‘Siri®, How Much Discoverable ESI is on My Smartphone?’
'Siri®, How Much Discoverable ESI is on My Smartphone?'
As anyone who has collided with someone staring at their smartphone and not where they are walking knows (known in Yoga circles as the "downward-facing pedestrian"), mobile device usage has exploded in just a few years, becoming an integral part of how we communicate, both personally and professionally.
This sudden ubiquity of smartphones and tablets has created another rich source of ESI and another set of e-discovery opportunities and challenges. The data even gets its own acronym: mESI (which stands for "mobile Electronically Stored Information" for the acronymically challenged).
Those of you who have thumbed, pecked and swiped your way through your smartphone looking for a phone number, address or your client's children's names, you know full well the enormous volume of sensitive information stored there. It's a wonder we let them out of our sight. And when we do, many of us feel mobile separation anxiety.
This should be no surprise to anyone. A smartphone alone contains your emails, voice mail messages, call history, contact list, text messages, photos, videos, calendar, Web browsing history, passwords, search history, data stored in applications, and access to social media accounts. And that doesn't count how many times you have listened to your Lady Gaga playlist.
"As of November 2011, a staggering 71 percent of Americans own either an iPhone® or an AndroidTM based smartphone. And millions of applications are downloaded to these iPhones and smartphones everyday. The use of these devices has created a treasure trove of hidden [ESI] that most users may not even know exists-and that could be discoverable," wrote Troutman Sanders attorneys Lindsey Mann, John Hutchins and Alison Grounds in a recent post on the LexisNexis® Emerging Issues Law Community.
The Troutman Sanders attorneys point to a Wired.com report that says IBM® has become so worried about the types of data being collected on smartphones that it has disabled the ubiquitous Apple® voice-recognition "Siri" application on its networks. (Siri, does that hurt your feelings?)
"For example," Mann, Hutchins and Grounds wrote, "Siri, Apple's 'personal assistant,' collects and uses Voice Input Data, which includes audio recordings, transcripts, and related diagnostic data, to process requests and understand commands. Siri also collects and uses User Data, which includes address book contacts, labels assigned to email accounts, and names of songs and playlists in the user's collection. And iPhones aren't the only ones collecting this data. Other smartphones contain dictation features that collect and use things like audio recordings and address books."
Watch Your Apps
Information is also collected by apps, the Troutman Sanders attorneys explain. GPS apps, for example, collect and use data like the name and address of the owner, his or her friends, and even his or her bank, they warn. They also point to the increased use of digital voicemail, which sends users transcripts of their voice mail.
"These devices are likely to contain both personal and business-related information," the Troutman Sanders team wrote. "In addition to disabling certain devices or applications, companies can also limit the exposure associated with this hidden ESI by having clear use policies that address issues such as how to preserve such data if required. If text messaging or instant messaging is necessary for a business function, companies may want to consider options that give them more control over usage, storage, and retention of such data. As iPhone and other smartphone usage continues to skyrocket, companies need to be proactive in adopting policies to manage the data associated with iPhone and smartphones. Without a policy in place, companies may be unwittingly storing huge caches of potentially discoverable information that can be extremely expensive to produce."
Get to Know the IT Department
It bears repeating that attorneys and their clients can be sanctioned for failure to properly supervise discovery of electronic information. In 2004, a New York federal court imposed a new responsibility on attorneys to supervise e-discovery by communicating directly with a client's IT department (Zubulake v. UBS, (229 F.R.D. 422 [S.D. N.Y. 2004]). In other words, attorneys now have to make an effort to understand what IT people are talking about.
Zubulake, also known as Zubulake V, requires attorneys to identify and preserve clients' ESI that is relevant to litigation by placing it on hold. Until recently, this requirement focused on ESI generated by computers but is now being applied to information generated by mobile devices as well. This means attorneys must acquaint themselves with clients' document and data retention policies and systems.
"At minimum," said Lori M. Tyler, marketing director for e-discovery at LexisNexis Technology Solutions, "find out what information is stored, how, and where, and how information will be retrieved in the event of a discovery request. Educate IT contacts on the kind of information requests they can expect to receive. Collecting mobile ESI through discovery may be a relatively new responsibility, but the bottom line is, attorneys do not want to plead ignorance of the technology or these issues when they get to court."
Left to Their Own Devices
"Discovery of electronic information on mobile devices requires practical policies on the preservation, extraction, and review of ESI," Tyler adds. "The reality is these issues raise more questions than answers, so attorneys will want to stay current on risks and seek guidance from courts and organizations that analyze and advise on e-discovery."
A key concern for attorneys is clients that allow their employees to use their own mobile devices for work. It seems like a good idea because it saves the company money. And, employees often own better equipment than their employer would provide.
A 2012 survey by Dell Inc. found that employees at 87 percent of the companies polled have employees who use their own laptops, smartphones and/or tablet computers at work. Survey respondents confessed they are unable to effectively ensure these employees' compliance with company policies to protect proprietary data and intellectual property.
Smartphones Will Come and Go, But Data Is Forever
"Another troubling issue is this: what happens to an employee's personal mobile device when he or she decides to discard it for a new one? Erasing sensitive data from a device doesn't mean it's really clean," Tyler said. "Not by a long shot."
Owner of the magazine PCWorld® purchased refurbished smartphones from a variety of sources who had told the magazine that the devices' memories had been wiped clean. However, later inspection found that contact information, voicemails, and text messages belonging to the previous owners were still on some of the devices.
The problem? Many people don't realize that smartphones have at least two sources of memory-both a SIM card and the device's internal memory-and fail to properly erase the internal memory after removing the SIM card. But PCWorld, in a July 2011 article, cautioned, "Even if you do everything right, and you wipe the phone exactly according to the directions, you might want to reconsider passing the handset along."
"Until there is a easy and reasonable way to wipe a mobile device clean with 100 percent certainty, consider taking a hammer to it," Tyler suggested.
Finally, attorneys must consider their own practices when it comes to using mobile devices. According to the American Bar Association's 2012 Legal Technology Survey Report, 89 percent of attorneys reported using a smartphone for work while away from the office. Thirty-three percent said they used a tablet computer for work while out of the office.
"Fundamentally," writes consultant and eDiscovery Journal editor Greg Buckles, "the expansion of mobile device operating systems to support practically infinite apps and associated ESI is the pivot point for mobile device discovery. Relatively few civil matters currently justify collection of text messages, call logs, GPS location logs and other unique ESI from a cell phone. However, now that mobile employees are drafting/editing Microsoft® Office documents, instant messaging through multiple channels and effectively doing business online through their smartphones or tablets, how can we ignore ESI from iOS (Apple), Android and other systems?"
Ignore ESI on iPhone and Android systems? If she hasn't been disabled, Siri would likely say: "You can't. Would you like me to show you why?"
- Rethink giving away your old smartphone. Consider destroying it.
- Consider disabling certain applications.
- Establish and review data preservation policies for mobile devices.
- Educate your teams on the risks associated with mobile technology and the proper protocols for protecting data.
- Find out what information is stored and on what devices.
- Encryption, encryption, encryption.
For more information about LexisNexis products and solutions, connect with us through our corporate site.