June 24, 2026

The subpoena arrives on a Wednesday, addressed to the registered agent of a company that has never heard of the underlying lawsuit. By Friday it had been forwarded four times — from legal operations to litigation counsel to the privacy team and back — gathering questions at every stop. Who owns this? What exactly is being demanded? Can we even lawfully produce it? Somewhere in the chain, a paralegal notices the date: objections are due fourteen days from service, and six of those days are already gone.
Now multiply that scene by the dozens — at some platforms, hundreds — of demands arriving every month: civil subpoenas, government legal process, preservation requests, emergency disclosure requests. This is the quiet operational reality inside the legal departments of data-rich companies, where the volume of compulsory process has become a workload no one budgeted for, and where the cost of a single misstep can be measured in sanctions, statutory liability, and headlines.
The obligation underneath all of it is older than the companies it now burdens. Anglo-American law has insisted for nearly three centuries that “the public has a right to every man's evidence” — a maxim the Supreme Court has invoked in decisions from United States v. Bryan to United States v. Nixon — and the subpoena is that principle's working instrument. In federal civil litigation, it is administered through Rule 45 of the Federal Rules of Civil Procedure, adopted under the authority Congress delegated in the Rules Enabling Act, 28 U.S.C. § 2072, and enforced by the issuing court's contempt power. Every state maintains its counterpart. None of it is optional.
A third-party subpoena is a legal demand served on a company that is not a party to a lawsuit, compelling it to produce documents, data, or testimony for someone else's case. In federal court, it issues under Rule 45 of the Federal Rules of Civil Procedure; every state has an analog. Service triggers binding obligations enforced by the issuing court: the recipient must respond, object, or move to quash by the deadline. Ignoring one invites contempt under Rule 45(g), monetary sanctions, and compelled production — and waives the protections the rules provide.
What follows is an account of how that obligation operates, what silence costs, which protections the rules extend to the unwilling participant, and why companies whose business is other people's data inherit a second body of federal law that the standard litigation playbook does not contemplate.
Begin with a feature of federal practice that surprises many executives: a subpoena is typically not issued by a judge. Rule 45 authorizes any party's attorney to issue one as an officer of the court — no hearing, no advance judicial screening, no warning to the recipient. The signature on the document belongs to a private lawyer; the authority behind it belongs to the court. The practical consequence for the recipient: the document arrives carrying the court's full authority, and the company's own review is the first review it will receive.
The low barrier to issuance explains the volume. Companies are drawn into other people's litigation simply because they hold the relevant records:
Most third-party subpoenas are a subpoena duces tecum — literally, a command to bring with you — directed at documents and electronically stored information rather than live testimony; its counterpart, the subpoena ad testificandum, compels a witness to appear and testify. Some demand both. Either way, the recipient occupies the same position: a non-party holding enforceable obligations and — less widely appreciated — enforceable rights.
A company that ignores a valid subpoena faces an escalation that ends in contempt of court. Under Rule 45(g), the issuing court may hold in contempt a person who, having been served, fails without adequate excuse to obey the subpoena or an order related to it. Although a private lawyer signed the document, the court stands behind it, and the court's full enforcement powers are available when a recipient defaults. The process unfolds in stages, each more expensive than the last.
First, the obligation never expires. Ignoring a subpoena does not run out the clock; it converts a manageable compliance exercise into a court-supervised one, on a record that opens with the company's own default.
Second — and this is the cost companies most often fail to price — silence operates as waiver. Rule 45 extends real protections to a served non-party: objection rights, burden limits, cost recovery. Courts routinely hold them forfeited when not raised on time, excused only in unusual circumstances and for good cause. The company that ignores a subpoena has not merely courted sanctions; it has surrendered every legitimate exit the rules drafted for its benefit.
Credibility, once spent, is hard to recover. A company that responds on time and negotiates scope in good faith builds a record of reasonableness. A company that ignores a subpoena and surfaces only after a motion to compel arrives in court having already undercut its own standing — before the same judge who will decide the dispute. The cost of silence is not only sanctions; it is the loss of the benefit of the doubt.
The interval that decides whether a company controls its response or scrambles to react is the first few days after service — not the week before the production deadline, when the options have already narrowed.
A defensible sequence looks like this:
The rules' drafters understood that compulsory process reaches the uninvolved, and Rule 45 is accordingly more solicitous of non-parties than of the litigants themselves. The protections are substantial. They are also, every one of them, perishable.
