimize the data volume at your company.”

The important first step is creating a document retention policy. The time to do that is before a lawsuit hits—so it doesn’t look as though the company suddenly decided to delete a bunch of records. “You’re drafting your policy ahead of time, and you’re doing it in good faith,” Owen told CorpCounsel.com.

There are two categories of data and documents to hold onto: 1) those that your business requires, “and no more,” Owen said; and 2) what the law requires—which can vary by industry and state.

It’s also important to remember that not everyone reading—or executing—your document retention policy is a lawyer, said Nancy Flynn, executive director of the ePolicy Institute in Columbus, Ohio. “Start with a definition for your company of what is a business record,” she told CorpCounsel.com.

Then, use the policy to explain to employees things like which documents should be kept, why, and for how long, as well as when legal counsel needs to be involved in a document retention issue.

Once a policy is in place and has been distributed, it’s crucial to apply the policy consistently. For example, if the company decides it will purge data every 90 days, adhere to that schedule. “It can’t be hit or miss,” Flynn said.

If the company decides that certain documents will be destroyed on a regular basis, employees should be advised they’re not to hold on to their own copies. “Be certain your employees aren’t squirreling away their own private archives,” Flynn said.

While some employees retain or divulge confidential company data on purpose, most employees “just don’t understand they could get the company in trouble” by not following the policy, Flynn said.

So here’s how to break down the expectations around electronic risk management, using the ePolicy Institute’s “Three Es” method that Flynn shared with the audience:

1. ESTABLISH WRITTEN POLICY

Policies should be proactive, covering use of all electronic tools at the company’s disposal: email, instant messages, texting, mobile devices, web-based communication, and even newer technologies like recordless messaging. But beyond that, companies should also think about the technology tools employees use outside of work.

For example, even if your company doesn’t have a social media presence, “you still need a social media policy,” Flynn said. And even “if you aren’t providing employees with smartphones, you need a mobile device policy. You need to stay on top of this.”

Again, most employees aren’t lawyers, so aim for accuracy, brevity, and clarity in writing the policy. “You have to make these very clear, very easy to understand,” Flynn said.

2. EDUCATE YOUR WORKFORCE

That means making sure everyone—from interns up through the C-suite—understands what electronic risk is. “You want your senior executives to push those policies down” the chain of command, Flynn said.

At the same time, “you can’t assume your employees have more knowledge than they do”—be it what is mandated by regulation or what a business record is, Flynn said. “You want to educate them on what are the risks, what are the rules, what kind of content is allowed, what kind of content is banned.”

3. ENFORCE YOUR POLICY

“Put some teeth in those policies,” Flynn said. “Let your employees know, ‘If you violate policy you’re going to be disciplined and possibly terminated.’ ”

Flynn also recommended taking advantage of technologies that allow companies to manage content, automatically archive, and secure documents they’ve chosen to retain.

Finally, Flynn reminded attendees that company-wide communication is key: “Policy is essential, but a policy is no good if your employees don’t know that you have one and don’t know what it means.”