Suppose an email from your company’s in-house attorney instructs you to preserve all documents relating to an ex-employee who is threatening to sue for wrongful termination. In the days before smartphones and cloud storage, this would have been a relatively limited exercise: paper documents would be set aside and files on the company server would be backed up. But work-related data can be stored in many places today, including personal devices of employees. Is a company required to preserve such data?
Costco Wholesale recently faced that issue in an employment discrimination and retaliation lawsuit. See Cotton v. Costco Wholesale Corp., 2013 WL 3819974 (D. Kan. July 24, 2013). The plaintiff asked Costco to produce text messages on the personal cell phones of two of its employees who mentioned the plaintiff or his allegations. Costco objected on the grounds that the discovery request required it to invade the privacy of its employees, and there was no indication that the employees sent inappropriate text messages or used their personal phones for work purposes. The court denied the request, determining that Costco did not have possession, custody, or control of the text messages.
Although the court in the Cotton case ruled that the employer had no duty to produce information stored on the personal devices of the employees in question, the outcome might have been different if the facts had changed even slightly. Courts in other jurisdictions might also have taken a contrary approach.
The law in this area is far from clear, but following the guidelines below will help a company address e-discovery issues in their policy on personal electronic devices. An easy way to remember the guidelines is to think of the acronym “APPS”:
- Access: Reserve the right to access personal devices that store work-related data. Access is crucial if the company is legally required to collect and produce data residing in the personal devices of an employee.
- Permission: Clearly specify what personal devices employees are authorized to use for work-related purposes, if any. Consider keeping a log of authorized personal devices and require employees to update the log whenever they start using a new authorized device or retire an existing one. Your company’s document retention policy should extend to authorized devices.
- Privacy: Notify employees that they should have no expectation of privacy to data stored on a personal device if they use the device for work purposes. This prevents the company from being liable for invasion of privacy should it need to search the contents of a personal device to respond to a discovery request.
- Segregation: If possible, segregate work-related content from personal content on personal devices. Segregation can be implemented with software solutions, but if that is not feasible, at a minimum, instruct and train employees who use a personal device for work on how to keep their personal information separate from work data stored on the device. For example, storage of work-related data in a personal cloud storage account should be prohibited.
Follow the above guidelines to avoid getting caught off-guard by e-discovery requests.
Single words and subject lines in electronic messages are “content” protected by the Stored Communications Act—Optiver Australia Pty, Ltd. v. Tibra Trading Pty. Ltd. & Ors., 2013 WL 256771 (N.D. Cal. Jan. 23, 2013)
Optiver sued its former employees in Australia for allegedly stealing its proprietary source code and using the code to start a competing company, Tibra. The Australian court allowed Tibra to conduct discovery of emails from Google after finding Tibra’s discovery responses inadequate. Optiver subpoenaed Google to produce documents relating to emails and Google Talk messages containing the terms “PGP” or “Optiver.” Tibra moved to quash the subpoena, arguing that the Optiver was improperly requesting the content of communications in violation of the Stored Communications Act (SCA).
Optiver countered with three arguments. First, “PGP” is the name of an encryption system, not content. Second, Optiver said that it wanted the documents not to discover the substance of the communications, but to locate communications that might be relevant to the foreign litigation. Third, if the email has been encrypted through PGP, Optiver cannot access the content without the proper encryption key and pass phrase, which it did not have. The court was unpersuaded. Content is content, no matter how insignificant, the court said. The words “PGP” or “Optiver” in the body of a message qualify as content that the SCA protects.
Optiver also argued that subject lines of email communications and Google Talk messages are not protected by the SCA and should be disclosed. Wrong again, the court said. The subject line is “nothing less than a pithy summary of the message’s content.” For support, the court pointed to the legislative history of the SCA.
Discovery of Social Media Content Relevant to “Mental State” — Reid v. Ingerman Smith LLP, 2012 WL 6720752 (E.D.N.Y. Dec. 27, 2012)
Plaintiff Karissa Reid sued her employer for damages resulting from alleged sexual harassment. The defendants in the case requested discovery of information and documents relating to Reid’s social media accounts. The defendants argued that the postings and photographs from the public portions of Reid’s Facebook account contradicted her claims of emotional distress due to her alleged sexual harassment and termination. The defendants asked for discovery of the non-public portions of Reid’s Facebook account.
