Electronic Discovery

About Half of Surveyed Companies Haven’t Started Preparing for CCPA: Data Privacy Trends

Does this sound familiar?  Last week at the University of Florida E-Discovery Conference, I talked about the California Consumer Protection Act (CCPA) as one of the things that organizations need to be prepared to address these days as part of their compliance obligations.  Sounds like a lot of organizations haven’t gotten around to that just yet.

In an article in Legaltech® News (Almost Half of Companies Haven’t Started CCPA Compliance: Survey, written by Frank Ready), a recent survey of 250 executives and managers at U.S. technology, manufacturing, financial services, utilities and health care companies finds that 44 percent of companies that will impacted by the CCPA haven’t yet taken steps towards compliance.  Only 14 percent of respondents are fully CCPA compliant at this point.

The state’s forthcoming privacy regulation, which is scheduled to take effect next January 1st, empowers Californians with more control over the way their data is collected, shared or viewed by U.S. companies on a daily basis. According to the survey, a large majority of respondents, 71 percent, expect to spend at least $100,000 on compliance efforts. But consulting attorneys may not wind up seeing as much of that money as one might think.

The survey was conducted by Dimensional Research on behalf of the privacy compliance company TrustArc. Chris Bable, CEO of TrustArc, attributed some of the compliance delay to companies that have never had to wrap their heads around these issues before. While the European Union’s General Data Protection Regulation (GDPR) impacted only U.S. companies with business interests in Europe, the CCPA hits a little closer to home.

“One of the pieces that I had underestimated was truly the amount of companies that were not impacted by GDPR, so CCPA is their foray into doing this,” Babel said.

“The legal fees are going to play a role, but I don’t think the legal fee is going to be the largest chunk of the expense. It will really be the in-house kind of grind that needs to be done in order for the compliance steps to be in place,” said Jarno Vanto, a shareholder at Polsinelli.

The “grind” he’s referring to includes extensive work around understanding what data an organization holds and mapping the flow of that data. It also includes checking in with third party vendors and partners to determine what information they have access to as well.

So, how are companies planning on making the leap before the deadline? According to the survey, 72 percent of respondents plan on investing in some sort of technology to help smooth the way.  That doesn’t surprise me – as I discussed in Florida last week, Information Governance (IG) policies are vital to organizations’ ability to meet compliance obligations, but it’s going to take a combination of IG policies and technology for organizations to really get a handle on their data.

So, what do you think?  Are you surprised that so many companies haven’t begun to address CCPA yet?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Judge’s Facebook Friendship with Party Causes Decision to Be Reversed and Remanded to Different Judge: eDiscovery Case Law

In the case In Re the Paternity of B.J.M., Appeal No. 2017AP2132 (Wis. App. Feb. 20, 2019), the Court of Appeals of Wisconsin, concluding that “the circuit court’s undisclosed ESM connection with a current litigant in this case {by accepting a Facebook “friend” request from the litigant} created a great risk of actual bias, resulting in the appearance of partiality”, reversed and remanded the case for further proceedings before a different judge.

Case Background

In this case where the parties entered into an order granting parties Timothy Miller and Angela Carroll joint legal custody and shared physical placement of a minor child in 2011, Carroll filed a motion to modify the court order on the basis that Miller had engaged in a pattern of domestic abuse against Carroll. After the parties had submitted their written arguments, the judge deciding the motion – Judge Michael Bitney – accepted Carroll’s friend request on Facebook. Subsequently, Carroll “liked” eighteen of Judge Bitney’s Facebook posts and commented on two of his posts – none of which related to the pending litigation.  Judge Bitney did not “like” or comment on any of Carroll’s posts, nor did he reply to any of her comments on his posts; however, Carroll’s other activities (“liking” multiple posts from other parties and “sharing” one third-party photograph) did appear on Judge Bitney’s “newsfeed.” One of these shared stories related to domestic violence.

On July 14, 2017, Judge Bitney issued a decision granting Carroll’s modification motion. After the decision, Miller learned that Judge Bitney and Carroll were Facebook friends during the period prior to making his ruling, and moved to reconsider the judge’s decision.  At a hearing on Miller’s motion, Judge Bitney confirmed that he had accepted Carroll’s friend request after the custody hearing and before rendering his written decision. However, he concluded he was not subjectively biased by accepting Carroll’s “friend” request, because he already “had decided how I was going to rule, even though it hadn’t been reduced to writing.” Further, he concluded that “[e]ven given the timing of” his and Carroll’s Facebook connection, the circumstances did not “rise[] to the level of objective bias. . . .” Consequently, he denied Miller’s motion. Miller appealed the decision.

