One of the bombshells in the DeflateGate saga was the revelation that Tom Brady had his cell phone destroyed shortly before meeting with the National Football League’s investigators. According to the NFL’s written decision suspending Brady, Brady knew that the investigators wanted access to text messages on the phone he had when the AFC Championship was played. Even so, Brady instructed his assistant to dispose of the phone—just four months after starting to use it. The dubious circumstances surrounding the disappearance of the phone greatly hurt Brady’s credibility in NFL Commissioner Roger Goodell’s eyes and were instrumental to his eventual decision to discipline Brady.
There are HR lessons to be learned from this story. An employee’s mobile device can contain information you need for an investigation or lawsuit. So what can you do to get access to the device or the data on it now that employees frequently use their personal devices for work?
Adopting a Bring Your Own Device (BYOD) work policy is a good start. At a minimum, a BYOD policy should reserve the company’s right to access any electronic device an employee uses for work, even if the employee owns it. The policy should also state upfront that employees have no expectation of privacy in data stored on their personal devices – that’s the tradeoff for letting them connect to the company network.
After establishing the ability to take possession of employee-owned devices, think through the steps for preserving data on the devices before it’s too late. One measure is to issue a “litigation hold” instructing employees not to destroy a device or delete data from it. Be specific about the kinds of data they need to preserve. A crucial element of a litigation hold is an instruction to suspend routine purging of data or equipment – much like Brady’s practice of destroying his old phone whenever he got a new one. The litigation hold should be issued as soon as you know that a lawsuit or investigation is coming.
Next, determine the kind of electronic information you want. Preservation and extraction methods differ depending on the kind of data. Text messages need to be preserved quickly because once they’re deleted off a phone or tablet, it’s difficult to find a copy of them elsewhere. As Brady learned when he tried accessing text messages on his missing phone through his wireless carrier, carriers don’t keep subscribers’ text messages on their servers for very long, and they typically delete the messages after delivery to the recipient. Emails have a longer shelf life, especially if they’re stored in a web-based account like Gmail or Yahoo or transmitted through company servers.
Be proactive and act quickly. Don’t let your hopes of getting the electronic evidence you need get deflated.
Have you ever been tempted to delete a social media message you posted that exposes you or your company to liability? That post that seemed like a harmless joke but now could turn into evidence in a wrongful termination lawsuit. Or that photo that could cast you in an unflattering light. If it ever crossed your mind that no one would notice if you simply pressed the “delete” button, here’s a case illustrating why succumbing to the temptation doesn’t end well.
In Crowe v. Marquette Transportation Company, Gulf-Inland, LLC, 2015 WL 254633 (E.D. La. Jan. 20, 2015), Brannon Crowe sued his employer, Marquette, for injuries he sustained due to an accident that allegedly occurred at work. Marquette discovered a Facebook message Crowe had allegedly sent to a co-worker in which he admitted injuring himself while fishing. This prompted Marquette’s lawyers to serve Crowe with a discovery request for a complete copy of Crowe’s Facebook history.
Crowe’s response to the request was that he didn’t “presently” have a Facebook account. When confronted in his deposition with a printout of a Facebook message that appeared to have been sent from an account with the username “Brannon CroWe,” Crowe claimed that he stopped having a Facebook account around October 2014, and that his account had been hacked. To substantiate his hacking claim, Crowe pointed out rather unconvincingly that, unlike the username on the printout, there’s no capital “W” in his name.
Crowe wasn’t entirely forthcoming. Although Crowe was technically correct that he didn’t have an active Facebook account when he responded to the request in December 2014, the truth was that Crowe deactivated his Facebook account four days after receiving the discovery request in October 2014. To make things worse for Crowe, data in a deactivated Facebook account isn’t deleted. A deactivated Facebook account can be reactivated at any time. Needless to say, the court was displeased with Crowe’s attempts to evade discovery. The court ordered Crowe to provide Marquette with his entire Facebook account history and the login information for all his Facebook accounts.
Although Crowe involved an employee who tried to hide unhelpful social media information, the lessons from the case apply equally to employers. Deactivating a social media account doesn’t necessarily shield information in the account from discovery because the information is probably still available. Deleting a social media account also doesn’t always mean the information in the account is gone forever. It’s not unusual for social media providers to store deleted user data on their servers before permanently deleting the information. And even if social media information is truly deleted, that in itself can be problematic. A person (or company) has a duty to preserve evidence that’s relevant to reasonably anticipated litigation. Violating the duty to preserve can lead to unpleasant consequences, including court sanctions.
Learn from Crowe’s example. The next time you’re tempted to dispose of an incriminating Facebook post, deactivate the temptation, not your Facebook account.
