It’s hard to predict how businesses will fare in the world post COVID-19, but if the experience of prior disruptions can be used as a model, the pandemic is going to result in massive amounts of litigation that will take years to adjudicate. Shareholders will file actions charging boards and management with taking the wrong actions during the crisis. Employees will put forward claims that they weren’t properly protected or that they were treated poorly. Insurers are likely to be sued on issues relating to coverage. Litigation may also arise related to accounts receivable and accounts payable.
While we can’t predict the details of the litigation that any given company will face, we know that with any litigation, once it is filed (or it becomes evident that an action is pending) the first question counsel will ask is “what happened?” The question that will accompany it is “what evidence do you have to support the company’s position?”
New Evidence Sources
It’s usually straightforward to search company email systems and files to provide the material that counsel will need and that may be required to be turned over in the litigation discovery process. You have probably accounted for these data sources in data mapping exercises run for GDPR and CCPA compliance before the pandemic. Now, people are working from home who may have never done so before. They are using cloud- and web-based systems like Office 365, and connecting from company computers, personal computers and mobile devices. They may be sending and receiving emails using their personal email accounts and using messaging systems like personal Zoom accounts, or “disappearing” messaging systems like Signal which are not part of the company’s normal suite of software. Finally, there will be data commingling—people at home are far more likely to use company equipment for personal reasons.
This will create a series of unintended regulatory and litigation impacts. It raises the question of whether the company’s IT management—in coordination with general counsel—is in control of its information. As data and litigation information points, it’s vital to know if emails, instant messaging, audio and video conferencing and all the other ways that people are communicating are being managed to assure that everything that should be preserved (whether as a matter of law or regulation, or based on the analysis of counsel) is actually being preserved.
Key Next Steps
Management and counsel may assume that communications that should be preserved are actually being preserved. Don’t make that assumption! Unless you have technology on the machines that people are using—both company and bring-your-own-device equipment—that can determine what programs are being used for communication, you may not get positive assurance that only authorized software is being used.
You need to let your people know what you expect. This is not a situation that is unique to COVID-19 disruptions. We see “shadow IT” in many organizations where individuals or groups adopt software that hasn’t been authorized or tested, and for which counsel hasn’t determined whether the contractual terms for use are acceptable.
Send an email (and preserve a copy, along with the list of people who received/read it, and the date and time it was distributed and read) stating that only “official” email and messaging (and other authorized) systems can be used for company business. Using personal email addresses or systems and other email and instant messaging systems is specifically prohibited. Emphasize that this is to assure that the company can preserve communications that are required or should be preserved. Send these communications regularly to demonstrate that you took reasonable steps to encourage the use of only official, preserved communications channels.
Additionally, you don’t want to be seen as encouraging your remote working staff to store company documents solely on their local machines. When litigation occurs, you may find yourself in a nightmare of trying to pull together information on dozens, hundreds or thousands of endpoints, not knowing what may have been deleted or modified.
As a result, we strongly recommend that IT management confer with the organization’s counsel and human resources specialists to craft a communication that is legally sufficient, takes into account users’ needs and gives instruction that the company’s systems, staff and networks can actually accommodate and accomplish.
Monitor the Reality
Sending the message with your expectations for use of approved (and preserved) communication and storage technologies is vital, but can you simply assume that your instructions will be carried out without any issues?
To the extent your technology and in-house or outsourced endpoint monitoring systems permit, be on the lookout for people who have downloaded unauthorized and potentially dangerous applications like Signal onto their phones or laptops.
You can imagine opposing counsel in a deposition asking an executive why they felt a need to use a communication application which could not be preserved, and exactly what they used it for. These are questions for which you might not like the answers!
Many companies protect themselves by limiting the ability of an end-user to download application programs that are not on a pre-approved “white list.” If someone needs an additional application, there should be a mechanism to seek authorization.
A key step in gaining this control is deploying endpoint monitoring software to remote user systems. This can help identify the programs being run and the data sources being created, so that after the crisis, data can be relocated as needed into approved corporate storage systems.
Watch Senior Managing Director Jason Smolanoff discuss the importance of endpoint detection and response in 2021.