Under Rule 45(d)(2)(B), a non-party may serve written objections to producing documents or ESI within 14 days of service (or before the compliance date, if earlier). A timely objection generally suspends the duty to produce: the issuing party must then move the court for an order compelling compliance, and in practice many never do — a fact that gives the timely objection a quiet power out of proportion to the effort of serving one. The preservation duty, however, continues until the matter is resolved.
Rule 45(d)(3)(A) requires the court to quash or modify a subpoena that fails to allow reasonable time to comply, requires compliance beyond the geographic limits set in Rule 45(c) — generally 100 miles from where the recipient resides, works, or regularly transacts business — requires disclosure of privileged or protected matter with no exception or waiver, or subjects the recipient to undue burden. Rule 45(d)(3)(B) permits the court to quash or modify a subpoena that demands trade secrets or other confidential commercial information; under Rule 45(d)(3)(C), the court may instead order production on specified conditions, but only if the issuing party shows a substantial need that cannot otherwise be met without undue hardship and ensures the recipient is reasonably compensated. And where the concern is not whether material must be produced but how it will be used once it is, the recipient may seek a protective order under Rule 26(c) restricting disclosure to the litigation itself.
Rule 45(d)(1) obligates the party issuing a subpoena to take reasonable steps to avoid imposing undue burden or expense on the recipient and authorizes sanctions against issuers who do not. And when a court orders a non-party to comply over objection, Rule 45(d)(2)(B)(ii) directs that the order must protect the non-party from significant expense resulting from compliance — the basis on which companies recover collection, review, and production costs.
State practice follows the federal model imperfectly, and objection windows vary by forum. The governing deadline is always the local rule, not the federal one — a detail better confirmed before the calendar entry than litigated after it.
For employers and most operating businesses, a third-party subpoena is a records problem — burdensome, occasionally expensive, ultimately ministerial. For platforms, communication services, fintechs, AI companies, and connected-device makers, it is a different instrument altogether: a demand for information about other people — customers, users, account holders — and its arrival summons a second body of federal law governing what the company may lawfully hand over.
The Stored Communications Act, 18 U.S.C. § 2701 et seq., is a 1986 statute that has aged into one of the more consequential laws a modern platform encounters. It restricts when providers of electronic communication and remote computing services may disclose the contents of communications and other account information, and its architecture routinely surprises litigators who do not practice in it: for the contents of communications, the SCA admits no exception for civil subpoenas. Courts have held, with striking consistency, that a civil litigant cannot subpoena content out of a provider. The statute's consent exception explains the practice that has grown up around the rule — the route to content runs through the account holder, whose lawful consent unlocks what compulsory process cannot alone. A provider that produces content anyway, on the comfortable theory that compliance is always the safe course, has the analysis exactly backward: it can violate federal law and answer in damages to its own users.
Non-content records stand on different footing. The SCA generally permits providers to disclose subscriber information and similar customer records to non-governmental entities — which is why a civil subpoena for basic subscriber data presents a different question than a demand for message content. Government demands proceed along their own gradient under 18 U.S.C. § 2703, the required process escalating from subpoena to court order to search warrant as the data sought grows more sensitive. Add state consumer-privacy statutes, contractual confidentiality commitments, and the question of notice to the affected user, and the data-holding company arrives at a rule that is underappreciated outside this practice area: blind compliance is as dangerous as silence. Every demand must be sorted — civil or governmental, content or non-content, lawful to disclose or forbidden.
Non-content records stand on different footing. The SCA generally permits providers to disclose subscriber information and similar customer records to non-governmental entities — which is why a civil subpoena for basic subscriber data presents a different question than a demand for message content. Government demands proceed along their own gradient under 18 U.S.C. § 2703, the required process escalating from subpoena to court order to search warrant as the data sought grows more sensitive. Add state consumer-privacy statutes, contractual confidentiality commitments, and the question of notice to the affected user, and the data-holding company arrives at a rule that is underappreciated outside this practice area: blind compliance is as dangerous as silence. Every demand must be sorted — civil or governmental, content or non-content, lawful to disclose or forbidden.
And the hardest cases are no longer about any single statute; they are about collisions between them. Modern privacy law rewards minimization — collect less, keep less, delete sooner — while the duty to preserve, once a subpoena triggers it, can compel a company to retain data it had told its users and its regulators it would delete. A demand may arrive for data held abroad, in a jurisdiction whose own law forbids producing it. These conflicts have no clean doctrinal answer. They are managed, demand by demand, through scoping, negotiation, and documented judgment — and the companies that manage them well are the ones whose response function can explain, years later, why each decision was made. Every production decision is a future exhibit.
