We all know that our work emails aren't private. Our employer can access them for a variety of reasons, including compliance issues, commercial litigation or employment disputes. In fact, we also know that even if we were to try to delete our work emails, they're almost certainly stored on back-up servers that we can't control. That's why our company's lawyers and compliance departments remind us to think twice before putting something in a work email that could come back to haunt us. But work-related communications sent from personal cellphones can be just as discoverable as official work emails. And the procedures for mining those emails is something many people are unaware of: when a tech company gets hired to collect those work-related communications, the first step will be to collect all data from you're personal phone, whether or not it relates to your job or the substance of the investigation.

If you're sure that you've never communicated about work through anything other than your work email—and that no one else within your company has done so either—feel free to stop reading. If not, hear us out, and consider forwarding this article to your in-house counsel and compliance team (via your work email, of course).

Personal Data: They Can't Collect That, Can They?

Most people think that their text messages are private communications: quick notes to a friend or relative, never to be seen by anyone else. Now, it's no secret that authorities can get a look at communications, including text messages, in government investigations—just ask Roger Stone. Indeed, government regulators now routinely collect text messages from employees' personal phones as part of an investigation involving their employer. Many people would find this invasive enough on its own, even without knowing how this complex extraction process begins: By "imaging" the complete contents of the individual's phone.

This process is rapidly becoming the "new normal": In white-collar investigations, including those conducted by the SEC, CFTC and congressional committees, communications that employees have on their personal devices are routinely sought by the government and must be turned over to the government if they are work-related. Employees of companies under investigation are often surprised to learn this, and, at a time when data breaches seem almost routine, they are reluctant to turn over their private communications to anyone—even their own lawyers, much less their companies' lawyers. These potentially relevant communications present significant challenges to companies too. They face not only considerable cost and complicated logistics for searching and producing these materials, but also uncertainty about what employees might have said over text. The "smoking gun" email that a company can identify early in the process is difficult enough; worrying about "smoking gun" text messages that could be lurking in the background takes the problem to a new level.

Collecting Internal Email: Ah, Those Were the Days

Getting caught in the government's crosshairs is never fun. Companies targeted by a government investigation have always faced costs, headaches, and frustrating intrusions into company and employee communications. Early in an investigation, prosecutors or regulators typically serve a subpoena or request for documents, seeking documents relevant to the suspected wrongdoing. Companies typically begin compliance by hiring outside counsel to review documents culled by the corporate IT department. Outside counsel identifies responsive (and non-privileged) material, and produces these documents to the government, which conducts its own review. The government then usually requests meetings with relevant employees to discuss the suspected misconduct, using the company's documents to guide its questioning.

The types of documents turned over to the government during this phase are often case-specific and usually include internal corporate policies, PowerPoint presentations, and Excel spreadsheets. But for the government, the treasure trove of "hot" documents—those that include unfortunately phrased comments or even admissions—is often found in emails. Unlike vetted and edited memos and presentations, people often send emails without adequate thought or deliberation. That renders email far more likely to contain references—often misconstrued—that provide the government with ammunition it can use during interviews of company employees.

Producing emails is a pain for both the company and its employees. But many companies have developed systems for identifying and reviewing potentially responsive emails, which reduce the time and financial burdens of responding to subpoenas requiring their production. Identifying and producing responsive text messages can be more of a challenge. The collection and production of work emails is far less costly—both financially and in terms of risk to the company—than personal communications, such as text messages and private emails. As a result, employees' use of their personal phones for work purposes opens the employer to immeasurably higher risks of financial costs and legal issues.

Personal Text Messages: What Do You Mean by Personal?

Like most people, you probably consider your smartphone an integral part of your life. It gets you there (Uber), tells you what to do when you get there (Yelp), orders you something to eat when you get there (Seamless), and lets you know what other people did and ate when they got there (Facebook). At a time when people use their phone for anything and everything, they forget what they shouldn't use it for: work-related communications.

Under many companies' policies, employees are required to limit their work-related communications to work-approved platforms—i.e., from their work email address. But in real life, people cannot resist texting coworkers, clients and customers. Text messaging is simply too quick, too easy, and too much a part of our everyday life. It doesn't help that many companies lack clear policies against such practices, and those that do have policies often fail to communicate them effectively.

