Osgoode PDP e-discovery certificate slides

Access to e-mails, text messages and other ESI – policy issues for organizations Dan Michaluk April 16, 2003

Upload: dan-michaluk

Post on 19-Jan-2015


DESCRIPTION

Presentation on control of corporate information in light of recent challenges delivered in an e-discovery certificate program.

TRANSCRIPT

Page 1: Osgoode pdp e discovery certificate slides

Access to e-mails, text messages and other ESI – policy issues for organizations

Dan Michaluk

April 16, 2003

Page 2: Osgoode pdp e discovery certificate slides

Outline

• Control over and access to information - ideal, reality and solution

• Policy issues for organizations
  • Employee privacy
  • Bring your own device (BYOD)
  • Social media
  • Cloud computing

Page 3: Osgoode pdp e discovery certificate slides

Ideal – physical separation by purpose

[Diagram labels: Mine | Yours]

Page 4: Osgoode pdp e discovery certificate slides

Reality – intermingling and unclear purpose

• Personal use of work systems puts personal information side-by-side work information
• BYOD puts work information on personal devices
• Corporate use of social media may put business information on multiple accounts in multiple forms
• Cloud computing puts your work system on a computer with others’ work systems

Page 5: Osgoode pdp e discovery certificate slides

Solution – Use policy to achieve the ideal

• Revert to a no personal use rule
• Enforce a business tools for business rule
• Restrict social media communications and archive everything
• Own all computers running business applications

Page 6: Osgoode pdp e discovery certificate slides

Solution – Use law/policy to gain control

• Your personal use does not preclude our access
• We have the following rights over your device
• (Simply may not be possible for information generated through social media applications)
• Our service provider contracts must meet requirements that ensure we control our business information

Page 7: Osgoode pdp e discovery certificate slides

Policy issue #1 – Employee privacy

• You’re on for an employer in a harassment case. The applicant has claimed $100,000, but you assess the employer’s worst case exposure at about $25,000 to $30,000. The applicant has pleaded that senior management, including the CEO, was complicit in the harassment. You ask your client contact to advise the CEO that you’ll need a copy of the CEO’s e-mail container file to do a proper review. “Huh?” she says. “Um, what if I write you a letter?” you respond.

Page 8: Osgoode pdp e discovery certificate slides

Policy issue #1 – Employee privacy

• Q: I’m not Charter bound, does Cole matter?
• A: Yes
  • REP engages Charter search protection
  • Also a prerequisite to arbitral protection
  • Also a prerequisite to tort production

Page 9: Osgoode pdp e discovery certificate slides

Policy issue #1 – Employee privacy

• Q: Is the REP finding distinguishable?
• A: Not really
  • No indication a better policy framework would have made a difference
  • No mention of pictures of Cole’s wife or any unique personal information
  • An REP likely won’t prevail over an effective prohibition on personal use – “reasonably expected”

Page 10: Osgoode pdp e discovery certificate slides

Policy issue #1 – Employee privacy

• Policy implications of Cole
  • The Court says…
    • … the expectation is low
    • … it’s based on one factor alone – personal use
    • … employee choice weighs against the expectation***
  • This invites transparency as the prevailing policy
    • Management should be able to reserve rights by putting employees on notice
    • The alternative is to recognize a right to employer-paid confidential computing services (not plausible)

Page 12: Osgoode pdp e discovery certificate slides

Policy issue #1 – Employee privacy

• Practically, what tactics can we use to overcome this barrier to access?

Page 13: Osgoode pdp e discovery certificate slides

Policy issue #2 – BYOD

• Pharma One has numerous sources of potentially relevant electronic information due to the corporate policy of allowing employees to utilize their own smartphones and other PDA devices for work. There is no formal “Bring Your Own Device” policy in place.

Page 14: Osgoode pdp e discovery certificate slides

Policy issue #2 – BYOD

• BYOD done right means
  • Achieving control through technology
  • Achieving control through policy
• Via these means of control
  • Knowing what work information resides on the device
  • Knowing what work information resides only on the device
  • Knowing how this information resides on the device (to address security and access)

Page 15: Osgoode pdp e discovery certificate slides

Policy issue #2 – BYOD

• Thoughts on policy
  • Highlighting the mutual exchange of benefits may help enforceability
  • Deal with security and access
  • Create access scenarios to develop language
  • Be very transparent about needs that will likely lead to conflict

Page 16: Osgoode pdp e discovery certificate slides

Policy issue #3 – Social media

• This should not be an e-discovery (access and control) problem for business

• Good social media governance is about separating business use from personal use

• Good social media governance is about controlling business social media accounts

Page 17: Osgoode pdp e discovery certificate slides

Policy issue #3 – Social media

• Good social media governance is about separating business use from personal use
  • You don’t speak for us unless we give you permission
  • If you’re not a communication pro, you’ll need to apply for a license based on a project description
  • Oh yes, include a disclaimer if there’s any risk someone will think you’re speaking for us

Page 18: Osgoode pdp e discovery certificate slides

Policy issue #3 – Social media

• Typically, if you control the password you control the information. But…
  • Security vulnerability because many social media applications don’t allow for administrator privileges
  • Retention rules may change
  • Special means of extraction may change
  • Presentation of information may change

Page 19: Osgoode pdp e discovery certificate slides

Policy issue #3 – Social media

• Where we likely stand on plaintiffs claiming injury
  • Photos of physical activity will often be producible
  • Production of photos of joy and happiness may often be resisted successfully
  • Counsel should focus on what data objects in a social profile are producible, not the profile itself
  • Comments associated with relevant photos and videos should arguably be produced

Page 20: Osgoode pdp e discovery certificate slides

Policy issue #4 – The cloud

• A threat to timely access to reliable information
  • Providers default to low cost and not service
  • Investigations and e-discovery are afterthoughts
  • Specialized forensic data capture services are rare
  • Logs and other forensic data can be intermingled
  • Proprietary software can make interpretation hard
  • Access restrictions create a chain of custody issue
  • Laws of other jurisdictions may be restrictive

Page 21: Osgoode pdp e discovery certificate slides

Policy issue #4 – The cloud

• The solution is simple (in theory)
  • Outsourcing process: requirements definition, vendor selection, contracting and due diligence
  • Legal and security should insert themselves into every step of the process
  • Legal and security should be prepared to compromise because the cloud is the cloud and physical control is supreme

Page 22: Osgoode pdp e discovery certificate slides

Policy issue #4 – The cloud

• The solution is simple (in theory)
  • Understand the system and the data it generates
  • Create investigation/e-discovery scenarios
  • Develop requirements
  • Prioritize requirements
  • Discuss requirements
  • Ensure requirements can be met

Page 23: Osgoode pdp e discovery certificate slides

Policy issue #4 – The cloud

• Key questions
  • In what jurisdiction(s) will the data reside?
  • How is the data stored at application and system levels?
  • Can our data be extracted independently from others’ data? What does extraction mean?
  • What forensic data do we want? Will you make it available to us? How?

Page 24: Osgoode pdp e discovery certificate slides

Policy issue #4 – The cloud

• Key questions (cont’d)
  • Will your employees give evidence to establish chain of custody?
  • How fast can you make all this happen?
  • How much will all this cost?