Court’s Ruling

In an opinion written by Justice J. Seidl, he noted that “This case involves what appears to be an issue of first impression in Wisconsin: a claim of judicial bias arising from a judge’s use of electronic social media (ESM)” and stated that “we need not determine whether a bright-line rule prohibiting the judicial use of ESM is appropriate or necessary”.  He also referenced a New Mexico supreme court in Thomas as “particularly instructive”, which said:

“While we make no bright-line ban prohibiting judicial use of social media, we caution that ‘friending,’ online postings, and other activity can easily be misconstrued and create an appearance of impropriety… A judge’s online ‘friendships,’ just like a judge’s real-life friendships, must be treated with a great deal of care.”

The opinion also stated that “the time when Judge Bitney and Carroll became Facebook ‘friends’ would cause a reasonable person to question the judge’s partiality. Although Judge Bitney apparently had thousands of Facebook ‘friends,’ Carroll was not simply one of the many people who ‘friended’ him prior to this litigation. Rather, Carroll was a current litigant who reached out to Judge Bitney and requested to become his Facebook ‘friend’ after testifying at a contested hearing, at which Judge Bitney was the sole decision-maker. Judge Bitney then took the affirmative step to accept this ‘friend’ request before issuing his decision in this case…This timing creates a great risk of actual bias and a resulting appearance of partiality because, even assuming that a Facebook ‘friendship’ does not denote the type of relationship traditionally associated with the term ‘friendship,’ it is unquestionably evidence of some type of affirmative social connection…Carroll’s choice to send a ‘friend’ request to Judge Bitney, combined with Judge Bitney’s choice to accept that request before issuing his decision, conveys the impression that Carroll was in a special position to influence Judge Bitney’s ultimate decision – a position not available to individuals that he had not ‘friended,’ such as Miller.”

As a result, the court reversed and remanded the case for further proceedings before a different judge.

So, what do you think?  Should judges accepting friend requests from litigants disqualify them from ruling in their cases?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Hat tip to Sharon Nelson’s Ride the Lightning blog for coverage of this case.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Ignoring Internet of Things Devices Could Be IdIoTic: eDiscovery Trends

See what I did there?  ;o)  While I’m speaking at the University of Florida E-Discovery Conference today, let’s take a look at a couple of articles related to Internet of Things (IoT) devices that you need to know from an eDiscovery standpoint.

In an article in Legaltech News (E-Discovery’s New Challenge: Not Ignoring Internet of Things Data, written by Victoria Hudgins), the author notes that, in addition to smartphones, items such as Fitbits, Amazon’s Alexa, self-vacuuming Roombas and internet-connected cars also fall under the IoT umbrella of items that are connected to the internet and collect and share data.

Dana Conneally, managing partner at QDiscovery and Evidox Corp., noted IoT devices may have multiple data repositories, which creates more data for attorneys to review.

“You want to know what’s on the hard drive of the device, but they are typically connected to the internet and cloud. … Now you have three different rabbit holes you are trying to chase down at the same time,” Conneally said.

Such devices represent a new source of evidence for a lawyer’s clients, but how to find value in such data can be difficult.

“Attorneys, a lot of the time, haven’t been trained how to do that,” said Cozen O’Connor eDiscovery and practice advisory services group chairman Dave Walton. “What are the types of evidence out there? We need to know to win in this environment.”

Walton said attorneys are “overwhelmed” by IoT devices in e-discovery, and they usually reason that it’s not practical to assess such devices. However, Walton suggested lawyers should always evaluate if their client’s legal matter warrants obtaining information from an IoT device and make proportional requests for the data, an approach that also governs other types of discoverable content.

“You have to be proportional about how you go about the evidence. The more you know about the evidence, the better you know about alternatives” and efficient ways to obtain the evidence, Walton said.

Smartphones aside, while I have seen several criminal cases involving IoT devices (including this one, this one and this one), I haven’t too many civil cases involving IoT devices (yet).  But, I expect to see more over time.

