How we miss the quaint times when text was just a quick way to chat with buddies. Today, these fleeting missives, now integral to so many work lives, amount to a multimillion-dollar corporate risk. Organizations sit largely unprepared while text messages replace e-mail as the digital smoking gun.
More on CIO.com
You know how it goes: On mobile devices, employees peck out details of their private lives, remarks about colleagues and, inadvertently or not, confidential business information. Things people would never say out loud or in memos fly around in text, often memorialized in digital archives that you don't control. It's juice for a legal adversary.
Text messages about employee firings and extramarital sex recently brought down Detroit Mayor Kwame Kilpatrick and his chief of staff, Christine Beatty.
Last year, three police officers sued the city and the mayor for wrongful termination, claiming they were whistle-blowers who had been retaliated against for discussing possible misconduct in Kilpatrick's administration. During the case, Beatty testified that one officer, Gary Brown, "was not fired." But text messages subpoenaed from SkyTel, which provides pagers to the city, said otherwise.
"I'm sorry that we are going through this mess because of a decision that we made to fire Gary Brown," read one of Beatty's texts to Kilpatrick, with whom, as other messages revealed, she was having an affair.
The officers won the case and $8 million. The city executives lost their jobs; Beatty resigned in January and Kilpatrick in September. In October, Kilpatrick was sentenced to four months' jail time.
Corporations are just as vulnerable. When all 100 of the Fortune 100 are involved in legal proceedings, you know you probably can't avoid e-discovery at some point in your career. And when your company gets hit with a lawsuit, you'll likely have to retrieve and reveal employee text messages relevant to the case, along with other newer forms of communication, such as instant messages and the words, pictures and video from social networking sites, blogs and wikis. But the way some CIOs are managing these technologies--sometimes by not managing them at all--makes that task harder and more expensive than it should be, says Alan Brill, senior managing director at Kroll Ontrack, where he founded the computer forensics and computer security functions.
CIOs dealing with e-discovery in a Web 2.0 world must learn new ways to limit the cost, business disruption, legal liability and potential public embarrassment from what employees say and where they say it. You have to plan for how you will collect data when you don't control it, whether it be text messages stored on the servers of your wireless provider or data in hosted applications from a software-as-a-service vendor. Even systems you may control contain information that may not be managed at present: unified communications systems that combine messaging, voice and video must also be brought into your record-keeping process.
So far, to his knowledge, no major corporate lawsuits involving evidence from social networking sites have emerged, notes Kroll's Brill. However, as in the case against the Detroit mayor, text messages are showing up in court, and these cases give us a taste of what's coming in e-discovery. "I worry about the CIOs," he says, "who don't even recognize the danger."
Think of the legal implications of, say, a Twitter post like this, from a proud employee: "To you naysayers, our disc brakes are fine. I'm an engineer on that product. We test to 5x tolerance on the label, so you can be rougher on them than you think. Don't worry." You've got potential product liability in 140 characters, warns Tom Mighell, a lawyer and senior manager at Fios, an electronic discovery consulting firm.
Rules? What Rules?
Since the late 1990s, arguments about whether and how electronic evidence should be produced have regularly bogged down civil lawsuits and IT departments alike. Broad discovery demands for, say, five years' worth of e-mail for dozens of employees somehow related to a given case are common. Along the way, parties protest what they see as undue burden and the multiple millions of dollars it can cost to retrieve electronic information. Again and again, judges find they must appoint special magistrates to preside over discovery fights before the meat of the case is tried.
The way one employee discrimination suit, against investment bank WestLB, played out, the parties spent almost three years fighting about the production of text messages and e-mail and just four months on the facts of the case. The suit, filed in 2004, concluded this summer--though not before the CIO was deposed by hostile attorneys. The plaintiff got many of the archived messages she demanded. She also got a favorable verdict and $1.9 million. Some companies are still winging e-discovery, even two years after amendments were made to address the process in the Federal Rules of Civil Procedure, which are the standards for trying civil lawsuits.
The rules call for the parties in a suit to meet early in the proceedings to disclose the kinds of electronic records available, whether they are "reasonably accessible" and in what time frame. The parties must create a discovery plan for electronically stored information of all sorts, including databases, e-mail, spreadsheets, data published on the Web, as well as text and instant messages.
But when a lawsuit hits, some organizations struggle to answer such questions. Of 60 in-house corporate attorneys surveyed by Oc
Preparing for discovery is time-consuming and it does cost money. But going into court unprepared is more costly, according to the Institute for the Advancement of the American Legal System, a think tank of judges and lawyers.
Some legitimate cases make no financial sense to pursue if you must pay lawyers hundreds of dollars per hour to argue about whether and how to produce data, then pay outside consultants hundreds of thousands of dollars on top of that to get the data in shape for court, said James Bredar, a magistrate judge for the U.S. District Court in Maryland, in the institute's recent report urging e-discovery reform. "The just resolution of a dispute has little value to a party if bankruptcy was the price of its achievement," he said.
Even as e-discovery continues to vex, the pace of technology change compounds the issues.
