eDiscovery101

I ran across an interesting mobile phone application the other day called Tiger Text (also called the cheating spouse app). Tiger Text is an app that bills itself as a tool to help people “cover their tracks”, in this case tracks that are left when sending traditional text messages from phone to phone.  What Tiger Text does is enable a user to send text messages back and forth to others also using Tiger Text and not worry about the text message being found by someone else, because messages sent via Tiger Text will essentially self destruct within a specified timeframe.

When you send a text message using Tiger Text, the content of your message is never sent to the recipient’s phone as it does when you send a standard text message.  Since the message doesn’t reside on the recipient’s phone, but rather stored on Tiger Text’s servers, you are given full control when the messages are deleted from Tiger Text’s servers.

As you can see from the screen shots above, once the messages are gone, they are gone.  You can set messages to ‘Delete on Read’ or set your own time limit such as 2 hours, 4 hours, etc. Keep in mind that both sender and recipient must have the Tiger Text application installed for the capability to work (there is a free reader if the other person doesn’t want to buy Tiger Text), and if a message is set to expire at a specified time period and it’s not read, then it’s gone forever. This “Delete” capability can be set from the menu shown below.

The actual content of TigerText messages are erased from the sender’s phone, the recipient’s phone and all servers when the message expires. TigerText does not allow the user to copy or save a message, however if someone really wanted to they could video capture your TigerText, take a screen shot, or take a photo of their phone. TigerText cannot promise that your messages will not be copied by some alternative means. Be smart! Anyone can take a picture of a phone.

Tiger Text is available for iPhones, Blackberrys, Microsoft powered mobile phones and Android phones.

What’s this got to do with eDiscovery?

With above description in mind, it occurred to me that this application could cause some problems for the eDiscovery process.

1. If a custodian is using this application while they are potentially a party to litigation and are using this app to send or receive information relevant to the case, are they guilty of destruction of evidence? In my opinion, absolutely!
2. How could you place and enforce a litigation hold on this data? The answer is you can’t.
3.  How would an organization collecting responsive data for eDiscovery even know to look for this capability? It all comes down to knowing the technology landscape and asking the right questions of custodians such as “do you utilize any applications or other processes on any computing devices including cell phones which automatically delete ESI?”
4. So what’s an organization to do? The only thing you can do is forbid installing these kinds of applications on any organization assets and audit to see that custodians are following the policy. You obviously can’t do anything about what employees do with their own non-company owned devices except to reiterate that company related business should never be conducted over non-company owned devices (and its always a good idea to remind employees that if they do use their own devices for company business this will open their personal computers, phones etc to eDiscovery).

The main point is to be aware of these capabilities and to look for them when in eDiscovery.

You can’t control what employees do away from work on their own time and using their own equipment but companies do have a right to control their brand and that includes how they are represented by their employees on social media sites. For that reason, every organization should develop, implement and enforce a corporate-wide social media policy for all employees (because if you don’t enforce it, then do you really have a policy?).

Gary MacFadden was kind enough to pose a great question in response to my last blog posting titled “Did you hear the one about the Attorney who thought social media was a dating website for singles over 40?”. Gary pointed out that it would be helpful if I could give examples of a corporate social media policy (what it involved) and what the employee education process would be to make employees aware of the policy. With that in mind, here are some aspects of a corporate social media policy:

1. A policy author with contact information in case employees have questions
2. An effective date
3. A definition of what social media is
4. A description as to why this policy is being developed (for legal defense, brand protection etc)
5. A description of  what social media sites the company officially participates in
6. A listing of those employees approved to participate on those sites
1. The fact that any and all approved social media participations will be done only from corporate infrastructure (this is to protect approved employees from discovery of their personal computers)
2. A description of topics approved to be used
3. A description of those topics not approved to be used
4. A description of any approval authority process
5. A description of what will happen to the employee if they don’t follow the approved process
7. A direct statement that unapproved employees that make derogatory remarks about the organization, publish identifying information about clients, employees, or organization financials, talk about organization business or strategy etc. in any social media venue will be punished in the following manner…
8. A description of how these policies will be audited and enforced

Once the policy is developed, it needs to be communicated to all employees and updated by legal representative on an annual basis. This education process could include steps like:

1. A regularly updated company intranet site explaining the policy.
2. A description and discussion of the policy in new employee orientation activities.
3. A printed description of the policy which the employee signs and returns to the organization.
4. An annual revisiting of the policy in department meetings.
5. The publishing of an organization “hot line” to your corporate legal department for real-time questions.

