Technology

Cloud Computing And Social Media: Electronic Discovery Considerations And Best Practices

Introduction

Social media platforms, including applications like Facebook, Twitter and LinkedIn, are immensely popular. According to one source, 75 percent of people aged 18 to 24 have profiles on social networking sites like Facebook, while one-third of people aged 35 to 44, and nearly twenty percent of people aged 45 to 54, use social networking sites.[1] These sites have millions of users, with Facebook alone reporting over eight hundred million users.[2]

Social media platforms are a subset of a larger category of applications referred to as cloud computing. Cloud computing encompasses various platforms that users can access over the Internet, in which the storage of data is diffused across a potentially large number of sites.[3] Examples of cloud computing include free web-based applications like email accounts and document sharing provided by Google, as well as more complex cloud computing systems that are used by companies who are looking to reduce IT management and maintenance costs by using third-party service providers.[4]

Social media and cloud computing are widely used by companies and their employees. Companies increasingly utilize social networking sites to advertise, communicate with the public and recruit new employees.[5] Furthermore, other users may create profiles or pages for a company without that company’s knowledge or control. Even if companies themselves are not utilizing social networking sites, many employees are accessing these sites at work for personal purposes.[6]

Employers risk exposure to liability as a result of their own or their employees’ online conduct regarding social media sites.[7] By sending messages through social networking sites, employees may potentially misappropriate intellectual property or other confidential information. Additionally, employees may distribute materials, photographs or messages through these sites that could expose their employers to harassment or other charges.[8] Courts could interpret an employee’s use of a workplace computer for personal purposes, including the use of social networking sites, as being within the scope of employment. Liability could arise when “such use is reasonably expected in the modern workplace, and the possibility exists that the employer maintains control over use of the computer.”[9]

Businesses are increasingly concerned about discovery issues and obligations relating to social media. A recent survey conducted by Deloitte Forensic Center found that two-thirds of businesses worry about electronic discovery risks pertaining to social networks, and a majority of companies (58 percent) are not fully prepared to deal with those risks.[10] Furthermore, in many companies, executives lacked appropriate knowledge or awareness of the challenges of meeting electronic discovery requirements.[11]

The remainder of this paper is organized as follows. Part II examines the discoverability of data in the cloud. Data stored in the cloud will often be judged within the “possession, custody, or control” of a litigant and therefore potentially discoverable. Considerations of relevance, undue burden, and privacy, however, may affect whether courts will compel its production. Part III considers potential strategies and best practices for working with third-party providers of cloud data storage in order to anticipate potential demands of the discovery process. Part IV discusses strategies and best practices when dealing with the possibility of social media information that is not directly controlled by a company. Part V provides concluding remarks about the future of cloud-based discovery.

When Data In The Cloud Could Be Subject To Discovery

The Federal Rules of Civil Procedure recognize the essential place of electronic documents in the discovery phase of litigation.[12] Courts may consider information stored on the cloud, including private social networking information, discoverable.[13] The Federal Rules require initial disclosure to opposing parties of the location of information to be used in support of defenses or claims, under FRCP 26(a)(1)(A)(iii).[14] This could include information in the cloud. Under Rule 45 of the Federal Rules of Civil Procedure, third parties, including government agencies, may issue subpoenas for relevant data directly to the cloud provider, without providing notice to the litigant.[15] In such cases, a litigant may not even know what data is being produced, let alone be able to review that data for privilege or trade secrets before its production.

The existing framework of rules and practices relating to e-discovery do not adequately encompass discovery pertaining to social networking sites, as the technology has been outpacing the revision of existing rules and regulations.[16] Courts have indicated that information relating to social media may be relevant to litigation.[17] Courts have recognized that information contained in a person’s Facebook account, for example, could be subject to discovery in litigation and ultimately allowed for its discovery.[18] In doing so, one court acknowledged a previous decision, stating, “[t]he Court recognizes that the scope of discovery into social media sites ‘requires the application of basic discovery principles in a novel context,’ and that the challenge is to ‘define appropriately broad limits . . . on the discoverability of social communications.’”[19]

