Posts By :

Doug Austin

eDiscovery Can Be Murder: eDiscovery Charities

I know that working on some eDiscovery projects with difficult clients or opposing parties could get you thinking of murder, but, as I said before, I don’t know why anyone would consider committing a murder these days with DNA and all the ways we are tracked by Internet of Things (IoT) devices.  However, if you like to solve murders and are in the DC area (or plan to be in mid-May), here’s an event that’s for you.  Even better, your participation helps benefit a great cause!

Murder in the Manor is a charity fundraiser hosted by Oasis Discovery to be held May 16th at The Mansion on O Street in Washington DC (2020 O Street NW, Washington, DC 20036).  As Oasis says in their promo page for the event: “The night will be filled with mystery, entertainment, cocktails and lively conversation as we come together to bring attention to a good cause.”

All proceeds from the event will benefit the Capital Area Food Bank (CAFB), which is the largest public, non-profit hunger and nutrition education resource in the Washington Metropolitan Area. The mission of the CAFB is to feed those who suffer from hunger in the Washington, D.C. Metropolitan Area by acquiring food and distributing it through their network of member agencies; and to educate, empower and enlighten the community about the issues of hunger and nutrition. Each year the CAFB distributes 20 million pounds of food, including six million pounds of fresh produce through over 700 partner agencies.

The Mansion on O, located in Dupont Circle, is noted for eccentric interior styling which includes hidden doors, secret passages, and rooms. Sounds fun, right?  The four-story historic building is over 30,000 square feet and contains 100 rooms including guest rooms, a private Social club, the O Street Museum Foundation, and a conference center.  Oasis has reserved the exclusive second floor of the mansion which has seven themed rooms: The Gallery, The Russian Room, Candle Room, Tiffany Room, Music Room, Ballroom, and secret VIP only access Speakeasy.

Speaking of the Speakeasy (say that three times fast!), CloudNine is proud to be the Scarlett sponsor of the event, so we’re running the Speakeasy!  Thanks to Oasis for including us!  Peacock sponsors include Compiled, LightSpeed and Practice Aligned.  Plum sponsors (have you figured out the sponsor naming pattern yet?) include Ankura, The CJK Group and H5.

The event runs from 7pm to 10pm on May 16th.  Ticket prices are: $75 per person to get in.  But, if you really want to maximize your experience, $125 per person will include access to the CloudNine Speakeasy, where drinks will be available and a lot of fun will be had.  And, you’ll actually get to be a character in the event (no worries, you won’t have to perform).  Trust me, you want to join us in the Speakeasy, that’s where the most fun will be!  Click here for more information and to purchase your tickets.  Remember, it’s for a great cause.

So, what do you think?  Are you going to be in DC on May 16?  If so, come join us!  If not, come to DC and then join us!  It will be epic.  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Discovery Can’t Be Stayed While Motion to Dismiss is Considered, Court Says: eDiscovery Case Law

In Udeen v. Subaru of America, Inc., No. 18-17334(RBK/JS) (D.N.J. Mar. 12, 2019), New Jersey Magistrate Judge Joel Schneider denied the defendants’ request that all discovery be stayed until their Motion to Dismiss is decided, but, with the proviso that only limited and focused discovery on core issues would be permitted.

Case Background

In this nationwide class action with allegations that the defendant’s defective infotainment system creates a safety hazard, the defendants filed a Motion to Dismiss on February 28, 2019 and requested that all discovery be stayed until their motion was decided.  The plaintiffs opposed the defendants’ request, so the Court received the parties’ letter briefs and held oral argument.

Judge’s Ruling

In evaluating the defendant’s motion, Judge Schneider said: “The Court agrees that plaintiffs will be prejudiced if all discovery is stayed while waiting for defendants’ motion to be decided. Given the extensive briefing on defendants’ motion and the expected time it will take for the motion to be decided, the case will be in suspense for months if defendants’ request is granted. Having filed their complaint plaintiffs have a right to move forward… This is especially true in a case where plaintiffs claim the alleged defect in defendants’ vehicles is a safety hazard. Further, the longer the case languishes the greater chance exists that relevant evidence may be lost or destroyed.”

