Text messages have been at the forefront of national news. Indeed, the controversial failure by the Department of Homeland Security (DHS) to preserve text messages related to the events of Jan. 6 requested by Congressional subpoena[1] made text messages a topic of many dinner conversations.
Statutory and regulatory provisions may trigger a company’s duty to preserve text messages. For example, Section 802 of the Sarbanes-Oxley Act of 2002 requires publicly held companies to preserve certain business records for seven years and imposes severe penalties for destroying prematurely such records with intent to impede a federal investigation.[2] So, a company that overlooks text messaging data in crafting a data retention policy does so at its peril. Additionally, some state laws define corporate records to include business-related text messages sent from/to a director, officer, or employee’s personal mobile phone,[3] which means a shareholder’s inspection rights extend to business-related text messages. Similarly, registered investment advisors are required to preserve certain communications with customers, including text messages related to investment advice, orders, or investment performance.[4] Health care providers must comply with the patient privacy rules under the Health Insurance Portability and Accountability Act.[5] And, of course, a party to pending or reasonably anticipated litigation has a duty to preserve documents potentially relevant to the case, including text messages and other electronically stored information, under Fed. R. Civ. P. 26(b) and parallel state discovery rules.
Given the recent explosion in the volume of text messages, businesses face challenges in crafting policies that balance both the need to preserve potentially relevant information and the costs attendant to those efforts. What is a company to do? The first challenge is to create policies, train employees, and monitor compliance surrounding the use of business-related text messages. In particular, a company may want to limit the use of text messaging, which is more difficult to track and preserve as opposed to email, which is more often routinely archived on company servers. Another challenge – a company must consider the costs and benefits of permitting employees to use personal devices, rather than company-owned devices, to conduct company business. The company will have less control of and access to an employee’s personal device. The next challenge – how to archive the text message data, balancing the need to preserve the data against the individual’s privacy, the need to continue conducting business with minimal interruption, and the need to minimize expense associated with collecting and storing data that may never be used. And, finally, how to efficiently produce the text message data to regulators or litigators. To meet these challenges, businesses should establish policies and protocols related to the who/what/when/how of archiving business-related text messages. Part 2 of this post will discuss considerations for these policies and protocols.
FOOTNOTES
[1] Recall, in 2021 Congress issued directives and subpoenas to the DHS demanding the production of all electronically stored information (ESI) related to the Jan. 6 attack on the Capitol including all communications between DHS officials (defined to include members of the Secret Service) and White House officials between Jan. 5 and Jan. 7. And yet, the Secret Service responded the requested text messages between the Secret Service and the White House had been deleted as part of a device-replacement program.
[2] 15 U.S.C. §7213; 18 U.S.C. §1519.
[3] See, e.g., Milbeck v. TrueCar, Inc., No. CV 18-02612-SVW (AGRx), 2019 U.S. Dist. LEXIS 165649, at *10-11 (C.D. Cal. May 2, 2019) (compelling production of text messages between corporate Director and CEO/COO about the litigation’s subject matter.)
[4] On Dec. 14, 2018, the Office of Compliance Inspections and Examinations issued a Risk Alert related to electronic messaging, including text messages between a registered investment advisor and a customer.
[5] 45 C.F.R. §160.101 et seq.