Richmond Journal of Law and Technology

The first exclusively online law review.

Month: March 2016

Preservation: Competently Navigating Between All and Nothing

Cite as: Lauren Wheeling Waller, Preservation: Competently Navigating Between All and Nothing, 22 Rich. J.L. & Tech. 7 (2016), http://jolt.richmond.edu/v22i3/article7.pdf.

Lauren Wheeling Waller*

I. Introduction

 [1]       Merriam-Webster defines “competent” as “having requisite or adequate ability or qualities.”[1] All professions require competence to be successful—from chefs, to tailors, to NFL quarterbacks. Without the adequate ability to poach an egg, alter suits, or read defenses, they lose patrons, customers, or—in the case of a quarterback—games and fans. Lawyers are no different. Without competence, they may not be successful. However, lawyers are different than the NFL quarterback in that they have an explicit duty of competence to their clients. The Model Rules of Professional Conduct provide “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.”[2] The comments to the Model Rules make it clear that competency also requires that lawyers “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . . .”[3] With this sentence, attorneys can no longer simply put up their hands and say, “it’s e-mail and text messages, I don’t know how nor do I want to handle that.”

[2]       Additionally, some State Bars implementing their own Rules of Professional Conduct have decided that attorney competence applies to handling electronically stored information (“ESI”), and at a minimum, that attorneys be able to carry out the following:

  • [I]nitially assess e-[D]iscovery needs and issues, if any;
  • [I]mplement/cause to implement appropriate ESI preservation procedures;
  • [A]nalyze and understand a client’s ESI systems and storage;
  • [A]dvise the client on available options for collection and preservation of ESI;
  • [I]dentify custodians of potentially relevant ESI;
  • [E]ngage in competent and meaningful meet and confer with opposing counsel concerning an e-[D]iscovery plan;
  • [P]erform data searches;
  • [C]ollect responsive ESI in a manner that preserves the integrity of that ESI; and
  • [P]roduce responsive non-privileged ESI in a recognized and appropriate manner.[4]

[3]       Attorneys now need to have an understanding of the components of the Electronic Discovery Reference Model[5] and the tools available to assist in each part of that process. If they do not have the requisite understanding, they need to associate with someone who does.[6]

[4]       Preservation of ESI is implicated in at least five of the competencies specifically listed in a California Rules of Professional Conduct’s Formal Opinion,[7] but preservation for some lawyers can be a scary concept. Why? For one, data never sleeps.[8] Every minute of the day, people generate data in the form of e-mails, Instagrams, Tweets, and Snapchats.[9] If you compare the data generated in 2012 to that created in 2015, not only has the amount of data increased, but also the type of data created has increased with the proliferation of new applications that create data.[10] Identifying the type of data that needs to be preserved and how it needs to be preserved can be complicated because of this ever-changing data landscape.

[5]       Additionally, preservation provokes fear in the heart of many attorneys, because failing to preserve potentially relevant evidence can have significant adverse consequences for not only the client in the lawsuit but also for the attorneys involved.[11] Attorneys, however, now have more guidance regarding the imposition of sanctions in Federal Court, as the Federal Rules of Civil Procedure were amended to clarify when a court can impose sanctions for the failure to appropriately preserve evidence, including when evidence is intentionally destroyed.[12]

[6]       Even with the amendments to the Rules, the following questions still exist for every piece of litigation:

  • When does the duty to preserve arise?
  • What must be preserved for the potential or current litigation?
  • What steps can I take to competently preserve potentially relevant information?

[7]       Is the answer to the above questions that every piece of data in your client’s possession must be preserved? No. Is the answer to preserve only e-mails a specific custodian sends to counsel on his or her own accord, without any further discussion with counsel? No. While there is no “one size fits all” answer to preservation, this article intends to guide practitioners through the preservation rubric outlined in the cases of “e-Discovery Canon,”[13] as well as recent case law and the 2015 amendments to the Federal Rules of Civil Procedure. This article also outlines questions practitioners should ask their clients and themselves in order to competently identify and preserve ESI.

II. The Duty to Preserve

[8]       The first question that a lawyer must answer is whether the duty to preserve has been triggered. Common law creates the duty to preserve evidence, and litigants owe this duty to the court, not just the opposing party.[14] Some commentators argue that the duty to preserve may be the most important duty a litigant has, in that failing to meet this duty can deprive the court of the ability to properly assess the claims of the parties before it.[15] This duty “arises not only during litigation but also extends to that period before the litigation when a party reasonably should know that the evidence may be relevant to the anticipated litigation.”[16] In the context of litigation for plaintiffs, the duty arises before the lawsuit is filed, and for defendants when the lawsuit is served, at the very latest.[17]

[9]       To be clear, though, whether a party is filing or has filed a lawsuit is not the test—it is the reasonable anticipation of litigation, in whatever form that takes. Recently, in Clear-View Technologies, Inc. v. Rasnic, Magistrate Judge Paul S. Grewal (no stranger to preservation and e-Discovery issues[18]) found that a text message sent to a defendant over two years before suit was filed and eight months before any preservation notice was sent to the defendant triggered the duty to preserve.[19] Magistrate Judge Grewal stated that Plaintiff’s then-CEO “made clear in text messages to [defendants] that he was prepared to sue them for trying to interfere with” a potential business investment.[20] In his opinion, Judge Grewal noted that while the then-CEO later sent text messages apologizing for his previous texts, at no time did he take back his threat of litigation.[21] In the context of non-lawsuit triggers, courts have also found that a presentation regarding potential patent infringement claims,[22] ultimatums made to a CEO to “comply with [an] injunction” or face a lawsuit,[23] and of course, requests in writing that an individual or entity preserve evidence that may be relevant to a dispute trigger the duty to preserve.[24]

[10]     Accordingly, practitioners should not depend on the arrival of a complaint to trigger a client’s duty to preserve. While service of pleadings certainly can and does trigger the duty to preserve, once apprised of a potential dispute, practitioners should ask their clients not only about the facts of the potential dispute, but also how they communicated with the individuals involved with the potentially adverse party—in-person, telephone, e-mail, text messages, and/or any other medium of communication. As a practical matter, these queries will be easier the more you know about your client’s business and data landscape.[25] While a slip-and-fall, a failure to make a specified delivery under the terms of a contract, or a malfunction of a piece of equipment causing injury will remain clear triggers for the duty to preserve, practitioners should not overlook the wide variety of ways individuals now communicate with one another when analyzing whether and when the duty to preserve was triggered.

III. The Scope of Preservation

[11]     The duty to preserve evidence includes “an obligation to identify, locate, and maintain[] information that is relevant to specific, predictable, and identifiable litigation.”[26] The duty pertains, however, only to relevant documents.[27] Relevant documents include:

[A]ny documents or tangible things . . . made by individuals “likely to have discoverable information that the disclosing party may use to support its claims or defenses.” The duty also includes documents prepared for those individuals to the extent those documents can be readily identified (e.g., from the “to” field in e-mails). The duty also extends to information that is relevant to the claims or defenses of any party, or which is “relevant to the subject matter involved in the action.” Thus, the duty to preserve extends to those employees likely to have relevant information—the “key players” in the case.[28]

The cases are clear on one point: once the duty to preserve is triggered, not every piece of data belonging to an organization must be preserved, just as every piece of paper belonging to an organization is not required to be preserved.[29] The cases outlined below demonstrate as much.

[13]     In Blue Sky Travel & Tours, LLC v. Al Tayyar, the Fourth Circuit vacated and remanded the district court’s decision to impose severe sanctions on the defendant for failing to preserve certain invoices requested by the plaintiff.[30] In this breach of contract action, the plaintiff’s damages included a claim for lost profits, and in an effort to prove those lost profit claims, the plaintiff requested that the defendant produce certain invoices.[31] When the defendant did not provide the invoices, the plaintiff moved to compel their production.[32] The court granted the motion, but the defendant still did not produce the invoices because the documents were not retained.[33] The plaintiff then moved for sanctions, and the magistrate recommended the court grant the motion and provide an adverse inference instruction.[34] The problem with this recommendation and ruling, though, was that the magistrate judge ruled that the defendant had a duty to hold “all” documents, stating:

[W]hen this litigation started, the defendants were required by law to preserve. Any document retention policy you had had to be stopped. . . . [o]nce you are put on notice that there is litigation pending, or once litigation starts, you are required . . . to stop [your] normal document retention policies and to preserve [ALL] documents because you don’t know what may or may not be relevant.[35]

[14]     The Fourth Circuit vacated and remanded the magistrate’s decision because the lower court used the incorrect standard for the duty to preserve.[36] The Fourth Circuit noted that a party may be sanctioned for spoliation if the party “(1) had a duty to preserve material evidence, . . . (2) willfully engaged in conduct resulting in the loss or destruction of that evidence, [and] (3) at a time when the party knew, or should have known, that the evidence was or could be relevant to the litigation.”[37] The Fourth Circuit reiterated that a party is not required to preserve all of its documents, only documents that the party knew or should have known were or could be relevant to the parties’ dispute.[38]

[15]     In Wandering Dago, Inc. v. N.Y. State Office of Gen. Servs., the court had to decide whether officials in one governmental agency and their attorney could be sanctioned for the destruction of e-mails, according to the terms of an e-mail retention policy, belonging to another governmental agency.[39] More to the point, the court had to determine whether a preservation obligation for one governmental agency involved in a specific litigation automatically applies to every other governmental agency not involved in the litigation.[40] The court said no, as the defendant agencies in the litigation had no control over the other governmental agencies’ e-mails.[41] Therefore, the defendant agencies had no obligation to preserve the other non-party agencies’ e-mails.[42] The court noted that to require a governmental agency in litigation to preserve and produce documents belonging to another governmental agency not a party to the litigation would “subject all [ ] agencies, the legislature, the judiciary, quasi-state agencies, and possibly public authorities to disclosure scrutiny, notwithstanding their relative remoteness to the case.”[43] The court found that “state agencies for most purposes are separate and distinct organs and should not be viewed in the aggregate.”[44] Moreover, the court noted that requiring each governmental agency “and thousands of officials to institute a litigation hold every time a party contemplates or even commences litigation against another agency would paralyze the State.”[45]

[16]     In AMC Technology, LLC v. Cisco Systems, Inc., Magistrate Judge Grewal distinguished between documents parties are obligated to preserve and those that they are not obligated to preserve and that can be destroyed as part of a routine retention policy.[46] Pursuant to Cisco’s document retention policy, Cisco reformatted departed employees’ laptops and deleted e-mail archives thirty days after an employee’s departure.[47] After one employee’s departure, and the deletion of his data, AMC requested his custodial data.[48] When Cisco did not provide the data because it had been destroyed according to its retention policy, AMC moved for spoliation sanctions.[49]

[17]     Judge Grewal held that sanctions were not warranted because Cisco was under no obligation to preserve his data at the time it was destroyed.[50] Judge Grewal underscored that the “scope of this duty is confined to what is reasonably foreseeable to be relevant to this action. Requiring a litigant to preserve all documents, regardless of their relevance, would cripple parties who are often involved in litigation . . . .”[51] In its analysis, the court also noted that the disposal of the employee’s documents “appears to have been routine—Cisco followed established company procedure, which deletes company emails and information within thirty days.”[52]

[18]     These cases provide a framework for identifying the scope of preservation. While each case turns on its own unique facts, these cases demonstrate that preserving everything is not the requirement of the duty to preserve, as such a requirement would create inefficiencies for business and government entities attempting to carry out their daily functions. Moreover, they show that only those documents that are reasonably foreseeable to be relevant to the action at the time the duty is triggered must be preserved. Obviously, what is relevant can change during the course of an investigation. As a result, practitioners should continue to monitor what has been preserved and the pertinent issues in the litigation to continue to observe their preservation obligations.

