Cite as: Nicole A. Poltash, Snapchat and Sexting: A Snapshot of Baring Your Bare Essentials, 19 Rich. J.L. & Tech. 14 (2013), available at http://jolt.richmond.edu/v19i4/article14.pdf. 

by Nicole A. Poltash^*

I.  Introduction

[1]        The usurpation of personal pictures posted on social media websites is not uncommon.  Cheryl Smith was unknowingly made the face of a dating website.[1]  A headshot of popular blogger Sara Pinnix was used “to promote an overseas Tarot card reader named Cristal.”[2]  And eighteen-year-old Arielle Goldfinch’s pictures were used on Tagged, a website “aimed at meeting people for sexual relationships.”[3]  

[2]        Such potential for misuse is particularly unsettling in light of the fact that three hundred million photos are uploaded to Facebook every day.[4]  Yet a careful reading of Facebook’s privacy policy dispels any notion that information a person chooses to share will not be disclosed to anybody else—even if shared with only one friend.[5]  Communications can be disseminated “by the friends with whom [users] share it, or even by Facebook at its discretion.”[6]  Indeed, Facebook recently sent its users notice of a pending class action which claims that “Facebook unlawfully used the names, profile pictures, photographs, likenesses, and identities of Facebook users in the United States to advertise or sell products and services . . . without obtaining those users’ consent.”[7]

[3]        Enter Snapchat, a mobile phone application that sends self-destructing messages.[8]  The company touts: “[S]imply set the timer up to ten seconds and send.  [Recipients will] have that long to view your message and then it disappears forever.”[9]  And disappear it does.  “[T]he company deletes any videos or photos off its servers after the content has been viewed. . . . [T]he data is completely deleted and could not be recalled even if law enforcement came looking for [it].”[10]  Unsurprisingly, this has led to the use of Snapchat for sexting[11] since its launch in September 2011.[12]      

[4]        This comment explores sexting between minors and its inseparable link to Snapchat.  Part II provides background information on the practice and prevalence of sexting.  Part III explains the Snapchat application and its various uses.  Part IV discusses the implications of sexting, legal and otherwise.  Part V examines how Snapchat directly conflicts with current law.[13]  Lastly, Part VI proposes possible solutions.

II.  Background

[5]        Sexting has been defined as “[t]he practice of sending or posting sexually suggestive text messages and images, including nude or semi-nude photographs, via cellular phones . . . or over the Internet.”[14]  Typically, a person takes a digital photo of himself or herself and sends it via mobile phone as a text message.[15]  Children as young as twelve years old have engaged in the practice.[16]

 [6]       Between 2004 and 2009 the portion of teenagers[17] who owned cell phones increased from forty-five to seventy-five percent.[18]  Of those teens, four percent admitted to having sent a sext to another person and fifteen percent said they had received a sext of someone they know.[19]  Those figures nearly parallel the percentage of adults who have sent and received sexts,[20] and have increased significantly since 2009.[21]

[7]        A 2012 survey of over six hundred private high school students revealed that nearly twenty percent of students had sent a sext via cell phone, and nearly twice as many had received a sext.[22]  Over a third of those who had sent a sext had done so “despite believing that there could be serious consequences.”[23]  More than a quarter had forwarded a sext that they had received to others.[24]

[8]        The National Campaign to Prevent Teen and Unplanned Pregnancy sponsored a similar survey of 1,280 teenagers and young adults, which largely uncovered the same figures.[25]  Nearly twenty percent of teenagers found nothing wrong with text messages containing images of full nudity, while forty percent considered being topless acceptable.[26]  In addition, “[s]ending and posting nude or semi-nude photos or videos starts at a young age and becomes even more frequent as teens become young adults.”[27]

[9]        Sexting itself is strongly linked to sexual behavior.[28]  According to the Archives of Pediatrics and Adolescent Medicine, “[a]bout 77% of girls aged 14 to 19 who had sent a sext reported having had intercourse, compared with 42% of those who hadn’t sexted.  For boys, 82% of those who had sexted had had sex, while 46% of non-sexters had done so.”[29]  Finally, girls who sext are also more likely to engage in unsafe sex.[30] 

III.  Snapchat

A.  Application, Terms, and Loopholes

[10]      Snapchat was born in the spring of 2011 in a Kappa Sigma fraternity house.[31]  Stanford alum Bobby Murphy and Stanford dropout Evan Spiegel created the picture and video messaging application as a project for a product design class.[32]  The company’s description of the application, which is rated for users twelve and older, is short:

Snapchat is the fastest way to share a moment with friends.  You control how long your friends can view your message—simply set the timer up to ten seconds and send.  They’ll have that long to view your message and then it disappears forever.  We’ll let you know if they take a screenshot!  Build relationships, collect points, and view your best friends.  Snapchat is instantly fun and insanely playful.  Show your friends how clever you can be and enjoy the lightness of being![33]

[11]      Once Snapchat is downloaded from Apple’s iTunes or Google Play, a user must register a username and set a password.[34]  Snapchat then “accesses your contacts on your cell phone to load friends to the application, or you can add other friends beyond your contact list.”[35]  After two users approve each other, they can begin messaging.[36]

[12]      Pictures and videos are sent the same way: “by taking the picture or video, setting a timer from 1-10 seconds for the content to disappear after the user opens it, and sending it to another user.”[37]  Messages can be sent to one or more persons at a time.[38]  But with pictures, there are  additional options; they can be edited with captions or doodles, saved to a user’s phone, or uploaded directly to Instagram.[39]  Snapchat also tracks who each person messages, creating a “best friends” group for those messaged most,[40] with the top three people listed in order on each user’s public Snapchat profile.[41]

[13]      What makes the application so unique, however, is what happens to messages after they are viewed.  Pictures and videos sent via Snapchat are not just deleted from the recipient’s phone, but also from Snapchat’s network.[42]  “[T]he company deletes any videos or photos off of its servers after the content has been viewed. . . . [T]he data is completely deleted and could not be recalled even if law enforcement came looking for the information.”[43] 

[14]      But Snapchat does not and cannot entirely live up to this claim, giving users a false sense of security.  Indeed, the company’s privacy policy acknowledges as much:

Although we attempt to delete image data as soon as possible after the message is received and opened by the recipient . . . we cannot guarantee that the message contents will be deleted in every case. . . . Messages, therefore, are sent at the risk of the user.[44]          

[15]      There are additional loopholes.  For example, recipients can simply take a screenshot of the message, although this will notify the sender.[45]  Alternatively, recipients can take a picture of their phone, thereby circumventing the screenshot notification.  Even then, a more complicated approach exists.  “Snapchat saves [videos] on the phone’s local memory, which you can then recall by installing a file browser, such as iFunBox, and plugging the phone into a computer.  You then search through the file browser, copy and save the content to a computer, and you’re done.”[46]

[16]      Nevertheless, Snapchat has risen rapidly in popularity since its launch in September 2011.[47]  By the end of December 2012, the application was being used fifty million times a day,[48] up from thirty million in November and ten million in October.[49]  In 2012 alone, more than five billion messages were sent through Snapchat.[50]  In February 2013, the application “was the second-most popular free photo and video app for the iPhone . . . just behind YouTube and ahead of Instagram.”[51]  Snapchat is especially popular among individuals under twenty-five, and in December 2012 the company received eight million dollars from Benchmark Capital, the financial backer behind Instagram.[52] 

[17]      The application’s success has led other companies to copy the concept.[53]  In December 2012, for example, Facebook created the Poke app, which allows users to “send self-destructing photos, videos, and Facebook messages.”[54]  Unlike Snapchat, however, Facebook “keeps data you’ve deleted for a certain amount of time on its servers.”[55]  The new Facebook application has been largely unsuccessful, even being derided as “an obvious ripoff,” and appears to have launched Snapchat to new heights.[56]

 B.  Uses

[18]      Snapchat is meant to bring fun and spontaneity back into the digital world.  “People are living with this massive burden of managing a digital version of themselves,” co-founder Evan Spiegel explained.[57]  “It’s taken all of the fun out of communicating.”[58]  The application gives users a strong sense of inconsequentiality to their actions, enabling them to take “the ugliest, silliest, most compromising photos they want.”[59]  But emphasis should be placed on compromising.  The company’s deletion of messages from its servers has led to a widespread alternative use for Snapchat: sexting.[60]

[19]      Snapchat has been recognized as a sexting application since its inception.[61]  Because messages are ultimately deleted from the company’s servers, Snapchat has even been dubbed “the greatest tool for sexting since the front-facing camera.”[62]  The New York Times put it aptly: “All of this sexting . . . creates an opening for technology that might make the photos less likely to end up in wide circulation.  This is where a free and increasingly popular iPhone app called Snapchat comes in.”[63] 

[20]      Spiegel is unpersuaded, saying, “I’m not convinced that the whole sexting thing is as big as the media makes it out to be. . . . I just don’t know people who do that.  It doesn’t seem that fun when you can have real sex.”[64]  Yet the application is rated for users twelve years of age and older due, in part, to “suggestive themes” and “mild sexual content or nudity.”[65]

[21]      Proof of Snapchat’s use for sexting is found in “Snapchat Sluts,” a website featuring photos of naked women that were taken using Snapchat.[66]  The website was created in early December 2012 by party photographer Kirill Bichutsky and was “born from an open call for submissions posted on Bichutsky’s Twitter account.”[67]  All participants submitted pictures willingly and were over eighteen.[68]  The photos have since been removed, but the website clearly demonstrates that Snapchat “is being used in ways not intended by its creators.”[69]

[22]      Snapchat is also used for other improper purposes, such as for “crude drawings” and “to flaunt underage drinking.”[70]  In addition, “a growing number of teens [are] using Snapchat for cheating on tests.”[71] 

IV.  Implications of Sexting

A.  Legal Implications

[23]      In New York v. Ferber, the Supreme Court held that “[s]tates are entitled to greater leeway in the regulation of pornographic depictions of children.”[72]  Because the child pornography laws of most states classify a child as someone under the age of eighteen, a teenager who sexts may commit four different crimes: solicitation, production, distribution, and possession of child pornography.[73]  In effect, such laws criminalize a large fraction of American teenagers’ behavior.

