Corporate Social Media | Civil Lawsuit E-Discovery

Log-on and Password to Opponent?

A few cases have required a social media user to give his password, user name and log in ID to an opponent for ediscovery.  In these cases, the user was an individual.   But what if the user were an enterprise?

In Zimmerman v. Weis Markets Inc., an employee claimed he suffered great injury from a workplace accident, so he sued his employer.   But the public portions of his Myspace and Facebook sites contradicted some of his claims.   His employer surmised that non-public portions of his social sites would reveal more information relevant to his injury.

No Expectation of Privacy?

The Pennsylvania court compelled the employee to give to the employer his Myspace and Facebook passwords, user names and log in names.  The court dismissed the employee’s claims to privacy, saying, “Zimmerman voluntarily posted all of the pictures and information on his Facebook and Myspace sites to share with other users of these social network sites, and he cannot now claim he possesses any reasonable expectation of privacy to prevent [his employer] from access to such information.”

What Do Social Media Privacy Policies Say?

The court went on to say, “All the authorities recognize that Facebook and Myspace do not guarantee complete privacy.  Facebook’s privacy policy explains that users post any content on the site at their own risk and informs users that this information may become publicly available.”

Although the privacy policies at those sites are very complex, the court did not engage in an in-depth analysis of the precise words in those policies.

Access to Email and Chat Messages?

Further, the court did not consider that those log-on credentials will grant access to the content of private, one-on-one chat or email messages, or messages that are the equivalent to private email.

Historically, in civil ediscovery, it has been more common to require an email user to turn over relevant messages -- one-by-one –- not to turn over his log-on credentials so the opponent can access all messages in his email account.

The configuration of social media sites is complex, and privacy for particular bits of information can often be adjusted with a fine degree of precision.  For example, in Google Plus, a user can “post” information on his page, but make it viewable by only one friend.  In effect, the “post” is analogous to a private email message to that friend.


Enterprise Data in the Cloud

Could the logic of Zimmerman be applied against an enterprise in a civl lawsuit?  Could it lead to a requirement that an enterprise turn over full administrator access credentials for a social networking facility the enterprise uses with its employees and select trading partners such as vendors and customers?

It is becoming common for firms to use services like Yammer or Chatter, third-party, cloud-based services, to provide “internal” social networking.

Imagine this scenario: The opponent of a corporation shows a court that public postings of the corporation, sent in connection with a service like Yammer, are inconsistent with claims the corporation makes in litigation.   The “internal” part of the service shares information among the corporation, its employees and selected “business associates.”  In the “internal” service, varying degrees of access are granted to different people for different bits of information.

Further imagine that the confidentiality terms of the service provider do not guarantee absolute confidentiality under all circumstances. (A service provider cannot make such a guarantee.)

Under the logic of Zimmerman, I can imagine the corporation’s opponent arguing that it should be given powerful log-on credentials so it can broadly view the part of the service used “internally” by the corporation.

Non-Disclosure Terms

What is a corporation using services like Yammer to do?   One step would be to liberally post terms and banners requiring users of the internal service to agree that the contents of the service are confidential and shall not be disclosed.   That step will not defeat all of the Zimmerman logic, but it will help to distance this corporate scenario from the facts of the Zimmerman case.  In Zimmerman, the employee did not post a notice on the private portions of his social sites requiring viewers to maintain confidentiality.

–Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

Related Post: Social Network terms of service applicable to forensic investigation?

Subpoena Facebook

Locating Social Network Legal Evidence

[See latest update 2014 on how to get subpoena results.]

If you seek to cause Facebook to disclose the content of communications to or from a Facebook user, remember that the user's home or business email account may contain much of the information you seek.  (The same goes for LinkedIn, Foursquare, Yelp, Skype, Groupon or online dating sites and services.)

The email account may contain some of the messages the user posted on Facebook.  Facebook allows a user to submit, via email, updates for publication on his or her Facebook Wall.  See my records management discussion about the Facebook-update-by-email feature.

