Is There an App for That?
Protecting Corporate Records in a Mobile Communications World
In America, litigation often follows success, and the cost of being unprepared for e-discovery can be steep. While organizations are now more accustomed to traditional e-discovery, courts are beginning to expect the collection and production of data generated from corporate mobile devices, offering new challenges to records and information, IT, and legal professionals.
Canon Pence, Esq., and Meghan Podolny
Most large and mid-sized organizations are generally familiar with the expansive nature of document discovery in American litigation, extending to electronic documents (e.g., e-mail and word processing documents) as easily as traditional paper files. However, with increasing reliance on organization-administered mobile devices for work-related communications, courts have shown willingness to impose the same duties and obligations of preservation and production over these mobile devices and informal communications as any other document.
Courts are now turning up the scrutiny on litigants. Organizations, in turn, are slower to respond to these heightened obligations and generally aren’t equipped to track non-verbal, mobile-to-mobile communications, exposing vulnerability in litigation.
Overview of E-Discovery Requirements
American courts grant litigants extremely broad powers in discovery, allowing them to compel production of vast quantities of potentially relevant documentation. While discovery can take many forms (e.g., oral depositions, written interrogatories, and requests for admission), requests for production of documents typically cause the most grief.
While collecting and reviewing hundreds of boxes of paper documents is challenging, harvesting millions of e-mails and terabytes of electronic data, including non-traditional means of electronic communication (e.g., mobile devices and social media), can quickly elevate the challenge to a nightmare.
The scope of discovery is generally governed by the Federal Rules of Civil Procedure, which were amended in late 2006 to specifically address electronically stored information (ESI). Under this amendment, Rule 34 defines ESI as “data or data compilations stored in any medium from which information can be obtained” either directly or indirectly. In other words, all forms of recorded communications are potentially discoverable.
Two broad caveats of Rule 26(b)(2)(B) limit discovery of electronic data: relevance and burden. While relevance is ultimately gauged on a case-by-case basis, the general rule is that information is relevant if it’s likely to lead to the discovery of admissible evidence as stated in Rule 26(b)(1). When the information being sought relates to the claims and issues of the litigation, it’s typically considered relevant.
Generally, burden is also assessed on a case-by-case basis. To block discovery on such grounds, Rule 26(b)(2) requires the protesting party to show the information sought is “not reasonably accessible because of undue burden or cost.” If this threshold can be met, a court will allow the discovery to go forward only for “good cause.”
Good cause can be shown through a number of factors, noted the advisory committee, including:
- Specificity of the discovery request
- Quantity of information available from other and more easily accessed sources
- Failure to produce relevant information that seems likely to have existed, but is no longer available on more easily accessed sources
- Likelihood of finding relevant, responsive information that cannot be obtained from other, more easily accessed sources
- Predictions regarding the importance and usefulness of the further information
- Importance of the issues at stake in the litigation
- Each party’s resources
When preparing for discovery, all forms of electronic data maintained by organizations in the regular course of business are fair game unless a very strong argument is made for irrelevance or burden. Planning and preparing for e-discovery in litigation is particularly important because, as required by the 2006 amendments, litigants must hold a discovery conference at the beginning of the case in which they detail the location and category of the ESI they intend to use to support their claims, according to Rule 26(f).
From the time that litigation is reasonably anticipated, each party is required to enact a legal hold on any potentially relevant data within its possession, custody, or control. Failure to do so, as in, for example, Pension Committee of the Univ. of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., can be considered grossly negligent and make the party subject to sanctions.
As part of this hold, a party must identify and physically or electronically preserve such data, potentially including segregation into a separate repository. While Rule 37(e) provides litigants safe harbor from sanction where ESI is “lost as a result of the routine, good-faith operation of an electronic information system,” it does not excuse a party from taking specific steps to attempt to preserve potentially relevant information, as was the scenario in Arista Records LLC v. Usenet.com Inc.
Although systems to store and back up standard electronic files and e-mail are now commonplace, e-discovery and legal hold requirements can present particular challenges for data, such as that created by mobile devices, for which organizations may have no ready means of preservation.
Unique Communication Challenges
The fact that some relevant communications are transmitted through or reside on unanticipated devices or forms of media does not change this analysis of relevance and burden. The definition of ESI encapsulates voicemail, texting, chat applications, and social networking, just as it will cover future forms of communications. If it is relevant and does not exist in an identical form in a more accessible manner, then, considering burden and risk, it should be preserved.