But, that’s not all!  Earlier this month, the Cloud Security Alliance (CSA) announced the release of the CSA IoT Controls Framework, its first such framework for IoT which introduces the base-level security controls required to mitigate many of the risks associated with an IoT system operating in a range of threat environments. Created by the CSA IoT Working Group, the new Framework together with its companion piece, the Guide to the CSA Internet of Things (IoT) Controls Framework, provide organizations with the context in which to evaluate and implement an enterprise IoT system that incorporates multiple types of connected devices, cloud services, and networking technologies.

Utilizing the Framework, user owners will assign system classification based on the value of the data being stored and processed and the potential impact of various types of physical security threats. Regardless of the value assigned, the Framework has utility across numerous IoT domains from systems processing only “low-value” data with limited impact potential, to highly sensitive systems that support critical services.

The CSA IoT Working Group develops frameworks, processes and best-known methods for securing these connected systems. Further, it addresses topics including data privacy, fog computing, smart cities and more. Individuals interested in becoming involved in future IoT research and initiatives are invited to visit the Internet of Things Working Group join page.

Hat tip to Rob Robinson’s Complex Discovery blog for the info on the CSA IoT Controls Framework.  Here’s the press release with more information.  Dealing with IoT devices is inevitable, so don’t be idIoTic and get informed!  ;o)

So, what do you think?  Have you had to deal with IoT devices in your eDiscovery projects?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Tomorrow is the U-Fla E-Discovery Conference!: eDiscovery Best Practices

Usually, I remind you the day of a conference about it, but this one is big enough that I want to give you more time to register – at least for the livestream.  Believe it or not, tomorrow is the seventh annual University of Florida E-Discovery Conference.  And, as usual, the panel of speakers is an absolute who’s who in eDiscovery.

The conference focus this year is effectively managing discovery from the opposition. As they state on the site: “The opposition often holds the keys to the case. How can you make sure you get the documents you are entitled to? How can you assure that the opposition is doing the best job identifying, collecting, searching and producing requested documents.”

The conference is tomorrow from 8am to 6pm ET.  And, again this year, U-Fla will also be hosting CareerFest the day before (which is today!) at noon ET.

As you can always expect from the U-Fla conference, there are a veritable plethora of experts, including Craig Ball, George Socha, Aaron Crews, Scott Milner, Kelly Twigger, Tessa Jacobs, David Horrigan, Canaan Himmelbaum, Suzanne Clark, Mike Dalewitz, Mike Quartararo, and Ian Campbell.  And, a bunch of distinguished federal and state judges, including U.S. Magistrate Judges William Matthewman, Mac McCoy, Patricia Barksdale, and Gary Jones and retired Florida Circuit Court Judge Ralph Artigliere.

I will be there again as well, presenting in the E-Discovery Nuts and Bolts session.  The topic is Why Waiting Until the Case is Filed May Now be Too Late for Discovery!

I’ll be discussing the drivers and challenges (such as #MeToo, growing data privacy concerns with GDPR and the pending California Privacy Act) facing organizations today to understand their data better to avoid litigation in the first place and discuss where discovery is heading in the future.  Expect a lot of interesting (if not sobering) stats!

From what I understand, unless you’re a student, the conference is sold out in person!  (Maybe you’d better act earlier next time if you want to attend in person!)  But, livestream attendance is still available – and it’s still only $99 for a whole day of CLE-accredited education from a who’s who of eDiscovery experts.  And, it’s free to university and college faculty, professional staff, judicial officials, clerks, and employees of government bodies and agencies.  To register for livestream attendance, click here.

So, what do you think?  Are you going to attend the conference in person or via livestream?  There’s still time to register!  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

According to Survey, Difficulty Getting Budget is the Top Legal Tech Struggle for GCs: eDiscovery Trends

According a new survey from Clyde & Co and Winmark, the number one reason that General Counsel (GCs) struggle with legal tech adoption and implementation is ‘difficulty in getting budget‘.  But, don’t blame the board for that.  ;o)

According to Artificial Lawyer (‘Difficulty Getting Budget’ No 1 Reason GCs Struggle With Legal Tech), 55 percent of the inhouse lawyers identified ‘difficulty in getting budget‘ as a challenge, which was the most of any challenges identified.  Here is the complete list of challenges and percentages for each:

