Over the past two decades, email has evolved from a novel method of communication to the primary form of correspondence used by businesses around the world. Discovery of emails and other electronic documents has followed this trend to become a fixture of commercial litigation, with its own set of ever-improving methods and tools familiar to inside and outside counsel. Recently, short and multimedia message service (SMS and MMS, better known as text messaging) has exploded in popularity across all categories of users, including businesses, leading to a glut of less formal (and less cautious) "instant" communications as a supplement to, or replacement of, traditional email. While SMS e-discovery is in its relative infancy, numerous recent court decisions should put all organizations on notice: Texts are discoverable, and failure to plan accordingly may result in damaging admissions, adverse inferences or worse.
Several related factors have kept SMS e-discovery from becoming a commonplace practice to date: unfamiliarity with SMS data management, fear of reciprocal demands for SMS data and the general objection that it presents an undue burden under discovery principles of proportionality and reasonableness. With the expanding use of SMS, however, such excuses are going by the wayside. The growing number of decisions on this issue illustrates that plenty of litigants are willing to open this door, and that courts are unlikely to accept a blanket objection based on undue burden. In light of these trends, organizations are best advised to develop strategies and procedures to manage texting practices, to preserve information on SMS devices, and to develop procedures for SMS data management in the civil discovery context.
An organization's well-defined mobile device policy will provide the foundation for managing the use, and preservation, of this ubiquitous form of communication. Such policies fall into essentially three categories: company-owned-personally-enabled (COPE), bring-your-own-device (BYOD), or a hybrid approach that gives some or all employees the option between COPE and BYOD. While a COPE policy gives organizations the most control over the mode and storage of instant messages, such uniformity presents significant costs and overhead. For large and complex organizations, a hybrid approach is often preferred because it allows increased flexibility at a reduced cost; however, the great diversity of devices and operating systems adds further complexity in preserving and managing the underlying data. For example, while a typical Android or iOS mobile device preserves text messages for some period of time after a user deletes them, both operating systems have data volume limits and hidden automatic functions allowing permanent deletion unless backed up elsewhere or re-configured and actively managed by IT professionals. There are additional usage-based variables that can be impacted by the database rules and architecture of each system, which are compounded by carrier-specific device configuration, as well as cloud-based and other personal storage options. While a growing number of manufacturer-specific and third-party software platforms are being developed to manage data retention on individual devices, there is no industry-standard enterprise solution. These factors tend to make management, data holds, backup and retrieval a case-by-case challenge.
Company-owned and -managed texting applications, or "apps," provide a particularly interesting option to lessen the obstacles presented by the multitude of mobile hardware and software systems, along the lines of an enterprise email server for instant messages. These apps provide a texting platform separate from the "factory installed" applications on iOS, Android, or other operating systems, allowing enterprise-level data retention and deletion policies to be implemented, without the cost of a traditional COPE policy. One potential shortcoming of this category of apps is that they may only support texting between devices that have the app installed, limiting their use to internal SMS communication. Nonetheless, the cost and security benefits of enterprise-level management through such texting apps are apparent.
While this remains a developing area of law, inside counsel and their IT counterparts can take a number of immediate steps to minimize risks associated with SMS:
• Adopt a formal, written texting policy defining the proper use of mobile devices and instant messages, including what topics may and may not be discussed by text;
• Educate personnel to apply the same caution to email and SMS correspondence; whether it is a company-owned or BYO device, all communications, including business and personal texts, may be subject to discovery in the event of litigation;
• Perform an audit of all employee mobile devices and messaging platforms to produce an active and dynamic picture of a company's user base, determining which employees use mobile devices for work, whether they are COPE or BYOD devices, the manufacturer, model, and operating system of those devices, and what security measures are in place on those devices;
• Develop realistic monitoring procedures, coupled with practical enforcement tools to maximize compliance;
• Consider a third-party internal texting app to provide enterprise-level management of SMS data; and
• Implement proportional and reasonable procedures governing the preservation and discovery of text messages, focusing efforts on key personnel or a control group subset from the entire universe of relevant mobile users. By taking proactive steps to identify the key actors and preserve their texts, a party lays the foundation to argue the steps it took were reasonable and proportional in the event of a discovery dispute.
Like email discovery before it, SMS discovery will evolve as the courts shape its parameters and as vendors and counsel develop the tools and procedures to meet this growing need. The organizations best prepared to deal with these challenges will be those that evolve their practices in tandem with these trends. An affirmative, integrated approach will minimize the risks when—not if—employees' text messages become key evidence.