Whether they are large or small, businesses struggle with the question of whether discovery requests served on the company also extend to home computers, cell phones, and other equipment personally owned by employees of the company. In a time when many corporate e-mail systems offer web access and telecommuting is increasingly common, this is not a simple analysis. Courts, too, have struggled for some time to find consistent rules for resolving this issue, and this is one situation where the amended Federal Rules of Civil Procedure have not provided significant additional guidance. A number of simple tests, however, can often suggest how many requests should be resolved, both at the enterprise level and with respect to specific individuals?
I. Has the personal equipment been used for business purposes?
Perhaps to the chagrin of some employees, it’s increasingly easy to access corporate computer systems and work-related information from outside the office. Many corporate e-mail and document management systems have web interfaces that permit remote users to access information from computers and download files to their local (outside) computers using nothing more than a common Internet connection. Virtual Private Network (“VPN”) connections permit both corporate and non-corporate computers to attach to company networks through the Internet or, less frequently today, dial-up access. Once connected via VPN, remote computers have the same access as they would have if the user had logged into a computer physically connected to the office network. Other common technology, such as Citrix and Microsoft Remote Desktop Connection, permits users to access and manipulate computers at the business as if they were physically present in the office and working at their physical console.
The existence of these and other solutions, however, doesn’t mean that everyone takes advantage of them. Many members of a company may check their e-mail while out of the office, but only a few may actually use the corporate extranet to access other corporate information. If a corporate litigant needs to determine whether a particular employee uses home computer equipment for business work, some simple investigation and a quick conversation with the employee will usually provide a solid answer to this question. In addition, as a security matter, most remote access solutions also keep logs of the individuals accessing these systems. To the extent that these logs cover the appropriate time period, they may be an excellent way of identifying which employees worked outside the office and eve what electronic documents they may have accessed or downloaded.
II. Is there a unique value to the ESI stored on employee-owned equipment?
Even if it has been established that an employee used personally-owned computer equipment to access company resources or perform work on behalf of the company, it’s equally important to consider the importance of the information that may be stored there. Using browser-based tools to read e-mail and view corporate information generally stores the new or modified work product on corporate servers and leaves little information on the workstation running the browser software. Sending an e-mail through Microsoft’s Outlook Web Access (“OWA”), for example, stores all information directly on a company’s Exchange server, not on the computer used to send the e-mail. Using a Blackberry or Windows Mobile-powered device to access corporate e-mail similarly synchronizes all changes onto corporate servers, also minimizing the unique information that may be stored on these devices. Citrix or Remote Desktop connections turn a computer into a glorified terminal, with all actual work performed on workstations or virtual machines at the company.
In each of these solutions, to the extent that any documents or corporate information is stored on the employee-owned computer, it may reside only in temporary cache and not in a format that is particularly usable or unique. For each time that this cached data may be uniquely relevant and probative, many more times, this information is both duplicative and significantly less accessible than the equivalent data stored on corporate infrastructure.
Sometimes, of course, employees have downloaded copies of corporate materials to their personal computers, perhaps for ease of working with them or for any number of other reasons. It’s also possible (though not likely for Blackberry and other remote e-mail devices to retain older messages stored that are no longer stored on corporate e-mail servers. The mere possibility that files and data can be downloaded, however, is normally insufficient grounds for a court to extend corporate discovery to employee-owned equipment. Actual evidence of data downloading (or a lack thereof) can often be found within the company; corporate document management systems are often set to log each time that a file has been accessed or exported. If these systems are in place, purely corporate resources may be able to prove or disprove the likelihood that these actions have occurred, reducing the need to see whether these materials are actually present on an employee’s personal computers. And finally, of course, these issues can easily be raised in fact witness depositions to test whether any of these possible activities have actually taken place.
III. What is the employee’s importance to the dispute?
Preservation of potentially relevant information is a key legal obligation within discovery. Even before the Federal Rules of Civil Procedure were amended in 2006, litigants had an obligation to use reasonable efforts to identify relevant materials under their custody and control. Part of that early case assessment includes identifying the individuals who have greatest involvement in or knowledge of the legal dispute. To some extent, companies that have identified the “key players” involved in the dispute may be well-advised to proactively investigate whether these potential witnesses used non-corporate resources in performing their work for the organization, and if any such equipment contains potentially unique responsive information. Again, a few simple questions may provide enough basis to move forward or to persuasively argue that personally-owned equipment does not need to be searched further.
What measures will be taken to protect personal information?
Employee-owned computer equipment normally contains extensive private information. Popular news articles have focused on the most sensitive information that can be stored on a personal computer, such as financial records and online banking accounts and passwords, but personal e-mail messages, web browsing histories, and even that half-finished novel all constitute protected personal information that deserves proactive protection. An individual’s strong privacy interest in their personal information weighs heavily against extending corporate legal obligations into traditionally protected areas, and courts are likely to require processes that safeguard non-responsive personal information from inappropriate disclosure, either to a requesting party or even to a producing party that is trying to collect discovery materials from its employees.
The same safeguards used to limit a requesting party’s access to non-responsive materials stored by a producing party (see, e.g., Conrad Jacoby, “Direct Inspection of Opposing Party Source Documents,” www.llrx.com (September 2007)) have also been applied in cases where employee-owned computer equipment is searched for responsive material. For example, in Simon Property Group v. mySimon, Inc., 194 F.R.D. 639 (S.D. Ind. 2000), the court used the same protocol for searching both corporate and executive-owned computers and protecting any non-responsive material from disclosure to the requesting party. Similar solutions have been applied elsewhere, when courts were asked to extend corporate discovery obligations to employee-owned equipment.
V. Does the company have a policy about use of non-corporate equipment?
One way to minimize the potential relevance of employee-owned computers in discovery is to develop-and enforce-policies that discourage using personal equipment to access corporate information. At first glance, this may seem like an extreme measure, but it’s one that many organizations have implemented, both to control the use and misuse of corporate intellectual property and also to protect corporate servers against computer viruses and other malware. The steadily dropping price of laptop computers has also made it increasingly cost-effective for companies to issue portable devices to employees, standardizing the way that they access corporate resources and also reducing the need to use any other equipment for this purpose. Further corporate cost savings accrue when an organization can argue that these policies minimize the need to search outside corporate equipment in making a good faith attempt to identify relevant information, and that any requests for employee-owned equipment are overbroad and unlikely to lead to the identification of relevant information.
Thanks to continued advances in technology that have made it ever-easier for employees to remain productive even when out of the office, fact discovery increasingly includes analysis of whether employee-owned computer equipment must be searched as part of a litigant’s legal obligations. Tests for deciding these questions may well indicate that this material is unlikely to include uniquely relevant information, but failing to document this analysis could make it difficult for counsel to explain the adequacy of their discovery efforts if disputes arise. Requesting parties, in turn, should also keep in mind that the most effective way to obtain this information may be through a third-party subpoena, rather than seeking to extend a producing party’s legal obligations onto a non-party.