The previous column discussed the many forms and locations of electronically stored information (ESI) within today’s typical enterprise, and the challenges posed by unmanaged, employee-created ESI. The explosive growth of such uncontrolled data poses potential risks to the corporation. The first step in tackling this problem is promulgating a comprehensive data policy.
Data retention (or, perhaps more aptly, destruction) policies are commonly used within corporations to describe categories of data, including paper records, tapes and other backup media, and other ESI. The policies also specify retention periods for the different types of data within these categories. For example, you could instruct employees to retain sales invoices in paper form for five years and electronic sales invoices for seven years.
Typically, retention policies explicitly require destruction of data once the retention period has run, but in some cases the data must instead be moved to offsite storage or archived in a different format, such as microfilm. These policies are usually requested and produced in litigation, but they are rarely at issue unless they were not followed.
Policies that specify retention only for these well-defined categories of data do not adequately address the unmanaged ESI problem. A new, more comprehensive type of policy is needed, one that delineates how corporate data is stored and managed, in all forms and from all sources. Data, particularly ESI, that does not meet the requirements of the data policy is prohibited, with violations subject to discipline or possibly termination, as with other conditions of employment.
So what would such a data policy cover? It should certainly enumerate which forms of ESI are permitted, by type of media; which department or person(s) is responsible for managing each type; the controls for registering and tracking portable media such as USB thumb drives, external hard drives and recordable CD and DVD discs; and which data types are permitted on such media. For example, confidential data (and more sensitive classifications) might be restricted to specially labeled and numbered USB drives that are encrypted by a company-approved program, with the encryption keys generated and held by the IT department. Keeping the keys in IT's hands, rather than only in the employee's, is what lets the company later produce the drive's contents in litigation even if the employee has left or cannot be located; a numbered drive whose key is unrecoverable is, for discovery purposes, a lost record.
The key questions to be answered for each form of employee-generated ESI are:
- How the confidentiality of corporate data will be ensured
- How employee-owned or portable ESI media will be registered and tracked so that they can be identified in litigation
- What types of data are allowed on portable ESI media
- How compliance with the policy is verified and audited
- What retention period is appropriate, and the disposition of the data upon expiration
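One way to verify the portable-media controls described above, as an added example that is not code from the column: a small audit that checks USB storage devices seen on company endpoints against the register of numbered, encrypted drives that IT maintains. The register (APPROVED_DRIVES), the host names and the Windows USBSTOR device instance paths in SAMPLE_RECORDS are all assumptions constructed for the example; the path format is the one Windows records for USB mass-storage devices, which an endpoint inventory or forensic tool would collect. The audit flags drives that are unregistered, registered but without an IT-held key, or unable to be tied to a register entry because they report no unique serial number.

```python
"""Audit USB storage devices against a register of approved company drives.

Added example, not part of the original column. The register, host names and
device paths below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical register kept by IT (assumption): device serial -> asset record.
# "key_escrowed" records whether IT holds the drive's encryption key.
APPROVED_DRIVES: Dict[str, dict] = {
    "0019E06B1234": {"asset_tag": "USB-0042", "key_escrowed": True},
    "AA5500112233": {"asset_tag": "USB-0043", "key_escrowed": False},
}

# Constructed sample input: (host, USBSTOR device instance path) pairs, in the
# form Windows stores under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("WS-101", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B1234&0"),
    ("WS-101", r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230417112485&0"),
    ("WS-117", r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\AA5500112233&0"),
    ("WS-117", r"USBSTOR\Disk&Ven_Generic&Prod_USB_Disk&Rev_1.00\7&2a9c1f3e&0&_&0"),
]

USBSTOR_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$",
    re.IGNORECASE,
)


def parse_instance_path(path: str) -> Optional[dict]:
    """Split a USBSTOR instance path into vendor, product and serial.

    Returns None for paths that are not USB mass-storage devices.
    """
    m = USBSTOR_RE.match(path)
    if m is None:
        return None
    instance = m.group("instance")
    # Heuristic used in Windows USB forensics: if the second character of the
    # instance ID is '&', the device reported no unique serial and Windows
    # synthesised one per host. Such a drive cannot be matched to a register.
    if len(instance) > 1 and instance[1] == "&":
        serial = None
    else:
        serial = instance.split("&")[0]
    return {"vendor": m.group("vendor"), "product": m.group("product"), "serial": serial}


@dataclass
class Finding:
    host: str
    serial: Optional[str]
    product: str
    status: str  # "ok", "unregistered", "key-not-escrowed" or "no-serial"
    asset_tag: Optional[str] = None


def audit(records: List[Tuple[str, str]], register: Dict[str, dict] = APPROVED_DRIVES) -> List[Finding]:
    """Classify every USB storage device in `records` against `register`."""
    findings = []
    for host, path in records:
        parsed = parse_instance_path(path)
        if parsed is None:
            continue  # not a USB mass-storage device; out of scope here
        serial = parsed["serial"]
        if serial is None:
            status, tag = "no-serial", None
        elif serial not in register:
            status, tag = "unregistered", None
        elif not register[serial]["key_escrowed"]:
            status, tag = "key-not-escrowed", register[serial]["asset_tag"]
        else:
            status, tag = "ok", register[serial]["asset_tag"]
        findings.append(Finding(host, serial, parsed["product"], status, tag))
    return findings


def violations(records: List[Tuple[str, str]], register: Dict[str, dict] = APPROVED_DRIVES) -> List[Finding]:
    """Only the findings that need follow-up under the data policy."""
    return [f for f in audit(records, register) if f.status != "ok"]


if __name__ == "__main__":
    for f in violations(SAMPLE_RECORDS):
        print(f"{f.host}: {f.product} serial={f.serial} -> {f.status}")
```

The same check runs unchanged over a real export of the USBSTOR keys or an endpoint agent's device inventory; the point is that the register of numbered drives, not the label on the drive, is the evidence that a device was a sanctioned container for company data.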
The data policy should likewise specify which systems are never to be used for company data, such as Short Message Service texts, instant messaging systems, file sharing services and personal email. The IT department can prevent access to some of these systems with firewall rules that block their associated network ports. Others run over ports that also carry legitimate traffic (web-based email and file sharing services over the standard HTTP and HTTPS ports, for instance), so blocking the port is impractical; for those, the policy itself and its audit, rather than a network block, are the control.
The data policy must be updated frequently, so that it keeps pace with the ever-expanding forms of ESI and with the state of the law on e-discovery.
The next column will address prudent steps to take regarding data when the company is sued, such as timely issuance of litigation holds.