Think about export compliance, access and restrictions (e.g. non-US citizens), IP, privacy etc. that come into play with global collaboration platforms (e.g. social networking, knowledge sharing).
This was selected as Best Answer
Eric,
A good start might be to check out what other global networks use as their safety guidelines. If you read through the guidelines for Myspace and Facebook, although these are consumer oriented sites, if you read between the lines you can start to pick out things that can be applied to users in a corporate setting.
The next thing to consider is to build an “Attestation System”, just like the often ignored button when you install software that says you agree to the Terms & Conditions, etc. and everyone clicks OK w/o reading a word. These clicks of the OK button serve 1 purpose, contractual in nature and covers the “what if” scenario if things wind up in the hands of lawyers and a legal matter ensues. The fact that you clicked that OK button, can come back to haunt you if you violated any software policies, because you can't say you "didn't know".
The same goes for your Global Collaboration Platform, have your end users regularly (quarterly or every X login), attest online to having read and understood the usage policies by clicking a "mandatory" button, make it part of the login, no ticket no shirt approach, they should attest that they have read and understand your guidelines for using the system, which should contain proper use, privacy, cross-country privacy, etc. etc. Now as for the logs of the attestations (IP address, MAC address, date, time, etc.) keep the logs of the attestations in a system that you can prove to be authentic, so in the event that you need them downstream someone can't come back and say that you altered them to serve your purposes. These days, that means to archive them and use a WORM technology on the storage end. That covers mostly people oriented processes.
You can't stop people from either misbehaving online or intentionally doing things that they shouldn't, so you have to protect your organization to ensure that you can prove that everyone is informed of how to use the system, what’s right, wrong, acceptable, etc.
To this end, I would recommend that you also create & post training snippets on proper use, possibly make them also mandatory, force end users to attend and use 2 online training sessions per quarter for example. This protects you from creating a policy that no one can understand because you didn't provide training. A training video or FAQ might cover someone posting something of a personal nature and the pitfalls for doing so.
From a black and white regulatory perspective you would also need to understand some of the specific regulations (government or industry specific) that apply to your company. I would imagine that you probably have a “duty” to not just mitigate but "prevent" things that you can control from a systems perspective that are black and white via regulations that might affect your particular use case or industry.
For example, in the health care industry in the US there are many regulations around transmitting or sharing personally identifiable information related to a patient’s medical data. If your corporate collaboration group contains physicians, I would say that you have a "systems" responsibility over and above a written policy to ensure that patient information is not transmitted. There are any number of use cases, but if the technology exists to prevent something, you may have a duty to implement that technology.
To another end, you may want to archive all communications (emails, posts, etc.) that are transmitted through the system and apply a retention policy so you can have a repository that can be used for legal discovery. An archival system can also be used to supervise content, based on policies, (for example, any communications that contain foul language), warnings can be sent to end users who violate this policy; this shows that from a corporate perspective you are “minding the farm”.
Lastly, confer with internal legal counsel and get written advice from outside counsel for transparency.
Good Luck,
Peter
Links:
* http://www.facebook.com/safety/
* http://www.myspace.com/index.cfm?fuseaction=cms.viewpage&placement=safety_p...
* http://www.csi1000.com
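
As an added illustration (not part of Peter's answer), the sketch below shows one way the login-time attestation gate and a tamper-evident attestation log could look in Python. It uses an HMAC hash chain at the application layer, which is a different technique from the WORM storage the answer names and would sit alongside it; the 90-day window, field names, key and sample records are assumptions constructed for the example.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

REATTEST_AFTER = timedelta(days=90)  # assumed reading of "quarterly"
GENESIS = "0" * 64                   # chain value before the first record

def _digest(key: bytes, prev: str, body: dict) -> str:
    # MAC over the previous chain value plus this record's canonical JSON
    msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def append_attestation(log, key, user, policy, ip, mac_addr, when):
    """Append one attestation record, linked to the record before it."""
    body = {"user": user, "policy": policy, "ip": ip,
            "mac": mac_addr, "time": when.isoformat()}
    prev = log[-1]["chain"] if log else GENESIS
    log.append({**body, "chain": _digest(key, prev, body)})

def verify_log(log, key):
    """Return the index of the first record that fails verification, else None.
    Removal of trailing records is not detected here; WORM storage covers that."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "chain"}
        if not hmac.compare_digest(rec["chain"], _digest(key, prev, body)):
            return i
        prev = rec["chain"]
    return None

def must_attest(log, user, current_policy, now):
    """Login gate: True unless the user attested to the current policy recently."""
    for rec in reversed(log):
        if rec["user"] == user and rec["policy"] == current_policy:
            return now - datetime.fromisoformat(rec["time"]) > REATTEST_AFTER
    return True  # never attested, or the policy version changed

def demo():
    """Constructed sample data: two users attest to policy version v3."""
    key = b"constructed-demo-key"  # assumption: held outside the log store
    t0 = datetime(2024, 1, 2, 9, 0, tzinfo=timezone.utc)
    log = []
    append_attestation(log, key, "alice", "v3", "192.0.2.10", "02:00:00:00:00:01", t0)
    append_attestation(log, key, "bob", "v3", "192.0.2.11", "02:00:00:00:00:02",
                       t0 + timedelta(days=1))
    return key, t0, log
```

Editing any stored field changes the recomputed MAC for that record, so `verify_log` reports its index.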