A. Identifying What Must Be Preserved

[19]     So the next question is: how do you identify and preserve documents that are potentially relevant to the parties’ dispute? Understanding who created and possesses potentially relevant ESI—and how that ESI is stored—is the first step to competently complying with the duty to preserve. Not taking these steps can lead to the destruction of potentially relevant information, and adverse consequences for that destruction. Brown v. Tellermate Holdings Ltd. outlines the failings of practitioners in executing their duty to identify and preserve potentially relevant ESI, and thus provides a good description of what practitioners need to do to competently comply with their preservation obligations.

[20]     In Brown v. Tellermate Holdings Ltd., the court found that Tellermate’s counsel “failed to uncover even the most basic information about an electronically-stored database of information” and that “as a direct result of that failure, took no steps to preserve the integrity of the information in that database.”[53] In this age discrimination case, the plaintiffs requested reports from both of their accounts in salesforce.com, a web-based application that allows businesses to track sales activities, as well as a number of other employees’ reports.[54] While at Tellermate, the plaintiff employees knew that Tellermate acquired licenses for their sales team to use salesforce.com and encouraged its employees to use it.[55] During discovery, Tellermate contended that it could not produce the reports because, among other things, Tellermate could not “print out accurate historical records from salesforce.com. . . .”[56] Counsel for Tellermate represented to the court that “Tellermate [did] not possess or control data maintained in the salesforce.com database and [was] not at liberty to produce it in discovery,” as well as that no one from Tellermate “has access to [the] ESI of salesforce.com . . . .”[57] However, in direct contradiction to its attorneys’ representations to the court, Tellermate’s representative testified that “any Tellermate employee with a login name and a password could access . . . historical information . . . at any time.”[58]

[21]     Additionally, after the plaintiffs’ departure, Tellermate changed the user names to their accounts and took no action to preserve the information in the plaintiffs’ accounts, as the data in their accounts could be changed or deleted by salesforce.com administrators at the company.[59] For the above actions, the court admonished Tellermate’s counsel, stating “all of this information was clearly known to at least some Tellermate employees since Tellermate began using salesforce.com; had the right questions been asked of the right people, counsel would have known it as well.”[60]

[22]     The court also found that “counsel apparently never identified the persons having responsibility for salesforce.com information, which would have included those Tellermate employees (named by the [plaintiffs] in their document request) whose salesforce.com accounts were being requested, or the persons designated by Tellermate as its salesforce.com administrators.”[61] In short, the court found that “counsel had an affirmative obligation to speak to the key players at Tellermate so that counsel and client could identify, preserve, and search the sources of discoverable information.”[62]

[23]     To competently preserve ESI, practitioners must determine the individuals who may have knowledge or information about the different issues involved in the dispute, then determine what potentially relevant documents and data those individuals have in their possession, custody, or control.[63] Simultaneously, practitioners should speak with their client’s information technology personnel, who can explain the company’s system-wide back-up procedures and any “auto-delete” functions, and provide a general overview of where and how data resides throughout the company (e.g., e-mail servers, file share servers, VM systems, databases, etc.).[64] These steps allow a practitioner to ask the right questions of the right people in order to determine where potentially relevant information resides.

[24]     Additionally, asking the right questions of the right people can also inform your decision as counsel as to what is reasonably accessible and therefore reasonably can be preserved. For example, if you learn from information technology personnel that the company’s disaster recovery systems are truly disaster recovery systems rather than a form of long-term storage, it may be worth mentioning at a Fed. R. Civ. P. 26(f) conference or meeting that, because these systems are for disaster recovery only, they are not reasonably accessible and will not be preserved.[65]

[25]     Moreover, discussing the data landscape with key custodians and information technology personnel provides valuable information about the various data sources and the amount it may cost to preserve those data sources, which can provide insight into whether producing from that data source is proportional to the needs of the case.[66] For example, in You v. Japan the court allowed defendant Sankei, a newspaper publisher, to modify a piece of a preservation order because of the undue burden it was placing on its business.[67] The preservation order required each party to take affirmative steps to preserve evidence related to the action by ceasing “any document destruction programs and any ongoing erasures of e-mails, voicemails, and other electronically recorded materials.”[68] Sankei took steps to comply with the order, including retaining versions of articles that it placed in a proprietary application used for laying out each edition of the newspaper.[69] The application typically retained these versions for 90 days.[70] Sankei stated that requiring that application to retain the article versions for greater than 90 days “could slow down the system or cause it to crash.”[71] Sankei also stated that installing a new storage system could take up to eight months and would cost $18 million.[72] Accordingly, Sankei filed a motion for relief from the preservation order and proposed an alternative method to preserve the documents in the proprietary application.[73] The Court, noting plaintiffs’ objections, granted Sankei’s proposal and included a modification proposed by the plaintiffs.[74] Without asking the right questions of the right people, Sankei may not have been able to seek an alternative that would allow it to continue functioning as a business and maintain its preservation obligations.

B. The Litigation Hold

[26]     While the litigation hold or legal hold notice should now be part of every practitioner’s litigation checklist, it is still an integral part of competently complying with the duty to preserve. As the court in Zubulake V stated, “[o]nce a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”[75]

[27]     A litigation hold informs custodians and information technology personnel about the lawsuit and their obligations to preserve potentially relevant information relating to the lawsuit.[76] However, implementing the litigation hold does not end a party’s preservation obligations—“[c]ounsel [also] must oversee compliance with the litigation hold.”[77]

[28]     Apple Inc. v. Samsung Electronics Co., Ltd. demonstrates the potential consequences of failing to monitor compliance with a litigation hold. There, Magistrate Judge Grewal analyzed “whether Samsung took adequate steps to avoid spoliation after it should have reasonably anticipated” litigation.[78] In this case, a Samsung entity/defendant failed to disable the “auto-delete” function of its e-mail system after the duty to preserve was triggered.[79] Judge Grewal noted that it is “generally recognized that when a company or organization has a document retention policy, it is ‘obligated to suspend’ that policy and ‘implement a “litigation hold” to ensure the preservation of relevant documents’ after the preservation duty has been triggered.”[80] Samsung issued a litigation hold notice requesting employees to “preserve any and all [] documents that may be relevant to the issues in the potential litigation . . . until [the potential litigation] is fully resolved.”[81] However, while the litigation hold notice provided categories of documents that should be retained, Samsung took no steps to evaluate what its employees were doing to comply with the litigation hold notice, especially in light of the continued use of the auto-delete function.[82] While under the legal hold, Samsung never checked to see whether a single custodian was in compliance with the given directives.[83]

[29]     Practitioners and clients should consistently monitor employee and information technology compliance with their legal hold directives. The longer a legal hold is in place, the more companies are exposed to what can be described as “Litigation Hold Fatigue,” resulting in less enthusiastic preservation practices.[84] Additionally, as noted above, issues in a litigation change, which can change what needs to be preserved. Follow-up reminders and revisions to litigation holds not only assist in complying with preservation obligations, but they can also assist in defining the scope of preservation.

IV. What Can We Learn From Failing to Preserve

[30]     Cases outlining complete failures to preserve are instructive to practitioners as a template for “Preservation Do Nots.” In Altercare, Inc. v. Clark, the Ohio Court of Appeals was required to determine whether the trial court abused its discretion in dismissing Altercare’s case against its former employee, Clark, for failing to preserve the former employee’s computer after the obligation to preserve arose.[85] After being told not to return to Altercare for work, Clark’s attorney sent Altercare a letter stating that it had breached Clark’s employment contract, and requesting that Altercare preserve evidence relevant to the dispute.[86] The preservation notice portion of the letter provided a non-exhaustive list of data covered by Altercare’s obligation, as well as ways that Altercare could comply with its obligation.[87] Once suit was filed, Clark requested in discovery all ESI relating to Clark and/or Clark’s employment with Altercare.[88]

[31]     The trial court attempted to determine what Altercare did to preserve Clark’s ESI on numerous occasions.[89] The court found that, at one point, Altercare returned a different hard drive to Clark than belonged to the work computer she sent the company for preservation.[90] The trial court held that Altercare did not preserve Clark’s work computer, failing to either “[pull] it out of service or [make] a copy or clone of its hard drive at the time Ms. Clark put [Altercare] on notice” of its obligation to preserve.[91] Because the trial court found that Altercare’s conduct in failing to preserve Clark’s work computer showed “such extreme carelessness and indifference,” the trial court dismissed Altercare’s complaint.[92] The Court of Appeals affirmed the trial court’s ruling, finding that Altercare “took no action whatsoever” to preserve Clark’s computer, either when she was terminated—even though it was reasonably foreseeable that litigation with Clark was probable—or after receiving the preservation notice from Clark’s attorney.[93] Notably, the Court of Appeals also recognized that the trial court “found that there was no evidence that Clark’s computer was lost as a result of a routine, good faith operation,” [94] such as a retention schedule.

[32]     Similarly, in Alter v. Rocky Point Sch. Dist., in ruling on the Plaintiff’s motion to compel and for sanctions in a workplace discrimination claim, the court found that defendants had failed to satisfy their duty to preserve relevant evidence.[95] The court based its ruling on the following facts:

  • Defendants failed to issue a timely litigation hold, instead waiting more than two years after Plaintiff filed a Notice of Claim;[96]
  • Defendants “failed to discuss the litigation hold with key players” in the lawsuit;[97]
  • Defendants failed to inform key custodians regarding their obligation to preserve relevant evidence “on whatever devices contained the information, [including] [personal] laptops, cellphones or any personal digital devices capable of ESI storage.”[98]

[33]     In Clear-View Techs., discussed above, the defendants took “no reasonable steps to preserve relevant evidence” and, in fact, “affirmatively destroyed it,” after the text message that triggered the preservation obligation was sent and, in some cases, after the preservation letter was received and after suit was filed.[99]

[34]     In each of these cases, the party responding to destruction allegations failed to take reasonable steps to preserve potentially relevant evidence—no litigation holds issued, no custodian interviews performed or even simple questions asked, and in a workplace discrimination suit, the terminated employee’s workstation was not preserved—and was then punished in some manner by the court. As these cases demonstrate, it is this failure to competently preserve potentially relevant evidence that places clients and their attorneys on rocky ground with the court.

[35]     Prior to the 2015 amendment of Rule 37(e), the sanctions imposed by courts because of the destruction of evidence, whether through negligence or bad faith, created inconsistencies in the sanctions imposed throughout the federal circuits.[100] In one circuit, a party could receive an adverse inference instruction from the grossly negligent deletion of an employee’s ESI,[101] while in another, an adverse inference instruction was appropriate only where there was a finding of bad faith in the destruction of the evidence.[102] Amended Rule 37(e) no longer allows courts to punish parties through an adverse inference instruction in the wake of destroyed evidence if they can show they took reasonable steps to preserve evidence.[103]

[36]     So what does this mean for practitioners? In the words of algebra teachers everywhere, litigants must “show their work.” Litigants should document the processes they followed and the steps they took to preserve potentially relevant evidence. The following steps, while not all-inclusive, should be well documented by practitioners, along with when they were taken:

  • Issue a litigation hold that outlines the potential forms of ESI (e-mail, text messages, word documents, databases, etc.) and the potential sources of ESI (e-mail mailbox, smart phone, workstation, network servers, social media accounts, etc.) available to custodians;[104]
  • Identify and interview key players and custodians regarding their ESI forms and sources;
  • Interview information technology personnel regarding forms and sources of ESI available to employees and other personnel at the company, as well as the back-up and disaster recovery systems in place;
  • Document which devices were identified as having potentially relevant evidence and how each device was preserved for each custodian;
  • Document how specific information on servers and other company sources was identified and preserved;
  • Monitor legal hold compliance and refresh litigation hold notice as issues in the litigation evolve and new custodians are identified and new employees hired;
  • Disable and document the disabling of “auto-delete” functions for systems containing such functions;
  • Evaluate software offerings available to assist with the implementation of a legal hold;[105]
  • Analyze records management or retention policies for those categories of documents under a litigation hold to ensure routine destruction as to those documents has stopped.

[37]     Practitioners should document what was done and when it was done to demonstrate to the court how they took reasonable steps to preserve ESI. Taking the time to identify whose data and what sources and forms of data need to be preserved, and then “showing your work” by documenting those preservation steps and the considerations necessary to make those choices, demonstrates competence and may save you from headaches and discord later.