Certain types of communications have special implications associated with their use and preservation.
For example, California Civil Local Rule 16-9 issued by the courts of the Northern District of California requires that parties “take steps to preserve evidence relevant to the issues reasonably evident in this action, including ... erasures of e-mails, voicemails and other electronically-recorded material.” This suggests that in addition to
suspending any automatic e-mail deletion program on custodian mailboxes, parties litigating in that court must carefully evaluate whether the custodians likely have relevant voicemails that risk being deleted.
A more troublesome issue arises when the communications occurs on mobile devices. Texting and chat applications are used by employees on both organization and personal devices. While certain forms of communication can be disabled on organization-owned devices, there is no technolog-ical work-around to prevent employees from using personal devices to communicate business information.
Mobile devices also present issues for those trying to comply with preservation obligations because they do not reside in a space that allows for much retention. For example, an outbound short message service (SMS) text, which is a message sent from one cellular phone to another, may be retained for only a short duration on the cellular service providers’ servers; the length of time depends on the service providers involved.
Another example is a PIN-to-PIN text, which is a realtime, two-way conversation addressed to the unique personal identification number of the parties’ smartphones. These brief messages do not reside for any duration on any server, according to Wikipedia. In BlackBerry for Dummies, the authors explain that a PIN-to-PIN message “does not reside in a mailbox and is instead sent directly to the Blackberry without delay ... Unlike sending a standard email, when you send a PIN-to-PIN message, the message doesn’t venture outside…in search of an email server and (eventually) an email box.”
If the content of the message sent to or from a device using either SMS or PIN-to-PIN is relevant to the subject matter of the litigation, and is not available elsewhere, then that message must be preserved on the device, regardless of whether it’s transmitted from a corporate or personally owned device.
Since it’s unlikely that either SMS or PIN-to-PIN messages will reside on a server long enough to allow an employer to preserve the messages, organizations should consider a policy that strictly prohibits the use of texting options for business communications.
Social Networking Sites
Social networking sites have recently garnered much spotlight in their relevance to proving facts in a case. Once the relevance of network site content is shown, it often proves invaluable to its proponent, as referenced in United States v. Villanueva and People v. Franco. While the potential use of social networking data may be readily apparent, how to handle it when facing litigation is not necessarily easily.
Organizations need to understand how their employees are using social networking, then design and distribute guidelines on what information can be posted on organization sites. Organizations should incorporate social networking site data into their formal document retention policies and employee usage policies, and they should question employees about such sites when conducting witness interviews regarding relevant ESI.
If relevant social networking data is found, it must be preserved. Once found relevant and preserved, counsel for the proponent organization must prepare to meet requirements to authenticate the networking data and render it admissible. For example, counsel could use the data in a deposition or ask the other side to authenticate the data in a request for admission. Either method, although not exhaustive options, would provide a solid foundation to ensure the data will be admissible at trial.
The Broker-Dealer Angle
Organizations that either are considered to be broker-dealers or employ broker-dealers, as defined by the Securities
Exchange Act, suffer a heightened obligation for communication retention, regardless of the medium through which it is transmitted.
Pursuant to the Security Exchange Commission’s (SEC) Rules 17 C.F.R. §§ 240.17a-3 and 17a-4, a brokerdealer is obligated to retain and store certain identified categories of documents for specified periods of time, including order tickets, trade confirmations, communications with customers, and other sent or received communications that relate to the broker-dealer’s “business as such.”
In most cases, the covered documents must be preserved for defined periods of time in an “easily accessible place” that will satisfy SEC requirements that they can be quickly accessed and reviewed upon request as stated in Rule 17a-4(a)-(d).
Rule 17a-4 does not limit the form of the documents that are covered, but rather focuses on the content of such messages to allow for audit of securities transactions. To avoid SEC investigation, broker-dealers must ensure all communications and categories listed under these provisions are preserved, regardless of the transmittal medium.
Combine this requirement with the guidance issued by the Financial Industry Regulatory Authority (FINRA), which states that members of FINRA are expressly subject to the preservation requirements of SEC Rule 17a-4, and a broker-dealer organization’s heightened obligation is confirmed. In 2007, FINRA issued Notice 07-59 (2007) on the “Supervision of Electronic Communications,” which although focusing more on supervision than preservation obligations, echoes the view that the communication preservation requirements are content-based rather than format based:
[A] member firm’s obligations to supervise electronic communications are based on the content and audience of the message, rather than the electronic form of the communication. Consequently … FINRA expects a firm to have supervisory policies and procedures to monitor all electronic communications technology used by the firm and its associated persons to conduct the firm’s business.
