In the eDiscovery universe, hot trends and evolving technologies tend to capture the attention of the legal community. Discoverable data sources have been the focus in the courtroom for quite some time, and just like the “popular kids” from high school, email has held the crown of eDiscovery darling. Not surprisingly, the more time end-users spend in a specific medium (on Facebook, for example), the more likely data will be created – and as that data multiplies, it has the potential to become compelling in discovery. It seems that many U.S. organizations are electing to allow social media use at work and for work, rather than blocking access. For obvious reasons, granting this access is culturally desirable, but from an eDiscovery perspective social media use introduces new complications. However, don’t be mystified. There is nothing that new here.
Recently, Symantec issued the findings of its second annual Information Retention and eDiscovery Survey, which examined how enterprises are coping with the tsunami of electronically stored information. Having lost some popularity, email came in third place (58%) to files/documents (67%) and database/application data (61%) when respondents were asked what type of documents were most commonly part of an eDiscovery request. The new kid on the block for data sources is social media, reported by 41% of those surveyed. Social media is in essence no different than any other data type in the eDiscovery process, it’s just the newest. Said another way; social media is the new email.
Of course, it’s no longer news to proclaim that communications from social networking sites are discoverable. What is newsworthy is the question of how to effectively store, manage and discover these communications which come in such varying forms, making the logistics of doing so for social media different than for traditional mediums. Like email, social media is used by everyone (ubiquitous), is viral (fast), has mixed uses (professional and personal) and there is a lot of it (high volume). Unlike email, social media comes in many different forms (Facebook, LinkedIn, Twitter, etc.), is not controlled within an organization’s firewalls (custody, possession and control issues), and has more complex requirements within the information governance lifecycle (technology is needed to ingest social media into an archive).
The two main areas to examine in relation to social media use and an organization’s policies are: 1) the legal issues that apply specifically to the organization, and 2) the logistical and technical requirements for preservation and collection. Essentially, what is the organization’s policy surrounding social media use, and how can the information be accessed if need be? Luckily, technology exists that is nimble enough to be able to ingest social media and archive it in accordance with an organization’s policy, should one exist. Organizations that have recognized social media as the newest kid on the block have, ideally: developed a social media policy, purchased (or deployed) collection and retention technology, and instituted training for their employees. They have also integrated social media into their information governance strategy and document retention policy. Remember, not all organizations will have to archive social media, but all should address social media with a policy and training.
Other organizations have not accepted social media as part of the evolutionary process of eDiscovery. They proceed at their own peril – as did the organizations that did not control their email some ten years ago!
These organizations will be in crisis when they need to collect social media for litigation and will most likely have a large lesson in damage control, as well as an equally large bill. They will be uneducated, ill-prepared and overwhelmed about how to discover social media. Without a policy, they will have to over collect by default, which will drive up the costs for collection and possibly for downstream review. Given that the aforementioned survey found nearly half of the respondents did not have an information retention policy in place, and of this group, only 30% were discussing how to do so, it is likely that many of these organizations do not yet have a social media policy either.
With this background in mind, organizations should evaluate which laws and regulations apply to their organization, develop a policy and train their employees on that policy. Plus ça change, plus c’est la même chose.
For more information about how IT and Legal can manage the impact of social media on their organization and to learn how archiving social media can be accomplished, please join this webcast from Symantec.