* Lauren Wheeling Waller is a partner at Williams Mullen and chairs the firm’s e-Discovery and Information Governance Practice Group. She is an experienced litigator and provides guidance in crafting defensible and uniform approaches to records management and retention, litigation hold implementation, as well as managing complex e-Discovery projects in commercial litigation and investigations. She has written and spoken frequently on electronic discovery topics and is a member of Working Group I on Electronic Document Retention and Production of The Sedona Conference.

 

 

[1] Competent, Merriam-Webster, http://www.merriam-webster.com/dictionary/competent, archived at https://perma.cc/VZ57-Z6TR (last visited Feb. 25, 2016).

[2] Model Rules of Prof’l Conduct R. 1.1 (2014).

[3] Model Rules of Prof’l Conduct R. 1.1 cmt. 8 (2014) (emphasis added).

[4] State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. 2015-193, 3–4 (2015) [hereinafter Cal. Ethics Op.] (emphasis added) (internal citations omitted).

[5] See EDRM Stages, EDRM, http://www.edrm.net/resources/edrm-stages-explained, archived at https://perma.cc/D63L-HC9E (last visited Feb. 25, 2016).

[6] See Cal. Ethics Op., supra note 4, at 3; see also HM Electronics, Inc. v. RF Techs., Inc., No. 12cv2884-BAS-MDD, 2015 WL 4714908, at *24 (S.D. Cal. Aug. 7, 2015) (holding that an “attorney’s duty to supervise the work of consultants, vendors, and subordinate attorneys is non-delegable. ‘An attorney must maintain overall responsibility for the work . . .,’ and, must do so by remaining regularly engaged in the . . . work.”) (internal citations omitted) (emphasis in original).

[7] See Cal. Ethics Op., supra note 4, at 3–4. (“[I]nitially assess e-[D]iscovery needs and issues, if any; [I]mplement/cause to implement appropriate ESI preservation procedures; [A]nalyze and understand a client’s ESI systems and storage; [A]dvise the client on available options for collection and preservation of ESI; [I]dentify custodians of potentially relevant ESI; [C]ollect responsive ESI in a manner that preserves the integrity of ESI”).

[8] See generally Data Never Sleeps 3.0, DOMO, https://web-assets.domo.com/blog/wp-content/uploads/2015/08/15_domo_data-never-sleeps-3_final1.png, archived at https://perma.cc/HN24-72YD (last visited Feb. 11, 2016). 

[9] See id.

[10] Compare id., with Data Never Sleeps 2.0, DOMO, www.domo.com/learn/data-never-sleeps-2, archived at https://perma.cc/83QJ-HM8Q (last visited Feb. 11, 2016), and Data Never Sleeps, DOMO, www.domo.com/blog/2012/06/how-much-data-is-created-every-minute, archived at https://perma.cc/Q5LW-ZK4B (last visited Feb. 11, 2016) (noting that applications such as Snapchat and Tinder were not identified in 2012 but generated vast amounts of data in 2015).

[11] See Victor Stanley, Inc. v. Creative Pipe, Inc., 269 F.R.D. 497, 538–41 (D. Md. 2010) (recommending sanctions including permanent injunction and attorneys’ fees); Malibu Media, LLC v. Tashiro, No. 1:13-cv-00205-WTL-MJD, 2015 U.S. Dist. LEXIS 64281, at *104 (S.D. Ind. May 18, 2015) (granting motion for sanctions for default judgment); HM Elecs., Inc. v. RF Techs., Inc., No. 12cv2884-BAS-MDD, 2015 WL 4714908, at *31–35 (S.D. Cal. Aug. 7, 2015) (recommending adverse inference instruction, as well as other sanctions). As these cases indicate, EDRM preservation tends to be the area where attorneys and clients make the most mistakes.

[12] See Fed. R. Civ. P. 37(e) (allowing for sanctions only when information is lost and cannot be replaced, and the court finds that another party is prejudiced from the loss or that the party acted with the intent to deprive the other party of information).

[13] See Pension Comm. of Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, 685 F. Supp. 2d 456, 461 (S.D.N.Y. 2010) [hereinafter Pension Comm.], abrogated by Chin v. Port Auth. of N.Y. & N.J., 685 F.3d 135, 143 (2d Cir. 2012); Rimkus Consulting Grp. v. Cammarata, 688 F. Supp. 2d 598, 607 (S.D. Tex. 2010); Victor Stanley, Inc., 269 F.R.D. at 499–500; Zubulake v. UBS Warburg LLC (Zubulake V), 229 F.R.D. 422, 424 (S.D.N.Y. 2004); Zubulake v. UBS Warburg LLC (Zubulake IV), 220 F.R.D. 212, 214 (S.D.N.Y. 2003).

[14] See Victor Stanley, Inc., 269 F.R.D. at 525 (noting “the duty to preserve evidence relevant to litigation of a claim is a duty owed to the court.”) (emphasis in original).

[15] See Monica McCarroll, Discovery and the Duty of Competence, 26 Regent U. L. Rev. 81, 91 (2013).

[16] Silvestri v. Gen. Motors Corp., 271 F.3d 583, 591 (4th Cir. 2001).

[17] See Pension Comm., 685 F. Supp. 2d at 466.

[18] See generally Apple Inc. v. Samsung Elecs. Co., Ltd., 881 F. Supp. 2d 1132, 1132 (N.D. Cal. 2012).

[19] See Clear-View Techs., Inc. v. Rasnick, No. 5:13-cv-02744-BLF, 2015 U.S. Dist. LEXIS 63579, at *3. The text message stated, in part, “[D]on’t call my shareholders with your b.s. That is [tortious] economic interference. I will not accept this. . . . [K]eep it up and you’ll find [yourself] in court[.] Call Clyde again and I sue. Mark my words.” Id. at *3–4 (alteration in original).

[20] Id. at *3.

[21] See id. at *21.

[22] See Apple Inc., 881 F. Supp. 2d at 1145 (noting that the presentation from Apple provided Samsung with “more than just a vague hint” that litigation “was at least foreseeable, if not ‘on the horizon.’”).

[23] In re Napster, Inc. Copyright Litig., 462 F. Supp. 2d 1060, 1069 (N.D. Cal. 2006).

[24] See, e.g., Altercare, Inc. v. Clark, 9th Dist. No. 12CA010211, 2013-Ohio-2785, at ¶ 2.

[25] While discussed only in the context of preservation below, information about a client’s data landscape prior to litigation should be part of an overall information governance effort. See Information Governance Reference Model (IGRM), EDRM, www.edrm.net/projects/igrm, archived at https://perma.cc/6F5N-D633 (last visited Mar. 18, 2016) [hereinafter IGRM].

[26] Apple Inc., 881 F. Supp. 2d at 1137; The Sedona Conference, The Sedona Conference Commentary on Legal Holds: the Trigger & the Process 1 (Conor R. Crowley et al. eds., 2007), https://thesedonaconference.org/download-pub/77, archived at https://perma.cc/EP4B-2AAY (download required).

[27] See Pension Comm., 685 F. Supp. 2d 456, 466 (S.D.N.Y. 2010), abrogated by Chin v. Port Auth. of N.Y. & N.J., 685 F.3d 135, 143 (2d Cir. 2012).

[28] Zubulake IV, 220 F.R.D. at 217–18. While this case was decided under the pre-2015 amendment scope of discovery, it remains a seminal case in defining the scope of the duty to preserve.

[29] See id. at 217 (noting that the duty to preserve does not require litigants to preserve “every shred of paper, every e-mail or electronic document, and every backup tape[.]”).

[30] See Blue Sky Travel & Tours, LLC v. Al Tayyar, 606 Fed. Appx. 689, 690 (4th Cir. 2015).

[31] See id. at 691.

[32] See id.

[33] See id. at 692.

[34] See id. at 692–93.

[35] Blue Sky Travel & Tours, LLC, 606 Fed. Appx. at 692.

[36] See id. at 690.

[37] Id. at 697–98.

[38] See id.

[39] See Wandering Dago Inc. v. N.Y. State Office of Gen. Servs., No. 1:13-CV-1053 (MAD/RFT), 2015 U.S. Dist. LEXIS 69375, at *1 (N.D.N.Y. May 29, 2015).

[40] See id. at *1–2.

[41] See id. at *22 (“Defendants correctly assert that they have no control over [Defendants’] emails. . . .”).

[42] See id.

[43] Id. at *23 (quoting N.Y. v. Amtrak, 233 F.R.D. 259, 266 (N.D.N.Y. 2006)).

[44] Wandering Dago Inc., 2015 U.S. Dist. LEXIS 69375, at *24.

[45] Id. at *24–25.

[46] See AMC Tech., LLC v. Cisco Sys. Inc., No. 11-cv-3403 P, 2013 U.S. Dist. LEXIS 101372, at *4 (N.D. Cal. July 15, 2013).

[47] See id. at *4.

[48] See id. at *5–7.

[49] See id.

[50] See id. at *10.

[51] AMC Tech., LLC, 2013 U.S. Dist. LEXIS 101372, at *9.

[52] Id. at *11.

[53] Brown v. Tellermate Holdings, Ltd., No. 2:11-cv-1122, 2014 U.S. Dist. LEXIS 90123, at *6 (S.D. Ohio July 1, 2014).

[54] See id. at *7, *10.

[55] See id. at *8.

[56] Id. at *11.

[57] Id. at *13.

[58] Brown, 2014 U.S. Dist. LEXIS 90123, at *14.

[59] See id.

[60] Id. at *19 (emphasis added).

[61] Id. at *52–53.

[62] Id. at *56.

[63] See Zubulake V, 229 F.R.D. 422, 432 (S.D.N.Y. 2004); see also McCarroll, supra note 15, at 94–95.

[64] See Zubulake V, 229 F.R.D. at 432.

[65] See Zubulake IV, 220 F.R.D. at 218. Amended Rule 26(f) now puts issues of preservation at the forefront of a 26(f) conference. See Fed. R. Civ. P. 26(f)(3)(C) (“A discovery plan must state the parties’ views and proposals on: . . . any issues about disclosure, discovery, or preservation of electronically stored information, including the form or forms in which it should be produced . . . .”) (emphasis added); see also Fed. R. Civ. P. 37(e), advisory committee’s note on 2015 amendments (“A party may act reasonably by choosing a less costly form of information preservation, if it is substantially as effective as more costly forms.”).

[66] Fed. R. Civ. P. 26(b)(1) (“Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense” and proportional to the needs of the case).

[67] See Hee Nam You v. Japan, No. C 15-03257 WHA, 2015 U.S. Dist. LEXIS 123877, at *2–5 (N.D. Cal. Sept. 16, 2015).

[68] Id. at *2.

[69] See id. at *2–3.

[70] See id. at *3.

[71] Id.

[72] See Hee Nam You, 2015 U.S. Dist. LEXIS 123877, at *3.

[73] See id.

[74] See id. at *4–5.

[75] Zubulake V, 229 F.R.D. at 431 (quoting Zubulake IV, 220 F.R.D. at 218).

[76] See id. at 439.

[77] Id. at 432.

[78] Apple Inc. v. Samsung Elecs. Co., Ltd., 881 F. Supp. 2d 1132, 1134 (N.D. Cal. 2012).

[79] See id. In his opinion, Judge Grewal again reiterated that the duty to preserve includes identifying, locating, and maintaining information that is relevant to the litigation. See id. at 1137.

[80] Id. at 1137 (internal citations omitted).

[81] Id. at 1142–43.

[82] See id. at 1145.

[83] See Apple Inc., 881 F. Supp. 2d at 1147.

[84] See generally Legal Hold Software, Exterro, http://www.exterro.com/e-discovery-software/legal-hold/, archived at https://perma.cc/HS9M-VFVQ (last visited Feb. 20, 2016) (“Help custodians understand the importance of pending obligations, fight ‘notice fatigue’ by those on multiple legal holds, and promote consistent compliance.”).

