How we miss the quaint times when text was just a quick way to chat with buddies. Today, these fleeting missives, now integral to so many work lives, amount to a multimillion-dollar corporate risk. Organizations sit largely unprepared while text messages replace e-mail as the digital smoking gun.
More on CIO.com
You know how it goes: On mobile devices, employees peck out details of their private lives, remarks about colleagues and, inadvertently or not, confidential business information. Things people would never say out loud or in memos fly around in text, often memorialized in digital archives that you don't control. It's juice for a legal adversary.
Text messages about employee firings and extramarital sex recently brought down Detroit Mayor Kwame Kilpatrick and his chief of staff, Christine Beatty.
Last year, three police officers sued the city and the mayor for wrongful termination, claiming they were whistle-blowers who had been retaliated against for discussing possible misconduct in Kilpatrick's administration. During the case, Beatty testified that one officer, Gary Brown, "was not fired." But text messages subpoenaed from SkyTel, which provides pagers to the city, said otherwise.
"I'm sorry that we are going through this mess because of a decision that we made to fire Gary Brown," read one of Beatty's texts to Kilpatrick, with whom, as other messages revealed, she was having an affair.
The officers won the case and $8 million. The city executives lost their jobs; Beatty resigned in January and Kilpatrick in September. In October, Kilpatrick was sentenced to four months' jail time.
Corporations are just as vulnerable. When all 100 of the Fortune 100 are involved in legal proceedings, you know you probably can't avoid e-discovery at some point in your career. And when your company gets hit with a lawsuit, you'll likely have to retrieve and reveal employee text messages relevant to the case, along with other newer forms of communication, such as instant messages and the words, pictures and video from social networking sites, blogs and wikis. But the way some CIOs are managing these technologies—sometimes by not managing them at all—makes that task harder and more expensive than it should be, says Alan Brill, senior managing director at Kroll Ontrack, where he founded the computer forensics and computer security functions.
CIOs dealing with e-discovery in a Web 2.0 world must learn new ways to limit the cost, business disruption, legal liability and potential public embarrassment from what employees say and where they say it. You have to plan for how you will collect data when you don't control it, whether it be text messages stored on the servers of your wireless provider or data in hosted applications from a software-as-a-service vendor. Even systems you may control contain information that may not be managed at present: unified communications systems that combine messaging, voice and video must also be brought into your record-keeping process.
So far, to his knowledge, no major corporate lawsuits involving evidence from social networking sites have emerged, notes Kroll's Brill. However, as in the case against the Detroit mayor, text messages are showing up in court, and these cases give us a taste of what's coming in e-discovery. "I worry about the CIOs," he says, "who don't even recognize the danger."
Think of the legal implications of, say, a Twitter post like this, from a proud employee: "To you naysayers, our disc brakes are fine. I'm an engineer on that product. We test to 5x tolerance on the label, so you can be rougher on them than you think. Don't worry." You've got potential product liability in 140 characters, warns Tom Mighell, a lawyer and senior manager at Fios, an electronic discovery consulting firm.
Rules? What Rules?
Since the late 1990s, arguments about whether and how electronic evidence should be produced have regularly bogged down civil lawsuits and IT departments alike. Broad discovery demands for, say, five years' worth of e-mail for dozens of employees somehow related to a given case are common. Along the way, parties protest what they see as undue burden and the multiple millions of dollars it can cost to retrieve electronic information. Again and again, judges find they must appoint special magistrates to preside over discovery fights before the meat of the case is tried.
The way one employee discrimination suit, against investment bank WestLB, played out, the parties spent almost three years fighting about the production of text messages and e-mail and just four months on the facts of the case. The suit, filed in 2004, concluded this summer—though not before the CIO was deposed by hostile attorneys. The plaintiff got many of the archived messages she demanded. She also got a favorable verdict and $1.9 million. Some companies are still winging e-discovery, even two years after amendments were made to address the process in the Federal Rules of Civil Procedure, which are the standards for trying civil lawsuits.
The rules call for the parties in a suit to meet early in the proceedings to disclose the kinds of electronic records available, whether they are "reasonably accessible" and in what time frame. The parties must create a discovery plan for electronically stored information of all sorts, including databases, e-mail, spreadsheets, data published on the Web, as well as text and instant messages.
