In Episode 132, our CEO and Founder, Kelly Twigger discusses the increasing role of employee’s mobile devices in ediscovery and the increasing importance of including those devices in exit interviews for employees especially when a duty to preserve exists in Wegman v. U.S. Specialty Sports Ass’n, Inc., 2023 WL 8599972 (M.D. Fla. 2023).
Introduction
Good morning and welcome to this week’s Case of the Week series brought to you by eDiscovery Assistant in partnership with ACEDS. My name is Kelly Twigger. I am the CEO and founder at eDiscovery Assistant, your GPS for ediscovery knowledge and education. Thanks so much for joining me today.
We are two weeks away from the 11th Annual University of Florida eDiscovery Conference, and we have a fantastic agenda and lineup of more than 50 speakers from across government, in-house counsel at law firms, and judges joining us this year. Plus, you can also receive up to 14.5 hours of CLE for attending, so please sign up and get registered right away. You can register here.
We will also be launching our 2023 Case Law Report from eDiscovery Assistant at the conference. That will be available to attendees and for download on our website. Huge thanks to Doug Austin at eDiscovery Today for partnering with us on that report this year. I’ll be headlining the case law panel as well as giving a talk on custodian interviews at the UF Conference, so please tune in. There’ll be a ton of really useful, practical content for you to take away.
Each week on the Case of the Week I choose a recent decision in ediscovery and talk to you about the practical implications — what does it mean for YOU. This week’s decision highlights the need to ensure the capture and preservation of mobile devices from an employee upon their departure or placement on administrative leave, as we’re going to see.
Let’s dive into this week’s case.
This week’s decision comes to us from Wegman v. U.S. Specialty Sports Ass’n, Inc., which we’ll refer to as USSSA. This decision is from United States Magistrate Judge Robert Norway from the Middle District of Florida from December 12, 2023 — just about a month ago. As always, we tag each of the issues in our case law database with our proprietary issue tagging structure, and this week’s issues include failure to produce, mobile device, and scope of preservation. Judge Norway has four decisions in our database from his seat in the Middle District of Florida.
This is a very short decision. I mean, four or five paragraphs. You could read it in about ten minutes. So, we’re going to combine the facts and analysis today and really get to what are the key takeaways from this case.
We’re before the Court here on a motion to compel the defendant, Donald DeDonatis, to return property and join copying, and for fees and costs.
Facts and Analysis
DeDonatis was an employee of USSSA who was put on administrative leave and asked to return his mobile devices to USSSA for imaging and preservation. Now, the opening quote from the Court here pretty much gives away the punchline:
Few things are certain in life or litigation. But given the representations made by his counsel at the recent hearing, DeDonatis could bet dollars to donuts that he has no choice but to turn over three electronic devices in his possession that belong to The United States Specialty Sports Association, Inc.
Prior to the hearing on the motion, the Court had denied DeDonatis’ motion allowing him to create forensic copies of the devices before returning them to USSSA. The Court summarily acknowledged in this motion that both parties were aware of the duty to preserve the information on the devices and that that duty to preserve attached to those devices in question.
The Court then really looked at whether or not the devices belonged to the USSSA such that they needed to be returned, and it found that they did. The Court noted that counsel for DeDonatis conceded the ownership by USSSA at the hearing, citing to the language of the employee handbook from USSSA, which stated that “[a]ll technology provided by USSSA, including computer systems, communication networks, Association related work records and other information stored electronically, is the property of USSSA and not the employee.” That’s important because that’s language directly from the employee handbook, and part of our takeaways are the steps you’re going to need to take to make sure that you have rights to access this information. Per the Court, DeDonatis’ retention of USSSA’s property prevented USSSA from fulfilling its duty to preserve the evidence, thereby prejudicing it.