[85] See Altercare, Inc. v. Clark, 9th Dist. No. 12CA010211, 2013-Ohio-2785, at ¶ 12.

[86] See id. at ¶ 2.

[87] See id. (“Altercare can most easily comply with its obligation by making mirror-image bit stream back-up copy of computers and storage media (such as hard disk drive[s], floppy disks, CDs, DVDs, back-up tapes, or any other electronic data), which will inexpensively preserve relevant electronic and digital evidence on searchable CD-ROMs or DVD.”).

[88] See id. at ¶ 3.

[89] See id. at ¶¶ 3–10.

[90] See Altercare, 2013-Ohio-2785, at ¶ 6.

[91] Id. at ¶ 10.

[92] Id.

[93] Id. at ¶¶ 2, 16.

[94] Id. at ¶ 16.

[95] See Alter v. Rocky Point Sch. Dist., No. 13-1100 (JS) (AKT), 2014 U.S. Dist. LEXIS 141020, at *3 (E.D.N.Y. Sept. 30, 2014).

[96] See id. at *28.

[97] Id. at *23.

[98] Id. at *22–24, *26, *28.

[99] Clear-View Techs., Inc. v. Rasnick, No. 5:13-cv-02744-BLF, 2015 U.S. Dist. LEXIS 63579, at *21–23 (noting that defendants “failed to implement a hold policy,” “deleted thousands of relevant emails, [and] discarded several phones, laptops, [and] iPads…”).

[100] Compare Residential Funding Corp. v. DeGeorge Fin. Corp., 306 F.3d 99, 108 (2nd Cir. 2002) (“The sanction of an adverse inference may be appropriate in some cases involving the negligent destruction of evidence because each party should bear the risk of its own negligence.”), with United States v. Artero, 121 F.3d 1256, 1259 (9th Cir. 1997) (noting that a “district judge did not abuse his discretion by refusing to give an adverse inference instruction, because the appellant showed neither bad faith imputable to the federal government nor prejudice from the loss and destruction of the evidence.”) (citing United States v. Jennell, 749 F.2d 1302, 1308–09 (9th Cir. 1984)).

[101] See Sekisui Am. Corp. v. Hart, 945 F. Supp. 2d 494, 504 (S.D.N.Y. 2013).

[102] See Rimkus Consulting Grp. v. Cammarata, 688 F. Supp. 2d 598, 614 (S.D. Tex. 2010).

[103] See Fed. R. Civ. P. 37(e) advisory committee’s note on 2015 amendments (“The rule only applies if the information was lost because the party failed to take reasonable steps to preserve the information.”).

[104] See generally D.O.H. v. Lake Cent. Sch. Corp., No. 2:11-cv-430, 2015 U.S. Dist. LEXIS 20259, at *23–25 (N.D. Ind. Feb. 20, 2015) (discussing where custodians identify social media as a potential source of potentially relevant information, practitioners should take steps to ensure that they understand how to preserve data from a social media site or engage a third-party vendor that does understand both how the site works and how to preserve the data contained in the site.).

[105] See generally Jie Zhang & Garth Landers, Magic Quadrant for E-Discovery Software, Gartner (May 18, 2015), https://www.gartner.com/doc/reprints?id=1-2G57ESF&ct=150519&st=sb, archived at https://perma.cc/SC7T-8DJP (evaluating over twenty e-Discovery software vendors).

Addressing Employee Use of Personal Clouds


Cite as: Philip Favro, Addressing Employee Use of Personal Clouds, 22 Rich. J.L. & Tech. 6 (2016), http://jolt.richmond.edu/v22i3/article6.pdf.

Philip Favro*

 

I. INTRODUCTION

[1]       Cloud computing is one of the most useful innovations in the digital age.[1] While much of the attention on recent advances has focused on smartphones, tablet computers, and wearable technology, the cloud is perhaps unrivaled in its utility for organizations.[2] From simplified data storage to innovative software platforms, enterprise-grade cloud solutions provide cost-effective alternatives to acquiring expensive computer hardware and software.[3] Enterprise clouds also offer a collaborative work environment for a mobile and widespread work force, enabling businesses to maximize worker productivity.[4]

[2]       Organizations are not alone in reaping the benefits of cloud computing. Individuals have likewise discovered the value that cloud providers offer in their personal lives.[5] With increased storage for digital photos, music, and other files, personal cloud providers help users avoid losing personal data when a computer hard drive inevitably fails.[6] Furthermore, the transfer functionality afforded by personal clouds enables users to seamlessly move data between computers, smartphones, and other mobile devices.[7]

[3]       With such utility at their fingertips, it should come as no surprise that individuals use personal clouds to facilitate work responsibilities.[8] Personal cloud providers like Dropbox, Box, and Google Drive can obviate clunky network storage options and simplify data sharing and teamwork among colleagues.[9] While employees of many organizations could benefit from such functionality, it is particularly advantageous to workers whose employers lag behind the technology curve.[10]

[4]       These and other features seem to make personal clouds an ideal tool for advancing business objectives within the corporate environment.[11] Appearances, however, can be deceiving. That is exactly the case with employee use of personal cloud applications in the workplace.[12] From information retention and information security to litigation readiness and cybersecurity, personal cloud use among employees implicates a range of troubles for organizations.[13] Indeed, the very aspects that make personal clouds so attractive–cheap and unlimited storage, simplified transfers, and increased collaboration–pose serious threats to the enterprise.[14]

[5]       Nevertheless, companies in many instances have taken few, if any, actionable steps to address the proliferation of personal cloud use among their employees.[15] Worse, some organizations have implemented “bring your own cloud” (BYOC) policies that officially sanction employee use of consumer-grade cloud applications in the workplace without sufficient corporate oversight.[16] A BYOC policy that lacks proper measures to ensure compliance may very well result in a disastrous outcome for the enterprise.[17]

[6]       In this article, I address these issues by surveying recent court cases that exemplify the information governance and litigation challenges arising from personal cloud use in the business enterprise. In particular, I discuss the problems with BYOC practices that expressly or implicitly enable employee use of personal clouds. I also spotlight some of the troubles that stealth use of personal clouds creates for organizations. I conclude by suggesting some practices that can help organizations ameliorate these problems.

 II. LAISSEZ-FAIRE TREATMENT OF PERSONAL CLOUD USE IN THE CORPORATE ENVIRONMENT

[7]       Employers are often directly responsible for the difficulties that have resulted from employee use of cloud applications.[18] That employers are at fault does not stem from this being a new trend. Indeed, personal cloud providers have been around since the 2000s,[19] with courts examining the troubles associated with cloud computing beginning in 2011.[20] Organizations previously overlooked the risks of this trend by authorizing their executives or employees to use personal cloud applications in the corporate ecosystem.[21] In addition, they ignored the hazards associated with the stealth use of personal clouds.[22] This Part examines cases that address these aspects of employee use of consumer clouds.

 A. Corporate Approved BYOC Accounts

[8]       In many instances, organizations have openly welcomed the use of personal clouds by their employees.[23] Whether by policy or by practice, corporate IT departments have approved personal cloud use by expressly enabling its functionality.[24] Nevertheless, that is often the extent of corporate oversight.[25] Beyond requiring an employee to sign a perfunctory non-disclosure agreement, little follow-up effort is taken to prevent employees from transferring confidential information from company servers to a personal cloud.[26]

[9]       Such corporate inaction can be challenging for cybersecurity initiatives, retention schedules, and preservation requirements in litigation. However, it can be especially problematic when an employee leaves the company with proprietary materials and begins working for an industry competitor.[27] The Selectica v. Novatus[28] and PrimePay v. Barnes[29] decisions are particularly instructive on the need for organizations to abandon their laissez-faire attitude toward employee use of approved BYOC accounts.

  1. Selectica v. Novatus

[10]     In Selectica, plaintiff (Selectica) filed suit against defendant (Novatus), claiming Novatus misappropriated various trade secrets.[30] In particular, Selectica alleged that four of its former sales personnel violated their respective non-disclosure agreements by sharing confidential pricing information with Novatus, their new employer.[31] Those agreements provided that the employees would maintain the confidentiality of Selectica’s proprietary information and return all such materials to the company upon termination of their employment.[32]

[11]     Despite those agreements, one of the employees (Holt) offered to share Selectica’s pricing information with a member of Novatus’ senior management team after joining Novatus.[33] Holt still had access to that information along with other data belonging to Selectica because he maintained it with Box, a cloud storage provider.[34] The Box account was not a stealth cloud drive concealed from Selectica.[35]

[12]     Instead, Selectica expressly recommended and authorized Holt to store that data under a BYOC arrangement with Box: “While employed by Selectica, [Holt] had a company laptop computer which, on Selectica’s recommendation, was configured so that it automatically synced to his personal cloud storage account at Box.com. This meant that when Holt saved a file to the laptop, the system pushed a copy to his Box account.”[36] Despite having enabled the BYOC arrangement with Holt, Selectica apparently neglected to disable the Box account or remove any proprietary materials upon Holt’s departure.[37] As a result, Holt had full access to the pricing information when he joined Novatus.[38]

[13]     Selectica demonstrates the folly of a lax approach to personal cloud use within the enterprise. While Selectica enabled the Box account for backup purposes, it took no action to protect Selectica’s interest in the corporate information stored in that account. For example, Selectica did not obtain Holt’s login credentials to the Box account.[39] Nor does it appear that Selectica monitored Holt’s use of the account while employed with the company.[40] Selectica did not disable the Box account when Holt left the company.[41] Furthermore, Selectica took no action to confirm that Holt had either returned or destroyed all proprietary company information before going to work for Novatus.[42]

[14]     Any one of these steps—and certainly a combination of them—would likely have prevented the disclosure of Selectica’s product pricing information to an industry competitor.[43] Selectica exemplifies the need for corporate oversight of approved BYOC accounts if organizations are to prevent their trade secrets from falling into the hands of competitors.

  2. PrimePay v. Barnes

[15]     Another exemplary decision on these issues is PrimePay v. Barnes.[44] Like Selectica, PrimePay involves claims of trade secret misappropriation.[45] In PrimePay, the plaintiff (PrimePay) sued one of its former executives (Barnes) who established a competing business entity.[46] PrimePay moved for a preliminary injunction against the operation of Barnes’ business, arguing that Barnes took several categories of confidential PrimePay information and stored it with cloud service provider Dropbox, along with other locations.[47] According to PrimePay, Barnes accessed the Dropbox-stored data to allegedly help start his competing company. He then allegedly destroyed those materials after the plaintiff warned him “to preserve any PrimePay electronically stored information that he possessed.”[48]

[16]     In response to these arguments, Barnes asserted that he never absconded with PrimePay’s proprietary data.[49] Instead, Barnes explained that any PrimePay data in his Dropbox account was from work that he previously performed while at PrimePay.[50] According to Barnes, that data was mostly deleted at the time he left the company.[51] As for the origin of the Dropbox account, it was created far in advance of Barnes’ departure from the company.[52] Its purpose was not to steal proprietary data, Barnes argued, but to allow him to complete work for PrimePay when he was away from the office.[53] Nor was this a stealth account; it was a company-approved BYOC:

Barnes created the Dropbox [account] . . . so that he could transfer and access files when he worked remotely on PrimePay matters if he was away from the office, on vacation or elsewhere and needed access to the PrimePay files, all with the knowledge and approval of [PrimePay owner] Chris Tobin.[54]

[17]     Given that Barnes’ Dropbox account was a company-approved BYOC account, and in light of other evidence suggesting Barnes did not access the Dropbox files or other proprietary PrimePay information after leaving his position with the company, the court did not find evidence of trade secret misappropriation.[55] While the court ordered the destruction of PrimePay’s remaining confidential information stored on the Dropbox, it refused to issue a preliminary injunction against the operation of Barnes’ competing enterprise.[56]

[18]     PrimePay reinforces the lesson from Selectica that a laissez-faire approach to personal clouds may lead to corporate disasters. Because PrimePay did not monitor or disable the Dropbox account, Barnes apparently left the company with a massive trove of proprietary company data. Even though the court accepted Barnes’ explanation that he accessed little, if any, of that data after he left the company, PrimePay’s evidence suggested otherwise.[57] While PrimePay may never know how much of its information was used to start Barnes’ competing enterprise, it is reasonably certain that a more robust compliance program would have quarantined the proprietary data before Barnes left the company.[58] This may have obviated the legal expenses and opportunity costs of the litigation. Like Selectica, PrimePay ultimately teaches that organizations should police approved BYOC environments to better safeguard proprietary corporate information.

