eDiscoveryDaily

Why Does Production Have to be Such a Big Production?, Part Three

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom has also written several terrific informational overview series for CloudNine, including his most recent one, Understanding Blockchain and its Impact on Legal Technology, which we covered as part of a webcast on March 27.  Now, Tom has written another terrific overview regarding production challenges and what to do about them titled Why Does Production Have to be Such a Big Production? that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part one was Monday and part two was Wednesday, here’s the third part.

Load File Failures

Problems with productions have plagued us for years and none are more prevalent than load file errors. I recall a consultant in Seattle nearly 20 years ago who spent 2/3 of his times cleaning up Summation load files for clients. And the problems haven’t decreased as technology has improved.

Shawn Huston of LSP Data Solutions ( www.lspdata.com) recently told me that 2/3 of the load files he sees in productions have errors. Why? Remember my previous comment about communication? Shawn says that:

One of the biggest issues I see is parties agreeing to production specifications without understanding what they are agreeing to. A classic example is the more technologically sophisticated party requesting tiff, text and load files as a production format and the other party agreeing without realizing what that means and the process necessary to do it correctly.

We also frequently see productions that don’t have the corresponding metadata fields to aid in filtering and searching the production sets, but then counsel becomes frustrated when they can’t accurately search for dates, recipients, file names or other useful metadata fields.

So, what seems to be the problem?  Well once again let’s turn to eDiscovery Grand Master Craig Ball for an explanation. In his wonderful 2013 article, A Load File Off My Mind, which is as relevant today as it was then, Craig explains that:

More commonly, load files adhere to formats compatible with the Concordance and Summation review tools.  Concordance load files typically use the file extension DAT and the þ¶þ characters as delimiters, e.g.:

Concordance Load File

Just as placing data in the wrong row or column of a table renders the table unreliable and potentially unusable, errors in load files render the load file unreliable, and any database it populates is potentially unusable.  Just a single absent, misplaced or malformed delimiter can result in numerous data fields being incorrectly populated.  Load files have always been an irritant and a hazard; but, the upside was they supplied a measure of searchability to unsearchable paper documents.

What are some common load file errors?

Mismatched line numbers: Each line in a load file corresponds to a single document. Thus, the number of lines in a load file must match the number of documents being imported. If they do not match, a common cause is an extra line break in the load file.

Field Formatting Errors:  Mismatched date formats (1/1/19 vs Jan 1 2019) and field length, that is a field in the database structure is only 6 characters long but the data being loaded is longer than that

Delimiter errors:  Comma and semi-colon are commonly used delimiters but if a comma appears in some text being loaded …say “Apple, Inc”, it may be interpreted as a delimiter in the wrong place.  Pipes ( a vertical line) are an excellent example of a once common delimiter which can be read as another instruction by some SQL and .Net databases.

Encoding: Some programs prefer a certain background computer language. Many older databases for example preferred Unicode Standard (UTF-1, UTF-7, UTF-8, UTF-EBCDIC, UTF-16, UTF-32) or ASCII. Importing data from a database that is not consistent with the database you are using may lead to problems.

Other load file problems that may occur include:

  • Overlaps with document or Bates numbers: Documents that come from different sources in a case may have Bates numbers that are repetitive or have some portion of their sequence that overlap with each other.
  • Page number difference: The number of pages in the load file may differ from the actual page count of the document images themselves, typically because of single page vs multi page image discrepancies.
  • Uploader at incorrect stage: An error message that the loading process is not working smoothly, usually when the screen display shows that you are on one step of the upload, but the uploader recognizes it’s actually on the next stage.
  • Timeouts on reading data error: The upload has stopped, either because of an internal issue or an interruption in internet connection.
  • Encountered non-separator: Typically a typo in the load file and the load has stopped.
  • Multiple native files: Multiple files with the same name as a document present in the native path, often a native file and an image file with the same name.
  • Conflicts with a previous loaded image: The load file is pointing to multiple images for the same document page and the conflict must be resolved.
  • Error with image reader: Usually means that the uploader could not read the image file.
  • Error finding load file or directory: Most often occurs when the user is trying to upload from a network but the upload tool is either defaulting to a local drive or the user doesn’t have rights to the network.

