Womble Bond Dickinson’s The Evolving Dance thought leadership series continued with a look at current challenges involving data retention and e-discovery. In particular, the session looked at employee use of personal devices for business purposes, as well as a growing trend by digital messaging platforms to automatically delete messages shortly after they are delivered. This article is taken from that panel discussion. The speakers were:

Data retention is hardly a new concern for in-house counsel, but the complexity and burden of these demands continues to grow. The days of simply collecting emails are long gone—today’s data retention involves texts, instant messaging, social media DMs and numerous other platforms supporting electronic communications. Often, these messages are encrypted or deleted automatically for security reasons, making them even more difficult to collect. 

They also often are generated from personal cell phones, not company-owned devices. While Walton refers to this practice as “B.Y.O.D.—Bring Your Own Disaster,” it nevertheless remains common in many workplaces and adds yet another layer of complexity to the data collection challenge.

“What we’re seeing in practice is that all the ways you communicate on mobile devices are the same things we’re seeing in the corporate environment,” Walton said. “Your mobile phone is your lifeline to the world.”

A Wide Range of Tools = A Vast Array of Challenges

Employees now have many different platforms in which to communicate, both for official and personal use. For international business, WhatsApp is popular in Europe and South America, while many Chinese companies use WeChat. Other common messaging platforms include Slack, Microsoft Teams, iMessage, Signal, Telegram, and Reddit.

Then there is the subsection of messaging apps that employ ephemeral messaging. These messages only exist for a limited period of time, then are deleted automatically from the app. SnapChat famously pioneered this feature (much to the chagrin of many teenagers’ parents) but many other apps now employ ephemeral messaging. 

Sometimes, that deleted data still may be recovered, but that depends on the device, the type and version of the app and other factors. Privacy is an attractive feature to customers, Walton said, so manufacturers are working to make deleted messages unrecoverable.

“We’ve overcorrected in the other direction. Now, I hear people say, ‘We can always recover deleted data’ and that’s not necessarily the case. Sometimes, things are deleted and truly unrecoverable,” he said.

"I hear people say, ‘We can always recover deleted data’ and that’s not necessarily the case."

Clark Walton, Managing Director, Reliance Forensics

In-house counsel need to consider if ephemeral messaging apps should be used in a workplace setting since their messages may not be recoverable.

In addition, users may store company information on a cloud storage account. The panelists said this creates tricky data ownership questions: If the data is generated on a company device, but stored on a personal cloud account, who ultimately controls it? Does the company have the right to access it? Another consideration is that users may store sensitive company information on cloud accounts, exposing that data to potential theft or misuse.

So should companies simply ban employees from using any personal devices? Bortnyk said that genie is largely out of the bottle—and returning to a pre-personal device world may not be preferable, even if it was possible.

"Returning to a pre-personal device world in the workplace may not be preferable, even if it was possible."

Stephanie Bortnyk, Associate GC, Dassault Falcon Jet

“Companies sometimes experience extended disruptions in service where employees are not able to use their controlled devices,” she said. Business must continue and employees will use other devices or platforms to do so. Taking such a risk may perhaps be necessary for business and operational continuity even if suboptimal from a potential litigation or regulatory exposure.  Once the disruption ceases, employees should be directed to preserve all company records in the appropriate repositories and resume use of approved devices and channels. 

But using channels normally reserved for casual conversation to conduct business deals can create problems, too, including employee misconduct and loss of data.

The Sedona Conference has been a key thought leader in electronic discovery and data retention questions for more than 20 years and they have put together recommendations for ephemeral messaging. The Sedona Conference suggests that legal teams must balance the retention risks with the practical reality that such apps may advance key business objectives. 

“With the realization of the cloud-based, mobile world we’re in, they don’t come down on the side of ‘Thou shalt not,’” Stone said. However, companies using them should take affirmative steps to minimize risks including considerations of litigation hold obligations for sanctioned and non-sanctioned “consumer” products. Stone said companies should look at how systems are configured and how employees are advised before problems, or the threat of litigation, arise.

“It does depend a lot on what industries you’re in,” Henriques said. In highly regulated industries, such as financial services, using ephemeral messaging may create more compliance headaches than it solves, he said. But in other industries, where team members regularly talk through work issues on the phone or in the breakroom, using a self-deleting chat app is simply the digital equivalent of an informal conversation.

