Google’s Failure to Preserve Electronic Communications — A Warning to Every Company of a New Reality Surrounding Electronic Data
Alex Cotoia, Regulatory Manager, and Daniela Melendez, an Associate at The Volkov Law Group, rejoin us for a joint posting reminding readers on the importance of addressing electronic communications preservation and management in this new age of rapid technological change. Alex can be reached at [email protected], and Daniela can be reached at [email protected].
One thing you can count on — change. Not that there is anything wrong with that, but not to be too dramatic, we are at the precipice of some significant technology trends that will have a profound impact on corporate governance, legal and compliance, and information technology leaders and staff.
It is not what we like to call the “perfect storm,” but it is a profound confluence — companies have to devote significant resources and attention to information technology and security, electronic communications and business-generated data, and to overall information security and governance.
The forces are moving rapidly, and the risk environment is evolving in response to artificial intelligence deployment, and to basic preservation and management requirements challenging businesses. Yes, the “computer age” has been a productivity accelerator for all businesses, but along with this trend, companies need to design and implement regulatory and preservation management systems to store and access electronic data.
In a significant Court decision in a multi-district antitrust case, including a consumer class action (21 million residents), 38 states and the District of Columbia, and Epic Games and Match Group, charging Google with an illegal monopoly for distributing Android mobile applications, In re Google Play Store Antitrust Litigation, U.S. District Court, Northern District of California, No. 3:21-md-02981-JD, the District Judge James Donato sanctioned Google for failing to preserve employee “chat” evidence relevant to the antitrust litigation. Specifically, Judge Donato ruled that Google “fell strikingly short” in its duties to preserve records in the case.
Pursuant to an order issued by Judge James Donato, Google was sanctioned for the costs that the plaintiffs incurred due to the failure to preserve its chat data, despite a preservation order that directed Google to preserve chat records by changing the default settings for the chat system. Further, the Court found that Google did not effectively emphasize the importance of those obligations to its employees.
As a result, a number of employees—including approximately 40 of whom were identified as document custodians—failed to follow the Court’s explicit instructions. Google’s failure to adhere to the letter of the Court’s order caused potentially critical communications to be lost, as Google maintains records of such chats for 24 hours only, in line with its own document retention policy. As the Court itself concluded, “[t]he record demonstrates that Google employees who received a litigation hold in this case were unable or unwilling to follow the [Google] chat preservation instructions, and sometimes disregarded the instructions altogether.”
While the Google case is another notable development in the rapidly emerging e-discovery domain, at a more fundamental level, the case underscores the criticality of applying document preservation policies to all media used by an organization’s employees to conduct company business. This echoes guidance provided by the U.S Department of Justice in the context of recent updates to its guidelines concerning the “Evaluation of Corporate Compliance Programs.” The most recent iteration of those guidelines calls on companies to thoroughly understand the various communication channels—including ephemeral messaging applications—utilized by a company’s employees to conduct business.
In the case of an organization that allows its employees to utilize their personal devices to conduct business (under the aegis of a “bring your own device” (“BYOD”) policy), the guidelines are emphatic that companies appropriately monitor and preserve “all business-related electronic data and communications” generated by employees in the ordinary course of commercial activity, irrespective of the medium utilized. To that end, the guidelines impose an obligation on companies to develop appropriate policies that permit the company to access, among other things, personal devices utilized under a BYOD framework, and to periodically archive such communications in line with the organization’s document retention policy. These policies must be supplemented by internal controls that do not permit individual employees to evade their preservation responsibilities by, for example, changing the default settings relied on by the company to comply with the guidelines’ requirements. Regardless of whether a company has BYOD policy in place it should still provide guidance to their employees on how to use communications applications that have the option to delete/modify the messages integrated.
Finally, from a risk management perspective, DOJ’s guidance is notable for its insistence that companies carefully consider their own risk profile and business activity to ascertain the reasonableness of allowing employees to utilize particular communication channels over others. Notably, the guidance also requires a company to implement—and effectively utilize—disciplinary procedures to discourage employees from breaching the organization’s communications and preservation policies.
In the end, the Google case stands strongly for the proposition that companies across the board must be proactive in maintaining business communications; not only for the sake of complying with a party’s discovery obligations—but also to prevent the company from being fined by the regulator or to breach a court order to DOJ expectations related to document preservation. Above all, it is essential to provide guidance to employees regarding ephemeral messages in relation to its pros and cons, which include complying with data protection laws, protection of a company’s sensitive information or failing to preserve relevant data in an ongoing litigation, or in foreseeable litigation, or in a corporate internal investigation.