  • Difficulty getting budget: 55 percent
  • Issues with legacy systems: 45 percent
  • Deciding what to invest in: 37 percent
  • Lack of time: 31 percent
  • Tech not meeting expectations: 25 percent
  • Lack of knowledge: 24 percent
  • Implementation overruns: 20 percent
  • Legal framework for tech not complete: 18 percent
  • Resistance to change from the board: 10 percent

So, over half of the GCs indicate that it’s difficult to get the budget for technology, but only 10% indicate that the board is resistant to change.  Sounds to me like it’s not so much the board holding GCs back as it’s demonstrating return on investment (ROI) on the tech purchase that’s the stumbling block.  Maybe.

The entire 40-page report is available and can be downloaded from here – it has various findings from GCs and board directors regarding risk landscape and responsibility, technology innovation and risk and the role of the GC.  For example, despite the high perceived risk of cyber attack (75 percent from GCs, 79 percent from board members), 42 percent of GCs and 37 percent of board directors do not have a plan in place to address those attacks.

I should note that, when downloading the report yesterday, I received an odd error on the screen that seemed to indicate that it didn’t accept my inputs, but a link to the report was still emailed to me.  Be patient.  :o)

So, what do you think?  Is budget the biggest challenge for GCs with regard to technology?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

In Decision That Sounds the “Death Knell” for Fifth Amendment Protection, Defendant Ordered to Provide Cell Phone Password: eDiscovery Case Law

In Commonwealth v. Jones, SJC-12564 (Mass. Mar. 6, 2019), the Supreme Judicial Court of Massachusetts reversed a lower court judge’s denial of the Commonwealth’s renewed Gelfgatt motion (where the act of entering the password would not amount to self-incrimination because the defendant’s knowledge of the password was already known to the Commonwealth, and was therefore a “foregone conclusion” under the Fifth Amendment and art. 12 of the Massachusetts Declaration of Rights), and the court remanded the case to the Superior Court for entry of an order compelling the defendant to enter the password into the cell phone at issue in the case.

Case Background

In this case involving allegations that the defendant was trafficking a person for sexual servitude, the Commonwealth of Massachusetts seized a cell phone from the defendant that it believed contained material and inculpatory evidence, but was unable to access the phone’s contents because they were protected by a passcode.  The Commonwealth sought to compel the defendant to decrypt the cell phone by filing a motion for an order requiring the defendant to produce a personal identification number access code in the Superior Court.

The central legal issue concerned whether compelling the defendant to enter the password to the cell phone would violate his privilege against self-incrimination guaranteed by both the Fifth Amendment and art. 12.  The Commonwealth argued that under the decision in Commonwealth v. Gelfgatt, 468 Mass. 512, 11 N.E.3d 605 (2014), the act of entering the password would not amount to self-incrimination because the defendant’s knowledge of the password was already known to the Commonwealth, and was therefore a “foregone conclusion” under the Fifth Amendment and art. 12. Following a hearing, a judge denied the Commonwealth’s motion, concluding that the Commonwealth had not proved that the defendant’s knowledge of the password was a foregone conclusion under the Fifth Amendment.

Several months later, the Commonwealth renewed its motion and included additional factual information that it had not set forth in its initial motion. The judge denied the renewed motion, noting that because the additional information was known or reasonably available to the Commonwealth when the initial motion was filed, he was “not inclined” to consider the renewed motion under the Massachusetts Rules of Criminal Procedure.  The Commonwealth then filed a petition for relief in the county court, and the single justice reserved and reported the case to the full court. The single justice asked the parties to address three specific issues, in addition to any other questions they thought relevant:

  1. What is the burden of proof that the Commonwealth bears on a motion like this in order to establish a “foregone conclusion,” as that term is used in Commonwealth v. Gelfgatt?
  2. Did the Commonwealth meet its burden of proof in this case?
  3. When a judge denies a ‘Gelfgatt’ motion filed by the Commonwealth and the Commonwealth thereafter renews its motion and provides additional supporting information that it had not provided in support of the motion initially, is a judge acting on the renewed motion first required to find that the additional information was not known or reasonably available to the Commonwealth when the earlier motion was filed before considering the additional information?

