Join Epstein Becker Green attorneys, Brian G. Cesaratto and Brian E. Spang, for a discussion of how employers can best protect their critical technologies and trade secrets from employee and other insider threats. Topics to be discussed include:

  • Determining your biggest threat by using available data
  • What keeps you up at night?
  • Foreseeing the escalation in risk, from insider and cyber threats to critical technologies
  • New protections and remedies under the Trade Secret Protection Act of 2014
  • Where are your trade secrets located, and what existing protections are in place?
  • What types of administrative and technical controls should your firm consider implementing for the key material on your network to protect against an insider threat?
  • What legal requirements may apply under applicable data protection laws?
  • How do you best protect trade secrets and other critical technologies as information increasingly moves into the cloud?
  • Using workforce management and personnel techniques to gain protection
  • The importance of an incident response plan
  • Developing and implementing an effective litigation response strategy to employee theft

Wednesday, October 3, 2018.
12:30 p.m. – 2:00 p.m. ET
Register for this complimentary webinar today!

Human Resources and Payroll should advise employees in their departments to be on the lookout for the latest tax season phishing scam designed to steal employees’ tax related information and social security numbers. Given the regular frequency of these types of attacks, employers should be taking appropriate steps to safeguard employee Personally Identifiable Information (“PII”).  At a minimum, Human Resources should have in place written policies regarding the handling of employee PII and provide training designed to protect employee PII against a data breach.  Because Human Resources works with employee PII on an everyday basis, it may be the best equipped to secure sensitive personnel information against the type of fraudulent scheme highlighted in the recent IRS alert.

On February 2, 2017, the IRS issued an urgent alert to employers regarding a phishing scheme intended to steal employees’ tax related information to commit identify theft and tax fraud. The IRS reports that the scam involves spoofing an email to make it appear as if it is coming from an organization’s executive.  The email is sent to an employee in the Human Resources or Payroll departments, requesting a list of employees and their Forms W-2.  The IRS reports that the phony email may also request the names and social security numbers of employees with their addresses and dates of birth.  Since the email is disguised to be from an internal email address, should the HR or Payroll employee respond with the information it will actually be sent out of the organization to a cybercriminal.  The phishing scam is presently targeting healthcare organizations, shipping companies, school districts, restaurants, and temporary staffing agencies.

What preventative steps can be taken to guard against these attacks? Human Resources should ensure that policies and procedures are in place requiring that the sending of employees’ confidential tax related information by email only be done with 100% confidence that the intended recipient is within the organization and has requested the information. Indeed, the IRS advises that employers consider adopting written policies that govern the electronic distribution of confidential employee Form W-2s and tax related information.  One simple protective measure may be that a phone call confirmation is required before hitting the send button.  As a general matter, employers should have in place comprehensive written policies and procedures that govern the electronic sending, receiving and storage of confidential personnel related PII and provide workforce training to protect against data breaches and fraudulent schemes.  In addition to procedures verifying that the recipient of sensitive PII is actually within the organization, employers may also want to consider technologies providing for use of encryption when sending personnel related PII by email.  The maxim that “an ounce of prevention is worth a pound of cure” is in full effect here since a well thought out strategy is the best defense.

For years, companies have been struggling to understand the multitude of locations where their data resides. From traditional employment files with embedded Social Security numbers, to new-aged hiring software with videos of job applicants, and enterprise software used to facilitate employee communications, controlling employee, customer, and corporate data is, to say the least, a logistical challenge. One of the newest entries into the mix is the increased use of ShadowIT and cloud-based storage systems.

ShadowIT involves workers’ use of unsanctioned products and applications to perform the work of the business enterprise. In other words, ShadowIT occurs when employees use their personal emails and applications, such as a cloud-based storage system, instead of company-approved solutions. According to a recent survey, about one-third of IT use is considered ShadowIT. Whether responding to a subpoena in a wage and hour dispute, attempting to safeguard previous corporate secrets, or analyzing the extent of a data breach, a company’s failure to understand the scope and location of ShadowIT data could be problematic. Companies should have policies in place regarding employees’ (and other workers’) use of unapproved applications, but there should also be an understanding that a policy is not a panacea.

For data storage, recent studies show that most organizations are using over 1,000 cloud-based services. Indeed, one such study found that an average organization had 1,154 cloud services in use. This large number demonstrates that companies must manage the sheer volume of data in the cloud or potentially be exposed to liability.

