The previous column discussed the many forms and locations of electronically stored information (ESI) within today’s typical enterprise, and the challenges posed by unmanaged, employee-created ESI. The explosive growth of such uncontrolled data poses potential risks to the corporation. The first step in tackling this problem is promulgating a comprehensive data policy.
Data retention (or perhaps more aptly, destruction) policies are commonly used within corporations to describe categories of data, including paper records, tapes and other backup media, and other ESI. The policies also specify retention periods for the different types of data within these categories. For example, a policy could instruct employees to retain sales invoices in paper form for five years and electronic sales invoices for seven years.
The key questions to be answered for each form of employee-generated ESI are:
- How the confidentiality of corporate data will be ensured
- How the employee-owned or portable ESI will be registered and tracked for identification in litigation
- What types of data are allowed on portable ESI media
- How compliance with the policy is verified and audited
- What retention period is appropriate, and the disposition of the data upon expiration.
The data policy should likewise specify which systems are never to be used for company data, such as Short Message Service texts, instant messaging systems, file sharing services and personal email. The IT department can prevent access to some of these systems through firewall rules that block their associated network ports. Other systems, however, use network ports that also carry legitimate traffic, so blocking those ports is impractical.