Judge Schneider also noted: “Defendants’ concern about ‘extremely expensive’ discovery is overblown. As is always the case, the Court expects to closely manage discovery to assure that plaintiffs’ efforts are proportional. Further, contrary to defendants’ argument, a discovery stay will not simplify the issues for trial. In fact, the opposite is true. The parties initial discovery will focus on the core issues in the case to assure that only the most relevant and important discovery is produced. This discovery will be produced no matter what claims remain in the case. The discovery will serve to educate plaintiffs concerning the most important individuals and issues in the case. In the long run the Court expects defendants to benefit from this staging so that the parties do not chase discovery ‘down a rabbit hole.’”

As a result, Judge Schneider stated: “After examining all relevant evidence, the Court finds the relevant factors weigh in plaintiffs’ favor and, therefore, the Court will deny defendants’ request to stay all discovery.”  So, Judge Schneider ordered both the defendants and plaintiffs to produce certain documents and for the parties to meet and confer regarding certain other documents, noting: “The Court also finds that defendants’ documents in Japan are not necessarily off-limits. However, the Court is concerned plaintiffs’ requests are too broad. The Court will only permit narrow and focused discovery requests asking for core information. The parties meet and confer discussions shall also address plaintiffs’ request for third-party discovery. To the extent the parties cannot agree on the discovery to be produced, simultaneous letter briefs shall be served by April 15, 2019”.

So, what do you think?  Should discovery ever be stayed because a motion to dismiss is pending?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Hat tip to Jeff Dreiling and the Complete Legal blog for the tip about the case!

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Simon Says Two Years After Spoliation is Discovered is Too Late for Sanctions: eDiscovery Case Law

Sorry, I couldn’t resist…  ;o)

In Wakefield v. Visalus, Inc., No. 3:15-cv-1857-SI (D. Or. Mar. 27, 2019), Oregon District Judge Michael H. Simon denied the plaintiff’s motion for sanctions against the defendant for automatic deletion of call records, ruling that since the plaintiff knew about the deletion of call records for over two years, her motion was “untimely”.

Case Background

In this class claim related to alleged violations of the Telephone Consumer Protection Act (“TCPA”), the defendant used an automated telephone system called the “Progressive Outreach Manager” (“POM”), which the plaintiff contended generated and maintained historical records of each calling campaign and each call attempted by the defendant.  The POM system’s ESI was programmed to be automatically deleted after three months and, even though the defendant was on notice since October 2015 that it had a duty to preserve the information contained in the POM system, the plaintiff claimed that the defendant failed to suspend the call records’ automatic deletion. The plaintiff pointed to statements made by the defendant’s corporate representative and compliance analyst, during his deposition in December 2016 as evidence that these call records had been automatically deleted.

For many of those calls, the defendant maintained contact information spreadsheets containing all of the POM system information, so that data was replaced through other sources. However, the plaintiff contended there were 1.7 million calls that were not within the contact information spreadsheets that were deleted from the POM system, asserting that the lost call records would have proven that 350,228 of those calls delivered a message using an artificial or prerecorded voice to class members. In February 2019, the plaintiff asked the Court to order sanctions against the defendant, including instructing the jury that the defendant deleted call records and that the lost information was unfavorable to defendant.  The defendant argued that the motion was untimely, among other arguments against the motion.

Judge’s Ruling

In evaluating the plaintiff’s motion, Judge Simon said: “Plaintiff learned no later than December 12, 2016 that Defendant’s system deleted POM call records every three months. Discovery closed in December of 2017, one year later, and at that point Plaintiff had in her possession all call records produced by Defendant. Plaintiff acknowledges that she was aware in late 2016 that the call record data generated by the POM system had been “destroyed,” but claims she continued to believe that the same information was available elsewhere. It was only when performing final trial preparation that Plaintiff organized her trial exhibits, compiled the evidence obtained in discovery, and realized that some of the call data ‘deleted’ from the POM system had not been produced through other sources…Only then did Plaintiff file her motion for sanctions.”

Judge Simon also observed: “Had Plaintiff timely undertaken to examine the evidence produced by Defendant, any deleted call records that could not be restored or replaced through additional discovery would have been apparent to Plaintiff at that time, and she could have sought sanctions for the alleged spoliation.”  Noting that “courts are cautioned to be ‘wary of any spoliation motion made on the eve of trial’”, Judge Simon stated in denying the plaintiff’s motion: “Plaintiff filed her spoliation motion more than a year after the close of discovery, more than two years after she first learned of the alleged destruction of call records, and less than two months before trial. Plaintiff’s motion is untimely.”

