But these weren’t middle school girls gathering for a sleepover. They were corporate executives, the “C-Level” kind, people whose names you see in the business section when things are going really well and in other parts of the paper when they’re raising their right hands to testify.
Testifying is the reason we were there, preparing the company CEO for deposition in a bet-the-company lawsuit. The CEO explained that hers was an iPad purchased with her own money, not the company’s. The translation: “What’s on here doesn’t count, certainly not with regard to the lawsuit.”
But in the middle of our conversation, she used the iPad to send a text message to the CFO, then again to check her business calendar. Suddenly it was painfully clear, to us if no one else, that information on the iPad was discoverable as part of the lawsuit, as was the home computer the CEO used to back it up.
The truth is, many executives and companies find themselves in similar situations, facing litigation while seemingly knowing what evidence exists, only to have their opponent discover new – and perhaps very interesting – information through a subpoena of the CEO’s iPad. As guardian of the company’s legal well-being, what are you to do?
Begin With an Assessment
It is crucial to know what’s looming out there, and what the other side may find someday. So the very first thing you need to do is a data risk assessment now – don’t wait for litigation – and ask:
- Mobile Devices: How is the CEO using the iPad and other mobile devices, including phones, other tablets, e-readers?
- Computers: What about laptops? Ancient by some standards, but people still use them.
- Communications: What email systems do executives use? Beyond company email, do they ever use personal email for company business – things such as iChat, iMessage, Webmail, Facebook, etc.?
- Apps: What about apps? Plenty of executives use these (Dropbox, Evernote, Documents To Go, LinkedIn) with the mistaken notion that if they’re not on the company system, then they won’t show up in litigation.
Head in the Clouds
Remember that the information on your CEO’s iPad doesn’t exist on the iPad alone. She backed it up to her home computer, right? When she took it out of the box and started it up for the very first time, did she say “yes” to iCloud?
If she did, she created yet another avenue – maybe an easier one – for opposing lawyers to follow. If Company X is suing Company Y, then Company Y may not turn over the information. But when third parties, those running the cloud servers, are told of the litigation, they may be required to turn over the same information.
Beyond that, companies should give serious thought to the cybersecurity implications of multiple personal devices such as iPads and phones, and the use of off-site cloud storage. Each of those devices and each server linked to them can create an electronic avenue for competitors and hackers to use in accessing your vital data. Using Google Docs, Dropbox and Evernote may have put critical business information outside your trade secret-protected environment as well.
Make a Plan
Sit down with someone who is familiar with both the law and the technology, and have them create a network map of all the devices involved, who has access to them, and where the information is stored – all of it. This strategic data management plan should include everyone at the company, most importantly the CEO and other C-level people – even the board members.
The plan should outline policies and procedures for everyone to follow, separating business from personal information and accounting for mobile devices, whether the company or the individual owns them.
Follow the Plan
In a lawsuit, one of the first things we do is compare the company’s existing policies – those that are written down somewhere – with what’s actually going on in the office or in the field. Inevitably, we’ll find people who are not following the policy perhaps because they don’t know about it or simply because human beings sometimes have a tendency to go off on their own.
That tendency can be especially strong among executives and upper-level managers who set company policy and sometimes believe the same rules do not apply to them.
At least once a year, company representatives and your outside experts should sit down with the CEO and others and go over the rules. Find out what’s on the iPad, make sure that the information and the processes involved conform with company policy, and reinforce whatever division of personal and company information you’ve outlined previously.
Admittedly, nothing involved here is incredibly high-tech. That’s because it’s not the technology or a particular device that will get a company into legal trouble or compound trouble that already exists. Instead, it’s the person tied to that device who just doesn’t realize the potential impact of the information involved.
Even when that person is the CEO. She will thank you for raising these issues long before opposing counsel does so on cross-examination.
Matt Yarbrough is the founder of the Yarbrough Law Group and Yarbrough Strategic Advisors, representing plaintiffs and defendants in general business, labor and employment, intellectual property and white-collar litigation. Email him at firstname.lastname@example.org.
Todd Shadle represents clients in commercial litigation and a broad range of labor and employment matters. Email him at email@example.com.