Friday, April 24, 2009

Are Your Tweets, TXTs and IMs Discoverable in Litigation?


“Uh oh! We’ve been sued!”
Even if it has never happened to your business or organization, you cannot ignore the potential for litigation any more than you would the prospect of fire damage. You likely have insurance for “covered perils” and even general liability, but that is just a start.

Most local government codes require businesses and building owners to establish and rehearse emergency evacuation procedures and everyone has been through a fire drill. But no one requires “lawsuit preparedness” drills. That means small businesses, especially, are generally unprepared when it happens.

In 2006, the federal courts adopted new rules and amendments to adapt to the real challenges of electronically stored information (ESI) in modern litigation. The old rules contemplated paper and commercial litigation was well beyond that. The first “one million document” cases had come in the 1980s, so it was about time.

“Quick! Start deleting everything!”

The first ESI challenges involved massive databases of documents and scanned images of millions of pages of paper files. As the usage of electronic mail grew through the 1990s, however, ESI discovery requests had to evolve as well, since so much information was never printed. An entire industry has now grown up around the electronic data discovery (EDD) needs on both sides of any large case.

But human nature is essentially unchanged. There are scores of stories about so-called “smoking gun” emails found before or during litigation that had significant effects on the outcome of each case. Remember the outcry in 1998 over the “independent” special master who was to preside over the Justice Department’s claims against Microsoft? (Story.) Oliver North’s emails—ones he was certain had been deleted—were recovered and used against him in litigation related to the Iran-Contra mess. In 2004, during a patent case by SCO Group against IBM over the Linux operating system, SCO found emails in the vast amount of data turned over by IBM that SCO said proved its case.

More recently, text messages have been used to unseat politicians and even initiate criminal prosecutions. Who can forget the Detroit mayor who was caught with his TXT down last year? (Story recap here.) He never imagined those messages still existed somewhere after he deleted them from his phone.

“That’s OK. I only use Instant Messaging.”
Technology has a way of changing faster than our laws and rules, but the present versions of those rules appear this time to adequately cover ESI no matter what software or communication system is used to create and send it. The rise of Twitter, FaceBook “Updates” and other social media systems for communicating outside a company’s firewall should cause most IT directors and risk management executives many sleepless nights. These systems are not under your control, the data is often not amenable to your internal backup and retention policies and, worst of all, they are almost always unencrypted, public communications.


“What should my organization do now?”

Let’s start with a recap of the definitions and rules:
□ ESI is any information stored in electronic form
□ All ESI is discoverable if relevant and reasonably accessible
□ Privileges and other exceptions to discovery can apply to ESI
□ ESI can be obtained from third parties (like your telco or hosting company)
□ At the outset of litigation, each party has an automatic duty to preserve ESI
□ Sanctions are available if a party is found to have intentionally destroyed ESI

The next task is to ensure you have appropriate policies and procedures in place and that you adhere to them as part of your normal course of business. If you back-up data every night, and keep those tapes for six weeks, for example, before recycling the media and overwriting each one, then the rules protect you from a sanctions claim for the data lost in that routine. That is, of course, until you get notice that a lawsuit has or is reasonably likely to occur. At that point, you must begin to save those media in a safe location with a clear chain of custody for each one.

If you do not routinely back-up and save ESI—such a the chat histories in your employee’s instant messaging programs or their Tweets on Twitter—there is enough ambiguity among the court decisions now that you are better off finding a way to do so the moment you learn that a lawsuit has been or is reasonably likely to be filed. This is going to present a challenge, of course, but consider the alternative: if the other party finds a way to get the data from a third party, would you want them to surprise you with it later in the litigation?

Other Resources

Here are some additional articles that I found useful:

“How Far is Too Far in e-Discovery?”, from Law.com’s “Legal Technology” section

“Messaging Mess”, from Inside Counsel

“The Conclusory Conclusion: Fourth Circuit Makes Seemingly Incorrect Evidentiary Ruling Regarding Admissibility Of Instant Messages”, from the EvidenceProf Blog

4 comments:

Carl said...

The discoverability of Enterpirse and Web 2.0 content is an issue far too many organization ignore - and shouldn't. See my blog post from Oct last year http://www.takingaiim.com/2008/10/km-e20-and-the.html

It discusses the issue along with a link to and article in The Economist - its bottom line is that for anyone who thinks that Enterprise 2.0 and Web 2.0 content is "personal", or in any way above the law - think again. In a class action suite between a group of families with daughters suffering from anorexia nervosa, and their medical insurance company, the courts ruled in favor of the insurance company, that any and all content posted by the daughters ("Facebook and MySpace profiles, instant-messaging threads, text messages, e-mails, blog posts and whatever else the girls might have done online") was discoverable. The plaintiff's objection that this violated the girls’ privacy was shot down by the court.

Lewis Kinard said...

Carl, thanks for the additional information and taking the time to comment. One reason I wrote this to the "non-lawyer" audience is because it has been difficult getting even IT director types to take this seriously.

I will share your blog post in a Tweet and grouplist post I am planning later today.

Thanks again!

wireyou said...

Once a petition is filed and an order to preserve is in effect does company policy protect it against what employees might IM, SMS, or Tweet on their own personal computing devices?

Are the employees personal computing devices eligible for discovery just like the companies systems?

Lewis Kinard said...

Depending on the scope and permissible reach of discovery in the case, you would not fare well relying on policy alone. Are you a "custodian" of that ESI under your jurisdiction's rules and appellate opinions? There is still enough unsettled in this area that policy alone is very risky.

Policies are easy to draft, harder to enforce and even harder to stand behind if the "custodians" of other ESI know of blatant acts that are intended to avoid the scope of EDD orders. I wouldn't want to be the one on the stand explaining why no one took any action after that order was signed....