Companies must also think about physical storage when a laptop or a phone is stolen and suddenly control over data on that item is lost. One leaked file in California, for example, could require a company to send out a data breach notification to millions of customers in California (an issue magnified under varying state laws as well in the current landscape). No overall system is perfect for this task, and the idea that company data can be completely controlled may be an illusory one, but there are important issues for companies to consider and sensible steps that they should take to safeguard data, including the following:

  • Survey ShadowIT Usage. Companies should consider conducting anonymous data audit surveys of employees to find out what other applications or products employees are using to perform their jobs. The company can then review its IT department to determine if it lacks the functionality for a certain program or if the problem of unsanctioned product use is simply a result of a lack of employee education as to the sanctioned products available to employees.
  • Manage ShadowIT Usage. Employees using ShadowIT or unsanctioned products create control risks for companies, and employers may consider disciplining employees for not following corporate policies on approved applications. On the other hand, having draconian disciplinary measures in an effort to maintain control over data will not necessarily stop ShadowIT use but may force it deeper undercover. Discipline could also have an adverse impact on employee engagement and retention.
  • Consider “Amnesty.” Companies should consider whether it makes sense to implement a time-limited policy, whereby employees can bring their unapproved software or application to the IT department to see if the program can be moved onto an approved list from the corporation, without the threat of discipline or sanction.
  • Review Vendor Contracts. Companies should review their contracts with vendors for approved cloud-based products and software. This may include auditing other cloud-based companies where data is stored to ensure that the company is adhering to best practices of network security. The contracts should contain data breach notification clauses, as well as indemnification agreements, when possible.
  • Train Workforce. Frequently, employees are the “weak link” in data control efforts, as they are often the cause of a data breach into a company’s secure network. Training employees about how to spot scam phishing emails and protect intellectual property can go a long way toward mitigating that risk.

Technology is constantly evolving such that there will always be a new product or service that could potentially be a benefit to employee productivity. A ShadowIT survey, while helpful, is only a look back in time. Companies need a way to address ShadowIT use as it evolves going forward. A company prohibition on ShadowIT without some method for employees to submit new products for consideration without fear of reprisal keeps the company in the dark about its data. Companies must also be mindful of the other cloud-based providers’ security protocols and the likelihood that a third party could accidently let sensitive data out into the public domain.

A version of this article originally appeared in the Take 5 newsletter “Five Trending Challenges Facing Employers in the Technology, Media, and Telecommunications Industry.”

Featured on Employment Law This Week® –  Pokémon Go creates privacy concerns for employers.

The first mainstream augmented reality game is sweeping the nation, and the game never stops, even during work hours. Despite a recent update to the game that reduces its access to players’ Google accounts, Pokémon Go’s data collection practices are under fire from privacy advocates. The Electronic Privacy Information Center has joined the fray, calling for the FTC to investigate security risks associated with the game. In light of the popularity of the game, employers should consider adding more detail into their policies about how and where business mobile devices can be used.

See the episode below.

DSCN0843Employers in the technology, media and telecommunications industry are faced with many workplace management and legal compliance challenges.  Among these are trends in the shared economy and rise of the contingent workforce, data privacy and security, and use of social media in connection with recruitment, employee monitoring and termination.  At the recent  Epstein Becker Green 34th Annual Workforce Management Briefing held at the New York Hilton, members of the firm’s TMT Group including the authors of this post, along with in-house counsel speakers Rebecca Clar of AOL and Blake Reese of Google provided a panel workshop on these hot-button issues.  Some of the key take-aways from the workshop include:

Shared Economy & Contingent Workforce

As a result of changes in the post-recession, global economy, there has been a tremendous change in how goods and services are delivered and how consumers acquire these goods and services.  As businesses try to meet these demands and save costs associated with full time employees, they have implemented many alternative work arrangements and hired workers through various means including as independent contractors,  through staffing arrangements, or temporary solutions.  Many workers also have become attracted to the flexibility that these work arrangements can provide to them.  However, employers need to be mindful of the potential pitfalls associated with the contingent workforce and take requisite steps to avoid legal risks:

