Thursday, March 20, 2014

Legal Risks of Instant Messaging

, Corporate Counsel

As technology advances, corporations are increasingly discovering that employee gossip has migrated from the office water cooler to instant messaging platforms. IM programs can be internal or external. They allow employees to instantly exchange ideas and observations, or to collaborate with others. Unlike real-world conversations in corporate lunchrooms or around employee cubicles, however, instant messages can be captured, preserved and ultimately displayed in the courtroom. Both in-house and outside counsel should be aware of the potential legal risks surrounding IMs, as these instantaneous chat conversations can implicate regulatory requirements and/or electronic discovery obligations during litigation.

Instant Messaging in the Workplace

IM use continues to accelerate. A 2013 survey by Informa Telecoms [PDF] concluded that users sent nearly 20 billion IMs each day, overtaking traditional SMS text messaging. As a natural consequence, IMs are penetrating the workplace at an alarming rate. According to TechNewsWorld, an online technology news publisher, “80 to 90 percent of all companies have some instant messaging in use by employees,” and 80 percent of that IM activity takes place over external programs. This trend will continue as millennials dominate the workforce and demand access to technology used in everyday life outside of work (such as IM programs), and software companies introduce robust enterprise IM systems into the marketplace.
The rising popularity of instant messaging within the workplace is not surprising because instant messaging offers enterprises a number of benefits. First, IMs are instant. Unlike email inboxes that are becoming increasingly clogged with spam or other diminishingly relevant messages, IM programs allow employees to communicate in real time without distraction. Instant messaging technology is also flexible—it connects employees virtually anywhere on any device. Finally, IMs allow collaboration among multiple individuals, while allowing each user to easily distribute files to the entire work team without the limitations of single-message email systems.

Recognizing the Risks

Despite its advantages, instant messaging can expose a corporation to significant risks that should be addressed by the governance team. First, enterprise instant messaging creates potential security soft spots for the organization. External IM programs are hosted by third parties, and can expose highly sensitive corporate data or provide a portal for malware or unauthorized users to attack the corporate network. Even worse, when IM systems are managed by third parties, the corporation cannot monitor activity, control access, enforce document retention policies or prevent employees from accidentally or deliberately disclosing confidential materials to nonemployees.
Second, counsel should recognize that IM systems generate and store information that must be preserved and produced if litigation or investigations are imminent. The Federal Rules of Civil Procedure do not distinguish between information created by IM programs and information created by traditional methods such as word processors or email.
Indeed, a number of jurisdictions have expressly required parties to produce IMs responsive to discovery requests. Saliga v. Chemtura Corp., Case No. 3:12-cv-832 (RNC) (D. Conn. Nov. 26, 2013) (compelling IMs); UPMC v. City of Pittsburgh, Civil Action No. 13-563 (W.D. Pa. Oct. 25, 2013) (“Electronically Stored Information” includes “instant messaging”). More important, courts may sanction parties that fail to preserve relevant IM conversations. See Southeastern Mechanical Services, Inc. v. Brody, 657 F. Supp. 2d 1293, 1300 (M.D. Fla. Aug. 31, 2009) (data wiping); Convolve, Inc. v. Compaq Computer Corp., 223 F.R.D. 162, 177 n.4 (S.D.N.Y. 2004). The volume and disparate nature of IMs thus present significant challenges to an organization attempting to preserve and collect documents.
Third, the informal, “water cooler” nature of IM conversations can often result in highly damaging discovery information. Employees may not appreciate that their IM conversations are being stored and that their conversations may reemerge during future litigation or investigations. Further, the instantaneous nature of IM conversations may prompt an employee to provide a more candid and less reflective observation.

Mitigating the Risks

The question remains: How can a governance team mitigate the risks inherent in instant messaging within the enterprise?
Governance teams should not “fight” instant messaging if instant messaging communications are necessary to their businesses. Instead, organizations should set up their own, internal enterprise-class IM platforms and encourage employees to switch over. A central platform allows an organization to monitor employee usage, archive information in accordance with document retention policies and control access to the system. A central platform capable of storing all employee conversations also helps minimize headaches from document collection by eliminating the need to collect conversations from each employee’s devices (i.e., mobile phones).
Corporations should also revisit their IT policies. They should consider limiting the types of documents that employees can share over instant messaging, defining boundaries on the appropriate use of its IM systems and determining the type and scope of IM monitoring that must be conducted by the organization.
Companies need to educate employees on IM use. Although education will not solve every problem, keeping employees informed about corporate policies and appropriate use of IM programs will help minimize surprises if those IM messages later emerge in depositions during litigation. Employees are more likely to be mindful of what they say during chat conversations if they know those conversations are being logged and preserved. Likewise, employees should be counseled on the importance of not using third-party IM programs at the workplace.
Finally, companies ought to revisit document retention policies. Federal Rule of Civil Procedure 37(e) provides that “[a]bsent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.” Given the number of IMs exchanged each day between employees, the organization’s retention policies should pay special attention to IMs—in the same way that modern retention policies have been transformed to address other forms of electronic documents. Likewise, should litigation become imminent, the organization’s policies need to be clear on how it will suspend routine document management protocol. Failure to do so could subject the organization to sanctions.

The Bottom Line

For most enterprises, instant messaging will become more prevalent as time passes. Although this development may alarm in-house counsel, proactive management of instant messaging can mitigate risk and enable the organization to leverage the value of that platform for the business.
Seth Northrop and Li Zhu are trial attorneys at Robins, Kaplan, Miller & Ciresi. They are part of the firm’s intellectual property litigation and global business and technology sourcing practice groups, and they focus their practices primarily on large-scale disputes involving a variety of technologies.

No comments: