Now that the “new year, new you” ad campaigns have finally stopped, it’s a good time to look at some of the 2022 decisions impacting the discovery space, trends that continue to emerge, and issues to keep in mind as you approach discovery this year.
As with email in the early 2000s, the legal system is struggling to figure out how to handle data from messaging and collaboration apps that don’t map neatly to the existing structures in place to handle paper-like discovery. As a result, a number of decisions in 2022 addressed issues surrounding how parties handle data from applications like Slack, Microsoft Teams, and WhatsApp across the entire breadth of the EDRM — from issues regarding preservation through to production.
Control over data generation and preservation is key
Retention capabilities and preservation obligations with respect to messaging and collaboration applications resulted in some interesting decisions last year.
For example, in the 2022 case regarding Elon Musk’s purchase of Twitter, it was discovered that Musk used the application Signal to communicate with key individuals about financial matters that witnesses admitted would include the purchase of Twitter. After the plaintiffs presented screenshots of Signal communications regarding the transaction obtained from a third party, the Court concluded Musk failed to preserve these messages: “It is reasonable to infer from Defendants’ representations and the apparent lack of any Signal messages in their production thus far that Musk used Signal’s automatic deletion feature.”
While the discovery dispute was made moot by the eventual close of the transaction and Musk’s purchase of Twitter, this case highlights the need to understand how custodians communicate, how they’ve set up their communications tools to retain messages (especially if using technology that has the ability to set retention periods or automatically deletes content), as well as the options available to preserve data created in those applications, if such capabilities exist.
Another case, Drips Holdings, LLC v. Teledrip LLC, highlights the need for parties to examine not only the software they use but also the administrative setup employed to ensure they meet their preservation obligations. Here, the judge issued sanctions for the intentional destruction of ESI and the failure to preserve ESI because the defendant not only failed to put preservation efforts into effect in its Slack instance for 10 months after the filing of the lawsuit, but also because, after becoming aware of the possibility of litigation, changed its Slack retention policy from indefinite to seven days, resulting in the destruction of potentially relevant information.
Technology competency is critical for lawyers
Today, 38 states have adopted a duty on technology competence. However, it can be difficult to articulate what exactly that constitutes to comply with these obligations.
The 2022 decision in Red Wolf Energy Trading, LLC v. BIA Capital Management, LLC, et al highlights the serious consequences that may befall litigants and their attorneys who are not prepared with sufficient technological skills or knowledge to identify and ask the right questions to avoid problems in the collection, searching, and production of Slack communications. In this case, a judge issued the rarest and most severe sanctions for discovery mistakes — a default judgment in favor of the plaintiffs — as a consequence of multiple failures to produce Google Workspace and Slack data. Defendants tried to argue that they could not find or afford technology or consultants that would have allowed them to search and produce Slack and Google Workspace data more effectively, but the court rejected this argument.
John A. Sten of Boston-based Armstrong Teasdale, the plaintiffs’ lead attorney, said, “At the end of the day, we’re officers of the court. At some point if you realize your client is unwilling to or incapable of doing this right, it’s going to fall on you,”
The judge found that the defendants’ actions constituted “extreme misconduct.” He noted that the “[d]efendants seek to excuse their repeated failures to produce potentially important documents by blaming people they employed for purportedly inadvertent errors.” The judge further noted that there is reasonable evidence the defendants’ may have deliberately failed to produce some Slack messages, given that there were 87 folders in the 2019 Slack archive that contained no data and data from Slack customer support confirmed that a "folder," meaning a channel, could be empty because a message was deleted.
As companies continue to embrace Slack and other collaboration platforms to conduct business, their attorneys must consider how they will collect, process, search, and review collaboration data in the event of litigation or regulatory inquiry. Lawyers need to be aware of the importance of understanding the data, systems, and available technologies in their case, as well as how data can be retrieved, searched, reviewed, and produced from those systems. In addition, they must be able to analyze the data received from their clients to understand (perhaps with a consultant’s assistance) if any gaps exist and be able to understand what such gaps mean from a technical perspective.
