Meet and Confer with Kelly Twigger
Meet and Confer is the podcast for litigators, eDiscovery professionals, and anyone who knows that in a world of electronically stored information, discovery strategy isn’t optional—it’s essential. Hosted by attorney and discovery strategist Kelly Twigger, each episode offers clear, practical discussions on how to effectively leverage the power of ESI to craft successful discovery strategies for any type of litigation. Topics include, navigating evolving rules, understanding emerging case law, and making the strategic decisions that shape the outcome of a case. Whether you're a seasoned litigator, brand new associate, in-house counsel, or law student, Meet and Confer helps you think critically, stay prepared, and master your discovery strategy for modern litigation.
Meet and Confer with Kelly Twigger
Phones, Chats, and Subpoenas: DOJ/FTC Guidance Meets Mobile Reality
Your chats are now your records. In this episode of Mobile Minutes sponsored by ModeOne Technologies, we dig into why mobile and off-channel messages—texts, WhatsApp, Signal, Slack, and Teams—have moved from “nice-to-have” discovery to core evidence and a core compliance obligation. With new DOJ and FTC guidance and eye-watering SEC penalties, regulators are no longer hinting; they’re spelling out what credible programs must include and how they’ll evaluate your effort, resources, and results.
Ruth Hauswirth of Cooley joins Kelly Twigger to translate policy into practice. We break down what changed in 2024, how agencies define off-channel communications, and why “messages are documents” is the standard. Then we get tactical: approved channel lists, BYOD and retention controls that survive scrutiny, legal holds that actually reach phones, and supervised mobile collections that avoid the self-collection trap. We also tackle the messy realities—auto-delete defaults, device upgrades, shadow IT, and the speed regulators and courts now expect when preservation triggers.
If you lead litigation, investigations, or compliance, you’ll walk away with a focused playbook: map your chat footprint, upgrade your holds with plain-English steps, run a tabletop for a subpoena or CID, and align legal, IT, HR, and security on a risk-based governance model. For global teams using WhatsApp or WeChat, we discuss harmonizing standards across jurisdictions and when to prohibit tools you cannot preserve. The through-line is simple: content over form, relevance and proportionality, and a documented, defensible program that proves you took this seriously before the knock on the door.
If business lives in chats, compliance must live there too. Subscribe, share this with your legal and IT teams, and leave a review with one question you want us to tackle next.
Thank you for tuning in to Meet and Confer with Kelly Twigger. If you found today’s discussion helpful, don’t forget to subscribe, rate, and leave a review wherever you get your podcasts. For more insights and resources on creating cost-effective discovery strategies leveraging ESI, visit Minerva26 and explore our practical tools, case law library, and on-demand education from the Academy.
Welcome to the Mobile Minutes segment on the Meet and Confer podcast, developed in partnership with Mode One Technologies. I'm your host, Kelly Twigger, the founder and CEO at Minerva 26 and a discovery strategist with ESI Attorneys.
Kelly Twigger:In this episode, we're talking about something that has become impossible to ignore if you are a litigator or in-house. What happens when the evidence you need is on someone's mobile phone in a chat app or buried inside a collaboration tool, and regulators now expect you to be able to find it, preserve it, and produce it. In 2024 and into 2025, the DOJ and the FTC updated their guidance to call out mobile and off-channel communications by name, and the SEC has been handing out hundreds of millions of dollars in penalties when firms can't get their arms around business texts and messages on personal devices. That is no longer a niche discovery problem. That is a litigation, investigations, and compliance problem.
Kelly Twigger:So, what is an off-channel communication? That term gets tossed around a lot in this context. And you'll hear it today. Off-channel communication refers to business-related discussions, oftentimes in financial services, that are conducted via unapproved, unmonitored, or unrecorded personal channels like WhatsApp, SMS, text message, or private email. These methods circumvent mandatory record keeping rules, posing significant security, compliance, and regulatory risks regarding data leaks and other misconduct. And as using those platforms has become common in business, we're dealing with them in discovery, and the government is well and truly in the game.
Kelly Twigger:To dig into all this, I'm joined today by Ruth Hauswirth, special counsel at Cooley. Ruth leads Cooley's litigation and e-discovery services and information governance counseling. She's been in the trenches on complex litigation and government investigations for decades. She teaches e-discovery at the law school level, works with the Sedona Conference, and helps clients design real-world retention and BYOD programs that actually hold up under scrutiny. She also happens to be a genuinely fabulous human, which makes this conversation even better. Today, Ruth and I will talk about what the DOJ and the FTC guidance really says, how the SEC and FTC enforcement are using off-channel communications, who inside your organization is most at risk, and what you can do this quarter to get a defensible handle on mobile device data before the next subpoena or CID shows up. And here's a pro tip. Everything we're going to tell you applies to civil litigation as well. Let's dive in. Great to be here. We're going to dive in to our topic here. And let's start by really grounding everyone in what's changed that's created new obligations for council. For people who haven't been tracking this closely, what are we talking about when we say DOJ and FTC changed their guidance in 2024? And what actually changed in those standard instructions?
Ruth Hauswirth:Yeah, so in 2024, in September of 2024, the DOJ and FTC released with a couple of things. The evolution of corporate compliance program was a document that went into great detail about what they're looking for from compliance programs. And one of the reasons why we're talking about this today is there was an emphasis on messaging applications and how corporations are, as part of their compliance program, are monitoring and monitoring and govern putting governance on the use of mobile devices, collaboration, texting, all kinds of apps that we're using now to communicate.
Kelly Twigger:How did that change from previous guidance? Were we just talking about email before and we weren't specifically addressing mobile device data? Is that the big change?
