New Data: Employee Data Habits May Increase Corporate Legal Risk

David Horrigan

This article originally appeared on Law360.

In our daily work lives, we see a fair amount of anecdotal evidence indicating many of us engage in workplace behaviors that put our personal privacy and company data at risk.

But, how serious is the problem?

To find out, kCura recently commissioned a Harris Poll survey to get a better idea of just what employee behaviors may be putting corporate enterprises—and themselves—at risk. Conducted between December 28, 2016, and January 18, 2017, the survey included 1,013 U.S. adults age 18 and over who were employed full-time or part-time and worked in a traditional office setting for at least 50 percent of the time (referred to as “employees” throughout).

To those of us who work in e-discovery law, the results probably come as little surprise. The news for the corporate enterprise is somewhat ominous: the era of big data for employees could lead to big risk for employers.

Phantom Policies and Procedures

Most information governance experts agree having written corporate data policies is one of the most fundamental necessities for mitigating big data risk. However, the data from the survey that was conducted by Harris Poll indicate most companies lack policies and procedures or, if they have them, their employees don’t know about them.

For instance, 63 percent reported their companies either have no written policy on checking personal email or other personal accounts while at work or if the company does, they don’t know about it.

In litigation, regulatory proceedings, or investigations, email retention can make or break the case. Companies have faced substantial litigation sanctions and regulatory fines for failure to preserve email, and the poll results don’t bode well for corporate risk here.

For example, in a 2016 decision, US District Judge Leonard Stark in Delaware imposed $3 million in punitive sanctions plus costs on an electronics company for its unlawful deletion of email. In another case, a major airline faced multiple discovery sanctions, including court sanctions of $2.7 million in August 2015 for discovery failures.

Social media are an ever-increasing presence in the workplace, with social media data often becoming evidence in litigation. Unfortunately, the news for the American workplace isn’t much better here, with 56 percent of employees saying their companies either had no social media policy or they didn’t know about it.

Employee-grown Data

The amount of corporate data is growing exponentially due to advances in technology. For instance, the relatively tiny smartphones carried by many employees have more computing power than NASA’s Apollo spacecraft had. Not surprisingly, along with that greater computing power comes greater amounts of data.

However, it’s not just technological advances causing the big data explosion. Employee behaviors have a lot to do with it, too.

Over half of office workers (54 percent) say they email large groups of people at least sometimes when they are at work, while nearly a third (30 percent) concede that they at least sometimes “reply all” to an email when it needs only to be sent to the sender.

Employees report being copied on an average of 16 emails every day on which they say they didn’t need to be copied. Could this be a result of the somewhat trigger-happy use of reply all?

Personal Privacy and Legal Liability

The survey indicates just about everyone cares about privacy. In fact, 98 percent of employees said privacy was important to them. However, their actions in the workplace belie their apparent concern for privacy.

In the poll, 60 percent of office workers said they’ve done at least one of the following things on their personal devices while connected to their employers’ WiFi:

  • Sent personal emails (47 percent)
  • Used the internet for personal purposes (45 percent)
  • Sent personal text messages (40 percent)
  • Sent personal messages via messaging apps (23 percent)
  • Posted on social media (22 percent)
  • Sent personal photos (20 percent)
  • Sent personal videos (10 percent)

A substantial number of employees engage in office behaviors that put their most sensitive information at risk, including their medical histories, financial matters, and legal issues.

In most cases, disclosing information protected by the attorney-client privilege to a third party waives the privilege. Disclosing the information to an employer by putting it on a company device can waive the privilege. Although waiver of the legal work product doctrine requires more—usually disclosure to an adversary—communicating with your lawyer on company devices endangers the confidentiality of the information.

Why the Survey Conducted by Harris Poll Matters

Put bluntly, the kCura survey indicates that employees’ data habits could be putting their employers at risk.

For instance, a large majority of office workers reporting that their companies either don’t have an email retention policy or that they don’t know about it is alarming, especially for e-discovery lawyers defending companies in litigation and regulatory proceedings.

Modern e-discovery software can go a long way in mitigating the risks presented by big data in the workplace, but even the best software can only do so much if there’s no retention policy—or if no one knows about it.

Another major concern is the disconnect between the importance employees place on privacy and the actions they take that jeopardize their privacy.

The following four best practices can help address these problems:

  • Implement written policies that provide clear guidance on the use of personal email and social media accounts on work devices.
  • Ensure employees are aware that they may not have a right to privacy when conducting personal business on company devices. Implement a formal policy on employee privacy at work, and apply the policy consistently.
  • Create a legally defensible data retention policy, and make sure employees are aware of their responsibilities for email and other types of electronic data. Offer employees a shared drive to store files, and discourage use of an email inbox for file storage.
  • Consider growing your law department with legal operations specialists who can drive efficiencies through technology implementations, as well as management of vendors and outside counsel.

The kCura survey conducted by Harris Poll shows we have a long way to go in getting 21st Century technical education to the level of 21st Century technology. Employee data is putting employers at risk, and without sufficient information governance programs, the potential damage to the American workplace is substantial.

Method statement: This survey was conducted online in the U.S. by Harris Poll on behalf of kCura, makers of Relativity, between December 28, 2016 and January 18, 2017. The research was conducted among 1,013 adults age 18+ who are employed full-time or part-time, are not freelancers, and work in a traditional office setting for at least 50% of the time. Figures for age, gender, race/ethnicity, education, region, and household income were weighted where necessary to bring them into line with their actual proportions in the population. Propensity score weighting was also used to adjust for respondents’ propensity to be online.

David Horrigan is Relativity’s discovery counsel and legal education director. An attorney, award-winning journalist, law school guest lecturer, and former e-discovery industry analyst, David has served as counsel at the Entertainment Software Association, reporter and assistant editor at The National Law Journal, and analyst and counsel at 451 Research. The author and co-author of law review articles as well as the annual Data Discovery Legal Year in Review, David is a frequent contributor to Legaltech News, and he was First Runner-Up for Best Legal Analysis in the LexBlog Excellence Awards. His articles have appeared also in The American Lawyer, Corporate Counsel, The New York Law Journal, Texas Lawyer, The Washington Examiner, and others, and he has been cited by media, including American Public Media’s Marketplace, TechRepublic, and The Wall Street Journal. David serves on the Global Advisory Board of ACEDS, the Planning Committee of the University of Florida E-Discovery Conference, and the Resource Board of the National Association of Women Judges. David is licensed to practice law in the District of Columbia, and he is an IAPP Certified Information Privacy Professional/US.