Further, Facebook often emails a user with notices about and/or copies of content of messages posted by others for the benefit of the user.  For example, here is a screenshot of an email from Facebook:
















Hence, the user’s email account may contain the content and date/time of many desired Facebook messages, even those messages (ESI*) that have been deleted from Facebook.  

 

Records on Cell Phones

Another place to look for Facebook notices and content may be SMS records on the user’s cell phone. Facebook can be configured to send certain notices (with copies of FB message content) to the user’s SMS account. The types of notices that FB sends to SMS are not as numerous as the types that FB may send to electronic mail.

  Service Providers Resist

Normally, when handed a civil subpoena, such as in a divorce, infidelity or child custody investigation, a service provider like Facebook (or Hotmail or Google ) will resist disclosing the content of a user’s communications unless and until the user consents.  A common rationale cited for resistance is that the content is protected under the Stored Communications Act.

Compelling User to Cooperate

Often, law will compel the user to consent to the service provider releasing records of communications. Some recent cases have been compelling users to turn over, to their adversaries, their social media user ID and password.

Metadata and other Non-Message Content Data

See practical discussion on the retetion and disclosure of text and other messages by service providers.  Service providers may see a distinction between the content of messages and metadata about the messages, such as time of transmission.  Some service providers believe they can be compelled to turn over meta data but not message content.

An emerging class of social media services (Foursquare.com, Yelp, Gowalla) collect and store not just messages, but also  location information.  John was at the burger joint on May 11, 6:33pm, and at the ball park May 12 at 7:07pm.  This data will be the target of subpoenas.  The degree to which service providers will resist the subpoenas remains to be seen.

–Benjamin Wright

Mr. Wright teaches data law at the SANS Institute.  

*What is "ESI"?  ESI means electronically stored information.  It is a legal term of art applying to electronic information that is desired for legal purposes such as a lawsuit or an investigation.

See related post on deception in investigations on Facebook  and other social networks.

Related article: How to record what you see on Facebook or other online media.

Update 2013:  Facebook sent an SMS text to my phone telling me it will begin sending me a steady stream of text messages regarding FB activities of my friends and me . . . unless I opt out.  So the default at FB (at least for a user like me) is to send lots of text messages to my phone that refer to activity in my FB world.

Update:  Send a preservation letter to the subject of an investigation.

Tag Disclosed ESI | Privacy, Control, Security

Warn FBI, Auditor, Examiner, Adversary, Regulator, Investigator or Inspector General

Ediscovery Production Strategy-Services for Text, Email, Twitter, Facebook Google+ or Other Social Network Records

Subpoena . . . tax audit . . . court order . . . police raid . . . search warrant . . . criminal investigation . . . regulatory proceeding . . . administrative summons . . . grand jury inquiry . . . litigation discovery demand -- any of these could compel or motivate a party holding e-records to reveal or produce them.

But often the party that receives (or seizes) the records should be expected to safeguard them after they arrive.

Laws requiring the safeguarding of records are many and diverse.  One small example:  As a business discloses information to the federal government, it can (if justified) tag or annotate the information as a “trade secret.”  By so doing, the business warns government employees that they violate federal law (18 U.S.C. Section 1905) if they abuse the trade secret, such as disclose it to a competitor or to the news media.

Legally speaking, the tagging or annotating of records can be strategically powerful.  But when a large quantity of e-records (SMS, chat, e-mail, Web 2.0, iPhone, BlackBerry) is involved, manual annotation is laborious and expensive.

Emerging technology affords a solution.  Technology empowers producing parties to annotate (label, tag) records with ever-better precision and efficiency.

When records like instant messages are disclosed under law, it is becoming more common that they be disclosed in an electronic format that supports annotations, such as XML.

Electronic annotation (commenting) enables highly granular, specifically-targeted legal notices.  Targeted annotation can give the producing party an advantage.  The advantage is more apparent when large numbers of record are at issue and different records require different notices.

By long-standing practice, lawyers often mark disclosed records with warnings or reservations of rights. But historically these notices were expressed as general, blanket statements in transmittal letters. (See footnote.)

