More than half of office-based employees say their companies don't have written policies on data retention or personal use of work devices, or if they do, they aren't aware of them, a kCura survey found. In addition, 55 percent of office-based employees say they believe there is no harm to their companies when they use a work device for personal communications.
According to David Horrigan, e-discovery counsel at kCura and former data privacy analyst, the employee communication habits revealed by the study could put organizations at risk for increased data retention and discovery costs in today's increasingly litigious business environment. That's because laws, regulations, and rules, including the Federal Rules of Civil Procedure, which govern civil proceedings in U.S. district courts, have generally treated all data within the enterprise?even personal conversations?as potentially discoverable. "With so much data to organize, risk and costs can?and do?get out of control very quickly," said Horrigan. "Complete bans on the personal use of work devices would be difficult?if not impossible?to implement, and could be harmful to employee morale. However, companies do need to implement reasonable policies to mitigate risk."
A data retention policy is a must-have. The survey results reveal that 63 percent of employees don't believe their companies have policies on email retention or checking personal email and other accounts at work, or if they do, they don't know about them. A slightly better 56 percent say the same about written social media policies.
An overwhelming majority of employees (70 percent) also admit to using email/folders in their inbox as filing systems on the job ? a habit that makes it more difficult for enterprises to implement email retention policies without disrupting business, said Horrigan.
"Having a defensible data retention policy is one of the most fundamental necessities for mitigating risk in today's digital business environment," said Horrigan. "If a business faces a lawsuit or regulatory proceeding, it could face substantial sanctions for failure to preserve email."
For example, in a 2016 decision, U.S. District Judge Leonard Stark in Delaware sanctioned an electronics company $3 million in punitive sanctions plus costs for its unlawful deletion of email. In another case, a major airline faced multiple discovery sanctions, including court sanctions of $2.7 million in August 2015 for discovery failures.
Employees care about privacy, but compromise it anyway. Although 98 percent of employees surveyed said privacy was important to them, they engage in communications habits that put their privacy at risk. For example, 60 percent have done at least one of the following on a personal device connected to company WiFi:
- Sent personal emails (47 percent);
- Used the internet for personal purposes (45 percent);
- Sent personal text messages (40 percent);
- Sent personal messages via messaging apps (23 percent);
- Posted on social media (22 percent);
- Sent personal photos (20 percent); and/or
- Sent personal video (10 percent).
Additionally, employees use work devices for personal conversations. Thirty-eight percent use work email at least sometimes to send or receive personal/non-work related communications, while 28 percent sometimes or often use a work device to chat online with friends using services like Skype, Google Hangouts, or Facebook Messenger.
Employees said they have also used work devices for personal conversations that may contain particularly sensitive information:
- 32 percent with their physicians;
- 28 percent with financial advisors; and
- 18 percent with lawyers.
Communicating with a lawyer via email, text, or social media on a work device could pose the greatest risk, said Horrigan. By doing so, employees could be disclosing the conversation to a third party?the company?which could waive their attorney-client privilege.
If an employer fails to create or enforce policies on privacy, they may find that employees still have a reasonable expectation of privacy.
"Laws surrounding employee privacy are still developing," said Horrigan. "To protect themselves, employers must implement clear policies defining employees' expectation of privacy at work. For employees, the best bet is to keep work and personal communications separate. If you're wondering whether a certain communication or activity will remain private, you should assume that it will not."
Enterprise data volumes are skyrocketing. A 2016 survey by Osterman Research found that organizations stored a mean of 49.3 gigabytes of email data per user, and that total messaging-related storage during the previous 12 months had increased a mean of 18 percent. If growth continues at that pace, the data per user will reach 133 gigabytes by 2022.
Beyond conducting personal business at work, employees can contribute to growing enterprise data volumes by using digital platforms excessively to connect with colleagues in lieu of phone and face-to-face conversations.
For example, according to the survey, 54 percent of employees admit that they email large groups of people at work at least sometimes, while 30 percent concede hitting "reply all" when it's not necessary sometimes, often, or all the time. These habits may contribute to employees being copied on an average of 16 unnecessary emails per day.
"Workers today are more conscious about problematic habits such as printing unnecessary documents, but they don't think twice about sending an unnecessary email, IM, or Slack chat," said Horrigan. "The truth is, these digital communications leave footprints, too. When corporations don't take the steps to govern their information ? or at least have consistent, repeatable processes for handling large volumes of data ? they could face an array of legal headaches, IT frustrations, and high costs."
Source: Wolters Kluwer