So, what do you think?  Was that the correct call or should the plaintiff have been given the time to determine what she was missing?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Data Privacy Compliance Isn’t Just for Europe or California Anymore: Data Privacy Trends

We have covered Europe’s General Data Protection Regulation (GDPR) over several posts the past couple of years and even conducted a webcast on the topic last year.  And, we have covered the California Consumer Privacy Act (CCPA) several times as well, including as recently as last week.  But, what about the rest of the wide, wide world?  Do countries in other parts of the world have data privacy policies as well?  Yes.  Do they mimic GDPR policies?  Not necessarily.

As reported in Legaltech News (Data Protection Laws Take Center Stage For Global GC, written by Caroline Spiezio), lawyers are saying that ignoring data privacy changes outside of Europe, or assuming GDPR policies will comply anywhere, may lead to fines or diminished consumer trust in other regions.  For example, Camila Tobón, a Colorado-based data privacy lawyer at Shook, Hardy & Bacon, said many countries in the Latin America follow a consent-based model, which doesn’t allow for the legitimate interest data collection case presented under GDPR. She said many Latin American countries with data privacy laws used Spain’s consent-based version of the 1995 Data Protection Directive (the predecessor to GDPR in Europe) to shape their regulations.

“When Spain incorporated the directive into their law, one noticeable change [from other EU countries] was the lack of legitimate interest for a basis for processing personal data,” Tobón said. “When most Latin American countries were starting to implement their laws in 1999, 2000, 2001, they used the Spanish law as a model, which didn’t include legitimate interest. So what you ended up seeing in Latin America was a consent-based model.”

However, Brazil’s General Data Protection Law, which passed in 2018, includes the case for legitimate interest collection, which closely aligns that country’s laws with Europe’s.  And, other countries in Latin America are working on changes as well.  Chile recently voted to create a national data protection authority. Panama’s National Assembly approved a national data protection regulation last year that currently awaits the president’s signature. An updated Argentine bill to bring the country’s data protection regulations closer to Europe’s with a legitimate interest model and data protection officer requirement is also in the works, with a draft standing in front of Congress.

Beyond Latin America, other countries are making (or considering making) changes as well.  The Corporate Counsel Association of South Africa’s chief executive officer Alison Lee said she expects to see the country implement the Protection of Personal Information Act this year.  Unlike GDPR, POPIA asserts companies also have “personal data” that requires protection. South Africa currently doesn’t require explicit consent to collect data or legitimate interest, but it does require some form of consent.  Nigeria could also see data protection changes, as it has long attempted to pass a specific data protection bill.

So, what about Asia Pacific (APAC)?  Scott Thiel, a Hong Kong-based DLA Piper partner, said, since GDPR’s implementation, he’s increasingly asked questions about data protection in Asia.

“Everyone is sort of finally taking a breath and going, ‘OK, we got through GDPR, we’re somewhere near compliance and that’s great. I assume that works everywhere, does it?’ And the short answer is no, it doesn’t,” Thiel said. “A lot of the approaches to data compliance that work in Europe don’t work in the Asian markets.”

He said many companies have tried applying their GDPR policies to China and other Asian countries and it “just doesn’t” work.  Like Latin America, much of East Asia relies on a consent-based model rather than legitimate interest, Thiel said.  Nonetheless, cybersecurity laws are changing in APAC, as well.  The article has several more details regarding data privacy changes in Latin America, Africa and APAC.  GDPR, with its heavy fines, has gotten a lot of the coverage regarding data privacy compliance, but you can’t ignore requirements in the rest of the world if you’re a multi-national company.  I’m sure Antarctica will come out with their data privacy laws any day now.  ;o)

So, what do you think?  Are you prepared for data privacy changes around the rest of the world?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Cellebrite 2019 Report on Industry Trends for Law Enforcement: eDiscovery Trends

As I’ve been saying for a while now and will be discussing with Tom O’Connor in our webcast on April 24, discovery isn’t just for litigation anymore.  Drivers for compliance and investigations are growing to the point that discovery activities are about as likely to support those needs as they for litigation.  And, for law enforcement, investigations are the primary discovery driver.  So, what are some of the trends they see with regard to the types and sources of evidence associated with these investigations?  A new report by Cellebrite, a leader in forensic collection for cellular phones and mobile devices, sheds light on those trends.