Ruth Hauswirth:Really, because the truth is they've been putting out guidance about this for several years. They've been ratcheting up awareness around the use of it. And this has been for there, there was guidance put out in, I believe, uh might be not formal guidance, but for guidance that came out in 23 and even prior to that, because this was be something that was continuing to come up. And so what they were doing is letting companies know that if they become subject to an investigation, one of the things that they'll be that the prosecutors will be looking at is what are you doing to control these the communication via these types of uh applications that can't be preserved or can't be retained as part of a document retention, an overall information governance or retention program. And making it very clear that as part of the investigation, if you can show, if you can show a program, like a governance program where you're actually trying to, you don't have to be perfect, but that you can you can show that this is something that the corporation is paying attention to. There would be certain part of the cooperation process, there would certain credits would be given to the entity being investigated.
Kelly Twigger:So it's it's not necessarily a you can't do it all. So therefore you're penalized, right? It's a question of it's an analysis as part of the cooperation. Are you really putting a program in place to address these sources of VSI? And are you making an attempt to be able to provide them when we ask for them?
Ruth Hauswirth:Exactly. And I think in 24, that became a when I was reviewing the documents that they put out, it's very clear they're making, they're sending a clear message to particularly to compliance programs within corporations to keep this at the forefront of what they're doing. And I would say I was as I was thinking about this, governance has been a huge part of my practice for over 15 years. Governance may be the word of the decade when it comes to certainly messaging apps, because we're still using email. We're all still communicating by email. But that is certainly not necessarily the primary way people are communicating anymore within corporations. And so there's the issue of internal corporate communications, and then we have the mobile device, the mobile question, and how people are communicating on mobile devices. And so it's very clear that the investigative agencies are looking closely at how are companies applying governance to the use of all types of communication methods and making that part of their corporate governance, their information governance program.
Kelly Twigger:You and I know because we're in it every day, how difficult getting data from mobile devices is and how expensive it can become. And these compliance requirements are they're creating a substantial burden on companies who need to be able to comply with this. And we're going to get to exactly who that is in a little bit. But because we're talking about so many different kinds of applications, and each one of those applications retains data differently, stores data differently, may store it on the device, may store it in the cloud, may not store it at all. That's really what creates this huge challenge, isn't it? Why these parties are like, whoa, this guidance is tremendously burdensome in terms of governance.
Ruth Hauswirth:Absolutely. Because one thing as an e-discovery lawyer, one of the things you become very sensitized to is the fact that when these platforms of communication are created, or any type of technology is created, it's like the idea behind how are we going to export, preserve, and export this data for use in some kind of investigation or a litigation, civil litigation matter, that's not on the top of people's minds. People are the even the creators of these technologies, that's not what they're thinking about. And so you can't rely on any sort of standard in terms of how you get the information preserved or retained. And so it is very complicated and it doesn't lend itself to a very check the box kind of way of governance. And so one of the things in the guidance that the DOJ put out in 24 was sort of an it's very clearly laid out the types of things that they're going to assess as to whether a company is meeting the requirements that they're going to be looking for. And one of them isn't compliance overall, but it's an interesting thing to note that there's a sufficient, I know, sort of adequate resources given to the task of making sure that the company is essentially putting governance and return.
Kelly Twigger:Adequate resources.
Ruth Hauswirth:Adequate resources.
Kelly Twigger:And that varies by company. Yeah.
Ruth Hauswirth:Yeah. And this is something that we see widely because again, an organization's business is to focus on their business, not necessarily managing all of the information that the business is generating. And even just 20 years ago, it wasn't that big of a lift. It was still something that we needed to think about, but it wasn't close to what we're dealing with now that we are truly in the age of technology driving all of the way that we do our business. And so it's not really at the forefront of executives and engineers' minds. And so it makes it very complicated. And but the good news is that the standard isn't perfection in terms of how we respond to these kinds of requirements, but it does take a more proactive approach. And you'll probably hear me repeat that several times because that's what it means.
Kelly Twigger:That's what everything in Discovery Now means is you have to be proactive, reactive, practically equal sanctions.
Ruth Hauswirth:And it's getting it's getting dicier because we are not just dealing with email, it's hundreds of potential applications that could be within scope. And one thing we'll probably get into this more, but one of the things just kind of as we're setting the table on what what the government agencies have been making clear to to organizations is you have that text messages, whether it's ephemeral or otherwise, messaging applications, the texts themselves are documents. So they can they made it very clear that is considered within the scope of a document. And so I don't think there were many people who didn't think that was the case, but the guidance has made it very clear progressively over the years, in case it wasn't, that these are things that have to be have to be subject to some kind of governance within an organization.
Kelly Twigger:Yeah, and I would say someone out there will make that argument that it's not a document because that's their last-ditch effort at trying to just to reiterate something that you raised, which is exactly I mean, you and I are so on the same page with all of this, as we discussed multiple times, but the technology that we use to create, store, send, and receive information is not designed for us to extract it in a way that we use for litigation or any sort of legal proceeding, any way, shape, or form. And so it is literally a process of understanding how every single piece of technology works from iMessages on an iPhone to text messages on a Google phone and how that information is stored and retained and how you can export it and what it looks like. And so finding the right technology to be able to do that in a cost-efficient way is one of the big things that these new policies, I think, really put in place. But it's but it's consistent too, and it's consistent with everything that we see in civil litigation in the case law, right? That all the data on mobile devices is quite frankly where the good stuff is, right? That's where people used to pour their souls into email. Now they pour it into text messages and WhatsApp messages and signal and and whatever else, right? On social media posts, et cetera. So let's move on just slightly to to crystallizing. Where are companies seeing this language? Are we talking about second requests, civil investigative demands, grand jury subpoenas, preservation letters? What kinds of matters is it showing up in?
Ruth Hauswirth:Showing up everywhere. And we are seeing this in investigation demands. Language has been specifically put in to make clear that the mobile text messaging, mobile device information is information that's that's within scope, assuming it's within the scope of the investigation. So you're seeing it in all of the all of the above that you name. We're seeing definitely one of the areas which is sort of a low-hanging fruit that the organizations can immediately deal with these types of things is to update their hold notices to make it clear to recipients that this type of information, at least from a preservation standpoint, it needs to be preserved. Uh, whether it ultimately is something that needs to be collected and processed and reviewed and potentially turned over is a separate question. But it's if there is a legal duty, if a duty to preserve has been triggered, then this information needs to be preserved. So it should be, there should be clear instructions. And we can talk more about this, but updating hold notices is kind of a low-hanging fruit. And you will be seeing those in demands that you're receiving from maybe government agencies or from civil adversaries in a litigation matter.
