Announced in April, Google’s Gmail confidential mode includes features such as the ability to have messages expire from a recipient’s inbox after a specific time period as well as controls on whether recipients can forward, copy, or download messages.
Of course, calling it “confidential” may be somewhat of a misnomer. After all, as Snapchat has warned users before, anybody can take a screenshot before a message vaporizes into cyberspace—that’s before we even get to the issue of whether it vaporizes from Google’s servers.
We talked recently with Dan Patterson, senior writer for CBS Interactive’s TechRepublic, about the challenges of e-discovery data preservation in a world of ephemeral data. Check out the embedded video below to watch the conversation.
From an e-discovery perspective, data preservation requirements are another consideration. Here are a few points that go beyond the interview.
Ephemeral e-Discovery
In most cases, there’s nothing wrong inherently with ephemeral data for e-discovery—depending on how you use it. Having said that, you noticed we said, “in most cases.”
In the conversation with Dan Patterson, we discussed the “reasonable anticipation of litigation” standard for the preservation of litigation. However, there are additional regulatory requirements one must consider.
For instance, the federal Occupational Safety and Health Administration (OSHA) has extensive record-keeping requirements under the Occupational Safety and Health Act of 1970 and its recordkeeping rule.
OSHA logs must be kept for five years—whether or not there is a reasonable anticipation of litigation—and occupational exposure records must be kept for the duration of employment plus 30 years. Even employee training records must be retained three years. Ephemeral data in these situations could get you into trouble.
On the other hand, we discussed data privacy requirements, including domestic requirements, such as those of the Federal Trade Commission and under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and international requirements, such as the EU’s General Data Protection Regulation (GDPR).
Theoretically, ephemeral data could actually help organizations with requirements such as the GDPR’s right to erasure (or right to be forgotten).
Article 17 of the GDPR gives data subjects the right of erasure of personal data “without undue delay,” and—subject to certain exceptions—a data controller must comply. Ephemeral data could help with compliance if personal data are set to erasure under specified guidelines, but proper information governance is critical.
Why Ephemeral e-Discovery Matters
G Suite, Google’s suite of products—including Gmail—has about four million paid business users. Although that pales in comparison to the 120 million business subscribers and 29 million consumer subscribers using Microsoft’s Office 365 platform, G Suite usage has doubled since 2016, making it a consideration for the e-discovery practitioner.
The ability of the G Suite administrator to enable and disable Confidential Mode is significant from both information governance and legal e-discovery perspectives.
For information governance, having a “kill switch” will help G Suite administrators ensure that data are preserved for regulatory requirements and for business needs. For e-discovery purposes, it could get trickier. Administrators must ensure they comply with legal holds in litigation and regulatory actions.
One could argue that using Confidential Mode would be no different that choosing to pick up a phone and call instead of sending an email. However, if evidence were lost, and discovery reveals an administrator was enabling and disabling Confidential Mode during a legal hold, it could establish an intent to deprive the other side of evidence, the threshold for the most serious sanctions under the 2015 amendments to the Federal Rules of Civil Procedure.
As usual with tech and the law, it’s all in how you use it.
