Slashdot Mirror


Employees in the Dark About Data Retention Policy (betanews.com)

An anonymous reader shares a BetaNews article: A new study reveals that over half of office-based employees say their companies don't have written policies on data retention or personal use of work devices, or if they do, they aren't aware of them. The study conducted by Harris Poll for e-discovery company kCura reveals communication habits that could put organizations at risk of incurring increased data retention and discovery costs in today's increasingly litigious business environment. "Complete bans on the personal use of work devices would be difficult -- if not impossible -- to implement, and could be harmful to employee morale. However, companies do need to implement reasonable policies to mitigate risk," the report adds.

40 comments

  1. Fuck Employees by Anonymous Coward · · Score: 0

    Fuck data retention.

    Burn the motherfuckers down.

    1. Re:Fuck Employees by TWX · · Score: 1

      "Fuck Employees"

      That sounds great on the surface of things, but in the end it often proves problematic.

      --
      Do not look into laser with remaining eye.
    2. Re: Fuck Employees by Anonymous Coward · · Score: 0

      I agree! At large financial companies institutions employees are kept in the dark about all policies due to information silos.

  2. Well.... by Anonymous Coward · · Score: 0

    With how few employees actually remember what they sign I'm not amazed that most are not aware of them. Most people barely even remember reading the IT orientation packets they get on the first day let alone something they agreed to months or years ago.

    1. Re:Well.... by HornWumpus · · Score: 4, Interesting

      When given 'a stack' to sign, simply write 'didn't read, don't agree' on the signature lines. They _never_ check.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re: Well.... by Anonymous Coward · · Score: 0

      You fiend! Every time you do that several lawyers cry for all their wasted effort.

    3. Re:Well.... by Anonymous Coward · · Score: 0

      I can tell you that I did. It was part of my job as assistant to the Benefits Manager waaay back when. If a signature was missing, or the doc was marked up, the HR Director would deal with it. I was only a minimum wage office assistant not getting paid enough to get into those wrangles with new hires.

    4. Re:Well.... by vilain · · Score: 1

      I've crossed out sections of text I disagreed with and put in my own versions. Only once did it get bounced to legal. I spent an hour with the attorney that drafted the document going back and forth on each item. In the end, I got him to remove stuff that was overly general when I came up with a use-case key to my job that would make me violate that clause. But this was the first time I ever encountered an arbitration clause in a contract here in Silicon Valley. I refused to accept it. He gave me two choices -- agree to arbitration anywhere in the US or litigation in the state of North Carolina where the company is located. Given what I wanted to learn out of the contract, I accepted arbitration. He dumped the non-compete clause without argument. Some requirements I won't accept -- drug testing being the major one, 1099 the other. Intel and HP still require drug testing for ALL people, contractors and employees, so I won't work for them. YMMV

    5. Re:Well.... by Anonymous Coward · · Score: 0

      Gotta smoke dat crack! SMOKE DAT CRACK, BABY! When you is a high flying nerd in silicon valley, you needs your CRACK! SMOKE SMOKE SOME CRACK!!

    6. Re:Well.... by Darinbob · · Score: 2

      I read it. I've never seen a retention policy that had to be signed. Instead I hear about a policy and we're expected to follow it.

      Two most common rationales I see:
      "we might be sued or audited, so don't permanently delete emails"
      versus
      "we might be sued or audited, so delete your old emails"

      Generally I see that old emails are kept, until IT complains about being low on disk space or the user gets an angry warning about being out of allocated server space.

    7. Re:Well.... by Quirkz · · Score: 1

      My company has so far resisted any attempts for us to get them to create a data retention policy. I think they don't want to admit that there's a time when it's okay to throw things away. So far technology has kept up, so that we've just continued being able to hold on to things forever. I've got to think at some point that'll give, though.

    8. Re:Well.... by TWX · · Score: 1

      My work doesn't even require the employee to sign the workplace policies and procedures form. That wouldn't work. It's thousands of pages. Instead we sign an "awareness of workplace policies and procedures" document that states that the document is available to be reviewed.

      It's so long, I expect that it's got mutually contradictory passages all over the place to the point that it's probably close to meaningless when it comes to enforceability.

      --
      Do not look into laser with remaining eye.
    9. Re:Well.... by bmk67 · · Score: 1

      "Generally I see that old emails are kept, until IT complains about being low on disk space or the user gets an angry warning about being out of allocated server space."

      I just checked, and the oldest email in my work inbox is almost 17 years old. LOL

  3. How are the concepts related? by Anonymous Coward · · Score: 0

    What does data retention have to do with BYOD at work?

    1. Re:How are the concepts related? by Anonymous Coward · · Score: 0

      It has to do with discovery and legal hold. True (not-MDM covered) BYO means no company access to your device, which means no access to do discovery or put hold on local documents.

    2. Re:How are the concepts related? by Anonymous Coward · · Score: 0

      Is that like having a bunch of lawyers get your student records sealed?