Kelly Twigger:Yeah, because I know that a lot of people follow what's happening in eDiscovery and they're saying if the government's asking for it, then why can't they ask for it? And the case law is pretty clear that each one of these different areas, these different sources of ESI, text messages, all the different instant messaging platforms, they're all discoverable if they're relevant and proportional to the needs.
Ruth Hauswirth:And that's that's the key that often coming back to and scoping these is not easy, as we talked about at the very beginning. There's time and cost and difficulty because of the technical issues that we were talking about. There's no ubiquity in terms of how they all operate. But one of the kind of things that I use and talk to clients and others about is the content is what matters, not the form. And that's it doesn't mean that we have to go after every single possible iteration of something. There are proportionality limitations and things within the rules that have been around for a while, but that we're definitely using more and more. It's more at the forefront of, I think, of civil judges' finds, civil courts. I but yeah, content over form is when we're scoping, that's what we need to be thinking about in terms of what and and that's that goes back to just basic lawyering. What is this about? And that sometimes can get lost, I think, in the conversation.
Kelly Twigger:So does. And that's my take every time is when we start at a case, let's sit down for a minute and talk about what are the business goals here? What does this really look like? Do we want to continue a relationship with the opposing party? Are we trying to resolve this? Are we trying to fight to the death? What are we doing here? And that needs to frame what we're doing. And then what are the actual allegations of the complaint or the demand or whatever that's happening so we can focus? Because I think you just hit on exactly what is a challenge. And that is we've started to look at discovery as compliance instead of fact-finding and instead of getting to the truth of a case so that we can resolve a matter. And I really want us to come back to the fact-finding. We have to do the compliance, but the compliance seems to have ballooned. And I'd like to bring that balloon back down to a manageable size for manageable litigation and technology and even AI, which we're not going to get into so much today, although that's a whole nother discussion for us, really allows us to do that now. So going from that compliance. But that being said, coming back to this, these new standards, these new government standards that civil counsel are starting to pick up on, it still creates a huge burden because, as you mentioned, you have to be proactive. If you're trying to capture text messages from six months ago, two years ago, three years ago in an instant, it's unlikely you're going to be able to do that very effectively most of the time. Now that we have this updated language out there, what are some of the most common assumptions that you still hear from companies about their obligations around texts and WhatsApp and other mobile messaging services?
Ruth Hauswirth:A common misconception is if it's not managed by the company's IT, it's not within the scope. And that is certainly not how the agencies that we're talking about today or in civil litigation generally, that's not the guiding principle.
Kelly Twigger:I'm 100% with you, but I just want to clarify what you're saying. When you say in scope, you mean that they don't have an obligation to produce it. It's not within their possession, custody, or control under Rule 34. Is that what you're referring to?
Ruth Hauswirth:Yeah. It's, for example, it's we'll talk about this, I'm sure, but when employees are using their personal devices, and if the if there's information on the personal devices like text messages that are not, cannot be managed by the company's IT department, that doesn't necessarily mean that though that information isn't within the scope of an investigation or is part of discovery in a litigation matter. It doesn't mean that it automatically is either, but it's not something that we can just, I think that is a misconception that if we don't manage it, it's not within our control.
Kelly Twigger:I've done a whole podcast on just this particular issue, possession custody, or control, as it relates to data on employers on the Judge Rodriguez. And we'll talk about it at the case law session at the University of Florida, where you're gonna join us. I'm so excited about that. Not for that panel, but for a talk on AI, which is gonna be amazing. And the reality is that it's very up in the air what's happening with possession custody or control because the old tests don't fit the interpretation of data created using new technology. And it's gonna be really interesting how that plays out. Any other assumptions other than the possession custody or control?
Ruth Hauswirth:I think it comes down to things that are not within this bubble, that are just doing business, aren't necessarily thinking top of mind that what they're creating could potentially be used in an investigation or needed in an investigation. And so one of the things we talk about with clients when we're having these governance types. Of discussions is awareness training, training about any communication for business purposes. Well, regardless of whatever device that you're using, could potentially be something that is discoverable and trying to chip away at those misconceptions about if I'm not doing it on my company device, it isn't discoverable, or things like that. Just misconceptions about just what is business communication and what's proper and what's not proper. And what the agencies like the DOJ and FTC, what they're particularly looking for, they want to see that companies have these, that there's some controls in place to really what they're looking for is to obviously prevent misconduct and to prevent the loss of information that's needed for an investigation, but also using devices in a way that could be creating harm and that could be potentially subject to regulatory or criminal penalties because of engaging in. So they're looking for companies to have educational programs and governance programs that are risk-based to reduce that, to reduce the likelihood that those things are happening. That's an underlying principle to why this guidance has been put in place and why it's being used.
Kelly Twigger:And is it fair to say, and I'm asking this because of what Ivan pulled out from the different finds and things that we're going to talk about, but is it fair to say that in a lot of instances, it's field people, right? It's brokers, it's salespeople, it's people who are in the field making decisions on the fly, trying to make things happen. And for better or worse, we live in this on-demand world where we expect a response within five seconds of shooting off a text messages. And email now is old. It's old school. We don't, if we email someone, we may not hear back from them for days. We want a response right now. And so those are the places where those conversations are happening that are the subject of those investigations. And those are the places where the data is going to live, and that's what they want.