One further screening step is often overlooked:: authenticity. Fraudulent legal process is a documented attack vector against data-holding companies. Our analysts review incoming process for technology platforms every day, and a steady share of it is defective in some respect — wrong entity, wrong jurisdiction, overbroad on its face, or, more often than outsiders would guess, not genuine at all. Forged subpoenas have been used to extract user data from providers under color of a court’s authority. Authenticity is one question; proper service is a separate and equally important one — a subpoena can be genuine yet defectively served. A response process that confirms the issuing court, the signing attorney, and valid service before producing anything is not bureaucratic friction. It is the difference between a compliance function and an open door.
Companies that field subpoenas and law enforcement demands for user data can put a verified, deadline-managed response process behind every request. Learn how ZG Subpoena Solutions manages legal process end to end → [link: /solutions/law-enforcement-data-requests]
A company's first subpoena is an event.Its two-hundredth is a Tuesday. For an enterprise holding data on millions of users, legal process is not an occurrence but a workload: civil subpoenas, government demands, preservation requests, and emergency disclosure requests arriving weekly, each with its own deadline, its own disclosure analysis, and its own paper trail to maintain.
And the curve bends only one way. Demand follows awareness: once investigators learn that a category of company holds evidence relevant to their cases — location history, payment records, message content, the prompts typed into an AI model — the requests compound, and they do not recede. We have watched entire categories go from a handful of requests a quarter to a daily stream in the space of two years. The companies caught flat-footed are rarely the ones that ignored the law; they are the ones that assumed last year's volume predicted next year's.
Handled ad hoc — by whoever sits nearest the inbox, or by sending routine, high-volume demands through channels built for bet-the-company matters — the function fails in predictable ways. Deadlines slip. Objection rights lapse unexercised. Responses to indistinguishable demands begin to diverge, and divergence is precisely what draws scrutiny when one of them is later challenged. The cost curve, meanwhile, bends the wrong way as volume grows.
Companies that take the function seriously converge on one of three models:
Either path depends on the same tooling. Workflow software for intake, tracking, and deadline management is not a third option; it is infrastructure both models require. Software solves the calendar. It does not decide what the SCA permits, whether a demand is genuine, or when to object — which is why tooling alone is never the whole answer.
Whichever path a company chooses, the markers of a defensible function do not change: a single channel of intake, so nothing arrives unseen; authentication before anything else happens; deadline tracking that does not reside in one person’s memory; written playbooks by process type; production logs complete enough to support a transparency report; and clear escalation, so that legal judgment is spent where it is genuinely needed and not consumed on routine, repeatable demands.
What is a third-party subpoena?
A third-party subpoena is a legal demand served on a person or company that is not a party to a lawsuit, requiring production of documents, data, or testimony relevant to the case. In federal litigation it is issued under Rule 45 of the Federal Rules of Civil Procedure; states have analogous rules.
What happens if a company ignores a subpoena?
The issuing party can move to compel, and the court can order compliance and hold the company in contempt under Rule 45(g). Consequences include monetary sanctions, payment of the other side's fees, and compelled production — plus waiver of the objections the company could have raised.
How long does a company have to object to a subpoena?
Under federal Rule 45(d)(2)(B), written objections must be served within 14 days after service of the subpoena, or before the compliance date if it is earlier. State deadlines vary by jurisdiction. Objections not raised on time are generally waived.
Can a company recover the costs of responding to a subpoena?
Often, yes. Rule 45(d)(1) requires issuing parties to avoid imposing undue burden or expense, and Rule 45(d)(2)(B)(ii) requires court orders compelling a non-party's compliance to protect that non-party from significant expense. Cost-shifting should be raised in timely written objections.
Can a company produce customer data in response to a civil subpoena?
Not always — and sometimes not lawfully. The Stored Communications Act bars providers from disclosing the contents of user communications in response to civil subpoenas, with no civil-litigation exception. Non-content records are governed by different provisions. Each demand requires analysis before anything is produced.
Who at a company is responsible for responding to a subpoena?
Service is typically received by the company’s registered agent, whose role is limited to accepting process — not responding to it. Responsibility for the response itself sits with the legal department or a designated response function; many organizations also name a custodian of records. Companies that receive legal process at volume assign the work to a dedicated response team or a managed legal-response provider.
Put a defensible process behind every demand
ZG Subpoena Solutions operates turn-key legal-process response for technology companies — intake, authentication, deadline management, disclosure analysis under the Stored Communications Act, and compliant production, handled by experienced analysts. Your legal team keeps final judgment; we carry the process. Engagements range from fully outsourced response to augmenting an in-house team.