loading please wait..

Discovery of Salesforce.com (and SaaS) Data in Civil Litigation

cloud

Salesforce.com develops customer relationship management software that is, among other things, used to track sales activities. Salesforce.com products are offered as software as a service or, SaaS.  This means users do not install the software locally on their own computers, but access it via internet connection on salesforce.com’s servers.  As detailed in the court decisions that follow, discovery of data on SaaS servers presents unique challenges for both plaintiffs and defendants in civil litigation.

 

For plaintiffs’ lawyers the cases teach that preservation of relevant SaaS data (or data from other dynamic databases) must be confirmed at the beginning of a case and efforts should be taken to ensure that a data export or backup is created from the program to prevent against information loss and data change.  Plaintiffs’ attorneys should address SaaS preservation issues in litigation hold requests and during F.R.C.P. 26(f) or other initial discovery conference.

 

 

For defense counsel, the lesson is plain: gain a thorough understanding of your client’s technology and personally ensure that preservation efforts are implemented.  On its own, the SaaS provider may only back up a few months of information.  Also, if you are unfamiliar with the technology at issue in a particular case, take the extra effort to learn it.

 

Court: Attorneys are Obligated to Understand Software Used by Clients

In Brown v. Tellermate Holdings, Ltd., Case No. 2:11-cv-1122, (S.D. Ohio July 1, 2014), two employees sued Tellermate for age discrimination.  Tellermate denied any discrimination and contended it terminated the employees for poor performance.  As a result, to establish that that their sales performance met or exceeded that of others, the employees requested Tellermate’s Salesforce.com records.  Although Tellermate initially agreed to produce the information, it ultimately refused and after several attempts to meet and confer, the employees filed a sanctions motion.

 

In a lengthy opinion the magistrate granted the motion and touched on several issues for attorneys to consider in matters involving information stored on SaaS.

 

Tellermate’s attorneys offered several reasons for the failure to produce the records:

  • It did not maintain Salesforce.com information in hard copy;
  • It could not access or print out accurate historical information from Salesforce.com;
  • The information should be requested directly from Salesforce.com;
  • Tellermate was “contractually prohibited” from providing the requested information; and
  • Tellermate did not control data kept in Salesforce.com because it was Salesforce.com’s ESI (electronically stored information).

 

In the end, the court rejected each of these arguments and concluded that Tellermate’s failure to produce the information likely stemmed from its attorneys’ lack of understanding of SaaS. The court emphasized that an attorney is obligated to gain an understanding of technology used by a client and verify the client is preserving relevant information.  The court pointed out that when attorneys sign discovery requests they are attesting to a reasonable inquiry into the facts and therefore, client’s representations about its ESI may not always be taken at face value.

 

Pointing to testimony from one of Tellermate’s own witnesses, the court noted that it was simply incorrect for Tellermate’s counsel to state that historical information could not be gathered from Salesforce.com.  Nearly any Salesforce.com user could access information stored on Salesforce.com, including historical information. In fact, users with administrator authorization had wide access to information stored on Salesforce.com.  Indeed, one of the main reasons companies use customer relationship management software is to collect and review historical data on sales efforts.

 

The magistrate also rejected argument that Tellermate was contractually prohibited from disclosing the requested information.  In fact, the opposite was true. The license agreement for Salesforce.com states that Salesforce.com has no right in its user’s data and may not modify or disclose it without the user’s permission.

 

Extra Steps May Be Needed to Preserve Information in SaaS Applications

 

The court also faulted Tellermate for failing to preserve relevant Salesforce.com information despite receiving a litigation hold letter.  As is the case for most SaaS and database programs, the data is dynamic, accessed by multiple users and constantly changing based on each user’s input.

 

After Tellermate terminated the employees, it changed their login credentials and deactivated their accounts, but did not back up the information before doing so.  The court noted that Tellermate’s failure to back up or export the data precluded the employees from verifying the accuracy of the information Tellermate actually produced because they could not compare it to the data as it existed at the time of their firing.  Because Salesforce.com data is dynamic, and because the terminated employees account information could have been assigned to others, the data could have changed.