“That’s a reasonable and defensible position unless you are subject to a regulatory burden,” Henriques said.

Stone said, “We got so accustomed to all business being done via email. But before that, business was conducted over the phone and those records weren’t retained. We’re seeing a shift back to that with ephemeral messaging.”

“We got so accustomed to all business being done via email. But before that, business was conducted over the phone and those records weren’t retained. We’re seeing a shift back to that with ephemeral messaging.”

Sarah Motley Stone, Partner, Womble Bond Dickinson

Stone points to two recent federal cases involving instant messaging platforms for guidance—Williams v. UnitedHealth Group and King v. Catholic Health Initiatives. Before litigation arose, the companies set up their messaging systems with a default setting that instant messages would not be retained. In both cases, the courts found there was no violation on preservation or production when the companies were not able to produce those messages. 

But in Franklin v. Howard Brown Health Ctr., Stone said the defendant configured its system to retain messages for a two-year period. However, some messages from that time period couldn’t be produced, thus the court sanctioned the defendants for that failure to meet preservation and production obligations.

Compliance Considerations

The DOJ is taking a similar position to Sedona in that the agency wants controls around ephemeral messaging and personal communications platforms, while still realizing that these modern methods of communication have a legitimate business purpose. This message is outlined in the Foreign Corrupt Practices Act enforcement section of the U.S. Attorney’s Manual. 

Data retention issues also came up in a September 2022 SEC case against 15 broker-deals and an investment advisor. Employees at eight firms routinely communicated about business matters using text messaging applications on their personal device. The firms did not maintain or preserve the substantial majority of these off-channel communications, in violation of federal securities laws.

Bortnyk said, “The SEC found across all 15 organizations, employees had widespread, long-standing failures in communicating outside of approved communication chains.” The SEC levied combined penalties of $1.1 billion against the eight firms.

Bortnyk said the action underscores a statement by SEC Chair Gary Gensler, who said, “Since the 1930s, such recordkeeping has been vital to preserve market integrity. As technology changes, it’s even more important that registrants appropriately conduct their communications about business matters within only official channels, and they must maintain and preserve those communications. As part of our examinations and enforcement work, we will continue to ensure compliance with these laws.”

“This is a message that we will continue to hear, and it will only get stronger,” Bortnyk said.

Stone said similar guidance is coming out from the Financial Industry Regulatory Authority (FINRA).

“FINRA found in a 2019 report that firms were communicating outside of approved channels and suggested that organizations have an obligation to look for red flags indicating impermissible use of alternate channels and to take corrective action,” Bortnyk said. “Approved channels for communications must be reported and employee communication outside those channels prohibited.”

Privacy & E-Discovery Tensions

Privacy considerations and the need to preserve electronic data for discovery naturally work at cross purposes and can create conflicts within an organization’s legal department. “The (Brooks Sports, Inc. v. Anta (China) Co., Ltd.) trademark infringement case really highlighted this tension,” Stone said. 

In the case, executives at Anta, who were based in China, used WeChat for business communications. Anta declined to provide those messages in discovery, citing Chinese privacy law. But the court said that foreign privacy laws cannot shield a litigant from the responsibility to meet U.S. e-discovery requirements. Instead, the court found that the company had a responsibility to set up a communications system that would comply with U.S. requirements.

In a published opinion, the Court stated, “Anta clearly knowingly allowed its employees to use WeChat for substantive business communications through only their personal accounts and devices.… Anta should not be able to conveniently use Chinese law to shield production of communications responsive to discovery requests when it could have set up Anta-controlled WeChat accounts for its employees’ use which would not have the same issues regarding Chinese privacy laws.”

The Court ultimately recommended sanctions including a possible default judgment against the defendants.

But companies certainly need to be aware of international privacy requirements. In particular, the GDPR requirements in the European Union and China’s extensive privacy requirements can create regulatory concerns for U.S. businesses. Companies must solve these issues while still being able to meet document production requirements in potential U.S. litigation.

Even if communications don’t cross international boundaries, they still may create significant preservation and collection challenges, Stone said. Some of those issues include:

  • The data is decentralized. Companies often have to go through both personal, potentially confidential messages as well as business-related ones;
  • Exporting data in a reviewable format may be difficult;
  • Attachments, such as PDFs and photos, may not be preserved, even if the message itself is retained; and 
  • Chats can be very long with slang, emojis, topic changes, etc.