  4. Or Noncompliant Staff by Anonymous Coward · · Score: 0

    Like the manager I dealt with (not a direct report, thank goodness) who simultaneously:

    1). Insisted she needed the data;
    2). The data was in violation of the data retention policy;
    3). Refused to change the policy or in any way initiate a policy review, get a policy exemption, or address the policy implications.

  5. Only one company ever cared... by __aaclcg7560 · · Score: 1

    I've worked for a lot of different Fortune 500 companies in Silicon Valley. The one company that had any kind of data retention policy was eBay/PayPal when I worked there on different contracts. If an employee left the company, the hard drive from their PC got sent over to legal for them to create a backup image for future reference.

  6. Gate swings both ways by Anonymous Coward · · Score: 1

    Before I left a horrible place I made sure source code and documentation was all checked into the shared repo and then I wiped everything local; my mail db, drives, unsubscribed from services, reset passwords for everything, y'know the works.

    They didn't say boo about it while I was there or even through the exit interview but I found out after through the grapevine that apparently they wanted crap like that around and were in a huff about it, there were no formal policies they just expected people not to give a fuck when they left.

    To this day I can't think of anything of value that might have been there or why anybody would get their panties in a bunch over it.

    Anyway because of me there's a bullet point in their exit policy (-:

    1. Re:Gate swings both ways by __aaclcg7560 · · Score: 1

      On some contract jobs I routinely erased the system before returning it. Most of the time the system would get re-imaged and deployed to someone else anyway. I've never gotten blowback for doing it.

    2. Re:Gate swings both ways by WarJolt · · Score: 1

      That's what they do on classified stuff. Nothing enters or leaves the room. No cables to the outside. Only a very select group of people get to take things out of the room. When you're done with the room everything stays there and gets wiped very carefully.

  7. Our retention policies seem to be known by all... by Anonymous Coward · · Score: 1

    ...Except legal, even though they created them they are always asking us to miracle up something that is over a year beyond the limit of our retention policies.

  8. Essentially none by swb · · Score: 2

    Management's policy process lacks the knowledge and (ugh, sorry) "agility" to adapt what they want to the ever-changing landscape of what and where data is and how it's accessed.

    Whatever policy is on paper is likely woefully vague or out of date relative to technology. Much of the time the organization itself is willfully non-compliant as various centers within the company store and access data in various public clouds, social media sites, on personal or hand-held devices, and so on.

    Even when everyone kind of has their shit together, the technology industry is subverting "corporate data" by turning themselves into personal technology companies, like Apple and now Microsoft, where they've figured out that if you sell to the individual end users as consumers you can essentially *make* corporations support (and sometimes buy) your product.

    1. Re:Essentially none by Anonymous Coward · · Score: 0

      "the technology industry is subverting "corporate data" by turning themselves into personal technology companies"

      LOL, you don't want to see this trade magazine I just got. How to scoop up data on your PATIENTS legally. You can infer a LOT even if you can't ask... Even medical folks want in on it :/ Your doctor can read your pacemaker, see you're having more sex and it's taking longer, and suggest...umm...assistance. Why let all the spammers make the bucks :O

  9. Haven't Had that Meeting Yet by painandgreed · · Score: 4, Interesting

    They probably don't have those policies and procedures written up because they can't end up having that meeting, or at least one that comes up with a solution. Head Honcho wants everything deleted after 6 months because of possible liabilities and reveal. Low down managers don't want anything deleted because they are looking to cover their asses in possible liabilities and reveals. IT states they only have enough of a budget to store everything for one year. Workers point out that many of their projects last longer than one year and even go multiple years and they'll need all that information well past those timelines just to get the job done and support it. Legal is going to pop up and explain that things can be deleted after 6 months, except for these three corner cases they know about where they are legally obligated to hold information for up to ten years to forever, and there might be more such cases, and dependencies due to contracts. By the end of several hours, they have several conflicting policies demanded by different parts of management and half a dozen problems that need to be looked at with legal and economic issues as to why they can or can't adhere to any policy. Eventually, the day long meeting ends with another, similar meeting scheduled in another few months.

    1. Re: Haven't Had that Meeting Yet by Anonymous Coward · · Score: 0

      I see we attend the same meetings.

  10. Ignoring data retention is good for the lawyers... by vilain · · Score: 2

    A friend works for a computer forensic recovery and analysis company that many big companies and three-letter agencies use to crawl through a company network, audit each machine it finds (either by breaking in or being given access), and scans for various types of files. It vacuums them up for review by a human. It's used for litigation discovery and spying. My friend is very proud that his company is partially responsible for bringing down some very highly placed Pillbilly Repugnican operatchiks for corruption and sexual escapades.

  11. Policy Doesn't Matter by EndlessNameless · · Score: 1

    If you put your data on their device, they can copy it at any time. At that point, it's a question of trusting not only the company policy but also the staff with privileged access---most of whom you will never meet or even know by name.

    A lot of places are doing HTTPS decryption and packet inspection at the perimeter, so even "secure" or "private" connections on these devices are not trustworthy. Any privacy you have is either an illusion or a convenience at best.