[24]      The nature of sexting, however, makes “typical legal questions about the action, the actors, and the consequences difficult if not impossible to answer.”[74]  Thus state legislatures, while not ignoring the problem, have been slow to make progress.[75]  States have taken a variety of approaches to regulating teenagers who sext.[76]  Vermont, for example, created a total exception for consensual sexting between teenagers of specific ages.[77]  Vermont Senate Bill 125 amended child pornography laws to exclude persons “less than 19 years old, [when] the child is at least 13 years old, and the child knowingly and voluntarily and without threat of coercion used an electronic communication device to transmit an image of himself or herself to the person.”[78]

[25]      Other states established entirely new sex offender laws in response to sexting.  In February 2012, South Dakota criminalized a minor’s intentional creation, transmission, possession, or distribution of “any visual depiction of a minor in any condition of nudity . . . or involved in any prohibited sexual act.”[79]  With the exception of two affirmative defenses, any violation constitutes the offense of juvenile sexting, which is a class one misdemeanor.[80]

[26]      Diversionary programs are an alternative approach.  New York Assembly Bill 8131 “[d]irects the attorney general to establish a 2 year juvenile sexting and cyberbullying education demonstration program in not less than 3 counties as a diversionary program for persons under 16 who have engaged in cyberbullying or sexting, in lieu of juvenile delinquency or criminal proceedings.”[81]

[27]      Many state laws, however, do not adequately address the problem of sexting and how to punish it.  Illinois’ sexting law, for example, does not punish persons who repeatedly request sexts nor does it provide persons who receive unwanted sexts with a means to stop the sender.[82]  Further, the law fails to “go far enough to punish minors who recklessly send sext images on to unintended third parties and . . . to prevent the images from being created in the first place.”[83]  

[28]      In those states without  sexting laws, prosecutors are left to follow the laws already in place.  These laws are “mainly child pornography or obscenity laws, and some legislators have followed in turn with sex offender punishment guidelines. . . . [A] conviction . . . could result in teens being labeled sex offenders and subject to lifetime registration and reporting requirements.”[84]

[29]      Section 2256(8) of the Protection of Children Against Sexual Exploitation Act of 1977, for example, provides that child pornography “is any visual depiction of sexually explicit conduct when the visual depiction is a digital image, computer image, or computer-generated image of a minor engaging in sexually explicit conduct.”[85]  Although many sexts do not fall within the purview of “sexually explicit,”[86] teenagers across the United States have been charged with child pornography offenses.[87]  Such teenagers may face a difficult choice: “either mount a case-by-case ‘as applied’ challenge to a prima facie valid law (and risk decades in jail) or plead guilty to a lesser charge.”[88]

B.  Non-Legal Implications

[30]      Sexting also has non-legal implications, such as damaging careers and future job prospects.[89]  “According to a recent survey by Microsoft, 75 percent of U.S. recruiters and human-resource professionals report that their companies require them to do online research about candidates, and many use a range of sites when scrutinizing applicants—including. . . photo- and video-sharing sites.”[90]  Further, “[s]eventy percent of U.S. recruiters report that they have rejected candidates because of information found online.”[91]

[31]      More importantly, the distribution of pictures and videos depicting juveniles engaged in sexual activity is “intrinsically related to the sexual abuse of children” in two notable ways.[92]  “First, the materials produced are a permanent record of the children’s participation and the harm to the child is exacerbated by their circulation.  Second, the distribution network for child pornography must be closed if the production of [such] material   . . . is to be effectively controlled.”[93]

[32]      Sexting may also lead to bullying.[94]  Eighteen-year-old Jessica Logan of Cincinnati, for example, was harassed after an ex-boyfriend forwarded nude pictures of her to other high school girls.[95]  A few months later, Logan took her own life.[96]

V.  Conflicts with the Law

[33]      With all the risks associated with the application’s improper use, Snapchat has added limited liability and indemnification clauses.[97]  Its limitation of liability states, in relevant part, that the company will not be held liable for any damages resulting from “the conduct of other users of the application, even if Snapchat has been advised of the possibility of such damages.  You assume total responsibility for your use of the application.”[98]

[34]      Damages aside, Snapchat itself may be illegal because it functions as a distribution network for child pornography.  The Supreme Court has held that a state’s interest in “safeguarding the physical and psychological well-being of a minor” is “compelling.”[99]  “A democratic society rests, for its continuance, upon the healthy, well-rounded growth of young people into full maturity as citizens . . . .”[100]  Accordingly, the Court has “sustained legislation aimed at protecting the physical and emotional well-being of youth even when the laws have operated in the sensitive area of constitutionally protected rights.”[101]

[35]      One concern articulated in Ferber applies directly to teen sexting: the creation of a “permanent record.”[102]  As explained in Osbourne v. Ohio, “pornography’s continued existence causes the child victims continuing harm by haunting the children in years to come.”[103]  This “haunting” presupposes underlying sexual abuse, but abuse is not required:

[P]ornography poses an even greater threat to the child victim than does sexual abuse or prostitution.  Because the child’s actions are reduced to a recording, the pornography may haunt him in future years . . . . A child who has posed for a camera must go through life knowing that the recording is [or could be] circulate[ed] . . . .[104]

[36]      Similarly, “it is the fear of exposure and the tension of keeping the act secret that seems to have the most profound emotional repercussions.”[105]  Sexting itself is also harmful to teenagers.[106]  These harms justify the suppression of self-made pornography, even if it interferes with teenagers’ interest in expressing themselves as they wish. 

[37]      In practice, however, courts treat sexting differently than traditional child pornography.  Between 2008 and 2009, for example:

nearly 3,500 cases of sexual images produced by teens came to the attention of law enforcement agencies in the U.S. . . . . Two-thirds of these cases, however, had “aggravating” factors — such as involvement of an adult or use of the images by a teen to harass, bully or intimidate the victim.  Teens were arrested in 18% of cases where there was no aggravating factor, and registration as a sex offender occurred in only 10 cases, nine of which involved actual sexual assault . . . .[107] 

Forty-five-year-old Randy T. Davis Jr., by contrast, was sentenced to almost fourteen years in federal prison for downloading traditional child pornography from the Internet. [108]

[38]      Even if sexting by minors is distinguishable from traditional child pornography,[109] it is still illegal under prima facie valid law.[110]  Snapchat’s self-destructing messages make users feel immune from repercussions.  This has encouraged and led directly to the application’s widespread use for sexting.  Thus, Snapchat is “directed to inciting or producing imminent lawless action and is likely to incite or produce such action.”[111] 

[39]      But the application adds an additional layer of complexity.  Because Snapchat deletes photos and videos from senders’ phones, recipients’ phones, and its servers,[112] there is no “permanent record of the children’s participation.”[113]  On the one hand, Snapchat functions like contraception, protecting teenagers who are going to sext regardless of the consequences.[114]  On the other hand, it is used to both distribute child pornography and destroy the evidence.

[40]      Once deleted from Snapchat’s network, messages cannot be recovered, putting them beyond the reach of any subsequent investigation.[115]  Thus, short of real-time interception by law enforcement, Snapchat’s use deprives victims of recourse, even when aggravating factors are present.[116] 

[41]      Such aggravating factors are becoming increasingly common.  One reason is trends like “revenge porn,” in which males post naked pictures of their ex-girlfriends online to websites such as PinkMeth.[117]  Again, these harms greatly outweigh the benefits of freely taking “the ugliest, silliest, most compromising photos.”[118]

VI.  Conclusion

[42]      All states should create educational programs for teenagers about sexting.[119]  These programs should be taught using “gist”-based reasoning because “teens who are taught to focus on potential catastrophic, negative outcomes, rather than the odds, make fewer risky [ ] decisions.”[120]  These outcomes should include, among other things, bullying and career implications.  The curriculum can be incorporated into both Family Life Education and rehabilitation programs.

[43]      In addition, applications such as Snapchat must be made less readily available to minors.  Accordingly, Snapchat should be restricted to adults age eighteen and older, and the application’s content rating should be changed on Apple’s iTunes and Google Play.  As to the former, Snapchat should implement a customer protection block until a user confirms that he or she is eighteen years of age or older.[121]  As to the latter, a changed rating will put parents on alert on the front end, decreasing the need to look through their children’s phone records to unearth red flags. 

[44]      States should also pass legislation imposing fines on minors who use Snapchat.[122]  Authorities can uncover the age and identity of many Snapchat users simply through their usernames: “[s]ince Snapchat presents itself as private—basically offline—many people use the same username as they use for other social media accounts. . . . [A] quick Google search of [people’s] usernames pulled their Instagram and Twitter accounts right up.”[123]  A user’s operation of the application can then be monitored in part through his or her public Snapchat profile.[124]  Over time, such fines would reduce Snapchat’s network effect and use amongst minors.[125]

[45]      Alternatively, Snapchat could be ordered to implement nudity detection software such as Snitch[126] or PORNsweeper.[127]  Such software searches files “for the color of human pigmentation in the pixels, since nude or pornographic images contain more skin pixels than other images where skin is present.”[128]  This would detect most sexts, though the software may also flag “[b]aby pictures and pictures of people on vacation at the beach . . . because they contain large amounts of skin.”[129]

[46]      Once a message is flagged as containing nudity, Snapchat can do one of three things: delete the message, pixelate the message, or forward the message to authorities.[130]  Of these three options, deletion is the most practical.[131]  Moreover, deletion would allow teenagers to continue to use Snapchat while simultaneously reducing its ability to be used for sexting.[132]

[47]      In conclusion, many legislatures are failing to keep pace with sexting amongst minors.  The legal implications are problematic, and are only compounded by applications like Snapchat.  The above steps to prevent the baring of one’s bare essentials via Snapchat are not exclusive or exhaustive.  But they are steps in the right direction.