When numerous records are involved, blanket statements may not be as effective as specific, record-by-record annotations.   Suppose for example that five million email records are being produced.  Within those records are, say, 2137 that contain personally identifiable information (PII), which the producing party is obligated to safeguard.  The producing party may better fulfill its obligation by specifically annotating each of the 2137 with strong warnings, rather than with general notices covering the whole five million.  (Example:  “WARNING: This email may contain private data protected by law.  Access on need-to-know basis only.”)

Specific annotations can include any of a range of legal statements:  disclaimers, instructions, interpretations, cross references, self-serving language, reservations of rights, claims of privacy, contractual terms of use, designation as attorney work product and more.

According to Ranjit Sarai, e-discovery consultant at Messaging Architects, “Annotations can involve advanced services in e-record production.  Manual annotation of individual records can be very time consuming.  But we can recommend or develop routines for identifying relevant records and placing the prescribed annotations on them.  We can facilitate collaborative, team annotations.  We can also help bring the appropriate attention to annotations.  Some annotations should be understated.  Others should scream out in blinking neon lights.”

Update:  Tags and annotations can be inserted according to varying degrees of granularity, whether record-by-record, word-by-word, or something else.  US intelligence agencies are managing massive databases on terrorists by tagging each word, one-by-one.  A tag can show, for example, the level of security clearance an analyst needs in order to see the word.  Advanced search software can prevent an analyst from seeing information for which he does not have adequate clearance, while alerting him that the database may contain additional information relevant to his inquiry, access to which will require higher authority.   Siobhan Gorman, "How a Team of Geeks Cracked Spy Trade," Wall St. J., 4 Sept. 09.

–Benjamin Wright

Mr. Wright delivers education on cyber defense law under the SANS Institute.


Footnote:  A case known as Teachers Insurance(1) suggested that when a company discloses information to the Securities and Exchange Commission, it waives attorney-client privilege on that information, unless it explicitly reserves its privilege rights.  Applying that idea, a company in another case(2) attempted to make such a reservation of rights in the transmittal letter sent with documents disclosed to the SEC. 

(1)Teachers Insurance and Annuity Assn. of America v. Shamrock Broadcasting Co, 521 F. Supp. 638 (SDNY 1981).

(2)In re Subpoena Duces Tecum to Fulbright and Jaworski and Vinson & Elkins, 183 Fed. Sec. L. Rep. para. 99,505 (DDC 1983).

Recordkeeping for Social Networking Managers

Social Networks for Official, Commercial & Employment Transactions

By law, employers generally need to keep records of employment decisions.  So when the boss conveys a pink slip by way of Facebook, the employer needs a legal record of it.

What?  Fire someone by Facebook . . . a posting on a wall?  Would a manager do that?  Yes.  A spa in Canada (British Columbia) used Facebook to notify Crystal Bell of her job termination.

The history of electronic messaging tells a story about business records.  As each new form of message comes along, we initially doubt you can conduct business with such a flimsy thing.  Fax as a medium for transacting serious business?  No way, people thought in the early 1980s.  But as time passed –- and as court cases enforced fax contracts -- we grew more comfortable with fax as a business tool.  Today, fax is considered a responsible, even conservative medium for transmitting signed agreements and binding business records. 

Then, when electronic mail came into the workplace, conventional wisdom dismissed it.  Convention said e-mail was not a business record, said it could not (conveniently) be authenticated with a signature, and said it should be deleted quickly like so much water-cooler chitchat.  But naturally business people embraced e-mail as a tool for making obligations and delegating authority.  Today we see the law giving enterprises growing reason to store e-mail as business records.

I predict the same process will unfold for collaborative (Web 2.0 and social network) media like instant message, Facebook, Twitter and Myspace.  Old-fashioned folks will try to ban these technologies as methods for conducting important business.  They will, initially, ignore them as records to be kept.

But the outcome of the story is inevitable.  Busy people (like the boss in BC) will use the new channels to hire, fire, negotiate, agree and so on.

The managers of records need to plan for capturing the records of Web 2.0.  Those records can become the subject of a subpoena, an IRS taxpayer audit, an administrative summons or an internal investigation or the source of exculpatory evidence in defense of lawsuits.