 B.  Stealth Use of Personal Clouds

[19]     Beyond the problem of a poorly monitored BYOC ecosystem stands the equally troubling scenario of stealth use of personal clouds.[59] Such a scenario involves employees using their personal cloud accounts in connection with their work duties without express company approval.[60] While some employees do so in good faith to facilitate their work, others clandestinely use their cloud accounts to sabotage the organization or to gain a competitive advantage over their former employers after leaving the company.[61] A number of decisions demonstrate the problems with stealth—or “shadow”—use of personal clouds across the spectrum of corporate employees.[62]

  1. Operations-Level Employee

[20]     Operations-level employees are often at the heart of stealth use of personal clouds. For example, in Toyota Industrial Equipment Manufacturing v. Land, a managerial level employee (Land) used Google Drive and other personal cloud applications to steal hundreds of critical documents from his employer (Toyota) before going to work for an industry competitor.[63] Those documents included technical specifications reflecting the proprietary design of certain industrial equipment, along with related pricing and financial information.[64] While authorized to use that data during his employment, Land stored and kept shadow copies of these materials on his Google Drive account so they could be accessible after he left Toyota.[65]

[21]     To facilitate the removal of Toyota’s proprietary information, Land downloaded “GoogleDriveSync.exe” on his work computer.[66] Similar to the corporate-enabled Box account in Selectica, the GoogleDriveSync.exe program enabled Land to simultaneously save documents on his personal Google Drive account that he saved to his company-issued computer.[67] On the eve of his departure from Toyota, Land placed approximately 800 “files and folders” on Google Drive.[68] These actions—Land removing and then retaining Toyota’s proprietary information after his departure from the company in violation of his non-disclosure agreement—resulted in an injunction preventing Land from working for Toyota’s competitor.[69]

[22]     Another case involving stealth cloud use by an operations-level employee is RLI Insurance Company v. Banks.[70] In RLI, the employee (Banks) used a Norwegian cloud provider (Jottacloud)[71] to upload “757 customer claim files and other files containing proprietary information” belonging to her employer (RLI).[72] Banks initially tried to upload the files to her Dropbox account, but RLI’s corporate network denied access to Dropbox.[73] RLI had employed web filtering software that blocked employees from accessing more commonly used cloud providers, such as Dropbox.[74] Undeterred, Banks researched “Dropbox alternatives” that could evade RLI’s filtering protocol, opened a Jottacloud account, and used that service to remove proprietary RLI data in violation of her employment agreement.[75] RLI eventually discovered Banks’ malfeasance, but only after offering her a severance package subsequent to her dismissal from the company.[76]

  2. Company Executives

[23]     Operations-level employees are not alone in their furtive use of personal clouds. Company executives can also be guilty of such conduct. Given the nature of access that executives often have to critical information, such conduct can be particularly problematic. The Frisco Medical Center v. Bledsoe[77] and De Simone v. VSL Pharmaceuticals[78] cases are instructive in this particular scenario.

[24]     In Frisco Medical, the chief operating officer (Bledsoe) for a Texas hospital (Frisco) used Dropbox to obtain several classes of proprietary and patient information before leaving Frisco for a new position elsewhere.[79] More specifically, Bledsoe installed Dropbox on her work computer after she accepted her new position but before she resigned from Frisco.[80] With Dropbox enabled, Bledsoe then transferred “Frisco’s confidential and proprietary information, trade secrets, peer review materials, and statutorily protected patient health information to her personal” cloud account in violation of her employment agreements.[81]

[25]     Frisco did not suspect that Bledsoe surreptitiously removed proprietary information from its computer network until she revealed in an exit interview that “she knew where too many bodies were buried.”[82] It was only then that Frisco began investigating Bledsoe’s computer usage, discovered her use of Dropbox, and determined the extent of the information she had taken from the hospital.[83]

[26]     In contrast to Frisco Medical, De Simone v. VSL Pharmaceuticals involved a chief executive officer (De Simone) who used Dropbox to deprive his company (VSL) of corporate records.[84] De Simone, who served as VSL’s chief executive for more than a decade, became embroiled in a dispute with investors over who rightfully owned VSL’s intellectual property related to the probiotic drug sold by the company.[85] In connection with that dispute, De Simone transferred VSL’s corporate records to his personal Dropbox account.[86] He then wiped the corporate network in order to eliminate any trace of the records and rejected shareholder requests to access the information.[87] After resigning his position as VSL’s CEO a few months later, De Simone began working for a competitive enterprise that manufactured and sold a generic version of VSL’s probiotic drug, taking the corporate records with him.[88]

  3. Analysis of Cloud Jurisprudence

[27]     The cases discussed so far generally involve harm to employers that likely could have been obviated had the organizations taken safeguards to prevent or detect stealth use of personal clouds.[89] Instead, like Selectica, the employers in Toyota Industrial, RLI, and Frisco Medical relied on non-disclosure and other employment agreements to protect their sensitive and proprietary information.[90]

[28]     On the one hand, those agreements successfully enabled the aggrieved parties to obtain injunctions, summary judgment orders, and damages against the cloud-wielding tortfeasors.[91] But at what cost? The employers incurred legal fees and costs for the investigations and court actions they undertook to address the theft of corporate information by their former employees. In addition to those expenses, the organizations sustained substantial opportunity costs. Personnel were likely redirected from business operations to ameliorate the harm caused by the loss of proprietary data. Moreover, industry competitors may have become acquainted with strategic plans, pricing information, design specifications, financial performance, and other proprietary data. All of this may have provided their competitors with an advantage in subsequent business dealings.[92]

[29]     Simply put, the non-disclosure and employment agreements did nothing to stop the perpetrating employees from misappropriating company trade secrets.[93] Beyond the agreements, the only employer that apparently took anything close to a preventative step was RLI, which used a blocking program to prevent personal cloud use.[94] However, even that step proved inadequate as the employee easily circumvented the software filter by using a previously unknown cloud application.[95]

[30]     Just as in PrimePay, none of the employers appears to have established a process to detect the possible use of personal cloud applications. This is evident from De Simone, as the company did not know that its chief executive used Dropbox to steal its corporate records.[96] That no such process was in place in RLI is confirmed by the company’s initial offering of severance pay to Banks.[97] The Frisco employer only began its search of Bledsoe’s computer activity after she carelessly suggested she knew where the “bodies were buried.”[98] In Toyota Industrial, no efforts were made either to examine Land’s computer activity or to verify his next work destination after he tendered his resignation.[99] Indeed, Toyota allowed Land to work for another two weeks at the company before his termination date.[100]

[31]     With employees now regularly using consumer clouds in connection with their work responsibilities, organizations must be prepared to counteract their potential negative effects. As set forth in Part III, companies should develop proactive measures to address employee use of cloud applications and to mitigate any resulting harm.

III. PROACTIVE STEPS TO ADDRESS PERSONAL CLOUD USE

[32]     Despite the complexities that personal clouds now present for many organizations, they are not insurmountable. Enterprises can generally manage potential problems through a proactive, common sense approach to information governance. In this Part, I discuss some of the key aspects of an information governance program that can help address the challenges associated with employee use of personal cloud applications.

[33]     A prefatory step that organizations can take in this regard is to create a data map identifying the locations—both on and off the corporate network—where their information resides.[101] While a data map is useful for both information retention and litigation purposes, it is essential for controlling ingress and egress to proprietary information—precisely the data endangered by personal cloud applications.[102] If a company cannot identify the precise areas where it has stored its trade secrets and other sensitive materials, it becomes difficult to establish that it used “reasonable steps” to safeguard that information.[103] In contrast, a current and accurate data map better enables organizations to reasonably account for proprietary records, along with other indispensable business information.[104] Once the data map is in place, organizations can then proceed to develop policies that reasonably ensure the protection of corporate data.[105]

[34]     Those policies should include actionable protocols that address employee use of personal cloud applications.[106] Those protocols should clearly delineate whether personal clouds are permitted and if so, what constitutes an authorized BYOC account.[107] Whether an enterprise chooses to ban the use of personal clouds or to adopt a BYOC-friendly environment, the policy should include audit and enforcement mechanisms to gauge policy observance.[108] At a minimum, those mechanisms ought to include the right to monitor, access, and disable employee use of personal clouds.[109] Related mechanisms will also be required for those organizations that proscribe BYOC use since employees will likely circumvent such a policy.[110] For example, blocking programs like the one used in RLI, while not foolproof, are a practicable first step to preventing some personal cloud use.[111]

[35]     In a BYOC ecosystem, applicable protocols should additionally describe what company data can or cannot be transferred to the cloud.[112] Organizations should also require the disclosure of user login credentials for approved cloud applications to ensure appropriate policy compliance.[113] Upon an employee’s termination, approved BYOC accounts should either be disabled or the company should verify that company data previously maintained in the account has been either returned or destroyed.[114]

[36]     In like manner, non-BYOC organizations should consider examining terminated employees’ computer activity and corporate devices to detect whether there was illicit use of personal clouds.[115] However, such a step may not be practicable for many organizations that lack the resources for a thorough review of every employee device. If a comprehensive sweep is cost prohibitive, organizations should consider conducting a review of those employees whose possible disclosure of corporate information carries the greatest risk to the enterprise.[116] The extent to which a company carries out this step likely depends on the role of the terminated employees, their position in the company, and the nature of the information to which they were privy.[117] Despite the expense of this procedure, such a step would likely have obviated much of the litigation that ensued in Selectica, Novatus, Toyota Industrial, RLI, and Frisco Medical.

IV. CONCLUSION

[37]     The challenges with personal cloud applications need not be an intractable problem. Following industry best practices like those suggested in Part III should help organizations address many of the troubles associated with approved BYOC accounts. They should also mitigate the harm created by stealth cloud use that may go undetected. While certainly not an elixir, adopting these practices should help companies avoid many of the worst problems associated with personal cloud use in the enterprise.

 

 

 

*Consultant, Discovery and Information Governance, Driven, Inc.; J.D., Santa Clara University School of Law, 1999; B.A., Political Science, Brigham Young University, 1994.

 

[1] See Joe McKendrick, 5 Benefits of Cloud Computing You Aren’t Likely to See in a Sales Brochure, Forbes (July 21, 2013, 9:04 PM), http://www.forbes.com/sites/joemckendrick/2013/07/21/5-benefits-of-cloud-computing-you-arent-likely-to-see-in-a-sales-brochure/#34a34b6e7d85, archived at http://perma.cc/ET8N-JKG5.

[2] See Edwin Schouten, 5 Cloud Business Benefits, Wired (Oct. 5, 2012), http://www.wired.com/insights/2012/10/5-cloud-business-benefits/, archived at https://perma.cc/7LJK-RP4M.

[3] See Jim Lynch, What Are the Benefits and Drawbacks of Cloud Computing?, TechSoup (Feb. 6, 2015), http://www.techsoup.org/support/articles-and-how-tos/what-are-the-benefits-and-drawbacks-of-cloud-computing, archived at https://perma.cc/9JYQ-AD93.

[4] See id.

[5] See Nicholas Lee, Is Your Corporate Data Appearing on Personal Clouds?, CloudTweaks (Sept. 9, 2015), http://cloudtweaks.com/2015/09/is-your-corporate-data-appearing-on-personal-clouds/, archived at https://perma.cc/HD3C-VDDX.

[6] See Zack Christenson, Benefits of Cloud Computing, American Consumer Institute (Sept. 30, 2013), http://www.theamericanconsumer.org/2013/09/benefits-of-cloud-computing/, archived at https://perma.cc/9ATN-QEP2.

