Contributed by Rebecca Dobbs Bush, December 15, 2016
Almost as certain as death and taxes is the fact that technology is constantly changing. You regularly download windows updates and security patches. You regularly download operating system updates for your mobile phone and tablets. But, how often do you review your company’s data retention and email policies?
Record retention policies are incredibly specific to each business. A template policy seldom, if ever, does the job. Many businesses are subject to industry-specific record keeping obligations and, even with a single business, various departments have different considerations that need to be taken into account. Rarely is it appropriate for one company to store and maintain its data in a method that is identical to that of another company.
Furthermore, as technology evolves, so do the methods by which we store and use data. For example, consider the challenges with just mobile phones. More and more businesses are utilizing BYOD policies, often at the request of employees who don’t want to carry multiple phones or who have a preference for a specific type of phone. In many cases, this can create just as much, if not more, exposure as allowing employees to utilize their personal laptops for work. Think about what is stored on most mobile devices: company email and webmail, text messages, geographical location info and GPS history, documents and files copied from computers or received as attachments, internet and social media history, call logs and contacts, online banking transactions, calendar entries, “To-Do” lists and other tasks, photos and videos and more. Furthermore, photos and videos taken with mobile devices contain metadata that often details the time, date and location when they were taken. And this data does not reside on the phone alone. All of this data could possibly be stored on a SIM card, internal memory on the phone, and/or other devices and computers that the mobile device connects to or uses for storing backup files.
In most cases, it takes multiple individuals working together to create a policy that properly addresses both business needs and legal obligations. Such a policy typically requires the help of an attorney knowledgeable of the legal obligations at play within your industry as well as those issues that can arise in defending litigation. Additionally, crafting a proper and useful policy also requires detailed input from the person (or people) with the most knowledge of how data is used and stored within your business.
All too often, the problem of a lacking or outdated policy is not discovered until one of two instances occurs: 1) a company is facing the exorbitant expense of responding to electronic discovery requests in the course of litigation; or 2) an employee (or former employee) has misappropriated confidential and proprietary business information. Don’t wait until your operating system is infected with one of these viruses. Update your record retention and data policies annually.