Features

Privacies of life in commercial e-Discovery: Modern opinions on employers' duties to preserve evidence on employees' personal cellphones

e-Discovery
 

by Paul A. McCarthy and Elizabeth M. Badovinac   |   Michigan Bar Journal

Personal cellphones contain the fabric of their owners' lives. Phones often store a person's most important -- and most intimate -- personal information: texts to spouses and family, calendars and emails, banking data, search history, and pictures and videos. Indeed, “[m]odern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans the privacies of life.”1

In litigation, employes have a duty to preserve electronically stored information (ESI) within their possession or control. But do employers have control over its employees’ personal phones? Can an employer be sanctioned if it does not take steps to preserve information stored on these devices?

Courts began addressing employer-targeted discovery in the early 2000s.2 However, opinions on this topic largely predate the development of smartphones, which have complicated the question of what information an employer actually controls. In fact, many employers now allow employees to use their own phones at work and for work, blurring the line between employees’ work and personal lives. Employees might use personal phones to check work emails, send personal texts, and scroll through social media during the same workday — or even within a 10-minute period. Do employers have control of these devices? Do they have the responsibility to preserve and produce information stored on them? And where is the line of relevance and proportionality?

Corporate employers face these questions in e-discovery. An opposing party might request that a company produce information from its employees’ personal phones. Absent a contract regarding device privacy, this request places the company in an impossible position. It can demand that its employees turn over their personal phone data and risk additional litigation for employee privacy violations, or it can refuse and face a motion to compel. Worse, the opposing party could seek sanctions against the employer for its employees’ personal data deletion or loss.

Thankfully, courts have adapted with the times, providing a reasonable safe harbor for employers facing these issues. This article showcases how recent opinions correctly hold that employers have no categorical duty to preserve or produce evidence or information on employees’ personal devices. Modern courts instead encourage context-specific analysis regarding employers’ actual control over personal devices before determining whether its duty to preserve arises. Recognizing the legal quagmire employer-targeted discovery creates for employers, they favor nonparty discovery to obtain employees’ personal data; given the ever-increasing use of personal phones in the modern workplace, similar opinions are likely on the horizon.

CURRENT FRAMEWORK FOR PRESERVING EMPLOYEE ESI

The Michigan Court Rules were amended in 2009 and refined in 2020 to provide a framework for ESI preservation and sanctions for spoliation of ESI.3 MCR 2.313(D) now echoes Fed R Civ P 37(e) in providing specific requirements that must be met before a court may issue spoliation sanctions for failure to preserve ESI.

First, MCR 2.313(D) provides that a court should not impose sanctions unless the ESI “should have been preserved in the anticipation or conduct of litigation.” Courts have held that “[t]he obligation to preserve evidence arises when the party has notice that the evidence is relevant to litigation or ... should have known that the evidence may be relevant to future litigation.”4

Second, ESI must be “of a type that should have been preserved.”5 MCR 2.310 provides practical guidance here,6 stating that the scope of discovery for documents and other things covers relevant materials in the “possession, custody, or control of the party on whom the request is served” (emphasis added).7

In other words, parties “have an obligation to preserve evidence within their custody or control upon notice that the evidence is relevant to litigation.”8 In the context of an employer-employee relationship, the requesting party bears the burden of establishing the employer’s control over the devices by proving that it “has the legal right to obtain the documents on demand” from its employees, such as the “right to command release from the party with actual possession.”9

EMPLOYER CONTROL OVER PURELY PERSONAL EMPLOYEE PHONES

Courts generally agree that where an employee’s phone is personally owned and used only for personal reasons, an employer has no legal right to obtain its data — even if the employee uses the phone at work. A seminal case in this regard is Cotton v. Costco Whole Corp, where a plaintiff sought text messages sent or received by certain Costco employees.10 The court noted that Costco had not issued the phones, the employees had not used the phones for any work-related purpose, and the plaintiff had not alleged that Costco “otherwise has any legal right to obtain employee text messages on demand.”11 Thus, the phones were not in Costco’s control and it had no duty to preserve or produce them.12

Similarly, the court in Goolsby v. County of San Diego held that employees’ personal devices were not under their employer’s control.13 In that case, a prisoner plaintiff speculated that defendant deputies used “their personal devices while at work,” but the court held that there was “no evidence that the use of personal devices was for ‘business purposes.’”14

The law is clear, then, that allowing employees to bring their own phones to work alone is not dispositive of employers having possession, control, or custody of such devices. Employers do not have the right to collect information from an employee’s personal phone solely by virtue of the employee using it at work.