Rule 34(a)(1) requires the production of documents and electronically stored information within a party’s “possession, custody, or control.”[20] Recent court decisions have indicated that while information stored in the cloud may not be within a party’s direct “possession” or “custody,” courts will likely view it as being within a party’s “control” and hold parties responsible for producing such data. In Columbia Pictures v. Bunnell, the court required production of data, finding that the defendant had control, since the defendant had rerouted data onto third-party servers from its own servers.[21] In Tomlinson v. El Paso Corp., the court found that an employer was in control of electronic data in actual possession of a third-party provider, since the employer was required by law to maintain the records in question, and could not delegate its duties to a third party.[22] In assessing control, many courts have applied a “practical ability” test, finding litigants to be in control of data in question, regardless of legal entitlement to that data, as long as the litigant had the practical ability to obtain it.[23] Some courts have used a “practical ability” test to evaluate spoliation claims, applying the test in the context of production and preservation obligations.[24]

This willingness to allow discovery from the cloud is not limitless, however. Considerations of relevance, undue cost, and privacy will influence whether discovery of social media and data in the cloud is appropriate. In Mackelprang v. Fidelity National Title Agency of Nevada, Inc., for example, the court denied a motion to compel production of private messages sent via Myspace, stating that Fidelity’s ability to compel should be limited to messages that directly related to Mackelprang’s employment.[25] In T.V. v. Union Township Board of Education, the court granted a protective order barring the defendant from seeking discovery from the plaintiff’s social networking profiles, on the basis of privacy rights and undue burden, yet the court acknowledged the possibility of allowing later discovery if the defendant could show sufficient relevance.[26]

On a closely related issue, Rule 26(b)(2)(B)[27] limits discovery of data within the party’s possession, custody, or control, when production of that data would impose an undue burden or cost on the producing party. If it would be too difficult or expensive to produce the data in a useable form, then the cost must be balanced against the production’s relevance to the case.[28] While there is no guarantee, courts may be sympathetic to litigants facing an undue cost or burden associated with preserving or producing data in possession of third-party cloud providers. In one case, for example, while the court did find that Proctor & Gamble had a legal right to obtain data located on a third-party server, the court also found it was an undue burden, as Procter & Gamble would have either had to purchase a costly mainframe or pay the third-party $30 million to obtain that data, which had been altered due to routine updates to the database.[29] While Rule 26(b)(2)(B) may present some hope to litigants, a claim that data located in the cloud is not reasonably accessible may be met with skepticism, given the relative ease with which certain cloud providers may be able to preserve or produce data.[30]

Finally, individuals’ privacy interests are another important consideration in discovery and production of data from social media accounts. The trend in case law suggests that individuals’ private postings through social media sites will not be afforded a great deal of privacy protection by the courts.[31] In EEOC v. Simply Storage Mgmt., the court stated that while privacy concerns may play into whether a discovery request is overly burdensome or relevant, a person’s expectation of privacy, with regard to social networking profiles, is not a “legitimate basis for shielding those communications from discovery. . . . [M]erely locking a profile from public access does not prevent discovery either.”[32] In McMillen v. Hummingbird Speedway, Inc., the court concluded that sites like Facebook and Myspace could access all user posts, private or public, and that the terms of service allowed those networks to disseminate postings when deemed appropriate, thus negating the expectations that a “private” posting would actually be private or confidential.[33]

Nevertheless, courts have offered contrasting views on whether to grant employers’ discovery requests relating to employees’ password-protected emails or social media accounts accessed from work computers. In McLaren v. Microsoft Corp.,[34] for example, the court ruled that an employee did not have a reasonable expectation of privacy with regard to personal password-protected emails, since he had stored those emails on a work computer. In contrast, the court in Stengart v. Loving Care Agency, Inc. did not allow employers to access an employee’s web-based email account that had been accessed from a work computer, stating that employers should only have access to communications that had an “impact on its business or reputation.”[35] Companies should therefore be aware that a court might still be reluctant to rule against an employee’s right to privacy.

In sum, courts have not arrived at a clear-cut consensus concerning the electronic production of data relating to social media. Each case will call for a balance of benefits and risks to the discovery of documents or data relating to cloud computing, including social media. In balancing these risks and benefits, legal considerations include relevance, cost and burden, and privacy.

