
E-Discovery

The Importance of Tracking Employee Movements for Legal Defensibility

August 23, 2016

We lose things. Keys, phones, remotes. And sometimes, when we can’t find them, there are consequences—some bigger than others. Corporate legal teams are no different when it comes to e-discovery. They either produce the sought-after data on their own or face punishment for spoliation—sometimes costing hundreds of thousands of dollars in a single case.

At every organization, employees frequently leave the company, change roles or take extended leaves of absence (e.g. maternity or medical leave). Organizations often respond to these events by recycling old systems, deleting email accounts and purging file shares. An everyday business reality, employee departures and status changes can present serious legal and compliance risks if critical information tied to business activities, legal matters or regulatory actions is not adequately protected. Antonio Rega, Managing Director at FTI Consulting, frequently advises his clients on creating processes to defensibly manage employee status changes. In this interview, Exterro's Mike Hamilton spoke with Antonio about the potential legal risks associated with employee status changes and how organizations can defensibly overcome them.

Mike Hamilton (Exterro): Large organizations' employees are constantly moving in, out and around the organization. As most HR managers and attorneys know, tracking employee movement can be difficult. What information governance and e-discovery concerns do these employee movements present?

Antonio Rega (FTI Consulting): Generally, a number of potential concerns exist and can vary depending on the organization's industry. For example, healthcare organizations are regulated by compliance and privacy rules, such as HIPAA (Health Insurance Portability & Accountability Act). HIPAA has firm legal requirements in place relating to the management, disclosure and/or transfer of confidential patient information or personally identifiable information (PII) by healthcare employees. The absence of controls can potentially lead to sanctions and litigation. As another example, biotech organizations are particularly sensitive to the retention and security of intellectual property (IP) or patents that are often maintained by employees. The loss or deletion of such sensitive documents would clearly be cause for considerable concern. In addition, legal holds in response to litigation or other investigations may be in place on data. If that data is deleted or altered, the company can potentially face sanctions or penalties.

Robust retention, controlled destruction, as defined by policy and company counsel, and backup policies specific to an organization's compliance and governance needs may substantially minimize the potential for inadvertent (or intentional) transfer or deletion of sensitive materials and documents subject to preservation obligations.

Hamilton: Why are these concerns (risk of deleting employee data without backing up, etc.) important to address on a timely basis? Do you see a lot of organizations facing this problem?

Rega: It's important to address these concerns in a timely manner to minimize the risk. Organizations that delete data under legal hold or required for regulatory compliance can potentially face fines, investigations, lawsuits, etc. There is also the risk of losing valuable information if data is inadvertently deleted after an employee departs an organization. We've certainly come across companies facing these types of organizational risks. By addressing these issues proactively and diligently, organizations can help minimize or even avoid costly recovery methods, if recovery is even an option. Although file deletion on a hard drive is potentially recoverable, data deleted from a file server or email environment can be harder to recover without proper backup processes in place. It should be noted that even if recovered, the costs to perform such recovery can quickly escalate.

Hamilton: Can you recall any specific examples of this occurring? What were the results?

Rega: We recently worked on an engagement with a biotech company where a senior sales executive with access to high-end client lists and pricing information gave notice. The company had an email archiving system that retained all email items including deleted messages. It also had a number of proactive policies in place, including limiting the locations for file storage and preserving employee hard drives and personal file server content upon departure. All of these factors helped to minimize the legwork – and resources – that would otherwise be performed during the company's employee departure process. These policies also helped to ensure that valuable information stayed with the company.

In another example, an employee transitioned to a new or existing role in another department previously occupied by a predecessor or former employee. IT transferred the predecessor's documents – email and user-generated documents – within a directory of the newly transitioned employee's personal share directory, but didn't inform the transitioned employee of any inherited legal holds or other retention and/or compliance measures (and additionally didn't take steps to retain a pristine copy of the predecessor data to offline storage), causing a portion of sensitive predecessor content to be inadvertently deleted.

Such a scenario could have been prevented by incorporating better policies during employee transitions that convey prompt communication of any inherited legal holds and/or other policies. These types of policies would also ensure that content pertaining to a predecessor that may still be within the confines of a legal hold or other retention policy is not spoliated.

Hamilton: How are you counseling your clients to fix or modify their processes to ensure that no data is accidentally deleted when employees separate from the organization?

Rega: We provide a number of recommendations, taking into account each client's environment and any existing internal controls in place. First, it's helpful to review current active legal holds, retention and deletion policies with internal counsel and appropriate enterprise managers to update and/or revise existing policies as needed, with a focus on procedures and policies for departing employees. This includes having an updated list of employees under active legal holds or those maintaining regulatory and/or sensitive documents so that they can be quickly flagged for retention upon employee departure. We also recommend having a standard process for handling and preserving departing employee data. Many clients also conduct exit interviews with departing employees to assist in identifying any potentially pertinent documents for retention.

Hamilton: In general, are companies monitoring employee movements in a reliable manner?

Rega: It's mixed. In some cases, companies are taking proactive measures to shore up and fortify their current retention and information governance policies. This helps ensure compliance with industry regulations and it can also help minimize the potential loss of valuable IP. That said, we also encounter many scenarios where companies are ill-prepared to protect their data and documents can be deleted or lost with relative ease. If you are unsure about the reliability of your own company's policies and practices, auditing and assessment services can give you greater peace of mind.

Hamilton: What benefit could your clients have if they automated their processes for detecting actionable employee status changes and had the ability to take immediate action to mitigate the risk of spoliation?

Rega: The benefits would be immediate and numerous. As mentioned above, a sound set of policies and actionable procedures can help dramatically minimize the potential for spoliation and prevent damaging sanctions. Investing the appropriate time and resources to fortify these policies and processes through automation can help dramatically reduce costs and risk in the long run.

 
