June 25, 2020
The ‘new normal’ created by the COVID-19 pandemic has led to many employees working remotely from home, resulting in companies facing new challenges in how they manage information created and sent by their remote employees. This blog post examines several corporate policies related to document retention and cybersecurity that in-house and outside counsel should consider evaluating and potentially updating in light of the remote work trend.
Business Continuity: Even before the pandemic, many companies were integrating new forms of communication technology such as Microsoft Teams, Slack, Zoom, and others to streamline and improve corporate communications. Out of necessity, an increased remote workforce accelerated the integration and implementation of these tools to allow remote workers to maintain business continuity. However, the rapid integration of new technologies can also create problems for companies who do not properly vet the utility of the technology. Even under expedited timelines, we suggest investing time to evaluate how a particular technology could assist a business function before implementing it company-wide. Additionally, updating written approval policies and acceptable-use procedures concerning the use of new technologies, and training remote workforces on the tools and policies being implemented, can both prevent employees from misusing the technology and avoid privacy incidents.
Data Retention for Legal Holds: In addition to taking proper precautions when onboarding new communication technologies, companies should also consider updating legal hold and data retention policies to address the preservation and collection of information shared through new mediums. For example, if a particular topic or project is highly confidential, employees may need to be instructed to designate it as such and create a ‘private’ room or chat in the same manner that an in-person meeting would only include certain attendees. If minutes are ordinarily kept for certain meetings, continue to keep them rather than relying on recording functionality for a platform like Zoom. Discovery in litigation, particularly as applied to electronically stored information (ESI), continues to create potential risk for companies, and proper classification of information on the front-end can minimize disputes when that information is sought in future litigation.
Mobile Device Usage (BYOD): Growing remote workforces also may require companies to implement and/or revamp Bring-Your-Own-Device (BYOD) policies and acceptable use guidance. With so many employees now working remotely, there is a shifting use of personal mobile devices and laptops as a primary tool for work rather than as a supplementary device to complete work-related tasks and duties. As a starting point, companies can utilize mobile device management software to secure employees’ personal devices but, if unavailable or impractical, companies can implement strong policies directing employees to approved uses and applications to delineate between personal and work. Companies may also ask employees to submit device information including make, model, and serial number in the event information from the device is ever required for discovery in litigation or a government investigation
Privacy Incidents and Incident Response Plans: Data security companies have seen an increase in cyberattacks and phishing scams as a result of the pandemic. Beyond intentional intrusions from bad actors, the new remote work environment increases the likelihood that companies will face privacy incidents. An Incident Response Plan (IRP) remains a useful and critical roadmap for companies and individual employees in the event of a privacy incident. Many states and private contracts require various notifications and immediate remediation action when personal information is potentially exposed. Employees need to know who to call and what to do as a starting point in the event of an incident. Companies should consider sending physical copies of certain contacts and portions of the IRP to employees in the event of a company-wide outage. Now is the time to review the IRP and make any needed changes to account for a remote work force.
The pandemic has changed how many companies do business. While ensuring continued production from the workforce may be a primary goal, companies should also analyze applicable corporate policies to meet the needs of today’s changing landscape.
These materials have been prepared for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Internet subscribers and online readers should not act upon this information without seeking professional counsel.