Ruth Hauswirth:Yeah, and another really important point is that when we used to say this about email, but I think this is 10 million times more true when it comes to text messaging, is people are less formal and you might just shoot off that text too. Yes, there's the demand to get everything moving quickly. That's why they're so helpful. But then there's also the kind of reduced awareness around when just people shoot off a text and might not be thinking that text could be problematic in unintended ways, or we don't want people to be doing that regardless. And we want to be making sure that we're creating cultures that are educating people about communicating in an appropriate way. But it's just that off the cuff kind of a thing that can blow something up. The thing about who is subject to these kinds of it's everyone. It's everyone is potentially subject to the requirements of what the government agencies are expecting in terms of communication and preservation and retention. But you were referring to people out, like salespeople all over the place, just doing what they're trying to do, whatever device they're on, it can be very, very difficult to put controls on that. But I think we're getting to a point if there aren't some controls in place and some procedures and guidance about what to use, what is an approved channel, what is not an approved channel, and devoting some resources to this, I think we're in a time when that's going to be less and less tenable going forward. When you do find the company in a position to have to defend a claim or to respond to an investigative demand, you don't want to be caught on your back foot there, not having some of those controls in place.
Kelly Twigger:And you know, it's interesting about it because there's a real evolution here in how we would advise companies on policies, because historically there's been a rub of well, if you're gonna have a policy, you have to make sure you're enforcing it and auditing that enforcement and making sure you're complying with it. Otherwise, it looks bad to have a policy you're not complying with. Paper only, not in actual practice. Right. And so now it's sort of transitioned to you got to have a policy and you got to have the compliance of the policy. It's got to be realistic, something that really works for your organization. But I also would say that constant vigilance around conversations with folks in the field, whoever it may be that are using these applications that can create so much consternation for the organization, because they're gonna constantly change. You got the Secretary of Defense using Signal. It's so many places where people are just choosing to use these applications, and the organization has to stay on top of that. And I think that's a challenge because a lot of organizations, even those with legal ops teams now, they really don't have that bandwidth. It's tough.
Ruth Hauswirth:That's what I think it was interesting about this specific section of the guidance from the DOJ that was about resources and about making sure that adequate resources were being put into compliance, but it has value to the whole company. And that's where, yes, there can be a lot of burden to creating a compliance program. It actually has so much benefit. When an organization finds itself in a position where it has to respond to an investigation demand or to a complaint and discovery, or if they're in a position where they are needing to take legal action against another party, having that compliance in place, not only just for meeting the requirements of government agencies, but also to be able to nimbly respond to those types of situations. So you're not scrambling in the heat of an investigation or the heat of a litigation. You have put in place procedures and things that can serve you in that moment. It's easier said than done to say, we'll have a policy that's not just paper, but there are actually pretty practical things that companies can put in place that are not huge, like move a mountain kind of a things to get some more controls in place over this and to have sort of a risk management focus on how you are running the business. I think the dividends pay off when you don't have to be reactive when something comes along that you have to respond to. And which is why I, again, I think having a policy that is very on like a mobile, a messaging policy, a policy that specifically talks to mobile device and collaboration type platform use. What is the company, what are you allowed to do business on? And make it very clear to people what you're not allowed to do, whether it's on your personal phone or on a company issued device, making sure that people understand what are the retention requirements on your devices. Obviously, even if there are personal devices, if you're gonna be using it for business, the business should be putting some controls on that personal device. And that can we could talk about that for a whole entire hour. Yeah.
Kelly Twigger:I mean, that from a technical perspective has so many challenges.
Ruth Hauswirth:But there are things in your fold notice, you can have instructions about how to make sure that your settings are necessary. But it is possible to do things that you can put in place that you can have that will definitely one of the things I said the word of the decade is governance. I also think it's demonstrating, being able to demonstrate that you're taking these steps. We talk about this a lot when we're talking about a preservation obligation, but companies having procedures set up in a way that you can demonstrate, we have this, we do this. Yes, this actually turned out to be a problem for X reason. And there's usually some explanation why something didn't go the way that it was supposed to that's not nefarious. Sometimes there might be a nefarious reason, but even in the guidance that the DOJ and FTC provides, you cannot govern for every single time. Like a bad actor is that's what they're trying to prevent. But the company can be in a better position to defend itself if that happens, if they have these in place. And just making it really clear what's expected of people within the organization and what's not, and providing resources, saying you can't use signal, but you can use the company-issued texting application. You could have mobile device management software on people's phones. There's all different kinds of things that can be put in place. It doesn't have to feel like boil the ocean. It can be like these are things that we can put in place relatively quickly and have huge benefits down the road.
Kelly Twigger:I completely agree with you. And I think to me, there needs to be a mental shift for organizations in this level of governance. The speed at which business moves now requires communications that move with that. And these applications on mobile devices and the advent of these smartphones allows those communications to happen. So rather than saying no, which is a lot of what legal wants to say, you've got to embrace the fact that your business is growing by using these forms of communication and addressing how to proactively meet these legal challenges. And like you said, technically speaking, they're not really hard, but it's all a risk, a cost risk balance, as everything is in legal. But even if you just have a plan in place that you can execute when something comes up, that's a big difference. And I do think that your adequate resources and tell me, based on your experience in representing clients on these issues, if it's a smaller client and this is a kind of a one-off investigation, and they have done a few things, say their resources are they've put, let's just put a percentage on it, maybe a 25% resources towards it. Larger corporation or entity that is a serial litigant and they're routinely having government investigations, that company puts more like 50, 60, 75% of resources towards having that. Is that something that meets the obligations? And obviously, I'm speaking in very, very broad generalistic terms, but is that kind of where you mean when you talk about the adequate resources within the guidance?
Ruth Hauswirth:What I read, what what I took from it was that that would be a consideration, like that these types of things would be a consideration that the investigators would take into account when they're looking at what happened here. And when they're looking at the resource question, the size of a company, the, you know, what type of industry, all of those things would be considerations that would be taken into account. And I think practically, if a company is a serial litigant, serial being investigated, it's just a no-brainer that they're going to put more resources to these kinds of things than a company though, where it might happen very often. I think that if a company has a perspective on sort of risk management, what regardless of the size, regardless of the industry, it's going to benefit the entity for whatever business they're in. What you actually do, like you have a 20-person department that's responsible for it, or you know, one person or something like that. It's obviously very company specific. But I feel like doing this for over 30 years, you can see the perspective of if we put a little bit of attention here, it can have such a huge benefit down the road. And it's a little bit of pain here.