But when a lawsuit hits, some organizations struggle to answer such questions. Of 60 in-house corporate attorneys surveyed by Océ Business Services, a document management company, just four said their organization is "well prepared" to comply with a discovery request involving both paper and electronic information. Twenty-five of the 60 haven't implemented an internal e-discovery process. Why? "Too risky," "too expensive" and "takes too much time away from case- and business-related matters," respondents said.
Preparing for discovery is time-consuming and it does cost money. But going into court unprepared is more costly, according to the Institute for the Advancement of the American Legal System, a think tank of judges and lawyers.
Some legitimate cases make no financial sense to pursue if you must pay lawyers hundreds of dollars per hour to argue about whether and how to produce data, then pay outside consultants hundreds of thousands of dollars on top of that to get the data in shape for court, said James Bredar, a magistrate judge for the U.S. District Court in Maryland, in the institute's recent report urging e-discovery reform. "The just resolution of a dispute has little value to a party if bankruptcy was the price of its achievement," he said.
Even as e-discovery continues to vex, the pace of technology change compounds the issues.
Smoking Gun Versus Private Thought
This year, more than 600 billion wireless text messages will zip through the air worldwide, according to CTIA, an association of wireless technology providers. That's a 10-fold increase from 2005's 57 billion.
Instant messaging, meanwhile, seeps into companies unsanctioned and unpoliced by IT. Social-media technology, too, presents trouble. Facebook, LinkedIn and MySpace, for example, encourage their combined 280 million members to broadcast what they're doing and boy, do they—from work and home, from hotels on public computers, from trains and planes on cell phones. Users of these technologies move fluidly online between the personal and the professional, says Fios's Mighell.
So far, the way text messages are handled in court varies by district and judge. In Michigan, for example, the messages of a city official on a city-issued device are public record, as Detroit's ex-mayor now knows. But in June, judges in a California case concluded the opposite. They found that messages on a city-issued device are protected from an employer, at least when senior managers fail to enforce consistently their own governance policy.
In the 2006 case, police officers in Ontario, Calif., sued the city's pager provider, Arch Wireless, for violating their privacy by giving their bosses transcripts of their sometimes sexually-explicit chat, conducted on pagers provided by the city. Arch argued that the police department's computer usage, Internet and e-mail policy allows for the monitoring of users' content.
But police department officials didn't regularly monitor pager texts, according to testimony, and officers developed a "reasonable expectation of privacy," the court concluded. Unlike SkyTel in Michigan, Arch in California was wrong to provide the messages. CIOs looking for firm rules across regions about text as evidence are out of luck, says Nolan Goldberg, an intellectual property attorney at Proskauer Rose.
"There's general guidance, but not much case law," Goldberg notes.
Avoidance Won't Work
A CIO's smartest move then, says Kroll's Brill, is to work closely with company lawyers to set and manage employee expectations of privacy. For example, when you install a new technology, amend your existing policy to address it specifically, he advises, even if it is simply by adding the words "text and instant messaging" to the existing passage about e-mail. (See: "Managing the Social Networking Data Sieve")
Next—and don't get lazy about this—maintain a regular schedule of monitoring and keep records to prove you're consistent, he says. "Don't have a de facto policy. Have an affirmative policy," he says. Otherwise, the policy is open to interpretation and you may not get a judge who sees it your way.
From a technology perspective, companies should be ready to produce old text messages and IMs as soon as legal proceedings begin, says Steve Wharton, vice president of infrastructure at Dean Foods, a $12 billion dairy company.
A lawsuit, an inquiry from the U.S. Department of Justice or an audit by a regulatory body such as the Securities and Exchange Commission usually has a deadline attached, Wharton notes. Blowing it can result in fines, as well as ticking off the judge or investigator. He and CIO Art Fino watch discovery issues closely because, he says, as the biggest milk producer in the United States, Dean Foods receives two or three requests for information each year from the DoJ, which monitors dairy industry competition. "We're organized, yet it's quite a fire drill for 30 to 60 days," Wharton says.
While those inquiries are active, the company must retain all pertinent electronic data and retrieve, sort and search it to respond to DoJ requests. For IM and e-mail, Dean Foods is evaluating several outsourced archiving vendors, including AT&T, Google's Postini service, IBM and USA.net. They store messages by user for a yearly fee, but don't offer sorting and searching for e-discovery. Dean Foods will farm that out to another company when needed. Fino and Wharton haven't addressed wireless text messages yet, but considerations include how much it will cost to have telecommunications vendors or a storage service company archive the messages in a way that's searchable later.
