Only about a third of the 840 respondents to the study say their companies have written E-mail-retention policies, and a similar number admit they don't know or are unsure what should be retained and what could be deleted. Of those governed by retention regulations, almost half admit to not complying with or being unsure if they're complying with retention rules. The number of respondents who really understand retention requirements and compliance is likely far lower than that of the self-reported here.
This shouldn't be a surprise, even if it's troubling. Lawyers have grappled with what to keep and what to dispose of for decades. Add electronic-communication-retention issues, technological developments, and the avalanche of new regulations to the mix, and you have a netmare!
Understanding the importance of a document to a future litigation is impossible, even for seasoned privacy legal professionals. Unless there's a rule governing a precise type of information, it's largely a case of Monday-morning quarterbacking. Because of this, most legal and risk-management experts decide in advance to take one of two strategies: keep everything or keep nothing.
If this choice is clearly articulated in a company's policies and adhered to consistently, it works. Companies get into trouble when they suddenly delete all E-mail archives on the morning they're served with a subpoena. Even if a written keep-nothing policy is in place, the company faces liability for deleting evidence unless it's followed consistently.
Most people in the survey--60%--say their employee E-mail hasn't been subpoenaed and that their company hasn't been involved in litigation because of employee E-mail. But reality may differ from perceptions. Companies are almost always involved in some type of litigation, and most cases now involve electronic evidence. Unless a survey respondent is directly involved, it's unlikely he or she would know the answer to these questions. Risk management might improve if employees were made aware of the legal significance of electronic communications.
It's also time to address instant messaging in the workplace. IM is harder to monitor, track, and retain than E-mail. It's rarely retained, unless one party has a reason to save it (which makes it even more dangerous). And IM is more like talking than writing, so normal written workplace-communication safeguards are often ignored.
How each company deals with that will differ, based on its workplace culture and technological capabilities. But it's much better to address the issue now than when looking down the barrel of a smoking E-mail or IM.
To find out more about Parry Aftab, please visit her page on the Listening Post.