On a related topic, for legal reasons you should be archiving all approved social media participations much like many companies now archive their email and instant message content.

This practice will seem rather draconian to many employees but in reality the organization needs to protect the brand and always have a proactive strategy for potential litigation.

A sampling of various organizations social media policies can be found here. I was particularly impressed with Dell’s.

From a previous blog post titled ”Beware: your facebook posts could end up in court”

Social networking posters beware…your Facebook and other social media accounts may be seen by more than just your friends; in fact, what you post and tweet could become court evidence.

But many of us don’t consider these implications when tweeting and posting. Current employers, potential employers and, yes, even attorneys review social networking sites for information on workers, job candidates and litigants.

Individuals as well as organizations need to carefully consider what they post to these sites. In the personal injury case of McMillen v. Hummingbird Speedway, Inc., No. 113-2010 CD (C.P. Jefferson, Sept. 9, 2010), Hummingbird Speedway, Inc. sought access to plaintiff’s social network accounts, requesting an eDiscovery production of his usernames, log-ins and passwords.

The olaintiff objected, arguing that the information on those sites was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days. Additionally, the court ordered that plaintiff should not take steps to delete or alter the existing information on his social network accounts. The court said:

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.  In so holding, the court also noted the possibility that communications could be disclosed by friends of the account holder with whom the communications were shared.

Organizations need to establish and enforce employee social media policies to lower their risk and better protect their brand.

A definition of the term social media from Merriam-Webster states “forms of electronic communication (as Web sites for social networking and microblogging) through which users create online communities to share information, ideas, personal messages, and other content.”

Another definition of “social media” from online matters reads “Social media is any form of online publication or presence that allows end users to engage in multi-directional conversations in or around the content on the website.”

Examples of social media include facebook, myspace, LinkedIn, twitter, YouTube, and WordPress (free blogging site) among many, many others. Social media is not limited to desktop computers either. Cell phones, smart phones, PDAs, iPhones and iPads are popular examples of mobile devices which can be connected to social media capabilities.

How popular is social media these days?

Facebook: 750 million plus active users (July 2011). Users spend over 700 billion minutes per month on facebook.

Twitter: 175 million total Twitter accounts, 119 million Twitter accounts following one or more other accounts (March 2011) with 177 million tweets sent in one day on M arch 11, 2011

LinkedIn: 100 million users (March 2011)

Based on the above numbers, the social media phenomenon has become a major source of electronic data which in turn means a major target in litigation.

Social media content as a source of evidence in civil litigation has become a popular topic in legal magazines, blogs, twitter posts and other information sources. There are several challenges around social media content from the employee’s point of view and its use in litigation. Individuals tend to view social media content the same way they thought about emails and voicemails years ago – transitory, something that was private and didn’t exist for long anyway. People are shocked that potential employers are looking at the individual’s public facebook page, twitter postings or LinkedIn profile to get a better idea of a job candidate’s background or when police view the same content to help build a case against someone.

“Seriously officer, I wasn’t at that party where someone got shot…I was visiting my grandmother in Fresno”

“Really?… then how come there’s a picture of you at the party holding a bottle of Jack Daniels in one hand and a Glock 9mm in the other hand?”

Does an employer have a right to an employee’s social media content? Some qualifying questions to determine this  would be:

1. Has the employee mixed personal and business related content in their social media activity?
2. Was the employee’s social media activity initiated from within the organization’s infrastructure or using their equipment?

