February 1, 2008

Instant Messages as Business Records

Instant Messages as Business Records-A Common Sense Approach to Instant Messaging and Electronic Document Retention Policies

By Cary J. Calderone, Esquire

January 7, 2008

The motivation for this article occurred few weeks ago. I was sitting in the audience of a continuing legal education seminar on patent strategies. One topic that was of interest to me was a discussion of document retention policies and electronic discovery related to patents. A panelist, a senior attorney for a very large technology company, addressed email management as it related to litigation discovery. I raised my hand for clarification and asked, “When you say email, are you including instant messages in that definition or will you discuss them separately?” One of the most well regarded and experienced patent litigators in Europe, who was sitting nearby, leaned over and whispered to me, “excellent question!” The panelist however, rolled his eyes and said quickly, “we just don’t believe IMs are business records and don’t treat them as such.” My jaw dropped. According to the most recent Federal Rules of Civil Procedure (“FRCP”), instant messages certainly can and should be considered ESI “electronically stored information.” (See, FRCP Rule 26(f).) What constitutes a “Business Record” is defined by its content as well as its form and industry business practices. Current email retention policies were developed because using email to conduct business became a standard operating procedure. Similarly, use of facsimiles to create binding legal agreements developed over time. Although IM is not yet at that level of acceptance, some industries (just talk to your friendly stockbroker) already specifically track and retain IM to remain compliant with SEC and other regulations. In fact, many email applications track or “journal” instant messages in the same manner as email and in the same in-boxes.

I approached the panelist at the lunch break. He recognized me and quickly said, “maybe I misspoke.” He claimed that his company had just set a policy to not conduct any business via IM so they would not have to worry about managing or retaining IM messages for compliance and litigation purposes. This raises an important question: Is banning or severely limiting IM usage the best way to avoid having to manage it for document retention and legal discovery purposes? I don’t think so and here’s why:

IM is becoming more prevalent in research and development, marketing, sales and customer service. In fact, there are those who would argue vehemently that IM is becoming the most important business productivity tool within corporate enterprises. Perhaps you do not believe that IM is important to your organization. Here is a quick test. Have your legal department send an email to your department heads requesting comments on whether you should just discontinue or severely limit the use of all Instant Messaging applications on your corporate network given the complexity of the document retention and potential legal issues. A General Counsel I know did just that. Within 30 minutes responses indicated the regular use of 10 different IM applications, in addition to the company provided and managed application -- and that it would be very disruptive, if not impossible to prohibit IM use. These emails responses were real eye openers. Her reply was, what if we just did not have an IM policy, and we let people use whatever they desired and just told them nothing was to be used for official business and nothing should be saved. (In essence treating IM chat sessions just like a phone call, and when you hang up from a phone conversation, there is no written record.) Not even considering that the likely response from your IT director and other employees responsible for network security would want to quit their jobs rather than try to manage security for your new “open” (read exposed to viruses and security breaches) network, there is an overriding problem that IM deletion is not under the sole control of your organization. Trying to prohibit the use of IM to avoid having to manage IM does not work in the real world. The use of 3rd party IMs through, Yahoo, AOL, and Microsoft are a potential loophole to this type of IM policy because stopping their use is incredibly difficult (think about trying to control all applications on all network computers, laptops, smartphones, and PDAs) and data and journals for these IMs can also be stored on the 3rd party servers. This data can be brought in as evidence via a 3rd party subpoena. Moreover, the other parties to the IM chat, whether a co-worker from your organization or someone outside your organization, can save the IM chat thread to their local hard drive. As one very experienced and technology adept litigator friend of mine likes to say about his cases, “If there is an IM out there, we will find it, and we will get it admitted into evidence.” (This highlights issues in my next article: the too often neglected practice of scrubbing or wiping server and local hard drives so computer forensics will not be able to easily “undelete” even properly deleted IM and other electronic data. Perhaps I should title it, “Don’t Worry About Monitoring Deleted Stuff -- The Easy Route to Losing a Lawsuit or Being Invited to Club Fed.”) Based on these issues, you will be best served by an IM policy that considers realistic corporate employee IM usage and a plan for effectively managing that policy.

