Slashdot Mirror
Employees in the Dark About Data Retention Policy (betanews.com)
An anonymous reader shares a BetaNews article: A new study reveals that over half of office-based employees say their companies don't have written policies on data retention or personal use of work devices, or if they do, they aren't aware of them. The study conducted by Harris Poll for e-discovery company kCura reveals communication habits that could put organizations at risk of incurring increased data retention and discovery costs in today's increasingly litigious business environment. "Complete bans on the personal use of work devices would be difficult -- if not impossible -- to implement, and could be harmful to employee morale. However, companies do need to implement reasonable policies to mitigate risk," the report adds.
When given 'a stack' to sign, simply write 'didn't read, don't agree' on the signature lines. They _never_ check.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
I've worked for a lot of different Fortune 500 companies in Silicon Valley. The one company that had any kind of data retention policy was eBay/PalPay when I worked there on different contracts. If an employee left the company, the hard drive from their PC got sent over to legal for them to create a backup image for future reference.
Before I left a horrible place I made sure source code and documentation was all checked into the shared repo and then I wiped everything local; my mail db, drives, unsubscribed from services, reset passwords for everything, y'know the works.
They didn't say boo about it while I was there or even through the exit interview but I found out after through the grapevine that apparently they wanted crap like that around and were in a huff about it, there were no formal policies they just expected people not to give a fuck when they left.
To this day I can't think of anything of value that might have been there or why anybody would get their panties in a bunch over it.
Anyway because of me there's a bullet point in their exit policy (-:
...Except legal, even though they created them they are always asking us to miracle up something that is over a year beyond the limit of our retention policies.
I've crossed out sections of text I disagreed with and put in my own versions. Only once did it get bounced to legal. I spent an hour with the attorney that drafted the document going back a forth on each item. In the end, I got him to remove stuff that was overly general when I came up with a use-case key to my job that would make me violate that clause. But this was the first time I ever encountered an arbitration clause in a contract here in Silicon Valley. I refused to accept it. He gave me two choices -- agree to arbitration anywhere in the US or litigation in the state of North Carolina where the company is located. Given what I wanted to learn out of the contract, I accepted arbitration. He dumped the non-compete clause without argument. Some requirements I won't accept -- drug testing being the major one, 1099 the other. Intel and HP still require drug testing for ALL people, contractors and employees, so I won't work for them. YMMV
Management's policy process lack's the knowledge and (ugh, sorry) "agility" to adapt what they want to the ever-changing landscape of what and where data is and how it's accessed.
Whatever policy is on paper is likely woefully vague or out of date relative to technology. Much of the time the organization itself is willfully non-compliant as various centers within the company store and access data in various public clouds, social media sites, on personal or hand-held devices, and so on.
Even when everyone kind of has their shit together, the technology industry is subverting "corporate data" by turning themselves into personal technology companies, like Apple and now Microsoft, where they've figured out that if you sell to the individual end users as consumers you can essentially *make* corporations support (and sometimes buy) your product.
They probably don't have those policies and procedures written up because they can't end up having that meeting, or at least one that comes up with a solution. Head Honcho wants everything deleted after 6 months because of possible liablities and reveal. Low down managers don't want anything deleted because they are looking to cover their asses in possible liabilities and reveals. IT states they only have enough of a budget to store everything for one year. Workers point out that many of their projects last longer than one year and even go multiple years and they'll need all that information well past those timelines just to get the job done and support it. Legal is going to pop up and explain that things can be deleted after 6 months, except for these three corner cases they know about where they are legally obligated to hold information for up to ten years to forever, and there might be more such cases, and dependancies due to contracts. By the end of several hours, they have several conflicting policies demanded by different parts of management and half a dozen problems that need to be looked at with legal and economic issues as to why they can or can't adhere to any policy. Eventually, the day long meeting ends with another, similar meeting scheduled in another few months.
A friend works for a computer forensic recovery and analysis company that many big companies and three-letter agencies use to crawl through a company network, audit each machine it finds (either by breaking in or being given access), and scans for various types of files. It vacuums them up for review by a human. It's used for litigation discovery and spying. My friend is very proud that his company is partially responsible for bringing down some very highly placed Pillbilly Repugnican operatchiks for corruption and sexual escapades.
I read it. I've never seen a retention policy that had to be signed. Instead I hear about a policy and we're expected to follow it.
Two most common rationales I see:
"we might be sued or audited, so don't permanently delete emails"
versus
"we might be sued or audited, so delete your old emails"
Generally I see that old emails are kept, until IT complains about being low on disk space or the user gets an angry warning about being out of allocated server space.
If you put your data on their device, they can copy it at any time. At that point, it's a question of trusting not only the company policy but also the staff with privileged access---most of whom you will never meet or even know by name.
A lot of places are doing HTTPS decryption and packet inspection at the perimeter, so even "secure" or "private" connections on these devices are not trustworthy. Any privacy you have is either an illusion or a convenience at best.
The bottom line: If you're not OK with it being printed and handed out, don't put it on an employer-owned asset.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Nothing digital ever dies. As Clinton found out when using Bleachbit. Of course, she was lauded and not prosecuted. Anyone else would be given thumb screws doing what she did.
Doesn't matter. Even if they don't find a smoking gun they will find something else. The engineer from BP found that out by getting accused of obstruction for deleting text messages. Which nearly everyone does anyway on a routine basis. But it looked bad at that moment in time.
Delete, don't delete, they will hang you for it anyway. It's what prosecutors do. They don't want you in court, they want a plea bargain from a scapegoat. Keeps those percentages high and makes their elected boss look good.
My company has so far resisted any attempts for us to get them to create a data retention policy. I think they don't want to admit that there's a time when it's okay to throw things away. So far technology has kept up, so that we've just continued being able to hold on to things forever. I've got to think at some point that'll give, though.
The Quirkz Handbook of Self-Improvement for People Who Are Already Pretty Okay
Most of the people who go on about policies have no idea what actual data retention is, or how backups work, or which "critical files" and logs are maintained.
Or are lawyers, so they just lie to you anyway.
-- Tigger warning: This post may contain tiggers! --
"Fuck Employees"
That sounds great on the surface of things, but in the end it often proves problematic.
Do not look into laser with remaining eye.
My work doesn't even require the employee to sign the workplace policies and procedures form. That wouldn't work. It's thousands of pages. Instead we sign an "awareness of workplace policies and procedures" document that states that the document is available to be reviewed.
It's so long, I expect that it's got mutually contradictory passages all over the place to the point that it's probably close to meaningless when it comes to enforceability.
Do not look into laser with remaining eye.
Generally I see that old emails are kept, until IT complains about being low on disk space or the user gets an angry warning about being out of allocated server space.
I just checked, and the oldest email in my work inbox is almost 17 years old. LOL
These days, any cutting down on personal use of computers or phones just means employees will spend more time on their personal cell phones. Telling them they can't use cell phones will just typically be ignored or result in them using their work computers against policy. Either way, it's just going to cause headaches for the managers because they aren't going to use either against an employee unless they want them fired and need a policy to present as a clear cut reason, which hits morale of all the other employees because everybody is doing the same thing that other person got fired. Policy comes up for review and probably gets reversed till the next person gets fired and the cycle repeats.
This is why I've been clicking on multiple pizza links and coupons on their device, just to make sure those people inspecting the data can feel the excitement before lunch. I do wonder if this is what made the pizza delivery boy coming in almost every lunch hour.
The only week it stopped is when I clicked on some links about sausage factories and rats eating rotten meat.