By Jason R. Baron & Amy Ramsey Marcos of Drinker Biddle & Reath LLP
Hillary Clinton surprised many observers earlier this year by revealing that she had set up a private email network from her home in Chappaqua, New York, before she became US Secretary of State. She proceeded to use that network to send and receive email communications relating to the conduct of official State Department business during the entirety of her four years in office.
The ensuing controversy has succeeded in shining a spotlight on a newly emerging phenomenon in the workplace: employees (including corporate executives) using whatever applications they can get their hands on to conduct work-related communications, outside ‘approved’ channels. The existence of ‘shadow IT’ – the use of applications on any type of device that effectively go unmanaged by information technology staff – poses issues similar to, and in some cases overlapping with, the existing challenge of enforcing compliance in a world of bring your own device (BYOD) policies. In the latter case, employees are encouraged to use their own mobile devices to conduct business-related communications, where the devices are also used for personal communications.
In the case of shadow IT, staff are literally ‘left to their own devices’ to make business communications, which may include mobile but also may mean that employees might be logging into outside networks from the workplace desktop computer as well. From an information governance perspective, businesses need to be aware of executives’ use of shadow IT applications and the issues that ‘off the books’ communications raise, when balancing the legitimate need to exert institutional control over data against recognition that in a fast-paced world executives and staff need to efficiently transact business from wherever they may be.
As a recent survey in the US publication Government Executive points out, approximately 30 per cent of federal public sector employees in the United States are thought to use private commercial services, such as Gmail, at least occasionally for the conduct of official business. Former Secretary of State Clinton cited ‘convenience’ as her reason for carrying one device and using it for both personal and official business. Apart from her particular circumstances, surveys show that many employees choose to use non-approved IT applications due to the perception that they can more efficiently carry out their job duties through their own customised means (using apps familiar to them and easy to apply).
The recent history of business communications shows increasing complexity in the manner in which we conduct business in light of technological advances. Beginning in the early 1990s, executives and staff were given the opportunity to access the internet from their office desktops. By 2000, a wide array of commercial services proliferated, as well as new forms of devices (laptops and PDAs), often offering means of communication faster and more efficient than what might be offered at work. By 2010, the ubiquity of mobile devices presented institutions with the need to begin to define BYOD policies. So too by that date, the use of flash drives and the ability for workers to walk out of the building with (or upload) data increasingly was recognised as presenting new challenges to institutional ‘control’.
In 2015, the commonplace use of such services as Google Docs, Dropbox and other cloud storage apps at zero or near zero cost to users has made it the norm rather than the exception that business records may be found anywhere. With the coming of the Internet of Things, future states of communications will include the ability to create and receive data from new types of smart devices everywhere. The idea of straightforwardly exercising some measure of institutional control – even apart from the inevitable cyberbreach issues – appears increasingly elusive.
Whatever means of communication the chief information officer (CIO) empowers employees to use and/or employees use themselves, one can safely bet that litigation and regulatory compliance issues will swiftly follow. Whether the end users are high-level corporate officials or simply average workers, the communications channels that users employ are all within scope of potential collection for purposes of meeting eDiscovery, compliance and audit demands. Although the use of shadow IT apps makes it potentially harder to find such communications, as a matter of law those communications in most cases will continue to be subject to legal or regulatory process.
Whoever is the champion of information governance policies within the corporate suite cannot ‘solve’ the growing use of shadow IT applications on his or her own. A CIO, chief operations officer, chief financial officer or chief legal officer needs to acknowledge the potential existence of shadow IT and build clear policies and practices that are in line with the culture of the institution at issue. No two corporations are alike, including the degree of risk that the corporate suite wishes to tolerate.
Depending on what sector of private industry is involved, a corporation may be subject to heavy fines for enabling employees to communicate in ways that are not subject to the monitoring and preservation rules in place. This is especially true in the financial sector where special monitoring and archiving rules apply to certain communications depending on whether the sender or recipient is a covered person.