  • Worker misclassifications can lead to back pay, overtime, tax, unemployment insurance, and workers compensation violations as well as employee benefit plan eligibility and coverage errors.  Ensuring that workers are properly classified is mission critical and employers should self-audit their work arrangements and benefit plans periodically for compliance.
  • The NLRB’s decision in Browning-Ferris, coupled with new “quickie” election rules and the Silicon Valley Rising movement have made for a perfect storm of issues.  As a result, TMT employers who may not currently be represented by a labor organization should be mindful that non-traditional workplaces and corporations, such as new media, may be targeted for unionizations, and/or may be brought to the bargaining table as a joint-employer who engages third-party workers.
  • Given the developments at the Department of Labor, and in particular, the proposed increase in the minimum annual salary requirement in order to meet the salary basis test of the white collar exemptions, there has never been a better and more opportune time to conduct a self-assessment audit in conjunction with counsel.

Data Privacy and Security

In the global, digital world, data privacy and security is top of mind for all organizations and their leaders.  Protecting organizational data, as well as that of employees, is imperative and development of data privacy and security policies will become the norm. The issues employers should address in their policies, as well as the ways in which they do business, include:

  • Conduct a self-audit of organizational networks and systems for security vulnerabilities and train workers on information security best practices
  • Establish audit procedures of vendors engaged to provide services to the organization and any employee benefit plan, especially where the vendor stores information in the cloud or remote data centers
  • Address data privacy and security issues in service agreements including notification procedures and indemnification provisions
  • Develop a breach response plan
  • Obtain cybersecurity insurance
  • Remember:  data privacy and security are no longer just CIO/CTO/IT issues – instead, these are topics that are increasingly becoming relevant in the employment law and employee benefits space.

Social Media and the Workplace

The use of social media by employers to review background information of prospective employees in the recruitment process, as well as ongoing activities during the employment or leading up to a termination process is highly prevalent.  It is easy for employers to search an employee’s name, background and activities on the internet but, how that information is used can have legal implications.  Employers should be mindful of the following:

  • Always rely on objective criteria set forth in a job description before conducting an online search and retain information among the recruitment team at the organization
  • Carefully document reasons for all hiring (and termination) decisions that are consistent with the job description and avoid discriminatory decision making
  • Consider separating the search and decision making functions and train employees searching to remove protected categories from summary of results, upon which hiring decision is made
  • Develop a company social media policy with counsel that is narrowly tailored to survive NLRB scrutiny, but that safeguards the company’s treasures and secrets.
  • Employers can continue to discipline employees for their social media activities, provided that the objectionable conduct does not implicate Section 7 behavior – a fact and circumstances based analysis that may be counterintuitive to HR and in-house personnel.

Employers that address these issues head-on will be able to benefit from the advent of new technologies in the workplace and stay in compliance with applicable laws.

IMG_0019IMG_0023IMG_0029IMG_0030

Today, Law360 published our article “Considering Best Data Practices for ERISA Fiduciaries.” (Download the full article in PDF format.)

In this article, we outline steps that ERISA plan fiduciaries can take to develop a policy concerning protection of plan data and prudent selection and monitoring of plan service providers who handle PII.  Benefit plan service providers, including technology-based outsourcing companies, should also consider these important guidelines and implement the appropriate safeguards to protect against infringement of plan and participant data.  These issues must be addressed in service arrangements and will continue to evolve.

Following is an excerpt:

Employee benefit plan fiduciaries are charged with meeting a prudence standard when discharging their duties solely in the interest of plan participants and beneficiaries. With increasing regulation of benefit plans, these duties and associated responsibilities are mounting. With advancements in technology, online enrollment and access to account information, as well as benefit plan transaction processing, participant identifiable information and data have become increasingly more vulnerable to attack as it travels through employer and third-party systems.

Earlier this year, the attack on Anthem Inc.’s information technology system, which compromised the personal information of individuals under numerous health plans (including personally identifiable information, bank account and income data, and Social Security numbers), raised questions of privacy and security under the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act, and there have been other similar attacks.

These cases remind us that in today’s world, plan participant information, whether it be protected health information, personally identifiable information or retirement savings account information, is vulnerable to theft. Employee Retirement Income Security Act plan fiduciaries must not only act prudently in responding to a breach of their plan participants’ PHI, but should also consider developing prudent policies and procedures with respect to the handling and transmission of all PII and participant data in the regular course.

