Text Messaging, Facebook Can Get You in Legal Trouble

Owens Corning deployed IM in "a small pilot" this year, he adds, to study how it's used and whether IT can control it well enough. Johns says he's satisfied and will consider rolling out IM more widely during the next several months.

Johns is cautious, having lived e-discovery for his 14 years at Owens Corning as the company has navigated at least 2,141 asbestos lawsuits that led it to Chapter 11 bankruptcy protection in 2000. The company emerged in 2006.

Owens Corning has started its share of lawsuits, too, suing test laboratories for providing what it said in financial documents is "questionable medical evidence" in 40,000 individual asbestos cases. The company also sued tobacco firms in an attempt to get them to cover some of the $10.2 billion owed in damages to asbestos plaintiffs with lung damage.

A CIO must protect the company with policy and technology long before he's called upon to turn over data for a lawsuit, as a matter of best practice, Johns says. He also has outlawed .pst files, which are personal storage tables that users of Microsoft applications can create to, for example, remove data from their mailboxes and out of the sites of any automated deletion programs IT might run. He limits mailbox sizes to 100MB. "With us going through some of the legal challenges we had in the past, that's part of the reason we run things the way we do. It is more straightforward to manage."

Goldberg, the intellectual property attorney at Proskauer Rose, knows of companies that have let IM and other communications technologies creep into corporate use without a formal policy. Other companies don't archive IM consistently, leaving it up the users to turn on or off that feature at their desktops, he says.

Those are common situations that can lead to coming unprepared to court and risking fines or sanctions. "You have to know where this stuff is and how to retrieve and preserve from the system before a lawsuit arises," he says. "It's too late to figure it out under the heat of litigation."

My Data, Pretty Please?

But that's just it. Locating and getting your own data isn't as simple as it used to be. Some of the familiar techniques for making regular e-mail discovery-ready don't translate. With e-mail, for example, you can set servers to archive a snapshot of all employee accounts on a given day, at a given time, and save it for X-number of days. E-mail administrators can then move a designated snapshot to backup tapes and delete the rest. You can't do that with text messages because your wireless provider controls that data, not you. CIOs have to understand the vendor's retention and deletion policy and negotiate something different, if necessary.

Putting data in the hands of third parties this way adds a layer of complexity and expense to discovery that e-mail evidence doesn't usually entail. There are only two ways you can get that data back: ask for it or subpoena it. Which way it goes depends on what your contract says.

It's a best practice for a contract to specify which company controls the data, regardless of who stores it, Goldberg says. Ideally, the third party will comply with your data retention and destruction schedules, but that's something you must negotiate and, depending on how complex the rules are, pay extra to get. An individual text message is small. But a few thousand employees traveling with BlackBerrys can produce heavy and expensive volumes. "Do some cost shopping," he advises.

Prohibiting a particular Web 2.0 technology may not work because people will find a way to use it anyway, says Michael Harnish, chief technology officer of Fios and former CIO at the law firm Dickinson Wright.

"Experience has taught us that if there's an expedient way to further business, it will be done,"