The Legal Brief
Data Creation and Retention Challenges with a Remote Workforce
March 20, 2020
By: Evan R. Kime
During this unprecedented time of crisis, where the new normal is “social distancing” and forced isolation, we find ourselves being pushed into new ways of meeting our personal and professional needs. The COVID19 pandemic will not only have a significant impact on our personal lives, but business operations, too, for the foreseeable future. The challenges ahead over the next few months will force nearly all businesses to make significant efforts to support a remote workforce to carry on company business. For companies that have not already embraced the distributed “work-from-home” model, chances are the COVID19 pandemic has forced a sudden adaptation. All organizations forced to adapt to this new way of working should understand that a remote workforce poses unique risks associated with the control of sensitive company information. Every company, and every IT system, has its own characteristics and capabilities, but businesses that are forced to quickly empower their employees to carry on company operations from the home should take into consideration the following issues.
CONTROL: It is imperative to ensure that data creation and storage takes place within the business’s IT architecture. When the workforce becomes more remote, preferred communications and data creation methods tend to develop in widely varied forms. As work environments become more distributed and fluid, it may be easier and quicker for employees to make notes or edit documents on an unsecured personal device, or use personal text messaging or other means, instead of approved company communications channels. Data created outside the company’s architecture is likely unsecured and out of the company’s control. This not only creates obvious security risks, but data created outside of normal company channels prevents the routine destruction of company data and/or critical preservation of data when litigation is threatened or may be in progress.
COMMUNICATE: Inform employees of the company’s guidelines regarding data creation and retention for a remote workforce. If an employee creates a message, note, drawing, document, recording, or any kind of data in the course of his or her work, and in furtherance of company business, that data must be created and stored within the company’s IT system or sphere of control. Businesses ramping up the remote workforce in their efforts to combat the global pandemic should consider developing and distributing a remote workforce best practices guide that communicates to employees what, when, where, and how, company data is to be created and stored. Every company and every system, will be different - make sure employees know where the company’s data security lines are drawn, how to stay within them, and consequences to the company for noncompliance.
CLARIFY and MONITOR: New habits take time to form. It is human nature to slip back into the former status quo and seek the path of least resistance. After an initial push to establish data creation and storage guidelines for a remote workforce, companies should periodically remind employees of their obligations and encourage everyone to promote compliance.
Clear guidance and reinforcement to remote workers regarding the basic principles surrounding its sensitive data is critical, but this effort should be considered an ongoing and permanent process. No ad hoc solution or company guidance created in the first week or two should be considered written in stone. The workforce changes now being forced upon some companies by necessity will no doubt pay dividends well after this crisis is over.