Industry surveys make it clear that the vast majority of businesses now allow the use of personal mobile devices, otherwise known as the Bring Your Own Device (BYOD) policy. Have your policies and business practices kept up with the flood of smart devices penetrating your firewall? Apple appears to have started this trend in 2007 when executives insisted on using their iPhones for corporate email. Alternatively, employees at corporations with heavy BlackBerry investments or regulatory monitoring requirements now routinely carry two mobile devices, actually expanding the potential sources of ESI. The ongoing eDJ Mobile Device Discovery Survey indicates that 60% of respondents have had to preserve or collect ESI from a custodian’s mobile device. When you dig into the details it becomes apparent that requests for ESI from smartphones and tablets are still the exception rather than the rule in civil discovery.
Mobile Device Discovery – Corporate and Law Firm Divided
We heard very different perspectives on mobile device discovery from our corporate vs. law firm peer group sessions. Both corporate and law firm practitioners agreed that mobile devices are a potential ESI source. However, the eDJ corporate working group was focused on upstream device management strategies and policies. In contrast, the law firm working group relied on custodian interviews to essentially exclude smartphones from collection based on relevance and redundant network sources. Our ongoing survey showed that while 60% of respondents have preserved or collected from mobile devices, only 12% indicated that mobile devices were a common civil discovery request. A much larger 45% said that mobile devices were only requested in special matters or custodians. One interpretation is that corporate counsel are focused on preservation risks while outside counsel are more concerned with downstream review and production. Surprisingly, proactive corporations with a heavy litigation profile seem to have accepted the need to preserve and manage mobile devices for discovery while even eDiscovery savvy outside counsel wished that they would just go away. Maybe this is because extraction and processing these devices has been limited to forensic specialists until recently.
Mobile Devices – Required for Agile Business
Again, Apple’s latest toy seems to be upsetting the discovery status quo as iPads trickle down from board rooms to the cube farms. Apple’s COO indicated that 65% of Fortune 100 corporations have either deployed iPads or are piloting iPad projects. The same Cylab report indicated that 63% of devices on corporate networks are also used for personal activities. This comingling of personal and business content raises the stakes for discovery issues, especially for global corporations with employees in Europe that are subject to data privacy laws. The recent updates to the EU Data Protection Regulation have upped the stakes for high revenue public companies that do global business. The maximum fine for ‘privacy violations’ (which can include U.S. style discovery) was raised to 2% of annual revenue for companies with over €50 million in revenue. This puts real teeth into the UK Data Protection Act and other EU data privacy laws when it comes to global corporations with a significant litigation profile. Moreover, 73.5% of survey respondents were familiar with the BP criminal charges regarding deletion of text messages and it raised concerns over mobile device discovery in 44.9% of respondents. Real corporate decision makers are becoming increasingly mobile as they convert from desktops to laptops or even tablets/netbooks. The shift from corporate IT infrastructure to outsourced cloud services and storage has accelerated this trend. As corporate ESI is increasingly accessible from hardware agnostic web browsers, the need for dedicated user computing hardware will plummet. IT will be able to shift back to user support and meeting business requirements instead of wrestling with large data centers or constantly upgrading thousands of user desktops. But this trend threatens retention, legal, discovery and compliance requirements unless those groups are thoroughly integrated into the IT road map process. Mobile devices introduce entirely new types and formats of ESI with unique preservation and collection challenges.
Mobile Device ESI – the New Frontier
The expansion of mobile device operating systems to support practically infinite Apps and store associated ESI was the pivot point for mobile device discovery. Relatively few civil discovery requests currently mandate or justify the collection of text messages, call logs, GPS location logs and other unique ESI from a cell phone. However, now that mobile employees are drafting/editing Office documents, instant messaging through multiple channels and effectively doing business online through their smartphones or tablets, how can we ignore ESI from iOS (Apple), Android and other systems? The eDiscovery market has just begun to see specialized preservation/collection offerings that tackle social media and other web content like X1 Discovery and Nextpoint. Now our dominant forensic players, AccessData and Guidance, are trying to make mobile device discovery more practical for the corporate eDiscovery market. Law enforcement and regulators have long since realized that mobile devices can be the only place to reconstruct a day in the life of key suspects or victims. That is why there are over 20 providers of forensic extraction tools specifically for mobile devices. However, the complexity and effort required for criminal forensic extractions can be intimidating to most corporate IT or litigation departments. At this time, mobile device discovery still involves a manual extraction process of attaching the devices to either a tablet-style kit or a laptop with special software. We need to see integrated solutions that combine forensic extraction functionality with mobile device management capabilities such as offered by Mobile Iron to make mobile device discovery a mature eDiscovery process.
So what can you do while we wait for these integrated solutions to appear on the market? Your first step is to review IT usage policies and business practices around mobile devices. Even if it is not a pretty story, you need to know what (if any) guidelines govern BYOD devices, apps, connected cloud systems and how real custodians are actually using their iPhones and Androids. Set the baseline and then look at your active legal hold language and practices. Have you named mobile devices as something to preserve? If so, have you given users a practical way to comply with their obligations? Most importantly, do your current discovery requests specify mobile devices explicitly or implicitly? If you have answered yes to any of these, then you may need to take steps to actively preserve or collect mobile content. Even if the tide of mobile device discovery has not reached your corporate shore, now is the time to prepare for it. Make sure that your IT department understands the potential impact of new ESI sources. Establish a team of stakeholders who can review proposed policy and IT initiatives before they happen. Get executive backing to put funding or teeth into preservation and compliance efforts. Take advantage of this early adoption period to define your usage and retention policies around these new ESI sources. Minimize the creation of records and unique content where preservation and collection efforts are problematic or weak. The federal criminal charges in the BP investigations are a warning shot across the bows of corporate eDiscovery tankers that can be leveraged for better information governance practices, but only if you are watching the trends and thinking ahead.
About Greg Buckles:
Greg Buckles is the co-founder and CTO for the eDJ Group. He is one of a new breed of working analysts providing strategic consulting while researching the rapidly evolving eDiscovery technology market. With over 22 years in discovery and consulting, Greg’s career roles span law enforcement, legal service provider, corporate legal, law firm and legal software development. This deep and diverse background combines with exposure to the discovery challenges of Fortune 500 clients to provide a unique industry perspective. He also provides market and product analyst services to top tier software and venture capital companies.