 

Not only did Tellermate fail to back up the terminated employees’ information, it did not back up information kept by other employees whose records were also requested in discovery. When Tellermate realized that its failure to back up the Salesforce.com was a problem, it learned that Salesforce.com only stores backup information for three to six months.  The judge noted that Tellermate’s lack of preservation was “almost inexplicable” and that “Tellermate knew from the outset that its termination of the [employees] was premised on their allegedly inadequate sales performance, making the performance of other sales managers or representatives crucial evidence in the case . . . Therefore, it should have been obvious from the outset that failing to preserve the integrity of this information would threaten the fairness of the judicial proceedings.” The court pointed out that attorneys have an affirmative duty to ensure relevant evidence is preserved and are obligated to do more than sending a directive to the client not to destroy information.  Attorneys must also speak to key players at the client to identify, search for, and preserve relevant documents.

 

In the end the court issued evidentiary sanctions prohibiting Tellermate from contending that it fired the employees for performance reasons and concluded:

 

The failure to preserve the integrity of the Salesforce.com information is just a different side of the same coin as the failure to produce it. Both shortcomings were premised on the basic inability to appreciate whose information it was and who controlled it. Apart from the fact that the licensing agreement and common sense suggested the information was Tellermate’s, and the fact that inquiries made to the right people would have confirmed that, counsel did seem to appreciate the fact that the information was constantly changing, and also the fact that Tellermate was not making any record of these changes or maintaining the integrity of the data.

 

**Update: The District Court Judge ultimately upheld the Magistrate’s decision. That opinion may be found here.

 

Preserving Hard Copies is not the Same as Preserving Electronic Copies

In Mills v. Billington, 04-CV-2205 (D.D.C. Aug. 21, 2013), the court permitted employee plaintiffs to subpoena data from a SaaS based employment database directly from the SaaS company because the employer preserved only hard copies of the information.

 

Like Tellermate, Mills was also an employment discrimination case. To prove their case, the employees sought information about hiring, promotions and other job related information the employer (The Library of Congress) kept in an online database. At some point during the litigation, the Library of Congress started using a different SaaS application to record and store the job related information at issue. However, the Library preserved only hard copy documents of the data in the old application and not electronic documents. This gave the court “pause because paper records are not equivalent to electronic access” to the data and permitted the employees to subpoena the electronic information directly from the software provider.

 

 

Even Information from SaaS Applications Not Ordinarily Accessed by Users May Have to be Produced

In another employment dispute, Williams v. Angie’s List, Case No. 1:16-cv-00878 (S.D. Ind. April 10, 2017), several employees sued Angie’s List for allegedly instructing them to under-report their hours. Arguing Angie’s List time keeping software records were incomplete, the employees’ attorneys requested Salesforce user logs that recorded Angie’s List employee’s use of the software. The employees believed that the Salesforce records would provide evidence of time worked by employees not recorded by the time keeping software.

 

Similar to Tellermate, Angie’s List argued it was not obligated to produce the Salesforce information because it was background information not ordinarily accessed by most users and Salesforce maintained the information not Angie’s List so therefore, the company argued, the records were not in the company’s “possession, custody and control“.

 

The court rejected the notion the data was not in Angie’s List’s possession, custody in control, noting that as a Salesforce customer, the company had the legal right to obtain data relating to its use of the software simply by asking Salesforce to provide the information (even if Salesforce charged for the information):

 

To conclude otherwise could introduce perverse incentives into litigation involving corporate entities. . . .  Angie’s List cannot avoid producing these data with the excuse that it has outsourced critical components of their employees’ work tasks, all while taking full advantage of the benefits of that outsourcing relationship. Where would the line be drawn? Could companies be heard to have stored other critical employment records with third parties and then resist production on the grounds that the third party holds that data?

 

The court also refused to shift the cost of producing the information to the employees noting that there is generally a presumption that a party producing documents is responsible for the costs in doing so and that Angie’s List has ample resources to cover the production costs.

 

 

Posted on August 7, 2018 in E-Discovery, Electronically Stored Information (ESI), ESI preservation, SaaS, Spoliation of Evidence

About the Author

Chad Main is an attorney and the founder of Percipient. Prior to founding Percipient, Chad worked as a litigator in Los Angeles and Chicago. He is a member of the Seventh Circuit Electronic Discovery Pilot Program Committee and may be reached at cmain@percipient.co.
10 E-Discovery Action Items for E-Discovery Meet & Confer Sessions
Enter your E-mail address below to download the cheatsheet.
We will not share your information.