FINRA more recently issued Notice 10-06 (2010) regarding blogs and social networking sites, requiring the same heightened level of recordkeeping and supervision response.
Since a broker-dealer/firm must be able to properly supervise and review business-related communications for compliance purposes, it risks exposure to claims of records retention and failure to supervise violations by the SEC or FINRA if it cannot review electronic communications simply because the communications are on a mobile device.
Because of this, the FINRA notice suggests that broker-dealers prohibit, “through policies and procedures,” business communications using communications media that the broker-dealers are not “capable of supervising and retaining.”
Notice 10-06 (2010) also advises that “consideration should be given to taking technological steps to block or otherwise regulate” the internal and external use of the prohibited communications media. Organizations considered subject to Rule 17a-4 or FINRA should invest considerable time and resources into staying abreast of the newest technology used by their broker-dealers and other employees, and they should prohibit or block such use if these communications cannot be captured for supervision or litigation use.
General Best Practices
Organizations facing frequent litigation can follow a few concrete rules to guide them in managing the data subject to potential discovery and discerning what to allow their employees to have access to via corporate-owned technology and devices:
- Organizations should refuse to host blogs or other interactive Internet sites connecting with the public unless necessary for the business. They should also consider blocking access to social networking sites over the organization Internet connection or on a corporate-owned device.
- Organizations should disable text or PIN messaging on corporate devices. If not possible, they must determine whether these messages can be routed through the organization’s server. Although this method of retaining messages would be costly, it may be necessary for organizations that need to comply with Rule 17-a-4 broker-dealer communication preservation obligations.
- Communication networks should be mapped so all messages authored or received by a particular employee can be located upon short notice.
- While these guidelines serve as best practices to minimize unmanaged data in the abstract, once a duty to preserve is triggered by litigation, other best practices should be employed, including the following:
- Issue a written legal hold to all employees who are reasonably likely to have unique information or documents relevant to the subject matter of the litigation, track the responses, and send frequent reminder notices if the litigation extends. Incorporate into the content of the legal hold the instruction that all communications on mobile devices and social networking sites may also be subject to the preservation obligation.
- Determine how key document custodians communicate. After interviewing the key employees closest to
the subject matter of the litigation, it may be determined that no extra preservation steps for mobile devices
are necessary because all such communications route through the organization’s active servers somewhere
and are either duplicative or are easily located.
- Disable device messaging for the duration of the legal hold if the custodians do use mobile devices for texting or PIN messaging.
- Seek relevant records if held by another organization (e.g., mobile phone service provider) as soon as possible, for it is likely they will disappear after a few days or weeks, depending on the provider’s retention policies.
In light of the above considerations, organizations must have an electronic communications policy, as well as a systems usage and monitoring policy.
Any preservation or production of employee data from computers, BlackBerrys, and others, may also collect personal communications. If the organization’s policy does not put employees on notice that the organization has this authority, and monitoring does not dispel any employee notion of reasonable expectation of privacy, it can run the risk of facing invasion of privacy claims by employees. A comprehensive policy should:
- Specify that all communications using organization systems or equipment may be subject to monitoring, including personal e-mail accounts on organization equipment or on personal equipment used to access organization systems
- Describe the monitoring method the employer may use
- State that employees have no expectation of privacy in their communications using organization systems or equipment
- Be included in all employee handbooks or manuals
Most importantly, the usage and monitoring policies must be actively and uniformly enforced. Lack of enforcement can lead employees to assume the policy has no effect or to allege selective, arbitrary, or discriminatory enforcement, weakening the ability to use the policy as a defense against a claim of privacy invasion.
Return on Investment
Taking steps to prepare for e-discovery before litigation is pending can promote a relatively smooth and painless process of document retention and collection should a lawsuit arise. In addition to being able to coordinate e-discovery and conduct business as usual, a well-prepared team can actually strengthen an organization’s litigation strategy, helping it show that the opponent is, by contrast, slow and careless.
To maintain this competitive edge, RIM, IT, and legal professionals must regularly keep up with the evolving communication technology and the e-discovery environment. It’s an investment that will pay off in the long term.
Download the PDF version here.
Canon I. Pence, Esq., can be contacted at firstname.lastname@example.org.
Meghan A. Podolny can be contacted at email@example.com.
From January - February 2011