In a 2010 US District Court decision, Equal Employment Opportunity Commission v. Simply Storage Management, L.L.C. and O.B. Management Services, the defendant, Simply Storage, sought to discover from  two employees claiming sexual harassment against their supervisors, all photographs and videos posted to their Facebook and My Space accounts, electronic copies, or alternatively hard copies, of their profiles which includes updates, messages, wall comments, causes/groups joined, activity streams, blog entries, blurbs, comments and applications. The EEOC objected to production on the grounds that the request was overbroad, not relevant, unduly burdensome, and improperly infringed on privacy and compliance would harass and embarrass the claimants. Simply Storage defended the request arguing that the claimants’ had put their emotional health at issue implicating all their social communications.

The Court ruled that the EEOC must produce relevant Social Networking Sites (SNS) communications in accordance with its guidelines noting first that SNS content is not shielded from discovery simply because it is locked or private.

In another case, TEKsystems, Inc. v. Hammernick et al., No 0:10-cv-00819, filed in the United States District Court for the District of Minnesota, is the first-known restrictive covenant lawsuit regarding allegedly unlawful conduct via social media (in this case, LinkedIn).

When Hammernick’s employment with TEKsystems ended, she went to work for Horizontal Integration, Inc., also an IT staffing firm. The complaint alleges that, after her employment with TEKsystems ended, Hammernick unlawfully communicated, on behalf of Horizontal Integration, with at least twenty “Contract Employees” via LinkedIn, the premiere social networking website used for business and professional purposes.

The allegations against Hammernick list, by name, the sixteen Contract Employees that she allegedly “connected” with on LinkedIn, in violation of her employment agreement with TEKsystems. This case raises the legal question whether merely “connecting” with professional contacts via professional networking websites constitutes a violation of a restrictive covenant prohibiting such “solicitation” or “contact.” Does the mere existence of a network of professional contacts equal solicitation? Will compliance with a non-solicitation restriction require individuals to “disconnect” or “de-friend” colleagues, customers, or clients of former employers until the non-solicitation period expires?

Smartphones are a super highway into your private social media content

Recently, California’s Supreme Court reached a controversial 5-2 decision in People v. Diaz (PDF), holding that police officers may lawfully search mobile phones found on arrested individuals’ persons without first obtaining a search warrant. The court reasoned that mobile phones, like cigarette packs and wallets, fall under the search incident to arrest exception to the Fourth Amendment to the Constitution.

Do you have a Twitter app or LinkedIn app on your smart phone? Does it automatically enter your logon and password when you start the app? If they do then law enforcement could take a look at you private facebook, LinkedIn or Twitter accounts.

Also be aware, if you voluntarily disclose or enter your mobile phone password in response to police interrogation, any evidence of illegal activity found on (or by way of) your phone is admissible in court, regardless of whether or not you’ve been Mirandized.

Its obvious social media is a new speed bump in the eDiscovery landscape. Employers need to create policies to address their concerns and educate their employees about these policies and the consequences of not following them.

Effective early case assessment is dependent on a complete data set.

On the average 97% of data generated within businesses is electronic. The average employee generates and receives up to 20 MB of email and potentially hundreds of MBs of office work files per day. Litigation is a huge problem these days for businesses. A huge amount of the cost of litigation is the cost of finding and reviewing electronically stored information (ESI) for both early case assessment as well as eDiscovery request response. ESI can hide anywhere in the corporate infrastructure; custodian workstations, network share drives, USB thumb drives, CD/DVDs, iPods etc. A centrally managed and fully indexed archive can speed the collection and review of potentially responsive records for early case assessment as well as more fully control and insure the placement of litigation holds.

No matter the case, the first question when you’re faced with litigation is whether the case has merit. If you haven’t prepared a case assessment strategy ahead of time, it will be difficult to quickly and effectively determine your strategy going forward; should you settle or fight…

An early case assessment capability provides you with four obvious benefits:

• Provides an early indication of the merits of the case – do you have any actual liability.
• Can suggest the proper strategy going forward.
• Can provide you an estimate of the cost of defending the case and the time required.
• Will help you plan for the discovery process and prepare for the “meet and confer” meeting.

Let’s look at some scenarios.

Scenario #1

You’re the General Counsel of a publicly traded software company in the state of California.

It’s a Friday near the end of summer and you’re sitting in your office thinking about your Hawaiian golf vacation which begins tomorrow.

You’re checking the last of your mail before you leave for 3 weeks.