Cite as: Sean M. Sherman, No Implied Effect: The “Safe” FCC Cell Phone Radiation Standard and Tort Immunity by Implied Conflict Preemption, 19 Rich. J.L. & Tech. 13 (2013), available at http://jolt.richmond.edu/v19i4/article13.pdf.

By Sean M. Sherman*

I.  Introduction 

[1]        Cell phones emit low-level radiation.[1]  Constantly.[2] 

[2]        From 1992 to 1998, Dr. Christopher Newman used his cell phone for nearly 350 hours—about ten minutes per day.[3]  When he developed a tumor on the side of his head where he used his cell phone, Dr. Newman sued various cell phone manufacturers, claiming that his exposure to consistent low-level radiation had caused his brain cancer.[4]  Although his case was dismissed for an inability to prove that his cell phone exposure had caused his tumor,[5] had Dr. Newman attempted his lawsuit today, it is unlikely that his case would have progressed past the initial complaint.[6]  So long as Dr. Newman’s cell phone complied with the Federal Communication Commission’s (“FCC”) standard for a “safe” level of radiation, he would have been barred from claiming that the cell phone caused or contributed to his injury.[7]  However, it is far from clear that the FCC standard is actually safe.[8]

[3]        In the past decade, people claiming to have been injured from prolonged exposure to cell phones have brought tort suits alleging that cell phone manufacturers are not adequately warning or protecting customers from the dangerous side effects of their products.[9]  While the scientific community is divided over whether cell phones are safe,[10] two out of the three appeals courts that have addressed the issue have held that so long as cell phones comply with the FCC’s standard, tort suits against cell phone companies are barred by implied conflict preemption.[11]  Alternatively, one court of appeals has held that such suits are not barred by the FCC standard.[12]

[4]        This Article argues that under the proper application of the doctrine of implied conflict preemption, state tort lawsuits against cell phone makers should not be barred by the FCC standard.[13]  Lower courts should allow these suits to advance in accordance with Supreme Court precedent, or if necessary, the Supreme Court should grant certiorari and resolve the current circuit split.[14]  Allowing these suits to proceed will lead to safer phones because cell phone manufacturers will adopt an efficient level of precaution to avoid liability, rather than continuing to hide behind the “safe” FCC standard.[15]  While there should be a presumption of safety for phones that abide by the FCC standard, that presumption should be tested in litigation, especially as the evidence indicating serious health risks continues to grow.[16]

[5]        Part II of this Article will provide the factual background underlying the current scientific debate over cell phone radiation and the FCC response.  Part III will discuss the legal framework for the conflict preemption of state tort suits and the current circuit split over preempting tort suits against cell phone makers.  Part IV will argue that according to the legislative history, Supreme Court doctrine, and policy rationales, state tort suits against cell phone manufacturers should not be barred by the FCC standard.  Part V will address potential counterarguments against allowing the suits to go forward.

II.  Cell Phone Radiation, the International Response,

and the Rise of the FCC Standard

[6]        Worldwide, scientists vigorously debate whether long-term exposure to low-level radiation from cell phones increases health risks in humans.[17]  In 1996, the FCC adopted a standard to govern the maximum level of admissible radiation called the specific absorption rate (“SAR”)—the rate at which radiation is absorbed into tissue.[18]  While the SAR standard took into account the “thermal effects” of cell phones (literally the amount of heat they give off to avoid burning), the FCC purposely excluded from its SAR calculations the potential non-thermal effects from prolonged exposure (cancer, tumors, etc.) due to a lack of scientific evidence.

[7]        This section details the rise of the FCC’s regulation of cell phone radiation, culminating in the reaffirmation of the 1996 FCC SAR standard in 1997.[19]  Although cell phone makers and the FCC now claim that the SAR standard bars tort suits, the FCC itself explicitly and repeatedly decried any preemptive power of the SAR standard when the FCC first promulgated it.[20] 

[8]        While the SAR standard has remained unchanged since 1996, research into the non-thermal biological effects of cell phone radiation has grown exponentially.[21]  In response to the mounting evidence of the risks associated with prolonged exposure, a handful of developed countries have taken significant action to curb the potential adverse effects of cell phone radiation, especially on children.[22]  The United States has not only kept its SAR standard at the 1996 level, but the courts, at the urging of the FCC, have barred plaintiffs from addressing the possibility of non-thermal effects through the invocation of implied conflict preemption.[23]  

A.  The Rise of the FCC SAR Standard

[9]        In 1993, when there were only approximately thirteen million cell phone users in the United States,[24] worries emerged about the dangers of phone radiation exposure.[25]  In response, the FCC claimed the authority, pursuant to its interpretation of both the National Environmental Policy Act of 1969 (“NEPA”)[26] and the Telecommunications Act of 1996 (“TCA”), to regulate cell phone radiation.[27]  Despite promulgating regulations in the area of cell phone radiation, the FCC and the statutes granting it regulatory authority explicitly stated that the regulations would not preempt state and local lawsuits.[28]  Nonetheless, preemption of state and local lawsuits is exactly what has ensued.[29]

1.  The Authority of the FCC Under the NEPA and the TCA to Regulate Cell Phone Radiation Levels

[10]      The Federal Communications Act of 1934[30] established the FCC and endowed the agency with broad authority to regulate radio communications.[31]  The FCC’s regulations of cell phone radiation emissions arose from the combined mandates of the NEPA[32] and the TCA.[33]  In 1985, in response to the mandate of the NEPA,[34] the FCC concluded that it was obligated to regulate radiofrequency radiation standards.^[35]  After seeking input from other federal agencies and interested parties, the FCC adopted the then current American National Standards Institute Committee (“ANSI”) standard governing radiofrequency emissions as its own.^[36]  These regulations did not extend to cell phones.^[37]

[11]      In 1993, prompted by ANSI’s revision of its standards in collaboration with the Institute of Electrical and Electronic Engineers, Inc. (“IEEE”), the FCC began rulemaking procedures to determine whether it should strengthen its regulations.^[38]  Among the proposed changes was the extension of radiofrequency regulations to cover cell phones.^[39]  During the pendency of the notice and comment period, Congress passed the TCA,[40] which directed the FCC to “make effective rules regarding the environmental effects of radiofrequency emissions” within 180 days.^[41]

[12]      In response to both the TCA’s mandate and the NEPA,[42] the FCC adopted a hybrid of the ANSI/IEEE standard^[43] and limited radiofrequency emissions from cell phones for the first time.^[44]  In particular, the 1996 FCC First Order adopted a maximum SAR of 1.6 W/kg.[45]  After the FCC announced the 1996 SAR standard, the agency received many petitions for reconsideration.[46]  The petitioners alleged that the FCC had not, among other things, considered non-thermal effects of prolonged radiation exposure or the possibly larger impact of the SAR on children’s developing nervous systems.[47]

[13]      Despite petitions for reconsideration, the FCC reaffirmed the 1.6 W/kg SAR standard in the 1997 FCC Second Order.^[48]  The FCC Second Order dismissed criticisms of the FCC methodology in the FCC First Order, stating, “the issue of non-thermal effects was explicitly addressed in the 1992 ANSI/IEEE standard, which concluded that no reliable scientific data exist to indicate such effects may be meaningfully related to human health.”^[49]  In adopting the ANSI/IEEE standard as its own, the FCC essentially reasoned that Americans need not be protected against health effects that have not been clearly established.^[50]  The FCC SAR standard has not changed since 1997.[51]  All cell phones sold in the United States today must comply with the 1997 FCC SAR standard.^[52]

2.  The Preemptive Effects of the FCC’s SAR Standard

[14]      Today in some circuits, tort suits against cell phone manufacturers are barred by preemption.[53]  The FCC did not originally intend for its 1996 FCC First Order or 1997 FCC Second Order to preempt state laws regarding radiofrequency radiation.[54]  In contrast, the Federal Communications Act of 1934, the TCA, the FCC First Order, and the FCC Second Order each specifically disclaimed preemptive power over state laws.[55] 

[15]      The Federal Communications Act contains a saving clause[56] which provides that “[n]othing contained in this chapter shall in any way abridge or alter the remedies now existing at common law or by statute . . . .”[57]  Similarly, although the TCA included express preemption provisions that expanded the FCC’s authority to preempt certain state and local regulations regarding the placement of wireless service facilities,^[58] it did not preempt state tort suits stemming from radiofrequency radiation exposure or state laws regarding health and safety.[59]

[16]      The TCA’s preemption of state laws regarding the placement of “facilities” paralleled one of the premier goals of the statute: to ensure the development and availability of a nationwide infrastructure for wireless services.[60]  The TCA saving clause, entitled “[n]o implied effect,” makes it clear that the legislation does not preempt any state legislation except those state laws explicitly regarding “facilities.”[61] 

[17]      The FCC specifically addressed whether its radiation standards had preemptive effects under the TCA in the 1996 FCC First Order and confirmed that the preemption clause only applied to those laws regulating the placement of wireless facilities.[62]  Explaining its decision not to preempt state laws regarding radiofrequency exposure, the FCC noted that “[w]e have traditionally been reluctant to preempt state or local regulations enacted to promote bona fide health and safety objectives.”[63] 