We’ll publish Part 4 – Recommendations for Minimizing Production Mistakes – next Monday.

So, what do you think?  Have you experienced problems with document productions in eDiscovery?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

eDiscovery Can Be Murder: eDiscovery Charities

I know that working on some eDiscovery projects with difficult clients or opposing parties could get you thinking of murder, but, as I said before, I don’t know why anyone would consider committing a murder these days with DNA and all the ways we are tracked by Internet of Things (IoT) devices.  However, if you like to solve murders and are in the DC area (or plan to be in mid-May), here’s an event that’s for you.  Even better, your participation helps benefit a great cause!

Murder in the Manor is a charity fundraiser hosted by Oasis Discovery to be held May 16th at The Mansion on O Street in Washington DC (2020 O Street NW, Washington, DC 20036).  As Oasis says in their promo page for the event: “The night will be filled with mystery, entertainment, cocktails and lively conversation as we come together to bring attention to a good cause.”

All proceeds from the event will benefit the Capital Area Food Bank (CAFB), which is the largest public, non-profit hunger and nutrition education resource in the Washington Metropolitan Area. The mission of the CAFB is to feed those who suffer from hunger in the Washington, D.C. Metropolitan Area by acquiring food and distributing it through their network of member agencies; and to educate, empower and enlighten the community about the issues of hunger and nutrition. Each year the CAFB distributes 20 million pounds of food, including six million pounds of fresh produce through over 700 partner agencies.

The Mansion on O, located in Dupont Circle, is noted for eccentric interior styling which includes hidden doors, secret passages, and rooms. Sounds fun, right?  The four-story historic building is over 30,000 square feet and contains 100 rooms including guest rooms, a private Social club, the O Street Museum Foundation, and a conference center.  Oasis has reserved the exclusive second floor of the mansion which has seven themed rooms: The Gallery, The Russian Room, Candle Room, Tiffany Room, Music Room, Ballroom, and secret VIP only access Speakeasy.

Speaking of the Speakeasy (say that three times fast!), CloudNine is proud to be the Scarlett sponsor of the event, so we’re running the Speakeasy!  Thanks to Oasis for including us!  Peacock sponsors include Compiled, LightSpeed and Practice Aligned.  Plum sponsors (have you figured out the sponsor naming pattern yet?) include Ankura, The CJK Group and H5.

The event runs from 7pm to 10pm on May 16th.  Ticket prices are: $75 per person to get in.  But, if you really want to maximize your experience, $125 per person will include access to the CloudNine Speakeasy, where drinks will be available and a lot of fun will be had.  And, you’ll actually get to be a character in the event (no worries, you won’t have to perform).  Trust me, you want to join us in the Speakeasy, that’s where the most fun will be!  Click here for more information and to purchase your tickets.  Remember, it’s for a great cause.

So, what do you think?  Are you going to be in DC on May 16?  If so, come join us!  If not, come to DC and then join us!  It will be epic.  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Why Does Production Have to be Such a Big Production?, Part Two

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom has also written several terrific informational overview series for CloudNine, including his most recent one, Understanding Blockchain and its Impact on Legal Technology, which we covered as part of a webcast on March 27.  Now, Tom has written another terrific overview regarding production challenges and what to do about them titled Why Does Production Have to be Such a Big Production? that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part one was Monday, here’s the second part.

Redaction Issues and Confidentiality Considerations

One of the most common technical mistakes lawyers make involve issues with redactions – there are frequent stories that make the news regarding lawyers publishing documents that were improperly redacted.  Redaction issues are also the most common error in document productions in eDiscovery as well.  There are a variety of issues associated with redactions and they have considerable impact on a lawyer’s ethical duty to confidentiality.  Let’s take a look.

Image Redaction Issues

Some of the more common mistakes I see involve redaction issues on images. And they go back years. In 2009, the TSA released a manual on the Internet that had not been redacted properly. In 2013, a Chicago lawyer was reprimanded when he failed to ensure that personal information was redacted in federal student loan collection actions he filed on behalf of the U.S. government.

In 2014, a Kentucky lawyer received a public reprimand for, among other misconduct, failing to redact his client’s social security number in bankruptcy filings he made on her behalf. Also in 2014, The New York Times reportedly failed to properly redact a PDF file of leaked National Security Administration documents and inadvertently released the name of an NSA agent.