In 2011, the Advisory Council on Employee Welfare and Pension Benefit Plans studied the importance of addressing privacy and security issues with respect to employee benefit plan administration. The council examined issues and concerns about potential breaches of the technological systems used in the employee benefit industry, the misuse of benefit data and PII and the impact on all parties, including plan sponsors, service providers, participants and beneficiaries. The council recognized several potential causes of breaches relating to benefit plan information, including hacking into retirement plan financial data, and recommended that the U.S. Department of Labor provide guidance on the obligation of plan fiduciaries to secure PII and develop educational materials. To date, the the Department of Labor has issued no such guidance.

Corporations incorporated in Delaware, regardless of whether they are domiciled in Delaware, should take note of a new Delaware law that went into effect on January 1, 2015 regarding the destruction of unencrypted personal identifying information concerning employees.  Under the new Safe Destruction of Records Containing Personal Identifying Information law (19 Del. C. § 736), employers are required to take “reasonable steps to destroy or arrange for the destruction” of unencrypted records containing employees’ “personal identifying information.”  Upon passing this law, Delaware joined the list of 30 other states that have laws regulating the disposal of personal information, including New York and New Jersey.

The new safe destruction of records law is part of Delaware’s “Right to Inspect Personnel Files Act,” which broadly defines “employer” to include “any individual, person, partnership, association, corporation . . .”  While courts have yet to determine the issue of whether the Act’s expansive definition of employer automatically includes all corporations incorporated in Delaware, regardless of where they are domiciled, a reasonable interpretation of the Act and recent speculation in the media is that the Act, and the new safe destruction of records law are intended to apply to all Delaware incorporated corporations.

The new law also broadly defines both the terms “records” and “personal identifying information.”  The term “records” is defined as “information that is inscribed on a tangible medium,” and includes information “stored in an electronic or other medium.”  Under the law, “personal identifying information” means “an employee’s first name or first initial and last name” combined with any one of the following:

  • Social Security number;
  • passport number;
  • driver’s license or state identification card number;
  • insurance policy number;
  • financial services account number;
  • bank account number;
  • credit card number;
  • debit card number;
  • tax or payroll information; or
  • confidential health care information.

Companies wishing to destroy unencrypted personal identifying information must shred, erase or otherwise destroy or modify the personal identifying information in the records so that it is rendered unreadable or indecipherable.  A company who fails to properly destroy unencrypted personal data in accordance with the law could be subject to a civil action as the law provides a civil remedy to employees who incur actual damages due to a reckless or intentional violation of the law.

Given the number of companies that are incorporated in Delaware, this law has the potential to affect a large number of individuals and corporations located outside of Delaware, and further guidance should be monitored.  Employers who are incorporated in Delaware should examine and update their data destruction policies to ensure they are in compliance with the new Delaware law, as well as any other similar applicable laws that are in effect in states where they are domiciled and/or have employees located.  Epstein Becker & Green, P.C., attorneys can assist with updating existing, or developing new, policies to comply with these data destruction laws.

In light of the many high profile cyber-attacks on businesses this past year, employers should assess their vulnerability relative to data breaches and take steps to protect themselves from hackers as well as more innocuous business practices that could result in data breaches. Businesses that handle protected health information are regulated under HIPAA to adopt administrative, technical, and physical safeguards to protect the confidentiality of this information. However, various state and federal laws place duties upon employers to protect non-HIPAA-covered sensitive information in a secure manner.  Considering the recent hacking attacks, as well as the Obama Administration’s focus on cyber-security issues businesses should understand their risk relative to cyber security and consider adopting these safeguards to reduce their vulnerability to a business acceptable level. As discussed below, businesses should protect their customers, employees, and themselves by: (1) conducting a risk assessment to identify their system’s vulnerabilities; (2) adopting and regularly auditing compliance with network security policies; and (3) utilizing physical safeguards to deny unauthorized users system access.

In the wake of the massive attacks against Sony, its employees have filed a putative class action Michael Corona and Christina Mathis v. Sony Pictures Entertainment Inc., No. 2:14-cv-9600 in the U.S. District Court for the Central District of California, alleging that Sony was negligent for allowing itself to be hacked. The Complaint alleges that Sony breached its duty to its employees to implement technical safeguards, specifically: “failing to properly and adequately encrypt data, losing control of and failing to timely regain control over Sony Network’s cryptographic keys, and improperly storing and retaining” personal identifying information. Businesses should conduct a risk assessment or penetration test to determine their network’s vulnerabilities and ensure that they are exercising reasonable care in protecting employee information. This will allow businesses to identify and address their most pressing vulnerabilities.