[7] See Bill Kleyman, What Personal Cloud Means for Consumers and Enterprises, Data Center Knowledge (Sept. 10, 2013), http://www.datacenterknowledge.com/archives/2013/09/10/what-personal-cloud-means-for-consumers-and-enterprises/, archived at https://perma.cc/RK2Z-VE6L.

[8] See Louis Columbus, How Enterprises Are Capitalizing on the Consumerization of IT, Forbes (Mar. 24, 2014, 06:43 AM), http://www.forbes.com/sites/louiscolumbus/2014/03/24/how-enterprises-are-capitalizing-on-the-consumerization-of-it/#1af595ef6160, archived at https://perma.cc/38F9-KTQ6 (“79% [of surveyed enterprises] report that file sharing and collaboration tools including Box, Egnyte, Google Apps, Microsoft Office 365, GroupLogic, ShareFile and others are pervasively used today. 49% are with IT approval and 30% are not.”).

[9] See Andrew Froehlich, The Buck Stops at BYOC, InformationWeek (Jan. 29, 2014, 12:00 PM), http://www.networkcomputing.com/infrastructure/buck-stops-byoc/870595087, archived at https://perma.cc/K7BV-HPPL (“Employees are comfortable using services such as DropBox, Google Apps, and Carbonite at home. Because of that comfort level, they naturally want to use those same tools in their business life.”); Intermarine, L.L.C. v. Spliethoff Bevrachtingskantoor, B.V., No. 15-mc-80211-MEJ, 2015 U.S. Dist. LEXIS 112689, at *2 (N.D. Cal. Aug. 20, 2015) (“Dropbox provides a document storage and sharing service through which users can collectively save, share, and edit documents stored ‘in the cloud.’”).

[10] See Froehlich, supra note 9.

[11] See id. (“Lack of IT management and control will quickly put an end to BYOC, even though it has the potential to provide real benefits.”).

[12] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *22–24, *29 (E.D. Tex. Nov. 30, 2015) (discussing defendants’ extensive use of Dropbox to remove vast amounts of proprietary information belonging to plaintiff).

[13] See Susan Miller, New Risk on the Block: Bring Your Own Cloud, GCN (May 23, 2013) https://gcn.com/articles/2013/05/23/new-risk-bring-your-own-cloud.aspx, archived at https://perma.cc/T7DM-3CD6.

[14] See Robert L. Mitchell, IT’s New Concern: The Personal Cloud, ComputerWorld (May 20, 2013, 7:00 AM), http://www.computerworld.com/article/2497860/consumerization/it-s-new-concern–the-personal-cloud.html, archived at https://perma.cc/XZN9-RSK8.

[15] See discussion infra Part II.

[16] See Froehlich, supra note 9.

[17] See id. (“BYOC presents a nightmare scenario because data can be copied, duplicated, and ultimately lost or stolen via the various cloud services.”).

[18] See Columbus, supra note 8.

[19] See Victoria Barret, Dropbox: The Inside Story of Tech’s Hottest Startup, Forbes (Oct. 18, 2011, 8:30 AM), http://www.forbes.com/sites/victoriabarret/2011/10/18/dropbox-the-inside-story-of-techs-hottest-startup/4/#1cace6c73a44, archived at http://perma.cc/C9Q3-465F; Jonathan Strickland, How Cloud Storage Works, HowStuffWorks.com (Apr. 30, 2008), http://computer.howstuffworks.com/cloud-computing/cloud-storage2.htm, archived at https://perma.cc/5JTG-UZS3 (Web-based e-mail providers like Yahoo! and Hotmail have been providing their users with a quasi-cloud computing environment through e-mail since the 1990s).

[20] See, e.g., Animators at Law, Inc. v. Capital Legal Solutions, L.L.C., 786 F. Supp. 2d 1114, 1117–18 (E.D. Va. 2011) (explaining that plaintiff’s former employees accessed company files stored in a company Dropbox account through login credentials that plaintiff failed to disable after the employees left the company).

[21] See Columbus, supra note 8.

[22] See Boston Scientific Corp. v. Lee, No. 13-13156-DJC, 2014 U.S. Dist. LEXIS 66220, at *2, *4–7 (D. Mass. May 14, 2014) (enjoining defendant from using proprietary information that he had taken from his prior employer and which he stored both during and after his employment on Google Drive).

[23] See Selectica, Inc. v. Novatus, Inc., No. 6:13-cv-1708-Orl-40TBS, 2015 U.S. Dist. LEXIS 30460, at *2 (M.D. Fla. Mar. 12, 2015).

[24] See Columbus, supra note 8.

[25] See Froehlich, supra note 9.

[26] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *7–9 (observing that defendants’ former employer began investigating the possibility that defendants took proprietary company data in violation of their non-disclosure agreements only after one of the defendants mentioned that “she knew where too many bodies were buried.”).

[27] See Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *5–6, *9 (S.D. Ind. July 21, 2014) (explaining that defendant uploaded confidential information from his former employer to his Google Drive account before going to work for an industry competitor).

[28] See Selectica, Inc. v. Novatus, Inc., No. 6:13-cv-1708-Orl-40TBS, 2015 U.S. Dist. LEXIS 30460 (M.D. Fla. Mar. 12, 2015).

[29] See PrimePay, L.L.C. v. Barnes, No. 14-11838, 2015 U.S. Dist. LEXIS 65710 (E.D. Mich. May 20, 2015).

[30] See Selectica, Inc., 2015 U.S. Dist. LEXIS 30460, at *4.

[31] See id. at *2.

[32] See id. at *1.

[33] See id. at *3.

[34] See id.

[35] See Selectica, Inc., 2015 U.S. Dist. LEXIS 30460, at *2–3.

[36] Id. at *2 (emphasis added).

[37] See id. at *2.

[38] See id. at *2–3.

[39] See id. at *17.

[40] See Selectica, Inc., 2015 U.S. Dist. LEXIS 30460, at *2–3.

[41] See id.

[42] See id.

[43] See Tom Nolle, Bring Your Own Cloud: The Movement Companies Can’t and Shouldn’t Stop, TechTarget (Apr. 8, 2014), http://searchcloudapplications.techtarget.com/feature/Bring-your-own-cloud-The-movement-companies-cant-and-shouldnt-stop, archived at https://perma.cc/C478-7NCG.

[44] See PrimePay, L.L.C. v. Barnes, No. 14-11838, 2015 U.S. Dist. LEXIS 65710 (E.D. Mich. May 20, 2015).

[45] See id. at *2.

[46] See id. at *4–5.

[47] See id. at *2, *9–11.

[48] Id. at *8–9.

[49] See PrimePay, L.L.C., 2015 U.S. Dist. LEXIS 65710, at *3.

[50] See id. at *11–13.

[51] See id. at *12.

[52] See id. at *11.

[53] See id.

[54] PrimePay, L.L.C., 2015 U.S. Dist. LEXIS 65710, at *11.

[55] See id. at *64, 66.

[56] See id. at *106–08.

[57] See id. at *34–36, *100–01.

[58] See Lee, supra note 5.

[59] See Danny Palmer, CIOs Worried Cloud Computing and Shadow IT Creating Security Risks, Computing (July 27, 2015), http://www.computing.co.uk/ctg/news/2419409/cios-worried-cloud-computing-and-shadow-it-creating-security-risks, archived at https://perma.cc/39AR-LJ4F.

[60] See Thoran Rodrigues, Cloud Computing and the Dangers of Shadow IT, TechRepublic (Aug. 16, 2013, 12:48 PM), http://www.techrepublic.com/blog/the-enterprise-cloud/cloud-computing-and-the-dangers-of-shadow-it/, archived at https://perma.cc/Y5BG-PEQZ.

[61] See, e.g., Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *3–4, *8–9 (E.D. Tex. Nov. 30, 2015); Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *10, *13–14 (S.D. Ind. July 21, 2014).

[62] See Rodrigues, supra note 60.

[63] See Toyota Indus. Equip. Mfg., Inc., 2014 U.S. Dist. LEXIS 99070, at *3–7.

[64] See id. at *5.

[65] See id. at *5–7.

[66] See id. at *6–8.

[67] See id. at *6–7.

[68] See Toyota Indus. Equip. Mfg., Inc., 2014 U.S. Dist. LEXIS 99070, at *8.

[69] See id. at *15–16, *22.

[70] See RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396 (N.D. Ga. Jan. 27, 2015).

[71] See id. at *2; see generally Jottacloud, https://www.jottacloud.com, archived at https://perma.cc/7HQJ-AYFR (last visited Mar. 17, 2016) (“Jottacloud is a cloud storage service for individuals and companies that lets you backup, synchronize, store and share files from all your devices. The uploaded data is protected by one of the worlds [sic] strongest privacy laws, with all your data stored in Norway.”).

[72] RLI Ins. Co., 2015 U.S. Dist. LEXIS 9396, at *2.

[73] See id.

[74] See id. at *1–2.

[75] Id. at *2.

[76] See Verified Complaint for Damages and Emergency Injunctive Relief at 15–16, RLI Ins. Co. v. Banks, 2015 U.S. Dist. LEXIS 9396 (N.D. Ga. Jan. 27, 2015) (No. 1:14-CV-1108-TWT) (“Not aware of Defendant’s misappropriation of RLI’s Customer Claim Files and Proprietary Information, RLI offered Defendant a severance package upon her termination. Defendant had not yet accepted the offer of a severance package when RLI discovered the misappropriation. Based on Defendant’s misconduct, RLI revoked its offer of severance to Defendant by letter to Defendant.”).

[77] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915 (E.D. Tex. Nov. 30, 2015).

[78] See De Simone v. VSL Pharm., Inc., No. TDC-15-1356, 2015 U.S. Dist. LEXIS 128209, at *2 (D. Md. Sept. 23, 2015).

[79] See Frisco Med. Ctr., L.L.P., 2015 U.S. Dist. LEXIS 159915, at *8.

[80] See id. at *12.

[81] Id. at *11.

[82] Id. at *7.

[83] See id. at *7–9.

[84] See De Simone v. VSL Pharm., Inc., No. TDC-15-1356, 2015 U.S. Dist. LEXIS 128209, at *48 (D. Md. Sept. 23, 2015).

[85] See id. at *1–2.

[86] See id. at *48–49.

[87] See id. at *18.

[88] See id. at *2.

[89] See discussion infra Part III.

[90] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *3 (E.D. Tex. Nov. 30, 2015); RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, at *2, *6 (N.D. Ga. Jan. 27, 2015); Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *4–6 (S.D. Ind. July 21, 2014).

[91] See Frisco Med. Ctr., L.L.P., 2015 U.S. Dist. LEXIS 159915, at *40–41 (granting Frisco summary judgment against Bledsoe on its trade secret claims); Toyota Indus. Equip. Mfg., Inc., 2014 U.S. Dist. LEXIS 99070, at *21–22 (enjoining Land from working for his new employer).

[92] See Frisco Med. Ctr., L.L.P., 2015 U.S. Dist. LEXIS 159915, at *2 (stating that beyond the problems with industry competitors, such unauthorized disclosures could violate regulatory schemes such as the Health Insurance Portability and Accountability Act, or HIPAA).

[93] See David S. Levine, School Boy’s Tricks: Reasonable Cybersecurity and the Panic of Law Creation, 72 Wash. & Lee L. Rev. 323, 334–35 (2015) (observing that many companies prefer to litigate rather than protect their trade secrets).

[94] See RLI Ins. Co., 2015 U.S. Dist. LEXIS 9396, at *1–2.

[95] See id. at *2.

[96] See De Simone v. VSL Pharm., Inc., No. TDC-15-1356, 2015 U.S. Dist. LEXIS 128209, at *48 (D. Md. Sept. 23, 2015).

[97] See Verified Complaint for Damages and Emergency Injunctive Relief at 15–16, RLI Ins. Co. v. Banks, 2015 U.S. Dist. LEXIS 9396 (N.D. Ga. Jan. 27, 2015) (No. 1:14-CV-1108-TWT).

