By John Unice, Esq., CEO
Well before the COVID 19 pandemic, many organizations were looking for technological platforms through which colleagues could communicate, share information, create work product, and convene meetings remotely. Particularly in larger entities, with employees dispersed amongst various time zones, countries, or even continents, the need to share and collaborate efficiently has only increased over time. These demands for cross-functional collaboration, coupled with technological innovation, gave rise to the popularity of tools such as Microsoft Teams and Slack. In these platforms, users within a department or group can chat via instant messaging, share and modify documents via links that are stored in a shared location (rather than by emailing multiple, redlined attachments), and upload files of multiple types to be viewed and accessed by those with the appropriate technical or group permissions. On their face, the tools make good business sense and can indeed improve the speed and efficiency by which employees create value for their respective organizations.
In our experience, many organizations, when rightfully responding to the technical demands of business colleagues, roll out collaboration tools without fully thinking through the manner in which these powerful platforms can inhibit record retention and disposal considerations, run afoul of corporate policies often aimed at how employees should communicate within the workplace, and increase litigation costs (and potentially litigation and information security risk). The rollout of these robust tools should, in our view, be accompanied by a holistic approach that accounts for legal and regulatory guidelines, record retention and disposal schedules, and existing corporate policies. While certainly no small feat, organizations would be wise to bring together the IT, legal, HR and business functions to help assess the manner in which collaboration tools should be implemented and used. Below are some key considerations we advise our clients to consider during the selection and rollout of such technology.
Record Retention Considerations
A viable record retention schedule spells out for the organization which types of documents qualify as official business records. Traditionally, files that have legal significance, substantive business value, regulatory import, historical significance, or financial value to the enterprise are more likely to qualify as a business record. Contrast these types with documents in the public domain, items personal to particular employees, and drafts or duplicates, which are normally classified as non-records. The next step in the process is to identify where business records can be stored, deemed “systems of record.” Typically, these systems are centrally controlled, have increased levels of security, and are not tied to any one employee’s account. (An Outlook email account, for example, will almost never be considered sufficient to serve as a system of record.)
With these thoughts as a backdrop, organizations should ask the collaboration-platform provider about the standard retention settings inherent the platform’s file storage and communication tools (e.g., instant messaging), and whether these settings can be modified. Teams chats, for example, by default are stored in the cloud indefinitely. (Read more about Teams in our January 2021 Insights post, here: https://insights.bit-x-bit.com/2021/01/.
In our experience, a common refrain from business colleagues is that every chat should be retained forever, just in case a topic discussed long ago resurfaces at some point in the future. The business need for permanent retention should be weighed against several factors, including the organization’s record retention policy and whether it classifies such content as a business record, as well as the organization’s comfort with employees conducting the entity’s “business activities” inside these informal modes of communication. All of these factors weigh in favor of working to implement formal company use guidelines as well as technical controls (e.g., size quotas or temporal storage limits) for collaboration tools.
Other key record-retention touchstones that should be considered include: Should business records be transmitted within the platform? Does the platform meet the organization’s definition of a system of record? What is the company’s recourse if an employee violates company policy and stores or shares records in a non-authorized system? There is no one-size fits all answer to these questions. But, if an organization convenes the right stakeholders out the outset of technological innovation, it will be far more likely to reduce risk, promote compliance, and increase efficiency.
As with any form of electronic media, organizations should assume that electronically stored information (“ESI”) created within tools used to conduct work could become subject to a legal hold or investigative demand. To those ends, before selecting and implementing a collaboration tool, ask the supplier what methods are available “out of the box” to preserve, target and collect ESI within the platform. And be sure to ask what technical limitations are inherent in those collection tools. Microsoft, for example, has methods by which to export data from sources such as Exchange (email), Teams and the other Microsoft 365 services; however, Microsoft’s standard collection tools cannot keyword search the content of documents within a zip file, or the text of a PDF that has not been converted using optical character recognition (“OCR”) software. This means that an “out of the box” collection using Microsoft’s built-in “content search” or “core eDiscovery” functions, using key terms, will not detect (and therefore will miss) documents within a zip file or non-OCR’d PDFs. See https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery?view=o365-worldwide.
For organizations who are already litigious or anticipate those challenges to be a significant part of the company’s profile, care should be given to how employees are trained to use these systems, and whether automated deletion cycles for files and communications within the platform (ideally tied to the organization’s record retention and disposal schedules) can be implemented. For example, chats within Teams can be configured to auto-delete after defined time periods. And employees should be trained, ideally by the legal and HR functions, about responsible communications. Examples of how carelessly worded texts and chats, and the negative import on the associated organization’s litigation risk, should be highlighted. A common rule of thumb we often promote is the “New York Times” rule: never chat or send a communication that you would be remiss to read on the front page of the New York Times. These lessons are even more critical in tools through which employees can quickly share files, send and receive communications, and upload a variety of file types.
Our team of experts can help organizations navigate these topics during the planning stages, or well into the litigation stages. Contact us at firstname.lastname@example.org or 412-325-4033.