Even the most formidable of technical safeguards can be compromised without adequate administrative safeguards such as policies regarding the storage of confidential information and computer use. In addition to implementing these policies it is vital that employers adequately train employees regarding these policies. ICANN, the nonprofit organization in charge of assigning internet domain names, was hacked this past year. The hackers penetrated ICANN’s security using a “spear phishing” attack against ICANN’s employees. The hackers disguised emails containing malware as internal ICANN emails, and an employee fell for the ruse. Adopting robust internet security policies and educating employees on how to follow these policies greatly reduces the risk of an employee compromising network security. Employers should also audit their network security policies on an annual basis or as systems change to ensure compliance with these policies.

By limiting access to workstations and electronic media, companies can implement physical safeguards to protect confidential information. By requiring employees to keep doors locked and not leave company devices unattended, as well as enforcing and educating employees regarding these policies, employers can reduce their vulnerability to hackers.

In addition to HIPAA and common law negligence claims, victims of hacking are subject to state laws requiring them to notify everyone whose information may have been compromised. Because each state’s law protects residents of that particular state, companies may be subject to a variety of different disclosure requirements. For example, an employer with employees in California, Virginia, and New York would be subject to three different sets of laws governing the content of the disclosure and who is entitled to receive it.[1] All three laws punish failure to promptly disclose a data breach with consequential damages associated with the cost of identity theft protection, and the economic consequences of identity theft. New York’s law also provides for punitive damages of up to $150,000 for knowing or reckless failures to promptly disclose.

More data breach reporting laws are likely on the way. The Obama administration recently proposed a federal data breach reporting law and the New York Attorney General recently proposed measures to toughen New York’s law. Businesses should carefully monitor new legislative developments to ensure compliance with the most up to date guidance in this rapidly transforming area of the law. Epstein Becker & Green, P.C., attorneys can assist in conducting risk assessments and penetration tests and assist in developing network security policies.


[1] California Civil Code § 179.80; Code of Virginia § 18.2-186.6; New York General Business Law § 899-aa.

By Steven C. Sheinberg, General Counsel of the Anti-Defamation League & Guest TMT blogger.*

A recent McKinsey report on twelve “disruptive” technologies included four that will fundamentally transform how employers relate to their employees: mobile Internet, automation of knowledge work, the Internet of things and cloud computing. I would add to the list three results of these technologies: big-data, cybercrime and privacy.

From an employment law perspective, the common element here is data – data that flows to, is stored by, and is used (or misused) by employers, third parties and employees.

Employers

As new devices and technologies are deployed, employers will likely inadvertently gather information they probably do not want – for instance, protected health information (perhaps by detecting a disease-related app on a phone) or detailed records of employee movements (which can be very harmful in wage and hour litigation).

As employers look at these (and other) large pools of data (including applicant data), some will wish to “mine” this data using increasingly low-cost “intelligent” automated systems.  Such work has to be carefully done – both algorithmic errors and poor statistical methodology can easily lead to significant errors in the information derived from the raw data.  The results, from at least an EEO point of view, can be quite disastrous.

This data will likely be stored on third-party “cloud” storage systems –an arrangement that will raise new risks for employers.

Third Parties

Employers need to be concerned data in third party hands — whether it is there intentionally or not.

For instance, employers ask employees to use devices that are loaded with third party apps – and sometimes they even ask employees to use these apps.  These apps routinely collect significant amounts of data, including location and unique device identifier information. Such data can be combined to create a very detailed profile on users.   This data – owned, protected and even sold by these third parties – can create a new window into an employer’s operations that litigants and corporate spies alike would love to see.

Next, data will inevitably end up in third party hands through litigation and discovery.  As the cost of sophisticated analytics concerning that data is falling, there will be a sea-change in how employment cases are litigated – especially class actions.  And in the regulatory and EEO context, as a recent White House panel on so-called “big data” concluded, “the federal government should build the technical expertise to be able to identify practices and outcomes facilitated by big data analytics that have a discriminatory impact on protected classes.”   The use or misuse of this information by the government or litigants will require a very sophisticated legal response – one that will likely involve the world of statistical analysis and coding.

