arnoldkwong7

Shield your enterprise from Legal Liability from lost or misplaced data

Updated: Sep 25, 2020

Part 1 of 2


Times of downsizing can create significant legal vulnerabilities. Downsizing does not relieve a company of its responsibility to keep proper records. We explore 4 different types of records and documentation that should be kept in mind.

1) Email, calendar, and shared folders

For sites that run on Microsoft: have you preserved all required data for litigation, regulatory books, and records? (See Microsoft, https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-archiving-service-description/compliance-and-security-features (Jan 8, 2020), which says “In-place hold and litigation hold currently do not apply to emails sent using POP or IMAP clients, or by custom applications that use the SMTP protocol.”) Check your site-specific settings and configurations!


For sites that are webmail based: do you know how to centrally collect all this information and retain what you need? If not, then talk to your provider today!


2) For data at rest

At many sites, important data may be encrypted by local users. PGP keys, BitLocker encryption, and backup software may all require passwords/keys that aren’t kept centrally. Business partners’ links, digital signing keys, and financial operations usually require keys or security procedures known to the people and roles doing the work, but not always to enterprise IT or legal. If the mobile app was done by a contractor, check with in-house staff for the signing/release procedures.


Individual users or groups may use “cloud backups” that are tied to emails or username logins. Make sure that these are found and that access to them is kept. Also make sure the ‘backup encryption’ keys/passphrases are kept.


3) Keeping workflow and role records

Enterprises in regulated industries in multiple jurisdictions around the globe are subject to all sorts of rules. These require specific notification, message flows, and designated roles. Many of these rules have been encoded as mail routing, workflow passages, and telephone extensions known to internal and external authorities. The people responsible for checking the email or voicemail boxes are known; their backups may not be. If the people change due to termination, reassignment, or, terribly, death, these responsibilities have to be covered immediately.


Part 2 coming tomorrow
