One of the bombshells in the DeflateGate saga was the revelation that Tom Brady had his cell phone destroyed shortly before meeting with the National Football League’s investigators. According to the NFL’s written decision suspending Brady, Brady knew that the investigators wanted access to text messages on the phone he had when the AFC Championship was played. Even so, Brady instructed his assistant to dispose of the phone—just four months after starting to use it. The dubious circumstances surrounding the disappearance of the phone greatly hurt Brady’s credibility in NFL Commissioner Roger Goodell’s eyes, and were instrumental to his eventual decision to discipline Brady.
There are HR lessons to be learned from this story. An employee’s mobile device can contain information you need for an investigation or lawsuit. So what can you do to get access to the device or the data on it now that employees frequently use their personal devices for work?
Adopting a Bring Your Own Device (BYOD) work policy is a good start. At a minimum, a BYOD policy should reserve the company’s right to access any electronic device an employee uses for work, even if the employee owns it. The policy should also state upfront that employees have no expectation of privacy in data stored on their personal devices – that’s the tradeoff for letting them connect to the company network.
After establishing the ability to take possession of employee-owned devices, think through the steps for preserving data on the devices before it’s too late. One measure is to issue a “litigation hold” instructing employees not to destroy a device or delete data from it. Be specific about the kinds of data they need to preserve. A crucial element of a litigation hold is an instruction to suspend routine purging of data or equipment – much like Brady’s practice of destroying his old phone whenever he got a new one. The litigation hold should be issued as soon as you know that a lawsuit or investigation is coming.
Next, determine the kind of electronic information you want. Preservation and extraction methods differ depending on the kind of data. Text messages need to be preserved quickly because once they’re deleted off a phone or tablet, it’s difficult to find a copy of them elsewhere. As Brady learned when he tried accessing text messages on his missing phone through his wireless carrier, carriers don’t keep subscribers’ text messages on their servers for very long, and they typically delete the messages after delivery to the recipient. Emails have a longer shelf life, especially if they’re stored in a web-based account like Gmail or Yahoo or transmitted through company servers.
Be proactive and act quickly. Don’t let your hopes of getting the electronic evidence you need get deflated.
The Hawaii Judiciary is proposing amendments to the Hawaii Rules of Civil Procedure (HRCP) to address e-discovery issues. The deadline for submitting comments is April 17, 2014. The proposed amendments are available here.
Some of the more notable changes being proposed are:
- The addition of references to “electronically stored information” (ESI) to Rule 26 (general discovery provisions), Rule 30 (depositions), Rule 33 (interrogatories), Rule 34 (document requests), Rule 37 (discovery sanctions and motions to compel), and Rule 45 (subpoenas)
- Amended Rule 26 expressly permits discovery of ESI with the caveat that a party need not provide discovery of ESI from sources that are not reasonably accessible because of undue burden or expense. The party claiming undue burden or expense has the burden to make that showing. However, even if the showing is made, a court may still order disclosure or discovery of ESI for good cause.
- Amended Rule 34 allows document requests to specify the form in which documents or ESI are to be produced. The responding party may object to the requested form, and if it does so, it must state the form it intends to use. If a request does not specify a form for producing the requested documents or ESI, the responding party must produce the requested materials in the form in which they are ordinarily maintained or in a form that is reasonably usable. A party does not need to produce the same documents or ESI in more than one form absent a showing of good cause.
- Amended Rule 37 prohibits a court from imposing sanctions for failure to provide ESI lost as a result of routine, good-faith operation of an electronic information system absent exceptional circumstances.
- Amended Rule 45 would address requests for, and production of, ESI in the context of subpoenas.
For more information on the proposed amendments, visit the Judiciary’s website. To submit comments online, click here.
Suppose an email from your company’s in-house attorney instructs you to preserve all documents relating to an ex-employee who is threatening to sue for wrongful termination. In the days before smartphones and cloud storage, this would have been a relatively limited exercise: paper documents would be set aside and files on the company server would be backed up. But work-related data can be stored in many places today, including personal devices of employees. Is a company required to preserve such data?
Costco Wholesale recently faced that issue in an employment discrimination and retaliation lawsuit. See Cotton v. Costco Wholesale Corp., 2013 WL 3819974 (D. Kan. July 24, 2013). The plaintiff asked Costco to produce text messages on the personal cell phones of two of its employees who mentioned the plaintiff or his allegations. Costco objected on the grounds that the discovery request required it to invade the privacy of its employees, and there was no indication that the employees sent inappropriate text messages or used their personal phones for work purposes. The court denied the request, determining that Costco did not have possession, custody, or control of the text messages.
