February 12, 2013 Articles

Mobile Devices as Discoverable Data

The "new kids on the block" represent a wildly underestimated source of key information for civil matters.

By Kate Paslin

Just as American litigators have begun to accept and even embrace the legal, ethical, and technical requirements of today’s discovery process, yet another key source of discoverable information has emerged. For some, the addition of one more data source to an already extensive list of potential targets, now commonly compiled by a well-trained internal discovery team, poses no great problem. But for most, the complicated process of collecting enough data to defend one’s efforts—while demonstrating enough restraint to defend one’s costs—continues to give rise to debate and migraines in a community whose formal education exposed them to little more technology than word processing and overhead projectors.

An increasingly vital—and wildly underestimated—source of key information for civil matters comes in the form of mobile devices. Technically, mobile devices are defined as any handheld computing device, typically lightweight, highly portable, and equipped with Wi-Fi, Bluetooth, Global Positioning System (GPS), and any number of data-storing applications, or “apps.” In plain English, mobile devices include the millions of cellular phones, smart phones, iPads, tablets, and laptops contributing immeasurable amounts of personal and corporate data to the digital universe.

The Effects of Blending Work and Personal Devices
Central to the relevance of these devices is the mobility itself: The combination of portability and web access removes previous barriers to posting, downloading, and general sharing of information, both personal and professional, at any time and from virtually any location. Mobile devices carry with them a dramatic change in social norms. For example, traditional “work hours” have given way to the mobile office in most employees’ pockets. Cultural boundaries between the personal and professional blend as round-the-clock use of email, texting, and networking sites became first socially acceptable, then the workplace standard.

So what is the good news for lawyers? First, the rules of civil discovery for mobile devices parallel those of any other information source. All considerations of preservation and proportionality remain the same. Second, the practicalities of accessing the data—as well as the cost of doing so—have already been addressed and resolved to an impressive degree by our legal and technical colleagues in the criminal space. To meet the dual goals of proper preservation (in essence, demonstrating a good-faith effort to share required information with the opposing party) and proportionality (demonstrating to both the court and client that all informed decisions and competence lead to the most reasonable budget for the matter), lawyers must know (1) to ask for it, (2) where to find it, (3) who can collect it, and (4) what tools can provide a defensible and cost-effective collection.

The Benefits of Mobile-Device Discovery
The well-established inclusion of mobile devices under the definition of discoverable data bears repeating, as do the warnings about the plethora of regulatory and ethical rule violations that could result from failure to assess and preserve key data on these devices. But the practical benefits almost outweigh the legal obligation or threat of reprimand. Despite years of criminal investigations pioneering these efforts, eliminating many of the cost or convenience barriers in the process, the fact-gathering performed in civil matters commonly fails to recognize the sheer volume and evidentiary value of the information on these devices. Email, call history, contacts, text messages, photos, voicemail, audio recordings, video, calendar appointments, tasks, notes, web browsing history, chat logs, data stored in social media and other applications, GPS location data and directions, and even descriptive data, such as the frequency of texts, all commonly sit on a mobile device’s internal memory.

More important, some of this data often sits only on these devices, completely unattainable from any other source. Many litigants falsely assume that common communication or file types subject to discovery will surface in other locations. But in reality, few companies employ mobile device management (MDM) systems that cover more than company-issued BlackBerrys, and even those cannot pull back the intended data without installing MDM software on each mobile device as well. That physical limitation means that most personal devices used today contain information that exists nowhere else. In sum, absent the voluntary, physical syncing of the device by its owner to a home or work computer, or similarly inconsistent cloud-based backup efforts, it is unlikely that all key information exists anywhere but on the mobile device itself.

The Corporate-Policy Response
The benefits of a happy, productive, mobile workforce continue to inspire ‘Bring Your Own Device’ (BYOD) policies in offices large and small. Although these policies complicate records management efforts—for example, the heightened risk of commingling personal and workplace data—their popularity arguably and inevitably results from the cultural near-necessity of juggling personal and work matters at all hours.

To balance the utility of these devices with the risk they pose to an organization’s data map and disclosure capabilities, many companies adopt “acceptable use” policies, hinging device support on the employee’s written consent to allow the company to access, copy, back up, or delete potentially commingled data upon demand. Employers and their counsel should be wary, however, of inconsistencies between their standard retention policies and BYOD practices, as well as variation in the enforceability of such agreements around the world.

Regardless of the rationale for adopting BYOD or “use” policies, two trends are clear: Organizations need policies that accurately reflect and accommodate real-world behavior, and their counsel needs to understand the technical basics of where and how to find that information when necessary.

Recommendations
Given the realities of mobile-device data and its underrepresentation in today’s civil litigation, counsel who are hesitant to jump into the world of mobile data might start with the following tips.

An acceptable use policy aimed at greater control over compliance and discovery issues should mirror the elements of any strong retention policy, including (1) consistency with actual practice, verbal policies, and employee behavior; (2) frequent updates to encompass changes to the data map or device turnover; and (3) ongoing training to ensure that current and new employees understand the purpose and importance of the policies in place. Include specific rules for security, such as required complexity for passwords and rules that specify what company data may never be stored on the device. The portability of mobile devices makes the inclusion of audit rights and capabilities especially important, as well as consideration of international data privacy rules and other regulatory requirements.

Public resources, like the National Institute of Standards and Technology (NIST) Guidelines for Mobile Device Security (Draft), guide legal and information technology (IT) departments alike to technical and policy-based solutions they may not have previously considered. Discoverable data from mobile devices span such a huge universe of potentially relevant messages, photos, documents, addresses, plans, and a person’s general behavior on any given day that lawyers must take an open-minded approach to fact-gathering. Consider, for example, not only the parameters of network access to email and other systems from a personal device but also the ways a mobile device can physically capture data without permission (e.g., a photo of a corporate document or computer screen).

Conclusion
Civil litigators and their clients need not fear the discovery process for mobile devices. Simple, affordable technology already exists to find relevant information in a quick, inexpensive, and forensically sound manner. The traditional route of hiring a forensic collection specialist can cost an average of $800 per custodian (depending on the type of device and amount of data stored on it), quickly multiplying to $8000 for 10 persons of interest or $50,000 or more for large-scale collections across a large company or multiple offices. But with the advent of modern, powerful software applications designed to make mobile device collection easy, IT personnel—provided they have been appropriately trained in forensic acquisition and documentation—can perform forensically sound collections using the same technology consultants and specialists use. Some of the top applications are offered for as little as $3000 total, no matter how often it’s used or how much information is recovered.

Mobile devices, while still an underestimated source of key information in civil cases, stand to take the lead among essential sources of relevant and discoverable data. The legal community has a legal, ethical, and practical obligation to recognize and embrace current practices, and adjust their discovery process accordingly.

Keywords: litigation, technology, mobile devices, discovery, data security, ethics, mobile-device management


Copyright © 2013, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).