It’s 10pm on a Thursday. The kids are asleep, you’ve wrapped up dinner, and you’re sitting down for a quick Netflix viewing before bed. Then, a colleague texts you on your personal number, with an urgent request for some last-minute information they need for a meeting tomorrow. You put down your phone, fire up your home P.C., access your company files, and quickly pull together the info they requested. You send them the files over Slack, they read them on their personal tablet, and one Black Mirror episode later, and you’re off to slumberland.
Such scenarios are increasingly becoming the norm.
As the separation between work time and personal time has been blended, so too have the lines dividing work and personal devices. In the above example, no less than three primarily personal devices were used for work—four if you assume the colleague’s late-night text came from her personal phone and potentially many more if messages sync across multiple devices. Indeed, the proliferation of services and devices that allow you to work whenever, wherever are directly responsible for increased blending of work life and life-life. This blending also creates potentially thorny issues in the context of discovery.
Now, imagine all the ways the above scenario could end up as the subject of an investigation or litigation. Maybe the information you were sending a colleague included material, nonpublic information about your company and her meeting the next day just happened to involve some hot stock tips. Or maybe that information included corporate secrets that later leaked to the competition. Maybe your colleague filed a class action suit against your employer, alleging that she had wrongly been denied payment for her regular late-night work sessions. You get the idea.
Suddenly, each personal device is a potential source of discoverable ESI. But they are also largely personal devices, full of sensitive information that has no connection to the issues underlying the litigation or investigation. A battle over discovery could be on the horizon.
In such circumstances, would you be able to obtain discovery into the devices? The answer, of course, is maybe.
Data stored on personal devices is unquestionably ESI that can be subject to discovery under Federal Rule of Civil Procedure 34. A producing party cannot evade its discovery obligations simply because information is stored on non-corporate devices. Indeed, the Sedona Conference recently released draft commentary on BYOD policies, or “bring your own device” policies, under which companies permit or encourage the use of personal devices for work. In that commentary, the third BYOD principle states that “employee-owned devices that contain unique, relevant ESI should be considered sources for discovery.”
It is a characterization that courts have readily adopted. For example, in a recent opinion upholding a massive, $2.7 million discovery sanction in a $20,000 case, the Second Circuit did not hesitate to hold an employer responsible after its employees refused to allow access to their personal accounts. That the company “did not have a software usage policy in place requiring its employees to segregate personal and business accounts,” the Second Circuit explained, “was the company’s own error.”
That personal devices can contain potentially discoverable ESI doesn’t end the story, however. To determine whether such ESI can be subject to discovery, the Sedona Conference points to three factors: whether the employer has “possession, custody, or control” over the ESI, whether the ESI is unique, and whether discovery of such ESI is proportional to the needs of the case.
One of the threshold issues to consider when seeking discovery into information on personal devices is whether those devices are actually under the control of the producing party. Courts have developed three standards for determining whether ESI on third-party devices is within the possession, custody, and control of a producing party. These are the legal right standard, the legal right plus notification standard, and the practical ability standard.
Under the legal right standard, if a responding party has a regal right to obtain the ESI in question, then that ESI is treated as under their possession. They must in turn preserve, collect, search, and produce such documents. This standard has been applied in dozens of courts throughout the U.S., including in opinions by the Third, Fifth, Sixth, Seventh, and Ninth Circuits—and one Eleventh Circuit case from 1984.
The second standard adds an extra wrinkle to the legal right test. In the legal right plus notification standard, the discovery obligations are virtually the same, with producing parties facing an additional requirement to notify requesting parties about potentially relevant ESI held by third parties and outside of the producing party’s control.
Finally, the practical ability standard looks only at whether a party can obtain and produce ESI, regardless of whether they have legal entitlement to or possession of the information at issue. That is, the courts don’t look to whether a producing party has a legal right to information, but simply whether it can possibly produce that information. Under this standard, a court may require corporate parties to produce ESI from current or former employees—though more often the standard is used to require individuals to produce documents from non-party companies which they own or control.
To keep us on our toes, courts are not always consistent in which standard they apply, as a review by the Sedona Conference Working Group One shows. District courts in the Fourth Circuit have applied both the legal right plus notification standard and the practical ability standard, for example, while those in the Sixth have applied both the legal right standard and legal right plus notification standard. Courts in the Tenth Circuit, perhaps staying true to their Wild West origins, have applied all three standards.