You open a letter from an outside law firm addressed to you…

(Your secretary hears a string of profanities emanating from your office)

You immediately think to yourself; once this news gets out, your company’s stock will be hammered, your board of directors will want an update yesterday, your channel partners will want to be advised on their potential liability, sales that are in process will stop, your CEO will want to know if the case has merit…and your wife will want to know why you just cancelled the Hawaiian vacation she was looking forward to (she was staying home).

What to do first?

You call the plaintiff’s law firm of Tolson & Yonamine to determine what this case is based on…what’s driving it. The Partner managing the case can’t be reached but 2 hours later you receive a fax (a fax, really?) of a printed email that looks like it came from within your company…

What the…? Who, in their right mind would seriously consider something like this much less put it in writing?

Ok, first things first. Your next steps are:

• Find out who “Jennifer” is, who she reports to and what department she work in. Also find out if she is even still with the company
• Call the VP of IT and let her know what’s going on and verbally tell her to secure any infrastructure data from Jennifer or Bob
• Follow that up by sending an email to the VP of IT asking her to secure Jennifer and Bob’s email boxes, and any backup tapes for their respective email servers
• Send an email to Jennifer informing her of the litigation hold, her duties under it and the consequences if the directions are not followed
• Send an email to Bob informing him of the litigation hold, his duties under it and the consequences if the directions are not followed
• Instruct  the VP of IT via email to find the original of the email in question on the email servers or backup tapes

To complicate matters, the VP of IT calls back immediately to tell you that the company only keeps backup tapes of the email servers for 30 days and are then recycled. She also informs you that the company has a 90 day email retention policy meaning that employees must clear emails older than 90 days out of their mailbox or the company will do it automatically. Copies of those emails, if they exist, will only be available on the employee’s local workstations. You think to yourself; if that’s the case, how did the outside law firm get them?

You send one of your staff attorneys and an IT person to both Bob and Jennifer’s offices to look for a copy of the email on their local computers etc.

Later, you find that Bob has a 3 GB PST, local personal email archive, on his laptop where the email might exist but for some reason the IT guy can’t open it. IT calls Microsoft support and is told that the PST is too big and is no doubt irrevocably corrupted.

In the mean time, one of your staff attorneys spends 4.5 hours at Jennifer’s office and eventually finds a copy of the email in her local PST… the email really does exist…%$#@!!. She has no idea why she would have written something like that and there are no records of any other emails associated with that particular smoking gun email. Because the email in question is older than the company’s oldest email server backup tapes, your early case assessment is stopped dead for lack of data.

Now what?

After several months of negotiating with ABC Systems and their law firm, you settle for damages of $35 million and an apology published in the business section of the San Jose Mercury News.

In the preceding scenario, the available early case assessment process suggested that the case might have merit and should be settled before more resources were expended. In this case, the early case assessment was negatively impacted by a shortage of data due to retention policies that were put into place mainly for storage management reasons.

Having access to all relevant information early on can mean the difference between fighting a winnable case and settling the case early for hopefully much less then is being asked for. An early case assessment strategy with the right tools can improve the odds of a favorable outcome.

Early Case Assessment with Proactive ESI Archiving

Let’s look at the preceding scenario with one difference… the defendant has an ESI archiving system and a more common sense retention policy which in this case includes a 3 year retention policy for email.

You are the General Counsel of a publicly traded software company in California

It’s a Friday near the end of summer and you are sitting in your office thinking about your Hawaiian golf vacation which begins tomorrow

You open the last of your mail before you leave for 3 weeks

You open a letter from an outside law firm…

This can’t be real. This must be a joke from your $*@$!! Brother-in-law. After calling him and determining it’s not a joke you think to yourself; NOW WHAT?

You call the opposing counsel to determine what this case is based on. The partner managing the case can’t be reached but 2 hours later you receive a fax showing a printed email that looks like it came from within your company…

Next, you must place a litigation hold on all potentially responsive records

• Find out who “Jennifer” is, who she reports to and what department she work in. Also, is she even still with the company
• Call the VP of IT and let her know what’s going on

• Instruct one of your staff attorneys to query the email archive to determine if that specific email exists, and to provide the entire conversation thread around that email so you can review it for intent.