What is important is to have the conversation, starting with asking questions about how individuals at the highest levels of an organisation (the CEO and his or her deputies) are choosing to communicate and on what platforms. This tasking is accomplished by someone who has a high-level perspective on governance, who functions as a clearinghouse for a continuing corporate dialogue on where data resides, what its value is and to what extent individuals at all levels of the organisation know the rules operating with respect to the means by which they are to communicate. A good start would be appointing a task force chaired by a newly minted chief information governance officer, tasked with surveying the organisation and conducting in-depth interviews to shine a light on whatever shadow IT issues exist. With someone at a sufficiently senior level in charge of running the project, carrying out a survey and interviews may well assist an organisation to understand where its data is living and to assess whatever degree of risk is involved.
In short, inventorying and assessing the real-world practices of high-level executives as well as average employee practices represents a good first step in mitigating looming shadow IT issues. Beyond that first step is understanding that the use of shadow IT can impact an organisation’s ability to satisfy its data security, consumer privacy, and litigation obligations. The following best practices, designed to tighten information governance while still providing employees with flexibility to do their jobs, can help keep a company out of the headlines.
1. Develop a robust information governance policy that covers the emergence of shadow IT in the workplace
Whether sanctioned or not, employees will use their personal devices for work-related purposes (under BYOD policies). They will also use non-sanctioned forms of communications for official business (e.g. commercial email accounts and shared applications in the cloud), from wherever they may be (in the office, at home, or on the road). Instead of fighting these trends, consider embracing policies that protect company information and outline appropriate use wherever the data may reside. The policy should address the dos and don’ts when it comes to handling company information (e.g. do encrypt emails with personal health information, don’t upload confidential company information to public cloud storage). The policy should also clearly state employees’ responsibilities for ensuring data security, protecting privacy and preserving information that is relevant to litigation.
2. Educate employees
The best policies, put into practice, are only as good as the employees who understand them. Designate time to train employees on company information governance policies and make sure they understand the importance of following protocols, no matter what device or application they choose to use. Include some cautionary tales from the news to impress upon employees the potential implications of noncompliance. Provide updated training when major changes to policies are implemented. As part of training, require signed acknowledgements from employees that they understand their responsibility to adhere to company information governance policies, no matter where and on what device data resides.
3. Employ IT solutions to protect company information
Applications can be installed on personal devices that allow for remote access to company systems, which keeps work product on company servers. Require passwords and screen timeouts for all devices used for work purposes to minimise the risk of unauthorised access in the event a device is lost or stolen (as an added bonus, these measures will also protect employees’ personal information). If the company utilises remote wiping capabilities, encourage employees to back up their personal information regularly to avoid losing their data. Be transparent with employees about how much access the company expects to have to their information if they install applications to access company information on their personal devices, or use any other forms of non-sanctioned applications for conducting company business.
4. Make company systems and devices easy to use
Employees will take the path of least resistance when it comes to accomplishing day-to-day tasks. The best way to encourage use of company software, systems and devices is to make it easier for employees to use them than other available alternatives. Although the use of personal devices is inevitable, companies can encourage more use of company systems, apps and devices by adopting user-friendly technologies and providing secure access to company systems through desktop virtualisation. Companies should also provide employees with a dedicated helpline to resolve their IT issues.
5. Periodically reevaluate employee practices and company policies
Companies don’t know what they don’t know. The use of shadow IT applications both by executives and employees will continue to evolve as new technologies enter the market and new capabilities are realised. Companies should periodically poll employees about the technologies they use and update company policies accordingly. Reserve the use of prohibitions for situations where use of personal IT necessarily compromises the security or privacy of company information. Look for opportunities to increase access to company information while still maintaining proper data protections.
6. Practice what you preach
To the executives in the C-suite reading this: if you won’t do it, they won’t do it. Use your own shadow IT practices as a bellwether for what will work best with your company’s culture.
About the Authors:
Jason R. Baron is Of Counsel in the Information Governance and eDiscovery Group at Drinker Biddle & Reath, LLP, and serves as Co-Chair of The Information Governance Initiative. Jason is an author of scholarly research on the law of information retrieval, and is a frequent keynote speaker in international forums on the subject of e-discovery and e-recordkeeping. In 2011 he was honored as the recipient of the international Emmett Leahy Award, for career contributions in records and information management.
Amy Ramsey Marcos is an attorney in Drinker Biddle’s Government and Regulatory Affairs Practice Group and assists on data management and information governance projects.