Osterman Research has recently published a new report entitled, Best Practices for Archiving and Securing Social Media and Collaboration Platforms, which outlines the staggering penetration and growth in use of social media and cloud collaboration platforms in business environments. It shows that while there are a lot of irreplaceable benefits to leveraging social media and cloud collaboration platforms for business, there are also risks that, if not managed properly, leave organizations vulnerable to business and legal risk.
“It should come as no surprise that the use of social media and cloud collaboration platforms is proliferating in virtually every business environment, and for good reason. The ability to freely communicate, access and share information is invaluable and critical to success in today’s digital economy,” said Michael Osterman, principal analyst and founder, Osterman Research. “However, for many organizations – whether public, private or government – the inability to effectively monitor, manage, capture, store and protect all data and communications puts it at serious business, legal and/or regulatory compliance risk.”
In an exclusive interview with IPWatchdog, Osterman and Bill Tolson, vice president of Marketing at Archive360, shared why a vast majority of organizations lack effective data management and governance policies for social media and cloud collaboration platforms. There are steps that any IT, business, legal and regulatory professional can take to protect their organization and their careers. Osterman suggests that the right amount of preparation will save a great deal of time, expense and headaches later.
The issue of ineffective data management and governance for social media and collaboration platforms is part of the larger problem of ineffective data management and governance for information in general. For example, a survey conducted by Osterman Research in December 2017 found that when asked to rate themselves on a scale of 1 (poorly) to 7 (extremely well), only 40 percent of mid-sized and large organizations indicated a 6 or 7 on the issue “all of our data assets are managed adequately”. Further, only 42 percent gave themselves a 6 or 7 on the issue “we have a complete inventory of our IT and data assets”.
He added, “Consequently, the issue is that many organizations do not have effective policies and practices for their data in general, let alone just the data related to social media and collaboration.”
According to Osterman, it sometimes takes a significant event to drive decision makers to action in the context of good information governance. For instance, a lawsuit in which an organization is not able to adequately respond to an eDiscovery order, or a regulator’s request for information that cannot be properly satisfied, will often move information governance from the back burner to a properly funded and executed initiative.
“In the absence of this type of event, many organizations won’t take the proper steps to adequately protect and manage their data,” he explained. “At a conceptual level, just about every IT or information manager acknowledges the importance of archiving and managing their data properly, but it’s often tough to get funding for the proper solutions.”
Social media and collaboration applications are relatively new to the corporate world, so the growth has caught many IT, Records and Legal departments in a risky situation. As social media and collaboration applications have gained in employee acceptance, IT, Records, and Legal have been very slow to look at them as a piece of information that should be managed vs. treating it as a temporary data stream such as a phone call.
These days, many government regulations require any related social media activity to be treated as records and managed. For example, the SEC requires broker/dealer social media activity to be captured and stored in an immutable format. Per Osterman, another risk many companies face with social media is in legal situations. So, if a company anticipates upcoming litigation, they must be able to capture and archive all data that could be related to the case…including any social media activity.
“Most companies, outside the financial services industry, have not been faced with this need yet,” he said. “However, it’s only a matter of time.”
“Social media and collaboration applications are relatively new to the corporate world. Its growth has caught many IT, Records and Legal departments in a risky situation,” said Tolson. “As social media and collaboration applications have gained in employee acceptance, IT, Records, and Legal have been very slow to look at them as a piece of information that should be managed versus treating it as a temporary data stream, much like a telephone conversation.”
Today, social media and collaboration tools are increasingly used for normal business communications, such as sending files, responding to clients, and more. Just like email, all the business records in these platforms must be retained for the appropriate length of time and in the proper format so that they can be produced when needed. Moreover, many employees will use multiple tools for communication on a single issue.
“For example, they might receive a communication from a fellow employee via Slack to send files to a client, send the files to the client via the corporate email system, and then follow up with a text message from their personal smartphone,” explained Osterman. “To the courts and regulators, the mode of communication is becoming less relevant in the context of its retention and production, and so content from all relevant communication channels must be preserved and producible.”
On the regulatory side, per Tolson, the SEC, FINRA, and MiFID II regulations each spell out that in certain circumstances, social media and all other communications are subject to data retention requirements. On the legal side, in U.S. courts, all parties to the lawsuit are under an obligation to safeguard any data that could pertain to the case.
“This situation means that those employees that are a target of Discovery have a strict responsibility to capture the live social media streams under a litigation hold,” he explained. “The bottom line is if a company allows a form of communication, they are responsible for being able to archive content at any time.”
So, what are some best practices that can overcome these issues?
First and foremost, Osterman says that decision makers need to understand where their data is and the importance of bringing it back under corporate control. In many organizations, IT does not have access to all communications and files sent via employees’ personal devices, personal file-sharing accounts, and the like, and so the company cannot retain this content properly. In many cases, IT does not even have full knowledge of where corporate data is located on company-managed systems. Second, appropriate policies must be implemented that will define what platforms can be used, how data will be retained, who will have control over it, etc. Third, organizations need to implement an archiving solution to retain relevant business communications and files, regardless of the platform in which they are stored and sent.
According to Tolson, IT should only allow social media and collaboration applications that they have approved to be installed by employees. Having company approved/installed applications will ensure they can also archive specific custodians when needed. In addition, they should block any applications not approved by IT. The legal department should work with IT to ensure that archiving can be enabled at any time and that the capture and storage process is legally defensible.
He added, “The Records Management department should be knowledgeable about any specific regulations the company is responsible for and if social media is included. Many times, records are lost because the social media or collaboration application is not set up to capture data for archiving.”