Even if you haven't caught the Twitter bug, some of your colleagues are likely hooked on it. Mostly what they're saying on Twitter is innocuous, like "I went to eat in Chinatown." But some may be naming names and writing things like "Smith & Smith law firm is evil" or "We're working on a case that'll put Acme Corporation in a market tailspin."
Twitter, for the uninitiated, is a free micro-blogging service that allows its users to exchange updates on their current doings—otherwise known as “tweets,” which are text-based posts of up to 140 characters in length. The posts are displayed on the user’s profile page and delivered to other users who have signed up to receive them. You can learn more at http://twitter.com.
But for our purposes, here’s the immediate question: Is a tweet done on firm resources a “record” for purposes of retention requirements and ESI preservation or production? Well, that’s a thorny question. All experts agree it is discoverable, but whether it is a record requiring retention may depend on whether it is a corporate tweet or a personal one.
For a while, record managers thought they had the online universe pretty well covered with company-approved programs for employees’ e-mail usage. But now tools like blogs, Twitter and online social networking sites are giving almost everyone a Goliath-size headache. Whether you are thinking in terms of your own law firm or your clients’ organizations, you’ll want to get clued in to the retention issues involved in these new technologies.
The Danger in a Little Tweet
By current industry estimates, nearly 3.5 million unique visitors hit Twitter each month—a number that is growing exponentially. Many among that vast group, of course, don’t realize that those little 140-character tweets can go anywhere and create a permanent record. Add to that the fact that, like IMs and e-mails, these quick electronic messages may be composed when someone is angry, frustrated or even under the influence of too much wine, sometimes leading them to display poor judgment in their posts.
Douglas Winter, who heads the electronic discovery unit at Bryan Cave, stresses that tweets are no different from letters, e-mails or text messages (see the December 22, 2008, National Law Journal article, “Beware: Your ‘Tweet’ on Twitter Could Be Trouble”)—they may be damaging and discoverable, which is especially problematic for companies that are required to preserve electronic records, such as the securities industry and federal contractors. Yet another compliance headache is born.
Twitter is by no means the only micro-blogging service. There is also Yammer and present.ly (no, that’s not a typo), and surely many more to come. Also, enterprise versions are beginning to emerge, but there is currently precious little policy to govern them. For the most part, micro-blogs are being treated as blogs from a corporate policy perspective.
But just what does that mean, when policies on employees’ blogging remain much less than perfect?
What’s in a Blog Policy, Anyhow?
The fact is, as blogs have exploded in number and popularity over the past few years, so have cases in which employees have disclosed trade secrets and insider trading information on their blogs. Blogs have also led to wrongful termination and harassment suits. Blogs, clearly, can be a Pandora’s box.
Organizations should, of course, have written policies about blogging at work or, probably more importantly, about work. One case, Nickolas v. Fletcher (2007 U.S. Dist. LEXIS 23843 (E.D. Ky. Mar. 30, 2007)), has suggested that employers may have the right to prevent employees from accessing blogs while at work. But the blogosphere has become so ingrained in the Web culture, and has so many varied business uses, that blocking access to blogs in the workplace probably isn’t realistic for many organizations.
So where blogs are allowed at work, here are some general guidelines to follow. The organization needs to maintain archives where retention of work-related posts is mandated under the relevant laws or regulations. Blogs do indeed create a “paper” trail, for better or worse. Corporate blogging versus individual employee blogging presents different challenges—one clearly speaks for the corporation. The other may or may not, depending on the circumstances.
Also, enterprise blogs require security, authentication and audit trails. Likewise, it should be possible to search them, issue reports and the like. Control over enterprise blogs can be appliance based, through an enterprise application or through software as a service (SaaS). In addition, an enterprise will certainly want to consider who it will allow to post comments on the blog!
Audit trails should capture all changes, including new posts, changed or deleted posts, and comments and discussion. They should capture context, including who posted or commented, what posts are read and what posts are “trackbacked” (i.e., when Web authors are notified if someone links back to one of their writings).
Overall, we advise following this very simple corporate blog policy that one wit has suggested: “Don’t be stupid.”
Tackling Social Networking
As popular as blogging is, the virtual lifeblood of many employees resides in online social networking sites, including MySpace, Facebook, LinkedIn and Plaxo. There are abundant potential risks on these sites for businesses that don’t monitor employees’ use of them—which would be most businesses—and all the risks associated with blogs apply here. Some experts believe that companies are well advised to use filters to block access to all social networking sites at work. At the very least, this action will keep the posts from being company records.
On the other hand, genuine business usage of these sites has grown tremendously. (See Doug Cornelius’s Legal Web 2.0 installment in the January/February Law Practice for more on this.) Plus, it may be very difficult to allow business usage for things like professional networking and researching and then forbid personal usage, no matter what a company’s policy may say.
However, checking the social networking profiles of potential employees may be wise, as you may get some sense of trouble brewing in the future with a prospective hire, such as a lack of discretion, angry entries, a TMI (too much information) proclivity or the like.
But what about employers monitoring their current employees through social networking sites? Is this really happening in the wild? To check the pulse on this, the authors did an ad hoc online survey. Although everyone said an employer has a right to monitor, no one actually knew of an employer that was monitoring personal sites. Likewise, others in the field have not yet been able to cite a case where social networking was involved to the detriment of the employer, but the consensus is clear—just wait a bit, it’s coming.
So what to do for now? These emerging technologies are fluid (changes on social networking sites, comments on blogs, ever-expanding discussions on wikis and so forth). How do you manage something that isn’t static and that has multiple authors? Snapshots are one method. Periodic archiving is another possibility, though it is a headache to schedule it. Training and education could be particularly helpful. Employees need to understand that (1) they may be creating “records” when they use these technologies and (2) they must think before they create potential records, bearing the risks of what they create in mind.
When Technology Leapfrogs Ahead
The law relating to emerging Web technologies (and we haven’t covered wikis, unified messaging or VoIP, among others) is vastly underdeveloped, which presents a formidable challenge to records managers. It’s a brave new world, and most corporations and law firms are having a heck of a time dealing with it. It can involve huge costs, business disruptions, public embarrassment and, gulp, legal liability.
Management of Web 2.0 records is limited at best, often chaotic and duplicative. If you have any guiding principle, make it this: Content, not form, drives retention requirements. Policies governing records in your law firm or business should address all forms of communications—and you’ll need to review these policies at least annually in light of newly evolving technologies.