A federal judge in Illinois recently ordered a large pharmaceutical company to pay nearly $1 million because when the business was sued, it failed to remind its sales representatives to preserve text messages. Last year, a Colorado judge was similarly unsympathetic when a firm sued for tortious interference, then claimed its president’s lost iPhone did not contain relevant evidence. For those on the courthouse steps, the question has become: “Do you know where your data went?”
Business records are created using computers, voice mail systems and other data that historically have been stored on company servers. But in today’s fast-paced world, employees are increasingly working off site, using mobile devices like smartphones, tablets and laptops. While this easy access promotes business, it means more pieces of company data are being created and stored across countless devices. This creates challenges in preserving evidence when litigation occurs.
Companies should rethink how they permit employees to use technology when conducting business. Here are proposed best practices to streamline preservation obligations.
Do You Know Where Your Data Went?
Most companies routinely back up business records on a computer server, including electronically stored information (ESI). When a company becomes involved in litigation, however, it must look beyond the corporate suite for its business data, even if the information resides on employee-owned personal devices or in the cloud.
When ESI resides in so many locations, potentially relevant evidence is more difficult to identify and preserve. But that does not change whether it is discoverable in litigation. While reasonableness and proportionality considerations may apply in some cases, electronic discovery expenses are considered the cost of doing business.
The Duty to Preserve: When, What and Where
State and federal laws require preservation of evidence. This duty has many corollaries. First, the company must preserve evidence when it learns about a potential claim, even before a lawsuit is filed. Second, the duty extends to all potentially relevant evidence — including less obvious types, such as text messages on smartphones or videos posted on social media. Third, the duty exists regardless of where ESI resides — whether on the company server, on employee personal devices or in the cloud. If there’s business data stored on personal devices, the company must notify employees not to delete it or replace or lose the devices. Since litigation can take years to resolve, this means the company’s preservation obligations may last long after employment ends.
Best Practices for Streamlining Preservation Obligations
• Adopt a policy requiring employees to use company-owned devices when conducting business.
• Require employees to back up company-owned devices to the company’s server.
• Consider whether to permit cloud storage because preserving ESI can be more difficult.
• Consider whether every employee needs access to business data while away from the office.
• If employees are permitted to use personally owned devices for business, require employees to provide the IT department with access to those devices.
• Adopt a protocol for how your IT department will collect and preserve all business data when employment ends, including identifying all locations where business data may be stored (e.g., smartphone, home computer, USB drive or personal external hard drives).
• Establish and enforce a retention policy for all business records, including ESI.
Given the increasing importance of ESI evidence, following these best practices may make the difference between winning or losing litigation.
KATHERYN BRADLEY is a shareholder at Lane Powell, where she is a member of the Labor and Employment Practice Group and the Electronic Discovery Technology and Strategy Practice Group. Reach her at 206.223.7399 or email@example.com.
LAURA MARQUEZ-GARRETT is a shareholder at Lane Powell and co-chair of the Electronic Discovery, Technology and Strategy Practice Group. Reach her at 206.223.6246 or firstname.lastname@example.org.