Other Considerations for Compliance

So what do in-house counsel and corporate leaders need to do to ensure they remain in compliance with document preservation and production requirements, while still running a functioning business? 

Walton said, “It comes down to being thoughtful on the front end.” Companies may think they are saving money by simply having employees use their own devices, but that decision can create far bigger problems down the road. Companies also may want to invest in technology to extract data from mobile devices, if and when the need arises, he said.

“I’ve had several lawyers say that if you are using a phone for personal and business use—and you don’t have the management software to segregate the data—that really is high risk,” Henriques said. “The reality is that in litigation, someone is going to look at all that stuff.”

“I’ve had several lawyers say that if you are using a phone for personal and business use—and you don’t have the management software to segregate the data—that really is high risk.”

Mark Henriques, Partner, Womble Bond Dickinson

Bortnyk said that companies “must have good policies in place, and those policies need to be reviewed and refreshed.” 

But those policies are just the first step. “Probably the worst thing you can do is to have a thoughtful policy in place and then not follow it,” Walton said.

Other considerations and best practices for in-house counsel include:

  • Reviewing the company’s document retention policies regarding messaging apps;
  • Creating a plan for implementation of litigation hold;
  • Considering disabling auto-deletion functions deactivated and perhaps banning the use of ephemeral apps that can’t archive messages;
  • Requiring employees to agree to access their personal devices if they are used for business. Also, the employee’s device should comply with the company’s policy about using auto-delete functions.

The organization’s IT department also plays a critical role, Bortynk said. “Employees need tools that are easy to use, because if they don’t have them, they are going to find their own tools that are easy to use,” she said.

“Employees need tools that are easy to use, because if they don’t have them, they are going to find their own tools that are easy to use.”

Stephanie Bortnyk

Mobile device management (MDM) software can help companies control data when it is used on an employee’s personal device. Such software may be able to mandate encryption and strong passwords on devices containing sensitive communications, restrict user’s ability to factory reset or “wipe” device, restrict the user’s ability to back up information on a private cloud account, and even allow locking and/or unlocking of devices.

“MDM is a wide suite of products that can do range of different things, but it is a useful thing to have,” Walton said. 

Finally, knowledge is one of the best tools an employer can utilize in avoiding data retention problems. Companies should know what apps team members are using, and investigate collection issues devices long before they need to retrieve that data for litigation purposes.

Additional Cases for Guidance 

  • Waymo LLC v. Uber Tech., Inc., 2018 WL 646701 (N.D. Cal.)—In this case, group texts and Slack messages were deleted at Uber and the plaintiff argued that Uber had a reasonable assumption of litigation. Since Uber didn’t take steps to retain those messages, the judge ruled that the plaintiff would be able to tell the jury that Uber didn’t take reasonable steps to protect the information. “Jurors often expect to hear about a ‘smoking gun’ email or text, so you can imagine how this could be viewed very negatively by a jury,” Stone said.
     
  • Herzig v. Ark. Found. for Med. Care, Inc., 2019 WL 2870106 (W.D. Ark.). This case involved age discrimination claims against a hospital. When it came time to produce documents, the plaintiffs provided screen shots of text messages. However, the hospital also learned that the plaintiffs were using the Signal app to communicate, and those messages self-deleted and weren’t provided in discovery. The hospital argued that the plaintiffs had acted in bad faith in doing so and while the case was dismissed before this issue could be decided, Stone said it certainly is a reasonable possibility that the court would have agreed.
     
  • Kixsports, LLC v. Munn, 2019 NCBC 61. This case involved two companies in the soccer equipment industry. A discovery dispute arose, and Walton’s company conducted a review. They discovered that messages had been deleted by two specific parties after they knew those messages should have been preserved. The violators were not held in contempt, but they were sanctioned by the court. These sanctions included an “adverse inference jury instruction” and financial reimbursement to the defendants. In a sharply worded opinion, the court wrote, “given the substantial number of relevant communications revealed by the forensic inspection, the only reasonable conclusion is that, contrary to their affidavits, (the parties in question) made inadequate efforts to locate responsive communications, failed to preserve them, or refused to produce them.  (The parties) have never explained, corrected, or retracted their false, sworn statements.”