Lax Employee Communications Policies Open the Door to Lawsuits

When it comes to unstructured data and the dangers of employee carelessness, a lack of policies surrounding employee communications can lead to data governance and legal risks.

According to a survey from kCura, more than half of office-based employees say their companies don't have written policies on data retention or personal use of work devices, or if they do, they aren't aware of them. The poll also found that 55% of office-based employees believe there’s no harm to their companies when they use a work device for personal communications. The firm noted that this is a habit that makes data governance extremely difficult, with a number of risk factors ranging from privacy implications to the risk of increased data retention and discovery costs in today's increasingly litigious business environment.

According to David Horrigan, e-discovery counsel at kCura and former data privacy analyst, laws, regulations and rules, including the Federal Rules of Civil Procedure that govern civil proceedings in US district courts, have generally treated all data within the enterprise—even personal conversations—as potentially discoverable.

"With so much data to organize, risk and costs can—and do—get out of control very quickly," he said. "Complete bans on the personal use of work devices would be difficult—if not impossible—to implement, and could be harmful to employee morale. However, companies do need to implement reasonable policies to mitigate risk."

The survey results reveal that 63% of employees don't believe their companies have policies on email retention or checking personal email and other accounts at work, or if they do, they don't know about them. A slightly better 56% say the same about written social media policies.

An overwhelming majority of employees (70%) also admit to using email/folders in their inbox as filing systems on the job—a habit that makes it more difficult for enterprises to implement email retention policies without disrupting business, said Horrigan.

"Having a defensible data retention policy is one of the most fundamental necessities for mitigating risk in today's digital business environment," said Horrigan. "If a business faces a lawsuit or regulatory proceeding, it could face substantial sanctions for failure to preserve email."

For example, in a 2016 decision, U.S. District Judge Leonard Stark in Delaware imposed $3 million in punitive sanctions plus costs on an electronics company for its unlawful deletion of email. In another case, a major airline faced multiple discovery sanctions, including court sanctions of $2.7 million in August 2015 for discovery failures.

Employees also can contribute to growing enterprise data volumes by using digital platforms excessively to connect with colleagues in lieu of phone and face-to-face conversations. For example, according to the survey, 54% of employees admit that they email large groups of people at work at least sometimes, while 30% concede that they sometimes, often, or all the time hit "reply all" when it's not necessary. These habits may contribute to employees being copied on an average of 16 unnecessary emails per day.

"Workers today are more conscious about problematic habits such as printing unnecessary documents, but they don't think twice about sending an unnecessary email, IM or Slack chat," said Horrigan. "The truth is, these digital communications leave footprints, too. When corporations don't take the steps to govern their information—or at least have consistent, repeatable processes for handling large volumes of data—they could face an array of legal headaches, IT frustrations and high costs."