The corollary of the above rule is also generally true: courts may favor the company's duty to preserve data when employees are issued company-owned phones. For example, in Ewald v. Royal Norwegian Embassy, the court held that while an employer need not produce employees’ personal devices, it would compel the employees’ company-provided phones.15 Rather than a categorical rule, however, the issue of preserving data on company-issued phones is likely best addressed using the context-specific analysis described below.

CONTEXT-SPECIFIC APPROACH TO CONTROL

Although helpful, the cases above hardly solve the many questions that arise in determining whether employers must preserve employees’ personal phone data. Realistically, employees often use personal phones for both personal and business-related purposes. Though whether a phone was used for business purposes was a factor the Goolsby court considered,16 it offered no insight as to whether such use sufficiently establishes employer control. Do the purposes for which a phone is used have significant bearing on a company’s legal obligation to preserve employees’ personal phone data?

Case law largely suggests no. The court in Lalumiere v. Willow Springs Care, Inc. only ordered an employer’s production of its employees’ texts or emails made “via work phones or company email accounts” (emphasis added).17 It otherwise held that “a company does not possess or control the text messages from the personal phones of its employees and may not be compelled to disclose text messages from employees’ personal phones.”18 Other courts have echoed this.19

Perhaps the most well-articulated opinion on this subject is the 2020 U.S. District Court for the Eastern District of Michigan case Halabu Holdings, LLC v. Old National Bancorp.20 The plaintiff, Halabu Holdings, moved to compel production of records generated on Old National Bancorp (ONB) employees’ “personal and/or individual electronic devices/equipment and similar records, when such records were generated in the scope or course of their performance of their responsibilities for the [b]ank.”21 The court denied the request, holding that it had failed to show ONB exercised any “indicia of control” over the devices in its particular workplace:

Control, then, is context-specific. Some workplaces have, by agreement and practice, defined rights and responsibilities regarding personal cell phone and computer device use in connection with the employer’s business. For example, employers may contract for the right to access the employees’ personal devices, and employers and employees may agree to use software that segregates employer data from the rest of the device. Such agreements and practices are entitled to judicial respect.

Despite its obligation to do so, Halabu has made no effort to establish that ONB has any such control over the personal devices of its employees. It has pointed to no ONB agreement or practice in this regard. Without such a showing or some other set of circumstances demonstrating control, it has not met its burden.

* * *

[A]n employee’s sense of privacy and ownership of information should not be forfeited without an adequate discovery process to address those interests. Requiring a discovering party to meet the rigors of a control rule does precisely that. Because Halabu has not satisfied that rule, its motion to compel discovery must be denied.22

Halabu Holdings finally articulates a context-specific control rule consistent with other courts’ analyses, but properly and clearly focuses on a company’s legal right to obtain the devices rather than the purposes for which it is used. It stands for the principle that absent a clear contract or practice regarding an employer’s access to employees’ personal devices — i.e., a means by which a company obtains a legal right to obtain the devices — a company does not sufficiently control personal devices for a duty to preserve/produce to arise.

This context-specific analysis is especially important due to the very issue the Halabu court next emphasized: employee privacy concerns.23 In fact, the Halabu court nodded to Riley v. California, a U.S. Supreme Court case forbidding phone searches without a warrant.24 While the Court indicated that judicial deference should be given to contracts between employers and employees as to device access, phones and personal devices should otherwise be protected from employer invasion.25

ALTERNATE MEANS OF DISCOVERY FOR EMPLOYEE DEVICES

Parties wishing to conduct employee discovery are not without options. Though the Halabu court went so far as to characterize an employer-targeted route as “onerous and potentially invasive,”26 it recognized that “personal devices owned by non-defendant employees are not immunized from discovery.”27 Rather, the court noted that the route which “better addresses the privacy and property concerns raised by a document request to an employer” is a nonparty subpoena under Fed R Civ P 45.28 MCR 2.305 provides an identical mechanism.

