A company striving to comply with state and federal regulations, as well as outstanding litigation holds, should establish policies and protocols related to the who/what/when/how of archiving business-related text messages. This blog post contains compliance strategies companies may wish to consider regarding such messages.
“Who.” All directors, officers, and employees should be advised of the company’s data retention policies, including their obligations to use particular devices for business purposes (or that personal devices used for business purposes will be subject to the same data collection policy), to refrain from deleting relevant text messaging data, and to cooperate with the company and/or third-party vendors to routinely archive data. As an example, employee handbooks should include an acknowledgment of data retention and privacy policies on text messages on devices used for conducting company business.
“What.” To avoid potential penalties – whether from regulators or a court – the retention policy must thoughtfully anticipate the scope of text message data to be routinely archived and/or routinely scheduled for deletion. As a threshold matter, the company should consider what devices, whether company-owned or employee-owned, are being used to conduct business and should be subject to the company’s data collection process. The company policy should put employees on notice that the company can and will need unfettered access to mobile devices used to conduct business, removing any expectation of privacy. Critically, as soon as litigation is reasonably anticipated, a policy for archiving old and preserving new text messaging data should be immediately implemented. The litigation hold, covering text messages as well as other electronically stored information, should be a supplement to, not a substitute for, a routine data retention policy.
”When.” The business needs and applicable regulations dictate the scope of a data retention policy and how long that data should be maintained. The key takeaway from the White House Secret Service incident – don’t forget to include text messages when implementing retention policies or litigation holds. A business cannot wait until a discovery request seeking relevant historical text message data is received to start thinking about whether relevant text messages exist and/or how to manage that data.
“How.” Retention policies should be crafted to satisfy business, regulatory, and litigation needs. In other words, does the policy meet the company’s business needs, and will it be defensible in court? Especially in the context of a litigation hold, the company should consider how it will authenticate the text message data, establishing a defensible protocol and chain of custody. Manually archiving text messages by individual employees is inefficient, and risky. There is too much opportunity for non-compliance, selective archiving, or intentional deletion of data (raising potential spoliation of evidence issues). There are applications that, once loaded onto the messaging device, will routinely save text message files in a particular format, exporting them to a company’s server or cloud storage. If done according to a set schedule, the company can document the efforts made to address business needs, regulatory compliance, or discovery rules. Certain apps may enable the company to save text data in a searchable format, whether by sender, recipient, date range, or content, making the data more useful. Finally, a policy requiring employees to periodically relinquish their mobile device used for business purposes to a third party for archiving of all electronically stored data may be effective, but it can be expensive, inconvenient, and more intrusive than necessary given the regulatory and litigation profile of the company.
Bottom line – the culture of most companies accepts that electronic mail retention policies and procedures are a routine part of doing business. But don’t forget the text messages!