Strategies And Best Practices For Companies Regarding Third-Party-Contracted Cloud-Computing Services

The relationship between a company and its cloud provider can greatly impact that company’s ability to comply with discovery obligations to preserve and produce data during litigation. While some third-party cloud services providers may expressly outline obligations related to electronic discovery, others may have contracts limiting their obligations, which could cause problems for a company during litigation.[36] In situations where third parties may be in possession of data that is relevant to litigation, the primary company or individual involved in the litigation may still face electronic discovery obligations to preserve and produce that data.[37]

Litigants should be aware of heightened discovery issues pertaining to data stored in the cloud. In this section, I highlight nine key issues.

First, companies should assess the total costs and benefits of cloud computing. While the cost of storing data in the cloud may be lower, it could actually result in much higher production costs. Lower initial costs could lead to the retention of more data over a period of time, which would result in higher costs to review larger volumes of data during the discovery process. Additionally, complexities in the preservation and collection of data could further increase discovery costs.

Second, in situations where companies are contracting third-party providers for cloud computing services, it is important to consider various information management issues up front. What will the provider do to permit its clients to manage their own data? How will it comply with the different retention periods required for different record categories? Clients of cloud solutions should consider the relative difficulty they could have in meeting record retention obligations, as many cloud solutions do not include record functions. Companies should also consider whether the links between records and their metadata are adequately preserved.

Third, in selecting providers, companies must consider the third-party providers’ policies and practices with respect to routine deletion of data. Cloud providers may have servers that routinely delete or override data that a party may ultimately be responsible for preserving.[38] Companies should be aware of whether the cloud computing services include an automatic purge of data after a certain period of time, and whether the automatic purge function can be turned off entirely, or in a targeted fashion, if and when necessary for adequate retention. It may also be important to note who controls those functions, and to what extent. There may be no way for a party to preserve data and subsequently produce it when a nonparty provider has deleted it in the course of routine operations.[39] For this reason, companies should also make sure they understand the backup policies of the cloud providers, to make sure such policies are adequate.

Fourth, one should think carefully about putting anything in the cloud that one would not want a competitor or litigant to see. Once information is in the cloud, it may be difficult to control what information gets produced. This can result in the production of privileged, confidential or protected information. To minimize the risk of disclosure of a client’s data without any notice, clients of cloud service providers should also consider negotiating contract provisions obligating the providers to notify the clients, to the extent permitted by law, in the event that government agencies or other third parties directly subpoena cloud services providers for information. Such notice would provide clients with an opportunity to contest the production, if necessary.

Fifth, it may be necessary to separately retain data from high-risk personnel, such as senior management, as well as possibly finance and legal departments. While companies may be able to encrypt potentially sensitive data from these sources in the cloud, cloud providers may be compelled to disclose relevant encryption keys.

Sixth, in order to mitigate the cost and size of document productions, companies may consider avoiding using the cloud for backups of certain unique data. This will reduce the likelihood of having to extract that data from cloud providers’ backups for discovery purposes.

Seventh, some cloud services have limited ability to preserve and extract data when necessary for litigation. Companies may consider using the litigation hold features of other software as an alternative, to ensure adequate preservation of documents. Companies can elect to use a “hosted email archiving service, as well as other platforms that allow users to retrieve relevant emails, like Google Message Discover and Microsoft Office 365.[40] It should be noted that, while these programs provide a way to preserve emails, it could be more difficult for companies to preserve and pull other cloud-based documents. Companies should be aware that they may face challenges accessing versions of documents stored in cloud-based applications, like Sharepoint and GoogleApps, for discovery purposes.[41]

Eighth, in the event that data collection is necessary, companies must consider who will be responsible for the data extraction. Procedures for data extractions should be incorporated into agreements with cloud providers, to the extent feasible, so that companies can ensure adequate coverage of their future needs. Companies should also seek to ensure that they incorporate procedures for data searching into their provider agreements, and account for costs of extraction and searches of data when making the decision of what to move into the cloud. Additionally, there should be a clear understanding of how confidential, trade secret and privileged materials will be protected. If the cloud provider cannot offer its clients an adequate solution, companies may need to use third parties to handle data extractions. If third parties will be assisting, companies should ensure that there are adequate quality control and chain of custody procedures in place.

