Many businesses have remote work and bring-your-own-device policies that cover access to company systems and information from personal devices. These policies may also state expectations or requirements for the management and security of company information. But these policies likely do not account for the rapid transition to virtual offices and remote work hastened by the COVID-19 pandemic. Among other challenges:
- Segments of the workforce may be teleworking for the first time.
- Those engaged in remote work may not be aware of or understand applicable policies and practices, and advance training may be (or might have been) impractical.
- The rapid move to remote work may rely on a greater variety of devices, including home devices, that might not otherwise be favored. And in many cases, employee-owned, or even company-issued, devices may be shared with multiple users in the home (for example, students taking classes online).
- Furloughs and workforce reductions in times of quarantine may complicate onboarding and off-boarding where legal holds are in place or are triggered during the pandemic.
We’ve written extensively about bring-your-own-device programs, where personal and professional communications intersect. But we wanted to provide some concise guidance to help you think through the information governance and discovery challenges of unexpected large-scale remote access. Also, this piece is focused on discovery and information challenges you may face that could involve employee actions that are inconsistent with policies intended not only to help manage information, but also to protect the security of your information and networks. By acknowledging that possibility, we do not mean to condone or encourage practices that create information security risks for your company.
Remember, reasonableness is required, perfection is not.
Perfection in the discovery process is not required or possible. Reasonable and proportional efforts are. And reasonableness and proportionality will not be judged in a vacuum. Courts will understand the unique challenges of this global pandemic and more localized response efforts. Judges will also understand the extraordinary efforts companies are making to stay in business while protecting their employees and communities.
But disputes about the preservation and collection of potentially relevant information subject to legal hold requirements may not occur for months or even years. So we advise that you take the time to document your extraordinary efforts to enable remote work now. These efforts may also yield dividends by supporting later arguments that unfocused preservation demands or discovery requests are not proportional to the needs of the case.
Don’t abandon your thoughtful discovery response programs.
It’s possible, but unlikely, that your organization has thought through the challenges we are facing today. But even if you have not thought about it on this scale, remember that a good – and scalable – discovery response program is rooted in identifying likely sources of the information needed to resolve matters in dispute. Many companies have turned to technology to help with this process. Yet, even technology-driven discovery response programs leave room for the human element.
When it comes to the identification, preservation and collection of potentially relevant information created or stored during this pandemic, plan to rely more heavily on interviews with key custodians. Ask about their document management practices, including how potentially relevant information was created, communicated or stored. Be prepared for responses that diverge from your company’s usual best practices and acknowledge that possibility in your interviews.
In short, when the dust settles, organizations will be well served to adapt existing interview questions, prepare home-collection protocols and consider data mapping exercises that extend significantly outside normal organizational operations.
Provide training or guidance if it has not been previously provided, or updates and reminders if it has.
Employees should be reminded that business records, whether created or stored on company-issued or personal devices, are discoverable. This may also be the time to encourage practices that could reduce the burden of future discovery. For example:
- If you support remotely accessible document management tools, like cloud-based tools, remind employees of the importance of using those tools so business records can properly be managed.
- Remind employees that even remote work creates business records and communications that could be subject to preservation requirements and are discoverable in litigation and in response to regulatory inquiries.
- Remind employees that personal email accounts used for business purposes are discoverable.
- Note that management of information using approved tools will make the identification of potentially relevant information less onerous and intrusive. Where company-supported tools do not exist or are inadequate, encourage employees to segregate business information from personal information.
Consider the enhanced risk that relevant information on personal devices may be lost.
Your employees may manage information on their personal devices in ways that enhance the risk that relevant information will be lost. For example, employees may respond to low memory on personal devices by deleting information. Or they may deploy devices to clean personal devices, either manually or automatically. For key custodians, especially those who come under preservation obligations during this period of remote work, consider advising them on how to manage those tools while fulfilling preservation obligations. Or consider remote collection of relevant information.
Prepare for disputes over questions of possession, custody and control as well as individual privacy concerns.
There is a jurisdictional divide between whether a party must have a legal right or practical ability to obtain information before it is discoverable from that party. This issue could flow both ways. For example, teleworking employees could see subpoenas seeking corporate information they can access remotely. And individual privacy concerns may raise new control issues as well.
While there may not be easy answers to your discovery and governance questions, remember again that reasonable and practical solutions to this unique challenge should be defensible.
As we noted at the outset, perfection is neither possible nor required. And when things inevitably fall through the cracks, document those issues as well as you can. Our hope is that parties and courts will understand, either at the outset or in the face of good advocacy, that “reasonable” information governance activities and discovery responses in the time of COVID-19 differ from what passed for reasonable efforts in the pre-pandemic world.