The Court also found — and this is key — that “Organizations know what their employees know” and that DeDonatis was once USSSA’s CEO. Now that he’s on administrative leave and his relationship with USSSA has soured, those devices contain evidence that the organization needed to determine what he knew, when he learned about it, what he did about it, and who was involved. DeDonatis’ failure to return USSSA’s devices frustrated the organization’s collection efforts, according to the Court, stymied its investigation into the events that formed the basis of plaintiffs’ claims, and thwarted the preparation of the organization’s defenses. All of those led to the prejudice and the need for the return of the data. The Court then required DeDonatis to return the unaltered devices within three days and not to access, copy, or tamper with any of the ESI on the devices.
Things that are not included in the facts of this decision are: 1) when DeDonatis was placed on administrative leave, and 2) how long he’s held those devices without providing them to USSSA. We know that at least there was one previous motion where DeDonatis had asked the Court to allow him to make forensic copies and to give those forensic copies to USSSA rather than the actual devices themselves and that motion was denied.
Takeaways
What are our takeaways from this very short but really important decision? I picked this one today because mobile device discovery is huge right now. It’s everywhere, we’re having discussions about possession, custody, or control. When do organizations have the ability to get data from an employee’s personal device? Does that employee use the device for work? What if they don’t use it for work? There’s so much analysis going on in this area right now that it is of vast importance for you and your clients to understand what their obligations are with regard to data on mobile devices and what steps they need to take to be able to ensure the preservation of that data when they have a duty to preserve.
As I just mentioned, employees use of mobile devices to conduct business is rampant. Covid pushed us all in that direction very quickly. But the advent of new technologies and now the prevalent need to respond instantly make the use of mobile devices very necessary for business. We’ve steered away a lot from BYOD policies where companies were providing devices and company business was to be conducted on those devices. More of what is in the market now — and it’s not exclusive, there are certainly industries that are regulated that have multiple devices — but a lot of what we see is employers that know that their employees are using their mobile devices to conduct business, and that’s going to subject them to discovery. All of that means that mobile devices are a prime source of evidence in discovery and that you need to be thinking about how to acquire and preserve evidence from them out of the gate when you’re talking about litigation.
As I read this short decision in Wegman, the immediate issue that came to mind was what data could be lost as a result of USSSA’s not reclaiming the devices from DeDonatis prior to him going on leave. We’ve seen so many examples of devices being lost, dropped in the ocean or a lake accidentally, being stolen from cars. Just about every excuse that you can think of as to why they no longer exist. If you want a good summary of some examples, you can look at the Hunters Capital, LLC v. City of Seattle case that we covered on Case of the Week in 2023. All of that case law in this area tells us that having a plan for preserving data from mobile devices is crucial.
In order to emphasize what data can be lost for failure to act quickly, I reached out to a couple of colleagues on the forensic side to confirm what I already know – that actions taken on data and on a cell phone often cannot be undone or located by an expert.
Ryan Frye, who is a forensics expert with Mode One, who have designed software for the remote collection of mobile devices, identified multiple areas of concern for consideration when a user’s device is not preserved right away. The most obvious is when it’s lost, stolen or damaged, as we just talked about.
The next is user deletion — that the user specifically deletes bubbles or entire threads of conversations. That’s important because the deletion recovery window from iOS devices is roughly 30 to 40 days for user-deleted messages. Some of that changed in the new operating systems from iOS. It’s different for Android, so you need to understand which system you’re dealing with.
The next is automatic deletion of ESI through settings, where message retention is set to automatically delete messages after 30 days or one year. Those are two options that exist aside from the default, which is forever. So if a user has specifically set their messages to roll off at a certain period of time, that will impact the ability to recover them. We actually saw that in the Hunters Capital, LLC v. City of Seattle case.
According to Ryan, without a deep dive forensic collection — which is expensive and requires an in-person process — recovering older user-deleted messages or automatically deleted messages is extremely challenging, and there’s a very low probability you’re going to get that data. Proving user deletions are also very challenging in court without the other side’s transcript of the text thread or messaging, whatever it means for that particular application. So, remember that for texts and instant messages you’ve got on the device where the message is sent from and the device the message is sent to. Sometimes if the application has a desktop app as well, you might also have information that way. So the question is, is it available from another source? It’s easier to piece that together, but it’s going to cost a lot of time and money to do so. So that’s a consideration.
