osgoode pdp e discovery certificate slides
DESCRIPTION
Presentation on control of corporate information in light of recent challenges delivered in an e-discovery certificate program.TRANSCRIPT
Access to e-mails, text messages and other ESI – policy issues for organizations
Dan MichalukApril 16, 2003
Access to e-mails, text messages and other ESI
Outline
• Control over and access to information - ideal, reality and solution
• Policy issues for organizations• Employee privacy
• Bring your own device (BYOD)
• Social media
• Cloud computing
Access to e-mails, text messages and other ESI
Mine Yours
Ideal – physical separation by purpose
Access to e-mails, text messages and other ESI
Reality – intermingling and unclear purpose
• Personal use of work systems puts personal information side-by-side work information
• BYOD puts work information on personal devices• Corporate use of social media may put business
information on multiple accounts in multiple forms• Cloud computing puts your work system on a
computer with others’ work systems
Access to e-mails, text messages and other ESI
Solution – Use policy to achieve the ideal
• Revert to a no personal use rule• Enforce a business tools for business rule• Restrict social media communications and
archive everything• Own all computers running business applications
Access to e-mails, text messages and other ESI
Solution – Use law/policy to gain control
• Your personal use does not preclude our access• We have the following rights over your device• (Simply may not be possible for information
generated through social media applications)• Our service provider contracts must meet
requirements that ensure we control our business information
Access to e-mails, text messages and other ESI
Policy issue #1 – Employee privacy
• You’re on for an employer in a harassment case. The applicant has claimed $100,000, but you assess the employer’s worst case exposure at about $25,000 to $30,000. The applicant has pleaded that senior management, including the CEO, was complicit in the harassment. You ask your client contact to advise the CEO that you’ll need a copy of the CEO’s e-mail container file to do a proper review. “Huh, she says?” “Um, what if I write you a letter?” you respond.
Access to e-mails, text messages and other ESI
Policy issue #1 – Employee privacy
• Q: I’m not Charter bound, does Cole matter?• A: Yes
• REP engages Charter search protection
• Also a prerequisite to arbitral protection
• Also a prerequisite to tort production
Access to e-mails, text messages and other ESI
Policy issue #1 – Employee privacy
• Q: Is the REP finding distinguishable?• A: Not really
• No indication a better policy framework would have
made a difference
• No mention of pictures of Cole’s wife or any unique
personal information
• An REP likely won’t prevail over an effective
prohibition on personal use – “reasonably expected”
Access to e-mails, text messages and other ESI
Policy issue #1 – Employee privacy
• Policy implications of Cole• The Court says…
• …the expectation is low• … it’s based on one factor alone – personal use• … employee choice weighs against the expectation***
• This invites transparency as the prevailing policy
• Management should be able to reserve rights by putting
employees on notice
• The alternative is to recognize a right to employer-paid
confidential computing services (not plausible)
Access to e-mails, text messages and other ESI
Policy issue #1 – Employee privacy
• Policy implications of Cole• The Court says…
• …the expectation is low• … it’s based on one factor alone – personal use• … employee choice weighs against the expectation***
• This invites transparency as the prevailing policy
• Management should be able to reserve rights by putting
employees on notice
• The alternative is to recognize a right to employer-paid
confidential computing services (not plausible)
Access to e-mails, text messages and other ESI
Policy issue #1 – Employee privacy
• Practically, what tactics can we use to overcome this barrier to access?
Access to e-mails, text messages and other ESI
Policy issue #2 – BYOD
• Pharma One has numerous sources of potentially relevant electronic information due to the corporate policy of allowing employees to utilize their own smartphones and other PDA devices for work. There is no formal “Bring Your Own Device” policy in place.
Access to e-mails, text messages and other ESI
Policy issue #2 – BYOD
• BYOD done right means• Achieving control through technology
• Achieving control through policy
• Via these means of control• Knowing what work information resides on the device• Knowing what work information resides only on the
device• Knowing how this information resides on the device
(to address security and access)
Access to e-mails, text messages and other ESI
Policy issue #2 – BYOD
• Thoughts on policy• Highlighting the mutual exchange of benefits may
help enforceability
• Deal with security and access
• Create access scenarios to develop language
• Be very transparent about needs that will likely lead
to conflict
Access to e-mails, text messages and other ESI
Policy issue #3 – Social media
• This should not be an e-discovery (access and control) problem for business
• Good social media governance is about separating business use from personal use
• Good social media governance is about controlling business social media accounts
Access to e-mails, text messages and other ESI
Policy issue #3 – Social media
• Good social media governance is about separating business use from personal use• You don’t speak for us unless we give you
permission
• If you’re not a communication pro, you’ll need to
apply for a license based on a project description
• Oh yes, include a disclaimer if there’s any risk
someone will think you’re speaking for us
Access to e-mails, text messages and other ESI
Policy issue #3 – Social media
• Typically, if you control the password you control the information. But…• Security vulnerability because many social media
applications don’t allow for administrator privileges
• Retention rules may change
• Special means of extraction may change
• Presentation of information may change
Access to e-mails, text messages and other ESI
Policy issue #3 – Social media
• Where we likely stand on plaintiffs claiming injury• Photos of physical activity will often be producible
• Production of photos of joy and happiness may often
be resisted successfully
• Counsel should focus on what data objects in a
social profile are producible, not the profile itself
• Comments associated with relevant photos and
videos should arguably be produced
Access to e-mails, text messages and other ESI
Policy issue #4 – The cloud
• A threat to timely access to reliable information• Providers default to low cost and not service
• Investigations and e-discovery are afterthoughts
• Specialized forensic data capture services are rare
• Logs and other forensic data can be intermingled
• Proprietary software can make interpretation hard
• Access restrictions create a chain of custody issue
• Laws of other jurisdictions may be restrictive
Access to e-mails, text messages and other ESI
Policy issue #4 – The cloud
• The solution is simple (in theory)• Outsourcing process: requirements definition,
vendor selection, contracting and due diligence
• Legal and security should insert themselves into
every step of the process
• Legal and security should be prepared to
compromise because the cloud is the cloud and
physical control is supreme
Access to e-mails, text messages and other ESI
Policy issue #4 – The cloud
• The solution is simple (in theory)• Understand the system and the data it generates
• Create investigation/e-discovery scenarios
• Develop requirements
• Prioritize requirements
• Discuss requirements
• Ensure requirements can be met
Access to e-mails, text messages and other ESI
Policy issue #4 – The cloud
• Key questions• In what jurisdiction(s) will the data reside?
• How is the data stored at application and system
levels?
• Can our data be extracted independently from
others’ data? What does extraction mean?
• What forensic data do we want? Will you make it
available to us? How?
Access to e-mails, text messages and other ESI
Policy issue #4 – The cloud
• Key questions (con’t)• Will your employees give evidence to establish
chain of custody?
• How fast can you make all this happen?
• How much will all this cost?
Access to e-mails, text messages and other ESI – policy issues for organizations
Dan MichalukApril 16, 2003