Court’s Ruling

In an opinion written by Justice J. Kafker, with regard to question 1, he wrote that: “we conclude that when the Commonwealth seeks a Gelfgatt order compelling a defendant to decrypt an electronic device by entering a password, art. 12 requires that, for the foregone conclusion to apply, the Commonwealth must prove beyond a reasonable doubt that the defendant knows the password.”

With regard to question 2, Justice Kafker wrote: “The defendant’s possession of the phone at the time of his arrest, his prior statement to police characterizing the LG phone’s telephone number as his telephone number, the LG phone’s subscriber information and CSLI records, and Sara’s statements that she communicated with the defendant by contacting the LG phone, taken together with the reasonable inferences drawn therefrom, prove beyond a reasonable doubt that the defendant knows the password to the LG phone. Indeed, short of a direct admission, or an observation of the defendant entering the password himself and seeing the phone unlock, it is hard to imagine more conclusive evidence of the defendant’s knowledge of the LG phone’s password. The defendant’s knowledge of the password is therefore a foregone conclusion and not subject to the protections of the Fifth Amendment and art. 12.”

With regard to question 3, Justice Kafker wrote: “Although some, if not all, of the additional information included in its renewed motion may very well have been available to the Commonwealth at the time it filed its initial motion, in light of the nature and purpose of Gelfgatt motions and the circumstances of this case, the judge erred in concluding that he need not consider the additional information “[a]bsent a showing of new evidence not otherwise available to the Commonwealth.” The motion judge therefore abused his discretion in denying the Commonwealth’s renewed Gelfgatt motion.”

As a result, the motion judge’s denial of the Commonwealth’s renewed Gelfgatt motion was reversed, and the case was remanded to the Superior Court for entry of an order compelling the defendant to enter the password into the cell phone

Justice J. Lenk, while concurring with the decision, also said this: “The court’s decision today sounds the death knell for a constitutional protection against compelled self-incrimination in the digital age. After today’s decision, before the government may order an individual to provide it with unencrypted access to a trove of potential incriminating and highly personal data on an electronic device, all that the government must demonstrate is that the accused knows the device’s passcode. This is not a difficult endeavor, and in my judgment, the Fifth Amendment and art. 12 demand more. That is, before the government may compel an accused’s assistance in building a case against that accused, the government must demonstrate that it already knows, with reasonable particularity, of files on the device relevant to the offenses charged, and that the defendant knows the passcode to unlock them. Because I conclude that the government here met those burdens, I join in the court’s result.”

So, what do you think?  Should defendants be ordered to provide their passcodes, even if it leads to incriminating evidence against them?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Facebook Will Shift to Emphasize Encrypted Ephemeral Messages, Zuckerberg Says: eDiscovery Trends

In a post to Facebook last week, founder Mark Zuckerberg outlined a vision of the future that includes end-to-end encryption and an ephemeral lifespan for private messages and photos.  Zuckerberg said that encryption will be one of the keys to Facebook’s future — and that the company is willing to be banned in countries that refuse to let it operate as a result.

According to The Verge (Mark Zuckerberg says Facebook will shift to emphasize encrypted ephemeral messages, written by Casey Newton), Zuckerberg wrote in a 3,200 word “missive”: “As I think about the future of the internet, I believe a privacy-focused communications platform will become even more important than today’s open platforms.  Today we already see that private messaging, ephemeral stories, and small groups are by far the fastest growing areas of online communication.”

Public social networks have their place, Zuckerberg added, but he sees a large future opportunity built on “a simpler platform that’s focused on privacy first.” That would mark a sharp reversal for Facebook, which has grown into one of the world’s wealthiest companies by inventing exotic new methods of personal data collection and allowing brands to sell advertising against it. Facebook has spent the past two years mired in scandals around data privacy, starting with last year’s revelations around Cambridge Analytica and continuing through the biggest data breach in company history.

“I believe the future of communication will increasingly shift to private, encrypted services where people can be confident what they say to each other stays secure and their messages and content won’t stick around forever,” Zuckerberg says. “This is the future I hope we will help bring about.“

From an eDiscovery standpoint, the ability to customize the lifespan of messages could wreak havoc, as discussed in this article in Legaltech News®, written by Frank Ready:

“The biggest problem is how are we going to train lawyers [and] how are they going to train their clients to preserve it?” said attorney and forensic technologist Craig Ball.  “A lot of people got into hot water or at least had to try to extricate themselves from hot water because they failed to disable the auto-delete, auto-purge function of their email collections,” Ball said.

