Employee status changes present constant opportunities for data that is subject to a legal hold to be corrupted, lost, or destroyed. Those who are not in the HR profession may be surprised to learn that 12-15 percent of organizations’ employees separate annually. When employees leave their departments or the company entirely, the demand for desktops and laptops is often so great that those devices are “recycled” almost immediately. Without a concerted, proactive effort to identify such data, the risk of spoliation or loss of intellectual property is enormous. While employee movements are a routine element of modern business life, they take on critical significance in the context of e-discovery, where failing to properly track employees can very easily result in data spoliation and severe sanctions.
In this article, we’ll discuss recent case studies of matters involving the management of employee data and practical advice on how to implement and maintain best practices for this specialized area of information governance.
Case Study—Double Deletion
When an employee’s status changes, accidental deletion of important information is surprisingly easy, as a recent example illustrates. In this case, a client-sensitive email message was inadvertently “double-deleted” by the lone recipient shortly before the employee departed the company. Double-deletion refers to the deletion of a mail item followed by the clearing of the item from the deleted items folder, after which it remains in a limbo-like space within Exchange referred to as a “dumpster.” Many companies have a deletion retention policy that generates a backup of dumpster content prior to full purging. In this case, however, the company did not have such a policy in place, and it was later determined that the message was within the scope of a current legal hold. The company is now facing potential sanctions for not properly maintaining the hold.
Case Study—Department Transfer
As mentioned before, the average company has a 12-15 percent turnover rate, which is significant on its own. This does not account, however, for the additional percentage of the workforce that changes roles within the organization, and therefore may be subject to new security policies, access and regulations. For example, consider another case where an employee transitioned to another department. As part of the transition, IT transferred to this employee the documents (email and user-generated content) held by his/her predecessor. But when this was done, IT didn’t inform the transitioned employee of any inherited legal holds or other retention measures and additionally didn’t take steps to retain a copy of the predecessor data to offline storage, which caused a portion of sensitive predecessor content to be inadvertently deleted.
Case Study—Deletion Policies
In yet another matter, this time at a national oil and gas company, deletion policies alone proved inadequate. This company’s employee exit policies entailed ‘wiping’ of hard drives upon departure, along with purging of the departing employee’s mailbox. Wiping was enacted on key departing employees’ devices prior to confirmation of any legal holds or other sensitive content. When it became known that spoliation had occurred, the company sought a plan for recovering the data. Fortunately, the content was recoverable, and the exercise served as a lesson in implementing more appropriate exit policies. However, the cost of the recovery could have been avoided altogether had a sound information governance strategy been in place beforehand.
Considering the examples cited above, preventing spoliation may seem a daunting challenge. However, there are a number of practical steps companies can take to proactively help prevent it. A key element of any initiative is to first assess the needs of the organization by speaking to key stakeholders in legal, IT, HR, etc. This ensures up front that pertinent compliance measures, existing corporate policies and legal holds are identified. For example, the phenomenon of “bring your own device,” commonly referred to as BYOD, creates a vector for data loss that necessitates its own policy. Once the stakeholders clearly understand what needs to be retained, and how overarching corporate policies defining treatment of business records and other electronic documents can be consolidated, the team can take the next step of creating a data map. A data map (or content map) of a company’s assets is a crucial foundational element for understanding what exists within the environment, and therefore what may fall within a compliance or legal hold specification.
The next step is to establish a means for keeping existing policies and procedures updated, either at specific intervals or when noteworthy changes to the organization or infrastructure occur. Clear communication of information governance policies is imperative in keeping employees aware of existing policies and the evolving nature of those policies. Exit interviews of departing employees can be a very helpful means for ensuring responsive electronic documents don’t find their way out the door along with the departing employee, inadvertently or otherwise.
Lastly, when the time comes for preserving and/or collecting employee data, companies should have a standard and streamlined process that takes into account updated policies and initiatives. Part of standard procedure should be awareness of scenarios that may require a neutral third party for collections or exit interviews, depending on the unique litigation or compliance needs of that matter. The goals are to minimize cost and time burdens that are associated with these efforts, and ultimately protect the company from sanctions that often come hand-in-hand with spoliation.
The solution to information governance problems driven by employee status changes is a combination of cross-organizational teamwork, establishment of company-wide policies, and processes that enforce those policies. While these efforts can represent a large investment by the organization, they offer a return of substantially reduced risk of loss of crucial data and associated judicial or regulatory sanctions, as well as protection of the organization’s brand and reputation.
Watch the clip below to hear Antonio and Scott discuss some of the e-discovery dangers associated with employee status changes and best practices for preventing data spoliation.