Lessons Learned from New Technology-Assisted Review Case Law
August 17, 2016
Case Study: Information Governance
September 12, 2016

Mobile Devices Continue to Roil Information Governance Measures

One of the most troubling technological developments over the past few years is the inability of organizations to manage mobile device data. This trend is evident from increasing sanctions requests in litigation for failures to preserve mobile data to the growing number of attacks by cybercriminals on smartphones.

Smartphones and Mobile Data in Litigation

In litigation, clients and counsel often seem unable (or unwilling) to preserve and produce discoverable information from mobile devices. According to Gibson Dunn & Crutcher’s 2016 Mid-Year E-Discovery Update, the cases involving sanctions for ESI preservation shortcomings most frequently involved failures to preserve text messages and other mobile data. The NuVasive, Inc. v. Madsen Medical, Inc. case exemplifies this trend.

In NuVasive, the court held that plaintiff failed to take adequate measures to preserve relevant text messages exchanged by its employees. While plaintiff issued timely litigation holds, it neglected to properly follow up with its employees to ensure that text messages were retained. For example, relevant text messages from one phone were lost because the employee twice upgraded his phone between the time the hold was issued and the time the phone was turned in for collection. Another employee “deleted relevant text messages” from his phone before providing it to counsel. A third employee failed to follow pertinent hold instructions, resulting in the destruction of relevant information:

In January 2014, NuVasive asked Stephen Kordonowy to bring his phone to San Diego for imaging. Kordonowy brought his current phone instead of the phone [with relevant data] that he used prior to MMI’s termination. His previous phone was sitting in his desk drawer, and later, in mid-2014, Kordonowy wiped the phone clean before giving it to his son.[1]

Smartphones and Cybersecurity

 NuVasive encapsulates the challenges that smartphones and mobile data present in litigation. However, the “mobile madness” confronting clients and counsel is not restricted to legal matters. Instead, cybersecurity issues surrounding employee smartphone use are also increasing. According to a recent article published by the Wall Street Journal, users are apparently “taking fewer precautions to thwart hacking on their mobile phones.”

The WSJ article referenced a survey, which reported that smartphone users neglected to periodically update their mobile operating systems as frequently in 2015 as they did in 2014. The survey also indicated that the number of users deploying “antivirus or antimalware software” dropped ten percentage points in 2015 from 2014. Finally, only 25 percent of smartphone users intermittently changed their passwords in 2015, down from 41 percent in 2014.

All of which could herald a new era of cybertheft. Indeed, the WSJ article observed that cybercriminals are now regularly deploying malware to “to steal banking credentials from unsuspecting consumers when they log on to their bank accounts via their mobile phones.”

With cyberthieves targeting smartphones, organizations can reasonably assume that trade secrets, financial information, and other sensitive corporate data could also be subject to misappropriation. This is particularly the case for companies that have either casually enforced “bring your own device” (BYOD) programs or that exercise little oversight regarding smartphones issued under traditional “corporate owned personally enabled” (COPE) plans where the enterprise owns and issues the mobile device.

Deploying Actionable Counter Measures

Despite the challenges presented by smartphones and other mobile devices, organizations are not powerless to address these issues. They can take actionable steps to prevent or otherwise mitigate mobile device mayhem for both litigation and transactional purposes. The Gibson Dunn report suggests a few of those steps, which include the following:

  • Establishing effective mobile device use policies that encompass BYOD environments as well as COPE programs.
  • Deploying mobile device management software including so called “sandboxes” to better secure, manage, and control access to company apps and data.
  • Mandating that employees use “enterprise texting apps” that enable journaling or that otherwise back up text messages on company servers.

Enterprises can also step up audit and enforcement measures to better ensure policy observance and bolster their litigation hold processes. Any one of these steps – and certainly a combination of them – will likely do much to address the mobile device problems affecting organizations today.

 

[1] NuVasive, Inc. v. Madsen Medical, Inc., No. 13-cv-2077, 2015 WL 4479147, *2 (S.D. Cal. July 22, 2015) (emphasis added), modified in part, 2016 WL 305096, *1-2 (S.D. Cal. Feb. 1, 2016) (vacating adverse inference instruction due to the December 1, 2015 amendments to Federal Rule of Civil Procedure 37(e)).c

Philip Favro
Philip Favro
Philip Favro acts as a trusted advisor to organizations and law firms on issues surrounding discovery and information governance. Phil provides guidance on data preservation practices, litigation holds, data collection strategies, and ESI search methodologies. In addition, he offers direction to organizations on records retention policies and the need to manage dynamic sources of information found on smartphones, cloud applications, and social networks. Phil is available to serve as a special master on issues related to electronic discovery. Phil is a nationally recognized thought leader and legal scholar on issues relating to the discovery process. His articles have been published in leading industry publications and academic journals and he is frequently in demand as a speaker for eDiscovery education programs. Phil is a member of the Utah and California bars. He actively contributes to Working Group 1 of The Sedona Conference where he leads drafting teams and serves as the Steering Committee project manager. Prior to joining Driven, Phil practiced law in Northern California where he advised a variety of clients regarding business disputes and complex discovery issues. He also served as a Judge Pro Tempore for the Santa Clara County Superior Court based in Santa Clara, California.
X