Social Media Creates eDiscovery and Data Privacy Challenges

Practical Considerations

(Part 3 continued from post) If a corporate entity sanctions or approves the use of social media messaging for business services, it may be best to have users open “business sanctioned” accounts which will hold only business records. This may not be ideal; but it would divide public from private messages and make life easier on all parties (employees and corporate records managers/corporate counsel).

If this is not possible it may be necessary to have an employee agree to make the entire contents of their mailbox at social media sites available to the corporation for which he or she works as a condition of employment (again not a great solution, but some sort of a solution). Another idea would be to have the employee agree to the use of an application that “downloads” an encrypted “lockbox” of their social media messages periodically so that it can be examined for legal purposes with limited keyword or other “tests” to determine if it is relevant to examine the information in a private mailbox for legal discovery purposes. The employee could be the “main key holder” and agree to have the lockbox “tested” to see if it is relevant to open it for legal review (details intentionally omitted).

Things to Think About

Again, I am not a lawyer, but one thing that should be considered if employees are going to use social media messaging services in the cloud is around data privacy. The “Google Plus” social network terms of use contain the following section:

“11.3 You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this license shall permit Google to take these actions.”

This seems to say that your data can be sent in the clear wherever it seems necessary for Google to send it and that they may share it with others. If a business is using a Google Plus messaging service and the folks running Google Plus consider some of those messages as “content” (not just your posted photographs) then you could end up exposing your client’s private data to outsiders. This in some cases could violate financial privacy laws and HIPPA statutes that may get your company in some trouble. There may be things to think about here from a privacy standpoint. I don’t think that Google would ever intentionally expose anyone’s content but if they did expose it as a consequence of moving and managing it then someone’s privacy rights could be accidentally violated. No matter how this could occur, it would likely be the corporate user’s problem, not Google’s.

It just seems like “cloud services for communication” have some angles to them that one should consider before letting employees use them for business communications. It is probably a consideration to have so that the proper discussions can occur with your company’s legal staff before such social media messaging services are used. In the interim thinking through what will happen in the event that a legal discovery may become necessary and that it will include publically hosted data is prudent. It may not be time to get rid of that corporate email server just yet.

Digital Reef's Founder and CTO, Steve Akers, is moderating a panel of industry experts on "Social Media: The intersection of case law, data privacy, and practical discovery" at the Masters Series for Legal Professionals in San Francisco September 14. To join us at this event, please visit our Events Page