Cellebrite recently conducted an industry trends survey targeting Law Enforcement and reported the results in their 2019 Report on Industry Trends for Law Enforcement (link to download the free report available here, hat tip to Rob Robinson’s Complex Discovery site for the reference).  The survey focused on the impact of digital data in investigating and prosecuting criminal cases including:

  • What types of digital sources are being used in investigations.
  • Which digital sources and data are most frequently used and considered the most important.
  • The challenges to accessing digital data.
  • The impact to productivity and ability to resolve investigations.

Over 2,700 Law Enforcement personnel completed the survey with the majority of the respondents coming from investigators and examiners.  Five of the most important key findings from the survey were as follows:

  • Mobile phones are the most frequently used and most important digital source for investigations.
  • The variety of digital sources used in investigations in increasing and now includes sources such as wearables and smart home technology being used more frequently in investigations.
  • Two most common challenges to extracting data from mobile phones are locked phones and encrypted data.
  • Law enforcement agencies are averaging three-month backlogs on investigations.
  • Despite the backlogs and the variety of digital sources and the amount of digital data that typically need to be reviewed in an investigation, the vast majority of law enforcement agencies are reviewing this information manually instead of using analytics solutions.

Smartphones remain the primary source for digital evidence with 91% of respondents indicating that evidence sources from smartphones were an evidence source “very frequently” (81%) or “frequently” (10%).  Computers were a distant second at 52%, followed by CCTV (i.e., surveillance systems) and feature phones (those “lacking the functionality of smart phones”) at 45% each.  And, many of the top data types reviewed during an investigation are likely to be from mobile device sources, including Images from Digital Evidence (at 94% total “very frequent” and “frequent”), Text messages (93%), Videos from Digital Evidence (90%) and Location History from Digital Evidence (86%), among others.  The report contains many more stats, including percentage of cases involving data from cloud sources, time spent reviewing various sources of data, time spent on reporting and caseloads, among other things.

According to Cisco, monthly global mobile data traffic will be 77 exabytes by 2022, and annual traffic will reach almost one zettabyte (if you didn’t know already, a zettabyte is 1 trillion gigabytes).  And, the report notes that 85% of criminal investigations include some form of digital data, so establishing the relevancy of collecting digital data was not a focus of the survey.  You can click on the link above to download a copy of the report or view an insert of the report within Rob’s blog.

So, what do you think?  Does it surprise you that law enforcement investigations are so heavily focused on mobile devices?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Appeals Court Reverses Jury Decision Based on Failure of Court to Issue Spoliation Sanction: eDiscovery Case Law

In Marshall v. Brown’s IA, LLC, No. 2588 EDA 2017 (Pa. Super. Mar. 27, 2019), the Superior Court of Pennsylvania, ruling that the trial court “abused its discretion in refusing the charge” of an adverse inference sanction against the defendant for failing to preserve several hours of video related to a slip and fall accident, vacated the judgment issued by the jury within the trial court for the defendant and remanded the case for a new trial.

Case Background

In this case where the plaintiff slipped and fell in one of the defendant’s ShopRite stores in August 2014, the plaintiff’s counsel sent a letter two weeks after the incident requesting that the defendant retain surveillance video of the accident and area in question for six hours prior to the accident and three hours after the accident. Additionally, the letter cautioned:

“If any of the above evidence exists, and you fail to maintain same until the disposition of this claim, it will be assumed that you have intentionally destroyed and/or disposed of evidence. Please be advised that you are not permitted, and are in no position, to decide what evidence plaintiff would like to review for this case. Accordingly, discarding any of the above evidence will lead to an Adverse Inference against you in this matter.”

Nonetheless, the defendant decided to preserve only thirty-seven minutes of video prior to the plaintiff’s fall and approximately twenty minutes after, and permitted the remainder to be automatically overwritten after thirty days.  The defendant’s Risk Manager (Matthew McCaffrey) testified that it was the store’s “rule of thumb” to preserve video surveillance from twenty minutes before and twenty minutes after a fall.  The plaintiff contended that the defendant’s conscious decision not to retain the video evidence constituted spoliation, and she asked the trial court to give an adverse inference charge to the jury.  But, the trial court concluded that there was no bad faith by the defendant and refused to give the requested adverse inference charge, but did agree, that the plaintiff’s counsel could argue to the jury that it should infer from the defendant’s decision not to retain more of the video prior to her fall that the video was damaging to the defendant.  Despite that, the jury returned a verdict in favor of the defendant, finding no negligence.

