Caitlin R. Gifford
Businesses are facing several new realities. Their customers and clients expect them to go beyond “traditional” forms of communication into social media. Their employees prefer or even expect to be able to communicate with family, friends and others via personal email, social media and instant messaging or texting while in the workplace. And the ubiquity of mobile devices such as tablets or smartphones has caused some companies to consider implementing “Bring Your Own Device” (BYOD) policies to cut costs and increase employee satisfaction.
This trend toward mobile devices and social media has effectively blurred the distinction between communications that are personal and private and those that companies control and have responsibility for. This changing digital horizon impacts corporate records retention, employee privacy, employee supervision and data collection for the purposes of electronic discovery. This article presents a practical approach to how companies can address privacy concerns while meeting their record retention and disclosure obligations.
Traditionally, during the course of discovery, parties first identify key custodians and potentially relevant subject matters related to their case. Following any mandatory record disclosures, which tend to be rather limited, they then proceed to propound numerous discovery requests seeking information relevant to the issues in their case. As technology has evolved, the types of data that parties routinely seek and the location of potentially relevant information have moved away from hard-copy documents residing in a company’s filing cabinet and now focus primarily on electronically stored information (ESI) in the form of emails and other electronically created documents residing on active servers.
Increasingly, we are seeing litigants request their opponents’ Web history, voicemails, text messages or other more “novel” forms of ESI. However, under the Federal Rules of Civil Procedure and their state counterparts, parties generally have an obligation to identify and produce only potentially relevant documents and materials that are within their “care, custody or control.” Courts have interpreted this concept broadly by defining “control” as the legal right, authority or practical ability to obtain relevant information. Further, courts have emphasized that “control does not require that the party have legal ownership or actual physical possession of the documents at issue,” as in Bush v. Ruth’s Chris Steak House, Civil Action No. 10-1721 (D.C. June 18, 2012).
While companies are obligated to retain records that are necessary to ensure that their businesses function in the manner required by law, companies generally do not, as a matter of course, collect or retain their employees’ social media interactions or Web browsing. Companies must understand applicable retention requirements and develop policies that adequately address the evolving landscape of how and where corporate records are created on personal or mixed personal and business devices. In drafting such policies, companies may want to consider:
• The extent to which it is technically feasible to retain electronic communications other than email, such as instant messages, text messages, Internet activity (Web browsing), posting on blogs or social media sites and voicemail on mobile devices. If it is not, consider whether those communications that cannot be retained should be allowed.
• Alert employees that any information created on, residing on, sent from, received by, stored on, or otherwise part of the company’s information systems or company-supplied devices or storage media, is the property of the company and may be required to be disclosed to parties outside the company. Employees should have no privacy expectation with regard to any such information.
• Contemplate whether the policy should apply to any personally owned equipment (including home computers, PDAs and storage devices and media) to the extent such equipment is used to access the company’s systems or support business communications.
• Emphasize that users who wish to minimize the chance that their personal email accounts, computers, phones, PDAs and storage devices could be subject to discovery or disclosure in legal actions, investigations or audits must avoid storing any company data in or on their personal email, devices or equipment. This can be supported through the deployment of enterprise mobile device management technology.
In order to implement such policies, corporations may want to require their employees to participate in training designed to reinforce what constitutes a corporate record, employees’ privacy rights (or lack thereof), and the proper creation, storage and protection of corporate records and data.
Companies implementing BYOD policies often do so in recognition of the fact that most employees have a personal smartphone or tablet that is familiar to them and usually close at hand. Employees may prefer to use their personal devices for both business and personal reasons and companies would rather not procure and issue devices that are redundant. Where the company no longer procures the device, it has no contractual relationship with the service provider and loses the ability to select the devices to be used by employees, monitor the devices or have access to the communications sent to and from the devices.
The devices will be used by the employee for personal purposes and may even be used by other people not employed by the company, such as the employee’s family members. Employees may lose, damage or trade in the devices and may store third-party information on the devices, such as music, books, computer applications, etc. Finally, some employees will leave the company through an orderly, voluntary process, or they will leave (or be asked to leave) suddenly. When they leave the company, they will still have their devices and the company may not have an opportunity to collect, retain or delete data on the device.
Any BYOD policy must be clearly explained to all participating employees, with a focus on the employees’ reasonable expectations of privacy and the possibility that the employer may have to evaluate and remove or copy data from the device, temporarily take possession of it and require employees to execute what is essentially a release authorizing the company to request data from the service provider with which the company otherwise does not have any relationship or rights. In City of Ontario, Calif. v. Quon, 130 S. Ct. 2619 (2010), the Supreme Court provided some guidance in this area, but many questions remain regarding the relative privacy rights of an employer and an employee with respect to a device that is used for both personal and business reasons.
