Common Pitfalls in Personal Device Collection

Reprinted with permission from the April 2024 Business Crimes Bulletin, Copyright 2024 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.

Litigants increasingly face subpoenas or discovery requests for forensic collections of text messages. The increasing frequency of “bring your own device” policies creates serious implications for subpoena recipients and litigants to ensure compliance with these demands. And courts across the country consider such personal mobile data fair game. To avoid pitfalls—and sanctions—counsel must take proactive steps to ensure proper preservation and collection of personal mobile data and verify that clients comply.

Entities should also review their policies to ensure that they prohibit conducting company business on personal devices and provide for the company’s right to image personal devices if they do contain business communications. Both the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have made it clear that they will look at company policies when assessing how to resolve matters under their purview.

Interview Custodians About Their Use of Personal Devices

Let’s say Company X receives DOJ grand jury and SEC subpoenas seeking, among other things, communications about transaction Y. You are retained to represent the company in connection with responding to those subpoenas. In addition to issuing a broad litigation hold to all individuals potentially in possession of relevant documents and tangible things, you should meet with “key players” at the outset of the case to advise them of the duty to preserve and ensure proper collection.

You also should gather relevant company polices on whether business communications can take place on personal devices and ask whether the key players store data or documents on their mobile device, use the personal device to access information or applications for work purposes, and have communicated about the matter by personal email, text message, or voicemail. Likewise, information from messaging applications or social media platforms should be treated as any other source of discovery and should be preserved. If they do use the devices for business communications, you should arrange for their imaging.

The thought of attorneys rifling through one’s personal data can be nerve-racking, particularly for employees who have never been involved in litigation. To mitigate concerns, explain the purpose of the collection—to respond to a discovery request or government subpoena—and that counsel will take reasonable efforts to review only what is relevant to the matter at hand.

One common approach is to have a third-party e-discovery vendor image the individual’s personal device, apply search terms and a date range to the resulting data so that counsel reviews only the documents likely to be relevant, and then destroy the individual’s data at the conclusion of the litigation. It is important to emphasize to individual custodians that e-discovery vendors are subject to strict confidentiality agreements with outside counsel. Counsel should also be familiar with the e-discovery vendor’s security protocols, or make the vendor available to meet with custodians, so that individuals have comfort that their personal data is safe.

Request a Taint Team When Devices Include Privileged Discussions

Counsel should take the same steps to protect against the inadvertent disclosure of attorney-client privileged material on personal devices as they would if the government seized a company-issued device. If the government has obtained the entire device, counsel should ensure that there is a taint team—i.e., a team of prosecutors walled off from the investigation team who filter out privileged communications—in place. Of course, it is in the client’s best interest for counsel to do that preliminary screening, but there are times when entire devices are turned over to, or seized by, the government. A co-defendant in the recent case involving Alec Baldwin learned this the hard way.

In February, a New Mexico judge denied a motion to dismiss brought by Hannah Gutierrez-Reed, the weapons specialist on the film “Rust,” who was charged with involuntary manslaughter related to the death of a cinematographer on set. Gutierrez-Reed argued that text messages between her and her attorney, which were  uncovered during the prosecution’s investigation, should have been suppressed and the charges dismissed. The court held that any attorney-client privilege issues were a nullity because Gutierrez-Reed’s attorney consented to an unlimited search of his client’s personal cell phone. New Mexico v. Hannah Gutierrez-Reed, D-101-CR-2023-0040 (N.M. Dist. Ct., S.F. Cnty., Feb. 14, 2024).

To avoid such inadvertent disclosure, counsel should insist on additional safeguards, such as initial review by the privilege holder and judicial review before any potentially privileged communications are released to the prosecution team. Counsel should also, when possible, limit text message communications with clients to topics of logistics and avoid providing substantive legal advice over text message.

Advise Clients to Disable Auto-Delete Functions and Image Personal Devices

Counsel should advise individual custodians to disable auto-delete functions on their personal devices as soon as litigation is anticipated. Failure to disable auto-delete may be grounds for sanctions.

Federal Rule of Civil Procedure 37(e) and its state equivalents provide that a party may face sanctions “[i]f electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additionally discovery.” Obstruction of justice charges could possibly follow if, after receipt of a grand jury or SEC subpoena, or in anticipation of one, auto-delete features were not disabled.

Courts have held that it is not reasonable for litigants and their employees to leave auto-delete on once litigation is anticipated. See, e.g., DR Distributors LLC v. 21 Century Smoking Inc., 13 F. Supp. 3d 839, 931-33 (N.D. Ill. 2021); Apple Inc. v. Samsung Elecs. Co. Ltd., 881 F. Supp. 2d 1132 (N.D. Cal. 2012).

Earlier this year in Goldstein v. Denner, a breach of fiduciary duties action, the Delaware Court of Chancery sanctioned Sarissa Capital Management (Sarissa), an activist hedge fund, and its principal for failing to deactivate the auto-delete function on their head trader’s cellphone after receiving multiple litigation hold notices, which resulted in the alleged spoliation of relevant evidence. No. 2020-1061-JTL, 2024 Del. Ch. LEXIS 88, at *2 (Del. Ch. Jan. 26, 2024).

In a 67-page opinion, Vice Chancellor Travis Laster chided the defendants for their failure to take proper measures to preserve personal device data, including identifying “key locations where data could be kept” and “imaging phones” or backing up the personal mobile data of key custodians. Id. at 51-52.

The court took aim at the principal’s explanation that his texts were lost when he upgraded to a new phone, which Laster observed “makes no sense, because Apple backs up iMessages and other data to the cloud.” Id. at 2.

Laster also noted that individuals in receipt of a litigation hold “must disable auto-delete functions that otherwise would destroy emails and texts [...] and backup personal devices before disposing of them.” Id. at 49. The court emphasized that “[c]ounsel’s role in this process is essential” and that “[t]he obligation to preserve evidence runs first to counsel.” Id. at 50.

To avoid running afoul of counsel’s obligation to preserve evidence, Goldstein instructs outside counsel to “be more assertive” with clients who are resistant to personal device collection. According to the opinion, Sarissa’s general counsel “seems to have pushed outside counsel to ‘table’ the collection and imaging of personal devices by stressing that Sarissa’s policies prohibited using text for business and by representing that he reviewed [the principal’s] phone and did not identify responsive texts.” Id. at 55-56.

In other words, outside counsel should not take their client’s word for it—it is incumbent on outside counsel to verify that personal devices are properly preserved and collected.

“In a world where people primarily communicate using personal devices,” the court observed, “it will almost always be necessary to image or backup data from phones.” Id. at 52.

Conclusion

There are serious implications for companies and counsel who fail to take appropriate and immediate steps in the face of litigation or subpoenas that call for personal mobile data. Thus, proactive review of your company’s “bring your own device” policies is critical, and, as always, engagement of counsel experienced in this space is essential to ensure that all relevant material is preserved and collected.

Marjorie Peerce is a partner in Ballard Spahr’s New York office and serves on the Business Crimes Bulletin Board of Editors. She focuses on white collar criminal defense, virtual currency, regulatory matters, and complex civil litigation. Marguerite O’Brien is an associate in the firm’s litigation department, where she focuses on securities and commercial litigation, white collar defense, and internal investigations.