"We've got a pretty good strategy for IM, and mobile will follow," Wharton says. At building materials manufacturer Owens Corning, the technology department wouldn't sanction IM until this year, waiting for better archiving controls and tools for keyword searches, says David Johns, CIO of the $5 billion company. "We have our [desktop software] image locked down pretty well, so it was difficult if not impossible to have employees bringing in their own" applications, Johns says. Owens Corning deployed IM in "a small pilot" this year, he adds, to study how it's used and whether IT can control it well enough. Johns says he's satisfied and will consider rolling out IM more widely during the next several months.
Johns is cautious, having lived e-discovery for his 14 years at Owens Corning as the company has navigated at least 2,141 asbestos lawsuits that led it to Chapter 11 bankruptcy protection in 2000. The company emerged in 2006.
Owens Corning has started its share of lawsuits, too, suing test laboratories for providing what it said in financial documents is "questionable medical evidence" in 40,000 individual asbestos cases. The company also sued tobacco firms in an attempt to get them to cover some of the $10.2 billion owed in damages to asbestos plaintiffs with lung damage.
A CIO must protect the company with policy and technology long before he's called upon to turn over data for a lawsuit, as a matter of best practice, Johns says. He also has outlawed .pst files, which are personal storage tables that users of Microsoft applications can create to, for example, remove data from their mailboxes and out of the sites of any automated deletion programs IT might run. He limits mailbox sizes to 100MB. "With us going through some of the legal challenges we had in the past, that's part of the reason we run things the way we do. It is more straightforward to manage."
Goldberg, the intellectual property attorney at Proskauer Rose, knows of companies that have let IM and other communications technologies creep into corporate use without a formal policy. Other companies don't archive IM consistently, leaving it up the users to turn on or off that feature at their desktops, he says.
Those are common situations that can lead to coming unprepared to court and risking fines or sanctions. "You have to know where this stuff is and how to retrieve and preserve from the system before a lawsuit arises," he says. "It's too late to figure it out under the heat of litigation."
My Data, Pretty Please?
But that's just it. Locating and getting your own data isn't as simple as it used to be. Some of the familiar techniques for making regular e-mail discovery-ready don't translate. With e-mail, for example, you can set servers to archive a snapshot of all employee accounts on a given day, at a given time, and save it for X-number of days. E-mail administrators can then move a designated snapshot to backup tapes and delete the rest. You can't do that with text messages because your wireless provider controls that data, not you. CIOs have to understand the vendor's retention and deletion policy and negotiate something different, if necessary.
Putting data in the hands of third parties this way adds a layer of complexity and expense to discovery that e-mail evidence doesn't usually entail. There are only two ways you can get that data back: ask for it or subpoena it. Which way it goes depends on what your contract says.
It's a best practice for a contract to specify which company controls the data, regardless of who stores it, Goldberg says. Ideally, the third party will comply with your data retention and destruction schedules, but that's something you must negotiate and, depending on how complex the rules are, pay extra to get. An individual text message is small. But a few thousand employees traveling with BlackBerrys can produce heavy and expensive volumes. "Do some cost shopping," he advises.
Prohibiting a particular Web 2.0 technology may not work because people will find a way to use it anyway, says Michael Harnish, chief technology officer of Fios and former CIO at the law firm Dickinson Wright.
"Experience has taught us that if there's an expedient way to further business, it will be done," he says, "whether it's condoned or not condoned."
With texting, Harnish says, if you equip employees with cell phones that block data, they will use their own. With IM, if you close the software ports used by AOL's AIM and Microsoft's MSN Web Messenger, employees can try Google Talk, Meebo, Skype, Yahoo Messenger and a list of other services. Or they might simply conduct company business on personal accounts. Sarah Palin did it. The Alaska governor and Republican candidate for vice president conducted state business on a personal Yahoo Mail account and is being sued by a political activist to reveal 1,100 messages withheld in a public records request.
Harnish says the key lesson for CIOs who pay attention to how text messages are fairing in the courts is this: Don't pretend employees aren't using text for business or in ways that could harm the business. Learn what employees are doing and get ahead of them, he says. Write a policy and train them on the practices and methods acceptable.
That awareness is critical, he says. When litigation starts, you'll have a much more detailed picture of the ground you'll have to cover to comply with e-discovery requests, saving time and money.
Fino, the CIO at Dean Foods, cautions fellow CIOs: "If we were thinking that the urgency of discovery would go away, we were mistaken. This will be the norm for a good, long time."