In principle, document retention should be a straightforward part of a responsible information management plan: you work out what you want or need to keep, archive it securely and destroy it in line with national guidelines. Job done, what’s next?
The reality couldn’t be further from the truth.
First of all, Europe is awash with complex document retention laws. There are different laws for different types of records ─ ranging from a few months to 20 years or more. These laws differ between countries and between industry sectors; and, most confusingly of all, keep changing all the time.
Documents that are kept for too long risk breaching data privacy and protection laws; documents that are destroyed too soon could put you in breach of e-disclosure law. So it is hardly surprising that 35 per cent of mid-market firms[i] in Europe have opted to keep all paper and electronic documents just ‘in case’. In terms of industry sector, 39 per cent of financial services firms and 45 per cent of manufacturing and engineering firms hang on to everything.
Nowhere is the impact of this widespread confusion and concern more apparent than in the case of digital communications such as emails, text messages and social media posts. In contrast to the approach above, many companies appear to be responding to these new record formats by not keeping track of them at all.
A recent study by global information trade body AIIM[ii], found that while around three quarters (73 per cent) of firms now include emails in their corporate retention policies, most rely upon manual processes for deleting them. In 55 per cent of firms, employees are left to save or delete emails as they see fit. Such an unmanaged, employee-led approach is particularly risky in view of the growing number of high profile law suits that have relied extensively on email evidence, such as the recent phone hacking scandal.
An additional problem with implementing retention strategies for electronic communications such as email is that multiple copies are likely to exist on desktops, mobiles and laptops – and it can be near impossible to track down and manage all of these.
It gets worse. What should a company do, for example, when the information they need was included in a text message exchange carried out on a work phone but then deleted when the employee left the firm?
For most firms, social media content management isn’t even on the radar. The AIIM study found that less than 15 per cent of organisations include external social media posts in their company retention schedules. This failure to treat social media as valid company records could be down to a number of factors, including a practical need to offset risk against resources. For many firms, however, the fast-moving world of social media can simply seem too difficult to track or capture.
Yet, of those firms which did treat social media posts as records, a third has made use of them. A small but significant 27 per cent had used them to resolve a customer complaint or dispute and 17 per cent had used them in staff disciplinary action – two areas of considerable reputational importance.
It is perhaps telling that, according to AIIM, a third of firms haven’t given anyone overall responsibility for the governance of instant messaging, mobile and external social media content. This lack of ownership suggests that the situation is likely to get worse before it gets better. This is extremely worrying in today’s increasingly litigious business environment, where both companies and consumers better understand and insist upon their rights.
Are we heading for a perfect storm as organisations are hit by more information yet insist on either hoarding or ignoring it so as not to fall foul of the constantly changing, complex retention laws? The fact that it is as dangerous to hold something for too long – such as personal data or unsuccessful job applications – as it is to destroy something too soon – such as email correspondence required for a lawsuit or details on health hazards – is clearly overwhelming many firms.
Legal organisations and information management firms have a duty of care to help companies navigate their way through this rapidly evolving landscape and seize control of all their information. The line between too soon and too late is a very fine one and we all balance better with something solid to hold on to.
Christian Toon | Risk and Security at Iron Mountain | @christiantoon
Christian Toon, has a wealth of experience in the industry and ensures that governance, risk and compliance requirements are met within both new and existing contracts from across the continent. These contracts include some of the industry leaders in business today. He enjoys the challenge that comes with interpreting customer problems and solving them with a risk-based approach, with strong interests in the causes of data breaches, identity theft and bring your own device.
[i] PwC research for Iron Mountain, 2013. PwC spoke to 600 senior business executives in the UK, Germany, Spain, Netherlands, France and Hungary.
[ii] Information Governance – records, risks and retention in the litigation age, AIM Industry Watch, 2013
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.