An employee, excited about a new product the company is developing, mentions it on Facebook. Due to his privacy settings, a competitor gets wind of potential trade secret information. In another situation, a disgruntled employee sends a negative Tweet about his company to hundreds of followers, including company shareholders.
These scenarios sound innocuous, but they happen and can put your organization at risk. While most organizations have repeatable processes in place to manage potential risks associated electronically stored information, or ESI, as part of a proactive e-discovery strategy, many still lack processes to collect, preserve and produce social media.
Social media is discoverable under Rule 26(b) of the Federal Rules of Civil Procedure (FRCP). With Facebook membership exceeding 800 million users and Twitter now approaching the 300 million mark, attorneys, litigation support and e-discovery practitioners, IT and other business units are concerned about how to address social media as part of a repeatable e-discovery process.
The Challenges of Social Media in E-Discovery
Unlike other forms of ESI, social media is ubiquitous and viral, has business and personal uses, and is ever-expanding in volume. Unlike e-mail and other forms of ESI (Word documents and spreadsheets) social media comes in many different forms (Facebook, Twitter, YouTube and LinkedIn), is transient (messages are fleetingly posted and deleted and often not stored by the publisher), is conversational in tone (slang and abbreviations are difficult to search), is often anonymous, and is not physically stored on the user’s computer or the organization’s servers.
These characteristics raise access issues (how does one acquire items that are held by a third party instead of the employer?), privacy rights (where is the line drawn between an employee’s privacy rights and an organization’s requirement to retain and produce data, and a publisher’s privacy policies?) and technical challenges.
9 Steps to Developing a Repeatable Social Media Litigation Readiness Plan
Despite the complexities, one can master social media challenges by incorporating practical steps into an organization’s overall litigation readiness plan.
1. Understand how your organization uses social media.
Social media is increasingly part of a strategy around brand protection or promotion, connecting a brand with customers or strengthening the organization’s internal communities -- including investors and employees. Work with your legal team, business units, records management and IT to take an inventory of what social media sites are being used and for what business purposes.
2. Develop policies and procedures that consider social media in the context of the organization’s business goals.
Banning social media is not realistic; like e-mail and texting, it has become essential to communications, both personal and professional. Collaborate with in-house and outside counsel to design policies that document use of social media as part of your organization’s particular strategy, and fashion employees use of social media sites to reflect these policies.
3. Educate and train employees on social media policies.
With little protection on social media sites (lack of encryption), information can quickly go viral. Work with your organization’s human resources or training personnel and counsel to develop employee communication and training programs to help ensure that use of social media does not expose your organization to unnecessary risk.
Set forth expectations on appropriate versus inappropriate use, and stress the importance of customer privacy and protection of trade secrets and confidential and privileged information. Incorporate this training into your organization’s overall training and compliance program to ensure policies are documented, confirmed by and accessible to employees.
4. Enforce social media policies by incorporating them into current compliance programs.
Social media should be incorporated into your organization’s compliance program and employee monitoring and enforcement processes. Organizations should determine to what extent employees can use company-wide sanctioned and personal social media sites.
Some examples of where to consider social media usage related to compliance programs include breach of security and/or confidentiality, internal and external communications that take place using your organization’s hardware or via its network, personal use of your organization’s resources, use of copyrights, trademarks and patents and employee Internet usage.
5. Create a topography of social media sources.
IT must map the social media data types and sources to departments and custodians and account for their respective retention policy and existing litigation holds. The process of responding to e-discovery questions is further enhanced if your organization comprehends the unique legal and regulatory requirements introduced by such sources.
For traditional sources of ESI, a network diagram of an organization’s IT infrastructure that records what data sources, systems and storage exist, what types of information are stored and who to contact for answers can help counsel identify relevant and accessible data when a matter arises -- the same goes for social media.
6. Incorporate social media into your organization’s broader information management strategy.
Managing social media risk requires incorporating it into the larger implementation and enforcement of records retention and disposition schedules so organizations are not storing vast volumes of information not required for business purposes, compliance or legal holds. Records management, IT and other stakeholders should implement policies and processes that govern how to retain social media for the period of time determined by a well-thought-out retention schedule. Social media makes information management more complex since the data is stored and managed by third parties and should be subject to scheduled review and purging.
7. Leverage evolving tools to overcome the technical challenges associated with social media acquisition.
Traditional e-discovery collections tools are not designed to work with social media. The equivalent of a full disk image of the hard drive in the cloud is effectively impossible because social media data resides within very large third-party shared databases. Screen captures, printouts or archiving RSS feeds are highly manual and time-consuming.
In addition to being difficult and costly to search, these tools omit metadata critical in authenticating specific message streams that may be important in a matter. Additionally, most social media sites lack functionality for defensible data acquisition.
Collaborate with IT to leverage collection tools designed for social media and learn best practices around use of such tools to address the technical challenges associated with social media acquisition. If employed as part of a thoughtfully crafted process, such tools can establish authentication and chain-of-custody, capture metadata, perform automated searching and indexing across multiple accounts and sources (including linked content) and acquire the data in a searchable and producible format.
8. Proactively preserve social media data.
Organizations are obligated to treat social media like any other ESI and assume it is potentially discoverable under FRCP Rules 26(b) and 34. Understand other regulatory requirements that require social media to be preserved, including FINRA, SEC and FDA compliance obligations that may apply. Adherence to these requirements should be part of your organization’s existing information management protocols. Failing to preserve social media can leave you unprepared for producing it during discovery.
In implementing a preservation strategy, understand how you want to preserve data and know the ramifications of any decision. For example, when someone replies to a post on an employee’s Facebook page, should that response be preserved? What about if it is linked to another organization’s website? Does that other organization need to preserve that message? Or if an employee in your organization Tweets about another business, does that other organization need to preserve the Tweet? Consider these questions in light of your organization’s social media policies and objectives.
9. Ensure electronic data from social media sources is in a format compatible and useable with standard e-discovery review tools.
Like other ESI, social media must be acquired in a searchable and producible format to satisfy discovery obligations. Utilizing best practice tools can ensure that social media data is maintained in a searchable native format so that relevant data can be culled through, tagged and exported to document review platforms, thus ensuring that when it is produced in litigation, it will contain the original extracted text.
Social Media is Here to Stay
Counsel, e-discovery practitioners and other stakeholders are instituting comprehensive social media policies that govern employee usage in accordance with organizational goals. Organizations must implement processes for determining and auditing what data should be retained as part of the information governance lifecycle (including technology to ingest and archive social media), and incorporate a strategy for executing legal holds and quickly accessing social media in the event of a regulatory inquiry or litigation.
At each stage of the process, documentation and audit trails are critical, should you need to defend and explain your processes and decisions down the road. All of these elements must be repeatable business processes that are part of an organization’s broader e-discovery strategy. The prevalence of social media and its potential risks will continue grow, so make sure your organization is prepared to address it.