Now, they may need to remember to change the settings for their Facebook messages as well when litigation hits.

“People don’t really have an appreciation for social media being evidence and so people will on occasion just delete things, not thinking they are doing anything bad,” said Mary Mack, executive director of the Association of Certified E-discovery Specialists (ACEDS).

Of course, ephemeral messaging has already been at issue in litigation, with the Waymo v. Uber case and Uber’s use of Wickr, an ephemeral messaging application, for internal communications.  Waymo contended that Uber was using Wickr to “hide the ball” with regard to its internal communications, but California District Judge William Alsup declined to severely sanction Uber, given that Waymo was also using its own ephemeral messaging app for communications.

Of course, there is no duty to preserve those messages until litigation is anticipated.  As Kelly Twigger, CEO of eDiscovery Assistant noted, “We’re surmising at this point but you might start to see, you know, a lot more attention paid to what is the date that the duty to preserve arises.”

We’ll see.  Craig, Mary and Kelly will be among the many eDiscovery experts that will be at the University of Florida E-Discovery Conference next week (I’m honored to be there again too!).  While it’s my understanding that the conference is booked as far as in-person attendance, you can still register for livestream attendance here.

So, what do you think?  Will ephemeral messaging make things easier or harder for attorneys?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

The Enron Data Set is No Longer a Representative Test Data Set: eDiscovery Best Practices

If you attend any legal technology conference where eDiscovery software vendors are showing their latest software developments, you may have noticed the data that is used to illustrate features and capabilities by many of the vendors – it’s data from the old Enron investigation.  The Enron Data Set has remained the go-to data set for years as the best source of high-volume data to be used for demos and software testing.  And, it’s still good for software demos.  But, it’s no longer a representative test data set for testing processing – at least not as it’s constituted – and it hasn’t been for a good while.  Let’s see why.

But first, here’s a reminder of what the Enron Data Set is.

The data set is public domain data from Enron Corporation that originated from the Federal Energy Regulatory Commission (FERC) Enron Investigation (you can still access that information here).  The original data set consists of:

  • Email: Data consisting of 92% of Enron’s staff emails;
  • Scanned documents: 150,000 scanned pages in TIFF format of documents provided to FERC during the investigation, accompanied by OCR generated text of the images;
  • Transcripts: 40 transcripts related to the case.

Over eight years ago, EDRM created a Data Set project that took the email and generated PST files for each of the custodians (about 170 PST files for 151 custodians).  Roughly 34.5 GB in 153 zip files, probably two to three times that size unzipped (I haven’t recently unzipped it all to check the exact size).  The Enron emails were originally in Lotus Notes databases, so the PSTs created aren’t a perfect rendition of what they might look like if they originated in Outlook (for example, there are a lot of internal Exchange addresses vs. SMTP email addresses), but it still has been a really useful good sized collection for demo and test data.  EDRM has also since created some micro test data sets, which are good for specific test cases, but not high volume.

As people began to use the data, it became apparent that there was a lot of Personally Identifiable Information (PII) contained in the set, including social security numbers and credit card numbers (back in the late 90s and early 2000s, there was nowhere near the concern about data privacy as there is today).  So, a couple of years later, EDRM partnered with NUIX to “clean” the data of PII and they removed thousands of emails with PII (though a number of people identified additional PII after that process was complete, so be careful).

If there are comparable high-volume public domain collections that are representative of a typical email collection for discovery, I haven’t seen them (and, believe me, I have looked).  Sure, you can get a high-volume dump of data from Wikipedia or other sites out there, but that’s not indicative of a typical eDiscovery data set.  If any of you out there know of any that are, I’m all ears.

Until then, the EDRM Enron Data Set remains the gold-standard as the best high-volume example of a public domain email collection.  So, why isn’t it a good test data set anymore for processing?

Do you remember the days when Microsoft Outlook limited the size of a PST file to 2 GB?  Outlook 2002 and earlier versions limited the size of PST files to 2 GB.  Years ago, that was about the largest PST file we typically had to process in eDiscovery.  Since Outlook 2003, a new PST file format has been used, which supports Unicode and doesn’t have the 2 GB size limit any more.  Now, in discovery, we routinely see PST files that are 20, 30, 40 or even more GB in a single file.