Finally, in situations where there is no contractual remedy, where the provider refuses to comply, or where the data is subject to statutory protections, it may be necessary to subpoena the providers for the data.[42] Companies should carefully document any and all attempts to preserve or produce data that is stored in the cloud, as a way to try to avoid or mitigate any court sanctions for spoliation of relevant data, in the event that third parties in possession of the data prove uncooperative.[43]

Strategies And Best Practices For Companies Regarding The Use Of Social Media Platforms

Companies may have even less control over information stored in the cloud that is outside of the realm of contracted third-party cloud services providers. Information in the cloud as a result of the use of social media platforms presents additional difficulties in managing document production and data extraction, processing, and analysis. In contrast with contracted cloud service providers, companies may have a very limited contractual relationship with providers of free social media services such as Google applications or Facebook, where the only contract between the parties is that service’s standard terms of agreement.[44]

Companies should therefore have policies set in place in order to mitigate liability with regard to an employee’s use of social media sites. Companies should also be sure to clearly notify all employees of these policies, in order to reduce potential complications surrounding the issue of employee privacy.

First, companies should consider banning any personal or objectionable use with workplace computers. Employers may also limit the use of social media on workplace computers by blocking certain sites and should have carefully crafted policies in place prohibiting the use of a company’s official email address when registering on external social media sites. Employers should limit employees from using certain trademarks or logos without prior approval, from posting business documents or other business information that has not been publicly released, and from posting information about customers or suppliers without their prior permission. Employers can also have policies in place requiring individuals who create social media sites relating to the company to include a disclaimer that the site is not an “official company site.”

Second, companies should consider making clear to employees that they will monitor an employee’s activity on any workplace or company computer and email, which can be accomplished through monitoring and time-stamping software tools. When a company has such policies in place, a court may be more likely to take the view that an employee’s expectation of privacy is diminished. For example, in In re Asia Global Crossing, Ltd., the court, in assessing an employee’s expectation of privacy, considered whether the corporation maintained a policy banning personal use, whether the company monitored the use of the employee’s computer or email, whether the employee was aware of any monitoring policies, and whether third parties had a right to access the computer or emails.[45]

In developing policies for employees, however, a company must be careful not to overstep legal boundaries. While companies may wish to limit the types of information disseminated by employees on social networking sites, companies must recognize that certain types of communications may be protected by law. For example, Section 7 of the National Labor Relations Act (the “NLRA”) restrains employers from interfering with, restraining, or coercing employees in exercising their rights to self-organize, form, join, or assist unions.[46] For example, employers may not discipline employees for continuing, in an online forum, concerted activities that began at work.[47] Employers should also be cautious about enacting or enforcing any overly broad social media policies, as they may draw the attention of the NLRB, and may violate Section 8(a)(1) of the NLRA.[48]

Conclusion

Companies increasingly face electronic discovery issues pertaining to cloud computing and social media. As cloud computing and social media grow in popularity, so will the likelihood that a company will face electronic discovery demands as a result. Companies should be aware of potential issues and responsibilities, and do whatever possible to address potential problems before they arise. Otherwise, companies may later find themselves facing expensive discovery problems or even court sanctions as a result of difficulties arising from the preservation and production of data from the cloud.


[1] Jay E. Grenig, Jeffrey S. Kinsler & Lucia Nale, Social Media, 10 Ill. Prac., Civil Discovery § 23:75 (2011).

[2] Walking the Tightrope, The Economist (Nov. 29, 2011), available at http://www.economist.com/blogs/babbage/2011/11/facebook-and-privacy.

3 David D. Cross & Emily Kuwahara, E-Discovery and Cloud Computing: Control of ESI in the Cloud, EDDE Journal, Spring 2010, at 2, available at http://www.crowell.com/documents/e-discovery-and-cloud-computing-control-of-esi-in-the-cloud.pdf).

[4] Id.

[5] Aaron Blank, Comment, On the Precipe of E-Discovery: Can Litigants Obtain Employee Social Networking Web Site Information Through Employers?, 18 CommLaw Conspectus 487, 487-88 (2010).

[6] Id. at 488.

[7] Id. at 491.

[8] Id.

[9] Id. at 492 (discussing Booker v. GTE.net LLC, 350 F.3d 515, 516-17 (6th Cir. 2003)).

[10] Social Networks Pose E-Discovery Risks, Techweb, June 17, 2010, available at 2010 WLNR 12370605.

[11] Id.

[12] See FED. R. CIV. P. 34 advisory committee's note (2006).