Another example of how business and personal purposes blend together is employees’ use of social media. More and more organizations establish a social media presence and then designate authorized representatives to post on social media websites such as Facebook, Twitter or Google Plus and develop policies that provide such representatives with guidelines on how to represent the company in the online world. Not surprisingly, courts are likely to hold that postings by authorized corporate representatives on the corporation’s social media site are within the corporation’s care, custody and control.
The issue is not so easily resolved when employers allow their employees limited use of social media websites at the workplace. Many organizations will develop social media policies to define the acceptable and prohibited uses of social media as it relates to company business and personal purposes. Often, these policies address and prohibit employees from implying endorsement from the company or using company, proprietary or client information in personal posts on social media sites.
While the company may decide to periodically spot-check what employees are posting on their personal accounts to validate or verify compliance with its corporate policy, companies do not retain such information. One exception is the requirement in FINRA Regulatory Notice 11-39 regarding broker-dealer compliance with Rule 17a-4 under the Securities and Exchange Act of 1934 that a “firm must be able to retain, retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person.” In some jurisdictions, if faced with a discovery request for an employee’s personal social media account, an employer may argue that it is unlawful for an employer to ask for a current or prospective employee’s social media account information. (See, e.g., SB 433, HB 964 (Md. 2012).) In jurisdictions without such laws, an employer can still make a strong argument that an employee’s log-in information for his or her social media account is outside the employer’s care, custody and control.
Where discovery is sought directly from an employee who is a party to the lawsuit or is subpoenaed for relevant information, both federal and state courts have held that social media content can be discoverable because any intrusion from discovery is fairly minimal. The user typically has made his or her information available to a wide variety of social media contacts who have no legal obligation to keep the information confidential. (See, e.g., EEOC v. Original Honeybaked Ham Co. of Georgia, No. 11–cv–02560–MSK–MEH (D. Colo. Nov. 7, 2012); Trail v. Lesko, No. GD-10-017249 (Pa. Com. Pl. 2012).) Nevertheless, a party requesting access to information existing on a user’s social networking profile must first demonstrate that relevant information is likely to exist on the user’s profile before a court is likely to grant access to social media content. (See, e.g., Offenback v. LM Bowman, No. 1:10–CV–1789 (M.D. Pa. June 22, 2011); EEOC v. Simply Storage Management, 270 F.R.D. 430 (S.D. Ind. 2010).)
In addition, organizations use numerous types of storage media that may be subject to retention requirements and discovery obligations. For example, companies must determine how to retain voicemails that are considered company records or those that are relevant to reasonably anticipated or pending litigation. Some companies choose to avoid defining voicemails as corporate records and instead explicitly define voicemails as transitory information for which there is only a short-term or temporary business need and recommend that voicemails should be disposed of as soon as practicable. There is an inherent danger in retaining voicemails for extended periods of time. In addition, the collection, review and production of voicemail files can be much more difficult, time-consuming and expensive. Many companies have their IT departments set up the automatic deletion of voicemails after a specified time period.
Similarly, some companies permit their employees to use instant messaging programs throughout the work day. Such companies may or may not log the instant messages, but most do not. There are occasions, however, where instant messages may constitute business records and could reflect potentially relevant and discoverable information. Companies are thus faced with a Hobson’s choice: spend vast amounts of money to retain instant messages that may not be relevant to reasonably anticipated or ongoing litigation or risk facing sanctions for failing to retain instant messages. Perhaps the best solution is for companies to develop policies that prohibit the use of instant messaging for discussing anything relevant to pending or anticipated litigation or investigations — and/or to prohibit use of messaging entirely for critical business communications.
Companies that incorporate these new forms of communication into their employee and records retention policies will be best positioned to identify and retain corporate records, respond to requests for discovery and demonstrate respect for employee privacy interests. Regular discussions among the legal, compliance, technology and human resources teams will help to ensure a prudent risk-versus-benefit approach to making best use of these technologies.
David R. Cohen is the practice group leader for Reed Smith’s global records and e-discovery practice group. He has more than 25 years of commercial litigation experience in a variety of subject matters. He can be reached at email@example.com.
Timothy J. Nagle is a member of the firm’s data security, privacy and management practice group. He can be reached at firstname.lastname@example.org.
Caitlin R. Gifford is an associate in the firm’s e-discovery and records management group, where she provides advice regarding e-discovery, records management and records retention research matters. She can be reached at email@example.com.