So the question remains: can you implement an official IM policy where all IMs are deleted immediately and avoid any IMs from becoming a part of your business records -- In effect treating them like a phone conversation that isn’t worth the paper it isn’t written on? Possibly. But here are some of the arguments against taking this approach.

Firstly, I like to refer to IMs as “Instant Emails.” This is because if you print out an IM thread, it looks pretty much just like an email thread. You can readily identify the parties, the subject matter, and the time of the messages. Pretty good to excellent foundation for having that IM or a printout of it submitted as evidence in a legal proceeding, especially when it contains critical evidence (old trial lawyer taught me a valuable lesson for litigation, never lose sight of the forest for the trees -- Judges can really bend the rules in favor of just results.) Do you think your lawyer wants to stand in front of a judge and argue that the IM thread in question, which contains critical evidence to your legal proceeding, is not admissible because it was created and kept against corporate policy? The answer is no. And as more and more of our younger attorneys come on board experienced with IM technology, and more and more judges understand the use of IMs in the workplace, this argument to exclude IMs as evidence is going to be more and more difficult to win.

Secondly, even if the content would not be considered critical, or a smoking gun, and appears only moderately negative to your case, you now have a problem because you have made it look more important than it is. If you have submitted that your policy is to immediately delete all IMs, and a printout of an IM thread is submitted based on the fact that one of your employees or a third party thought it might be important enough to warrant saving on their hard drive, it will appear like you have a sham policy which can no longer be trusted. The evidence looks more damning because you tried to delete it, and someone saved it in spite of your efforts to keep it from the trier of fact. You have now opened the door to opposing counsel or investigators making a motion to expand the scope of discovery to examine more of your electronic data in search of material reasonably likely to lead to the discovery of admissible evidence because your electronic data disclosure cannot be trusted.

It is not hard for counsel to raise this issue. One simple deposition or interrogatory will ask if the answering party knows of anyone who perhaps saves IMs or emails that are supposed to be deleted. When, under penalty of perjury, someone answers yes, the door is nudged open, and additional discovery will likely be ordered. Your usual arguments in defense of limiting expanded discovery (i.e. it is overly burdensome and too costly) could be outweighed and defeated when to the judge it looks like you have either negligently or intentionally failed to produce requested materials that you should have. In the discovery battle, or as attorneys sometimes refer to it, the war within the war, you are now in a weakened position.

Lastly, IM technology is progressing and converging towards a single ubiquitous user interface. It will become more common that a single application will handle all your email, IM, phone chat and perhaps even video chat based on a simple click of a mouse on a tab on your computer screen. So eventually your counsel might be forced to argue, “well your honor, we agree that if this employee had been having an email thread, this information would be readily admissible and we would have needed to save and produce it to the other side, but because our employee had selected the IM chat button instead of the email button, this information is not admissible.” Good luck with that argument!

Now that you better understand why you need an IM policy, even if it is to strictly limit its usage, and can recognize the many pitfalls in implementing a sound policy, I will leave you with one last bit of free and non-legal-relationship-forming advice. It is true that IMs are more difficult to manage due to the variety of 3rd party IM applications, and the lack of management software designed to handle all the different options, but there are tools available that can help with this. The important thing to keep in mind is that in order for any good electronic document plan to be effective and provide your best protection, it must be created with attention to documentation, the people responsible for maintaining it, the technology tools you will use, and, your schedule to review and test your plan on a regular basis. Is this the best approach for managing IMs? Yes. On balance, even if the standards for your document retention plan are not specifically covered by the SEC, HIPAA, Sarbanes-Oxley or other industry-specific regulations they will still be controlled by the FRCP Rule 26(f) and general state or local discovery and evidentiary rules. These frequently include balancing tests based on standards of reasonableness. Therefore, as the technology to manage IM and the rest of your electronically stored information becomes easier, faster, cheaper, and more readily adopted, it will be less reasonable and more potentially dangerous for you not to manage it in a similar fashion. The last bit of good news is that your competitors, and potential litigation adversaries, will face this same burden.

No comments: