Bloomberg Law
March 8, 2023, 4:37 PM

ANALYSIS: In Discovery, Hands Off My Third-Party Device

Golriz Chrostowski
Golriz Chrostowski
Legal Analyst

A surprising decision out of a New Jersey state trial court in 2021 allowed the plaintiff access to the personal cell phones of employees of a third party. Although the trial court order was reversed on appeal at the start of 2023, the case serves as a good segue into a review of the federal state of practice as it pertains to third-party discovery, particularly when it comes to the production of personal devices of third-party employees.

The Decision

In February 2021, the New Jersey trial court—in a case alleging violations of New Jersey racketeering and antitrust statutes—ordered third-party New Jersey Department of Health to turn over the personal cell phones of its non-party employees to the plaintiff’s forensic expert. The expert was permitted to hold on to the phones for a period of eight hours and to conduct a forensic analysis. In addition, the court ordered the health department and its own forensic expert to turn over all the previously extracted data in unredacted form—including mirrored device information—from the cell phones produced.

On interlocutory appeal, the appellate court reversed the lower court, finding that there was simply no justification for the trial court’s “extraordinary order,” as the health department wasn’t a party to the litigation.

The personal devices of employees were beyond the health department’s control, the appeals court said. It was also considered an invasion of privacy to order the employees to turn over their personal devices for several hours, along with the previously extracted data in an unredacted form. In addition, there was the potential for violating privilege or confidentiality attached to responsive documents or information, the court said.

Even though it’s a state court ruling based on state law, the New Jersey appellate court’s decision is much more consistent with the federal rules regarding third-party discovery. As the discovery of electronically stored information (ESI) becomes more prevalent, courts appear more conscientious of the need to balance litigants’ broad discovery rights with the rights of third parties.

Here’s a refresher on what federal law demands when seeking discovery from a third party’s personal devices.

Relevant and Proportional

When it comes to third-party discovery, the requesting party may seek non-privileged documents and information that are relevant and proportional to the needs of the case. However, the requesting party must take reasonable steps to avoid imposing undue burdens or expenses on the recipient of the subpoena.

The burden on the subpoenaed third party must be weighed against the value of the information to the requesting party. Is the information relevant? Is it proportional to the needs of the case? Can it be requested from other sources, including the litigants? Is the breadth of the discovery request reasonable and justified?

Ultimately, the third party must be protected from significant expenses resulting from compliance with the subpoena, especially because they aren’t a party to the litigation. Broad restrictions also may be applied to prevent the third party from suffering harassment and inconvenience.

Possession, Custody, or Control

One critical question in requesting and responding to any form of discovery is whether the documents and information are within the possession, custody, or control of the responding party.

In the case of personal devices of employees, federal courts are split on what circumstances render an employee’s personal devices subject to the employer’s possession, custody, or control. Generally speaking, “control” is context specific. The requesting party must show that the personal devices were used for work-related purposes, were issued by the third-party employer, or that the employer has any legal right to obtain the devices or data on it.

Contractual Control

Control—and the legal right to obtain the devices—may arise contractually. More employees are working remotely and utilizing their personal devices for business purposes than in the past, and many employers have begun to define rights and responsibilities regarding the use of personal devices in connection with the employer’s business.

The employer may contractually retain the right to access company-related content on the employee’s personal cell phone. An employer can do so by requiring employees to acknowledge or waive any expectation of privacy with respect to information on or transmitted from their devices for work-related purposes.

These contractual agreements, also known as the Bring Your Own Device (BYOD) Agreements, have limitations though. In some cases, all company-related information and communications may contractually remain the sole property of the employer. In other circumstances, the contractual agreement may only extend specifically to company-controlled data on an employee’s personal device, such as confidential and proprietary information owned by the company and disclosed to the employee.

For example, in the Pork Antitrust Litigation, the District Court for the District of Minnesota found that the BYOD Agreement only expressly granted the employer access to data that was sourced from the employer’s systems and synced between the mobile device and its servers, such as company emails, contacts, and calendars. It did not, however, give access and control to any text messages stored on its employees’ personal cell phones, even if they were work-related communications, the court said.

Employers must weigh the pros and cons of a broad BYOD agreement. On the one hand, it may be beneficial for the employer and its legal team to maintain control of any potentially discoverable information. On the other hand, a broad BYOD agreement would likely preclude the argument that the device and its data are outside of the employer’s custody, possession, or control. The employer is also under a continued obligation to remind employees of their retention policies, so that the employees don’t delete any potentially discoverable documents.

Privacy and Privilege

Courts also consider a third party’s rights to privacy and privilege when assessing the intrusiveness of the discovery request. A forensic examination by a requesting party’s expert is only allowed under extraordinary circumstances. There must be evidence that the third party intentionally withheld discoverable ESI, didn’t have the expertise to identify the responsive ESI, or failed to initiate a reasonable process to produce responsive ESI. Mere suspicion or speculation is insufficient. In addition, courts consider the proportionality of a forensic examination against the needs of the case.

Allowing carte blanche access to third-party devices may also raise issues of privilege, confidentiality, and privacy. Third parties have the right to assert privilege and confidentiality when responding to a subpoena request.

Consequently, it’s appropriate to have the third party or its employees search the personal devices for responsive information and review them for privilege or confidentiality before they’re produced. The employees can also support their production (or lack thereof) with a certification attesting to their searches and compliance with the terms of the subpoena and the law.

Applying these same discovery principles, the New Jersey appellate court appropriately held that without any evidence of wrongdoing, the requirement that the health department employees turn over their personal devices for forensic examination was “unduly invasive and burdensome, and beyond what should generally be required in civil discovery, particularly of non-parties to a litigation.”

Bloomberg Law subscribers can find related content on our Discovery practice page and our Litigation Intelligence Center.

If you’re reading this on the Bloomberg Terminal, please run BLAW OUT <GO> in order to access the hyperlinked content, or click here to view the web version of this article.