[18]      The 1996 FCC First Order pointed to the TCA’s preemption of only state and local regulations regarding “facilities” to support the FCC’s decision not to preempt state regulations outside of the “facilities” context.[64]  Finally, the FCC indicated in the FCC First Order that if in the future cell phone manufacturers felt that state radiofrequency laws should be preempted the proper approach to obtain such preemption would be to petition the FCC for a rule change.[65]  Thus, in the FCC First Order, the FCC not only refused to preempt state laws regarding radiofrequency exposure limits, but also laid out a specific mechanistic approach to how such preemption should be adopted in the future if necessary.[66]

[19]      In the 1997 FCC Second Order, the agency addressed the preemption argument a second time and again refused to preempt outside of the specific “facilities” confine of the TCA.[67]  Proponents of preemption argued that the FCC should preempt state laws regarding all radiofrequency transmitters,[68] or in the alternative, “establish a federal ‘rule of liability’ for torts related to the environmental effects of radiofrequency emissions so that licensees can avoid ‘unnecessary and conflicting’ lawsuits.”[69]  The FCC denied both requests and reaffirmed its FCC First Order.[70]  The FCC refused to preempt state tort suits because of the language in the TCA and disregarded requests for a federal rule of liability because tellingly, it questioned “whether such an action, which would preempt too broad a scope of legal actions, would otherwise be appropriate.”[71]  Since the 1997 FCC Second Order, the FCC has not officially addressed the preemption question, nor have any licensees taken up the FCC’s proffered official process for requesting preemption of state laws.[72]

B.  The Scientific Debate Over Non-Thermal Biological Effects

[20]      While there is no dispositive data on whether cell phones cause long-term health problems, the evidence of adverse effects has steadily increased since the first enactment of the SAR standard.  In 1997, when the SAR standard was last reaffirmed, cell phones were a relatively new phenomenon.[73]  Because cell phones had not been in common usage for a long period of time, the research into the non-thermal biological effects of low levels of radiation was based primarily on short-term data.[74]  In the fourteen years since, a large amount of evidence has emerged that supports the hypothesis that long-term exposure to low levels of radiation from cell phones may cause serious deleterious health effects.[75]  While this data is not significant enough to cause a national panic, it should be more than sufficient to unseat the FCC’s position that it should disregard non-thermal effects entirely when calculating the SAR standard.

[21]      A result emblematic of the ongoing debate is The INTERPHONE Study.[76]  Following expert recommendations and a feasibility study from the late 1990s, the International Agency for Research on Cancer developed The INTERPHONE Study.[77]  INTERPHONE was a multinational case-control study involving thirteen countries, designed to definitively resolve the question of whether cell phones caused brain tumors.[78]

[22]      Notwithstanding its ambitious size and scope, the conclusions of INTERPHONE were ambiguous.[79]  Reporting of the conclusions was delayed for years as the INTERPHONE scientists battled over the meaning of their results.[80]  As described The Economist’s article in September 2008:

The Interphone researchers are split into three camps.  One believes any increased incidence of tumours shown in the study is purely the result of the biases.  Another thinks it really has found increased risks of certain tumours and wants to call for precautionary measures.  A third group is just keeping quiet.  One person who knows many of the scientists, but prefers not to be named, describes the relations between members of the three groups as “strained”—harsh language in the world of scientific research.[81]

[23]      Aside from brain tumors, however, much research has been conducted regarding other non-thermal biological effects of cell phone radiation.  Among them, a recent Danish study noted an increased risk for neurological symptoms, such as migraine and vertigo for cell phone users.^[82]  A study from the University of California, Los Angeles, found a correlation between prenatal exposure to cell phone radiation and behavioral problems in children.^[83]  Studies from the United States, Japan, Australia, and Europe reported that exposure to cell phone radiation has an adverse effect on sperm count, motility, and vitality.^[84]  Studies also reported increased risk of salivary gland tumors among cell phone users.^[85] 

[24]      Although the evidence has not demonstrated a “smoking gun” link between cell phone radiation and negative health impacts, it strongly suggests that at a minimum, a precautionary approach should be adopted.  Nonetheless, since 1997 the FCC has not changed its stance that the SAR standard should ignore the possibility of non-thermal effects on the human body.[86]  With the body of data growing, many other nations have taken precautionary actions in contrast to the United States.[87]

C.  The National and International Response to the Scientific Debate

[25]      The United States has not taken any further preventative actions to protect the public from the potential dangers of prolonged cell phone exposure.  The FCC and the cell phone lobby, the CTIA, have both taken the position that the SAR of a phone is immaterial so long as it is within the FCC standard.[88]  The FCC formerly counseled potential cell phone purchasers to buy phones with lower SAR as a precautionary measure; however, that warning was recently removed from the FCC website.[89]  The vice president of the CTIA has argued against consumers buying lower SAR phones, analogizing that “[w]hat science tells us is, ‘If the sign on the highway says safe clearance is 12 feet,’ it doesn’t matter if your vehicle is 4 feet, 6 feet or 10 feet tall; you’re going to pass through safely.  The same theory applies to SAR values and wireless devices.”[90] 

[26]      The international response to recent data is at odds with the United States and the position of the FCC and CTIA.  France has banned the advertising of cell phones to children because of evidence that children, who have thinner skulls and developing nervous systems, are more susceptible to cell phone radiation.[91]  France also requires that all phones be sold with wired headsets to keep radiation away from the brain.[92]

[27]      Germany has been advocating a cell phone SAR safety level of 0.6 W/kg (as compared with America’s 1.6 W/kg) through its “Blue Angel” Program.^[93]  The Blue Angel Program grants a special eco-seal of approval to all phones meeting the lower SAR standard and as of 2008, has been somewhat successful, with approximately thirty percent of cell phones in the German market having emissions at or below 0.6 W/kg.^[94]

[28]      Other nations have issued health warnings and safe usage guidelines.  In Israel, the Health Ministry asks parents to limit the cell phone use of their children in order to minimize radiation exposure.^[95]  The Swiss Federal Office of Public Health advises that all consumers, but especially children, should buy phones with low SAR and keep calls short.^[96]  The Swiss Public Health Office further counsels that “[w]henever possible, only use your phone when the signal quality is good.”[97]  This is indicative of the fact that when service is poor, a cell phone emits a larger SAR as it boosts power to gain a better signal.[98] 

[29]      In the United Kingdom, the Public Health Ministry has required that SAR measurements be displayed at all points of sale and asks consumers to compare SAR values against the exposure limits and buy phones with lower SAR.[99]  Contrary to the CTIA’s argument, the growing international consensus is that although the highway sign may say “safe clearance is 12 feet,” the closer to the ground, the safer you may be.[100]

[30]      Today in the United States there are over 300 million cell phone users.[101]  Sixty-six percent of children eight to eighteen years old have their own cell phones,[102] and young adults and adolescents will be exposed to low levels of radiation from cell phones for their entire lives.[103]  The 1996 FCC SAR standard remains unchanged and unchallenged.  While the lack of action by the FCC would not be problematic if injured consumers could resort to the courts for both compensatory damages and to incentivize cell phone manufacturers to take an appropriate level of precaution when designing cell phones, implied conflict preemption has barred such suits from being litigated on the merits.[104] 

III.  Conflict Preemption

[31]      Cell phone makers have consistently and successfully relied on the affirmative defense of implied conflict preemption to bar radiation suits from being litigated on the merits.[105]  Although one would imagine that the primary hurdle in cell phone litigation amidst scientific uncertainty should be proving causation,[106] cell phone makers have wielded the doctrine of conflict preemption as a firewall to prevent reaching an argument over causation.[107]  With courts dismissing cases on grounds of conflict preemption, cell phone makers have limited incentive to lower cell phone radiation emissions.  Although the Supreme Court has held that there exist situations in which the doctrine of conflict preemption should bar state tort suits, the FCC SAR standard is not among them.[108] 

A.  Regulatory Conflict Preemption of State Products Liability Claims

[32]      In certain narrow circumstances, state law tort suits can be barred because they impliedly conflict with federal agency regulations.[109]  Cell phone manufacturers have argued that the FCC SAR standard is a regulation that bars state suits.[110]  The Supreme Court has only allowed such agency regulations to have preemptive force over state tort suits in a few cases,[111] none of which are analogous to cases involving the SAR standard.

1.  Foundational Preemption Doctrine

[33]      Cell phone manufacturers have asserted that state tort lawsuits against their companies are barred by preemption because the success of such suits would interfere with the FCC SAR standard.[112]  State laws can be preempted either expressly or impliedly under the Supremacy Clause of the Constitution.[113]  Express preemption is confined to those statutory clauses that explicitly declare a federal law to be supreme.[114]  Implied preemption requires looking into the meaning and purpose of the statute.[115]  Courts have recognized two forms of implied preemption: field and conflict.[116]  Courts find field preemption when a federal scheme is so pervasive that it is clear that Congress did not intend state laws to supplement it.[117] 

[34]      Under the doctrine of implied conflict preemption, federal law supplants state law either where it is impossible for individuals to comply with both federal and state law, or where the state law is a significant obstacle to the accomplishment of a stated federal objective.[118]  There is a general presumption in preemption cases against finding state laws to be impliedly preempted (largely because of concerns over federalism)[119] and the critical inquiry is whether Congress “clearly” intended federal law to supersede state law.[120] 

[35]      While state level tort suits among private parties would not seem to conflict with federal legislative goals, the Supreme Court has recognized that if the award of damages in a state tort suit would interfere with a federal objective, federal law can bar state tort liability by implied conflict preemption.[121]  The Court explained that tort liability is a powerful government method of controlling conduct and if liability under state law discourages or prevents compliance with federal law, the state tort suit must be barred.[122]  Areas of law that are among traditional state police powers, however, such as health and safety, are subject to a somewhat heightened level of conflict preemption scrutiny.[123]  Cell phone tort suits typically allege serious health concerns and therefore fall under the rubric of state laws that ensure the health and safety of their citizens.[124]  These suits should not be preempted by federal law under implied conflict preemption unless it is the “clear and manifest purpose of Congress.”[125]