In 2018, a reporter investigating an SEC settlement with alleged fraudsters downloaded from the federal PACER database an affidavit from one of the defendants in the matter. The PDF file contained about 100 pages of financial transactions that were blacked out in the PDF file. But when the affidavit was copied and pasted into another application’s text file for uploading, the black redaction boxes vanished, revealing all the private financial information that was supposed to be hidden. A clerk at the federal courthouse where the document in question was filed said that the party filing the document was responsible for ensuring that it was properly redacted.

Also, in 2018, the school district in the Parkland, Florida high school shootings case, apparently didn’t properly redact a document regarding the alleged shooter, which contained confidential information about him.  A Florida newspaper reported that the method used “made it possible for anyone to read the blacked-out portions by copying and pasting them into another file,” which the newspaper did — drawing a contempt threat from the judge presiding over the criminal case.

More recently, lawyers for President Trump’s former campaign chairman, Paul Manafort, apparently failed to redact a federal court document properly, permitting the blacked-out text to be viewed “with a few keystrokes.”

Clearly, redaction issues on images are common. Common mistakes here include:

  1. Failing to “burn-in” the redaction on the image
  2. Not updating or re-OCRing the text files to match
  3. Providing un-redacted native files
  4. Failing to redact certain metadata
  5. Improperly using redaction software

Other Redaction Issues

The last point above involves issues for documents that have been generated in a software and then either converted or printed before redaction.

The most common type of conversion involves saving a word processing document to PDF. How do you best handle redactions in that process? Here’s a few tips:

  1. Edit out sensitive information BEFORE converting.
  2. Be aware of any metadata that may carry into the PDF file. PDF conversion deletes MOST metadata but some may transfer (eg, Comments in Word)
  3. Use non-text PDF … image only
  4. Use the most current version of Adobe

Sometimes redaction involves paper. Hard to believe but true.  Some attorneys still use a dark marker to manually cover over confidential information. Much like the Manafort case mentioned above where a simple color change in an electronic document didn’t completely hide text, using a marker on paper may also fail.

In a 2015 article, “The Perils of Redaction: Simple Steps to Protect Confidential Information,”, Mark Crandley, a partner in the litigation department of Barnes & Thornburg in Indianapolis, wrote that  “many scanners are sensitive enough to perceive covered words even when the naked eye cannot.”

Confidentiality

Lawyers have an ethical duty to preserve clients’ privileges and property. So, aside from risking potential civil liability, lawyers also could face disciplinary action when they fail to properly redact court documents. Lawyers who fail to properly redact information in confidential documents could run afoul of the American Bar Association’s rule on safeguarding client property, which has been adopted by most states.

We’ll publish Part 3 – Load File Failures – on Friday.

So, what do you think?  Have you experienced problems with document productions in eDiscovery?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Discovery Can’t Be Stayed While Motion to Dismiss is Considered, Court Says: eDiscovery Case Law

In Udeen v. Subaru of America, Inc., No. 18-17334(RBK/JS) (D.N.J. Mar. 12, 2019), New Jersey Magistrate Judge Joel Schneider denied the defendants’ request that all discovery be stayed until their Motion to Dismiss is decided, but, with the proviso that only limited and focused discovery on core issues would be permitted.

Case Background

In this nationwide class action with allegations that the defendant’s defective infotainment system creates a safety hazard, the defendants filed a Motion to Dismiss on February 28, 2019 and requested that all discovery be stayed until their motion was decided.  The plaintiffs opposed the defendants’ request, so the Court received the parties’ letter briefs and held oral argument.

Judge’s Ruling

In evaluating the defendant’s motion, Judge Schneider said: “The Court agrees that plaintiffs will be prejudiced if all discovery is stayed while waiting for defendants’ motion to be decided. Given the extensive briefing on defendants’ motion and the expected time it will take for the motion to be decided, the case will be in suspense for months if defendants’ request is granted. Having filed their complaint plaintiffs have a right to move forward… This is especially true in a case where plaintiffs claim the alleged defect in defendants’ vehicles is a safety hazard. Further, the longer the case languishes the greater chance exists that relevant evidence may be lost or destroyed.”