Specific to iPhones, Ryan also noted that there are iCloud concerns. Many think that iCloud can be the source of truth for device collections, and the risk there includes multiple things — authority, incompleteness, and security issues. With regard to authority, if the custodian uses their personal iCloud account, the company may not have the authority to get access to those contents. That specifically usually relates to text messages. And that’s exactly what we saw in the In re Pork Antitrust Litig. case, where the court held that there was no availability for the organization to have possession, custody, or control over the text messages because of the way they had engineered their devices for employee use.
The second thing that Ryan noted is incompleteness. Depending on the configuration of the iCloud, a message may not even be included in the iCloud backup. Many companies enforce policies to not even allow phones to backup to iCloud, since it is Apple’s public cloud and they can’t control or manage that. So, relying on the iCloud backup has a lot of defects to the thought process.
The final one is security. Advanced data protection, recently released for the iPhone, means access to iCloud data by commercial products ceased to work. And if and when they catch up, it still requires the device to provide consent based on access to the decryption keys that are no longer managed by Apple. So, you’ve got another consent issue there to be able to gather information from the iCloud.
All of that came from Ryan Frye. I appreciate you weighing in there Ryan, thanks very much.
Another forensic professional that I talked to provided additional considerations and advice for both employers and employees.
First, employees utilizing company-owned devices should exercise data hygiene and segregate their personal activities and work activities on different devices. That doesn’t happen very often in what we see with mobile device discovery. This expert noted that almost every forensic examiner you meet will carry two devices, one from the company where they work where activity occurs for work and one that they own themselves where non-work activity occurs.
Next, this person noted that any use of a personal device for work may subject it to discovery, and we’ve talked about that multiple times here. The standard from the courts is whether or not relevant data exists on the device. There is, of course, the issue of possession, custody, or control, which I mentioned earlier, but the courts have been leaning towards requiring production of devices even where they are not company-issued but where there is relevant data and the company was aware that the employee was using the personal device for work.
Next, from this expert, many, many more phones are being surrendered by employees in factory reset mode. And when that happens, forensic tools are unable to recover data from a factory reset mobile device. Apple and Android devices cannot be physically imaged. An advanced logical or full file system pull is about the best that a forensic expert can do short of getting the forensic bitstream image, which is the gold standard for preservation purposes. So, essentially, we can’t do what we need to do to meet that gold standard from a forensic perspective if the phone is set to reset to factory settings. That needs to be considered in your exit interviews with employees where you either have a duty to preserve or you think there’s a potential that a duty to preserve may arise. Remember, not only are you trying to meet your own obligations to preserve, but you want to keep ESI that may be beneficial to your case.
Fourth, from this expert — cloud synchronization, collaboration, and automatic backups offer an alternative to a direct image in circumstances where the custodian refuses to cooperate. Again, we have the limitations that Ryan Frye noted from this issue. This expert notes that it takes skill — which means a lot of time and money as we’ve talked about — to reassemble the puzzle pieces, giving the access that corporate IT has to these alternative sources. It’s possible, but it’s going to be costly.
A good IT posture assumes that the employee ultimately doesn’t return all the devices that they’ve been issued. Remote working has made the offboarding process for those devices much more difficult, as this expert notes. A thoughtful offboarding process should kick in well before the final day of separation and increases the odds that data is returned to the corporation. So, get your exit process in line for your remote workers. Include mobile device data and include language that the information/device is going to be returned to you so that you can review it prior to the last day of employment for that employee.
Thanks to my colleagues for providing all of that information on why timing is crucial in preserving mobile devices. We’re going to keep an eye on the Wegman matter to see if anything untoward arises following the return of the devices.
Conclusion
That’s our Case of the Week for this week. Thanks so much for joining. We’ll be back again next week with another decision from our eDiscovery Assistant database. As always, if you have suggestions for a case to be covered on the Case of the Week, drop me a line. If you’d like to receive the Case of the Week delivered directly to your inbox via our weekly newsletter, you can sign up on our blog. If you’re interested in doing a free trial of our case law and resource database, you can sign up to get started.
Thanks so much. Have a great week.