Although the court in the Cotton case ruled that the employer had no duty to produce information stored on the personal devices of the employees in question, the outcome might have been different if the facts had changed even slightly. Courts in other jurisdictions might also have taken a contrary approach.
The law in this area is far from clear, but following the guidelines below will help a company address e-discovery issues in its policy on personal electronic devices. An easy way to remember the guidelines is to think of the acronym “APPS”:
- Access: Reserve the right to access personal devices that store work-related data. Access is crucial if the company is legally required to collect and produce data residing in the personal devices of an employee.
- Permission: Clearly specify what personal devices employees are authorized to use for work-related purposes, if any. Consider keeping a log of authorized personal devices and require employees to update the log whenever they start using a new authorized device or retire an existing one. Your company’s document retention policy should extend to authorized devices.
- Privacy: Notify employees that they should have no expectation of privacy in data stored on a personal device if they use the device for work purposes. This prevents the company from being liable for invasion of privacy should it need to search the contents of a personal device to respond to a discovery request.
- Segregation: If possible, segregate work-related content from personal content on personal devices. Segregation can be implemented with software solutions, but if that is not feasible, at a minimum, instruct and train employees who use a personal device for work on how to keep their personal information separate from work data stored on the device. For example, storage of work-related data in a personal cloud storage account should be prohibited.
Follow the above guidelines to avoid getting caught off-guard by e-discovery requests.
Social media can be risky business. Whether an organization embraces or ignores social media, it or its employees probably already have a presence on a social network. That simple reality can be costly for an organization without proper measures in place to deal with the risks of social media misconduct. Readers of this blog are familiar with cases where businesses saw their reputations marred by employees who posted embarrassing photos online about work mishaps or found themselves in legal trouble for firing an employee who vented on Facebook about a co-worker.
To help organizations manage the risks of social media activity, I’m proud to introduce SM Safety, a new line of services offered by my law firm. The approach of SM Safety can be summarized in three words, each corresponding to a level of service that meets a particular need: checkup, plan, and audit.
A SM Safety Checkup is a low-cost way to ensure that an existing social media policy is legally compliant and effective.
A SM Safety Plan is for organizations who need assistance with preparing a new social media policy or enhancing an existing policy.
A SM Safety Audit is a comprehensive review of an organization’s overall presence in the social media space to identify exposure to legal risks due to social media use.
Each SM Safety service is offered for a flat fee. To learn more about SM Safety or to obtain a quote, visit the SM Safety Services page on this site.
Lisa Jackson’s discrimination and sexual harassment lawsuit against Paula Deen settled last Friday, but not before Deen tried to remove Jackson’s attorney for publicly disparaging her on social media. A court order filed hours before the settlement reveals that in March, Deen’s lawyers filed a motion for sanctions against Matthew C. Billips, the lawyer who represented Jackson (read the motion here). The motion alleges that Billips made offensive remarks about Deen on Twitter. Some of the more eyebrow-raising tweets included:
“I’ve been doing Paula Deen, in a strongly metaphorical sense”
“I plan on undressing [Deen]” (in reference to an upcoming deposition of Deen)
“Now talk about fun, suing Paula Deen is a hoot!”
In another Twitter conversation about Deen’s diabetes, Billips allegedly referred to Deen’s food with the hashtag #buttercoatedbuttercookies.
Based on Billips’ tweets and his discovery practices, Deen’s lawyers asked the court to disqualify him from continuing to represent Jackson. As the August 23 court order shows, the judge declined to disqualify Billips, but was open to imposing some form of sanctions against him. The judge has indicated that the settlement will not stop the court from sanctioning Billips despite Deen’s lawyers’ attempt to withdraw their sanctions motion in light of the settlement. Billips has 20 days as of Friday to show why he should not be sanctioned.
This cautionary tale teaches litigants (and their attorneys) not to discuss pending cases on social media. Posts on social networks like Facebook and Twitter can be publicly accessible, are potentially discoverable, and can be the basis for a defamation lawsuit. There’s little to be gained and much to lose by talking about a lawsuit online. For that reason, lawyers now commonly instruct their clients in their retainer agreements not to discuss the case with anyone on social media, even family and friends. Lawyers would do well to follow their own advice.