Judge Schneider also noted: “Defendants’ concern about ‘extremely expensive’ discovery is overblown. As is always the case, the Court expects to closely manage discovery to assure that plaintiffs’ efforts are proportional. Further, contrary to defendants’ argument, a discovery stay will not simplify the issues for trial. In fact, the opposite is true. The parties initial discovery will focus on the core issues in the case to assure that only the most relevant and important discovery is produced. This discovery will be produced no matter what claims remain in the case. The discovery will serve to educate plaintiffs concerning the most important individuals and issues in the case. In the long run the Court expects defendants to benefit from this staging so that the parties do not chase discovery ‘down a rabbit hole.’”

As a result, Judge Schneider stated: “After examining all relevant evidence, the Court finds the relevant factors weigh in plaintiffs’ favor and, therefore, the Court will deny defendants’ request to stay all discovery.”  So, Judge Schneider ordered both the defendants and plaintiffs to produce certain documents and for the parties to meet and confer regarding certain other documents, noting: “The Court also finds that defendants’ documents in Japan are not necessarily off-limits. However, the Court is concerned plaintiffs’ requests are too broad. The Court will only permit narrow and focused discovery requests asking for core information. The parties meet and confer discussions shall also address plaintiffs’ request for third-party discovery. To the extent the parties cannot agree on the discovery to be produced, simultaneous letter briefs shall be served by April 15, 2019”.

So, what do you think?  Should discovery ever be stayed because a motion to dismiss is pending?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Hat tip to Jeff Dreiling and the Complete Legal blog for the tip about the case!

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Why Does Production Have to be Such a Big Production?

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars.  Tom has also written several terrific informational overview series for CloudNine, including his most recent one, Understanding Blockchain and its Impact on Legal Technology, which we covered as part of a webcast on March 27.  Now, Tom has written another terrific overview regarding production challenges and what to do about them titled Why Does Production Have to be Such a Big Production? that we’re happy to share on the eDiscovery Daily blog.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Here’s the first part.

Introduction

The aim of document productions in the ESI world is succinctly stated by the EDRM: To prepare and produce ESI in an efficient and usable format in order to reduce cost, risk and errors and be in compliance with agreed production specifications and timelines.  https://www.edrm.net/frameworks-and-standards/edrm-model/production/

Discussions of a “database production” typically refer to a collection of ESI loaded into e-discovery software in a form other than its native (original) format.  As a result, a load file may be necessary to organize and maintain original information about the documents and accompanying metadata. We’ll talk about those problems in more detail below but let’s be clear that production problems may revolve around other issues beyond load files.

So, why is this happening? Well the first reason is because it is an issue involving technical components and lawyers, who, by and large, simply aren’t good at technology. But lest we blame it all on the lawyers, let’s keep in mind that tech people don’t make good legal analysts. And neither of them are good communicators when it comes to technical issues so the potential for problems during productions is enormous.

DIY eDiscovery company Lexbe has listed 10 common reasons for production failures:

  1. Being unaware of the rules (FRCP/state/local)
  2. Neglecting to match review requests with your review approach
  3. Not knowing the common file deliverables in productions
  4. Missing the opportunity to use ‘Meet & Confer’ (Rule 26) to your advantage
  5. Failing to Request specific file types & metadata as needed
  6. No custodian tracking causing deduplication nightmares
  7. Not Addressing placeholders, databases, and unusual file types
  8. Negotiating incomplete discovery orders in complicated cases
  9. Stepping into redactions traps
  10. Decreasing privilege review accuracy by failing to apply Near Dup checks

In this paper, we will look at a couple of the most common issues associated with productions and discuss recommendations to minimize production mistakes:

  1. Redaction Issues and Confidentiality Considerations
  2. Load File Failures
  3. Recommendations for Minimizing Production Mistakes

We’ll publish Part 2 – Redaction Issues and Confidentiality Considerations – on Wednesday.

So, what do you think?  Have you experienced problems with document productions in eDiscovery?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Simon Says Two Years After Spoliation is Discovered is Too Late for Sanctions: eDiscovery Case Law

Sorry, I couldn’t resist…  ;o)

In Wakefield v. Visalus, Inc., No. 3:15-cv-1857-SI (D. Or. Mar. 27, 2019), Oregon District Judge Michael H. Simon denied the plaintiff’s motion for sanctions against the defendant for automatic deletion of call records, ruling that since the plaintiff knew about the deletion of call records for over two years, her motion was “untimely”.

