The list of electronic records that must be retained for regulatory compliance and litigation continues to expand, and information technology executives must create and enforce policies that take this into consideration.
During the IT Compliance Institute Conference in Washington, D.C., Priscilla Emery, president of e-Nterprise Advisors, a Longwood, Fla.-based enterprise content management consultancy, told attendees that email is still the prime target for legal discovery in litigation. However, other forms of electronic records are also becoming applicable.
Emery cited an ePolicy Institute survey that revealed 24% of responding organizations said they had received a subpoena requesting employee email in 2005. Fifteen percent reported that a lawsuit had been triggered by an employee email. She said these numbers will continue to rise.
That same ePolicy Institute survey found that 58% of employees send personal instant messages at work.
"Most organizations do not allow instant messages," Emery said. "But a lot of financial services companies and broker dealers use instant messages to communicate internally and with customers. You need to keep those records. If you don't save your instant messages, someone else might do so without you knowing it."
Tony DePalma, CIO of Mineral Technologies Inc., a New York-based $1 billion manufacturer of mineral whiteners and other products, said his company has an email retention technology in place, but it has yet to start archiving instant messages.
"We do have an email archiving process," DePalma said. "Other areas are to be planned."
DePalma said his company allows employees to use AOL Instant Messenger for business communication. He considers other instant messaging platforms to be less secure, so their use within the business is restricted. However, the company has not yet started to archive instant messages. He hopes to have a strategy team in place soon to develop an archiving plan.
Blogs are also subject to record retention requirements. These include blogs on corporate Web sites, but personal blogs might also become subject to legal action if an employee posts corporate information on them. Emery said companies need to create policies around what can and cannot be posted on a blog. They also need to scan personal blogs to ensure that employees are complying with policy.
Companies must also capture information on their Web sites in their original formats as a record of communication. If sales or pricing information appears on a company's Web site, that information needs to be retained since Web sites can change on a daily basis. A company needs to be able to prove what information was on its Web site in case it has to defend itself in court.
Emery said personal digital assistants (PDAs) are also becoming "problematic." She said very few companies have policies in place that make sure all PDAs synchronize to one server. Without such a policy, email retention policies can be undermined.
Even text messages on mobile phones and PDAs can be used in legal proceedings. Few companies retain text messages sent and received by their employees, but all mobile phone service providers retain them.
"A service provider retains those records, and if they are subpoenaed, they will turn them over," she said.
Emery said companies should set standards for formats and usage for each of these media. She said employee training is critical.
"People are your biggest challenge" to installing a records retention policy, Emery said. Training should be done routinely, not just once. And CIOs should take steps to make sure compliance with a records retention policy is easy.
"Do not create more interfaces," she said. "If it takes more than five seconds for employees to figure out where to put something, you aren't getting anywhere."
Shamus McGillicuddy, News Writer