Kelly Twigger:The thing is, is the ROI is a little bit down the road, right? That's another adjustment in the expectation. And that's always hard in legal because legal is always a cost center, right? And so then you oh, let's do compliance on top of that. But the reality is, and this is I'm gonna to move us here to what has happened, what kind of fines have been levied for failure to comply with these, so that you can see what the potential ROI is down the road. A month after these new changes came out, but February 2024, the SEC issued $81 million in penalties to 16 broker dealers and advisors for what was called widespread and long-standing failures to maintain and preserve electronic communication, including business texts and chats on personal devices. A couple of months later, in August, the SEC fined 26 firms for $393 million for pervasive use of off-channel communications, texts and messaging apps that weren't preserved as books and records under the requirements. Another month later, in September 2024, 12 more firms for another $88 million in penalties for the same off-channel usage and record keeping failures, more than $600 million. And since 2021, the SEC has levied more than $2 billion in penalties. And January was another couple hundred million in fines. So there's lots of examples of these that that we could spend a whole lot of time talking about. And so I think the reality is, and and I love your input on this, is that these are real fines. These are real things that are happening. They are not, hey, we will come and get you if you don't do this. They are money that's happening right now. And they're not one-offs. They're we're going after a group, a segment, an industry, a practice area that we know is engaging in this behavior, almost as an example, it seems.
Ruth Hauswirth:Yeah. No, I mean, we've seen this in other areas where until there were significant fines and significant penalties, attention may not have been at the level that it needed to be. And we've seen this in the area of privacy, in other countries with privacy-related fines. We've seen it with sanctions in civil litigation. So it's a deterrent fact. It's to try and conform behavior based on if you don't, this is what could happen. And that sometimes is very motivating in certain contexts. And I do think that's the reality of what we're living in. I don't think this is going to stop because again, these technologies are making it easier for people to go off-channel and to do things. And even if they're not doing anything nefarious, just by using these types of apps that can't be preserved, for example, it creates the perception that something is not on the up and up. I think that a company needs to take that into consideration. If you're not putting controls in and you know that people aren't using these types of applications, you're putting the company at significant risk if you don't take steps to put some controls in place. Or if you can't preserve it's a type of communication platform that for some reason preservation isn't possible, then don't allow it. Don't prohibit it. Don't allow it for use. And it's hard. I'm not saying, but when you look at those penalties that you just rattled off, it's real. And this is what's so hard. You don't always know because the the information is no longer there. And so this is again where I think we want to be looking at things through a risk management lens, not just a hundred percent, hundred percent.
Kelly Twigger:Okay, now that we talked about what the guidance is, what the potential ROI is for actually doing something by looking at the penalties, let's focus a little bit more on who is covered. When the DOJ and the FTC talk about preservation expectations for ephemeral messaging and personal devices, which companies and which scenarios should assume those expectations apply to them?
Ruth Hauswirth:I don't think it's limited to a particular industry or business. I think it's safe to say one of the areas we're probably gonna be seeing a lot more is in the area of AI, in companies that are putting technology out into this public space that is based on AI, or even just companies that are not AI-based, but that are using AI. I think this is going to be something that is gonna have more and more interest from regulators, whether here or from a data perspective. From a data perspective. Yeah.
Kelly Twigger:What we're saying is every single company, every single entity out there should be concerned about these regulations because they are all subject to them.
Ruth Hauswirth:It's hard to predict what particular industry is going to raise the curiosity of investigators and in terms of what are they trying to do? The FTC is trying to ensure competition. DOJ is trying to prevent misconduct. So I don't think we can limit it to a particular industry. Obviously, regulated industries have been in this place of awareness for a very long time. The differences with regulated industries is that these new technologies come into play in their industry, and they have to be paying attention to what types of controls, if any, they have on messaging applications people are using to communicate, because those are those could be subject to investigation.
Kelly Twigger:And your other point, which is so key, and that is with AI, we're starting to see that we'll have other sources of data that are likely going to have new regulations or become added to these existing regulations in terms of governance.
Ruth Hauswirth:That's why I'm saying governance is such an important concept that may it may not have had the sort of sparkle that it maybe other types of things do within e-businesses. But I'm talking even 30 years ago when it was just basically paper or email. Now we're talking all of our business is done with a variety of different technologies. We have to be thinking about governance from if you do start to implement AI into a process, or even if you're not an AI company, you're just deciding that you're gonna use AI in some type of way. If you are using it in a way that affects certain areas, you know, where there potentially could be interest of a government agency to make sure there's protection to the public, you want to be able to point to some type of governance in terms of how you implemented that, that it was not just a random decision that someone decided to just pick up a tool and start using it and then having implications for the business and implications for the public. AI governance is a new area.
Ruth Hauswirth:It's very similar to the kind of work that I've been doing for a very long time when it came to just data governance. Again, it's so interesting because data is ubiquitous in any type of company now, regardless of the industry. It's not just big tech companies, even now individuals, our own data footprint that we're creating with all the different apps and all the different things that we use. There's like a sense that this it's just a part of every business, even if you're not a technology company, even if you're not, you know, somebody putting software into the market or apps into the market. And that's the different way of thinking about things. I think a lot of companies just think about whatever it is that they're selling, and they're not thinking about how they're doing their business and how that technology of how they're doing their business could implicate. All the areas that we're talking about. And that's where I think governance is getting more and more attention, as it should. And I've been very risk management focused from the beginning. And I've seen the chaos of investing in that early and pain that you can save later. You're not going to be able to head off everything at the pass. Right. But you're in such a better position when you're able to relatively easily and relatively quickly, this is how we handle things. These are our procedures. This is what we do in response. This is what we did in response to this. And this is what happened. And you're in a much better position than if you're you have nothing in place and it's just kind of a scramble.