[98] Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *7 (E.D. Tex. Nov. 30, 2015).

[99] See Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *6 (S.D. Ind. July 21, 2014).

[100] See id.

[101] See David Wetmore & Scott Clary, To Map or Not to Map: Strategies for Classifying Sources of ESI, Information Management (2009), http://content.arma.org/IMM/SeptOct2009/to_map_or_not_to_map.aspx, archived at https://perma.cc/CG8S-VACB.

[102] See R. Mark Halligan, Protecting U.S. Trade Secret Assets in the 21st Century, 6 Landslide, No. 1, Sept.–Oct. 2013, at 4, http://www.americanbar.org/publications/landslide/2013-14/september-october-2013/protecting_us_trade_secret_assets_the_21st_century.html, archived at https://perma.cc/FU3T-L4FW (urging companies to adopt “mapping” approaches to better safeguard trade secrets); see also Sterling Miller, Ten Things: Trade Secrets and Protecting Your Company, Corporate Law Advisory (Apr. 27, 2015), http://www.lexisnexis.com/communities/corporatecounselnewsletter/b/newsletter/archive/2015/04/27/ten-things-trade-secrets-and-protecting-your-company.aspx, archived at https://perma.cc/XH3L-WXRQ [hereinafter Miller] (“You need an inventory of all of the company’s trade secrets . . . [a]n inventory helps you identify what steps are needed to keep those specific items confidential and protected and be clear with the business what items are not considered trade secrets . . .”).

[103] See Boston Scientific Corp. v. Lee, No. 13-13156-DJC, 2014 U.S. Dist. LEXIS 66220, at *10, *12–13 (D. Mass. May 14, 2014) (finding the employer used “reasonable means to protect its trade secrets” despite contradictory evidence suggesting an employee openly used a personal Google Drive account to access and store confidential company information).

[104] See Halligan, supra note 102, at 4.

[105] See, e.g., Philip J. Favro, Getting Serious: Why Companies Must Adopt Information Governance Measures to Prepare for the Upcoming Changes to the Federal Rules of Civil Procedure, 20 Rich. J.L. & Tech. 5, 25–35 (2014), http://jolt.richmond.edu/v20i2/article5.pdf, archived at https://perma.cc/SZ3M-3MNP (explaining that a comprehensive information governance plan would take various factors into consideration. They would likely include the length of pertinent retention periods, the ability to preserve data for legal matters, applicable data protection laws, cybersecurity initiatives, and use policies for smartphones and other mobile devices).

[106] See Philip Favro, Do You Know Your BYOCs?, Legal Tech. News (July 13, 2015), http://www.legaltechnews.com/id=1202731897715?keywords=favro&publication=Legal+Technology, archived at https://perma.cc/QF6S-8KVW.

[107] See Miller, supra note 102.

[108] See Sophie Vanhegan, Legal Guidance: Protecting Company Information in the Cloud-Era, HRZone (Apr. 23, 2013), http://www.hrzone.com/perform/business/legal-guidance-protecting-company-information-in-the-cloud-era, archived at https://perma.cc/8MGT-3QZG.

[109] See id. (observing that corporate policies must “allow company monitoring of employees’ IT activity and work email accounts . . .”).

[110] See id. (“Employers may also wish to consider . . . implementing IT measures to prohibit uploading of documents onto web-based applications.”); see also RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, at *2 (N.D. Ga. Jan. 27, 2015).

[111] See, e.g., RLI Ins. Co., 2015 U.S. Dist. LEXIS 9396, at *1–2.

[112] See Vanhegan, supra note 108 (explaining that policies addressing personal cloud usage should “expressly prohibit the removal of company documents and information outside the company’s systems.”).

[113] See Esther Schindler, Protecting Corporate Data…When an Employee Leaves, Druva Blog (Oct. 13, 2014), http://www.druva.com/blog/protecting-corporate-data-employee-leaves/, archived at https://perma.cc/4GS5-QJ9H.

[114] See Rachel Holdgrafer, Fix Insider Threat with Data Loss Prevention, Cloud Security Alliance (Dec. 10, 2015), https://blog.cloudsecurityalliance.org/2015/12/10/fix-insider-threat-with-data-loss-prevention/, archived at https://perma.cc/EU5U-2FZN.

[115] See Miller, supra note 102 (“Departing employees constitute one of your biggest risks for trade-secret theft.”).

[116] See id.

[117] See id.; see also Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *5 (E.D. Tex. Nov. 30, 2015).

Big Tech Company v. Federal Government Part I: Is Code Speech? Is Privacy at Stake?

By: Biniam Tesfamariam

A Silicon Valley company against the federal government: who will win? Apple has so far refused to comply with a federal magistrate judge’s demand that the company assist the FBI in breaking the encryption of an iPhone. More specifically, Apple was asked to create new software that would allow law enforcement officials to break into the iPhone. Not just any iPhone, but the one that belonged to one of the San Bernardino shooters responsible for killing 14 people in California last year.

So what is at issue here? There are multiple issues, one of which centers on the All Writs Act, which, in a nutshell, allows courts to make a company turn over a customer’s data to law enforcement.[1] The act reads, “The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law; an alternative writ or rule nisi may be issued by a justice or judge of a court which has jurisdiction”.[2]

Apple’s main issue with such a request is the apparent risk that the resulting legal precedent would pose to all customer data. Never before has a federal court granted the government the power to force companies like Apple to weaken their security systems. This issue could easily be categorized as one that belongs to the legislature.

The legal argument Apple is expected to use can be summed up like this: Code is protected speech, so the government can’t compel Apple to write a new version of iOS any more than it can force an author to write a story. There is some precedent that code is protected speech.[3] Proving that code is protected speech isn’t the biggest obstacle Apple faces. Core to Apple’s argument against writing a new version of its operating system is that, by complying, it will make its customers less secure.[4]

Whatever the outcome of this current case, the disagreement will have a significant legal impact for the future of digital privacy in the United States.

 

[1] The All Writs Act, 28 U.S.C. § 1651 (1789).

[2] Id.

[3] David Goldman, Apple’s Case Against the FBI won’t be easy, CNN (Feb. 25, 2016 10:39 AM), http://money.cnn.com/2016/02/25/technology/apple-fbi-court-case/index.html?iid=SF_LN.

[4] Id.

 

Photo Source: https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&ved=0ahUKEwiEsOmn0OvLAhVE1CYKHSFLA0MQjBwIBA&url=http%3A%2F%2Fwww.hdwallpapers.in%2Fdownload%2Fthink_different_apple-1680×1050.jpg&psig=AFQjCNEXjBnl83KMr6BETq-O_1FCFAO7Dw&ust=1459537843768178

Big Tech Company v. Federal Government Part 2:

By: Biniam Tesfamariam,

Microsoft is also in a legal battle with the U.S. government, but this fight deals with consumer privacy information that can only be accessed in another country. In December 2013, the U.S. government obtained a search warrant requesting information about an email user for an investigation apparently involving drugs and money laundering.[1] Microsoft is refusing to cooperate because the data in question is stored in Ireland, and the company argues that the U.S. government cannot force it to hand over data stored outside American soil.[2]

Users of a Microsoft e-mail account can, with a user name and a password, send and receive e-mail messages as well as store messages in personalized folders. E-mail message data include both content information (the message and subject line) and non-content information such as the sender address, the recipient address, and the date and time of the transmission.

Microsoft stores e-mail messages sent and received by its users in its datacenters, one of which is of special interest to the U.S. government. In 2013, the U.S. Department of Justice served Microsoft with a subpoena and a search for emails that live in a data center in Ireland.[3] One of Microsoft’s arguments is that for data held overseas, the U.S. government should abide by its mutual legal assistance treaties, which are agreements between the United States and foreign countries that typically require the requesting government to be in compliance with the other government’s laws.[4] Irish law requires authorization from an Irish District Court judge to obtain e-mail content from a provider.[5]

The judge in the case, James Francis, agreed with the government, arguing that the search warrant issued in this case applies to data in Ireland because it’s more of a hybrid between a warrant and a subpoena. What this means: the request would be legal since subpoenas have reach outside the U.S.[6]

Nonetheless, it will be interesting to see what occurs when this case goes on appeal, as it has huge implications for the privacy of U.S. citizens who use American internet services.

 

 

[1] Lorenzo Bichhierai, Microsoft Fights U.S. Government Over Rights to Data on Foreign Servers, mashable (Jun. 12, 2014), http://mashable.com/2014/06/12/microsoft-u-s-government-data-foreign-servers/#Hcz6bzoAVmqs.

[2] Id.

[3] In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 15 F. Supp.3d 466, 2014 WL 1661004 (S.D.N.Y. Apr. 25, 2014).

[4] David Goldman, Microsoft is Fighting the DOJ too, CNN (Feb. 23, 2016 6:52 PM), http://money.cnn.com/2016/02/23/technology/microsoft-ireland-case/index.html.

[5] Criminal Justice Mutual Assistance Act, (Northern Ireland) 2008.

[6] In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 15 F. Supp.3d 466, 2014 WL 1661004 (S.D.N.Y. Apr. 25, 2014)

 

Photo Source:  https://tctechcrunch2011.files.wordpress.com/2015/06/shutterstock_192614108.jpg

Shaolin In Jeopardy: Possible Fates For the Sole Copy of Wu-Tang Clan’s Latest Album

By: Sean Livesey

In November of 2014, Josh Lepchitz published a blog post entitled “Step Into Shaolin and See Where the Wu-Tang Clan Could Be Taking Music.”[1] The post includes a brief yet incisive appraisal of the current state of the music industry from the artists’ perspective, given the advent and climbing popularity of services like Spotify, Pandora and Youtube.[2] Given this context, the post goes on to address a novel approach to music sale taken by the Wu-Tang Clan: the group recorded and produced a 31-track album in secret, creating one single copy to be sold directly to the highest bidder, with sole rights to the art transferring to the buyer at the time of sale. The album is entitled “Once Upon a Time in Shaolin.” Lepchitz’s post concludes with thoughts on Wu-Tang’s contribution to the music industry, not only as artists, but as market innovators, as well.[3]

Sure enough, Once Upon a Time in Shaolin was sold directly to a single wealthy buyer by the name of Martin Shkreli in May of 2015.[4] Shkreli, also referred to as “pharma bro” by the media, is the 32-year-old CEO of a pharmaceutical company. He first “entered the public consciousness…when he announced a price spike in [October 2015]…for Daraprim, a 62-year-old medication used by AIDS and cancer patients to fight life-threatening parasitic infections, that upped the price from $13.50 USD to $750 a pill.”[5] The public reacted very negatively to what was perceived as price gouging by Shkreli. When Shkreli bought the coveted Wu-Tang album he tweeted ostentatiously about it:

Figure 1:[6]

Martin Shkreli’s plans for the album were immediately unclear. Shortly after purchasing the album and attaining sole ownership of its contents, he teased that he might play part of it for the public. He even said that he’d probably never hear it, and that he “just thought it would be funny to keep it from people.”[7] However, while Shkreli obtained title to and possession of the album, his sole ownership is not entirely without limitations. One key provision under the contract is that the album’s copyright belongs to the album’s creators, Wu-Tang Clan, for the next 88 years.[8] This means Shkreli will not be legally permitted to distribute the music, or make it “commercially available” for 88 years.[9] VICE later caught up with Shkreli at his midtown apartment. When asked if people would ever be able to hear the album, Shkreli replied, “It depends on the world. I could see myself in a place where I break it, and I’ve seriously considered that – just snap it in half and bury the remains of it so no one tries to reconstruct it. I’ve seen a world where I give it away for free. I’ve seen a world where I charge for it or something… If people want to hear it, I’ll put it out. If people don’t want to hear it – they don’t appreciate Wu Tang for what I think it is – that’s fine, too… Who knows…”[10]

Then, in a major turn of events, Martin Shkreli was arrested on December 17, 2015 for securities fraud and the orchestration of what amounts to a complex Ponzi scheme, wherein he used sham consulting operations to make secret payoffs.[11] “’Federal prosecutors accused Shkreli of engaging in a complicated shell game after his defunct hedge fund, MSMB Capital Management, lost millions,’ Bloomberg reports.”[12] Brooklyn U.S. Attorney Robert Capers stated, “His [Shkreli’s] plots were matched only by efforts to conceal the fraud, which led him to operate his companies, which including a publicly traded company, as a Ponzi scheme…”[13]

Shkreli defended his actions after the fact, saying, “In law, you can be prosecuted for not maximizing profits. In fact, I know people who have. And you have to do everything in your power to make as much money as possible in the system we’ve got. That’s business, you can’t hold back.”[14]

Members of the Wu-Tang Clan responded to Shkreli’s arrest. “In a statement mailed to Bloomberg Businessweek, RZA [of the Wu-Tang Clan] wrote, ‘The sale of Once Upon a Time in Shaolin was agreed upon in May, well before Martin Shkreli’s [sic] business practices came to light. We decided to give a significant portion of the proceeds to charity.’”[15] Many were quick to speculate as to the fate of the Wu-Tang album, and whether the album would ever reach the public.