2.  Leading Cases on Conflict Preemption of State Tort Suits by Federal Regulatory Actions

[36]      The Supreme Court has held that agency regulations like the FCC SAR standard can have preemptive force to bar state tort suits in some circumstances.[126]  The Court’s decisions in Geier v. American Honda Motor Co.[127] and Sprietsma v. Mercury Marine[128] identify when federal regulatory agency actions may preempt state tort liability suits by conflict preemption.  The appellate courts that have assessed the preemptive impact of the FCC SAR standard utilized the reasoning from both Geier and Sprietsma in their analyses.[129] 

[37]      Geier and Sprietsma stand for several key propositions.  First, affirmative regulations promulgated by agencies can preempt state tort suits if the success of those suits would impose a duty the regulation expressly does not require.[130]  Second, the purposeful failure to regulate in an area should not preempt state tort suits unless the agency, by not regulating, was attempting to deregulate an area (and thus a state tort suit would add regulation to a subject area the federal government was attempting to deregulate).[131]  Third, agency amicus briefs explaining the objectives of their regulations are entitled to be given weight for conflict preemption analysis.[132]  Fourth, the statutory goal of national uniformity does not necessarily displace state common law tort suits because of the weight given to traditional state concerns for health and safety.[133]

[38]      In Geier v. American Honda Motor Co., the Supreme Court held that a state tort suit against a car manufacture conflicted with an agency regulation and was thus barred by implied conflict preemption.[134]  Geier confronted a state tort suit that allegedly conflicted with a safety standard under the National Traffic and Motor Safety Act of 1966.[135]  Under the Act, the Department of Transportation (“DOT”) promulgated Federal Motor Vehicle Safety Standard 208 (“FMVSS 208”), which gave car manufacturers the option of installing either airbags or other types of restraint systems in an effort to give them the flexibility to try different safety methods.[136]  The plaintiff in the case, a car accident victim, alleged in part that Honda was negligent for not requiring airbags in its vehicle.[137]  The Supreme Court held that the plaintiff’s tort suit was barred because of an implied conflict with FMVSS 208.[138] 

[39]      The Court explained that the plaintiff’s suit “depends upon its claim that manufacturers had a duty to install an airbag,” and  “[i]t thereby would have presented an obstacle to the variety and mix of devices that [FMVSS 208] sought.”[139]  The Court noted that although the DOT regulations did not specifically address preemption, the DOT’s interpretation of the objectives of FMVSS 208 in its amicus brief was persuasive in the preemption analysis.[140]  Therefore, Geier stands for the proposition that a state tort suit will be barred by conflict preemption if the suit seeks to impose a duty (airbag requirement) that conflicts with a federal regulation (no airbag requirement).[141]

[40]      In contrast to Geier, in Sprietsma v. Mercury Marine, the Court held that a state tort suit was not barred by a federal agency decision not to promulgate a rule requiring a safety device.[142]  Under the Federal Boat Safety Act of 1971 (“FBSA”), the Secretary of Transportation delegated authority to the United States Coast Guard to establish minimum safety standards for recreational vessels.[143]  The FBSA, like the TCA, had a saving clause which provided that “[c]ompliance with [the FBSA does] not relieve a person from liability at common law or under State law.”[144]

[41]      In 1988, the Coast Guard launched an investigation into the potential advantages and disadvantages of propeller guards on motorboats, and in 1990 decided not to promulgate a regulation requiring them.[145]  In 1995, the plaintiff’s wife died when she fell overboard and was struck by a propeller that did not have a propeller guard.[146]  The plaintiff sued the motor manufacturer, alleging that the motor was “unreasonably dangerous” because it “was not protected by a propeller guard.”[147]  The defendant argued that the decision by the Coast Guard not to require propeller guards meant that the defendant could not be held liable for not putting propeller guards on its motors.[148]  Justice Stevens, who had dissented in Geier, wrote the majority opinion in Sprietsma, reversed the decision of the Illinois Supreme Court, and held that the tort suit was not barred by conflict preemption.[149]

[42]      The Court explained that unlike Geier, which dealt with an affirmative regulation, the decision by the Coast Guard not to require propeller guards was not the functional equivalent of a regulation that prohibited their use.[150]  The Court noted that if an agency’s decision not to regulate was, in fact, a conscious deregulation of a field, the decision could bar state suits because state liability would in fact conflict with a federal goal of deregulation.[151]  The Court distinguished Sprietsma from Geier because in Sprietsma, the Coast Guard had only decided “the available data did not meet the FBSA’s ‘stringent’ criteria for federal regulation,” and not that the field of propeller safety should be deregulated or that propeller guards should be prohibited.[152]  The insufficient data to regulate on a federal level did not mean that the states could not fill the gaps.[153] 

[43]      As in Geier, the Court in Sprietsma gave substantial weight to the regulating agency’s preemption analysis in its amicus brief.  While in Geier the Secretary of Transportation argued for preemption (and the Court found it),[154] the Coast Guard in Sprietsma counseled against preemption (and the Court did not find it).[155]

[44]      The defendants had also argued in Sprietsma that because one of the main goals of the FBSA was “fostering uniformity in manufacturing regulations,” state tort suits should be barred because they could lead to differing standards throughout the country.[156]  The majority rejected this uniformity argument, explaining that while uniformity is an important consideration, it “does not justify the displacement of state common-law remedies.”[157]  The Court emphasized that uniformity arguments will not be enough to override state sovereignty and bar state tort suits by conflict preemption, especially in areas of traditional state police powers like health and safety.[158]

B.  Conflict Preemption by the FCC SAR Standard—The Courts of Appeals Split

[45]      Since 2000, there have been a handful of suits against cell phone manufacturers alleging, among other things, that wireless telephones emit unsafe levels of radiofrequency radiation and the manufacturers were knowingly and negligently endangering the public by continuing to sell the phones without warnings or headsets.[159]  In each case, the defendants, the cell phone manufacturers, moved to dismiss on grounds of federal preemption.[160]  While all of the decisions rejected the defendants’ arguments of express preemption and field preemption, the courts disagreed over whether the claims were barred by implied conflict preemption.[161]  In Pinney v. Nokia, Inc.,[162] the Fourth Circuit Court of Appeals denied the defendants’ motion to dismiss and held that the suits were not preempted by the FCC SAR standard.[163]  In contrast, in Murray v. Motorola, Inc.[164] and Farina v. Nokia, Inc.,[165] the District of Columbia Appeals Court and Third Circuit Court of Appeals respectively upheld dismissal of the plaintiffs’ claims on the grounds of conflict preemption with the FCC standard.  These cases represent a fundamental disagreement over the preemptive effect of the FCC SAR standard.

 1.  Pinney v. Nokia – No Conflict Preemption

[46]      In Pinney, the Fourth Circuit refused to read the TCA objective of creating a national wireless network so broadly as to include the goal of achieving a national radiofrequency radiation standard and therefore refused to find a conflict with state tort claims.[166]  The Pinney plaintiffs sued under state law, claiming that cell phones emit an unsafe level of radiation and Nokia, in knowing this, had “negligently and fraudulently endangered the consuming public by marketing wireless telephones without headsets” to mitigate the danger.[167]

[47]      The defendants raised the affirmative defense that the state law claims were preempted by the FCC SAR standard because the plaintiffs would have to prove that the FCC standard was insufficient in order to prove their claims.[168]  The FCC took no part in the case.  Although the district court dismissed the case on grounds of preemption, the Fourth Circuit reversed and held that the suit could go forward, notwithstanding the FCC SAR standard.[169]

[48]      The court of appeals began its analysis by trumpeting the “strong presumption” against conflict preemption, especially in the traditional state domains of health and safety.[170]  The Fourth Circuit went on to reject conflict preemption because it found no “congressional objective” to preempt state radiofrequency radiation standards for cell phones.[171] 

[49]      The court’s reasoning rested on three fundamental premises.  First, the court rejected the defendants’ “national uniformity” argument that the TCA embodied a “sweeping congressional objective of ensuring that all equipment used . . . be subject to exclusive national radiofrequency radiation standards.”[172]  The court explained that the actual text of the TCA, which referred primarily to carrier rate regulations and zoning authority, related only to the objective of developing the physical infrastructure necessary for a national wireless network, not to nationalizing radiation standards.[173]

[50]      Second, the court recognized that in the TCA, Congress had specifically preempted only state regulation regarding “personal wireless service facilities.”[174]  The court interpreted the narrow nature of the express preemption provision as a strong indication that Congress did not intend to preempt state regulation outside of this narrowly and explicitly defined category.[175]  Finally, the court pointed to the saving clauses in both the TCA and the FCA as additional strong factors that weighed against barring state tort suits that were both not explicitly preempted and seemingly explicitly preserved by the saving clauses.[176]  Finding no evidence in the TCA of intent to preempt state tort suits or state radiofrequency standards, the Fourth Circuit Court of Appeals held that the plaintiffs’ suit against the cell phone manufacturers could proceed.[177] 

2.  Murray v. Motorola and Farina v. Nokia – Conflict Preemption

[51]      In both Murray and Farina, appellate courts at the state and federal level respectively departed from the reasoning of Pinney and held that an implied conflict with the FCC SAR standard barred cell phone suits.[178]  While the Pinney decision had focused primarily on the sections of the text of the TCA to read the statute narrowly and not in conflict, the Murray and Farina courts largely deferred to the view of the FCC in its amicus brief and to a broad reading of the objective of the TCA to find a conflict and bar the plaintiffs’ claims.[179] 