In another, more sensational case, the attorney for far-right radio host Alex Jones in a Texas defamation case brought by the families of victims of the Sandy Hook mass shooting inadvertently produced an entire copy of Mr. Jones’ phone via a link to a cloud-based storage system. After being alerted by the plaintiffs’ attorney that the link included what appeared to be confidential information and attorney work product from a related Connecticut case, Jones’ lawyer failed to properly claw back the initial link, provide a new link to the correct documents, or assert any specific claims of privilege over the information produced as required under the Texas rules of civil procedure and ethics rules. As a result, Mr. Jones was impeached on the stand, and his attorney not only faces a potential malpractice suit in Texas but also faced possible disciplinary action in Connecticut for potential violations of state and federal law by providing access to confidential medical records of the Connecticut plaintiffs in the Texas case.
This case highlights the need for attorneys to have the technical knowledge to competently protect client confidential information, the need to supervise the transmission of information to opposing counsel, in addition to the ability to investigate statements by their clients on the existence of certain data types before making representations to the court and parties. As the judge in the case noted: the text messages should have been disclosed years before the start of the trial.
Commingling personal and business communications create complications
Even regulators got in on the conversation around communications in messaging apps last year, particularly as it relates to the use of personal devices and unauthorized applications used to conduct business.
In a September 2022 memo from the Department of Justice, the agency sent a message to the business community that if they want cooperation credit, they need to be able to demonstrate they’ve implemented effective policies governing the use of personal devices and third-party messaging platforms for corporate communications. Specifically, “prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.”
Meanwhile, on September 27, 2022, the SEC published settlement orders against 11 leading financial institutions and their affiliates for record-keeping violations and the failure to supervise, resulting in civil monetary penalties that collectively exceeded $1.1 billion. On the same day, the CFTC ordered 11 swap dealers and futures commission merchants to pay a total of $710 million dollars in fines for similar violations.
What did these companies do that resulted in these penalties? The SEC and CFTC found that the financial institutions failed to control the use of unapproved methods of communication for business purposes — such as WhatsApp, personal email, text messages, and ephemeral messaging applications like Signal and Telegram — resulting in the failure to maintain thousands of business-related communications, including communications related to investment strategy, client meetings, and market activity.
On the civil side of things, having a defined bring your own device (BYOD) policy is critical to figuring out how to respond to requests for text messages and other data that may live on personal devices. In the In re Pork Antitrust Litigation case, the plaintiffs sought text messages from currently employed custodians, arguing the defendant had an obligation to image text messages from all of its custodians’ personal phones and cloud backups because their corporate BYOD policy required employees to use their personal phones for business purposes. The court disagreed, holding that there was no obligation for the defendants to produce the text messages as they did not have the legal right to obtain the text messages on personally owned cell phones. The judge found that plaintiffs misconstrued the defendant’s BYOD policy because nothing in the policy required any employee to use a personally owned phone to conduct business activities. Importantly the court noted that just because a defendant may have “a practical ability to demand” the employees turn over their personal devices doesn’t mean that the defendant had “control” over the devices for the purposes of discovery.
This case exemplifies the current minefield surrounding an employer’s possession, custody, and control of data generated on employees’ personal devices (or even the corporate data stored on those devices). While employers have legitimate concerns about violating privacy regulations by accessing employee devices to collect or preserve data without the right authorization, those seeking the data may still have a legitimate interest in the information. This push/pull highlights the need for corporations to have carefully crafted BYOD policies and for attorneys to obtain those policies early in the course of representation in order to fully understand the scope of the information under corporate control.
What do these cases all tell attorneys as we move into 2023? Understanding the rights of a corporation to access data, how employees communicate, and how data is stored (not to mention how you can collect, review, and produce the resulting data) can help immensely in preparing for meet and confer with opposing parties and help avoid costly discovery disputes.