Whether we blame vague corporate policies or employees' failure to follow them, the widespread use of non-work platforms for work-related communications is no secret. Regulators know that the people they're investigating do not necessarily limit their work communications to work emails. So they now regularly demand that these communications be collected, searched, and produced with the same scrutiny as company emails. Unless an employee can say with complete confidence that he never used text messaging for work purposes (or never texted during the relevant time or with people of interest), the company and the employee will need to search for produce those communications.

The Challenges

The implications of all this are still emerging, but it's already introducing costs, raising privacy concerns, and straining technological capabilities.

Cost

This process can quickly become expensive, cumbersome, and complex. Unlike the company's retrieval of its own emails—a routine task for IT specialists on the company payroll—this process typically requires the aid of a third party vendor. To "image" a phone, the vendor will likely need to meet with the employee and keep the device for an hour or more. The costs can add up quickly, and then there are fees for data hosting and for outside counsel's IT specialists.

Privacy

Using outside vendors raises new privacy and security concerns for the company and for employees. Even if a vendor employs first-rate security methods—encrypting data after imaging the device, sending it to outside counsel, and immediately destroying it, for example—nothing is foolproof. Frequent recent data breaches, affecting millions of Americans, convinced many that no data is truly safe, especially in the hands of a third party. And because that third party will image the employee's entire phone before working with outside counsel to identify work-related communications responsive to the government's requests, a large amount of undeniably personal data—including family photos, text messages between spouses, and a phone's entire contact list—will be extracted from the employee's phone. To be sure, outside counsel and the third-party vendor will take every precaution to protect that data from ever seeing the light of day. But even with those precautions, most people are understandably reluctant to turn over such personal information in an era of hacks and data breaches.

Logistics

Determining what to search on someone's phone is another challenge. Even if an employee only communicates with one client, the vendor will still need to pull all the data, and counsel will need to review it for responsiveness. What about saved voicemails from colleagues and unidentified numbers? Those aren't even text searchable, so outside counsel may need to listen to each message and determine whether it's responsive (or hire a vendor to convert the voicemails into a searchable format).

Potentially responsive communications can include anything that is work-related. An employee on WhatsApp, Marco Polo or SnapChat is creating communications potentially responsive to a future subpoena. And if you've never heard of Marco Polo (the app, not the explorer), for example, you've stumbled on an additional challenge: determining which apps and methods of communication your employees might have used for work. People can confidently say they never "texted" for work, but if you don't know whether to ask about other apps, they may not even think to mention them. This is very much the job of outside counsel—if you ask people whether they texted for work, they'll tell you about texts, but if you want to know about other communications, you better ask about them.

Responsiveness

A series of emails typically covers a limited number of themes—your coworker sends you an email about an upcoming presentation, and you each exchange emails about that meeting until you've resolved the outstanding issues. But text messages do not contain subject lines, and often flow from one topic to the next without clear demarcations. This tendency to jump from topic to topic—and back to a prior topic—makes it exponentially more difficult to determine which text messages might be responsive to the government's requests.

Steps to Take Now

In-house legal and compliance departments should make it clear to all company employees that work-related communications must be made over the company's email system or other platforms authorized by the company. They also should collaborate with outside counsel to set forth clear guidelines—in writing. Those guidelines should leave no doubt: employees must confine work-related communications to work-approved means. In addition, the company should hold in-person meetings and training sessions to communicate the policy and ensure that employees understand it.

Smartphones—whether they are owned by your company or owned by you, paid for out of corporate coffers or as part of your family plan, protected by two-step verification or overflowing with apps from the former Soviet Union—are ubiquitous. We can now assume that the government will take the position that no electronic communication is private, and that everything is potentially within the government's purview. There's no predicting the future of technology of course, but only careful planning and effective communication with employees will prepare a company to respond to today's challenges, much less tomorrow's.

Matthew T. Murphy is counsel in the White Collar Defense & Corporate Investigations Practice Group.