Winning the Battle Between Social Media and Electronic Discovery

It seems all too easy to poke fun at Charlie Sheen's antics of late. And, while they serve as cautionary tales in numerous contexts, his use of social media to launch his “tiger blood”-fueled rampage against his employer may actually turn into evidence someday (likely in a breach of contract action against his former employer). His public meltdown was surely a high water mark for social media as a window into the real-time (can't look away) train wreck that is now Mr. Sheen's career. After all, he now has over three million Twitter followers, and for those who don't expressly follow his now infamous rants (“#winning”), other media outlets stand by to repost and re-tweet every scintillating proclamation.

For those who think that they'd prefer to have less Sheen in their daily diets, let's use his 15 minutes of ber-fame to examine the impact of social media on the traditionally e-mail-oriented electronic discovery process we've all come to know and love. As a starting point, it's important to recognize that social media is a delivery mechanism, but the content drives the entire downstream discovery and compliance-oriented tasks. While it's easy to say that content is king, it's still hard not to argue that things really are different with this new, highly dynamic form factor. On balance though, while the e-discovery and regulatory issues are fundamentally the same, the social media genre does genuinely pose a range of tactical and strategic discovery challenges.

Accept Reality and Plan Accordingly

For many organizations, it's easy to exhale as they've finally reined in some of the e-mail chaos during the 2000s. But this small victory in the larger information management war has been eclipsed by new challenges posed by social media. The problem isn't just that the types (Twitter, LinkedIn, Facebook, Flickr, YouTube, etc.) are increasing at a mind-numbing speed, but the volume of produced data (one billion Tweets per week) are also proliferating wildly. A recent article published under the Sedona Conference's aegis, “The Impact of the Internet and Social Media on Records and Information Management: Unexpected Bedfellows Highlight the Need for Effective Information Management ' Now More than Ever” points out:

Most commentators agree that, if social networks in the workplace are inevitable, corporations must resign themselves to the inevitable and prepare accordingly. '
To combat these risks, companies must understand the interactions between IT and legal and how they intersect in the world of Records and Information Management. Companies must also employ a cross-discipline approach to issues in order to properly address access rights, digital security, Records and Information Management policies and programs, short and long-term data storage strategies, audit processes, enforcement protocols, incident and litigation response plans, and employee education programs.

The authors correctly state: “Hard decisions need to be made, and resources committed, but an ounce of current prevention now may certainly outweigh the inevitable pound of information loss.” This “pound” is most often paid out by organizations in response to e-discovery costs, which are axiomatically linked to the amount of electronically stored information (“ESI”) a company needs to collect, process, review and produce for the matter at hand.

So, like the first stage in the grief process (denial), organizations need to accept the reality of social media, understand the implications (cost, risk, information security challenges, etc.), and start to plan accordingly. Yet, the denial seems to be ever-present. In a recent survey by the Electronic Discovery Reference Model (“EDRM”), it was shockingly noted that “[w]ritten policies for social media are non-existent,” with 85% of industry professionals admitting that “no written policies existed within their organizations regarding the preservation of data for any of the wildly popular social networking sites.”

Deploy the Right
Information-Governance Policies

Step one in this challenging task, albeit a bit Sisyphean, is to rein in the authorized/unauthorized use of social media. This likely doesn't equate to the wholesale prohibition of all social media (which would be nearly impossible to enforce). Instead, the goal should be to define what is permissible via policies and procedures, and that in turn should be used to identify expectations of reasonable corporate conduct. This effort inherently should recognize that there are legitimate business purposes (ideally with defined corporate objectives), as well as individualized usages (which nevertheless may still be supportive of company goals) of social media. In all instances, it will be important to calculate the benefits of the social media activity (increased collaboration, real-time communication, ubiquity, etc.) with the risks (lack of information control, reduced productivity, etc.).

Organizations may also consider which of their own social media forays constitute a business record and whether or not they should be proactively archiving/capturing/preserving such ESI to create a viable document trail if social media ever becomes a factor in litigation. Unfortunately, as with a number of other quickly developing paradigms, such as cloud computing, there's often a “ready, fire, aim” approach where the legal, risk and compliance ramifications aren't well thought out prior to deployment.

