Mobile Computing Holds Compliance Risks

Mobile Computing Holds Compliance Risks
Steven C. Bennett and Cecilia R. Dickson
New York Law Journal
October 02, 2008

Mobile computing is commonplace for much of corporate America. Employees routinely use cell phones and PDAs, enabling them to work beyond the physical confines of their offices. These ubiquitous devices, however, represent only a fraction of the innovations used by modern companies to facilitate working anytime, anywhere. Improved connectivity infrastructure in the residential sector, virtual conferencing capabilities and paperless offices are just a few of the recent mobile computing innovations that allow an "office" to be completely mobile, with employees deployed globally at a moment's notice.

Mobile computing has forever changed the workplace landscape. It has given rise to alternative work arrangements; indeed, some employees now work exclusively "out of the office." Many companies have drastically reduced their office space and encourage their employees to work on the road or at home.

Mobility is such a far-reaching change in workplace behavior that the characterization of mobile computing as a trend does not do justice to the changes rapidly taking place. By 2009, an estimated 14 million workers will be telecommuting or, perhaps more aptly phrased, teleworking.[FOOTNOTE 1] Others have estimated that as many as 22 million people today already work one or more days a week in nontraditional locations.[FOOTNOTE 2] With at least 27.5 percent of the working population estimated to participate in teleworking arrangements by 2009,[FOOTNOTE 3] teleworking is a phenomenon that cannot be ignored.

The consequences of decentralization of the modern workplace, however, may complicate administration of a business. As those attuned to the electronic discovery revolution of the past decade can attest, decentralization introduces a complex data and communication environment that companies must address to ensure compliance with document retention obligations and litigation discovery demands. As difficult as compliance with these obligations can be, the challenge can mount further when there is not one location for all servers, when documents are scattered across various electronic media (including personal computers, iPods, and flash drives owned by employees) and no one monitors compliance with data management regulations at the various "work sites."

Discovery rules in general assume the existence of stable, centralized data. The advent of mobile computing introduces ever-expanding decentralization of data.

Companies have become accustomed to issues such as multiple versions of documents stored electronically, duplicates whizzing through cyberspace as attachments to long e-mail strings, e-mail and instant messaging archiving and metadata concerns. But addressing retention issues with all these applications can become even more difficult when computers are not synced up to corporate servers, individual employees work "off-line" and then upload only certain work-product, and employees use personal e-mail accounts, bypassing the corporate servers and infrastructure that monitor and maintain the institution's e-mail and other documents.

The number of sources and locations of electronically stored information almost always increases as employees work from several locations on multiple computers. Remote access to office-based servers and computers allows teleworkers to access, modify and download files from a centralized "homebase" repository nearly anywhere in the world. Consequently, an assessment of the creation, modification, storage and destruction of information becomes critically important to companies that permit mobile computing. Deficiencies and litigation risks associated with mobile computing may demand solutions as dynamic and innovative as these new, nontraditional data and communication structures.

Companies must face these issues and address them as they may arguably be held "on the hook" for documents generated by the employees in the scope of their employment, even if those records are not created or maintained at the company. Rule 26(a)(1) of the Federal Rules of Civil Procedure requires disclosure of the identities of individuals "likely to have discoverable information," along with "a copy -- or a description by category and location -- of all documents, electronically stored information, and tangible things that the disclosing party has in its possession, custody or control" relevant to the claims or defenses of any party.

To date, many cases assessing the scope of "possession, custody or control" have addressed the obligation of a litigant to secure records physically maintained by a third party. These same principles may also apply to a company's own employees, even though the employees may create documents entirely off the company's network.

IMPOSED OBLIGATIONS

Courts have often considered how far companies must go in preserving and producing records stored outside of the company by third parties. Many courts have recognized an obligation to preserve such data, reasoning that third-party documents may be in a company's "control."

For example, in Keir v. UnumProvident Corp., 2003 WL 21997747, the U.S. District Court for the Southern District of New York found that the defendant failed to communicate in a timely manner or meaningful way regarding the potential preservation obligations of its third-party provider of e-mail and other computer services.

Similarly, the court in In re Triton, 2002 WL 32114464 (E.D. Texas), held that it would have been prudent and within the spirit of the law for the defendant to instruct its outside directors to preserve and produce any documents in their possession, custody or control. Moreover, the Triton court held, failure to implement a suitable document preservation plan, to communicate that plan effectively to outside directors and to follow up to ensure that the directive was followed, created holes in the document preservation plan through which discoverable materials may have been lost.

In PML North America v. Hartford Underwriters Insurance, 2006 U.S. Dist. LEXIS 94456 (E.D. Mich.), the court granted the plaintiff's motion to compel and ordered production of a specifically identified hard drive, a thumb-drive (a small, removable data storage device) and a nonparty employee's home laptop computer. Although the defendant disavowed possession, control and even knowledge of the whereabouts of some of the equipment, when the equipment produced failed to match the equipment identified, the court entered judgment by default as a sanction.

