All those new “records” we are creating during quarantine: why counsel should worry and what we can do about it
When I was a General Counsel, I worried a lot about the records that my organization was creating. I implemented programs to streamline these records and make sure that people were aware of what they were creating, what they were saving and for how long. The rules-of thumb were pretty basic. “Think first before creating a record.” “Pick up the phone before writing an email.” “Scrutinize your address lines to make sure you weren’t including more people than necessary.” “Don’t describe events inaccurately, even in the most casual email.” “Don’t offer your personal views about where the organization screwed up if there is any chance that such words could be used against the organization in an investigation or litigation.”
Working from home is changing the way organizations create records. We are more reliant on collaboration software such as Slack, Trello, Microsoft Office 365 and Google G-Suite tools. At my last general counsel gig, I was implemented records retention standards that I had inherited from a prior company and advocated that chat features enabled within the Office 365 Suite the organization was using should not be recorded by default for posterity. As I have collaborated over the past several months using enterprise collaboration tools and many, many Zoom, Hangout and BlueJeans meetings outside of work, I noted the option for an administrator to choose “record” in order to create an archive of the meeting or class for viewing by others who could not attend. The dangers of this should be obvious.
I am curious. How many Counsel among my contacts have updated their organization’s record retention policy to reflect how the organization is collaborating, now that 90% of white-collar work (the work that creates the lion’s share of records) is occurring outside the office? My guess is that the “temporary” nature of the quarantine and the extraordinary nature of the challenges our organizations face has pushed these concerns to the background. But some of these changes will be permanent. If organizations had bought but not used extensive collaboration platforms in the past, many are learning the value that can be tapped using these tools. The new “normal” will require that organizations adjust their record retention policies to reflect the way business is now being conducted. Counsel should review these policies in light of today’s circumstances and offer guidance on “careful communications” that refer explicitly to the new tools and new practices that are developing.
If you are counsel to an organization with influence over records retention policies, consideration should be given to the following:
1. Make sure that your organization’s policy defines records broadly to include information stored in electronic media. “Document” even “electronic document” may not be a sufficiently broad term for the kinds of records that are being created, given the amount of voice and video records that may be archived and shared from our collaboration sessions.
2. Make sure that you understand enough about the architecture of your organization’s IT system to know where records are stored and what technology exists for extracting the information for review and production. You might be surprised at what is being stored and the sophistication of modern AI tools (voice recognition, video recognition, textual analysis) that make these records a treasure trove of potentially inconvenient and damaging information. Default practice should be that voice, chat and video information not be retained beyond the minimum requirements for continuity and disaster recovery. A question posed to IT could reveal the defaults have been set to retain everything the system backs-up indefinitely.
3. Consider clarifying rules about who has responsibility for records created in shared environments, like Teams, Sharepoint, G-Suite and Slack. It used to be that 95% of records had been created by an individual user and that assignment of responsibility for maintaining records to that person as a default worked well enough. All the new tools for document sharing within collaboration software often means that so-called “shared documents” are in reality the responsibility of no one in particular. Rules should be crafted (with user teams’ input) about the archiving of a work-team’s output and the procedures decided for prompt destruction of early drafts. Counsel should not dictate work processes, but set broad guidance that is based on general principles of records management (“every record has an owner; each owner is responsible for not keeping records the organization does not need.”).
4. Employees are creating more records on home devices and backing them up to storage devices not owned or managed by the organization. Rules should be clarified about how documents should be stored when working from home. All employee work should be stored in Company-controlled systems and the use of personal equipment for storage be discouraged.
5. Issue guidance on recording video meetings and archiving them for future use. At a minimum, you should make clear that these recordings should be “owned” by the person convening the meeting (or their delegee) and that person be in charge of implementing organization’s record retention policies to ensure that these records are reviewed on schedule and deleted in accordance with the policy’s holding periods.
6. Consider offering on the spot “careful communications” training any time you are in a meeting with key influencers in the organizations. Business organizations with anti-trust risk should pay particular heed for the need to highlight the dangers of failing to correct statements by employees that enforcement agencies and courts have interpreted as evidence of a habit of illegal activity. Broker-dealers and proprietary trading operations need to consider what is being saved of old-style trading-room chat in collaborative media that can be readily searched for hidden jewels.
Our organizations are entering into a new era, where old work practices are thrown out the window and new tools are making collaboration across distance much more frictionless. Our records retention policies should be updated to keep up with this evolution. Litigants, courts and government regulators can be expected to adjust their approach to investigation and discovery. We should anticipate and plan ahead so that, when that day comes, our organizations can respond nimbly.