Your staff attorney quickly queries the archive and pulls up a copy of the email message with the entire conversation thread, puts the entire conversation thread on litigation hold and sends you the following email…

“Boss, the email in question was based on the following conversation thread starting with the CEO:”

“Based on the early case assessment using the email archive and the conversation thread capability, I found that the “smoking gun” email was taken out of context and can prove the case has no merit…We should talk to opposing counsel as soon as possible to end this now.”

You think to yourself; whatever person’s idea it was to get that email archiving system in place should be given a load of stock options…

You spend the next morning talking to the opposing counsel…the action is withdrawn a month later…

You continue with your golf vacation having only missed two days and your wife is especially happy you were able to go on your vacation (alone).

An important aspect of an early case assessment is to tell you if the case has merit. It’s difficult to make an informed assessment about a case without all the data…

From an article posted to the Infosecurity-us.com website yesterday:

When litigation-based data management isn’t taken seriously dire consequences will occur.

When it comes to electronic discovery, if you fail to protect potentially relevant data and it’s destroyed, no matter the excuse, you have deprived the other side of their right to all relevant evidence to support their case and subsequently put them at a disadvantage.

What are your responsibilities when it comes to securing data that could be used against you in a current or future civil lawsuit? Judges today have little sympathy for accidental or shoddy data handling practices when it comes to protecting and turning over data in litigation.

Controlling your company’s information at all times is crucial if, or when, you get dragged into civil litigation. What is eDiscovery? Well, it’s not an afterhours team-building exercise. Electronic discovery (also called eDiscovery or Discovery) refers to any process (in any country) in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. The eDiscovery process can be carried out offline on a particular computer or it can be accomplished on a corporate network.

Since the new amendments to the Federal Rules of Civil Procedure (FRCP) were adopted in December 2006, judges expect that organizations in eDiscovery have complete control of their organization’s data and can fully respond to an eDiscovery request in days or weeks, not months or years.

The entire article can be read here

In a recent blog posting titled “The coming collision of “free to the public cloud storage” and eDiscovery”. I mentioned some of the potential gotchas involved in storing your ESI with these cloud services. One of the cloud storage services I named was the Dropbox service.

On Friday the Dropbox cloud storage start-up announced changes to its policies, claiming it had rights to your data stored on its service.

The original section read: “You grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service.”

This message obviously started a major reaction so the company has revisited its terms again, being forced to update its blog twice in order to try and calm the storm surrounding its policy.

The last two blog updates are below:

[Update - 7/2] – We asked for your feedback and we’ve been listening. As a result, we’ve clarified our language on licensing:

You retain ownership to your stuff. You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

[Update 2 - 7/2] – An update based on your feedback:

One of the main reasons we updated our terms of service was to make them easier to read and understand. It seems we’ve mostly accomplished that, which we’re thrilled about.

Some of you have written us with very understandable concerns about the legal-sounding parts. In particular, our new TOS talks about the licenses we need to run Dropbox. We want to be 100% clear that you own what you put in your Dropbox. We don’t own your stuff. And the license you give us is really limited. It only allows us to provide the service to you. Nothing else.

We think it’s really important that you understand the license. It’s about the permissions you give us to run the service, things like creating public links when you ask us to, allowing you to collaborate with colleagues in shared folders, generating web previews or thumbnails of your files, encrypting files, creating backups… the basic things that make Dropbox safe and easy to use. Services like Google Docs and others do the same thing when they get these permissions (see, for example, section 11.1 of Google’s TOS).

We wish we didn’t have to use legal terms at all, but copyright law is complicated and if we don’t get these permissions in writing, we might be putting ourselves in a tough spot down the road. Not to bore you with the details, but please take a look at the license term in the TOS. We think it’s fair and strikes the right balance: “This license is solely to enable us to technically administer, display, and operate the Services.”

We want to thank everybody who wrote in, understanding your concerns helps us make Dropbox better.

Drew & Arash

It looks to me that they made a decent and honest attempt to come back from a really unsettling policy change. The main point here is that you have to understand the policies which manage your data on these services.

