Is Social Media in Your Records Retention Policy?

By Laurie Fischer

The use of social media has exploded, allowing organizations to nimbly and quickly publish and communicate information to their employees, potential and actual customers, and business partners. Organizations are realizing tremendous benefits from the communication immediacy that social media affords.

However, many of these same organizations may not be aware that by the end of 2013, half of all companies will have been asked to produce social media evidence in litigation or a regulatory matter, according to research firm Gartner. That means organizations must treat social media just like any other form of electronic evidence under the Federal Rules of Civil Procedure, as well as a number of agency regulations, depending on the industry.

Nearly half of business managers who responded to an Iron Mountain survey did not realize that they were legally accountable for retaining and producing this content during discovery or a regulatory audit.

Given the ever-increasing volume of social media content, it can be daunting to sort through this evidence to determine what should be retained. Therefore, a number of organizations simply save everything—a hoarding approach that needlessly increases costs and risks.

According to the Compliance, Governance and Oversight Council (CGOC) Summit 2012 survey, approximately 1 percent of corporate information is subject to a legal hold, 5 percent is covered by a category in a records-retention policy, and 25 percent has current business value. In other words, the remaining 69 percent of information has no current business or legal value.

Retaining useless information subjects organizations to greater discovery costs. Not only will they have more information to review, but they will also have more data to filter through to find responsive evidence.

Identifying and preserving social media content that has ongoing business value for the organization is only one concern. The actual creation of content—and what can and cannot be published and posted—should also be clearly defined in a social media policy, and the policy should be communicated to all employees.

Although an organization may have officially sanctioned and published social media content, employees may also publish content to sites that are not sponsored by the company, potentially creating significant liability for the organization. Educating employees on their responsibilities—and what is acceptable and not acceptable—helps reduce the risk of disseminating potentially harmful content.

Protecting Against Dual Risks

How can your organization benefit from the advantages of social media while protecting itself from the dual risk of inappropriate content and over-retention? Here are some suggested steps to get you started.

1. Determine the current use—official and unofficial—of social media. Start with your marketing, communications and public relations functions. Does the organization have a formal presence on any of the social media sites? If so, for what purpose, and who is permitted to publish content?

Is there a review and approval process for the content? How is the content currently being retained? Are there any internal social technologies in place? Speak to departmental representatives across your organization to determine whether and how they use social media. Are they using social media outside of company-approved sites to publish information related to the organization?