Smoking Gun Versus Private Thought
This year, more than 600 billion wireless text messages will zip through the air worldwide, according to CTIA, an association of wireless technology providers. That's a 10-fold increase from 2005's 57 billion.
Instant messaging, meanwhile, seeps into companies unsanctioned and unpoliced by IT. Social-media technology, too, presents trouble. Facebook, LinkedIn and MySpace, for example, encourage their combined 280 million members to broadcast what they're doing and boy, do they--from work and home, from hotels on public computers, from trains and planes on cell phones. Users of these technologies move fluidly online between the personal and the professional, says Fios's Mighell.
So far, the way text messages are handled in court varies by district and judge. In Michigan, for example, the messages of a city official on a city-issued device are public record, as Detroit's ex-mayor now knows. But in June, judges in a California case concluded the opposite. They found that messages on a city-issued device are protected from an employer, at least when senior managers fail to enforce consistently their own governance policy.
In the 2006 case, police officers in Ontario, Calif., sued the city's pager provider, Arch Wireless, for violating their privacy by giving their bosses transcripts of their sometimes sexually-explicit chat, conducted on pagers provided by the city. Arch argued that the police department's computer usage, Internet and e-mail policy allows for the monitoring of users' content.
But police department officials didn't regularly monitor pager texts, according to testimony, and officers developed a "reasonable expectation of privacy," the court concluded. Unlike SkyTel in Michigan, Arch in California was wrong to provide the messages. CIOs looking for firm rules across regions about text as evidence are out of luck, says Nolan Goldberg, an intellectual property attorney at Proskauer Rose.
"There's general guidance, but not much case law," Goldberg notes.
Avoidance Won't Work
A CIO's smartest move then, says Kroll's Brill, is to work closely with company lawyers to set and manage employee expectations of privacy. For example, when you install a new technology, amend your existing policy to address it specifically, he advises, even if it is simply by adding the words "text and instant messaging" to the existing passage about e-mail. (See: "Managing the Social Networking Data Sieve")
Next--and don't get lazy about this--maintain a regular schedule of monitoring and keep records to prove you're consistent, he says. "Don't have a de facto policy. Have an affirmative policy," he says. Otherwise, the policy is open to interpretation and you may not get a judge who sees it your way.
From a technology perspective, companies should be ready to produce old text messages and IMs as soon as legal proceedings begin, says Steve Wharton, vice president of infrastructure at Dean Foods, a $12 billion dairy company.
A lawsuit, an inquiry from the U.S. Department of Justice or an audit by a regulatory body such as the Securities and Exchange Commission usually has a deadline attached, Wharton notes. Blowing it can result in fines, as well as ticking off the judge or investigator. He and CIO Art Fino watch discovery issues closely because, he says, as the biggest milk producer in the United States, Dean Foods receives two or three requests for information each year from the DoJ, which monitors dairy industry competition. "We're organized, yet it's quite a fire drill for 30 to 60 days," Wharton says.
While those inquiries are active, the company must retain all pertinent electronic data and retrieve, sort and search it to respond to DoJ requests. For IM and e-mail, Dean Foods is evaluating several outsourced archiving vendors, including AT&T, Google's Postini service, IBM and USA.net. They store messages by user for a yearly fee, but don't offer sorting and searching for e-discovery. Dean Foods will farm that out to another company when needed. Fino and Wharton haven't addressed wireless text messages yet, but considerations include how much it will cost to have telecommunications vendors or a storage service company archive the messages in a way that's searchable later.
"We've got a pretty good strategy for IM, and mobile will follow," Wharton says. At building materials manufacturer Owens Corning, the technology department wouldn't sanction IM until this year, waiting for better archiving controls and tools for keyword searches, says David Johns, CIO of the $5 billion company. "We have our [desktop software] image locked down pretty well, so it was difficult if not impossible to have employees bringing in their own" applications, Johns says. Owens Corning deployed IM in "a small pilot" this year, he adds, to study how it's used and whether IT can control it well enough. Johns says he's satisfied and will consider rolling out IM more widely during the next several months.
Johns is cautious, having lived e-discovery for his 14 years at Owens Corning as the company has navigated at least 2,141 asbestos lawsuits that led it to Chapter 11 bankruptcy protection in 2000. The company emerged in 2006.
Owens Corning has started its share of lawsuits, too, suing test laboratories for providing what it said in financial documents is "questionable medical evidence" in 40,000 individual asbestos cases. The company also sued tobacco firms in an attempt to get them to cover some of the $10.2 billion owed in damages to asbestos plaintiffs with lung damage.
A CIO must protect the company with policy and technology long before he's called upon to turn over data for a lawsuit, as a matter of best practice, Johns says. He also has outlawed .pst files, which are personal storage tables that users of Microsoft applications can create to, for example, remove data from their mailboxes and out of the sites of any automated deletion programs IT might run. He limits mailbox sizes to 100MB. "With us going through some of the legal challenges we had in the past, that's part of the reason we run things the way we do. It is more straightforward to manage."