Social Media Use Cases Proliferate

In just the past few months, there have been numerous instances where social media has taken center stage in the e-discovery and compliance realms. Here are just a couple recent examples:

Facebook. In what's been called the Facebook firing case, the National Labor Relations Board (“NLRB”) jumped in to chastise an employer for allegedly firing an employee due to a Facebook post (where she allegedly called her boss a “mental patient”). The NLRB said that policy was in violation of the National Labor Relations Act, which gives employees the right to discuss “the terms and conditions of their employment with others.”

LinkedIn. In a recent breach of contract action, an employer claimed it had evidence of improper solicitation of its employees through the LinkedIn connections of one of the defendants.

Electronic Discovery Costs
Rise in Concert with Social Media

While “ESI is ESI” to some extent, there are tactical challenges with conducting e-discovery of social media. Using the EDRM model as a guide, the first main hurdle will be identification. In this stage, the challenge will be to identify (ideally through data maps and corporate policies) the instances of social media that are being legitimately used within an enterprise. This process is typically linked to key players, versus searching the entire data universe for specific key terms.

Once this thorny issue is confronted, the even bigger challenge involves how to manage the risk-laden preservation process. Here, the highly dynamic nature of social media stands in contrast to its e-mail counterpart, which in many ways was designed to be used in a linear, threaded format. The preservation of social media has two main challenges. The first is access, since the information may be private or semi-private. In this setting, the recent case of Romano v. Steelcase Inc. (N.Y. Sup. Ct. 2010) sheds light on some of the privacy issues:

[W]hen Plaintiff created her Facebook and MySpace accounts, she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings. ' Since Plaintiff knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy. As recently set forth by commentators regarding privacy and social networking sites, given the millions of users, “[i]n this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”

Assuming the privacy issue can be overcome, the next issue is seen during the collection phase, since it will be hard to actually preserve social media in situ because the content is dynamic and at the whim of the user and the applicable site. Aside from a few recent developments, like Facebook's “Download Your Information” feature and the library of Congress' decision to archive all Tweets since March 2006, most social media ESI is fleeting and hard to collect. The current brute force methodology is to simply take screenshots of the relevant blog, Tweet or status update. The challenge with this approach isn't necessarily with admissibility (see below), but this static modus operandi makes it nearly impossible to utilize analytical tools to search and review the social media content. Assuming the use cases and volumes continue to proliferate at current speeds, then leveraging analytical tools becomes that much more important in the effort to control costs.

Over time, enterprises will attempt to funnel users into corporate social media platforms that have governance abilities built in, particularly regarding export functionality that will permit more advanced search and analytics from downstream, purpose-built applications. But, for now, the herding cats exercise will continue as the corporate community tries to keep up with the faster-moving user base.

Admissibility Is an Open Question

Not to be forgotten, the core underpinning to a successful collection of social media content is the ESI's admissibility, since the ability to use data in court is the sine qua non for conducting the e-discovery process in the first place. In the seminal case on the admissibility topic, Lorraine v. Markel Am. Ins. Co., (2007), United States Magistrate Judge Paul W. Grimm noted that “[v]ery little has been written, however, about what is required to insure that ESI obtained during discovery is admissible into evidence at trial.” He went on to note: “This is unfortunate, because considering the significant costs associated with discovery of ESI, it makes little sense to go to all the bother and expense to get electronic information only to have it excluded from evidence or rejected from consideration during summary judgment because the proponent cannot lay a sufficient foundation to get it admitted.”

While it's difficult to quickly summarize the authentication requirements for social media, it is an important aspect that can be achieved a number of ways (pursuant to FRCP 901, which only provides illustrations). The most likely course would be to utilize the “personal knowledge” approach, which permits authentication by testimony “that a matter is what it is claimed to be.” Other approaches, such as utilizing metadata (which works well for more static ESI), will be less applicable for social media since it is more ephemeral.

Conclusion

Many have proclaimed that social media will soon render e-mail obsolete as the primary form of corporate communication. While this remains to be seen, social media is quickly elbowing its way into the e-discovery conversation and this new kid on the block needs to be taken seriously, or the unwary practitioner may unwittingly find out that his case has been dismissed because of spoliation.

