E-discovery isn't all about email.
The list of electronic records that must be retained for
regulatory compliance and litigation continues to expand, and
information technology executives must create and enforce policies
that take this into consideration.
During the IT Compliance Institute Conference in Washington,
D.C., Priscilla Emery, president of e-Nterprise Advisors, a
Longwood, Fla.-based enterprise content management consultancy,
told attendees that email is still the prime target for legal
discovery in litigation. However, other forms of electronic records
are also becoming applicable.
Emery cited an ePolicy Institute survey that revealed 24% of
responding organizations said they had received a subpoena
requesting employee email in 2005. Fifteen percent reported that a
lawsuit had been triggered by an employee email. She said these
numbers will continue to rise.
These numbers underscore the importance of having an effective
records retention policy and an acceptable use policy for a wide
variety of electronic media, not just email.
That same ePolicy Institute survey found that 58% of employees
send personal instant messages at work.
"Most organizations do not allow instant messages," Emery said.
"But a lot of financial services companies and broker dealers use
instant messages to communicate internally and with customers. You
need to keep those records. If you don't save your instant
messages, someone else might do so without you knowing it."
Tony DePalma, CIO of Mineral Technologies Inc., a New York-based
$1 billion manufacturer of mineral whiteners and other products,
said his company has an email retention technology in place, but it
has yet to start archiving instant messages.
"We do have an email archiving process," DePalma said. "Other
areas are to be planned."
DePalma said his company allows employees to use AOL Instant
Messenger for business communication. He considers other instant
messaging platforms to be less secure, so their use within the
business is restricted. However, the company has not yet started to
archive instant messages. He hopes to have a strategy team in place
soon to develop an archiving plan.
Blogs are also subject to record retention requirements. These
include blogs on corporate Web sites, but also personal blogs might
become subject to legal action if an employee posts corporate
information on it. Emery said companies need to create policies
around what can and cannot be posted on a blog. They also need to
scan personal blogs to ensure that employees are complying with
policy.
Companies must also capture information on their Web sites in
their original formats as a record of communication. If sales or
pricing information appear on a company's Web site, that
information needs to be retained since Web sites can change on a
daily basis. A company needs to be able to prove what information
was on its Web site in case it has to defend itself in court.
Emery said personal digital assistants (PDAs) are also becoming
"problematic." She said very few companies have policies in place
that make sure all PDAs synchronize to one server. Without such a
policy, email retention polices can be undermined.
Even text messages on mobile phones and PDAs can be used in
legal proceedings. Few companies retain text messages sent and
received by its employees, but all mobile phone service providers
retain them.
"A service provider retains those records, and if they are
subpoenaed, they will turn them over," she said.
Emery said companies should set standards for formats and usage
for each of these media. She said employee training is
critical.
"People are your biggest challenge" to installing a records
retention policy, Emery said. Training should be done routinely,
not just once. And CIOs should take steps to make sure compliance
to a records retention policy is easy.
"Do not create more interfaces," she said. "If it takes more
than five seconds for employees to figure out where to put
something, you aren't getting anywhere."
Let us know what you think about the story; email:
Shamus McGillicuddy,
News Writer