This article was originally published in Law360 on June 16, 2023, and is republished here with permission.
In the modern workforce, employees are increasingly utilizing private messaging apps such as WhatsApp Messenger, GroupMe, Signal and Telegram Messenger, as well as interoffice apps such as Skype, Microsoft Teams and Slack, to discuss business transactions and operations.
The rise in popularity and use of these apps across various types of devices raises serious questions about the ownership, security and privacy of business and personal data, as well as the increasing costs associated with collecting these business communications in e-discovery. These are among the hurdles with chat-based e-discovery, many of which were discussed at a recent legal technology leadership conference, the Master’s Conference, hosted by Seyfarth Shaw LLP.
Below, we discuss several of these hurdles and suggest potential solutions.
Can the data still be accessed later?
Private messaging apps are marketed to the public as a more secure way to communicate than traditional text messages, particularly through their use of end-to-end encryption to protect the privacy of conversations.
Increasingly, employees are using such apps to conduct business transactions and communicate with each other and with their employer’s clients. Employees are often motivated by the privacy aspect of these apps while the employer’s interest often centers on data governance and information security.
If an employer finds itself in litigation and the data on a personal device is potentially relevant and responsive, the end-to-end encryption and security aspects of various apps may hurt rather than help.
For instance, in situations where employees are no longer employed or are noncooperative in litigation, their messages may be difficult to obtain if stored on encrypted servers or if an auto-delete feature is overlooked. Employees may not employ the same data retention procedure on their personal devices that their employer follows on company-owned devices, meaning messages transmitted via personal devices may not be stored long enough to be collected, potentially exposing employers to claims of spoliation or destruction of evidence.
On the other hand, apps that advertise end-to-end encryption lead many employees and/or employers to believe the content of a chat is never again accessible or recoverable. This is not always the case.
Private, confidential or even embarrassing chats that were believed to have been auto-deleted or “encrypted” may surface publicly during litigation once an e-discovery or digital forensics expert gets involved.
To increase the chances of avoiding this issue, employers may want to implement policies that prohibit employees from conducting business on specific communications apps from which it may be difficult to retrieve data.
Employers can also issue work communications devices to employees with a strict requirement that those devices will be returned to the employer upon separation, which reduces instances where the data walks out the door with the employee.
Increasing Litigation Costs
In many cases, private messaging apps that are viewed as secure, private or confidential can be a rich source of evidence of the unfiltered thoughts and opinions of relevant parties and witnesses.
For example, in an employment discrimination case, which requires proof of intentional conduct, private messages exchanged between managers about the complaining employee can be highly relevant to the employer’s intent.
However, the relevance of private messages in litigation is not always clear-cut and can require an extensive amount of time searching through very sensitive or privileged chats — think, texts between spouses — just to find one relevant conversation.
The sheer volume of data and metadata stored and tracked by electronic devices across an increasing number of personal messaging apps can make searching for relevant data in discovery exceptionally costly and intrusive of employee privacy rights.
In modern cases, the engagement of forensic experts to access the data and extract relevant information is more the norm than the exception, and forensic imaging is often billed at a per-device, per-app and per-hour rate.
To address these concerns, some jurisdictions have implemented rules and guidelines around the use of private messaging apps in litigation.
For example, the Federal Rules of Civil Procedure require parties to exchange relevant electronically stored information as part of the discovery process. This includes private messages exchanged through messaging apps. However, the rules also recognize that the cost of discovery can be a significant burden on the parties involved, and allow for the court to order cost-shifting or other measures.
One thing that employers concerned about their already stretched-thin litigation budgets can do is establish relationships and communications channels with multiple discovery vendors, which can deliver two key benefits: (1) keeping costs down when those services are utilized, particularly if the employer identifies vendors willing to proceed on a flat fee arrangement, and (2) providing concrete details on costs that are necessary to support a claim that the requested discovery is unduly burdensome.
Who Owns the Device and the Data?
Another serious issue today is determining who owns the device and who owns the data.
If an employee uses their personal device for work purposes, but the device was paid for by their employer, then the employer may have some degree of control over the device and the data it contains.
Similarly, if an employee uses a company-owned device for both personal and work purposes, then the employer may have some clear rights to access and control the data on the device.
The situation becomes far murkier when employees use their personal devices for work purposes and pay for the device themselves. In this case, employees may have a stronger argument to deny their employer access to the device and data stored on it, absent a subpoena or court order.
To avoid these types of conflicts, proactive employers establish clear policies around the use of personal electronic devices for work purposes. These policies should address issues such as data ownership, data security and the employee’s obligations to protect and limit use of company data.
By establishing clear guidelines around the use of personal electronic devices, employers and employees can avoid potential legal disputes and ensure that both parties understand their rights and responsibilities.
In a world of exponential advances in electronic technology and data tracking, gone are the days of locks on filing cabinets constituting adequate security.
Employers now more than ever need to be proactive in assessing the flow of business data across their employees’ electronic devices, establishing policies and procedures designed to manage litigation costs and control the access and ownership of proprietary data.