One of the most troubling technological developments over the past few years is the inability of organizations to manage mobile device data. This trend is evident from increasing sanctions requests in litigation for failures to preserve mobile data to the growing number of attacks by cybercriminals on smartphones.
Smartphones and Mobile Data in Litigation
In litigation, clients and counsel often seem unable (or unwilling) to preserve and produce discoverable information from mobile devices. According to Gibson Dunn & Crutcher’s 2016 Mid-Year E-Discovery Update, the cases involving sanctions for ESI preservation shortcomings most frequently involved failures to preserve text messages and other mobile data. The NuVasive, Inc. v. Madsen Medical, Inc. case exemplifies this trend.
In NuVasive, the court held that plaintiff failed to take adequate measures to preserve relevant text messages exchanged by its employees. While plaintiff issued timely litigation holds, it neglected to properly follow up with its employees to ensure that text messages were retained. For example, relevant text messages from one phone were lost because the employee twice upgraded his phone between the time the hold was issued and the time the phone was turned in for collection. Another employee “deleted relevant text messages” from his phone before providing it to counsel. A third employee failed to follow pertinent hold instructions, resulting in the destruction of relevant information:
In January 2014, NuVasive asked Stephen Kordonowy to bring his phone to San Diego for imaging. Kordonowy brought his current phone instead of the phone [with relevant data] that he used prior to MMI’s termination. His previous phone was sitting in his desk drawer, and later, in mid-2014, Kordonowy wiped the phone clean before giving it to his son.
Smartphones and Cybersecurity
NuVasive encapsulates the challenges that smartphones and mobile data present in litigation. However, the “mobile madness” confronting clients and counsel is not restricted to legal matters. Instead, cybersecurity issues surrounding employee smartphone use are also increasing. According to a recent article published by the Wall Street Journal, users are apparently “taking fewer precautions to thwart hacking on their mobile phones.”
The WSJ article referenced a survey, which reported that smartphone users neglected to periodically update their mobile operating systems as frequently in 2015 as they did in 2014. The survey also indicated that the number of users deploying “antivirus or antimalware software” dropped ten percentage points in 2015 from 2014. Finally, only 25 percent of smartphone users intermittently changed their passwords in 2015, down from 41 percent in 2014.
All of which could herald a new era of cybertheft. Indeed, the WSJ article observed that cybercriminals are now regularly deploying malware to “to steal banking credentials from unsuspecting consumers when they log on to their bank accounts via their mobile phones.”
With cyberthieves targeting smartphones, organizations can reasonably assume that trade secrets, financial information, and other sensitive corporate data could also be subject to misappropriation. This is particularly the case for companies that have either casually enforced “bring your own device” (BYOD) programs or that exercise little oversight regarding smartphones issued under traditional “corporate owned personally enabled” (COPE) plans where the enterprise owns and issues the mobile device.
Deploying Actionable Counter Measures
Despite the challenges presented by smartphones and other mobile devices, organizations are not powerless to address these issues. They can take actionable steps to prevent or otherwise mitigate mobile device mayhem for both litigation and transactional purposes. The Gibson Dunn report suggests a few of those steps, which include the following:
Enterprises can also step up audit and enforcement measures to better ensure policy observance and bolster their litigation hold processes. Any one of these steps – and certainly a combination of them – will likely do much to address the mobile device problems affecting organizations today.
 NuVasive, Inc. v. Madsen Medical, Inc., No. 13-cv-2077, 2015 WL 4479147, *2 (S.D. Cal. July 22, 2015) (emphasis added), modified in part, 2016 WL 305096, *1-2 (S.D. Cal. Feb. 1, 2016) (vacating adverse inference instruction due to the December 1, 2015 amendments to Federal Rule of Civil Procedure 37(e)).c