AccessID
Relativity Login
AccessID
Relativity Login

Mobile Devices Continue to Roil Information Governance Measures

  • Published on Sep 1, 2016

One of the most troubling technological developments over the past few years is the inability of organizations to manage mobile device data. This trend is evident from increasing sanctions requests in litigation for failures to preserve mobile data to the growing number of attacks by cybercriminals on smartphones.

Smartphones and Mobile Data in Litigation

In litigation, clients and counsel often seem unable (or unwilling) to preserve and produce discoverable information from mobile devices. According to Gibson Dunn & Crutcher’s 2016 Mid-Year E-Discovery Update, the cases involving sanctions for ESI preservation shortcomings most frequently involved failures to preserve text messages and other mobile data. The NuVasive, Inc. v. Madsen Medical, Inc. case exemplifies this trend.

In NuVasive, the court held that plaintiff failed to take adequate measures to preserve relevant text messages exchanged by its employees. While plaintiff issued timely litigation holds, it neglected to properly follow up with its employees to ensure that text messages were retained. For example, relevant text messages from one phone were lost because the employee twice upgraded his phone between the time the hold was issued and the time the phone was turned in for collection. Another employee “deleted relevant text messages” from his phone before providing it to counsel. A third employee failed to follow pertinent hold instructions, resulting in the destruction of relevant information:

In January 2014, NuVasive asked Stephen Kordonowy to bring his phone to San Diego for imaging. Kordonowy brought his current phone instead of the phone [with relevant data] that he used prior to MMI’s termination. His previous phone was sitting in his desk drawer, and later, in mid-2014, Kordonowy wiped the phone clean before giving it to his son.[1]

Smartphones and Cybersecurity

NuVasive encapsulates the challenges that smartphones and mobile data present in litigation. However, the “mobile madness” confronting clients and counsel is not restricted to legal matters. Instead, cybersecurity issues surrounding employee smartphone use are also increasing. According to a recent article published by the Wall Street Journal, users are apparently “taking fewer precautions to thwart hacking on their mobile phones.”

The WSJ article referenced a survey, which reported that smartphone users neglected to periodically update their mobile operating systems as frequently in 2015 as they did in 2014. The survey also indicated that the number of users deploying “antivirus or antimalware software” dropped ten percentage points in 2015 from 2014. Finally, only 25 percent of smartphone users intermittently changed their passwords in 2015, down from 41 percent in 2014.

All of which could herald a new era of cybertheft. Indeed, the WSJ article observed that cybercriminals are now regularly deploying malware to “to steal banking credentials from unsuspecting consumers when they log on to their bank accounts via their mobile phones.”

With cyberthieves targeting smartphones, organizations can reasonably assume that trade secrets, financial information, and other sensitive corporate data could also be subject to misappropriation. This is particularly the case for companies that have either casually enforced “bring your own device” (BYOD) programs or that exercise little oversight regarding smartphones issued under traditional “corporate owned personally enabled” (COPE) plans where the enterprise owns and issues the mobile device.

Deploying Actionable Counter Measures

Despite the challenges presented by smartphones and other mobile devices, organizations are not powerless to address these issues. They can take actionable steps to prevent or otherwise mitigate mobile device mayhem for both litigation and transactional purposes. The Gibson Dunn report suggests a few of those steps, which include the following:

  • Establishing effective mobile device use policies that encompass BYOD environments as well as COPE programs.
  • Deploying mobile device management software including so called “sandboxes” to better secure, manage, and control access to company apps and data.
  • Mandating that employees use “enterprise texting apps” that enable journaling or that otherwise back up text messages on company servers.

Enterprises can also step up audit and enforcement measures to better ensure policy observance and bolster their litigation hold processes. Any one of these steps – and certainly a combination of them – will likely do much to address the mobile device problems affecting organizations today.

[1] NuVasive, Inc. v. Madsen Medical, Inc., No. 13-cv-2077, 2015 WL 4479147, *2 (S.D. Cal. July 22, 2015) (emphasis added), modified in part, 2016 WL 305096, *1-2 (S.D. Cal. Feb. 1, 2016) (vacating adverse inference instruction due to the December 1, 2015 amendments to Federal Rule of Civil Procedure 37(e)).c

Written by: Philip Favro

Philip Favro is a leading expert on issues relating to electronically stored information. Phil serves as a court-appointed special master, expert witness, and trusted advisor to law firms and organizations on matters involving ESI and electronic discovery. He is a nationally recognized scholar on electronic discovery, with courts and academic journals citing his articles. Phil also regularly provides training to judges on electronic discovery and ESI. He is a licensed attorney who in private practice represented organizations and individuals in litigation across the spectrum of business disputes. In addition to handling a range of complex and other discovery issues, Phil has extensive experience in the courtroom including summary judgment, preliminary injunction, and discovery motion practice, together with trial and arbitration experience.

View All Related Articles