How social media should be discovered in today's complex world

Social media needs to be incorporated into the ordinary data retention and ESI collection policy

It used to be that e-discovery could be conducted entirely within a company’s own servers — email archives and file directories provided a complete picture of corporate documentation. That’s no longer realistic in the modern business world. Corporate communications are tempered with, and sometimes even dominated by, social media, text messaging, instant messaging and more, making record keeping much more complex. Businesses must consider, and plan for, the inevitable requirement to collect electronically stored information from disparate data sources.

In particular, data retention policies can no longer ignore social media sites and the potentially relevant information they hold. In case after case, the courts have upheld the need to not only consider, but in fact review and produce, data from sources such as Facebook, Twitter and LinkedIn. The issue is no longer whether social media should be collected, but rather how it can be collected.

This process begins with understanding how social media content is transferred and stored. It’s important, however, to remember that the standard for social media discovery is the same as any other digital media record under the Federal Rules of Civil Procedure. More often than not, data collected from social media includes verifiable metadata and text — and despite what you may think, it is reasonably accessible. In fact, many social media sites provide application programming interfaces (APIs) that interact with the social media source to capture data. These tools are essential during the collection and extraction process.

It is also important to remember that social media sites don’t just contain news feeds for an individual’s travel adventures or photographs of recent dinners out; these are just the colorful candy coating. Beyond that exterior lie person-to-person and group messaging features, holding a rich trove of potentially relevant content. Depending on the user’s settings, these messages may not be saved, and collection tools may not capture them by default. It is critical that the party collecting the data considers these issues during the interview and collection process.

In addition to the APIs available for the collection of social media content, fragments of information can often be reconstructed from the internet cache on an individual device. This leads to an important question regarding the type of data collection performed. A full forensic, or bit-by-bit, image of the original media is the only way to ensure you have the necessary file fragments to reconstruct easily recoverable deleted files or internet cache items. In comparison, a targeted acquisition will only capture the active data files; it does not capture deleted file fragments and may not capture the temporary internet cache. It is critically important that all efforts are made at the time of collection to capture potentially relevant data. If you don’t collect it, you don’t have the option to review it later.

While full images are the norm in the United States, in other countries, data privacy regulations limit the collection, “processing” and transfer of personal/private data. In these situations, it may be illegal for data collection to capture social media feeds or the remnants left behind as part of the internet cache, regardless of their potential relevance. Legal teams need to not only consider the potential risk of neglecting potentially relevant information but also the risk of not complying with the local data privacy regulations.

In the United States, the majority of businesses issue devices to their employees to be used during the course of their employment. The information security policies of these businesses (and, to oversimplify it, the data privacy laws of the United States) favor the companies’ right to the property over the individual’s right to privacy. This is not the case in many foreign jurisdictions, but in the U.S., if you’re using the company’s device or network to access a social media site or instant messaging service, you’ve waived your right to privacy and the company has the right to collect any information from that device/network. However, companies with bring-your-own-device (BYOD) policies complicate these issues even further. Regardless of location, in a situation where the company has a BYOD policy in place, employees own the device, and therefore the collection of data from that device will be limited.

You may be thinking to yourself, “Fantastic! I always consider these types of data sources and collection techniques at the time of collection; I’m covered!” Unfortunately, that may not be the case. It’s important to remember that just because the data was collected, it doesn’t necessarily mean it will make its way through to review.

In many instances, these new data sources — social media, text messaging, instant messaging, etc. — aren’t getting left behind at the time of collection, but are rather being filtered out during data processing. Different service providers employ different data processing “standards” (e.g., deleted file recovery, inclusionary file filtering) and potentially relevant content is often filtered out through the regular course of data “processing” because the file types are non-standard or not easily recognizable. Ultimately, the responsibility lies with the legal team to understand and confirm the data that is to move from the collected image, through processing, and finally to review.

Regardless of the type of investigation or litigation, counsel must stop thinking of social media, and other messaging services, as non-standard. They are the new standard and need to be incorporated into the ordinary data retention and ESI collection policy. For the corporation, this requires attention from both network administrators and in-house counsel to ensure policies and procedures are in place to address the challenges associated with these data collections. For outside counsel, this involves incorporating these data sources into the discovery process. The collection tools and methods may be more complex, but this is simply a reflection of the evolving ways in which businesses and people communicate.

Contributing Author

Ashley Smith

Ashley Smith is the vice president of Legal Technologies at Control Risks. Control Risks is an independent, global risk consultancy specializing in helping organizations...