One practice I employ when using these services is to encrypt the data I upload to these services using applications such as TrueCrypt or PGP (see my blog on this topic). This practice does remove some of the capabilities such as indexing for search on the cloud service but the main reason I utilize these cloud storage offerings is to to be able to access my data anywhere from any computer.

One question I get asked a lot lately at webinars and seminars is; doesn’t Microsoft Exchange have all the tools I need to respond to a Discovery request? In other words can you rely on Exchange 2010 discovery capability for defensible search and litigation hold? Depending on who you talk to the answer can be yes or no.

Now don’t get me wrong, Microsoft has made great strides on its eDiscovery capability over the last several years with Exchange 2007 and 2010. But there is at least one major question to ask yourself when considering if Exchange 2010 has the capabilities, by itself, to respond to a eDiscovery request. That question is; can I respond to a email discovery request quickly and completely enough to satisfy the opposing counsel and Judge in a defensible manner?

One potential problem I’ve run across is a question of completeness of the eDiscovery search capability in Exchange 2010. Can you rely on it to produce the search results so that 1, all potentially responsive ESI can be found and placed on a litigation hold and 2, does the results set you eventually end up with contain all potentially responsive ESI?

Exchange 2010 comes with a default package of what Microsoft terms as iFilters. These iFilters allow Exchange to index specific file types in email attachments. This default iFilter pack (a description of which can be seen here) must be installed when Exchanger server 2010 is installed. This default iFilter pack includes the following file types:

.ascx, .asm, .asp, .aspx, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .doc, .docx, .dot, .h, .hhc, .hpp, .htm, .html, .htw, .htx, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .mht, .odc, .one, .pl, .pot, .ppt, .pptx, .rc, .reg, .rtf, .stm, .txt, .url, .vbs, .wtx, .xlc, .xls, .xlsb, .xlsx, .xlt, .xml, .zip

An obvious missing file type is the Adobe Acrobat .pdf extension. Many/most eDiscovery professionals will tell you that PDF files make up a sizable share of potentially responsive ESI in discovery. What if your IT department didn’t know about this limitation and never installed a separate iFilter for Adobe Acrobat files? What if your legal department didn’t know of this missing capability?

Your discovery searches would not be returning responsive PDF files causing major risk in both litigation hold and your overall discovery response.

Another question in reference to the Exchange 2010 Abobe Acrobat search capability is the effectiveness of the search. In a WindowsITPro article from last year titled Exchange Search Indexing and the problem with PDFs, Or “Why I hate Adobe with the Burning Passion of 10,000 Suns”, Paul Robichaux writes:

“This test provided an unsatisfying result. I don’t feel like I found or fixed the problem; I just identified it more closely. Telling my users, “Sure, you can search attachments in Exchange, unless they happen to be PDFs, but then again maybe not,” isn’t what I had in mind. I hope that Adobe fixes its IFilter to work properly; it’s a shame that Adobe’s poor implementation is making Exchange search look bad.”

Corporate attorneys in organizations using Exchange 2007 and 2010 as their email system should immediately ask their IT departments about their system’s ability to index and search PDF files.

Attorneys on the other side of the table should be asking defense counsel the status of their Exchange 2007/2010 Adobe Acrobat search and litigation hold capability.

Offenback v. L.M. Bowman, Inc., No. 1:10-CV-1789, 2011 WL 2491371 (M.D. Pa. June 22, 2011)

From eDiscoverylaw.com

In this case arising from a car accident which the plaintiff claimed resulted in physical and psychological injuries, the parties invited the court to conduct a review of Plaintiff’s social networking accounts “in order to determine whether certain information containedwithin Plaintiff’s accountsis properly subject to discovery.” Using Plaintiff’s log-in information, the court reviewed Plaintiff’s Facebook account, including “a thorough review of Plaintiff’s ‘Profile’ postings, photographs, and other information.” (Plaintiff’s MySpace account was not searched asit hadnot been accessed since November 2008 and Plaintiff could not locatethe log-in information.) The court then identified potentially relevant information to be produced, including, for example, photos and updates indicating recent motorcycle trips and “photographs and comments suggesting that he may have recently ridden a mule.” In finding that some of the “public information contained in Plaintiff’s account is properly subject to limited discovery in this case,” the court noted Plaintiff’s acknowledgment that “limited [relevant] ‘public’ information is clearly discoverable under recent case law.”