The Hawaii Judiciary is proposing amendments to the Hawaii Rules of Civil Procedure (HRCP) to address e-discovery issues. The deadline for submitting comments is April 17, 2014. The proposed amendments are available here.
Some of the more notable changes being proposed are:
- The addition of references to “electronically stored information” (ESI) to Rule 26 (general discovery provisions), Rule 30 (depositions), Rule 33 (interrogatories), Rule 34 (document requests), Rule 37 (discovery sanctions and motions to compel), and Rule 45 (subpoenas)
- Amended Rule 26 expressly permits discovery of ESI with the caveat that a party need not provide discovery of ESI from sources that are not reasonably accessible because of undue burden or expense. The party claiming undue burden or expense has the burden to make that showing. However, even if the showing is made, a court may still order disclosure or discovery of ESI for good cause.
- Amended Rule 34 allows document requests to specify the form in which documents or ESI are to be produced. The responding party may object to the requested form, and if it does so, it must state the form it intends to use. If a request does not specify a form for producing the requested documents or ESI, the responding party must produce the requested materials in the form in which they are ordinarily maintained or in a form that is reasonably usable. A party does not need to produce the same documents or ESI in more than one form absent a showing of good cause.
- Amended Rule 37 prohibits a court from imposing sanctions for failure to provide ESI lost as a result of routine, good-faith operation of an electronic information system absent exceptional circumstances.
- Amended Rule 45 would address requests for, and production of, ESI in the context of subpoenas.
For more information on the proposed amendments, visit the Judiciary’s website. To submit comments online, click here.
Cyberbullying. Employer social media password requests. Crowdfunding. Those were some of the hot tech topics that the Hawai‘i State Legislature grappled with this session. (See my post on Internet related legislative proposals in the 2013 session). The bills addressing those topics didn’t pass, however. In fact, none of the bills listed in my chart of Internet Related Legislative Proposals survived. The closest to passing, perhaps, were two bills prohibiting employer requests to employees to disclose their personal social media account information, but the bills got stuck in committee.
That’s not to say that the 2013 session was completely devoid of tech. I’ve prepared a chart of all the bills related to electronic, digital, and information technology that the Hawai‘i State Legislature passed this session. (Many thanks to the Legislative Reference Bureau for providing the summaries that are incorporated into the chart). Governor Neil Abercrombie has already signed some of the bills into law. Others are pending a decision from the Governor. To summarize, the legislature this year addressed:
- Adoption of the Uniform Electronic Legal Material Act
- Portable electronics insurance
- Clarification of relationship between Uniform Commercial Code Article 4A and Electronic Fund Transfer Act
- Licensing requirements for telemedicine practitioners employed by the U.S. Department of Defense
- Duties of the State Chief Information Officer
- Electronic posting of reports of Department of Health inspection of state licensed care facilities
- Availability of State open data
- Approval of broadband related permits
- Tax credits for film and digital media industry
- Ban on use of mobile electronic devices while operating a motor vehicle
For summaries of all the bills that passed this session, read the full LRB report. For even more information visit the Legislature’s website for the full text of bills, committee reports, and testimony. I’ll update the chart after the Governor’s veto deadline has passed, so check back in a while.
Single words and subject lines in electronic messages are “content” protected by the Stored Communications Act—Optiver Australia Pty, Ltd. v. Tibra Trading Pty. Ltd. & Ors., 2013 WL 256771 (N.D. Cal. Jan. 23, 2013)
Optiver sued its former employees in Australia for allegedly stealing its proprietary source code and using the code to start a competing company, Tibra. The Australian court allowed Tibra to conduct discovery of emails from Google after finding Tibra’s discovery responses inadequate. Optiver subpoenaed Google to produce documents relating to emails and Google Talk messages containing the terms “PGP” or “Optiver.” Tibra moved to quash the subpoena, arguing that Optiver was improperly requesting the content of communications in violation of the Stored Communications Act (SCA).
Optiver countered with three arguments. First, “PGP” is the name of an encryption system, not content. Second, Optiver said that it wanted the documents not to discover the substance of the communications, but to locate communications that might be relevant to the foreign litigation. Third, if the email has been encrypted through PGP, Optiver cannot access the content without the proper encryption key and pass phrase, which it did not have. The court was unpersuaded. Content is content, no matter how insignificant, the court said. The words “PGP” or “Optiver” in the body of a message qualify as content that the SCA protects.
Optiver also argued that subject lines of email communications and Google Talk messages are not protected by the SCA and should be disclosed. Wrong again, the court said. The subject line is “nothing less than a pithy summary of the message’s content.” For support, the court pointed to the legislative history of the SCA.