Any look into personal devices risks intruding on the producing party’s privacy. Consider, for example, the amount of sensitive information our phones contain, from text messages and email, to health information collected by standard apps to GPS data that can pinpoint your location at almost all times. If devices need to be turned over in order for the data to be extracted, there is also additional cost and inconvenience to be considered. Thus, courts have expressed reluctance in some cases to allow intrusive discovery into the private devices of employees.
A recent case out of the Southern District of Indiana offers an illustrative example of how privacy and proportionality concerns can outweigh the traditional, liberal approach to pre-trial discovery. In Crabtree v. Angie’s List Inc., No. 1:16-cv-00877-SEB-MJD,2107 BL 28193 (S.D. Ind. Jan. 31, 2017), U.S. Magistrate Judge Mark J. Dinsmore denied defendant Angie’s List’s motion to compel production of data from employees’ personal cell phones.
Angie’s List, facing an FLSA lawsuit from senior sales representatives who alleged they worked 10-to-12-hour days but were paid only for eight, sought GPS information from the sales representatives’ phones. That information, Angie’s List asserted, would show whether the plaintiffs had left for the day or taken unpaid breaks, even when signed in to their work Salesforce accounts. The information could then create a more accurate depiction of their work hours. To support its motion to compel, Angie’s List marshaled several cases in which parties were able to obtain similar discovery into personal devices or GPS data.
The court wasn’t convinced. Angie’s List was “overlooking a clear distinction,” the court explained: “Plaintiffs’ privacy interests.” The GPS data was particularly sensitive, the court explained, as it “would track Plaintiffs’ locations at every moment of the day for a year.” Further, similar information sought by the defendant was available from less expensive, less burdensome, and more convenient sources, from sources such as badge swipe data and work computer login data.
Since Angie’s List had not demonstrated that GPS data would be more probative than other forms of data already in its possession, the court concluded, “the forensic examination of Plaintiffs' electronic devices is not proportional to the needs of the case because any benefit the data might provide is outweighed by Plaintiffs' significant privacy and confidentiality interests.”
Proportionality concerns can also play a significant role when seeking discovery of personal devices when multiple devices and custodians are at play. Collecting, reviewing, and producing ESI from a host of cell phones, tablets, and personal computers, spread across potentially dozens of custodians and a broad geographic area, can easily expand the potential burdens of discovery. That, in turn, can bolster producing parties’ claims that such discovery requests are not proportional to the needs of the case. (As always, eDiscovery software that can speed up time to review, improve ease of search, and automate slow, costly discovery processes, can greatly reduce the burdens of such discovery. But we digress.)
Another barrier to accessing data from personal devices can arise when the requested data is duplicative of data in other sources. This is particularly true when the insights sought cannot just be determined from less burdensome discovery, as in Angie’s List, but when the data is entirely duplicative of data available elsewhere.
Even when ESI on a personal device is relevant and within the producing party’s possession, it may not be discoverable from that device if it can be collected from a more accessible source. Consider, for example, emails sent from personal smartphones that are simultaneously synchronized with the company’s computer, such that the same files are present both on personal devices and the corporate email server.
If a company stores all messages sent through the company’s email addresses or chat programs and if there is no independent value to the duplicate copies, personal devices would likely not be subject to discovery for that information, given that the same ESI could be obtained less intrusively.
Despite the complications discovery into personal devices can raise, one thing is clear: As the walls between work life and personal life erode, discovery into personal devices becomes increasingly unavoidable in a wide range of legal disputes. The days of limiting discovery to corporate email are quickly coming to a close, their demise caused by the diversification data sources, from smartphones to backyard drones, and a growing range of data types, all holding information that could be potentially relevant to litigation.
Faced with sometimes inconsistent approaches by courts, conflicts between privacy and liberal discovery, complicated and high-stakes discovery processes, increasing client demands and increasingly short court deadlines, it’s no wonder so many practitioners feel like they’re in eDiscovery hell.
Thankfully, a new generation of discovery technology is available to offer some semblance of salvation. Instant Discovery technology can’t ensure that courts are consistent in their treatment of personal devices, or that company BYOD and information governance policies are consistently applied. But it can allow you to start project a project in minutes, rather than weeks. It can automatically process and dedupe data from a wide variety of sources, be they mobile devices or corporate email servers, allowing you to find relevant information as easily as searching through Google. And it can automate thousands of steps that would otherwise be vended out to expensive third parties.
As our discovery process becomes more data intensive and spreads across more and more data sources, legal professionals who adopt a nimbler, more innovative approach to discovery will be at a distinct advantage—while their more flat-footed colleagues are left feeling like they’re swimming through a lake of fire.