Myths began to surround the prospect of the album’s release to the public. The most famous of these myths was probably what I’ll call “the Bill Murray caveat.” At least seven major news outlets released headlines referring to a Bill Murray clause in the contract between Shkreli and Wu-Tang.[16] The clause purportedly states that “the seller may legally plan and attempt to execute one (1) heist or caper to steal back Once Upon A Time In Shaolin, which, if successful, would return all ownership rights to the seller. Said heist or caper can only be undertaken by currently active members of the Wu-Tang Clan and/or actor Bill Murray, with no legal repercussions…”[17] It turns out, however, that the clause was merely a hoax, and this language never actually existed in the written contract.

Figure 2:[18]


Hoaxes aside, there appear to be three legitimate legal possibilities that could release the album from Shkreli’s exclusive ownership. The first possibility is asset forfeiture to the U.S. government.[19] As of now, the feds do not have possession of or access to the Wu-Tang album.[20] The FBI is still investigating Shkreli’s case. If, however, the money that paid for the album can be linked with the money stolen from investors, executive power allows the U.S. government to enact asset forfeiture.[21]

Asset forfeiture would only be a possibility if Shkreli is convicted because this is a criminal case. Civil cases, on the other hand, do not require a civil judgment for asset forfeiture to be enacted by the government. In the event of an FBI discovery of such a link and a subsequent criminal conviction, the government could seize the Wu-Tang album and sell it to the public in order to recover some of the funds Shkreli allegedly stole from his investors. The FBI considers asset forfeiture to be the most effective means of recovering property and funds to compensate innocent victims of white-collar crimes.

The charges in the affidavit state, “The United States hereby gives notice to the defendants that, upon their conviction of any of the offenses charged in Counts One through Seven,[22] the government will seek forfeiture, in accordance with Title 18, United States Code, Section 981(a)(1)(C) and Title 28, United States Code, Section 2461(c), of any property, real or personal, which constitutes or is derived from proceeds traceable to any such offenses.”[23]

The second possibility is related to the first in that it, too, would result in a likely sale of the album to the public. However, it could be done in the absence of an FBI seizure of the album.[24] Mounting financial pressure on Shkreli (due to the pending lawsuit and virtually inevitable fines and penalties) could result in such a “forced sale.”[25] One interesting aspect of this scenario is the speculable market price of the album, now that it has received so much extra media exposure because of its link to the notorious high-profile CEO.[26] Shkreli could theoretically sell the album as an investment with a sizeable return.

The third possibility that could release the album from Shkreli’s exclusive ownership is an internet liberation through a formal request under the Freedom of Information Act.[27] While a somewhat unlikely possibility, a popular enough petition to release the album could carry weight in Washington. In the past, such requests have forced revelation of a great deal of information, including things like the White House beer recipe and the FBI’s Twitter slang dictionary.[28]

Will the public hear Once Upon a Time in Shaolin any time soon? That will likely be up to Shkreli. In spite of the accusations against him, he currently retains the right to sell the album, distribute it for free, or destroy it, without legal repercussions. The possibility of an FBI seizure of the album, which is dependent on a criminal conviction, could be years away, and the chances of a revelation under the Freedom of Information Act are probably slim. Perhaps Shkreli will even have a change of heart and return the album to its creators, but I wouldn’t hold my breath.

 

 

 

[1] http://jolt.richmond.edu/index.php/blog-step-into-shaolin-and-see-where-the-wu-tang-clan-could-be-taking-music/

[2] http://jolt.richmond.edu/index.php/blog-step-into-shaolin-and-see-where-the-wu-tang-clan-could-be-taking-music/

[3] Id.

[4] http://pitchfork.com/news/62465-wu-tang-clans-once-upon-a-time-in-shaolin-bought-by-pharmaceuticals-ceo-martin-shkreli/

[5] http://www.highsnobiety.com/2015/12/18/possible-outcomes-wu-tang-once-upon-a-time-in-shaolin/

[6] https://twitter.com/MartinShkreli?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor

[7] http://www.theatlantic.com/entertainment/archive/2015/12/pharma-bro-martin-shkreli-wu-tang-asset-forfeiture/421011/

[8] http://www.highsnobiety.com/2015/12/18/possible-outcomes-wu-tang-once-upon-a-time-in-shaolin/

[9] http://www.highsnobiety.com/2015/12/18/possible-outcomes-wu-tang-once-upon-a-time-in-shaolin/

[10] http://www.vice.com/video/drinking-wine-and-playing-chess-at-martin-shkrelis-midtown-apartment

[11] http://www.theatlantic.com/entertainment/archive/2015/12/pharma-bro-martin-shkreli-wu-tang-asset-forfeiture/421011/

[12] http://www.theatlantic.com/entertainment/archive/2015/12/pharma-bro-martin-shkreli-wu-tang-asset-forfeiture/421011/

[13] http://www.highsnobiety.com/2015/12/18/martin-shkreli-arrested/

[14] https://www.youtube.com/watch?v=JTNOWSKMS10

[15] http://pitchfork.com/news/62465-wu-tang-clans-once-upon-a-time-in-shaolin-bought-by-pharmaceuticals-ceo-martin-shkreli/

[16] http://www.newsweek.com/media-was-tricked-thinking-bill-murray-can-steal-2-million-wu-tang-album-403746

[17] http://www.newsweek.com/media-was-tricked-thinking-bill-murray-can-steal-2-million-wu-tang-album-403746

[18] http://www.newsweek.com/media-was-tricked-thinking-bill-murray-can-steal-2-million-wu-tang-album-403746

[19] http://www.highsnobiety.com/2015/12/18/possible-outcomes-wu-tang-once-upon-a-time-in-shaolin/

[20] http://www.highsnobiety.com/2015/12/18/possible-outcomes-wu-tang-once-upon-a-time-in-shaolin/

[21] http://www.highsnobiety.com/2015/12/18/possible-outcomes-wu-tang-once-upon-a-time-in-shaolin/.

Brooklyn U.S. Attorney Robert Capers stated, “We’re not aware of where he got the funds for the Wu-Tang album.” (http://www.highsnobiety.com/2015/12/18/martin-shkreli-arrested/)

[22] https://assets.documentcloud.org/documents/2648482/Shkreli-Complaint.pdf

[23] http://www.highsnobiety.com/2015/12/18/possible-outcomes-wu-tang-once-upon-a-time-in-shaolin/

[24] Id.

[25] Id.

[26] Id.

[27] Id.

[28] Id.

 

Photo Source:  http://blogs-images.forbes.com/zackomalleygreenburg/files/2014/05/Wu-Tang-Box.jpg

Error 53: The iPhone Error Message Enraging Apple Users Worldwide


By: Meghan Murphy

Shattered your iPhone 6 screen? Before having it fixed—beware third-party repairs. iPhone users around the world are outraged at the “Error 53” message appearing on their screens after updating to the newest iOS software.[1] As The Guardian reported recently, iPhone 6, 6S and 6+ users are relating countless stories of needing their shattered screens fixed, and going to a local merchant to have the work done.[2] Sometimes in the course of these repairs, the original home button was damaged and replaced.[3] Repaired well, these phones worked for months—until they attempted to update the iOS software as Apple recommends, and received the “Error 53” message before their phones became unusable.[4]

The problem appears to be in the hardware—often within the course of screen repair, the hardware connecting the fingerprint sensor on the home button could be damaged.[5] When the software attempts to update, it runs a diagnostic to make sure that all of the hardware is intact and working—and if the diagnostic finds a non-original home button, it shuts the entire phone down.[6] Apple claims this is a security measure, to make sure that no one can tamper with the home button or install another fingerprint sensor to gain access to someone else’s phone.[7] Even if this is the case, such an all-encompassing security measure seems extreme, especially considering customers had no notice that it would occur.[8]

Seattle firm PCVA agreed—and filed a class action lawsuit against Apple on February 5th, 2016.[9] As a firm press release stated, “We believe that Apple may be intentionally forcing users to use their repair services, which cost much more than most third party repair shops. Where you could get your screen replaced by a neighborhood repair facility for $50-80, Apple charges $129 or more. There is incentive for Apple to keep end users from finding alternative methods to fix their products.”[10] However, in the interim, business-savvy Apple took a U-turn and now claims that the “[diagnostic] test was designed to check whether Touch ID works properly before the device leaves the factory, and wasn’t intended to affect customers.”[11] As of February 18th, Apple is providing new software available in iOS update 9.2.1, which they say will restore previously “bricked” devices, and offering reimbursements to those who paid for out-of-warranty device replacements.[12]

The future of the lawsuit is unclear at this juncture. While Apple has clearly attempted to mitigate the damage by restoring old devices and offering reimbursements, surely many loyal Apple customers are still angry at Apple’s actions. It is possible that even with the software fix, miffed customers will still want to proceed with the lawsuit—although perhaps with a different spin. Only time will tell.

 

 

[1] Miles Brignall, “‘Error 53’ fury mounts as Apple software update threatens to kill your iPhone,” Guardian (Feb. 5, 2016, 1:59 PM), http://www.theguardian.com/money/2016/feb/05/error-53-apple-iphone-software-update-handset-worthless-third-party-repair.

[2] Id.

[3] Jack Nicas, “‘Error 53’: Your Repaired iPhone Is Dead,” Wall Street J. Blog (Feb. 5, 2016, 4:07 PM), http://blogs.wsj.com/digits/2016/02/05/apple-error-message-killing-iphones/?mod=trending_now_4.

[4] Id.

[5] Brignall, supra note 1.

[6] Id.

[7] Chris Johnston, “Apple says iPhone ‘Error 53’ is to protect customers’ security,” Guardian (Feb. 6, 2016, 8:57 PM), http://www.theguardian.com/technology/2016/feb/06/apple-says-iphone-error-53-is-to-protect-customers-security.

[8] Nicas, supra note 3.

[9] Miles Brignall, “Apple under pressure as lawyers pledge action over ‘Error 53’ codes,” Guardian (Feb. 8, 2016, 11:56 AM), http://www.theguardian.com/business/2016/feb/08/apple-under-pressure-lawyers-error-53-codes.

[10] “Class Action Lawsuit: Apple IPhone ‘Error 53,’” PCVA Law Firm (Feb. 5, 2016), http://www.pcvalaw.com/apple-iphone-error-53-lawsuit/ (last visited Feb. 23, 2016).

[11] “If you see error 53 and your iPhone or iPad gets stuck on the ‘Connect to iTunes’ screen,” Apple, https://support.apple.com/en-us/HT205628 (last modified Feb. 19, 2016).

[12] Id.

 

Photo Source:  http://rack.2.mshcdn.com/media/ZgkyMDE2LzAyLzA2LzI5L2FwdG91Y2hpZC44ZDU3Mi5qcGcKcAl0aHVtYgk5NTB4NTM0IwplCWpwZw/18551a5a/ba8/ap-touch-id.jpg