    The bottom line: If you're not OK with it being printed and handed out, don't put it on an employer-owned asset.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    1. Re:Policy Doesn't Matter by rtb61 · · Score: 1

      The old rule used to be get as much personal use of company devices as possible, the new rule is, leave them at work. The personal freedom you lose is no longer worth the perceived saving. That company phone is no longer a personal asset but a leash and collar used to control and monitor you. If they demand you carry it at all times, simply call forward to a personal device which they do not control.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:Policy Doesn't Matter by Anonymous Coward · · Score: 0

      First of all, if my employer wants me to have a phone (or a computer) to use for work, they will provide it for me, along with a place AT WORK to store it when I leave the premises. They don't ever get to see my personal phone, as it will stay locked in my vehicle while I am at work, and will never be used for work purposes. I have no problem using the phones, computers, etc at work ONLY FOR WORK.

      I have no problem with only being given access to the company resources and equipment that I need to do my job properly, and nothing more.

      I believe in complete separation of work time and time off of work. If I work overtime it will be my decision to do so, and I charge triple for overtime work (that means anything over 40 hours a week, or 8 hours a day)!

      I am one of the best at what I do, so if an employer doesn't agree to my terms, there are always other opportunities that await.

    3. Re:Policy Doesn't Matter by Anonymous Coward · · Score: 0

      It does matter. The rather large corporate I work for spells out use of electronic devices very clearly - what's ok, what's not ok, and how to report problems, and who to go to if you're not sure about something, everyone is required to review this once per year and agree that they read it and understand it.

      Since I work in IT, I take the time (10 to 15 minutes once a year) to actually read over it all and understand it, and to refresh my memory on what's expected.

      What shocks me is most people do not read it, but agree to it, then blatantly break policies they agreed to - share logins, use 3rd party email apps on personal phones to circumvent having to get a company managed phone for mobile email use, using personal computers at home to do work, and so on.

      We occasionally and politely remind people of their obligations, and that for example, if through an unforeseen chain of events they wind up in front of a judge and the company lawyers find out they were breaking the rules, the company lawyers will not be on their side, and may in fact go after them to protect the company.

      That aside, we also have a strict 60 day retention policy on email (if you need to keep something, there are plenty of options to file it into a wiki or onto a file server). What matters is that people don't have years' worth of information stored in email which is easily discoverable. Slack is also the same, 60 days and it's gone.

  12. Re:Ignoring data retention is good for the lawyers by Anonymous Coward · · Score: 1

    Nothing digital ever dies. As Clinton found out when using Bleachbit. Of course, she was lauded and not prosecuted. Anyone else would be given thumb screws doing what she did.

    Doesn't matter. Even if they don't find a smoking gun they will find something else. The engineer from BP found that out by getting accused of obstruction for deleting text messages. Which nearly everyone does anyway on a routine basis. But it looked bad at that moment in time.

    Delete, don't delete, they will hang you for it anyway. It's what prosecutors do. They don't want you in court, they want a plea bargain from a scapegoat. Keeps those percentages high and makes their elected boss look good.

  13. Policy is not equal to Action by WillAffleckUW · · Score: 1

    Most of the people who go on about policies have no idea what actual data retention is, or how backups work, or which "critical files" and logs are maintained.

    Or are lawyers, so they just lie to you anyway.

    --
    -- Tigger warning: This post may contain tiggers! --
  14. Re:Ignoring data retention is good for the lawyers by Anonymous Coward · · Score: 0

    Hah! Pillbilly. I hadn't heard that one.

  15. would they know? by Anonymous Coward · · Score: 0

    Would all the employees know about an email retention policy or would a server just do it?

    and an awful lot of rambling on about personal stuff on company devices, vice-versa, and privacy policies regarding them as if there was any.
    If your ISP is spying on you and Microsoft is spying on you, you should assume the actual owner of the computer is spying on you too.

  16. Now We Have Phones! by painandgreed · · Score: 1

    These days, any cutting down on personal use of computers or phones just means employees will spend more time on their personal cell phones. Telling them they can't use cell phones will just typically be ignored or result in them using their work computers against policy. Either way, it's just going to cause headaches for the managers because they aren't going to use either against an employee unless they want them fired and need a policy to present as a clear cut reason, which hits morale of all the other employees because everybody is doing the same thing that other person got fired. Policy comes up for review and probably gets reversed till the next person gets fired and the cycle repeats.

  17. Re:Ignoring data retention is good for the lawyers by Anonymous Coward · · Score: 0

    He'll be very busy helping LE bring down the Bluepillbilly Democrap operatchiks for corruption and pedophilia then, or is he going to cover for them instead?

  18. Pizza by n329619 · · Score: 1

    This is why I've been clicking on multiple pizza links and coupons on their device, just to make sure those people inspecting the data can feel the excitement before lunch. I do wonder if this is what made the pizza delivery boy come in almost every lunch hour.

    The only week it stopped is when I clicked on some links about sausage factories and rats eating rotten meat.

  19. Eh, I work in government. by Anonymous Coward · · Score: 0

    I'm sure someone four cubicles down is actually getting paid to do that for me anyway.