Study Suggests Data Protection Education Lacking, but Hardline Policies are Unrealistic

    Apr 25, 2017

    A study conducted by Harris Poll, sponsored by e-discovery vendor kCURa, finds that when organizations have data policies in place, employees are often unaware of them or ignore them, as reported on

    It’s typical for data security vendors to promise that their systems will keep an organization’s information secured, but the best technology cannot protect that data from negligent employee behavior, especially around social media.

    The survey polled more than a thousand employees in traditional office settings. David Horrigan of kCura said the company wanted to get a sense of the trouble areas caused by policies or training procedures: "We wanted to get some hard data about what is going on in the corporate enterprise, most notably in the policies and in the procedures.”

    Of those polled, 63% said their organization had no written policy for e-mail retention or didn't know about it if the company did. An additional 56% said they did not have or know of any policies for using social media.

    Regarding the blurring of personal and private communications while on the company’s systems, 47% said they send personal e-mails, 45% report they do personal web surfing, 40% send personal text messages, and 22% report posting to social media from company Wi-Fi.

    The study finds that these practices are not exclusive to the emerging millennial workforce. While 42% of survey respondents ages 18-34 report using company tools for nonwork-related e-mails, 41% of those between 35-44 and 39% of those between 45-54 do the same.

    As e-mail, texting, and other communication technologies have become integrated into common business practices, employees have relaxed their personal standards for professionalism around these technologies. Of those polled, 14% said they regularly use work e-mail to make lunch plans with co-workers.

    "From a legal standpoint, those casual conversations can be among the riskiest," Horrigan said. "People let their guard down in casual conversations."

    An organization could create hardline policies that bar employees from any non-work-related communications, and to do so would help its attorneys rest better, but enacting those policies would be unrealistic, Horrigan believes.  

    "If the lawyers had our way, you'd have a lockdown without thumb drives, and data would never leave the office," he told LegalTechNews, "I can't stress enough that having an absolute ban on personal communications or on office devices is a nonstarter. It's just fiction; it's not going to happen."

    Accepting such a reality must be the starting point for designing effective governance policies around the use of such workplace systems. He said, "You really have to balance what the lawyers want and what IT wants and what is most productive for the business."


    © 2017, ARMA International