Yet perfection in retrieval of information from third parties is not the standard by which companies should be judged. In Phillips v. Netblue, 2007 WL 174459 (N.D. Cal.), the court recognized that potential evidence must be in a party's "possession, custody, or control" for any preservation duty to attach. As the court reasoned, "[o]ne cannot keep what one does not have." Thus, the question facing companies inclined to adopt mobile commuting policies is how to determine whether electronically stored information created and/or stored outside of corporate facilities is considered evidence within the "possession, custody, or control" of the company, and how company IT staff can ensure that such information is retained or purged in accordance with a defensible, routine protocol designed to limit storage costs. All these goals, moreover, must be accomplished in a prudent, cost-effective fashion.

So, how can a company reasonably comply with these potential obligations? Particularly where a mobile work force institutes its own retention systems, working on various computers and retaining records in their own idiosyncratic way, companies must strive to make good faith efforts at document control, but are left questioning how much is enough.

Rule 34(a) of the Federal Rules of Civil Procedure requires a party to produce -- and therefore take steps to preserve -- any responsive document, electronically stored information or tangible thing within its "possession, custody or control." Some courts "require production if the party has practical ability to obtain the documents from another, irrespective of his legal entitlement to the documents." See Prokosch v. Catalina Lighting Inc., 193 F.R.D. 633, 636 (D. Minn. 2000) (quoting United States v. Skeddle, 176 F.R.D. 258, 261 n.5 (N.D. Ohio 1997)).

Other courts require parties to produce only those documents they have a legal right to obtain. See, e.g., Chaveriat v. Williams Pipe Line Co., 11 F.3d 1420, 1427 (7th Cir. 1993) ("But the fact that a party could obtain a document if it tried hard enough ... does not mean that the document is in its possession, custody, or control"). The more information a company manages, and the more physical locations of information it oversees, the more expensive it becomes to discover all relevant information, especially where automated programs may save information in a manner that leads to redundancy. Cost of retrieval also rises significantly when all these materials must be gathered on a tight deadline, and no background information as to locations of data has been maintained.

In addition, the burden faced by an institution may be judged in terms of what the company itself has done to encourage mobile computing. Rule 26(b)(2)(B) provides that a "party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost." Thus, a company probably cannot distribute data widely for business purposes and still claim an undue burden in collecting information from the same distribution chain.

KEYS TO DATA PRESERVATION

In the face of data mobility, what steps should a company consider to satisfy its potential obligations to preserve and produce information in discovery?

The following is a nonexclusive, nonmandatory list of steps to consider:

• Recognize the risks and costs of discovery in litigation and realize that it is unreasonable, expensive and inefficient to retain all documents indefinitely, especially where such documents (even if largely irrelevant) may become a burden in litigation. The best practice is not necessarily to force employees to save everything. Rather, companies must invest time in developing policies and training their work force as to how to document business transactions and what guidelines to follow in retaining data.

• Define a realistic document retention and destruction policy based on the company's risk threshold, industry standards and existing law. The policy should, if possible, address mobile computing and should be tailored to the unique business practices of the company. It should serve as a living document, regularly updated to reflect business technology and legal changes over time.

• Maintain a list of acceptable work locations and equipment and enforce an organizationwide mandate of compliance with that list. Employees must know which locations are acceptable for work, and which are not. Written guidelines, as well as enforcement mechanisms, will help employees adapt to changing work environments. Companies should consider practical needs for employee flexibility, in tailoring protocols that do not stifle their ability to complete tasks. There simply is no one-size-fits-all data management policy.

• Learn how employees work by monitoring their compliance. Take steps to ensure that proper management of electronic records occurs on an ongoing basis. Beyond emphasizing proper procedures, the company should define clearly the reasons for the policy and individual employee responsibilities in implementing the policy. Conduct training programs to help employees understand and "buy in" to the policy.

• Retain a list of, and communicate with, employees and others who may be considered in "possession, custody or control" of electronic information. For companies that permit or encourage mobile computing, the scope of such an effort may be quite burdensome, due to multiple sources of electronically stored information. In some instances, even the number of sources may be difficult to quantify. Better record-keeping employed by a company, including some form of "data map," should make compliance with discovery demands easier.

• Ensure that departing employees turn over records and information concerning the locations of their work-related data, before they leave.

• Establish a plan to document the company's preservation and collection efforts in the event of litigation.

CONCLUSION

Electronic discovery concerns need not present insurmountable problems for companies that foster mobile computing so long as certain unique issues are addressed head-on. Ineffective policies, with no recognition of the mobile computing environment, may exacerbate the difficulty and cost of satisfying e-discovery obligations. Employees working from home or the road must recognize their potential ownership and control of records generated in relation to work performance, even when those records are not directly linked to company servers.

Companies should manage data as best suits their needs, so long as data management policies are not designed to evade discovery obligations. As with the choice of corporate structures, companies must retain the flexibility to design document retention solutions that fit the company's unique data and information needs, and that they ensure compliance with retention and discovery obligations even where employees connect to work only in cyberspace.