What difference does it make?  The challenge today with large mailstore files like these (as well as large container files, including ZIP and forensic containers) is that single-threaded processes bog down on these large files and they can take a long time to process.  These days, to get through large files like these more quickly, you need multi-threaded processing capabilities and the ability to throw multiple agents at these files to get them processed in a fraction of the time.  As an example, we’ve seen processing throughput increased 400-600% with multi-threaded ingestion using CloudNine’s LAW product compared to single-threaded processes (a reduction of processing time from over 24 hours to a little over 4 hours in a recent example).  Large container files are very typical in eDiscovery collections today and many PST files we see today are anywhere from 10 GB to more than 50 GB in size.  They’re becoming the standard in most eDiscovery email collections.

As I mentioned, the Enron Data Set is 170 PST files over 151 custodians, with some of the larger custodians’ collections broken into multiple PST files (one custodian has 11 PST files in the collection).  But, none of them are over 2 GB in size (presumably Lotus Notes had a similar size limit back in the day) and most of them are less than 200 MB.  That’s not indicative of a typical eDiscovery email collection today and wouldn’t provide a representative speed test for processing purposes.

Can the Enron Data Set still be used to benchmark single-threaded vs. multi-threaded processes?  Yes, but not as it’s constituted – to do so, you have to combine them into larger PST files more representative of today’s collections.  We did that at CloudNine and came up with a 42 GB PST file that contains several hundred thousand de-duped emails and attachments.  You could certainly break that up into 2-4 smaller PST files to conduct a test of multiple PST files as well.  That provides a more typical eDiscovery collection in today’s terms – at least on a small scale.

So, when an eDiscovery vendor quotes processing throughput numbers for you, it’s important to know the types of files that they were processing to obtain those metrics.  If they were using the Enron Data Set as is, those numbers may not be as meaningful as you think.  And, if somebody out there is aware of a good, new, large-volume, public domain, “typical” eDiscovery collection with large mailstore and container files (not to mention content from mobile devices and other sources), please let me know!

So, what do you think?  Do you still rely on the Enron Data Set for demo and test data?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

In Lawsuit Over Prince Music, Court Grants Monetary But Not Adverse Inference Sanctions (Yet): eDiscovery Case Law

In Paisley Park Enter., Inc. v. Boxill, No. 17-cv-1212 (WMW/TNL), (D. Minn. Mar. 5, 2019), Minnesota Magistrate Judge Tony N. Leung granted in part the plaintiffs’ Motion for Sanctions Due to Spoliation of Evidence, ordering the Rogue Music Alliance (“RMA”) Defendants to pay reasonable expenses, including attorney’s fees and costs, that Plaintiffs incurred as a result of the RMA Defendants’ “misconduct”, and also ordered the RMA Defendants to pay into the Court a fine of $10,000, but chose to defer consideration of adverse inference instruction sanctions to a later date, closer to trial.

Case Background

In this infringement case involving release of previously unreleased music by the late artist Prince, the estate of Prince filed suit against George Ian Boxill, a sound engineer who worked with Prince and allegedly took tracks of certain songs that he worked on with Prince in April 2017, as well as RMA and Deliverance, LLC.  The plaintiffs subsequently added David Staley and Gabriel Solomon Wilson (principals of RMA and Deliverance) and two law firms in June 2018 to the lawsuit.

In December 2017, after Plaintiffs filed their first amended complaint, they, RMA, Deliverance, and Boxill, stipulated to certain protocols regarding the discovery of ESI in which the parties indicated that they had taken “reasonable steps to preserve reasonably accessible sources of ESI.”  The Court then issued its pretrial scheduling order in January 2018, directing the parties to preserve “all electronic documents that bear on any claims, defenses, or the subject matter of this lawsuit.”

During discovery, the plaintiffs received a third-party production of documents from a public relations firm that the defendants had hired which included text messages that Wilson sent to an employee of the public relations firm. The plaintiffs then filed a motion to compel discovery from RMA, seeking production of text messages that Staley and Wilson sent to each other and third parties and the Court ordered the defendants to produce all responsive text messages on July 19, 2018.  During a meet and confer in September 2018, counsel for Wilson, Staley, RMA and Deliverance indicated that they could not produce responsive text messages because they had not preserved their text messages, indicating that text messages had not been preserved because Staley and Wilson did not disengage the auto-delete function on their phones and because Staley had wiped and discarded his phone in October 2017 and Wilson had wiped and discarded his phone in January 2018 and then wiped and discard his new phone in May 2018.  No back-up data existed for either phone, leading to the plaintiffs’ motion for sanctions under Rule 37(e)(1), 37(e)(2) and 37(b)(2)(A).