Case Background

In this class claim related to alleged violations of the Telephone Consumer Protection Act (“TCPA”), the defendant used an automated telephone system called the “Progressive Outreach Manager” (“POM”), which the plaintiff contended generated and maintained historical records of each calling campaign and each call attempted by the defendant.  The POM system’s ESI was programmed to be automatically deleted after three months and, even though the defendant was on notice since October 2015 that it had a duty to preserve the information contained in the POM system, the plaintiff claimed that the defendant failed to suspend the call records’ automatic deletion. The plaintiff pointed to statements made by the defendant’s corporate representative and compliance analyst, during his deposition in December 2016 as evidence that these call records had been automatically deleted.

For many of those calls, the defendant maintained contact information spreadsheets containing all of the POM system information, so that data was replaced through other sources. However, the plaintiff contended there were 1.7 million calls that were not within the contact information spreadsheets that were deleted from the POM system, asserting that the lost call records would have proven that 350,228 of those calls delivered a message using an artificial or prerecorded voice to class members. In February 2019, the plaintiff asked the Court to order sanctions against the defendant, including instructing the jury that the defendant deleted call records and that the lost information was unfavorable to defendant.  The defendant argued that the motion was untimely, among other arguments against the motion.

Judge’s Ruling

In evaluating the plaintiff’s motion, Judge Simon said: “Plaintiff learned no later than December 12, 2016 that Defendant’s system deleted POM call records every three months. Discovery closed in December of 2017, one year later, and at that point Plaintiff had in her possession all call records produced by Defendant. Plaintiff acknowledges that she was aware in late 2016 that the call record data generated by the POM system had been “destroyed,” but claims she continued to believe that the same information was available elsewhere. It was only when performing final trial preparation that Plaintiff organized her trial exhibits, compiled the evidence obtained in discovery, and realized that some of the call data ‘deleted’ from the POM system had not been produced through other sources…Only then did Plaintiff file her motion for sanctions.”

Judge Simon also observed: “Had Plaintiff timely undertaken to examine the evidence produced by Defendant, any deleted call records that could not be restored or replaced through additional discovery would have been apparent to Plaintiff at that time, and she could have sought sanctions for the alleged spoliation.”  Noting that “courts are cautioned to be ‘wary of any spoliation motion made on the eve of trial’”, Judge Simon stated in denying the plaintiff’s motion: “Plaintiff filed her spoliation motion more than a year after the close of discovery, more than two years after she first learned of the alleged destruction of call records, and less than two months before trial. Plaintiff’s motion is untimely.”

So, what do you think?  Was that the correct call or should the plaintiff have been given the time to determine what she was missing?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Data Privacy Compliance Isn’t Just for Europe or California Anymore: Data Privacy Trends

We have covered Europe’s General Data Protection Regulation (GDPR) over several posts the past couple of years and even conducted a webcast on the topic last year.  And, we have covered the California Consumer Privacy Act (CCPA) several times as well, including as recently as last week.  But, what about the rest of the wide, wide world?  Do countries in other parts of the world have data privacy policies as well?  Yes.  Do they mimic GDPR policies?  Not necessarily.

As reported in Legaltech News (Data Protection Laws Take Center Stage For Global GC, written by Caroline Spiezio), lawyers are saying that ignoring data privacy changes outside of Europe, or assuming GDPR policies will comply anywhere, may lead to fines or diminished consumer trust in other regions.  For example, Camila Tobón, a Colorado-based data privacy lawyer at Shook, Hardy & Bacon, said many countries in the Latin America follow a consent-based model, which doesn’t allow for the legitimate interest data collection case presented under GDPR. She said many Latin American countries with data privacy laws used Spain’s consent-based version of the 1995 Data Protection Directive (the predecessor to GDPR in Europe) to shape their regulations.