[52]      In Murray, the plaintiffs brought state law tort claims alleging that brain tumors and cancers were caused by the long-term use of the defendants’ cellular phones.[180]  The plaintiffs alleged, inter alia, that the FCC SAR standard was inadequate and that the defendants were aware of the inadequacies.[181]  Unlike Pinney, in which the FCC took no part in the case, in Murray, the FCC filed an amicus brief arguing that the plaintiffs’ claims were preempted because they conflicted with the FCC SAR standard.[182]

[53]      The D.C. Court of Appeals affirmed the trial court decision to dismiss the suit on grounds of conflict preemption.[183]  In accordance with Geier and Sprietsma, the court gave great weight to the FCC’s amicus brief[184] and adopted the FCC’s view that allowing the suit to proceed would “necessarily upset [the] balance [the agency struck].”[185] 

[54]      In Murray, the court declined to follow the Fourth Circuit’s decision in Pinney for several reasons.  The Murray court stated that the “primary reason” why the Pinney decision was not persuasive was “that the court [in Pinney] appears to have reached its conclusion without considering the views of the FCC.”[186]  Second, Murray rejected Pinney because, according to the court in Murray, Pinney was not focused on the SAR standard, but on whether states could require headsets.[187]  Third, the D.C. Court of Appeals stated that the Pinney court gave unnecessary weight to the fact that the FCC had enacted its regulations to satisfy the NEPA and not the TCA.[188]

[55]      The plaintiffs in Murray argued that their claimed injuries were the results of “non-thermal” effects that the FCC standard had decidedly ignored.[189]  The plaintiffs analogized the omission of regulation to the Coast Guard’s decision not to require propeller guards in Sprietsma.[190]  The D.C. Court of Appeals held that the situation was distinguishable from Sprietsma because while in Sprietsma the agency prescribed a floor, in Murray, the FCC SAR standard was the floor and ceiling.[191]  Farina, like Murray and Pinney, presented a class action of consumers claiming injury from long-term exposure to cell phones.[192]  The Third Circuit Court of Appeals in Farina, like the D.C. court in Murray, held that the state tort law action against cell phone companies was barred by conflict preemption.[193]  The Farina court drew an analogy to Geier and explained that the FCC had carefully balanced competing policy objectives in the SAR standard.[194]  The Court of Appeals held that allowing state tort suits to proceed may have the effect of upsetting the balance the FCC had struck.[195]  The court also cited to the FCC’s amicus brief in Murray as support for a finding of conflict preemption[196] and stressed the need for national uniformity.[197]  The Farina court disregarded the plaintiff’s argument that the TCA Saving Clause counseled against a finding of preemption and held that, regardless of the clause, the tort suits against cell phone makers were barred.[198]

[56]      After these three separate appeals court decisions, there is no definitive resolution as to whether cell phone suits should be barred by conflict preemption.  Moreover, with Murray in 2009 and Farina in 2010, the courts are trending away from the earlier decision in Pinney and toward a deferential view of an FCC standard that has remained unchanged for almost two decades.  Nevertheless, with evidence of the non-thermal effects continuing to mount each month,[199] a course correction in the courts should ensue.

IV.  Proposal – Judicial Action to Allow Suits Against Cell Phone Manufacturers

[57]      In order to ensure that cell phone manufacturers are taking the efficient level of precaution and not hiding behind the outdated SAR standard, the courts should allow tort suits against cell phone manufacturers to proceed.  Cell phone manufacturers should be held responsible, thus incentivizing them to lower the SAR in phones.  When faced with the affirmative defense of preemption in the future, courts should hold that the suits are not barred by conflict preemption.  However, if the trend towards preemption continues in the courts of appeals, the Supreme Court should grant certiorari and resolve the circuit split in favor of allowing suits to proceed.

[58]      The doctrine of implied conflict preemption should not bar state tort law claims against cell phone manufacturers.  From a purely doctrinal standpoint, the cell phone radiation cases should not be barred because they are analogous to the Supreme Court’s decision in Sprietsma[200] and distinct from its decision in Geier.[201]  The preemption provisions and saving clauses of the FCA and TCA as well as the FCC’s own position in the FCC First Order and FCC Second Order all demonstrate that cell phone suits should not be barred.[202]  When the statutory and regulatory language is combined with the general presumption against preemption, especially in the field of health and safety, it is clear that regardless of a federal objective of uniformity or the FCC amicus brief to the contrary, state tort suits against cell phone manufacturers should not be barred.[203] 

[59]      Furthermore, from a policy perspective, these suits should be allowed to proceed precisely because the risk is unknown, yet potentially catastrophic.[204]  In the face of such uncertainty and risk, the highest level of efficient safety should be taken.  Yet, with the FCC standard as a shield, cell phone manufacturers may not be taking the appropriate level of care.[205]

A.  Precedent Dictates That Cell Phone Suits Should Not Be Preempted by the FCC Standard

[60]      Supreme Court precedent dictates that the FCC SAR standard should not preempt state tort suits.  The Court has consistently held that there is a “presumption against preemption,” especially in areas of traditional state control like health and safety.[206]  Under this presumption, state law should not be preempted unless it was the “clear and manifest purpose of Congress.”[207]  In Sprietsma, the Court recognized that the Coast Guard’s decision to forgo regulation did not carry preemptive force because it was not an affirmative statement that propeller guards were unnecessary, rather it was premised upon the fact that there was insufficient data to regulate on a federal level.[208]  Similarly, in its 1997 FCC Second Order, the FCC explicitly stated that it did not independently evaluate the non-thermal effects when calculating the SAR standard because expert organizations found insufficient evidence that such effects existed.[209] 

[61]      The decision of the FCC to not include non-thermal effects did not amount to a prohibition on states from allowing tort suits over the non-thermal effects of cell phones.  In Sprietsma, the Court explained that the Coast Guard’s decision to not mandate propeller guards did not prohibit state regulations because the Coast Guard “did not take the further step of deciding that . . . the States . . . should not impose some version of propeller guard regulation.”[210]  In contrast, the FCC did take that further step, albeit in the opposite direction.[211]  Rather than declare that the states were barred from imposing standards with regard to non-thermal effects, the FCC expressly stated in 1996 and reaffirmed in 1997 that the SAR standard it set forth would not preempt state laws.[212]  The FCC’s decision to ignore non-thermal effects in its standards, when coupled with its order against preemption, amount to a ruling that the states could “fill the gaps”[213] through allowing tort suits geared toward protecting the health of state residents from the non-thermal effects of cell phone radiation.

[62]      Unlike the law at issue in the Supreme Court’s decision in Geier, state liability will not undermine the federal SAR standard because it is only a minimum safety requirement.  In Geier the DOT allowed car companies to use either airbags or other safety restraints.[214]  State tort suits were barred because a state finding of liability for cars that did not include airbags would essentially result in an airbag requirement in that state, nullifying the federal goal of variety between airbags and other safety devices.[215] 

[63]      In contrast, if a state found liability for phones with a SAR of 1.5 w/kg, cell phone manufacturers would have an incentive to lower their phones maximum SAR to below 1.5 w/kg; however, this would not interfere with the FCC federal goal that all phones have SARs below 1.6 w/kg.  The new phones would be below 1.6 w/kg, but they would also comply with state law.  The FCC SAR standard is distinct from the DOT regulation in Geier because state liability would not nullify the federal requirement.  State tort suits, therefore, should not be barred on account of the SAR standard.[216]

B.  The Statutory Saving Clauses and the FCC Orders Indicate an Intent to Allow Suits to Proceed

[64]      The multiple saving clauses in the applicable statutes indicate a congressional intent to allow state suits to proceed.  The Federal Communications Act of 1934 declares that “[n]othing contained in this chapter shall in any way abridge or alter the remedies now existing at common law or by statute.”[217]  The TCA, while containing an express preemption provision barring state laws regarding the placement of wireless facilities, retains a saving clause to limit its preemptive power to only the express facilities context.^[218]  This saving clause, appropriately titled “no implied effect,” states explicitly that the TCA “shall not be construed to modify, impair, or supersede Federal, State, or local law unless expressly so provided.”[219]  If, as the Supreme Court has often repeated, the “ultimate touchstone” of a preemption analysis is the purpose of Congress, then the “no implied effect” provision should weaken any argument that Congress intended the TCA to bar suits regarding radiofrequency radiation emissions from cell phones when the legislation only expressly preempts facilities.[220]

[65]      Although not exactly saving clauses, the FCC First Order and FCC Second Order each declared that the SAR standard would not preempt state tort suits premised upon radiation emissions.[221]  The decision to not preempt was not just a policy choice; it was based on the FCC’s understanding that under the TCA, it did not have the authority to preempt outside of the facilities context.[222]  The FCC First Order also created a procedure for aggrieved parties to petition the FCC to change its ruling on preemption in the future; however, it maintained that such a petition would have to first address whether the FCC even had such authority under the TCA.[223] 

[66]      The FCC pronouncements in the FCC First Order and FCC Second Order serve two vital functions.  First, they strengthen the earlier assertion that the TCA does not allow the preemption of state tort suits because this is clearly how the FCC itself understood the TCA to operate.  Second, the creation of an official procedure for petitioning the FCC for preemption weakens the agency’s use of an amicus brief to claim that its SAR standard has preemptive effects.[224]

[67]      As a result of the FCC First Order and FCC Second Order, the FCC amicus brief in favor of preemption should be given little or no deference.  The Supreme Court has stated that when an agency has previously advocated a position against preemption or created a procedural mechanism for formally recognizing preemption, any later unilateral decision by the agency to preempt state law is “inherently suspect in light of this procedural failure.”[225]  The FCC’s creation of a formal procedure to petition the FCC to change its rules to preempt state laws and the FCC’s subsequent ignorance of its own procedure, is a “procedural failure” that makes the agency’s amicus brief highly suspect.

