Bailey Kay is a co-author of this article.

The world of workforce communication looks vastly different from 2020, including an increased blur between personal and business communications due to remote work environments and access to instant messaging and collaboration-based tools (e.g., Teams, Slack, Google Chat). Outside of corporate-owned and controlled communication methods, employees may use third-party messaging applications (e.g., SMS/MMS, iMessage, WhatsApp, Signal), which employers and employees often see as personal, not business related. While these tools and applications have tangible benefits, they create new risks, particularly in forensic investigations and eDiscovery.

In today’s business environment, we must consider these as standard communication methods by individuals and organizations across various sectors. People often use these methods of communication for professional purposes, even if it isn’t their company’s policy to do so. For example, a client may prefer to send messages via WhatsApp, which typically is out of the company’s control, and the only location where those messages would exist is on the two participants’ mobile devices.

What does this mean for eDiscovery? Previously, organizations typically relied on collecting only company-related emails. The universe of potentially relevant sources has expanded considerably. Additionally, access to those data sources can be challenging, given issues with encryption and built-in privacy protocols. The volume of data created alone broadly changes the scope of eDiscovery and investigations.

Here are six practical tips to help manage your company’s messaging protocols:

1. Discovery Requests.

When responding to a discovery request, provide custodial questionnaires that ask if the respondent used any messaging platforms for business communications, and if so, which ones. It’s also important to ask if the respondent stores documents in a cloud-based platform (e.g., Teams, Google Drive). Generally, it’s beneficial to provide questions assessing whether locations outside of the company’s control may have to be handled separately from the typical data collection processes put in place. Depending on the complexity of the data, it may make sense to hire an independent, third-party expert to assist with the collection efforts.

2. Break Down Silos.

Coordination between different departments is critical to fully understanding a company’s data landscape. For example, the technology function can provide background and knowledge about where the data lives and how to export it. Compliance can assist in identifying regulatory requirements and provide an understanding of data retention policies. HR can help work with legal departments and individual custodians to identify relevant data. By providing a 360-degree look at the business, organizations can be better prepared to meet their obligations and mitigate the risk of missing a critical component.

3. Documentation.

Keep an up-to-date inventory of data retention systems/platforms to help the organization respond to data requests quickly and efficiently. These requests often are under short deadlines, and understanding where data lives accelerates the process of locating and producing data in a timely fashion. Documentation on such platforms and systems should be easily accessible by all parties who need access.

4. Communication and Training.

Regularly communicate policies surrounding acceptable use of communication platforms. It is not enough to dust off the policy when something goes awry; organizations today must stay one step ahead. Often, employees using applications such as WhatsApp, iMessage, or basic SMS are not aware they may be non-compliant with company Acceptable Use Policies (AUP). Regular training on appropriate usage of communications channels can help inform and reinforce best practices and keep key internal stakeholders up to speed on changes in company or regulatory policy.

5. Annual Communications Policy Reviews.

Annual communications policy reviews allow organizations to ensure any changes in application usage (e.g., introducing Slack as a messaging platform) are reflected and identify blind spots that may have emerged over time. Policy reviews also ensure regulatory changes, e.g., data retention requirements, are properly evaluated and documented. Besides annual reviews, organizations should regularly keep their finger on the pulse of change and update in real time.

6. Personal Data Privacy.

Collecting data from personal devices used for business purposes generates discomfort for some custodians. Utilize third parties to ensure data is properly reviewed with privacy considerations in mind. For example, a third-party consultant can perform keyword and/or contact searches across the population of data post-collection and pre-production to individual counsel. Doing so focuses the review on relevant material, both reducing review time and eliminating potential personal data.

New communication methods stemming from changes over the last three years have certainly afforded clear benefits, but with new technologies come new considerations in the forensic investigation and eDiscovery worlds. Understanding where data lives is paramount to thoroughly responding to requests for information and ensuring all relevant data is captured at the outset. Doing so can help avoid headaches related to costs, tight timeframes, and incomplete data sets.

About the Authors

Daniel Fuller

Daniel Fuller, a Managing Director at StoneTurn, brings more than sixteen years of experience to the Forensic Technology practice, assisting attorneys and corporate clients with all aspects of digital forensics […]
