With remote and distributed work becoming the new norm, companies are faced with unique document retention and preservation challenges different than when employees are in the office. Some of these challenges include IT security, limits on the technology available to employees, different communication channels used by employees, and a change in company culture.
Consequently, companies must ensure that their document retention policies and document preservation protocols adhere to the same standards as if employees were in the office. Having an effective document retention policy goes a long way in meeting the obligation to preserve data as a litigant or when responding to a subpoena.
A distributed workforce presents several challenges to the obligation to preserve data including:
To address these data risks, companies should review existing data retention policies, device use policies, and legal hold procedures. Specifically, organizations should ask the following questions regarding their data security and legal hold policies: (1) do the policies address remote work-related concerns? (2) are the policies meaningfully enforced? (3) what technology does the company already utilize that can be leveraged to preserve data while employees work from home?
If a company’s current data security policies do not reflect the reality of a distributed workforce, they must change. For example, if employees are using collaboration tools more frequently, including direct messaging features (including ephemeral messaging), are adequate steps being taken to preserve the communications? For companies using Slack, it is worth noting that it has different rules on data export depending on the type of subscription. Companies with free or standard plans have limited ability to export data from private channels and direct messages.
Accordingly. with the new reality of distributed work and working from home, existing policies should also be examined. For instance, if company policy does not address post-termination data access, consider putting a procedure in place to automatically sever network access upon the remote worker’s date of termination. This will ensure that a terminated employees’ ability to alter, corrupt, or delete any data is restricted before their devices are returned.
Oftentimes, data security policies are in place but not enforced as written. For instance, a company may have a policy on device recycling that requires data on laptops to be backed up and wiped before the laptop is given to another employee. However, in a rush to cover the technological needs of its employees working from home, the company fails to back up information and wipes the data, including data about pending litigation. This failure to preserve relevant data could result in court-imposed sanctions due to the spoliation of evidence.
Further, many companies have existing technology that can be leveraged to assist with data preservation. For example, Microsoft 365’s Exchange Online, a popular business email service, has built-in eDiscovery features. These features include the ability to schedule the preservation of emails and place legal holds on emails without physically accessing a remote employee’s device. We help several clients leverage these Microsoft 365 tools to ensure legal holds are properly in place.
It is essential to know where your data “lives”. Fully understanding the nature and location of company data is critical because it will aid in locating relevant information when the need to collect and produce it arises. This means understanding the ins and outs of how the company’s data is stored, maintained, and accessed. The following are some useful questions to better understand data:
Many companies have servers, networks, cloud storage, and company-issued devices. These can include laptops, cell phones, and external drives. Additionally, a remote workforce may necessitate having company data stored on employees’ personal devices.
Knowing your vendors is as important as knowing your data because they may be able to assist with both the preservation and collection of data.
Many companies require that employees connect to the company’s network to use email and perform necessary duties to secure access to data.
If a remote employee accidentally damages their company-issued laptop, the company may have alternate means to access the data through backups.
Metadata is data that provides information about other data. For example, the “sent date” makes up part of the metadata of an email. If metadata is not stored, consider doing so because, among other things, it helps simplify data collection when producing relevant evidence.
If so, how is data preserved before the device is passed on to a new employee?
Finally, existing legal holds should be assessed to confirm that data from employees working remotely is properly preserved. Implementing simple safeguards can go a long way.
First, consistently remind remote employees under legal hold of their obligation to preserve data. This is especially true for employees who are allowed to use personal devices. For these remote employees, companies should encourage them to routinely migrate data from personal devices to the company’s devices, network, or storage.
However, whenever possible, it is best practice to have remote employees keep any relevant data within the company’s systems and not on personal devices. Storage of data on the company’s systems and off of personal devices or cloud storage will help avoid complex legal questions, such as whether evidence stored in an employee’s personal cloud storage is within the company’s possession, control, or custody. Finally, potentially relevant data should be collected early and often to prevent unintentional loss.
If feasible, software that automatically captures and retains documents on devices used by remote employees should be used. We have tools at Percipient to facilitate remote collections from your employee’s devices and can help you create an automated workflow to help preserve important data that would otherwise be lost. Automating document retention will help eliminate user error during data preservation.
Even when there is minimal chance for litigation, it is best to take precautions to ensure data is preserved for all employees, including those working remotely. A failure to do so could result in adverse rulings, evidentiary sanctions, or fines.
We can assist with your legal hold and data preservation needs. If you need help, get in touch with us.