Judge’s Ruling

With regard to the defendants’ duty to preserve, Judge Leung ruled that “the duty to preserve evidence arose no later than February 11, 2017, when Staley sent an e-mail regarding his plans to release the music at issue here. In that e-mail, Staley acknowledged the riskiness of his and RMA’s position and indicated that the Prince Estate could challenge their actions. Staley referred specifically to the possibility of litigation in that e-mail, noting that RMA was not concerned by a lawsuit because it had been indemnified by Boxill. It is apparent, based on this letter, that the RMA Defendants anticipated litigation following their release of the Prince music.”

With regard to whether the defendants took reasonable steps to preserve relevant ESI, Judge Leung noted that “It takes, at most, only a few minutes to disengage the auto-delete function on a cell phone” and stated “Failure to follow the simple steps detailed above alone is sufficient to show that Defendants acted unreasonably.”  He then added:

“But that is not all the RMA Defendants did and did not do. Most troubling of all, they wiped and destroyed their phones after Deliverance and RMA had been sued, and, in the second instance for Wilson, after the Court ordered the parties to preserve all relevant electronic information, after the parties had entered into an agreement regarding the preservation and production of ESI, and after Plaintiffs had sent Defendants a letter alerting them to the fact they needed to produce their text messages. As Plaintiffs note, had Staley and Wilson not destroyed their phones, it is possible that Plaintiffs might have been able to recover the missing text messages by use of the “cloud” function or through consultation with a software expert. But the content will never be known because of Staley and Wilson’s intentional acts. The RMA Defendants’ failure to even consider whether Staley and Wilson’s phones might have discoverable information before destroying them was completely unreasonable. This is even more egregious because litigation had already commenced.”

Judge Leung rejected several arguments from the defendants as to why their decision not to preserve text messages was reasonable, including the claim that “they could not possibly be expected to know that they should preserve text messages”, stating “None of these arguments is persuasive”.  Judge Leung also found that “There is no doubt that Plaintiffs are prejudiced by the loss of the text messages.”  But, with regard to the adverse inference sanctions sought by the plaintiffs, he also said that “given the fact that discovery is still on-going, the record is not yet closed, and the case is still some time from trial, the Court believes it more appropriate to defer consideration of those sanctions to a later date, closer to trial”.  He did, however, order the RMA Defendants to “pay reasonable expenses, including attorney’s fees and costs, that Plaintiffs incurred as a result of the RMA Defendants’ misconduct” and also ordered the RMA Defendants to pay into the Court a fine of $10,000.

So, what do you think?  Should the defendants have received the adverse inference sanction as well?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

For more info on this ruling, check out Ralph Losey’s e-Discovery Team® blog here.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Now, Wait Just an Internet Minute!: eDiscovery Trends

Have I mentioned lately that I love…an infographic?  Well, let me mention it again!  The past three years, we’ve taken a look at a terrific infographic each year that illustrated what happens within the internet in a typical minute.  Last week, the 2019 internet minute graphic came out, so, let’s take a look at what happens in an internet minute in 2019.

The updated graphic shown above, once again created by Lori Lewis, illustrates what happens within the internet in a typical minute in 2019.  As always, there are a couple of different categories tracked in this graphic than last year’s, but most are the same and those that are carried forward are, once again, (almost) all up compared to last year – some more than others.  Once again, Netflix more than doubled and Instagram nearly doubled, while others sources showed more incremental gains.

Here is a comparison between 2018 and 2019 (we previously published the graphic for 2016 and 2017):

Needless to say, I’ll be discussing this in my presentation next week at the University of Florida E-Discovery Conference.

In her post, Lori also goes through some of her observations on the trends.  Once again, I can’t vouch for the accuracy of the numbers, so take them for what it’s worth.  So, why do I love infographics so much?  One reason is because they make my job easier!  :o)

So, what do you think?  How have the challenges of various sources of data affected your organization?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.