The plaintiff filed timely post-trial motions alleging that she was entitled to a new trial because the trial court erred in refusing to give the requested spoliation instruction to the jury, but the trial court did not rule on the motion, so she appealed, asking if the trial court abused its discretion by declining to read a spoliation of evidence instruction to the jury at trial.

Appellate Court’s Ruling

The opinion by J. Bowes noted that “[t]he duty to retain evidence is established where a party ‘knows that litigation is pending or likely’ and “it is foreseeable that discarding the evidence would be prejudicial” to the other party.”  The court also observed: “Although Mr. McCaffery testified that ShopRite’s rule of thumb was to retain only twenty minutes of tape prior to the fall and twenty minutes after the fall, it actually preserved thirty-seven minutes of footage prior to Ms. Marshall’s fall, and twenty minutes after the fall. He offered no explanation why ShopRite deviated from its typical practice herein.”  The court also observed that “conspicuously absent was testimony from anyone at ShopRite that he or she watched the video for the six-hour-period prior to the fall before determining that it did not contain any relevant evidence.”

Finding that “counsel’s letter placed ShopRite on notice to preserve the video surveillance prior to and after the fall as it was arguably relevant to impending litigation”, the court stated “we find that the trial court took an unreasonably narrow view of ‘relevant evidence’ in concluding that no spoliation occurred in this premises liability case. Relevant evidence is any evidence that ‘has any tendency to make a fact more or less probable.’…Furthermore, its finding of no bad faith on ShopRite’s part was relevant in determining the severity of the sanction to impose for spoliation, but it did not negate or excuse the spoliation that occurred.”

As a result, the court – in vacating the judgment and remanding the case for a new trial – ruled that “Ms. Marshall asked the court for the least severe spoliation sanction, an adverse inference instruction. On the facts herein, it was warranted, and the court abused its discretion in refusing the charge.”

So, what do you think?  Should the judgment have been thrown out over the defendant’s failure to preserve the rest of the video?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

What’s a Lawyer’s Duty When a Data Breach Occurs within the Law Firm: Cybersecurity Best Practices

When I spoke at the University of Florida E-Discovery Conference last month, there was a question from the live stream audience about a lawyer’s duty to disclose a data breach within his or her law firm.  I referenced the fact that all 50 states (plus DC, Guam, Puerto Rico and the Virgin Islands) have security breach notification laws, but I was not aware of any specific guidelines or opinions relating to a lawyer’s duty regarding data breach notification.  Thanks to an article I came across last week, I now know that there was a recent ABA opinion on the topic.

An article written by Anton Janik, Jr. of Williams Mitchell and originally published in the 2019 Winter edition of The Arkansas Lawyer and republished on JD Supra (The Lawyer’s Duty When Client Confidential Information is Hacked From the Law Firm, hat tip to Sharon Nelson’s terrific Ride the Lightning blog for the reference) takes a look at a lawyer’s duties following a data breach and discusses the requirements of ABA Formal Opinion 483, which was issued in October 2018.

Janik begins his article by referencing the DLA Piper NotPetya ransomware attack in 2017, as follows:

“Imagine it’s a usual Tuesday morning, and coffee in hand you stroll into your office. Right inside the door, you see a handwritten notice on a big whiteboard which says: All network services are down, DO NOT turn on your computers! Please remove all laptops from docking stations & keep turned off. *No exceptions*

Finding this odd, you turn to your firm receptionist who tells you that the firm was hit with a ransomware attack overnight, and that if you turn on your computer all of your files will be immediately encrypted, subject to a bitcoin ransom.”

That’s what happened to DLA Piper and the 4,400-attorney law firm was “reduced to conducting business by text message and cell phone” until the situation was resolved, requiring 15,000 hours of overtime IT assistance, though they sustained no reported loss of client confidential information.

Of course, as you probably know by reading this blog, the DLA Piper situation isn’t unique.  A recent American Bar Association report stated that 22% of law firms reported a cyberattack or data breach in 2017, up from 14% the year before.

The ABA Opinion discusses three duties under its Model Rules: the duty of competence, the duty of communication, and the duty of confidentiality. While the ABA Opinion focused narrowly upon the ethical duties it sees arising between an attorney and client, it is important that you understand “the types of data you work with, and keep yourself abreast of what laws, regulations and contractual provisions govern its loss” (I just pointed you to a resource for breach notification laws up above).