Kelly Twigger:Who are the roles within an organization that are most exposed? And I'm asking you this is a little bit of a catch-22 because I think I know what your answer is going to be. Because a lot of people will say, well, okay, so we'll put something in place for our executives, right? Is that going to be sufficient? What are who are the roles that we need to be paying attention to?
Ruth Hauswirth:I mean, I do think it is important to have to be thinking more broadly than that. I think having having controls and procedures for the way everyone communicates within the organization is the recommended practice because having different ones, there may be a business reason for that. And there may be more restrictive for certain roles, depending on what they're doing, but certainly not more broad, um more lenient.
Kelly Twigger:The point is there needs to be thought, right? There needs to be thought about the different roles within the organizations and their roles, their business position, right? Are they in sales? Are they in marketing? Are they here? What are they doing and how do they communicate? And that is, from a governance perspective, one of the things that you need to do to understand how people within your organization, the different ways they create, store, send and receive information and the different tools they use to do it. Your benefits people have 20 different online services that they manage to be able to provide benefits for your employees, and somebody knows how to use and access and get all of that information. Your sales team is texting everybody 10 hours a day. I think you've got to think about all of that in this context. In some ways, because I've had some clients who will say, Well, we'll just do it for our executives. Here's what I would tell you your executives are the people in your business who are thinking the most about the business all the time. Every decision they make, they're thinking about the business. Can you say the same thing the further you get away from the C-suite? And the more that answer becomes no, they're thinking about their own personal growth, development, whatever sales metrics they're trying to hit, anything. Not saying they're not thinking about the company, but that's not their first priority. Their first priority is their performance within the company. You have to modify your expectations in terms of compliance with these regulations to that perception as well.
Ruth Hauswirth:I think that is another upside to governance and whether you tailor it to the specific needs and risk profile of an organization. There's a lot of benefit when you have folks within the organization that are giving thought to these types of issues, that are thinking and linking others within the organization. We were talking about earlier how maybe folks that like engineers who create these kinds of communication platforms aren't thinking about what's happening when people use them and have to like apply or you know, get information out of them for regulators. One of the things that I love about this kind of work when you see this happening within an organization, governance can sometimes, and sometimes it's illegal, sometimes it's in compliance, but there's usually some cross-disciplinary group that is involved. And so you're seeing all the opportunities for synergies. So there aren't different practices going on that could affect the business all over, disparate uses of different platforms, different policies, different ways of doing things. You're starting to create some cohesion, it's some coherence within the organization. Because HR is now connected with IT. So when legal says, hey, we have this preservation cold we need to put in place, there's links to all these other departments, and everyone is aware this is what we do, these are the procedures. It's maybe it's not a push button and there's some tailoring for each time it happens, but everyone has awareness and there's some connectivity between the organization. That not only will help you from a compliance standpoint and things that we've been talking about for the last hour, if you are before an investigative agency, but think about the synergies that can happen within your organization. There's a group that's watching for these types of data governance issues and saying, oh, wait, this department is doing this and this department is doing that. We should link them up. There's just so many benefits from this. Maybe it sounds a little pie in the sky, but I've seen this happen over and over within organizations of all sizes. There's a lot for those listening, there's costs and there's burden, and there's a lot of things that can make this hard to do. And I'm not dismissing that. But there's also a lot of value that comes out of looking at a business in the 21st century. Every business is a data-driven business. I don't care what you're making. You could be making cookies is your product. There's data going around with your company. It's just the nature of how we work now. And so having some kind of governance program, some sort of risk lens that is also benefit lens is what we're going to be. I think this is the direction we're going to have to be going the more technologically based we become.
Kelly Twigger:I 100% agree. How does that change or how does it how is it amplified when we start talking about global organizations? How should global organizations think about this issue when some regions expect employees to use WhatsApp or WeChat for business, and US regulators are effectively saying if you use it, you need to be able to preserve and produce it?
Ruth Hauswirth:I think this is a question of harmonization and this idea that there is some sort of assessment and cohesive understanding of what's required of the organization and what the organization is going to do in response. One response to that is if one jurisdiction is more restrictive than another, then the company should follow that as a whole. That's one way to do it. It doesn't have to be the way you do it. But within the context of what the expectations are, if you're going to be subject to some sort of investigation, you should, as a company, be thinking about preserving the jurisdictional requirements for different apps or what the uses are for in different regions. There has to be some sort of assessment about how are we going to preserve that if we need to. And if there isn't a way, really think about whether that is an appropriate tool to use.
Kelly Twigger:I mean, that's just Yeah. And as I I'm listening to you in my head, I'm going, oh, civil litigation. Some people are a little bit lax with their legal holds in terms of getting them out quickly and in terms of identifying sources. And if you're using surveys to get information from custodians rather than physically talking to them, the number of places where you can lose information that if you're talking about these kinds of regulations and even in just civil litigation, the duty to preserve and the sanctions that courts have levied for loss of text messages. Just in this last year, it's been nuts, the number of cases we've covered. It's a minefield, it really is. Relooking at your existing processes for civil litigation if you don't feel like you're subject to a government investigation is a worthwhile cause here because the courts are coming down with the same requirements that these regulations impose on parties before them.
Ruth Hauswirth:Agreed, because the basis upon which these types of guidance that we're receiving from these government agencies is very aligned with the state of the law when you're looking at it in terms of the duty to preserve. Or if something is within the scope of discoverable information, it's got to be preserved. I think this everything we've been talking about today has application for civil litigation. 100% agree. And you said something that I think is really important. I from what we're seeing, as you mentioned from the case law, I think the speed, like the speed at which we are taking steps to ensure that information is being preserved is has always been important. I think we're I think we're we've got to keep that top of mind. Like the more this is becoming sort of the way things are, and it is the way things are, people are using text messages, people are using collaboration apps. The whole idea of the collaboration app was to get people out of email. It's not 100% happened, but it's definitely having an effect. We have to be putting things in place to ensure that that information is properly preserved so that it can be assessed in a reasonable way. So in scoping, you said you were talking about scoping Kelly. This is where I think like the practical part of this is so hard because you have to do it quickly. You don't know everything or a lot at the beginning. And so that can be difficult. And then there's the cost and the time that it takes. And it really comes back to that investment up front, how it can save you time down the road. The reason why we are often talking to clients about having a preservation hold response program is for exactly that reason because it's very difficult. And courts are getting more comfortable with these sources as sources.
