Information Governance Questions to Explore During and After Coronapocalypse (PART II)
Last week, we discussed how the increased number of employees working remotely created new challenges for companies’ information governance and record retention policies and practices (Part One). In this second installment of our three-part series, we focus or “zoom in” on some additional considerations.
Recognize the Potential Risks of New Technologies.
Most companies are doing whatever they can to keep business flowing. This has resulted in some companies adopting new technologies to make communications with customers and between employees easier or more like in-person exchanges. And some employees have – on their own – looked for work-arounds to get their jobs done in creative ways. For some, this has included the rapid adoption of tools like Zoom for video meetings, or MS Teams, or other collaborative web-hosted services or tools. It may mean employees turning to WhatsApp or other mobile device applications for functional ways to communicate with other employees or with clients. As companies adopt these tools, the organization should consider the impact on data security and information governance:
- Are all of these web meetings being recorded? How do we know?
- Are chat applications truly ephemeral – and if they are, what decisions and discussions should and should NOT be handled there?
- Does this cloud-based collaboration tool properly secure important or confidential client information?
- How can any of this information be saved for long-term record keeping?
- Is there something in that click-through agreement on the cool new phone application that violates our company policies?
- Who actually owns any information shared via this chat, and what happens if we need it for a litigation response?
It’s important for employees and organizations not to embrace these new and helpful tools without consideration of the risks, a close examination of the end-user licenses, and a review of the often hidden terms and conditions that govern exactly what happens to any information shared via these tools, apps, or web-sites. Who in your company is handling this function? And how are you going to learn which new tools or technologies your employees may be using in this dispersed environment?
Develop New Policies and Procedures.
It is incredibly important for SOMEONE in the organization to pay attention to all of these changes. If your company already has dedicated information governance (IG) personnel, that team should be taking the lead and contemplating what procedures or policies should be written or changed to keep up with all of the changes in how work is happening. If your organization does not have a dedicated IG team, then consider forming a cross-functional group that includes leaders from information technology, legal, and human resources. When considering what new policies or procedures should be implemented both in the short term, while the work world is disrupted by the pandemic, and in the longer term, for reopening and for changes that will remain even after people get off of the Coronacoaster, think about the following:
- Guidance on how to handle the commingling of business and personal information: Employees should be reminded of the basics of good company record-keeping. Do your employees know how to handle physical records at home? What are they printing, and where are they storing it? Do these files or records later need to be returned to the office, or can they be shredded? What can be recycled in regular neighborhood recycling and what should not be? What happens if the dog really does eat the file? Who is responsible for tracking any or all of this information?
- Tracking the technology and tools: Do your employees have permission, access, and ability to install and utilize new technology that could put the company’s confidential information at risk? Who should review requests for new phone apps? Who will track what new tools are being requested, reviewed, approved, utilized? Who should review end-user licenses? How will all of this happen effectively?
- Acceptable Use Policies: For any of these new applications or technologies that are being used, is there particular guidance for employees on their use? If ephemeral messaging cannot be retained, should it be used to make policy or procedural announcements? Are there labor considerations around the use of personal devices to conduct business? Should the company’s bring-your-own-device policy be altered temporarily or long term?
These questions and so many others should be carefully considered in the context of each company’s current information governance policies – and each company will need to determine what long-term changes or temporary amendments should be made to address the impact of the situation. And, of course, any changes that are made must be clearly communicated to all impacted employees.
Please visit our Coronavirus: Preparation & Response series for additional resources we hope will be helpful.
This information is provided by Vinson & Elkins LLP for educational and informational purposes only and is not intended, nor should it be construed, as legal advice.