The court allowed discovery into the private portions of Reid’s Facebook account, finding that the publicly available portions of the account provided probative evidence of her mental and emotional state and could reveal the range of her activities—an important check against allegations that she no longer engaged in certain activities as a result of mental anguish. Although disclosure of Reid’s personal social media account could raise privacy concerns, the court ruled that privacy alone does not justify shielding information from discovery. The court cited the example of personal diaries, which are discoverable if they contain relevant information regarding contemporaneous mental states and impressions of parties. By analogy, the fact that Reid used privacy settings to allow only certain Facebook friends to see her postings did not give her a justifiable expectation of privacy as to the content posted on her social media accounts.
The court stopped short of ordering disclosure of everything in Reid’s social media accounts. The appropriate scope of discovery, according to the court, includes social media communications and photographs “that reveal, refer, or relate to any emotion, feeling, or mental state . . . [and] that reveal, refer, or relate to events that could reasonably expected to produce a significant emotion, feeling, or mental state.”
Court quashes subpoena to discover identity of anonymous bloggers after ruling that the bloggers’ statements are not defamatory — Somerset Development, LLC v. “Cleaner Lakewood”, 2012 WL 4370271 (N.J. Super. Ct. App. Div. Sept. 26, 2012)
This case shows how difficult it is to sue for statements made anonymously on the Internet. The plaintiff (Zucker) is the developer of a real estate project in the New Jersey township of Lakewood. Zucker learned through discussions with members of the Lakewood community that certain individuals anonymously posted statements on a blog hosted by Google’s Blogspot service. Zucker sued the blog operator and the anonymous individuals who posted on the blog. Zucker subpoenaed Google for information that would lead to the identification of the anonymous individuals.
The trial court quashed the subpoena, finding that the anonymous statements were not defamatory. The Appellate Division upheld the quash order. The court noted that Section 230 of the Communication Decency Act provides immunity to website operators who republish comments of others or block certain offensive materials. As for the anonymous posters, the court noted that there is a general, but not absolute, right under the First Amendment to speak anonymously. To balance the First Amendment right to speak anonymously against an individual’s right to protect its proprietary interests and reputation, the Appellate Division had set up a four-part test in Dendrite International, Inc. v. John Doe No. 3, 775 A.2d 756 (N.J. Super. Ct. App. Div. 2001):
1. The plaintiff must “undertake efforts to notify the anonymous posters that they are the subject of a subpoena or application for an order of disclosure, and withhold action to afford the fictitiously-named defendants a reasonable opportunity to file and serve opposition to the application.” Zucker satisfied this requirement by posting the subpoena on the blog under each offending post.
2. The plaintiff must “identify and set forth the exact statements purportedly made by each anonymous poster that plaintiff alleges constitutes actionable speech.” Zucker satisfied this requirement by highlighting the specific comments he alleged were defamatory in connection with posting the subpoena on the blog.
3. The court must determine whether the plaintiff has established a prima facie cause of action against the anonymous defendants. This is where Zucker’s effort to discover the identity of the anonymous poster gets stop cold. One of the elements of a defamation claim is that the statements at issue must have “defamatory meaning.” The anonymous posters had made statements like Zucker “short changed the taxpayers with millions”, “paved the way for the senior vote by stealing 6 million in tax dollars”, and “is behind all the anti hh propaganda going around[.]” Other commenters called him a “rip off artist” and “under the table crook.” As much as such comments were strongly-worded, the court ruled that expressions of opinion on matters of public concern and “rhetorical hyperbole” are not actionable.
4. The plaintiff should file a request for discovery with the court, along with a statement justifying the specific discovery requested and identifying a limited number of persons or entities who are likely to produce identifying information about the anonymous defendant. The court did not get to this prong of the test because Zucker could not meet the third prong.
The challenge presented by the Dendrite test, or at least in the way it was applied here, is that it pre-judges the merits of a case even before the plaintiff has a chance to serve the complaint on the anonymous defendant. Take the court’s ruling on defamatory meaning, for example. Yes, the question of whether a statement is capable of defamatory meaning is a matter of law for the court to decide. But courts usually rule on the issue in deciding a motion to dismiss or motion for summary judgment. Here, the court ruled that the plaintiff is a public figure (thus triggering the heavy “actual malice” requirement) and that the statements in question were not defamatory as a matter of law before the complaint was even served. Under the Dendrite test, the plaintiff would have to successfully litigate those issues just to get the information they need to serve the complaint. That seems a tad bit backwards.
Twitter will appeal the recent decision of a New York court ordering it to turn over the tweets of an Occupy protester being prosecuted for disorderly conduct. Twitter’s legal counsel, Benjamin Lee (@BenL) , announced the decision in a tweet (how appropos). Read the Wall Street Journal story here. We’ll follow the appeal.