Kelly Twigger:Oh, yeah, they have if it's relevant and proportional, you should have it. And if you don't have it, I need to know why. And I need to have a good story for why. And I completely agree with you because I've seen it with clients who don't have a particularly large litigation portfolio. They have a few matters a year, maybe a number of employment matters and one to two significant ones every few years. But the cost savings of knowing up front and having a plan as it relates to mobile devices, but also across discovery and understanding what you can go and get, I mean, it allows Discovery Council to make decisions so much faster. And even if you just say you saved $100,000 by not having to reinvent the wheel every single time, the cost is the cost savings is real. Let me ask you this specifically about the mobile device data. When you go into a matter and you're really looking at the communication footprint, where do things most often break down with mobile devices? Is it that the legal hold's not reaching personal phones? Is it auto-delete settings? Is it self-collection? All of the above, something else.
Ruth Hauswirth:Yeah, I think it is all of the above. The settings, not ensuring that people really understand what their settings are on their phones, I think is a really significant one.
Kelly Twigger:And we talked about you actually including information about what settings should be in the legal hold.
Ruth Hauswirth:That's I would say, yeah, that for sure. And then also I'm a big proponent of not super long detailed directives to people, because again, there's only so much information that people can take in. But one of the most important things is to have this is what you should be looking at. What are your settings? It should be, you know, this is what it should be set to. And then if you don't know, this is who you call to get help and make that a really easy, non-friction, the frictionless thing for people to do. And make that very easy for them to have someone that they can reach out to and say, hey, do I have this set the way that it needs to be? Another thing that I think it they and this is this necessarily, I don't this may not happen in every case, but also maybe educating people and maybe even just educating your folks generally at your company, I think is a very wise thing to do. It just, these are holds, and this is what happens when a hold is in place. And this is what, even if you're not subject to a hold right now, this is what you should understand about why we're doing this. You know, just consciousness about, oh, I got a legal hold. What does that mean? Kind of a thing. But if someone gets a new phone, who should they contact to let them know that they're getting a new phone? Because oftentimes I've seen that a lot where problems have occurred because someone was preserving, but then they got a new phone, and then something happened with the transfer to the new phone. Keeping those kinds of things in mind, these are just really practical things. And not everybody has the same level of knowledge about how their phones work, and the phones are all different. The other thing that's really challenging in this area is security settings changes a lot. And so getting the information off the phones can also be challenging, and we have to work within those parameters. And the good thing about having some kind of playbook and procedures in place so that you're working with council internally or outside council, you're following some kind of playbook when you're doing this. You're working with providers that are up to speed on these things because it's not a good thing.
Kelly Twigger:Yeah, they know what how all these changes are happening, what all the new operating systems are throwing at you, how AI data is being captured, what how what the changes aren't exactly.
Ruth Hauswirth:All new and changing. And so, yeah, so those were the those are the most, I would say the most common self-collection is I I don't know how you feel about this, but I I there's nothing you can say. I don't think there are very many things that you could say, like never do this, never do that. But I do think that a phone collection in particular, no, I don't think that's without supervision.
Kelly Twigger:If I'm saying pure self-collection, it means that the person who has the information is making the choice about what to preserve, what to collect, and providing it to someone else with no input, no oversight. Now, I I even think that input is hard these days because you can't really have input unless you're actually looking at the data. So, in terms of self-collection, I say get on a Zoom call or a Teams call with your client, look at what you're actually talking about. You can do that via the mobile device too. So you can see what's on the mobile device. You've got to look at the data and make those decisions. Absolutely. Anything that is just the person taking the information themselves, that is pure self-collection and that is a an emphatic no-no in case.
Ruth Hauswirth:That's the one, that's the one bright line. Now, sometimes you may have a really sophisticated company that has devoted tons of resources to some sort of collection process that somebody might label that self-collection, but as long as it's not the person who's is doing it, and there is supervision, I agree, that can be reasonable under the circumstances. I think, especially with phones, I think it there has to be supervision of that. Yeah, absolutely.
Kelly Twigger:And I think as always, the facts of the given situation control how much supervision you're talking about. Right.
Ruth Hauswirth:Yeah, for sure. Everything in this area, right, is a risk-benefit. I do think that is a challenging area. But keeping hold notices, I hear this a lot. And it's the right thing to do to make them a very clear, directive, a human, plain English. This is what's happening. This is who you call if you need assistance. There isn't really a lot of magic language that you need in there. It needs to inform that information needs to be preserved. This is information that you we understand that you have. Don't do anything until we are instructed otherwise and reach out if you have questions. But making sure that there are some key points that we, as we mentioned, I think legal holds is a really important area that is relatively easy to implement and to have in place. It is.
Kelly Twigger:Some concerning case law this year and last year that allowed for the release of the whole documents of legal holds in certain situations, very specific situations. So I'm not in any way suggesting that your legal holds are automatically discoverable. They're not. There has to be a good basis for that. But um, it's important that you're thinking carefully about what is in your legal hold. And and I'm gonna use that, what you just said with the legal hold transition to, because we've talked about what the new guidance is, that the new guidance is really what civil courts are also expecting in terms of your ability to provide this information from mobile devices. If we're talking directly to a general counsel or to the person at an organization that's responsible for meeting these obligations, and they say, we have zero handle on what we're doing with mobile devices, what are the first three concrete moves that you could tell them to make right now within within a few days or a month or whatever of hearing this podcast? What are three things they can do?
