Blurred Lines: Navigating Text Message Discoverability in the Era of Intermingled Data

As mobile devices continue to integrate seamlessly into our professional and personal lives, the boundaries between business and personal data have blurred significantly.  This evolution has introduced a host of legal complexities for companies, particularly in the realm of discovery.   

Government regulators, such as the Department of Justice (DOJ) and Federal Trade Commission (FTC), private plaintiffs, and courts have increasingly recognized that text messages, whether originating from company-owned devices or personal devices used for business purposes, are a key source of information in investigations and litigation.  For organizations, this trend underscores the importance of developing robust policies and practices for managing mobile device usage and preserving business-related communications.

The Legal Landscape of Text Message Discovery

Government regulators and courts will likely no longer accept at face value an organization’s representation that employees are not using their personal or company-issued devices to conduct substantive business activities.  Organizations cannot feign ignorance over their employees' mobile device usage for business purposes and do so at their own peril.  Courts and regulators are scrutinizing how organizations utilize mobile devices, including personal phones.  Text messages used for business purposes may need to be preserved and produced in litigation.  If an organization fails to preserve relevant business text messages, it could face fines and legal sanctions, including penalties or adverse inferences in court.

A few recent examples:

• In Miramontes v. Peraton, a federal court in Texas found that the employer had control over and a duty to preserve text messages on employees’ personal mobile devices because, “employees regularly conducted business on their cell phones.”

   

• In Westin v. Docusign, Inc., a federal court in California required the defendant to produce text messages from employees’ personal devices because, based on the employment agreement, the defendant had the legal right to obtain the text messages that concerned the defendant’s business.

   

• In Goldstein v. Denner, the Delaware Court of Chancery imposed sanctions on the defendants for failing to take appropriate steps to ensure the he auto-delete function was disabled on their principal head trader’s and general counsel’s personal cellphone after receiving multiple litigation hold notices, which resulted in the alleged spoliation of relevant evidence.  The court indicated that outside counsel should have reviewed the phones and given little weight to the general counsel’s representation that no one used texts because it was contrary to the company’s policy.

Challenges of Intermingled Data

One of the primary challenges in this space is the intermingling of personal and business data on mobile devices.  And employees also use their company-owned devices for personal communications and tasks.  This blending of data complicates efforts to segregate business and personal communications for preservation purposes.  In such cases, organizations may find themselves navigating privacy concerns, technical hurdles, and legal obligations to identify and preserve relevant data.  This creates a pressing need for clear policies and proactive measures to manage this gray area effectively.

The Role of Corporate Policies and Compliance Programs

To help mitigate risks, organizations can implement well-defined policies governing the acceptable use of mobile devices.  These policies should be tailored to the company’s specific risk profile and operational needs, as recommended by the DOJ.  Key considerations include:

1. Understanding the Use of Mobile Devices Across the Organization

   Organizations should understand how their employees are using mobile devices to communicate across different business functions and in the different jurisdictions in which the organization operates.  To do this, organizations could audit company-issued devices, distribute anonymous surveys, or conduct targeted interviews for the purpose of determining how employees communicate internally and externally for business purposes.  This will assist in developing an overall policy on the usage of mobile devices.
   

2. Governance of Business Communications on Personal Devices
   Organizations should establish clear guidelines around whether and how personal devices may be used for business communications.  Limiting or prohibiting the use of personal devices and certain texting applications for confidential or sensitive business matters can help reduce the risk of discoverability. 
   
3. Access and Preservation
   Policies should explicitly address the company’s ability to review business-related communications on personal devices and the steps employees must take to preserve such communications.  This includes requiring employees to use approved applications and ensuring that data retention protocols are in place.  Organizations should update their legal holds to specifically address the preservation of business messages in both personal and company-issued devices.
   
4. Employee Training
   Educating employees about the risks of using personal devices for business purposes and corporate-issued devices for personal purposesis critical.  Employees must understand that business-related communications—whether on a personal or company-owned device—may be subject to discovery in legal proceedings.  Employees should also be aware that their personal data might be collected from corporate-issued devices by the company in certain circumstances. 
5. Tailored Compliance
   A one-size-fits-all approach does not work for mobile device policies.  Organizations must assess their specific risks, operational needs, and regulatory obligations to create a compliance framework that aligns with their unique circumstances.  They should also audit and monitor compliance with their mobile device policies and take appropriate disciplinary action in response to violations.

Conclusion

In an era where personal and professional lives are increasingly intertwined, organizations must navigate the challenges of mobile device usage with care.  By implementing tailored policies, educating employees, and leveraging technology, organizations can reduce the risks associated with mobile device use and ensure compliance with discovery obligations.  Proactively addressing these challenges not only helps protect organizations in legal disputes but it can also help foster a culture of accountability and transparency.