It seems all too easy to poke fun at Charlie Sheen's antics of late. And, while they serve as cautionary tales in numerous contexts, his use of social media to launch his “tiger blood”-fueled rampage against his employer may actually turn into evidence someday (likely in a breach of contract action against his former employer). His public meltdown was surely a high water mark for social media as a window into the real-time (can't look away) train wreck that is now Mr. Sheen's career. After all, he now has over three million Twitter followers, and for those who don't expressly follow his now infamous rants (“#winning”), other media outlets stand by to repost and re-tweet every scintillating proclamation.

For those who think that they'd prefer to have less Sheen in their daily diets, let's use his 15 minutes of ber-fame to examine the impact of social media on the traditionally e-mail-oriented electronic discovery process we've all come to know and love. As a starting point, it's important to recognize that social media is a delivery mechanism, but the content drives the entire downstream discovery and compliance-oriented tasks. While it's easy to say that content is king, it's still hard not to argue that things really are different with this new, highly dynamic form factor. On balance though, while the e-discovery and regulatory issues are fundamentally the same, the social media genre does genuinely pose a range of tactical and strategic discovery challenges.

Accept Reality and Plan Accordingly

For many organizations, it's easy to exhale as they've finally reined in some of the e-mail chaos during the 2000s. But this small victory in the larger information management war has been eclipsed by new challenges posed by social media. The problem isn't just that the types (Twitter, LinkedIn, Facebook, Flickr, YouTube, etc.) are increasing at a mind-numbing speed, but the volume of produced data (one billion Tweets per week) are also proliferating wildly. A recent article published under the Sedona Conference's aegis, “The Impact of the Internet and Social Media on Records and Information Management: Unexpected Bedfellows Highlight the Need for Effective Information Management ' Now More than Ever” points out:

Most commentators agree that, if social networks in the workplace are inevitable, corporations must resign themselves to the inevitable and prepare accordingly. '
To combat these risks, companies must understand the interactions between IT and legal and how they intersect in the world of Records and Information Management. Companies must also employ a cross-discipline approach to issues in order to properly address access rights, digital security, Records and Information Management policies and programs, short and long-term data storage strategies, audit processes, enforcement protocols, incident and litigation response plans, and employee education programs.

The authors correctly state: “Hard decisions need to be made, and resources committed, but an ounce of current prevention now may certainly outweigh the inevitable pound of information loss.” This “pound” is most often paid out by organizations in response to e-discovery costs, which are axiomatically linked to the amount of electronically stored information (“ESI”) a company needs to collect, process, review and produce for the matter at hand.

So, like the first stage in the grief process (denial), organizations need to accept the reality of social media, understand the implications (cost, risk, information security challenges, etc.), and start to plan accordingly. Yet, the denial seems to be ever-present. In a recent survey by the Electronic Discovery Reference Model (“EDRM”), it was shockingly noted that “[w]ritten policies for social media are non-existent,” with 85% of industry professionals admitting that “no written policies existed within their organizations regarding the preservation of data for any of the wildly popular social networking sites.”

Deploy the Right
Information-Governance Policies

Step one in this challenging task, albeit a bit Sisyphean, is to rein in the authorized/unauthorized use of social media. This likely doesn't equate to the wholesale prohibition of all social media (which would be nearly impossible to enforce). Instead, the goal should be to define what is permissible via policies and procedures, and that in turn should be used to identify expectations of reasonable corporate conduct. This effort inherently should recognize that there are legitimate business purposes (ideally with defined corporate objectives), as well as individualized usages (which nevertheless may still be supportive of company goals) of social media. In all instances, it will be important to calculate the benefits of the social media activity (increased collaboration, real-time communication, ubiquity, etc.) with the risks (lack of information control, reduced productivity, etc.).

Organizations may also consider which of their own social media forays constitute a business record and whether or not they should be proactively archiving/capturing/preserving such ESI to create a viable document trail if social media ever becomes a factor in litigation. Unfortunately, as with a number of other quickly developing paradigms, such as cloud computing, there's often a “ready, fire, aim” approach where the legal, risk and compliance ramifications aren't well thought out prior to deployment.