Janik’s article covers stopping the breach, restoring systems and determination what happened and the cause. Best practices (and often your cybersecurity insurance coverage) dictate that your law firm should draft, and regularly train on, a breach response plan which defines personnel roles and procedural steps to employ in assessing and addressing any given breach, including through the use of outside vendors whose use may be contractually prearranged.

When a breach is discovered, the ABA Opinion finds that the duty of competence under Model Rule 1.1 requires the attorney to act reasonably and promptly to stop the breach and mitigate the damage, using “all reasonable efforts” to restore computer operations to be able to continue client services.  And, Model Rule 1.4 requires that an attorney keep the client “reasonably informed about the status of the matter.”

So, now I know – which means you know too.  :o)

So, what do you think?  Were you familiar with ABA Formal Opinion 483?  Does your firm have a formalized breach response plan?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Court Denies Plaintiff’s Motion to Compel Production of ESI Related to 34 Searches: eDiscovery Case Law

In Lareau v. Nw. Med. Ctr., No. 2:17-cv-81 (D. Vt. Mar. 27, 2019), Vermont District Judge William K. Sessions III denied the plaintiff’s motion to compel production of ESI related to 34 search terms proposed by the plaintiff during meet and confer with the defendant, based on the extrapolation from a single search term that the plaintiff’s production request would require 170 hours of attorney and paralegal time and would produce little, if any, relevant information.

Case Background

In this case related to claims of wrongful termination stemming (at least in part) from the plaintiff’s disability, the plaintiff initially asked the defendant to produce ESI using 18 search terms. Using only seven of those 18 terms, the defendant produced over 3,000 pages of documents and objected to the scope of the request. The plaintiff moved to compel, and the Court issued an order requiring the parties to confer and agree upon appropriate search terms.

The plaintiff subsequently proposed 34 search terms, some of which were in the original list to which the defendant had objected. The defendant informed plaintiff’s counsel that using just the first four of the proposed 34 terms, it had spent over 20 hours retrieving 2,912 documents totaling 5,336 pages. The plaintiff’s counsel later acknowledged in an email that the initial production was voluminous and unwieldy, and suggested that the defendant use only the newly-proposed search terms.

The defendant made another effort to comply, performing a search using the suggested term “Experian.” The process of searching, coding, and producing reportedly took five hours and identified 472 documents. the defendant represented to the plaintiff’s counsel that few of those documents were relevant. Extrapolating that work to 34 search terms, the defendant contended that the plaintiff’s production request would require 170 hours of attorney and paralegal time and would produce little, if any, relevant information.  As a result, the defendant informed opposing counsel that given the burden of production and the limited relevance of the search results, it would not expend any additional time performing the requested searches. The plaintiff’s counsel invited the defendant to offer additional suggestions as to search terms, but the defendant declined that invitation, leading to the plaintiff’s motion.

Judge’s Ruling

Judge Sessions noted that, under the FRCP, “a party is required to provide ESI unless it shows that the source of such information is ‘not reasonably accessible because of undue burden or cost.’”  With that in mind, Judge Sessions stated:

“Here, the Court ordered cooperation among counsel, and counsel’s efforts did not produce a workable solution. NMC has tried to comply and shown that, to date, the information sought using Lareau’s proposed search terms is not reasonably accessible. Indeed, NMC has expended considerable time and expense producing documents that reportedly have little relevance to this case.”

While noting that he “could nonetheless compel discovery for good cause shown”, Judge Sessions determined that “[h]ere, there has been no such showing.”  Judge Sessions stated: “Since the Court issued its prior Order, NMC has produced 3,384 additional documents containing little relevant information. Without any showing that additional searches are likely to result in a higher rate of success, the Court will not order NMC to engage in further problem-solving.”  As a result, he denied the plaintiff’s motion to compel.

So, what do you think?  Was the defendant’s analysis of expected effort a valid representative sample?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Answers to Your Frequently Asked CCPA Questions: Data Privacy Best Practices

As we discussed last year (here and here), the California Consumer Privacy Act (CCPA) is a comprehensive new consumer protection law set to take effect next January 1.  And, as we also reported recently, about half of surveyed companies haven’t even started preparing to be CCPA compliant.  Maybe that’s because they don’t know where to start to comply and don’t know whether the CCPA applies to their business, what rights will Californians have under CCPA and what impact CCPA will have on their privacy policy.  Here are answers to some of those questions.