Information will also end up in third party hands through crime.  Whether inadvertent or not, the primary source of data breaches is through an employee’s keyboard.  As the breaches continue and the costs rise, employers will have to take radical approaches to data protection, including new levels of data segregation, radically shoring up security-related policies and treating mobile phones, whether company-owned or not, as on par with laptops.

Employees

As data is produced by more and different devices, there will be serious questions about who owns the data those devices store and generate.   Will an employee-owned, GPS-enabled app used on a “BYOD” device contain data that is owned by the employee (say, concerning their fitness activity) or, because it was worn during work, will it contain proprietary information (such as a record of where the employee visited)?   Employers must understand what data their employees are gathering – and update policies and executive employment agreements to deal with it.

In the social media context, employers will be forced to grapple with always-on devices, including those that constantly stream video.  It is unclear whether a simple workplace ban on such recording (as recently permitted under the NLRA) will survive video streaming’s convergence with social media –the latter of which the NLRB maintains can be a form of protected concerted activity.

Last, employers need to have action plans in place for data breaches caused by or impacting employees.  Employers should also ensure that insurance policies cover employee-caused data breaches and incidents involving employee information.

Concerns about privacy cover all three areas, but this is well covered elsewhere.

Summary

This short survey illustrates that the world of the employer will more and more involve data-driven risk –placing their lawyers deep in the world of statistics, system design and security management.

*EBG appreciates Steven C. Sheinberg’s contribution and respects his views, but notes they are his views and not necessarily those of EBG or any of its attorneys.

Companies who utilize cloud vendors to store their data on cloud-based applications should be advised: failing to understand the application’s storage and retrieval capabilities, and failing to preserve such data during litigation could lead to sanctions for both the company and its counsel.  That’s the lesson to be learned from a recent case in the Southern District of Ohio, one of the first of its kind to directly address the intersection between the cloud and its impact on litigation strategy.

In Brown v. Tellermate Holdings, Ltd., Case No. 2:11-cv-1122, 2014 U.S. Dist. LEXIS 90123 (S.D. Ohio July 1, 2014), plaintiffs, in an age discrimination suit against former employer Tellermate, Inc. (“Tellermate”), sought electronically stored information (“ESI”) from accounts that they and other employees maintained with Salesforce.com (“Salesforce”) during their employment to aid their argument that their terminations were due to their ages, and not due to performance issues.  Salesforce is a cloud-based vendor with whom Tellermate had contracted to provide Tellermate employees with a sales tracking tool to record all customer-related activity.

The Salesforce contract gave Tellermate access to the accounts and provided the ESI remained the property of Tellermate.  However, Tellermate erroneously informed its counsel that it could not gain access to the ESI.  Tellermate’s counsel, who the Court found unreasonably relied on Tellermate’s representations and misconstrued the Salesforce contract, repeatedly misrepresented to the Court that the ESI residing on Salesforce’s cloud could not be accessed.

The Court ordered Tellermate to produce the requested ESI.  Nevertheless, Tellermate waited nine months from receiving the Order before asking Salesforce about its backup policy, thus learning for the first time that Salesforce did not keep backup files for more than three to six months from the current date.  Tellermate’s failure to timely ask its cloud vendor about its backup system or promptly take measures to either suspend Salesforce’s policy, or obtain a backup copy of the ESI early in the litigation, guaranteed that the ESI was unreliable, if not irretrievable.

The Court found that the actions of Tellermate and its counsel were “simply inexcusable,” and ordered that Tellermate could not present or rely upon evidence that it terminated the plaintiffs’ employment for performance-related reasons either at the summary judgment phase or at trial.  The Court also ordered Tellermate and its counsel to jointly pay the plaintiffs’ reasonable attorneys’ fees and costs incurred in the various ESI-related discovery motions.

The Brown decision emphasizes the importance that employers who use cloud-based applications understand the terms of the agreement with the cloud-based provider, including (1) who maintains control and ownership of the ESI; (2) the provider’s backup policy; and (3) the options for preserving the ESI to maintain its reliability.  By fully understanding the intricacies involved in using cloud-based technology and taking appropriate steps at the beginning of a litigation to preserve discoverable ESI, an employer and its counsel can prevent misrepresentations to the court and take measures to avoid sanctionable conduct.