Mobile devices are an absolute necessity in our everyday life. It seems as if almost everyone around the globe carries a smartphone or tablet, and millennials have been using these devices from a very early age. Most of us own more than one device and check them several times a day. We use our friendly mini supercomputers for just about everything: to communicate, drive, shop, work, learn, relax, etc.
When it comes to litigation (or potential litigation), our beloved devices are usually subject to discovery as they may contain information that is relevant to proving or disproving a case. As a result, when developing a data collection strategy, mobile devices must be considered. Mobile devices may now be as valuable as the more typical sources of information, namely personal computers and network locations, and with this newly-recognized discovery relevance comes a potential for trouble. (For information on preservation of mobile device data, check out my colleague Nicole Allen’s article, here).
As a Senior Project Manager working daily on complex e-discovery projects, I often provide guidance on the technical aspects of mobile device discovery, including where mobile data might exist, whether the data is accessible, how best to collect it, and how to review and produce it in a format that makes sense. In this post, I will explore the complexities of mobile device discovery and address some potential pitfalls.
1) Which devices are subject to discovery?
Any device that has relevant information (personal or company-issued) is typically subject to discovery. These devices can be owned by the employee or the company. Some people carry two devices to keep work and personal information separate, while some companies have a bring your own device (BYOD) policy that governs how employees mix professional and personal content on the employee’s device (you can read more about BYOD policies and best practices in an article by my colleague, Russ Beets, here). Because of security and privacy concerns that are inherent in mixing personal and confidential business data, some companies are approaching BYOD in a new way with company-owned but personally enabled (COPE) devices. These devices are company-owned and the personal and work contents are regulated by company policy. Users of COPE devices should carefully consider what personal communications they conduct, and what information they store, on these devices. Before any collection of mobile data begins, it is important that a practitioner understand and appreciate how many devices the employee has, who owns the devices (the employee or the employer) and how the employee uses them for work-related activities.
2) What content is subject to discovery?
In simple terms, relevant communications and files are discoverable. (Note that I will not be focusing on proportionality in this article, but you can read about it in my colleagues’ articles here and here.) Mobile devices may not be so simple, though, in terms of review and collection of relevant data. To the contrary, mobile devices can be complex information repositories because there are so many potential applications that employees can use to communicate, manage and track information. Mobile communications include emails, voice messages, texts, chats, SMS and MMS. In addition to direct communications, mobile devices are also the portal many people use to engage social media communities. I work in this field, yet I find that my own teenagers at home regularly teach me about new communication apps. The large storage capacity of mobile devices also allows users to store and edit photographs, notes, GPS coordinates, contacts, etc. Some of this data is only available by collecting it directly from the mobile device while some can be accessed via the web or cloud. All of this data could be relevant to your matter, so it will be important to ask what data exists, make sure it is preserved and determine the best way to collect it.
3) How can the relevant contents be retrieved?
Since mobile data is not conducive to standard collection methods, I’ve found that it is helpful to engage someone with specialized expertise in retrieving such data. With the use of specialized tools and experience, you can be more confident that the collection will be thorough, defensible and useable.
While there are varying options for collecting mobile data, I will focus on three here.
- Send Off: When extensive analysis is needed (or when there is a fear that important data may have been lost), it may be necessary to send the mobile device to a specialist (oftentimes, a forensic examiner). In these cases, the employee would be without their device for several days, something which many would find untenable. However, in some cases, it is the best collection option.
- In-Person Collection: In these situations, the specialist visits the employee in person and retrieves the relevant data. Note that in some cases, it is necessary to image an entire device in order to collect even a small subset of data. While this option is faster and the employee will not need to be without their device for an extended period of time, there are downsides. For example, this option can be expensive if the specialist needs to travel. In addition, some states that license these specialists require that the examiners be licensed in the jurisdiction where the data is being collected. Neither of these issues should stand in the way of conducting an in-person mobile device collection, but they should be taken into consideration.
- Self-Collection (aka, the dreaded self-collection): This option is fraught with peril since data can be altered or lost during the collection process if the person collecting the data doesn’t follow proper protocols and best practices. Self-collection can work, however, if it is done under the oversight of an expert and involves the employee backing up their mobile device to their computer or an online repository.
4) What are some potential pitfalls with collection from mobile devices?
- Mobile device collection can be expensive and time-consuming, so considerations of proportionality (see links above) should be front and center. Note that in my experience, it is critical to provide specific details regarding the estimated cost and time it would take to collect mobile data in order to demonstrate that it would be unduly burdensome and any benefit gained would be minimal compared to that burden.
- Self-collections are almost never defensible on their own, so if you go that route, counsel will need to monitor, verify and audit the process.
- Backups for some mobile devices may not preserve all mobile data, including emails stored on the device or photos already stored in the cloud.
- Mobile devices can be backed up to locations that are encrypted or unencrypted. While an encrypted backup is more secure, the tools available to process an encrypted backup are limited.
- Some applications require user credentials to unlock their contents, so it is important to obtain those credentials from the employee.
- Some applications are self-deleting, meaning the communication sent via those applications deletes automatically when the communication is viewed or after a certain period of time. In my experience, discovery can become difficult when employees use these types of applications for work-related communications.
- With so many apps available (and more being added each day), different versions of apps and different mobile operating systems, the collection, processing and data mapping/organization of the contents of mobile devices can be incredibly complex.
Like it or not, the inclusion of both work and personal mobile devices as part of document management, collection, review and production is part of e-discovery reality. Including careful consideration of the handling of mobile device-based information at the earliest stages of litigation (or anticipated litigation) may make it easier to remain calm and turn over your phone.