Caitlin R. Gifford
Businesses are facing several new realities. Their customers and clients expect them to go beyond "traditional" forms of communication into social media. Their employees prefer or even expect to be able to communicate with family, friends and others via personal email, social media and instant messaging or texting while in the workplace. And the ubiquity of mobile devices such as tablets or smartphones has caused some companies to consider implementing "Bring Your Own Device" (BYOD) policies to cut costs and increase employee satisfaction.
This trend toward mobile devices and social media has effectively blurred the distinction between communications that are personal and private and those that companies control and have responsibility for. This changing digital horizon impacts corporate records retention, employee privacy, employee supervision and data collection for the purposes of electronic discovery. This article presents a practical approach to how companies can address privacy concerns while meeting their record retention and disclosure obligations.
Traditionally, during the course of discovery, parties first identify key custodians and potentially relevant subject matters related to their case. Following any mandatory record disclosures, which tend to be rather limited, they then proceed to propound numerous discovery requests seeking information relevant to the issues in their case. As technology has evolved, the types of data that parties routinely seek and the location of potentially relevant information has moved away from hard-copy documents residing in a company's filing cabinet and now focuses primarily on electronically stored information (ESI) in the form of emails and other electronically created documents residing on active servers.
Increasingly, we are seeing litigants request their opponents' Web history, voicemails, text messages or other more "novel" forms of ESI. However, under the Federal Rules of Civil Procedure and their state counterparts, parties generally have an obligation to identify and produce only potentially relevant documents and materials that are within their "care, custody or control." Courts have interpreted this concept broadly by defining "control" as the legal right, authority or practical ability to obtain relevant information. Further, courts have emphasized that "control does not require that the party have legal ownership or actual physical possession of the documents at issue," as in Bush v. Ruth's Chris Steak House, Civil Action No. 10-1721 (D.C. June 18, 2012).
While companies are obligated to retain records that are necessary to ensure that their businesses function in the manner required by law, companies generally do not, as a matter of course, collect or retain their employees' social media interactions or Web browsing. Companies must understand applicable retention requirements and develop policies that adequately address the evolving landscape of how and where corporate records are created on personal or mixed personal and business devices. In drafting such policies, companies may want to consider:
The extent to which it is technically feasible to retain electronic communications other than email, such as instant messages, text messages, Internet activity (Web browsing), posting on blogs or social media sites and voicemail on mobile devices. If it is not, consider whether those communications that cannot be retained should be allowed.
Alert employees that any information created on, residing on, sent from, received by, stored on, or otherwise part of the company's information systems or company-supplied devices or storage media, is the property of the company and may be required to be disclosed to parties outside the company. Employees should have no privacy expectation with regard to any such information.
Contemplate whether the policy should apply to any personally owned equipment (including home computers, PDAs and storage devices and media) to the extent such equipment is used to access the company's systems or support business communications.
Emphasize that users who wish to minimize the chance that their personal email accounts, computers, phones, PDAs and storage devices could be subject to discovery or disclosure in legal actions, investigations or audits must avoid storing any company data in or on their personal email, devices or equipment. This can be supported through the deployment of enterprise mobile device management technology.
In order to implement such policies, corporations may want to require their employees to participate in training designed to reinforce what constitutes a corporate record, employees' privacy rights (or lack thereof), and the proper creation, storage and protection of corporate records and data.