Incorporating Social Media into Your Data Collection and Retention Policies
By Ashley A. Smith – February 16, 2016
Social media and the Internet of Things have made corporate record keeping more complex. Businesses must be prepared to collect data from sources other than their own servers.
It used to be that electronic discovery, or e-discovery, could be conducted entirely within a company’s own servers. Email archives and file directories provided a complete picture of corporate documentation. That’s no longer true. Corporate communications are supplemented, or even dominated, by social media, text messaging, connected devices (i.e., the Internet of Things, or IoT), and more, making record keeping much more complex. Businesses must consider and plan for the inevitable requirement to collect electronically stored information from disparate data sources.
In particular, data retention policies can no longer ignore social media sites and the potentially relevant information they hold. In case after case, the courts have upheld the need to not only consider but in fact review and produce data from sources such as Facebook, Twitter, and LinkedIn. The issue is no longer whether social media should be collected but how it can be collected.
It’s important to remember that the standard for discovery of social media is the same as the standard for discovery of any other digital media record under the Federal Rules of Civil Procedure. More often than not, data collected from social media include verifiable metadata and text, and despite what you may think, the data are reasonably accessible. In fact, many social media sites provide application programming interfaces (APIs) that interact with the social media source to capture data. These tools are essential during the collection and extraction process.
How Do I Collect Social Media Data?
Social media sites don’t just contain news feeds of an individual’s travel adventures or photographs of recent dinners out; these are just the colorful candy coating. Beyond that exterior lie person-to-person and group messaging features, which hold a rich trove of potentially relevant content. Depending on the user’s settings, these messages may not be saved, and collection tools may not capture them by default. It is critical that the party collecting the data considers these issues during the interview and collection process.
In addition to the APIs available for the collection of social media content, fragments of information can often be reconstructed from the Internet cache on an individual device. This leads to an important question regarding the type of data collection performed. A full forensic, or bit-by-bit, image of the original media is the only way to ensure you have the necessary file fragments to reconstruct easily recoverable deleted files or Internet cache items. In comparison, a targeted acquisition will capture only the active data files; it does not capture deleted file fragments and may not capture the temporary Internet cache. It is critically important that all efforts are made at the time of collection to capture potentially relevant data. If you don’t collect it, you don’t have the option to review it later.
In the United States, the majority of businesses issue devices to their employees to be used in the course of their employment. The information security policies of these businesses (and, to oversimplify it, the data privacy laws of the United States) favor the companies’ right to the property over the individual’s right to privacy. This is not the case in many foreign jurisdictions, but in the United States, if you’re using the company’s device or network to access a social media site or instant messaging service, you’ve waived your right to privacy and the company has the right to collect any information from that device or network. Bring-your-own-device (BYOD) policies can complicate these issues; therefore, it is critically important for companies to include Internet usage parameters in their employee policies.
You may be thinking to yourself, “Fantastic! I always consider these types of data sources and collection techniques at the time of collection; I’m covered!” Unfortunately, that may not be the case. It’s important to remember that collecting the data doesn’t necessarily mean the data will make their way through to review.
In many instances, these new data sources—social media, text messaging, instant messaging, etc.—aren’t being left behind at the time of collection; rather, they are being filtered out during data processing. The underlying files that support social media threads and content are often the same file types that are filtered in processing. Special handling is often required to parse these files and to deliver them to a traditional discovery review environment. Ultimately, the responsibility lies with the legal team to understand and confirm the data that are to move from the collected image, through processing, and finally to review.
Regardless of the type of investigation or litigation, counsel must stop thinking of social media and other messaging services as nonstandard. They are the new standard and need to be incorporated into the ordinary data retention and collection policy for electronically stored information. For the corporation, this requires attention from both network administrators and in-house counsel to ensure that policies and procedures are in place to address the challenges associated with these data collections. For outside counsel, this involves incorporating the data sources into the discovery process. The collection tools and methods may be more complex, but this is simply a reflection of the evolving ways in which businesses and people communicate.
Keywords: litigation, corporate counsel, data retention, data collection, social media, Internet of Things, record keeping, application programming interfaces
Ashley A. Smith is a managing director at Navigant in Los Angeles, California.