“When Spain incorporated the directive into their law, one noticeable change [from other EU countries] was the lack of legitimate interest for a basis for processing personal data,” Tobón said. “When most Latin American countries were starting to implement their laws in 1999, 2000, 2001, they used the Spanish law as a model, which didn’t include legitimate interest. So what you ended up seeing in Latin America was a consent-based model.”

However, Brazil’s General Data Protection Law, which passed in 2018, includes the case for legitimate interest collection, which closely aligns that country’s laws with Europe’s.  And, other countries in Latin America are working on changes as well.  Chile recently voted to create a national data protection authority. Panama’s National Assembly approved a national data protection regulation last year that currently awaits the president’s signature. An updated Argentine bill to bring the country’s data protection regulations closer to Europe’s with a legitimate interest model and data protection officer requirement is also in the works, with a draft standing in front of Congress.

Beyond Latin America, other countries are making (or considering making) changes as well.  The Corporate Counsel Association of South Africa’s chief executive officer Alison Lee said she expects to see the country implement the Protection of Personal Information Act this year.  Unlike GDPR, POPIA asserts companies also have “personal data” that requires protection. South Africa currently doesn’t require explicit consent to collect data or legitimate interest, but it does require some form of consent.  Nigeria could also see data protection changes, as it has long attempted to pass a specific data protection bill.

So, what about Asia Pacific (APAC)?  Scott Thiel, a Hong Kong-based DLA Piper partner, said, since GDPR’s implementation, he’s increasingly asked questions about data protection in Asia.

“Everyone is sort of finally taking a breath and going, ‘OK, we got through GDPR, we’re somewhere near compliance and that’s great. I assume that works everywhere, does it?’ And the short answer is no, it doesn’t,” Thiel said. “A lot of the approaches to data compliance that work in Europe don’t work in the Asian markets.”

He said many companies have tried applying their GDPR policies to China and other Asian countries and it “just doesn’t” work.  Like Latin America, much of East Asia relies on a consent-based model rather than legitimate interest, Thiel said.  Nonetheless, cybersecurity laws are changing in APAC, as well.  The article has several more details regarding data privacy changes in Latin America, Africa and APAC.  GDPR, with its heavy fines, has gotten a lot of the coverage regarding data privacy compliance, but you can’t ignore requirements in the rest of the world if you’re a multi-national company.  I’m sure Antarctica will come out with their data privacy laws any day now.  ;o)

So, what do you think?  Are you prepared for data privacy changes around the rest of the world?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Cellebrite 2019 Report on Industry Trends for Law Enforcement: eDiscovery Trends

As I’ve been saying for a while now and will be discussing with Tom O’Connor in our webcast on April 24, discovery isn’t just for litigation anymore.  Drivers for compliance and investigations are growing to the point that discovery activities are about as likely to support those needs as they for litigation.  And, for law enforcement, investigations are the primary discovery driver.  So, what are some of the trends they see with regard to the types and sources of evidence associated with these investigations?  A new report by Cellebrite, a leader in forensic collection for cellular phones and mobile devices, sheds light on those trends.

Cellebrite recently conducted an industry trends survey targeting Law Enforcement and reported the results in their 2019 Report on Industry Trends for Law Enforcement (link to download the free report available here, hat tip to Rob Robinson’s Complex Discovery site for the reference).  The survey focused on the impact of digital data in investigating and prosecuting criminal cases including:

  • What types of digital sources are being used in investigations.
  • Which digital sources and data are most frequently used and considered the most important.
  • The challenges to accessing digital data.
  • The impact to productivity and ability to resolve investigations.

Over 2,700 Law Enforcement personnel completed the survey with the majority of the respondents coming from investigators and examiners.  Five of the most important key findings from the survey were as follows:

  • Mobile phones are the most frequently used and most important digital source for investigations.
  • The variety of digital sources used in investigations in increasing and now includes sources such as wearables and smart home technology being used more frequently in investigations.
  • Two most common challenges to extracting data from mobile phones are locked phones and encrypted data.
  • Law enforcement agencies are averaging three-month backlogs on investigations.
  • Despite the backlogs and the variety of digital sources and the amount of digital data that typically need to be reviewed in an investigation, the vast majority of law enforcement agencies are reviewing this information manually instead of using analytics solutions.

