For years now, litigants have been coming to grips with electronic discovery. Just when the legal community was getting more familiar with the feel of e-discovery, cloud computing continues to make the process more challenging. This article explores what is happening in lawsuits now, and makes some suggestions about how to deal with the still-developing changes.
Quick Reminder of Ground Rules
The most basic rule of discovery is that “[p]arties may obtain discovery regarding any non-privileged matter that is relevant to any party’s claim or defense.” Fed.R.Civ.P. 26(b)(1). A party may be requested to produce or permit inspection of any electronically stored information (ESI) in its possession, custody, or control. Fed.R.Civ.P. 34(a)(1). Importantly, however, “[a] party need not provide discovery of [ESI] from sources that the party identifies as not reasonably accessible because of undue burden or cost.” Fed.R.Civ.P. 26(b)(2)(B). The party who claims that ESI is not reasonably accessible due to undue burden or cost has the burden to demonstrate this to the court; and then the court is required to balance the respective interests. Id.
The take-away here is that there is no automatic right to all ESI. You need to know what might be subject to production or inspection. As the ESI source gets farther away from a user’s desktop computer or onsite server, you need to be prepared to possibly litigate (or compromise with opposing counsel about) the balancing test in Rule 26(b)(2)(B).
The Proliferation of Cloud Computing is Complicating E-Discovery
For several years, the literature has been full of warnings about how cloud computing was going to complicate e-discovery. My point is that the time for warnings is over. It happened. Cloud computing is here in full force and e-discovery is different now than it was even 12 or 18 months ago. That said, the use of off-site, third party computing platforms is still increasing. You can expect the difficulties in e-discovery to get more complicated before the legal community finds a good way to deal with ESI stored in the cloud.
In order to provide examples, here are some of the current issues faced with ESI in the cloud:
- Text Messages. Depending on the wireless company, an individual user usually can access his or her online account and print a list of numbers/dates/times text messages that were sent and received. In our experience, users may be able to obtain this information for at least a period of three to six months. However, often the body of the text messages is not available. It is often not clear whether the wireless providers keep records of the text messages (and for how long). The text messages cannot always be exported from an individual’s cell phone and transferred into a readable electronic format that can be produced.
- In-App Text Messages. There are many apps for smart phones in which a user can download and use the in-app texting feature. There are also several free text-messaging apps that are not connected to an individual’s cell phone number. Do the providers keep record of text messages? Are they able to be easily exported in a readable format?
- Voicemails. Phone systems often used in offices will record all voicemails as *.wav files and email them to a user’s individual email account. It seems reasonable to produce these recordings, assuming there is a data retention policy that saves the messages. However, it becomes more difficult for cell phone voicemails.
- Email and Calendars. Obtaining emails and calendars in their native format from a Microsoft Outlook account is relatively simple. However, obtaining email and calendar records from free or web-based email addresses that don't use Microsoft Outlook, such as Yahoo!, AOL, or Gmail, can be more difficult to obtain. Our experience is that different providers have different tools available. In some instances, there may be no option but having the user forward or print each message individually.
- Instant Messages. The ability to obtain instant message records also varies widely depending on what provider is used. With some providers, an individual can export the instant message conversation into a *.txt. or other readable electronic file. Some, such as the chat feature available via Gmail or Facebook, may be automatically saved in the user’s email or Facebook account.
- Video Chats and Free Conference Call Services. Over the past several years, video conferencing via programs such as Skype, Tango, or FaceTime has become increasing popular. Can the videos be preserved? Do video chat providers keep records of videos? Also, there are many free conference call services. Some provide the ability to record calls at the user’s discretion. Where are these saved? To whom would you send a subpoena?
- Privilege. When data is stored on the server of a third-party provider, one must ask whether it is within your possession, custody or control. One must also ask whether the user has shared privileged information with a non-lawyer by saving data with a cloud provider, and thus waived the privilege. You can google this topic and quickly see the scope of the debate created by this issue.
All of these issues share a common thread. Specifically, the cloud is making getting data more complicated. At the risk of giving away information to people who might sue me, aside from my work email account, I currently have accounts with Dropbox, Gmail (2), Skype, Google+, twitter (2), LinkedIn, and I regularly text message on my iPhone. Three years ago, I believe I had my work email account only. During the past several years, it has gotten substantially more difficult to capture my entire electronic footprint.
The explosion in the number of mobile devices since the advent of the iPad only exacerbates the challenges posed by the proliferation of cloud computing. In a recent edition of National Geographic, citing a study by Cisco, an article states that the number of mobile devices on the planet soon will exceed the human population. This increases the number of places where witnesses might be working on documents, navigating the internet, sending and receiving email, etc. This all contributes to a more complicated ESI landscape.
What do we do?
These developments indicate different action plans depending whether you are in the role of seeking ESI from others, or creating and storing large amounts of data in the course of your business. For businesses, it is easy to have your data retention policies become quickly out-of-date. That issue is fairly simple to address. It requires a comprehensive review of the systems by which your enterprise creates, stores, and uses data. For each system, you need a best practice that balances your business needs, any regulatory environment in which you live, and the practicalities of how to implement a litigation hold on data should one be necessary.
The more difficult issue for businesses right now is that even companies with a robust commitment to a solid data retention policy probably need to blend in an additional factor due to the advent of cloud computing. Specifically, until recently, the business has been the gatekeeper for all of the data. Typically, employees could not do their jobs without running all of their data through a machine owned by the company; therefore, data retention was a matter of mastering the machines owned by the company.
In many instances, that is no longer the case.
In my experience over the last year, there is a growing percent of employees that conduct at least part of their job through cloud computing platforms; Dropbox is just one example. A company ought to consider what it means to its data retention policy if an employee is storing data with a cloud computing platform. Is that data being preserved? Is it available for use by the business? Is it available in the event of litigation? Does the company even know whether it exists? This loss of control of a company’s data is manageable, but it raises questions about whether employees ought to be allowed to use these platforms, and what should happen should management become aware of the use of non-approved platforms. If you are on the other side, and are seeking the production of ESI, my advice is to expand your horizons about the types of ESI you seek, and the places you might look for it. You should also expect to face difficulties in seeking some types of ESI. One example is with text messaging. As discussed above, there can be a very short life span to effectively obtain any useful information from a provider. However, due to the balance required in Rule 26(b)(2)(B), and due to the time and cost to pursue this type of discovery, it might be difficult for a litigant to give a reasonable basis to believe that text messages would contain relevant discoverable information. Experience shows that it is a difficult tactical choice for a party to choose to invest the time and cost to pursue text messages that may not even exist any longer.
The impact of cloud computing on e-discovery will continue to evolve. It will be interesting to see how well the legal profession can keep up with the pace of change.