Taming Modern Data Challenges: Mobile Devices and Possession, Custody & Control

In our last post, we discussed the three Vs of Big Data, how the Big Data era is changing Information Governance and the impact of the Three Vs on eDiscovery.

While the explosion in the volume of data over the past 15 years has significantly impacted the practice of electronic discovery, the increasing variety of data has probably forced the most changes in eDiscovery workflows. This series is designed to discuss the challenges associated with various modern data formats and challenges that eDiscovery professionals are faced with today, and the first format we’ll discuss is the one that has become perhaps most ubiquitous in our lives today – mobile devices. However, since we recently published a series on mobile devices, we will focus this discussion on the considerations regarding how possession, custody, and control can impact eDiscovery of mobile devices within an organization.

Recapping our Recent Mobile Device Series

Last year, we published a series that discussed several considerations that are part of the landscape of mobile device discovery today. Those include:

• Device Management Policies and Mobile Device Management (MDM) Solutions: Device management policies and the considerations for each policy, as well as industry recommended principles for devices that are fully owned by employees and contractors.
• Types of Data Discoverable on Mobile Devices: Unique data types specific to mobile devices that are routinely responsive in discovery (hint: it’s much more than just text messages).
• Metadata Considerations with Mobile Devices: Examples of metadata in mobile devices and how they can provide useful evidence in discovery.
• Mobile Device Data in Criminal Investigations: How investigators use mobile device data in criminal investigations, privacy considerations and an example of a high-profile investigation.
• Recent Mobile Device Case Law Trends: Recent case law rulings related to 1)relevance and accessibility of mobile device data (including whether forensic examination of mobile devices is warranted), and 2) sanctions related to the preservation and production of mobile device data (including fabrication of evidence).
• Traditional Challenges Associated with Mobile Device Collection: How the technology used to collect from mobile devices originated and has evolved and the pros and cons associated with each current approach to collect mobile device data.
• Technological Advancements in Mobile Device Collection: Recent technological advancements to address traditional mobile device collection challenges through providers such as ModeOne.

These trends, best practices, and other considerations impact discovery of mobile device data and awareness of them is key to taming the modern data challenges associated with them.

Mobile Devices and Possession, Custody & Control

Please refer to the mobile device data topics we previously covered, yet there is one additional topic that bears discussion: the consideration of possession, custody, and control of employee mobile devices for organizations.

In the Federal Rules of Civil Procedure, parties have a duty to preserve and produce electronically stored information (ESI) in their “possession, custody, or control”. This obligation is governed by rules like FRCP 26(a)(1)(A)(ii) for duty to disclose, 34(a)(1) for producing ESI, and 45(a)(1)(A)(iii) for third-party subpoenas.

However, the application of these concepts to mobile devices can be complex, particularly given the personal nature of such devices and the mix of personal and business data they may contain. Here are some of the considerations related to mobile devices and possession, custody and control:

Relevance of Mobile Devices in Discovery

• Company-Issued Devices: If the company owns and manages the device, it will typically be considered under the company’s possession, custody, or control.
• Bring Your Own Device (BYOD) Devices: However, when employees use personal devices for work purposes, questions of control become critical. Courts often look at whether the employer has the practical ability to obtain relevant information stored on the device. With 84% of organizationshaving a BYOD policy, most devices fall into this category for discovery purposes.

Factors Considered by Courts

• Company Policies and Agreements: Policies around data ownership, retention, and access can be decisive. For instance, if a company’s BYOD policy explicitly provides the company with access rights to work-related data on personal devices, this could strengthen the case for control.
• Actual Access: Even if a party does not have legal ownership, if they can access the data on demand, courts may still find possession, custody, or control.
• Practical Ability to Obtain Data: Courts may look at whether a party can practically obtain the data even if they do not have direct access (e.g., requesting employees to turn over relevant work-related messages).

Considerations for Requesting Parties

• Understanding Policies of Producing Parties: To understand the producing party’s level of possession, custody, or control over the mobile devices of its employees, it may be important to request information about the company’s mobile device policies in interrogatories to understand your options.
• Third-Party Subpoenas for Mobile Device Data: If there is doubt about whether the producing party has possession, custody, or control over the mobile devices of its employees, consider issuing third-party subpoenas directly to those employees. Requesting parties were able to do so in the In re Pork Antitrust Litigation and in the case Oakley v. MSG Networks, Inc.

Considerations for Producing Parties

• Considering Privacy Concerns: It’s important to consider balancing the need to preserve relevant information with privacy rights, particularly when personal devices are involved.
• Clarity of Mobile Device Policies: Policies and agreements outlining data access rights must be clear, especially in BYOD scenarios. It’s important to consider balancing the needs for the data to support general purposes with the potential discovery obligations in litigation (including instructing employees to suspend auto-deletion of text and chat messages).
• Mobile Device Management (MDM): Implementing technologies that enable remote access to business data on personal devices is likely to establish possession, custody, or control of the mobile device data of your employees.

Conclusion

With the proliferation of BYOD mobile devices in organizations today, the question of whether an organization has possession, custody, or control of the mobile device data can be murky. Organizations must understand the ramifications of their mobile device policies to their obligations to preserve that data in discovery. Requesting parties need to consider third-party subpoenas to request mobile device data directly from the employees if there are questions regarding whether the producing party has possession, custody, or control over that data.

In our next post in the series, we will discuss enterprise solutions (like G-Suite and M365) and collaboration apps (like Slack and Teams) and the challenges they create for legal teams in discovery!

For more regarding Cimplifi forensics & collections capabilities, click here.