Smartphones remain the primary source for digital evidence with 91% of respondents indicating that evidence sources from smartphones were an evidence source “very frequently” (81%) or “frequently” (10%).  Computers were a distant second at 52%, followed by CCTV (i.e., surveillance systems) and feature phones (those “lacking the functionality of smart phones”) at 45% each.  And, many of the top data types reviewed during an investigation are likely to be from mobile device sources, including Images from Digital Evidence (at 94% total “very frequent” and “frequent”), Text messages (93%), Videos from Digital Evidence (90%) and Location History from Digital Evidence (86%), among others.  The report contains many more stats, including percentage of cases involving data from cloud sources, time spent reviewing various sources of data, time spent on reporting and caseloads, among other things.

According to Cisco, monthly global mobile data traffic will be 77 exabytes by 2022, and annual traffic will reach almost one zettabyte (if you didn’t know already, a zettabyte is 1 trillion gigabytes).  And, the report notes that 85% of criminal investigations include some form of digital data, so establishing the relevancy of collecting digital data was not a focus of the survey.  You can click on the link above to download a copy of the report or view an insert of the report within Rob’s blog.

So, what do you think?  Does it surprise you that law enforcement investigations are so heavily focused on mobile devices?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Appeals Court Reverses Jury Decision Based on Failure of Court to Issue Spoliation Sanction: eDiscovery Case Law

In Marshall v. Brown’s IA, LLC, No. 2588 EDA 2017 (Pa. Super. Mar. 27, 2019), the Superior Court of Pennsylvania, ruling that the trial court “abused its discretion in refusing the charge” of an adverse inference sanction against the defendant for failing to preserve several hours of video related to a slip and fall accident, vacated the judgment issued by the jury within the trial court for the defendant and remanded the case for a new trial.

Case Background

In this case where the plaintiff slipped and fell in one of the defendant’s ShopRite stores in August 2014, the plaintiff’s counsel sent a letter two weeks after the incident requesting that the defendant retain surveillance video of the accident and area in question for six hours prior to the accident and three hours after the accident. Additionally, the letter cautioned:

“If any of the above evidence exists, and you fail to maintain same until the disposition of this claim, it will be assumed that you have intentionally destroyed and/or disposed of evidence. Please be advised that you are not permitted, and are in no position, to decide what evidence plaintiff would like to review for this case. Accordingly, discarding any of the above evidence will lead to an Adverse Inference against you in this matter.”

Nonetheless, the defendant decided to preserve only thirty-seven minutes of video prior to the plaintiff’s fall and approximately twenty minutes after, and permitted the remainder to be automatically overwritten after thirty days.  The defendant’s Risk Manager (Matthew McCaffrey) testified that it was the store’s “rule of thumb” to preserve video surveillance from twenty minutes before and twenty minutes after a fall.  The plaintiff contended that the defendant’s conscious decision not to retain the video evidence constituted spoliation, and she asked the trial court to give an adverse inference charge to the jury.  But, the trial court concluded that there was no bad faith by the defendant and refused to give the requested adverse inference charge, but did agree, that the plaintiff’s counsel could argue to the jury that it should infer from the defendant’s decision not to retain more of the video prior to her fall that the video was damaging to the defendant.  Despite that, the jury returned a verdict in favor of the defendant, finding no negligence.

The plaintiff filed timely post-trial motions alleging that she was entitled to a new trial because the trial court erred in refusing to give the requested spoliation instruction to the jury, but the trial court did not rule on the motion, so she appealed, asking if the trial court abused its discretion by declining to read a spoliation of evidence instruction to the jury at trial.

Appellate Court’s Ruling

The opinion by J. Bowes noted that “[t]he duty to retain evidence is established where a party ‘knows that litigation is pending or likely’ and “it is foreseeable that discarding the evidence would be prejudicial” to the other party.”  The court also observed: “Although Mr. McCaffery testified that ShopRite’s rule of thumb was to retain only twenty minutes of tape prior to the fall and twenty minutes after the fall, it actually preserved thirty-seven minutes of footage prior to Ms. Marshall’s fall, and twenty minutes after the fall. He offered no explanation why ShopRite deviated from its typical practice herein.”  The court also observed that “conspicuously absent was testimony from anyone at ShopRite that he or she watched the video for the six-hour-period prior to the fall before determining that it did not contain any relevant evidence.”

