There may be no area where businesses are more behind the curve than in managing their electronic information to keep them out of trouble. That is not a criticism of businesses. The area has changed, and continues to change, so incredibly fast (at least if you grew up before the 1990s) that it is almost impossible to completely keep up.
Legally, old rules that were created for stationery documents are often much harder to follow when dealing with electronic records that can be published to millions of people in a split second.
For example, in litigation, parties are often expected to be able to produce electronic communications within a company that may reside on a variety of different devices. Or, in order to protect confidential information as a trade secret, a business must show that it took reasonable steps to protect the information from disclosure.
A quarter century ago, that probably meant locking the file cabinet and limiting the distribution of keys. Today, “locking the file cabinet” is much more complicated given the many devices on which the information may reside.
Managing electronic information is a daunting task and the solutions are ever changing as technology changes. It can be one of those tasks that just never gets tackled because it seems insurmountable. But to ignore the task puts your business at risk; there are too many ways you can be hurt by not managing electronic information.
It may be helpful to simplify your thought process in order to better manage this very complex topic. That may sound counterintuitive, but, in fact, the management of electronic information boils down in many ways to old-fashioned and relatively straightforward principles. Focusing on these principles may make the hard part – applying the principles to ever-changing technology – easier.
Imagine a sealed envelope containing a document of the utmost importance to you. What are some basic rules you would follow for that envelope?
- You would give the envelope only to the people who absolutely had to have it.
- You would not leave the envelope in an unsafe place.
- You would know where the envelope is at all times.
- You would take care not to physically damage the envelope or its contents.
Depending on the particular circumstances (imagine it as part of a “Bourne” movie if that helps bring the concept to life), accomplishing these tasks may not be easy, but the rules themselves are clear.
Now think about electronic information in terms of these basic rules.
Give the information only to people who have to have it. Access to electronic information needs to be limited to those people who must have it for business purposes. This keeps the information secure and better enables the company to protect it in court if that becomes necessary.
Also, depending on your business, you may have obligations to other parties to keep the information confidential. There could be liability to employees, to customers, or to others if the information is disclosed without proper measures to protect it.
Do not leave the information in an unsafe place. This is just an extension of the first rule, but stories of information being lost because of a laptop or other electronic device being left on the seat of an unlocked car (or other clearly insecure location) are legion. If valuable information is allowed to be mobile, there must be procedures for ensuring that occurs safely.
For example, smartphones get lost. If there is valuable information on those devices – and there usually is – you need to have the ability to keep that information from falling into the hands of the person who finds (or steals) your smartphone, such as by programs that allow you to remotely wipe the device.
Know where the information is at all times. You must retain control over the information, as difficult as that may seem. Of course, the first two rules are a big part of that. Further, you should be able to identify where your information resides. This often comes up in litigation, where the other side may be entitled to review all communications within your business pertaining to a certain subject area, and the court will expect you to be able to find it on various electronic devices.
Somebody may have a personally owned smartphone, for example, but if that person is using it for business purposes, the business may be expected to produce that information in litigation. Therefore, you need to have procedures for what information may reside on personal electronic devices, and commit team members in writing to allowing the company access to that information when necessary. You cannot afford to have an employee holding your information hostage on a personally owned device.
Do not damage the information. Other than through an established records destruction procedure, destroying documents may put the business at risk. This is especially true in the litigation context, where not having a document you are expected to have can create a variety of negative consequences. This concept is not novel, certainly, but applying it to electronic evidence that is difficult to control can be problematic.
Breaking this complex subject down into this simplest form will not solve the challenges that come along with constantly changing ways of creating and storing information, but using this frame as reference may help your business better understand and respond to the important task at hand. Applying these rules one step at a time certainly is a better approach than ignoring the challenge altogether.