[13] For a specific example, see Order Regarding Plaintiffs' Motion for Protective Order Pursuant to Fed. R. Civ. P. 26(c) Regarding Subpoenas Issued to Facebook, MySpace, Inc., and Meetup.com, Ledbetter v. Wal-Mart Stores, Inc., No. 06-cv-01958-WYD-MJW, 2009 WL 1067018, at *2 (D. Colo. Apr. 21, 2009) (ruling that private social networking information is discoverable when the information is relevant).

[14] FED. R. CIV. P. 26(a)(1)(A)(iii).

[15] FED. R. CIV. P. 45.

[16] Blank, supra note 5 at 496.

[17] See, e.g., Romano v. Steelcase Inc., 2010 WL 3703242 (N.Y. Sup. Ct. Sept. 21, 2010) (granting a motion seeking data from Myspace and Facebook).

[18] Offenback v. L.M. Bowman, Inc., Slip Copy, 2011 WL 2491371, *3 (M.D.Pa. 2011), see also Barnes v. CUS Nashville, LLC, 2010 WL 2265668 (M.D. Tenn. June 3, 2010) (finding information from Facebook to be relevant to the case).

[19] Offenback, supra note 18. (quoting EEOC v. Simply Storage Mgmt., 270 F.R.D. 430, 434 (S.D.Ind. 2010)).

[20] FED. R. CIV. P. 34 (a)(1).

[21] 245 F.R.D. 443, 453 (C.D. Cal. 2007).

[22] 245 F.R.D. 474, 477 (D. Colo. 2007).

[23] See Cross & Kuwahara, supra note 3 at 3 (citing Golden Trade S.r.L. v. Lee Apparel Co., 143 F.R.D. 514, 525 (S.D.N.Y. 1992), as an example of courts applying the “practical ability” and Goodman v. Praxair Servs. Inc., 632 F. Supp. 2d 494, 516 n. 11 (D. Md. 2009), as a contrasting example of a court that rejected that test).

[24] See Cross & Kuwahara, supra note 3 at 3 (citing In re NTL, Inc. Securities Litigation, 244 F.R.D. 179, 195 (S.D.N.Y. 2007)).

[25] 2007 WL 119149, *8 (D. Nev. Jan. 9, 2007).

[26] See Evan E. North, Facebook Isn’t Your Friend Anymore: Discovery of Social Networking Websites, 58 U. Kan. L. Rev. 1279, 1293 (2010) (discussing T.V. v. Union Twp. Bd. of Educ., No. UNN-L-4479-04 (N.J. Super. Ct. June 8, 2007) (unpublished disposition)).

[27] FED. R. CIV. P. 26(b)(2)(B).

[28] Id.

[29] See Cross & Kuwahara, supra note 3 at 9 (discussing Proctor & Gamble Co. v. Haugen, 427 F.3d 727, 739 (10th Cir. 2005)).

[30] Cross & Kuwahara, supra note 3 at 12.

[31] Thomas I. Barnett & Kenneth R. Shear, The social media networks: Issues in communications disclosure and preservation, 1 Internet Law and Practice § 10:13 (2011).

[32] EEOC v. Simply Storage Mgmt., supra note 19.

[33] 2010 WL 4403285,*1-2(Pa. Com.Pl. 2010) (Trial Order).

[34] McLaren v. Microsoft Corp., No. 05-97-00824-CV, 1999 WL 339015, at *4-5 (Tex. App. May 28, 1999).

[35] Stengart v. Loving Care Agency, Inc., 973 A.2d 390, 399 (N.J. Super. Ct. App. Div. 2009).

[36] Cross & Kuwahara, supra note 3 at 2.

[37] Id. at 3.

[38] Regulatory language specifies that retention and preservation duties apply to certain social media. According to FINRA Regulatory Notice 10-06, any company that “intends to communicate, or permit its associate persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17-a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule 3110.”

[39] Cross & Kuwahara, supra note 3 at 7.

[40] Id.

[41] Id.

[42] Cross & Kuwahara, supra note 3 at 10.

[43] Id.

[44] Id. at 2-3.

[45] 322 B.R. 247, 257 (S.D. N.Y. 2005).

[46] 29 U.S.C. §157 (2000).

[47] 29 U.S.C. §158(a)(1).

[48] Id.

Published .