C.  Policy Rationales Support Allowing Cell Phone Litigation to Proceed

[68]      From a policy perspective, suits against cell phone manufacturers should not be barred by the doctrine of conflict preemption because the actual danger posed by cell phones is still inconclusive.[226]  While cell phone manufacturers have argued that the FCC has weighed the dangers into the FCC SAR standard, the evidence indicates that the FCC did not take non-thermal effects, the truly dangerous potential consequences, into account.[227]  Furthermore, the sheer size and scope of potential future harm that could result from non-thermal effects counsels strongly in favor of taking the utmost precaution.  The attitude of other nations that have guided their citizens towards phones with lower SARs stands in stark contrast with the cavalier stance of the FCC, the CTIA, and the cell phone industry.[228]

[69]      Allowing litigation against cell phone manufacturers would permit the tort system to incentivize phone makers to take the appropriate level of precaution.[229]  The current system of conflict preemption results in disincentivizing cell phone manufacturers to conduct safety research into their products because they are not threatened by the possibility of tort litigation.[230]  Moreover, the current system provides an incentive to cell phone manufacturers not to research their products because this lack of research decreases plaintiffs’ potential ability to prove causation and/or knowledge of effects should the courts cease to find the suits barred by conflict preemption.[231] 

[70]      Allowing these suits to proceed would put the emphasis onto the part of the litigation where it should be—the merits.  Cell phone manufacturers would likely cite to the FCC SAR standard to show that the sales and advertising of their phones as “safe” was not “unreasonable” and plaintiffs would be hard pressed to prove otherwise.  If, however, it became clear that cell phone companies were aware that the FCC SAR standard was deficient and still took no action, there is no legitimate reason that the SAR standard should stand as a bar to holding such reckless companies accountable. 

[71]      Finally, plaintiffs would still have the heavy burden of proving causation.[232]  If plaintiffs were able to prove both knowledge and causation, not only should cell phone companies be held accountable, but the FCC should take such an outcome as an indicator that the FCC SAR standard, unchanged since 1997, was overdue for a reevaluation.  Therefore, the threat of litigation could serve not only to incentivize cell phone manufacturers, but successful litigation could also act as a trigger for the FCC to reconsider the SAR standard in light of the most recent scientific findings on non-thermal effects.

V.  Counterarguments Against Allowing Cell Phone Suits

[72]      Those parties in favor of the FCC SAR standard preempting state suits have reasonable arguments.  The primary reasons that critics point to for preempting cell phone litigation are the need for a nationally uniform wireless network and the high costs that litigation would impose on the industry (and would be passed on to consumers).[233]  While these arguments are facially convincing, each is flawed.

A.  National Uniformity of the Wireless Network

[73]      Proponents of the preemptive power of the FCC SAR standard have argued and courts that have found preemption have agreed, that the need for a nationally uniform wireless communications network requires that states do not interfere with the federal SAR standard.[234] This uniformity argument can be overcome on both legal and factual grounds.[235] 

[74]      Legally, in Sprietsma, the Supreme Court declared that while “[u]niformity is undoubtedly important,” it did not “justify the displacement of state common-law remedies that compensate accident victims.”[236]  In this case, while uniformity of the SAR standard may have some intrinsic value (a factual issue to be challenged momentarily), it is not substantial enough to overcome the state’s fundamental interest in matters of residents’ health and safety.  With the widespread usage of cell phones among all demographics and the inconclusive information on their potential harm, the states have a substantial interest in minimizing the potential risk.[237]  Tort suits against cell manufacturers will insure that this risk is kept to the safest and most efficient levels possible.[238]

[75]      Factually, the argument for national uniformity that both the FCC and cell phone companies have advanced is illusory, if not disingenuous.  Proponents of preemption argue that if states have widely varying SAR standards, the national network will not function.[239]  However, even without state regulations or tort suits, cell phones already have wildly varying SARs with little impact on network functionality.[240]  Illustratively, one of the phones with the lowest SAR is currently the Samsung Galaxy Note.[241]  The Galaxy Note, a “smartphone,” has a SAR of 0.19 w/kg, approximately one tenth of the FCC SAR standard.[242]  The phone conducts all standard cell operations and has advanced capabilities such as email and web browsing.[243]  The mere fact that a smartphone can interact with the national network at such a low SAR severely undercuts the argument that state tort suits will disrupt the national communications network. 

[76]      Perhaps there is an argument that anything below 0.19 w/kg is impossible to connect to the network.  If that is the case, then it can be argued that Geier requires that any state tort suits demanding a SAR lower than 0.19 w/kg should be barred by preemption.  However, absent such a bottom minimum necessary SAR level, the courts should discard the “national uniformity” argument as high in rhetoric and low in substantive validity.

[77]      Finally, the uniformity argument takes on a different meaning when the “disunifying” force is not positive state regulation but tort suit verdicts.  In other words, in order for multiple standards to be created, it would require plaintiffs to bring suits against cell phone manufacturers that prove that the SAR level of cell phones is unsafe.  If such cases are brought successfully, that may indicate cell phones emitting current SAR levels are unsafe for long-term use – a startling revelation.  A finding of liability, therefore, may be a good proxy to demonstrate that the FCC standard is deficient and should be amended.

B.  Harmless Phones, Frivolous Suits, and Higher Consumer Costs

[78]      Another reasonable objection to allowing litigation against cell phone manufacturers is that it is still unclear whether there are any harmful effects.[244]  With the evidence inconclusive, cell phones could be definitively proven to cause no harmful side effects.[245]  Furthermore, the allowance of suits may lead to frivolous suits and manufacturers will likely pass on their defense costs to consumers, resulting in higher priced technology without any gain in safety (since they are already safe).[246]  Why, in the face of such uncertainty, should suits be allowed to proceed?[247]

[79]      The response to such criticism is that, unlike products that are used by relatively few people, cell phones today are omnipresent.[248]  The risk of harm, therefore, if the SAR standard is “wrong,” is staggering.

[80]      Despite the potential costs to cell phone manufacturers and consumers stemming from allowing litigation today, the potential catastrophic downside—if cell phones cause harm in the long term—is worth the utmost precaution today. 

[81]      Litigation will force cell phone manufacturers to constantly reexamine their standards and have the status quo rigorously and frequently tested through Daubert evidence fights and trials to juries.[249]  Many products that are ultimately proven to be safe go through the fire of litigation and emerge on the other side vindicated.[250]  If such is the case with cell phones, at least we can rest assured that the devices that sit in our pockets and against our heads for our entire lives are doing as little harm as possible.

VI.  Conclusion

[82]      The FCC SAR Standard is an important safety threshold, but it is only a minimum standard.[251]  The standard is outdated and ignores the increasingly recognized non-thermal effects of prolonged cell phone radiation exposure.[252]  Suits based on these non-thermal effects should not be barred by a standard that chose to ignore them.[253]

[83]      The TCA was not intended to preempt state health and safety objectives and courts should not read it to say as much, thereby removing all remedies from those adversely affected by cell phones radiation.[254]  Broad readings of the preemptive effects of the TCA ignore the explicit language to the contrary in the statute and by the FCC itself, regardless of their changed position in recent amicus briefs.[255] 

[84]      Allowing cell phone suits to proceed to the merits will not impact the “uniformity” of the national wireless network because as demonstrated, SAR levels already vary widely within the maximum.[256]  In fact, allowing such suits to proceed could act as a complement to the FCC because a successful suit could demonstrate that enough evidence has been mounted to warrant a reexamination of the SAR standard in light of non-thermal effects (if that time has not already come).[257]  While the link between cell phones and health problems is still not definitive, the risk of future harm to hundreds of millions of people dwarfs the minimal addition of precaution.[258]  When the stakes are so high, we should not accept “inconclusive” as definitive proof that cell phones are safe.

Download PDF

Cite as: Charles R. Ragan, Information Governance: It’s a Duty and It’s Smart Business, 19 Rich. J.L. & Tech. 12 (2013), available at http://jolt.richmond.edu/v19i4/article12.pdf.

By Charles R. Ragan*

I.  Introduction

[1]        A scant generation ago (twenty-five years), the World Wide Web—“an internet-based hypermedia initiative for global information sharing” —was largely a laboratory phenomenon.[1]  In 1994, the Clinton Administration urged world leaders to develop a global information superhighway,[2] and the Information Age raced upon us.  Now, Facebook has more than one billion accounts and most of us are constantly deluged by volumes of electronic information through e-mail, texts, social media, the Internet, cable systems, and others.

[2]        Information is among the most valuable assets for most organizations—public or private.  For some, the value may lie in priceless intellectual property, such as patents or trade secrets.  For others, it may be a customer database built up over decades of sales or the brainchild of a Harvard student aggregating faces.  For still others, it may be complex workflows or systems for transmitting demand for power from individual customers onto a regional grid for the distribution of electricity.  Last but not least, and increasingly so, it may be a set of algorithms for assessing vast volumes of data and discerning what trades are most likely to succeed, or what products may appeal to a customer with discretionary income.

