When the pandemic hit in 2020 and water cooler chatter became less common, chat platforms and text messages (IM) filled the gap. Collaboration tools like Zoom, Microsoft Teams, Slack, Bloomberg Chat and IM are now ubiquitous, with more than 67% of white-collar employees still “working from home to some degree.”[1] Indeed, a survey of IT managers reported that 91% of all companies now use at least two messaging apps.[2]

As more companies integrate these channels into their typical business practices, more and more legal matters will involve the review of chat message conversations. It is imperative that companies have processes and systems in place to control, retain, monitor, and review such business communications.

There are numerous challenges for businesses in reviewing chat data, including identifying and accessing chat platforms, handling ephemeral data, identifying participants (with various aliases or usernames), decoding the cryptic nature of some messages, coordinating the attachments and responses to those messages, and making sense of notices when parties enter or leave the conversation. People also often speak differently in a chat setting (more tersely, and using shorthand, emojis, slang, abbreviations, and images) than in other communication forms. Thus, external context may be even more essential to understand the nuances of the matter being discussed.

Continue Reading From The Water Cooler to the DMs – Tips and Tricks for Efficiently Reviewing Chat Communications

When you first hear about “auto-deleting” or “ephemeral” messaging, you may think of nefarious techniques to hide evidence of wrongdoing. In fact, ephemeral messages – which are typically end-to-end encrypted and set for deletion shortly after they are sent and/or read – in various forms are routinely used for business and other relevant communications. That means that they must be considered for preservation and potential disclosure, raising all sorts of legal, technical, and optical considerations. This came up recently in Federal Trade Commission v. Noland, No. CV-20-00047-PHX-DWL, 2021 WL 3857413 (D. Ariz. Aug. 30, 2021), where the court considered the use of ephemeral messages in the context of an investigation by the Federal Trade Commission (FTC) of the company Success By Health (SBH) and its officers for a potential pyramid scheme. The day after learning of the inquiry, the officers switched from their existing communication means (WhatsApp and iOS messages) to other encrypted mobile messaging apps including Signal, which they set to “auto-delete” all messages on reading. Company leaders exchanged thousands of such messages over many months, despite the FTC’s instruction to preserve documents and suspend ordinary-course document destruction. Further, defendants colluded to remove all traces of the apps and messages from their phones right before turning them over for inspection. The truth came out when the FTC received anonymous information alerting it to the undisclosed use of the apps. On the FTC’s motion against defendants for sanctions, District Court Judge Lanza found defendants had intentionally deprived the FTC of relevant documents, and sanctioned them under Fed. R. Civ. P. 37(e)(2) with an adverse inference that the spoliated evidence was unfavorable to the individual defendants.

Examples of Ephemeral Platforms

Continue Reading Ephemeral Messages: Handle With Care

E-Discovery is no longer dominated by emails and shared drive documents. With the increasing prevalence of mobile devices in the workplace and new apps being developed daily, mobile data and other non-email communications are moving to the forefront of discovery. Times have changed, and attorneys have professional and ethical obligations to keep up. To effectively and competently represent clients, attorneys must stay apprised of how to work with these ever-changing forms of data – or get help from someone knowledgeable. To that end, we have set out some suggestions below, organized around common stages of the discovery lifecycle of digital evidence.

Identification. In conducting custodian interviews, ask questions to target the data types the custodian works with. Start broadly by determining if the company has a BYOD policy and asking if it allows the use of personal devices for work purposes. Confirm which messaging tools the custodian uses for business purposes, with the understanding that people tend to play down such use. For each messaging application, ask how it is used and with whom the custodian communicates. Discuss these same topics with your client’s IT team to better understand the company’s policies and capabilities for controlling the use of personal devices, as well as employees’ actual practices.

Continue Reading Best Practices for Navigating Discovery of Mobile Data and Alternative Communication Tools in Today’s Digital World

On June 19, 2017, the Federal Trade Commission (FTC) issued a public comment regarding the National Telecommunications & Information Administration’s (NTIA) draft guidance titled Communicating IoT Device Security Update Capability to Improve Transparency for Customers.  In commenting on the guidance, the FTC acknowledged the benefits of and challenges to IoT device security, and encouraged

Adoption of Privacy Shield expected in early July; Federal Court limits VPPA liability; Belgian Court overturns Facebook fine; FTC robocall crackdown; A rare HIPAA criminal conviction; UK’s ICO fines Brexit campaigners for mass text messages; House report calls for national encryption commission.

European Commission expects adoption of Privacy Shield for the beginning of July

European officials are hoping to finally formalize the “EU-U.S. Privacy Shield”, the cross-Atlantic data transfer pact aimed at replacing the invalidated “U.S.-EU Safe Harbor” Framework, on July 5. The initial draft agreement has been amended to include new explanations of U.S. governmental entities and further limitations on the bulk collection of data and mass surveillance. The European Commission is now confident that the Article 31 Committee will also give its approval to the draft framework.

Many European Privacy regulators and EU bodies, such as the European Parliament and the European Data Protection Supervisor, had argued that the initial draft did not sufficiently protect the fundamental rights of European data subjects. The revised version now “only” allows bulk collection “exceptionally”, where targeted collection is “not feasible”, although it remains open how ‘feasibility’ should be determined.

Continue Reading Privacy & Cybersecurity Weekly News Update- Week of June 26

OCR Announces a Settlement … Again; HHS Eases Restrictions on Mental Health Information Sharing to Facilitate Gun Control Efforts; Facebook: Users Lack Standing in Cookie MDL; Plaintiffs Argue for Summary Judgment in $5 Million Twitter TCPA Suit

OCR Announces a Settlement … Again

For the second time this week, OCR announced another huge settlement. The

In conjunction with the 2015 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “Digital Privacy and E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting edge issues raised by digital privacy