CONCLUSION

Modern courts have refused to apply categorical rules regarding an employer’s possession, custody, and control of its employees’ personal devices. A company’s control over its employees’ personal devices, and thus its duty to preserve or produce the same during e-discovery, is properly viewed in context of the company’s contractual agreements. This context is not only important to capture the nuances and complexities of cellphones in the workplace, but to sufficiently protect businesses from violating their employees’ privacy rights. While case law will undoubtedly develop given the increased role of personal devices in the workplace, existing opinions provide a helpful framework and defense for employers facing discovery requests for their employees’ personal devices.


ENDNOTES

1. Riley v California, 573 US 373, 403; 134 S Ct 2473; 189 LEd 430 (2014) (citation and quotation marks omitted).

2. One of the most cited federal cases on this topic is Zubulake v UBS Warburg, 220 FRD 212 (SD NY 2003), where UBS Warburg failed to preserve so-called backup tapes containing email correspondence of key employees. The court held that “the duty to preserve extends to those employees likely to have relevant information — the ‘key players’ in the case.” Id. at 218. It is tempting to apply Zubulake to a broader modern context, as applying to employees who have relevant information in their possession on their personal devices. However, the court did not address personal devices; rather, it addressed emails stored on company systems and subject to company deletion practices. Id. Further, the court could not have foreseen, and clearly did not address, employees’ use of personal devices as described in this article.

3. MCR 2.313(E) (2009) created a safe harbor for a party losing ESI as a result of routine deletion practices (“Absent extraordinary circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system”). This safe harbor was later subsumed by MCR 2.313(D). See James L Liggins, et al, Civil Discovery: The Guidebook to the New Civil Discovery Rules (State Bar of Michigan, 2020), pp 47-54.

4. Zubulake, supra n 2 at 216; Forest Laboratories, Inc v Caraco Pharm Laboratories, Ltd, unpublished opinion of the United States District Court for the Eastern District of Michigan, issued April 14, 2009 (Docket No 06-CV-13143); see also Hollis v CEVA Logistics US, Inc, 603 F Supp 3d 611, 619 (ND Ill 2022).

5. Konica Minolta Bus Solutions, USA, Inc v Lowery Corp, unpublished opinion of the United States District Court for the Eastern District of Michigan, issued August 31, 2016 (Docket No. 15-CV-11254).

6. MCR 2.310(B)(1)(ii).

7. Id.

8. Flagg v City of Detroit, unpublished opinion of the United States District Court for the Eastern District of Michigan, issued August 3, 2011 (Docket No 05-74253), fn 1 (quotation marks and citation omitted).

9. Halabu Holdings, LLC v Old Nat Bancorp, unpublished opinion of the United States District Court for the Eastern District of Michigan, issued June 9, 2020 (Docket No 20-10427); see also Cotton v Costco Wholesale Corp, unpublished opinion of the United States District Court for the District of Kansas, issued July 24, 2013 (Docket No 12-2731-JW).

10. Cotton, supra n 9.

11. Id. (footnotes omitted).

12. Id.

13. Goolsby v County of San Diego, unpublished opinion of the United States District Court for the Southern District of California, issued August 19, 2019 (Docket No 3:17-CV-564-WQH-NLS).

14. Id.

15. Ewald v Royal Norwegian Embassy, unpublished opinion of the United States District Court for the District of Minnesota, issued November 20, 2013 (Docket No 11-CV-2116 SRN/SER).

16. Goolsby, supra n 14.

17. Lalumiere v Willow Springs Care, Inc, unpublished opinion of the United States District Court for the Eastern District of Washington, issued September 18, 2017 (Docket No 1:16-CV-3133-RMP).

18. Id.

19. RightCHOICE Managed Care, Inc v Hosp Partners, Inc, unpublished opinion of the United States District Court for the Western District of Missouri, issued August 21, 2021 (Docket No 4:18-CV-06037-DGK).

20. Halabu Holdings, supra n 10.

21. Id.

22. Id.

23. Id.

24. Id. See also City of Ontario, Cal v Quon, 560 US 746; 130 S Ct 2619; 177 L Ed 2d 216 (2010) (holding that a violation of privacy can occur where an action invades the employee’s “reasonable expectation of privacy”); In re Reserve Fund Securities and Derivative Litigation, 275 FRD 154 (SD NY 2011) (holding that expectation of privacy is possible even when email is transmitted over and maintained on a company server).

25. Halabu Holdings, supra n 10.

26. Id.

27. Id.

28. Id. See also Ewald, supra n 16 (emphasizing use of a nonparty subpoena for employee discovery).