This document discusses policy issues organizations face regarding access to electronic information like emails and text messages. It addresses four main issues: employee privacy, bring your own device policies, use of social media, and cloud computing. Regarding employee privacy, the document states that policies should achieve transparency by notifying employees about an employer's right to access work devices and information. For bring your own devices, it argues policies need to ensure an organization can control and access work information on personal devices. When discussing social media, the focus should be on separating business and personal use. And for cloud computing, requirements like data access and storage must be clearly defined and agreed to with cloud providers.
1. Access to e-mails, text messages and
other ESI – policy issues for
organizations
Dan Michaluk
April 16, 2003
2. Outline
• Control over and access to information -
ideal, reality and solution
• Policy issues for organizations
• Employee privacy
• Bring your own device (BYOD)
• Social media
• Cloud computing
Access to e-mails, text messages and other ESI
3. Ideal – physical separation by purpose
Mine Yours
Access to e-mails, text messages and other ESI
4. Reality – intermingling and unclear purpose
• Personal use of work systems puts personal
information side-by-side work information
• BYOD puts work information on personal devices
• Corporate use of social media may put business
information on multiple accounts in multiple forms
• Cloud computing puts your work system on a
computer with others’ work systems
Access to e-mails, text messages and other ESI
5. Solution – Use policy to achieve the ideal
• Revert to a no personal use rule
• Enforce a business tools for business rule
• Restrict social media communications and archive
everything
• Own all computers running business applications
Access to e-mails, text messages and other ESI
6. Solution – Use law/policy to gain control
• Your personal use does not preclude our access
• We have the following rights over your device
• (Simply may not be possible for information
generated through social media applications)
• Our service provider contracts must meet
requirements that ensure we control our business
information
Access to e-mails, text messages and other ESI
7. Policy issue #1 – Employee privacy
• You’re on for an employer in a harassment case. The
applicant has claimed $100,000, but you assess the
employer’s worst case exposure at about $25,000 to
$30,000. The applicant has pleaded that senior
management, including the CEO, was complicit in the
harassment. You ask your client contact to advise the CEO
that you’ll need a copy of the CEO’s e-mail container file to
do a proper review. “Huh, she says?” “Um, what if I write
you a letter?” you respond.
Access to e-mails, text messages and other ESI
8. Policy issue #1 – Employee privacy
• Q: I’m not Charter bound, does Cole matter?
• A: Yes
• REP engages Charter search protection
• Also a prerequisite to arbitral protection
• Also a prerequisite to tort production
Access to e-mails, text messages and other ESI
9. Policy issue #1 – Employee privacy
• Q: Is the REP finding distinguishable?
• A: Not really
• No indication a better policy framework would have
made a difference
• No mention of pictures of Cole’s wife or any unique
personal information
• An REP likely won’t prevail over an effective
prohibition on personal use – “reasonably expected”
Access to e-mails, text messages and other ESI
10. Policy issue #1 – Employee privacy
• Policy implications of Cole
• The Court says…
• …the expectation is low
• … it’s based on one factor alone – personal use
• … employee choice weighs against the expectation***
• This invites transparency as the prevailing policy
• Management should be able to reserve rights by putting
employees on notice
• The alternative is to recognize a right to employer-paid
confidential computing services (not plausible)
Access to e-mails, text messages and other ESI
11. Policy issue #1 – Employee privacy
• Policy implications of Cole
• The Court says…
• …the expectation is low
• … it’s based on one factor alone – personal use
• … employee choice weighs against the expectation***
• This invites transparency as the prevailing policy
• Management should be able to reserve rights by putting
employees on notice
• The alternative is to recognize a right to employer-paid
confidential computing services (not plausible)
Access to e-mails, text messages and other ESI
12. Policy issue #1 – Employee privacy
• Practically, what tactics can we use to overcome
this barrier to access?
Access to e-mails, text messages and other ESI
13. Policy issue #2 – BYOD
• Pharma One has numerous sources of potentially
relevant electronic information due to the
corporate policy of allowing employees to utilize
their own smartphones and other PDA devices for
work. There is no formal “Bring Your Own Device”
policy in place.
Access to e-mails, text messages and other ESI
14. Policy issue #2 – BYOD
• BYOD done right means
• Achieving control through technology
• Achieving control through policy
• Via these means of control
• Knowing what work information resides on the device
• Knowing what work information resides only on the
device
• Knowing how this information resides on the device
(to address security and access)
Access to e-mails, text messages and other ESI
15. Policy issue #2 – BYOD
• Thoughts on policy
• Highlighting the mutual exchange of benefits may
help enforceability
• Deal with security and access
• Create access scenarios to develop language
• Be very transparent about needs that will likely lead
to conflict
Access to e-mails, text messages and other ESI
16. Policy issue #3 – Social media
• This should not be an e-discovery (access and
control) problem for business
• Good social media governance is about
separating business use from personal use
• Good social media governance is about
controlling business social media accounts
Access to e-mails, text messages and other ESI
17. Policy issue #3 – Social media
• Good social media governance is about
separating business use from personal use
• You don’t speak for us unless we give you
permission
• If you’re not a communication pro, you’ll need to
apply for a license based on a project description
• Oh yes, include a disclaimer if there’s any risk
someone will think you’re speaking for us
Access to e-mails, text messages and other ESI
18. Policy issue #3 – Social media
• Typically, if you control the password you control
the information. But…
• Security vulnerability because many social media
applications don’t allow for administrator privileges
• Retention rules may change
• Special means of extraction may change
• Presentation of information may change
Access to e-mails, text messages and other ESI
19. Policy issue #3 – Social media
• Where we likely stand on plaintiffs claiming injury
• Photos of physical activity will often be producible
• Production of photos of joy and happiness may often
be resisted successfully
• Counsel should focus on what data objects in a
social profile are producible, not the profile itself
• Comments associated with relevant photos and
videos should arguably be produced
Access to e-mails, text messages and other ESI
20. Policy issue #4 – The cloud
• A threat to timely access to reliable information
• Providers default to low cost and not service
• Investigations and e-discovery are afterthoughts
• Specialized forensic data capture services are rare
• Logs and other forensic data can be intermingled
• Proprietary software can make interpretation hard
• Access restrictions create a chain of custody issue
• Laws of other jurisdictions may be restrictive
Access to e-mails, text messages and other ESI
21. Policy issue #4 – The cloud
• The solution is simple (in theory)
• Outsourcing process: requirements
definition, vendor selection, contracting and due
diligence
• Legal and security should insert themselves into
every step of the process
• Legal and security should be prepared to
compromise because the cloud is the cloud and
physical control is supreme
Access to e-mails, text messages and other ESI
22. Policy issue #4 – The cloud
• The solution is simple (in theory)
• Understand the system and the data it generates
• Create investigation/e-discovery scenarios
• Develop requirements
• Prioritize requirements
• Discuss requirements
• Ensure requirements can be met
Access to e-mails, text messages and other ESI
23. Policy issue #4 – The cloud
• Key questions
• In what jurisdiction(s) will the data reside?
• How is the data stored at application and system
levels?
• Can our data be extracted independently from
others’ data? What does extraction mean?
• What forensic data do we want? Will you make it
available to us? How?
Access to e-mails, text messages and other ESI
24. Policy issue #4 – The cloud
• Key questions (con’t)
• Will your employees give evidence to establish chain
of custody?
• How fast can you make all this happen?
• How much will all this cost?
Access to e-mails, text messages and other ESI
25. Access to e-mails, text messages and
other ESI – policy issues for
organizations
Dan Michaluk
April 16, 2003