In the Data Privacy Monitor site by Baker Hostetler (The California Consumer Privacy Act: Frequently Asked Questions, written by Alan L. Friel, Laura E. Jehl and Melinda L. McLellan), the authors address ten frequently asked questions that companies are asking about CCPA (if they’re not asking them, they should be).  Here are the questions they are addressing in this article:

  1. Does the CCPA apply to my business? What if we don’t have operations in California?
  2. Does the $25 million revenue threshold apply to California revenue specifically, or is it $25 million for the business as a whole?
  3. Will the CCPA be amended? What are the open issues?
  4. What new rights will the CCPA give to California residents?
  5. Will we need to amend our company’s online privacy policy?
  6. How do the “copycat” CCPA laws being proposed in other states compare with the CCPA?
  7. How does a business confirm that a person making an access or deletion request under the CCPA is a California resident, or who they claim to be?
  8. What should our company be focusing on right now, while we wait to see how these various state and federal law proposals shake out?
  9. What are the potential penalties for violations of the CCPA?
  10. Does my business qualify for one of the CCPA’s exceptions?

I won’t steal any thunder here – the authors give detailed and thoughtful answers to the questions that you will want to check out for yourself.

It’s interesting to note that there are at least 15 state data privacy laws that are working their way through the legislative process – some that are “virtually identical to the CCPA”, others that are similar, but with key differences.  As the authors note, the “prospect of having to comply with dozens of different state laws of this nature has fueled interest in a federal law to harmonize these proposals and provide businesses with clear compliance goals.”  That’s not surprising to me.

As the authors note in their conclusion: “A new era of consumer privacy rights has dawned in the U.S., and businesses will need to have a sound understanding of the personal information they collect, process, use and share to be able to comply with incoming rules and regulations.”  Given recent trends, it certainly appears that virtually every US business will be subject to new and developing data privacy laws sooner rather than later.

So, what do you think?  Is your company subject to CCPA?  If so, has it begun to address CCPA yet?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Court Denies Sanctions Request Because Defendant Didn’t Prove the Information was Irretrievable: eDiscovery Case Law

In Envy Hawaii LLC v. Volvo Car USA LLC, No. 17-00040 HG-RT (D. Haw. Mar. 20, 2019), Hawaii District Judge Helen Gillmor denied the defendant’s motion for spoliation sanctions, stating that the defendant “has not established that spoliation sanctions are available because the information it seeks is not “lost” within the meaning of Fed. R. Civ. P. 37(e).”

Case Background

In this case involves contract disputes and claims of improper business practices between a local automobile dealership and the national distributor of Volvo automobiles, the parties had engaged in two years of litigation, produced discovery, and conducted depositions.  The defendant claimed that the plaintiff and its sole owner and manager failed to preserve certain electronically stored information (Google e-mail accounts and electronic dealer management system records) in violation of Federal Rule of Civil Procedure 37(e).  The plaintiff and its owner claimed no spoliation had occurred because any relevant records are available from third-parties and sanctions were not appropriate.

Judge’s Ruling

Judge Gilmor noted that “[t]he text of Federal Rule of Civil Procedure 37(e) provides that evidence is ‘lost’ and subject to spoliation sanctions when a party failed to take reasonable steps to preserve it, and ‘it cannot be restored or replaced through additional discovery’” and that “[i]nformation is ‘lost’ for purposes of Rule 37(e) only if it is irretrievable from another source, including other custodians.”  She also stated that “[s]poliation sanctions are not available pursuant to the 2015 Amendment to Rule 37(e) when information is not lost.”

With regard to that, Judge Gilmor stated:

“Volvo Car USA LLC admits that it has not sought any of the discovery from either CDK Disk or Google Enterprise. Volvo Car USA LLC’s Motion is focused on Envy Hawaii LLC’s failure to preserve the information.”

Noting that “Volvo Car USA LLC may issue subpoenas to obtain records from Google and/or CDK Drive prior to May 15, 2019”, Judge Gilmor denied the defendant’s motion for spoliation sanctions.

So, what do you think?  Should parties be required to confirm with third parties that information is not available before filing motions for spoliation sanctions?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.