Is Social Media in Your Records Retention Policy?

Posted 2013-08-14

By Laurie Fischer

The use of social media has exploded, allowing organizations to nimbly and quickly publish and communicate information to their employees, potential and actual customers, and business partners. Organizations are realizing tremendous benefits from the communication immediacy that social media affords.

However, many of these same organizations may not be aware that by the end of 2013, half of all companies will have been asked to produce social media evidence in litigation or a regulatory matter, according to research firm Gartner. That means organizations must treat social media just like any other form of electronic evidence under the Federal Rules of Civil Procedure, as well as a number of agency regulations, depending on the industry.

Nearly half of business managers who responded to an Iron Mountain survey did not realize that they were legally accountable for retaining and producing this content during discovery or a regulatory audit.

Given the ever-increasing volume of social media content, it can be daunting to sort through this evidence to determine what should be retained. Therefore, a number of organizations simply save everything—a hoarding approach that needlessly increases costs and risks.

According to the Compliance, Governance and Oversight Council (CGOC) Summit 2012 survey, approximately 1 percent of corporate information is subject to a legal hold, 5 percent is covered by a category in a records-retention policy, and 25 percent has current business value. In other words, the remaining 69 percent of information has no current business or legal value.

Retaining useless information subjects organizations to greater discovery costs. Not only will they have more information to review, but they will also have more data to filter through to find responsive evidence.

Identifying and preserving social media content that has ongoing business value for the organization is only one concern. The actual creation of content—and what can and cannot be published and posted—should also be clearly defined in a social media policy, and the policy should be communicated to all employees.

Although an organization may have officially sanctioned and published social media content, employees may also publish content to sites that are not sponsored by the company, potentially creating significant liability for the organization. Educating employees on their responsibilities—and what is acceptable and not acceptable—helps reduce the risk of disseminating potentially harmful content.

Protecting Against Dual Risks

How can your organization benefit from the advantages of social media while protecting itself from the dual risk of inappropriate content and over-retention? Here are some suggested steps to get you started.

1. Determine the current use—official and unofficial—of social media. Start with your marketing, communications and public relations functions. Does the organization have a formal presence on any of the social media sites? If so, for what purpose, and who is permitted to publish content?

Is there a review and approval process for the content? How is the content currently being retained? Are there any internal social technologies in place? Speak to departmental representatives across your organization to determine whether and how they use social media. Are they using social media outside of company-approved sites to publish information related to the organization?

2. Develop and/or update your social media policy. Based on a determination of the organization’s position on the use of social media, develop a policy that clearly defines roles, responsibilities and acceptable use of social media.

3. Assess the social media content. Next, study the types of content your organization creates and publishes on social media sites. Does the content constitute a business record in accordance with the information management policy of the organization? Do existing categories on the records-retention schedule apply to this content, or does the retention schedule need to be updated to reflect social media records?

4. Establish a retention schedule. If you need to update your retention schedule with social media records, determine the appropriate length of time for retention based on your business needs and regulatory requirements.

5. Identify a centralized repository for storing social media. When possible, make the repository searchable, and assign appropriate metadata to social media records to improve your ability to find pertinent evidence rapidly in the event of litigation or a regulatory action.

6. Educate employees on proper use and retention of social media. Your policy should define the proper use of company-related social media, and should also advise employees of their responsibilities for retaining social media evidence under your records-retention protocol and in the event of a legal hold.

7. Review your social media and retention policies annually. Add any new types of social media to the policies and keep employees informed of any changes or updates.

Following these steps to incorporate social media into a records-retention program will allow your organization to achieve the combined goals of compliance, reduced risk and cost, and operational efficiency.

Laurie Fischer is managing director of the Huron Legal Consulting Group, with expertise in designing, developing and implementing records and information management programs for organizations. She is also a Certified Records Manager.