As none of us can forget, the COVID-19 pandemic forced companies to close their brick and mortar offices with little time to adequately prepare their employees for a remote work environment. All of a sudden, in-person meetings were replaced with virtual conferences via Microsoft Teams, Zoom, and Amazon Chime – each leaving a new data trail. Many IT and Legal Departments were similarly unprepared for the impact of an all remote workforce on the creation, collection and preservation of business-related documents. IT departments were overwhelmed by employees defaulting to the use of unauthorized personal devices and cloud-based applications like Dropbox and GoogleDocs to complete assigned tasks, create, share, and store data, without IT vetting or coordination. Personal communications platforms such as IMessage, Facebook Messenger, and WhatsApp with untracked or no standardized retention policies replaced or supplemented enterprise instant message and chat functions, complicating the identification, preservation and collection of data.
A remote work environment has become the new normal for many companies. This abrupt change in the way companies conduct business requires commensurate changes in E-Discovery processes. To help meet this challenge, we discuss three key steps to mitigate potential preservation and spoliation risks occasioned by the shift to remote work environments.
- Collaboration between IT and Legal Departments regarding technology/platform usage policies and protocols for document preservation, retention policies and litigation hold notices.
- Communication with employees regarding approved, and prohibited, locations and platforms to communicate, create, save, and share company-specific information and documentation.
- Compliance monitoring for remote employees regarding retention and preservation of data and legal holds.
Implementing the “Three Cs” will aid companies in avoiding discovery hurdles in the future.
1. Collaboration between IT and Legal Departments
IT and Legal Departments must collaborate to understand and contain insurgent preservation risks from remote working. Companies cannot preserve what is outside of their control and vision. First, they should restructure document retention policies and litigation hold notice language to address the creation and storage of data in a remote environment. These should specifically address where and how documents should be preserved from an employee’s home office. The next step is to identify and provide standards regarding the use of company approved technology for the creation, sharing and storage of data remotely. Without guidance, employees tend to default to the most familiar or accessible technology – which may not meet company requirements. Companies should also review their policies regarding employee use of personal devices and apps that are not centrally managed. For some companies, a BYOD approach is a requirement of doing business, necessitating flexible management consistent with legal obligations. For example, companies may provide employees instructions regarding retention settings or the collection of information for business or legal requirements for non-company systems, as well as training on appropriate use. On the other hand, in certain highly regulated industries, the use of communications streams, collaboration mechanisms or repositories that are not onboarded presents an intolerable risk even in the work-at-home environment. Strong policies and technical controls – e.g., restricting access to company devices or remote desktops – may be appropriate in those situations. Many companies, however, must walk the line between these two extremes. Consultation on the front end with counsel versed in these issues may save significant trouble down the line.
2. Communication with employees regarding the preservation of data
In addition to collaboration between the IT and Legal Departments, companies must routinely train and communicate with their remote employees about the rules, risks and precautions associated with working remotely. Maintaining the confidentiality of business data as well as properly preserving information when required are major concerns. Untrained or unmotivated employees may discard information which should be preserved, or inadvertently risk the security of information by saving it to a personal communication device or other software platform rather than to a secure, company approved location.
Companies may consider virtual training sessions as a standard offering and when particular actions are needed. They can also make available electronic copies of updated usage, preservation and document retention policies for relevant employees, consistent with maintaining privilege and confidentiality. The training and policies should identify approved locations and technology platforms to use to create, store and share business data, along with explicit instructions regarding where documents should not be saved (i.e., personal drives or communication devices) and a mechanism for enforcement to show this is not just a paperwork exercise. It is also important to provide guidance regarding physical records printed at home for a business purpose (hint: minimize printing; keep it in a secure location; and shred anything not required for preservation as soon as the business need expires). Employees must be reminded of their duty to secure and preserve business data when litigation is or should be reasonably anticipated.
3. Compliance with document retention and preservation obligations to avoid spoliation
Monitoring compliance with document retention policies and legal holds is a pivotal requirement in managing a remote workforce. Internal policies and procedures should be updated to inform employees that relevant business data, whether generated at home or in the office, may be discoverable and should be properly preserved when in the scope of a legal hold or discovery request. Companies should conduct routine compliance checks with employees to ensure awareness of data preservation obligations and the expectations of the company.
Companies should consider routinely (every three to six months, for example) reminding employees who are recipients of litigation hold notices of their preservation obligations. Such reminders may also be sent when case developments make it appropriate. In some situations, the change in working environment is so pronounced that a company may find it appropriate to send an updated notice expressly addressing the preservation of material generated remotely, including on personal devices and platforms.
In conclusion, the widespread shift to remote work environments is a changed circumstances that IT and Legal Departments should address in providing defensible policies and procedures to secure and preserve company data. Companies should ensure collaboration between the IT and Legal Departments and communicate regularly with remote employees regarding the preservation of data, and monitor compliance with document preservation and retention policies. Implementing the “Three C’s” will better position companies to get ahead of potential preservation issues and mitigate discovery hurdles going forward.