Social media discovery is much more than Facebook posts in personal injury cases. The explosive growth in social media usage across all demographics has created many new sources of relevant ESI in a wide range of cases.
Every new technology brings its own eDiscovery challenges. I had the privilege of speaking on some of the legal and ethical issues surrounding social media discovery for the panel presentation “How to ‘Like’ Social Media in eDiscovery” at the 2017 ILTA: Ohio Litigation Support Statewide Meeting.
Dos and don’ts of social media discovery
The first step for the party seeking social media discovery is serving an effective request for production. Courts have not looked with favor on requests for “all” social media postings. General requests are viewed as fishing expeditions that on their face seek irrelevant information. The problem is compounded by the fact that much of that information is also private, and often of a sensitive nature.
Many courts have however enforced targeted discovery requests, even where the requested information is non-public. Targeted requests are limited by content, date range, sender and recipient, posting category (e.g., status updates, pictures, website links) or similar criteria where there is a direct link to the subject matter of the case.
Requesting parties have also had success in seeking private social media content by making a predicate showing of relevance. This is most often based on the relevance of public portions of the user’s account, but can also be shown by information that the opposing party has already produced in discovery or testified to at a deposition.
The biggest social media discovery “don’t” is friending (or its non-Facebook equivalents) an opposing party in order to gain access to non-public information. Lawyers have an ethical responsibility to not contact a represented party directly without going through counsel. Courts and state ethics boards are unequivocal that this includes making contact through social media, no matter how seemingly impersonal the means. Creating an alias account or using an outside investigator additionally runs afoul of ethical rules against misrepresentation.
Social media discovery requires good policies and procedures
Companies have lagged behind new technology and new patterns of communication used by their employees. They are just coming to terms with the consequences of Bring Your Own Device (BYOD), and now find they must create comparable policies and procedures for social media. A training and compliance program is also essential for implementation.
A comprehensive social media policy addresses four separate areas:
- Management of the company’s own social media channels;
- Content guidelines for employees who use social media for business purposes, whether the account at issue belongs to the company, the employee or a third-party (e.g., customer, competitor);
- Content guidelines for personal social media usage where the employee is accessing social media using the company’s network or other IT resources; and
- Company access for a legitimate business purpose to an employee’s personal social media account, including relevant non-public content (for example, a salesperson who communicates with a customer using a social media messaging application).
First, content guidelines for posting on the company’s own social media channels should cover posting as the company as well as employees’ personal social media comments on the company social media channels or mentioning the company. While it may seem obvious, it’s good practice to spell out in the policy that login credentials to company accounts must be associated with a company-issued email address and recorded in a central location. This avoids worst-case scenarios of the only employee with social media access rights being unavailable at a critical time, leaving the company without sharing credentials or even sabotaging the account.
In an ideal world, all business records would be created on company-controlled programs and systems. In reality, employees use the technology tools they’re comfortable with and that give them the functionality they’re looking for. The most common example is social media messaging applications for business communication. Policies should outline what business communications can and cannot be conducted on personal social media accounts and enforce it through a compliance program. Just as use of personal email for business purposes has come under scrutiny, use of personal social media messaging applications for business communications is likely to come under similar scrutiny in the future.
Third, acceptable use policies should cover employees’ use of company equipment, network and internet for personal reasons. In this aspect, the social media policy is closely tied to the company’s general policies relating to information security and acceptable use of company property. For instance, using the company’s network to conduct illegal or harassing activities on a personal social media account is unacceptable. Similarly, violating the company’s information security policy and exposing the network to malware via social media is unacceptable. In-house counsel should work with management and IT to determine the appropriate policy details for their business.
Finally, a company can be legally required for eDiscovery or regulatory compliance to copy business-related messages or other records created on employees’ personal social media accounts. This includes non-public content that is determined to be relevant to the subject matter of the lawsuit or regulation. Social media access policies state that the employer may access and copy an employee’s social media account to the extent necessary where there is a legitimate business purpose. Policies should emphasize that the employer will make all reasonable efforts to protect the employee’s privacy interest in non-business content. Along with facilitating access, an important purpose of these policies is employee education in hopes of minimizing the need for it.
Amended Federal Rule of Evidence 902 will impact social media collection
An important legal consideration on the near horizon is the expected impact of the amendments to the Federal Rules of Evidence that are scheduled to go into effect on December 1, 2017. Under current practice, social media evidence in federal cases is authenticated by the testimony of a fact or expert witness offered under Federal Rule of Evidence 901. Forthcoming amended Rule 902 creates a mechanism to authenticate ESI, including social media, by means of a written certification instead of by live testimony.
New subsection 902(14) provides that ESI such as social media evidence may be authenticated by “a process of digital identification” as shown by a written certification of a “qualified person.” The Advisory Committee note specifically states that hash value verification, which is the ordinary means of validation used in digital forensics, satisfies the new evidentiary standard. “Qualified person” is not defined, but presumably indicates someone the court would accept as an expert in the relevant area of digital forensics. The full text of the amended rule and accompanying note may be found in the report by the Advisory Committee on Rules of Evidence (page 276, 303).
Once the proponent of the evidence offers a certification under 902(14), the burden shifts to the opposing party to challenge authentication; for example, by offering a counter affidavit of an opposing expert witness. Certifications based on hash value verification are unlikely to be challenged in any but the most unusual circumstances.
Oftentimes when a party refuses to stipulate to authenticity it is due to lack of preparation or gamesmanship rather than a genuine evidentiary challenge. Authentication by certification will drastically reduce the time and cost burden associated with preparing a witness to testify “just in case.” In addition, it will be more efficient for all parties and the court to identify the issues in dispute ahead of the trial or other proceeding. Finally, it gives the court the opportunity to decide the issue on the written record or in a separate evidentiary hearing, which may potentially change the scope of the trial.
Because social media evidence has attracted a disproportionate share of authentication challenges, Rule 902(14) promises significant benefits to parties who can satisfy the new requirements. The principal requirement is making the collection with a forensic software tool that validates the copy by hash value. Of course, it’s also critical to follow a defensible process, including maintaining chain of custody.
Social media evidence is critical in many employment and personal injury cases, and messaging apps are a potential source of relevant communications in any type of case. Social media discovery is inescapable, but lawyers can avoid the legal and ethical pitfalls by keeping in mind that the same discovery rules apply no matter how cutting edge the technology.
Social media is dynamic, interactive and informal. The very qualities that make social media so attractive to its users create a plethora of practical challenges in eDiscovery. My three part series Overcoming Social Media eDiscovery Challenges will help you recognize and overcome the most common challenges.
Helen Geib is General Counsel and Practice Support Consultant for QDiscovery. Prior to joining QDiscovery, Helen practiced law in the intellectual property litigation department of Barnes and Thornburg’s Indianapolis office where her responsibilities included managing large scale discovery and motion practice. She brings that experience and perspective to her work as an eDiscovery consultant. She also provides trial consulting services in civil and criminal cases. Helen has published articles on topics in eDiscovery and trial technology. She is a member of the bar of the State of Indiana and the US District Court for the Southern District of Indiana and a registered patent attorney.
This post is for general informational and educational purposes only. It is not intended as legal advice or to substitute for legal counsel, and does not create an attorney-client privilege.