The court closed this opinion with a footnote expressing its “confusion” as to why its assistance was required in this instance and reasoning that because Plaintiff was most familiar with his own account, “it would have been substantially more efficient for Plaintiff to have conducted this initial review and then, if he deemed it warranted, to object to disclosure of some or all of the potentially responsive information.” The court acknowledged that the “scope of discovery into social media sites ‘requires the application of basic discovery principles in a novel context’” and that “the challenge is to ‘define appropriately broad limits … on the discovery ability of social communications,’” but reiterated its point that (subject to a properly narrow request) “it would have been both possible and proper for Plaintiff to have undertaken the initial review of his Facebook account to determine whether it contained responsive information” and to thereafter involve the court if a dispute remained as to whether that information was subject to production.

The full opinion can be see here

In my blog “The coming collision of “free to the public cloud storage and eDiscovery” posted on June 23, I talked about these new free cloud storage options and how they could become a problem in the litigation/eDiscovery process. While researching that blog, I found an interesting capability with Microsoft Outlook and the various cloud storage offerings.

It is called a email folder URL redirect. Microsoft Outlook includes the capability to associate an email folder with a Web page. You can set up this association so that when you select the email folder, the Web page appears or the contents of the folder appear.

This capability can be useful when you want to include internal instructions or news about the organization. Another example would be a redirected folder pushed out to all in the organization announcing a litigation hold and answering questions about the hold, expectations, target content etc.  Although this capability provides the opportunity to create powerful public folder applications, non-approved scripts can be included on the Web page that access the Outlook object model, which exposes users to security risks so users should not be adding redirected email folders without IT’s approval.

So how does this capability, email folder URL redirection, relate to cloud storage? All four of the “free to the public cloud storage” offerings mentioned in the blog include a web page where files can be uploaded, viewed and downloaded. This means, for example, the Amazon Cloud Drive service could be a redirection target for an Outlook email folder.

Use the following steps to create and associate an e-mail folder with a Web view:

• If you don’t already have a folder list showing in your Outlook front end, click on the View menu, then click Folder List.
• Create a new folder in the folder list called Amazon Cloud by right clicking on the top most folders where you want to create the Cloud folder under. Then type in the new folder name Amazon Cloud

Figure 1: Create a new email folder called “Amazon Cloud”

• In the Folder List, right-click the folder that you want to associate with a Web page, and then click Properties on the shortcut menu.
• In the Property dialog box, click the Home Page tab.
• In the Address box, type the URL for the Amazon Cloud drive web page.
• Click to select the Show home page by default for this folder check box if you want the Web view active.

Figure 2: Input the URL address of the Amazon Cloud drive webpage

• Click OK.

Now, by clicking on the new email folder, you will see the Amazon Cloud drive sigh in webpage.

Figure 3: Access and sign in to your Amazon Cloud drive webpage

Figure 4: You now have full access to your cloud storage from within Outlook

Some things you can now do include being able to open files from within your Amazon Cloud Drive. Once opened, data can be copied and pasted to a new email you might be creating.

Some things you can’t do directly include saving an email attachment directly to your cloud drive, dragging a file in your cloud to an email. For both these capabilities, an interim step is required. Namely coping files to your desktop first.

If that’s the case, is this capability useful? That depends… If you utilize a “free to the public cloud storage” service then you may want a more direct capability to view content in your cloud from within Outlook. This is somewhat of a stretch but you never know.

The main reason I’ve highlighted this capability is to illustrate how difficult the eDiscovery collection and litigation hold processes are getting when custodians have all these different options for storing (hiding) potentially responsive ESI.

There has been nagging questions surrounding SharePoint and its ability to allow complete and effective eDiscovery searches of all potentially responsive content in the repository. The below description is from the Microsoft Enterprise Content Management (ECM) Team Blog.

From the Microsoft blog:=================================================================