Social Media Use Cases Proliferate

In just the past few months, there have been numerous instances where social media has taken center stage in the e-discovery and compliance realms. Here are just a couple recent examples:

Facebook. In what's been called the Facebook firing case, the National Labor Relations Board (“NLRB”) jumped in to chastise an employer for allegedly firing an employee due to a Facebook post (where she allegedly called her boss a “mental patient”). The NLRB said that policy was in violation of the National Labor Relations Act, which gives employees the right to discuss “the terms and conditions of their employment with others.”

LinkedIn. In a recent breach of contract action, an employer claimed it had evidence of improper solicitation of its employees through the LinkedIn connections of one of the defendants.

Electronic Discovery Costs
Rise in Concert with Social Media

While “ESI is ESI” to some extent, there are tactical challenges with conducting e-discovery of social media. Using the EDRM model as a guide, the first main hurdle will be identification. In this stage, the challenge will be to identify (ideally through data maps and corporate policies) the instances of social media that are being legitimately used within an enterprise. This process is typically linked to key players, versus searching the entire data universe for specific key terms.

Once this thorny issue is confronted, the even bigger challenge involves how to manage the risk-laden preservation process. Here, the highly dynamic nature of social media stands in contrast to its e-mail counterpart, which in many ways was designed to be used in a linear, threaded format. The preservation of social media has two main challenges. The first is access, since the information may be private or semi-private. In this setting, the recent case of Romano v. Steelcase Inc. (N.Y. Sup. Ct. 2010) sheds light on some of the privacy issues:

[W]hen Plaintiff created her Facebook and MySpace accounts, she consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings. ' Since Plaintiff knew that her information may become publicly available, she cannot now claim that she had a reasonable expectation of privacy. As recently set forth by commentators regarding privacy and social networking sites, given the millions of users, “[i]n this environment, privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”

Assuming the privacy issue can be overcome, the next issue is seen during the collection phase, since it will be hard to actually preserve social media in situ because the content is dynamic and at the whim of the user and the applicable site. Aside from a few recent developments, like Facebook's “Download Your Information” feature and the library of Congress' decision to archive all Tweets since March 2006, most social media ESI is fleeting and hard to collect. The current brute force methodology is to simply take screenshots of the relevant blog, Tweet or status update. The challenge with this approach isn't necessarily with admissibility (see below), but this static modus operandi makes it nearly impossible to utilize analytical tools to search and review the social media content. Assuming the use cases and volumes continue to proliferate at current speeds, then leveraging analytical tools becomes that much more important in the effort to control costs.

Over time, enterprises will attempt to funnel users into corporate social media platforms that have governance abilities built in, particularly regarding export functionality that will permit more advanced search and analytics from downstream, purpose-built applications. But, for now, the herding cats exercise will continue as the corporate community tries to keep up with the faster-moving user base.

Admissibility Is an Open Question

Not to be forgotten, the core underpinning to a successful collection of social media content is the ESI's admissibility, since the ability to use data in court is the sine qua non for conducting the e-discovery process in the first place. In the seminal case on the admissibility topic, Lorraine v. Markel Am. Ins. Co., (2007), United States Magistrate Judge Paul W. Grimm noted that “[v]ery little has been written, however, about what is required to insure that ESI obtained during discovery is admissible into evidence at trial.” He went on to note: “This is unfortunate, because considering the significant costs associated with discovery of ESI, it makes little sense to go to all the bother and expense to get electronic information only to have it excluded from evidence or rejected from consideration during summary judgment because the proponent cannot lay a sufficient foundation to get it admitted.”

While it's difficult to quickly summarize the authentication requirements for social media, it is an important aspect that can be achieved a number of ways (pursuant to FRCP 901, which only provides illustrations). The most likely course would be to utilize the “personal knowledge” approach, which permits authentication by testimony “that a matter is what it is claimed to be.” Other approaches, such as utilizing metadata (which works well for more static ESI), will be less applicable for social media since it is more ephemeral.

Conclusion

Many have proclaimed that social media will soon render e-mail obsolete as the primary form of corporate communication. While this remains to be seen, social media is quickly elbowing its way into the e-discovery conversation and this new kid on the block needs to be taken seriously, or the unwary practitioner may unwittingly find out that his case has been dismissed because of spoliation.