The ways that businesses communicate have changed a great deal over the past twenty years. In the good ol’ days, most communicative dealings happened in a prestigious boardroom or over the phone, with no record of exactly what transpired other than a signed contract. Most negotiations were either captured in the form of hand written notes or not at all.  If a lawsuit transpired over a deal gone wrong, each party would go through their two or three bankers’ boxes of notes and other documents, make photocopies, and turn over what was relevant for the suit.  

Today, business works at a fast pace and on a global scale. Meeting in a boardroom is no longer practical with participants located in numerous countries. Business transactions are no longer limited to being negotiated in-person, over the phone, or even conducted by email. Parties can negotiate terms and agreed to them by text message, social media outlets, chat application (video and text), and even through exchanging instant messages. Using these different communication mediums can create a massive volume of data that may live outside the corporate IT environment on personal devices. So, what should be done when a deal goes wrong?

While the trend of conducting business outside of the corporate environment makes closing a deal easier, it makes the task of preserving data much more difficult. Businesses that allow transactions to be communicated via personal devices no longer have actual possession of the data, as they did with the bankers boxes. However, courts have all agreed that although potentially relevant data may not be in the physical possession of the organization, it is still in their control and must be preserved.

What Data is Under an Organization’s Control Even if Not Actually Possessed?

1. BYOD Data

   Implementing “Bring Your Own Device” (BYOD) programs allows employees to conduct business on their personal devices. Many organizations have these policies in place to save money. BYOD policies allow a business to not supply employees with expensive mobile devices, but still permit employees to conduct negotiations over text message, chat applications and other functions found on a mobile device.

   The courts have concluded that if there is a litigation, possession is not necessarily nine-tenths of the law. Although an organization may not literally possess the data, so long as there is a legal right to access data on an employee’s personal device, an organization effectively has possession of the data. The legal right to access data is established through a company policy or other written instrument that the employee signs. Therefore, if there is an obligation to preserve data, organizations must capture all data, even data that is outside its actual possession and control, or risk of sanctions.

2. Independent Contractors

   Many organizations hire independent contractors to work on projects. Although not technically employees, contractors may have the ability negotiate with other parties on behalf of the organizations. What happens when a contractor-negotiated deal goes wrong? While contractors are not considered employees and do not have access to the corporate infrastructure, courts have concluded that organizations are responsible for preserving relevant information produced and stored by independent contractors. If electronic data is requested in a lawsuit which an independent contractor holds (such as text messages, emails, or social media exchanges), an organization will be responsible for furnishing that data, even if the independent contractor is not a named party to the lawsuit or if the business relationship terminated (Ronnie Van Zant, Inc. v. Pyle, 2017 WL 3721777 (S.D.N.Y. Aug. 23, 2017)). To make this process easier, many organizations insert a clause into all contracts with independent contractors that clearly outlines what the organization considers as property. If there is an issue down the road, the contractor is on notice they will have to turn over that information.

3. Third-Party Data

   Other data that an organization may not actually possess but need to preserve is information that lives on a database owned by a third party. If a deal goes bad and data provided from a third party was relied upon, the organization must preserve the data. One example may be customer lists furnished from SalesForce. If that information is relevant, organizations must preserve it even though the organization has no actual possession of the information. Case law suggests that third party contracts grant organizations the legal right to obtain data logged by these separate entities (Williams v. Angie’s List, Inc., 2017 WL 1318419 (S.D. Ind. Apr. 10, 2017)). Some case law also suggests that parties are obligated to execute releases granting third-parties (like cell phone providers) permission to disclose records relevant to a case. This is especially true if a provider refuses document production in absence of a release and/or the party did not object to subpoenaing the provider. Several courts have ordered parties to either execute releases or obtain and produce the relevant document themselves because the party’s consent can determine who can access the data. Courts are split on this issue so attorneys must know where their jurisdiction stands before advising their clients or challenging court rulings (Hunters Run Gun Club LLC v. Baker, Civil Action. 17-176-SDD-EWD (M.D. Louisiana Feb. 7, 2019)).

4. Internationally Stored Data

   Since business is conducted on a global scale, data may live on servers all over the world. Even this data must be preserved, although an organization may not actually possess it.  To make it easier to obtain this data, Congress passed the “Clarifying Lawful Overseas Use of Data Act” (CLOUD Act) in 2018. The CLOUD Act makes the definition of “possession, custody, and control” inclusive of data stored on servers outside of U.S. borders. It allows for data to be subpoenaed from American companies even if the data is held on servers located outside the U.S.

Living in the digital era diminishes an organization’s capability to monitor and preserve business-related data. Investigating how your employees and business associates communicate deals is key. Policies should be drafted after communication trends within your organization are determined to address what types of data platforms can be used for work purposes, what is prohibited, when and how data should be backed up, and what should happen if the business relationship terminates. Review your policies and third-party contracts regarding electronic communication and preservation of data. If these are non-existent or outdated, create or amend these policies to reduce the risk of future legal exposure. Doing so will also help you be prepared when a deal goes wrong. If you found this blog informative, you may enjoy reading Top Five Mistakes Made When Collecting Data From Nontraditional Sources or The Epiq Angle Blog.