Ruth Hauswirth:One thing is to get our handle quickly around what are people using and and just what are the applications right now that we understand that people are using company offer from the company, and then a little harder to find out what are people using that isn't company sanctioned. But that would be the first thing. Figure out what people are using and what you are okay with your company using and publish that. Get something out to people that says, these are the apps that we offer you to use for texting and collaboration communication within the company. Don't use other channels or other types of applications.
Kelly Twigger:And just scope and address. Scope, address, make it an issue. Yeah.
Ruth Hauswirth:Something else quickly that just you could do this quarter is a mock kind of let's say today we got a CID or you know, we got a preservation demand, we're subject to litigation hold. What's our response? What do we do? How would we respond to that? What would we do as a company? That could be informative to see where they're an informal, very informative. It could be very informal. It's what they do on the privacy side with tabletops, with data breach. You know, you could do something very similar. It doesn't have to be, again, a major undertaking, but just it can be very informative about wow, we don't have a lot of collaboration in place for all the different sectors that this could touch. That could be another thing. The legal hold. Legal hold, a bigger legal hold. Yep, absolutely. And then the other thing I think that's worth doing is looking at your mobile device use policy and making sure that that mobile device use policy is in alignment with what you need at your company. Because there's not, there's not a one way to do this. It's one of those areas that is very specific to an organization and the organization's culture, the way they work. There are different things that you can deploy to make sure that you're doing it in a risk-focused and safe way to is protective to the company. But I think in line with what we're talking about, I think that's an area where it can be very all over the place inside of organizations. If it were me, that would be something that I would do sooner rather than later, is look at a lot of times those programs are put in place by IT departments. And I get the reasons why that may have been an issue. Like, let's just have everyone use their own device because it costs a lot less. And then you also how humans don't want to carry two phones. I mean, the only people I know that carry two phones are eDiscovery warriors. And so that would be my other thing, I would say, worth time and effort and the pay. Off could be really good.
Kelly Twigger:Go up an assessment of understanding use of applications on mobile devices. Do a mock exercise, update your legal hold, understand what your policy currently covers if you have one and whether it's being audited and actually enforced, or develop a policy. Yeah. So as our takeaways. All right. This has been awesome. I'm going to just close this out with one last question. And if you had just one thing that you want litigators, in-house teams, everyone trying to grapple with this issue to stop saying about mobile discovery, and one thing that you'd like them to start saying instead, what would that be?
Ruth Hauswirth:One thing I'd like for people to stop saying it's a personal device. So it's off limits. That's not true. That's not true. It's and sort of related to that. If if we're using it for business, then we have to make sure that we can put appropriate controls on that and preserve if we need to. And if we can't use it for business, like just some clear guidelines around that. I know that's hard to implement, but it's hard. And those of us who've been doing information governance for a while, we know that people will find ways to do things. When you say don't do this, they might find a way, they might still do it. So the other thing is don't just have a policy on paper. Have a policy or procedures in place that are actually practical, that can be implemented and monitored. It doesn't have to be perfectly enforced, but have some dedicated resources to just ensuring that it's actually accomplishing the goal. Don't do the just on paper thing. I get how hard it is to do this, but I hope one of the things that people take away is that yes, there's a lot of terrible things that can happen and those huge fines and what we go through in litigation can be so expensive. But there are so many benefits to being proactive and having a front-ended approach, and you don't have to do everything all at once.
Kelly Twigger:And just as a kind of wrapper around all of that, what the courts require is that you provide relevant information that is proportional to the needs of the case. And the case law is really going away from limiting that depending on where the information exists. And it's consistent not just across mobile devices, but cloud storage and all the places. So you need to know what ESI your people are creating that's going to be subject to discovery, and you need to have a way to handle it. And these mobile devices are just one element of that. But the fact that the government has put this guidance out here, which is what we started with, has meant that the courts are also embracing it. And so it's something you got to do.
Kelly Twigger:Ruth, this has been tremendous. Yeah. Love it. I love it. I love it. I love it. We need to have another one where we talk specifically about AI because we had such a great conversation about that. And that's a whole nother hour for us to cover. So huge thank you to you. Thank you so much for bringing your expertise and guidance here for everyone to be able to leverage. And I look forward to that next episode. And we'll see you in Florida.
Ruth Hauswirth:You, Kelly. This was great. Thank you.
Kelly Twigger:Thanks. Bye-bye. You've just heard my mobile minutes conversation with Ruth Hauswirth from Cooley. And if you take nothing else away from it, take this. Your mobile and off-channel communications are now core evidence and a core part of your compliance story. Regulators have told us in writing that if business is happening in texts, WhatsApp, Signal, Teams, Slack, and every other chat tool out there, they expect you to have policies, training, and a real way to preserve that data. And we're seeing what happens when organizations don't. Record keeping charges, eye-watering penalties, and a discovery record that's a lot harder to defend in civil litigation. For litigators in-house counsel and anyone who touches mobile device data, the homework coming out of this episode is pretty straightforward. Figure out where your people are actually communicating, make sure your legal holds and policies reach those channels, stop relying on ad hoc self-collection from phones, and build a repeatable playbook for when regulators or opposing counsel ask for mobile data.
Kelly Twigger:Mobile Minutes is developed in partnership with Mode One Technologies, which focuses on helping organizations make mobile collections more targeted, remote, and defensible. So the strategies we talked about with Ruth are actually doable in practice without turning every phone into a weeks-long fire drill. And if you want to keep this conversation going, please come and see me and Ruth at the University of Florida eDiscovery conference this year. We'll be there in person, and virtual registration is free. I'll drop the registration link in the show notes. In the meantime, your call to action is simple. Sit down with your litigation, eDiscovery, and IT teams and ask three questions. Where does our mobile data live? How do we preserve it when it matters? And what's our plan when someone with a badge or a subpoena wants to see it? If you don't like your answers, that's your roadmap for the next quarter.
