According to recent research, 85 percent of businesses use instant messaging.
Instant messages (IMs) are faster to send and receive than email because no mail
program needs to be opened to retrieve messages. As a result, the language in
instant messages tends to be conversational. Nevertheless, when sent on company
time and on company computers, these messages belong to, and are the responsibility
of, the company, just like email.
As company property, instant messages and emails need to be managed, just
as other company documents, to comply with local, state and federal legislation
and to mitigate legal liability. Simply backing up company servers that hold
instant messages and emails, in case they need to be restored at some point
due to power outages or other disasters, is not adequate. The following are
five best practices for instant message and email record management:
1. Creating a Written IM and Email Record Management Policy
A written IM and email policy should detail how documents will be tagged,
stored, and retrieved; how long they will be retained; and when they will
be destroyed.
A good rule of thumb when creating and carrying out a record management policy
for instant messages and emails is to keep them only as long as legally
and operationally required.
Additionally, the policy should spell out company content ownership, right
to review, non-privacy, and unacceptable content (inappropriate language or
confidential information, for example). A policy should clearly state the consequences
of abuse of IM or email systems, including the unauthorized destruction of records.
The instant message and email policy is generally a sub-section of an overall
record management policy and as such, should be consistent with the larger
plan. The simpler the policy, the easier it will be to execute.
2. Educating Employees
Every employee must be made aware of the IM and email policy before he or
she can be held accountable for adhering to it. Therefore, every employee
should be required to sign the written policy, with the signed documents kept
in personnel files.
Those employees responsible for record management tasks should be provided
with written training materials to ensure that they understand how to carry
out their duties. Considerations include aligning record management with
corporate password, encryption, and backup standards and privacy policies.
3. Consistent Execution
Having a written IM and email record management policy does not mitigate risk
unless it is executed consistently. A simple plan carried out routinely demonstrates
compliance and therefore provides more protection than an elaborate plan
that is followed sporadically.
4. Instituting Hold Orders
When company email or instant messages are being audited or investigated, hold
orders should be issued against all pertinent documents. This means that
instant messages and emails that would otherwise be destroyed according to the
published retention schedule are preserved. There is no defense for selective
destruction of records during litigation.
5. Reviewing Record Management Policy Annually
All businesses are subject to requirements from the Internal Revenue Service,
and many are subject to regulations from the Securities and Exchange Commission,
the Equal Employment Opportunity Commission, and others. These regulations
change frequently. An annual review of a records management policy is one
more way to mitigate risk and show good faith.
Sources
Iron Mountain (PDF)
Forrester (PDF)