
Overcoming eDiscovery-related chat data challenges Part 3: during an investigation

This post provides tips from our eDiscovery experts on the identification and preservation of chat data during an investigation

Chat data will inevitably need to be collected for review if an investigation or dispute arises. A data collection exercise for chat data, as with other data types, first involves identifying the relevant data sources, ensuring that those data sources are preserved, and then extracting the data.

Identifying the relevant data sources for chat data

In the identification phase, a business needs to identify the available and potentially relevant data sources, and the location of those sources. This requires identifying the custodians holding data relevant to the investigation and the relevant date range for the exercise (based on when the alleged misconduct occurred).

At this stage a business should also start to consider where the chat data is stored, eg in the cloud or on mobile devices. Application chat data, as opposed to enterprise chat solutions (see our blog here to understand the difference), presents a further challenge, especially if used in conjunction with a BYOD policy, because:

  • the same application may have a multitude of storage options across various device makes and models, or according to user preferences
  • device manufacturers are continuously updating their encryption and privacy settings. A chat application that may have been easily accessible in the past could present challenges for accessing the data from an upgraded device.

It is advisable to seek expert advice early to ensure that preservation and collection occur efficiently and in a way that can be justified to a court or enforcement authority, if necessary, further down the line.

Preservation of relevant chat data

During the preservation stage, a business must ensure that relevant chat data is secured ahead of collection. If an investigation or litigation is looming, a business may be legally obliged to preserve relevant custodians’ data and adverse inferences may be drawn if this is not done properly.

Data retention policies and practices vary. A business will need to consult its information governance data map which, if maintained effectively, should provide a full picture of chat data retention policies. Given the sheer volume of data being generated from chat platforms, many organisations opt not to retain chat data for long periods of time, although those subject to regulatory obligations may be obliged to maintain specific business data for set periods of time.

In any event, routine data retention policies may purge chat data from company systems periodically so it is important to understand, in advance, how to preserve data at short notice if required.

Defensible preservation practices (by which we mean they will stand up to later scrutiny) will:

  • include all potentially relevant documents or contents of systems/applications
  • catch important metadata (hidden data that sits behind other data, eg the parties within a chat conversation) and prevent the corruption of this data
  • suspend any upcoming or ongoing archival or deletion that would occur in the normal course of business
  • secure data for potential collection, once the full scope of required data has been determined.

Location is key

Chat data can often be sourced from different locations. The preservation strategy should include determining the best source for preservation and subsequent collection, and should ensure that the entirety of the chat data is preserved. Consider the following.

  • Co-mingling: Some instant messaging platforms such as Skype and Teams can be set to archive messaging transcripts automatically in an email format in a folder within a custodian’s Exchange mailbox, where they can be extracted together with normal email collection. However, this type of chat may be co-mingled with Outlook email data, and extracting and converting the relevant messages to a reviewable format then requires technical know-how and additional effort. For this reason, we have a strong preference for preservation and collection from the chat system itself.
  • Attachments: Many platforms maintain chat text separately from attachments sent in a chat, so both locations need to be captured independently.
  • Personal devices: Consider whether potentially relevant information found in such conversations necessitates preservation and collection of an individual’s personal devices (regardless of whether they are used as part of a BYOD policy).
  • Device v cloud access: Some chat applications can only be collected from mobile devices themselves, eg SMS. Others may be synced to cloud-based repositories such as iCloud, which removes the need for in-person collection of a user device.

Devices may experience physical failures while stored, so it may be preferable to have an expert image the device and preserve the device at first instance, and to determine at a later date whether further collection and processing steps need to occur.

This post is part of a blog series on our eDiscovery-related experiences working with chat data.

  • Our first post looked at the main types of chat platforms and some of the issues that can arise.
  • Our second post provided tips on what to consider ahead of any investigation commencing.
  • Our next post will consider the collection and production of chat data.

A&O’s in-house eDiscovery team offers assistance in navigating the complex process of electronic data discovery. Working as one team with our lawyers, the eDiscovery team leverages technology to get to the facts of a matter more efficiently. This translates to better, quicker and more informed legal decisions and therefore better value for our clients. To learn more about the services we offer, please contact Christina Zachariasen, Meagan Sauve or Natalie Lau.