Finding that “counsel’s letter placed ShopRite on notice to preserve the video surveillance prior to and after the fall as it was arguably relevant to impending litigation”, the court stated “we find that the trial court took an unreasonably narrow view of ‘relevant evidence’ in concluding that no spoliation occurred in this premises liability case. Relevant evidence is any evidence that ‘has any tendency to make a fact more or less probable.’…Furthermore, its finding of no bad faith on ShopRite’s part was relevant in determining the severity of the sanction to impose for spoliation, but it did not negate or excuse the spoliation that occurred.”

As a result, the court – in vacating the judgment and remanding the case for a new trial – ruled that “Ms. Marshall asked the court for the least severe spoliation sanction, an adverse inference instruction. On the facts herein, it was warranted, and the court abused its discretion in refusing the charge.”

So, what do you think?  Should the judgment have been thrown out over the defendant’s failure to preserve the rest of the video?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

What’s a Lawyer’s Duty When a Data Breach Occurs within the Law Firm: Cybersecurity Best Practices

When I spoke at the University of Florida E-Discovery Conference last month, there was a question from the live stream audience about a lawyer’s duty to disclose a data breach within his or her law firm.  I referenced the fact that all 50 states (plus DC, Guam, Puerto Rico and the Virgin Islands) have security breach notification laws, but I was not aware of any specific guidelines or opinions relating to a lawyer’s duty regarding data breach notification.  Thanks to an article I came across last week, I now know that there was a recent ABA opinion on the topic.

An article written by Anton Janik, Jr. of Williams Mitchell and originally published in the 2019 Winter edition of The Arkansas Lawyer and republished on JD Supra (The Lawyer’s Duty When Client Confidential Information is Hacked From the Law Firm, hat tip to Sharon Nelson’s terrific Ride the Lightning blog for the reference) takes a look at a lawyer’s duties following a data breach and discusses the requirements of ABA Formal Opinion 483, which was issued in October 2018.

Janik begins his article by referencing the DLA Piper NotPetya ransomware attack in 2017, as follows:

“Imagine it’s a usual Tuesday morning, and coffee in hand you stroll into your office. Right inside the door, you see a handwritten notice on a big whiteboard which says: All network services are down, DO NOT turn on your computers! Please remove all laptops from docking stations & keep turned off. *No exceptions*

Finding this odd, you turn to your firm receptionist who tells you that the firm was hit with a ransomware attack overnight, and that if you turn on your computer all of your files will be immediately encrypted, subject to a bitcoin ransom.”

That’s what happened to DLA Piper and the 4,400-attorney law firm was “reduced to conducting business by text message and cell phone” until the situation was resolved, requiring 15,000 hours of overtime IT assistance, though they sustained no reported loss of client confidential information.

Of course, as you probably know by reading this blog, the DLA Piper situation isn’t unique.  A recent American Bar Association report stated that 22% of law firms reported a cyberattack or data breach in 2017, up from 14% the year before.

The ABA Opinion discusses three duties under its Model Rules: the duty of competence, the duty of communication, and the duty of confidentiality. While the ABA Opinion focused narrowly upon the ethical duties it sees arising between an attorney and client, it is important that you understand “the types of data you work with, and keep yourself abreast of what laws, regulations and contractual provisions govern its loss” (I just pointed you to a resource for breach notification laws up above).

Janik’s article covers stopping the breach, restoring systems and determination what happened and the cause. Best practices (and often your cybersecurity insurance coverage) dictate that your law firm should draft, and regularly train on, a breach response plan which defines personnel roles and procedural steps to employ in assessing and addressing any given breach, including through the use of outside vendors whose use may be contractually prearranged.

When a breach is discovered, the ABA Opinion finds that the duty of competence under Model Rule 1.1 requires the attorney to act reasonably and promptly to stop the breach and mitigate the damage, using “all reasonable efforts” to restore computer operations to be able to continue client services.  And, Model Rule 1.4 requires that an attorney keep the client “reasonably informed about the status of the matter.”

So, now I know – which means you know too.  :o)

So, what do you think?  Were you familiar with ABA Formal Opinion 483?  Does your firm have a formalized breach response plan?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.