[3]        For most of the Information Age, it has been relatively risk-free to allow these volumes of information to accumulate—even after their normal useful life – because storage devices have been cheap.  In fact, the cost of unit storage declined approximately ninety-nine percent from 2000 to 2010.[3]  So far, as the saying goes, this is “all good.”  But recently, three important caveats have injected themselves into that bromide.  First, the total worldwide costs to store and manage the ever increasing volumes of information being generated and retained in organizations are increasing.[4]  The increase in volumes is truly staggering.  It was estimated in 2011 that ninety percent of the data in the world had been created in the prior two years and for most organizations, information volume doubles every eighteen to twenty-four months.[5]

[4]        Second, absent investment in costly search technologies capable of federated searches across platforms and storage containers, these volumes of information may jeopardize the organization’s ability to retrieve valuable information efficiently such that strategic opportunities are lost.  Third, if information is retained past its useful life (i.e., after its business function is fulfilled and while there is no other legal obligation to keep it), that information could be subject to future requests in litigation or governmental investigation.[6]  As a recent article notes, while the basic cost to manage a terabyte of information may be about $5,000, if that terabyte is retained unnecessarily and becomes the subject of discovery (and collection, processing, analysis, and review), that unneeded data may cost the organization an extra $15,000.[7]  For an organization that has petabytes of information (roughly 1,000 times a terabyte), or in the case of our largest organizations, scores of petabytes, the “electronic discovery tax” poses a horrific and unnecessary risk.[8]

[5]        For some in senior management (i.e., those in the Boomer generation), the problem of unnecessary data causing substantial costs in litigation will sound familiar.  In fact, as a result of expensive paper discovery experiences in the 1970s and 1980s, many organizations developed policies falling under the euphemistic label of “document retention” or “record retention” policies.[9]  Under these policies, an organization established how long they had to keep certain information due to laws or regulations, how long they wanted to keep information due to business value or need, and destroyed what they did not have or want to keep.[10]  The Supreme Court famously ruled in Arthur Andersen, a case that grew out of the Enron scandal, that such policies are perfectly lawful.[11]  In fact, the Court in that case recognized that such policies are “created in part to keep certain information from getting into the hands of others, including the Government,” and stated that a manager may instruct his employees to comply with a valid document retention policy under normal circumstances.[12]  In the day of paper records, relatively small staffs with administrative assistance in local offices could administer such policies.

[6]        By the late 1980s and early 1990s, however, competitive pressures of globalization forced many organizations in the United States to go lean; consequently, many records functions were cut as expendable.[13]  More problematic, however, were the advent of the Information Age and the proliferation of “road warriors” who wanted all of their potentially relevant files stored on their laptops.  Few organizations took immediate steps to update their retention policies to account for the influx of electronic records.  Further, in those organizations that sought to maintain “retention” policies for all information regardless of the media, those developments turned most employees into de facto records managers without any additional compensation or training in the discipline.[14]  Some workers tried to remain faithful to the policies, but as the volumes exploded in recent years, knowledge workers were spending more than a quarter of their time managing e-mail.[15]  In a competitive global economy, this is a not a model of efficiency.  As Jason Baron, the 2011 recipient of the prestigious Emmett Leahy award, persuasively urged, “[W]e need to declare an official end to the end-user being expected to act as de facto records manager.”[16]

[7]        The glut of information arriving randomly also interferes with productivity.  One study showed that, on average, knowledge workers are interrupted every three minutes and it takes a half hour to return to the pre-interruption level of concentration.[17]  This is no small problem.  Indeed, the problem has led senior researchers at some of the world’s leading technology companies to form (and incorporate) the Information Overload Research Group.[18]

[8]        Another exacerbating factor in the modern organization is that some users who are newer to the workplace have not received training about the risks of quickly (and informally) generating information that might prove problematic for the organization in litigation.[19]

[9]        Finally, the challenge of dealing with information in the modern organization is a dynamic, not stationary, target because the technologies that generate and deliver information are constantly changing.  Witness, for example, the quick sprint from paper documents and phone-message slips, to e-mail and voicemail, through universal messaging, or instant messaging and chat, and to Facebook, LinkedIn, and Twitter.[20]

[10]      Something new—and at least a little different—is needed if we are to avoid what Baron and others have called “the coming ‘digital Dark Ages’” in which we cannot see clear paths forward due to the glut of information before us.[21]  Thus far, those who labor principally in the fields of law and records management have started to discuss these issues, but have found difficulty gaining traction or budget, usually for want of either a champion or a clear business case with an indisputable return on investment.  As discussed below, senior management in all organizations and corporate boards of directors need to recognize that assessing and overseeing management of the risks posed by information overload is a necessary part of their existing duties.

II.  The Foundations of the Duties

[11]      The board of directors of a corporation is generally responsible for overseeing the business of and helping to set strategy for the corporation so as to minimize unnecessary risks.  Senior management is generally responsible for managing the company and executing in accordance with the organization’s strategic direction.  Board members have fiduciary duties to the owners of the corporation (its shareholders), which include the duty of care, the duty to remain informed, and the duty of loyalty, as typically circumscribed by the so-called “business judgment rule.”[22]

[12]      Several courts have elaborated on these duties in factual circumstances not stemming from an organization’s management of information-related issues, but in terms that are directly relevant to the current state of information governance in many organizations.[23]  The principles thus enunciated raise the specter of potential liability if officers and directors utterly fail to ensure the adequacy of information systems.  For example, in Caremark International Inc. Derivative Litigation, plaintiffs claimed that “directors allowed a situation to develop and continue which exposed the corporation to enormous legal liability and that in doing so they violated a duty to be active monitors of corporate performance.” [24]  The Delaware Chancery Court, noting that the theory advanced was “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” nonetheless agreed that director liability for breach of the duty of care could arise either from a board decision that resulted in loss or “from an unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”[25]  In discussing the “business judgment rule” limitations on these principles, Chancellor Allen concluded, in line with Judge Learned Hand’s analysis, “the core element of any corporate law duty of care inquiry [is] whether there was good faith effort to be informed and exercise judgment.”[26]  With respect to potential liability for failure to monitor, Chancellor Allen stated:

[A] director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.[27]

[13]      In the years since Caremark was decided, much has happened in the world of corporate governance.  The case has been cited more than 3,000 times;[28] many courts have embraced the decision, a few have commented negatively or distinguished the case, and some have found on the facts before them the “unconsidered failure of the board to act” required for liability.[29]

[14]      Perhaps even more important, Americans have already witnessed two separate periods of corporate malfeasance in this century.  The first of these periods included such fiascos as Enron and WorldCom[30] while the second stemmed from the overvaluation and trading of subprime mortgages, which led to the demise of several major financial institutions and the global financial crisis of 2008.[31]  Both led to outcries for heightened scrutiny on corporate America and each led to new legislation imposing new requirements on corporations.  The first led to the passage of the Sarbanes-Oxley legislation[32] and the second led to the passage of the Dodd-Frank legislation.[33]

[15]      Posed squarely, the issue is whether the risks attending information systems in the modern enterprise are such that directors and senior management may safely ignore them and fail to take steps to enhance information governance processes.[34]  The short answer, I submit, is a resounding “no.”  As one commentator observed, “[t]here is no doctrinal reason Caremark claims should not lie in cases in which the corporation suffered losses, not due to a failure to comply with applicable laws, but rather due to lax risk management.”[35]  The three following sections, respectively, (a) describe those risks,[36] which include some conflicting obligations, (b) suggest a logical approach for addressing the risks, and (c) identify the opportunities with existing mechanisms for addressing them.

III.  Risks Associated with Information in the Modern Enterprise 

A.  The Risks Are Many and Diverse

[16]      The risks associated with information in the modern enterprise are numerous, varied, and conflicting.  At the outset, one should also note that almost all information is now created electronically[37] and because electronic information has significant differences from paper documents, former processes and paradigms are no longer 1:1 analogs.[38]  Briefly stated, the risks associated with information in the modern enterprise include[39]:

• Proprietary information.  Information that has competitive value must be protected against disclosure or misuse.  In most organizations, there will be several levels of confidentiality or protection requiring different treatments (e.g., company-private, confidential, highly confidential, etc.).[40]
• Contractually protected information.  When considering new business arrangements or technologies, organizations often receive information under the terms of non-disclosure agreements.  Such contractual obligations with third parties also require protection of such information from misuse or theft.[41]
• Challenges to sound record keeping practices.  Information that has business value to an organization should be maintained in such a manner as to ensure its accuracy, integrity, and availability for later use, but also protected against alteration.  Keeping excessive volumes of information, which might not adequately distinguish drafts from finals, undermines these objectives.[42]
• E-Discovery.  Information that may be responsive to requests in U.S. litigation or investigation must be identified quickly and preserved once a claim (or inquiry) is reasonably anticipated.[43]
• Challenges in developing and implementing retention policy schedules.  Separate from any litigation or investigation obligation to retain information, an organization is required to retain different categories of information for various periods, depending on the jurisdictions where the organization does business and the nature of those businesses.  Determining the retention schedule for a given organization through traditional methods of legal research is a labor-intensive and expensive effort.[44]  In the case of a global enterprise, for example one doing business in 130 countries, the expense could easily exceed one million dollars and the retention requirements found for different jurisdictions often conflict, even for a single category of information.  Finally, traditional means for categorizing information into record series that can be manually segregated, stored, retrieved, and eventually destroyed do not translate well or efficiently into the world of electronic storage, retrieval, and disposition.
• Data protection and privacy.  Numerous jurisdictions outside the United States have adopted comprehensive regulations for data protection and privacy regarding “personally identifiable information,” which is broadly defined to include even information in an e-mail header.[45]  The best known of these regimes is in the European Union and its constituent nation states.[46]  Legislation or initiatives have also been launched in Asia (Singapore, South Korea, Taiwan, Malaysia, India, Vietnam, New Zealand, Hong Kong, and China) and Latin America (Brazil, Mexico, Peru, Colombia, Uruguay, and Costa Rico).[47]  Typically, such information should be retained only as long as necessary to fulfill its purpose, but enforcement of privacy regulations varies widely from one jurisdiction to another (and even within the European Union).[48]  In the United States, there is a patch quilt of federal and state, non-uniform legislation (and some state constitutions) protection of privacy interests in specific areas.[49]  In addition, most states have adopted legislation specifying what steps an organization must take in the event that its information systems with consumer information are breached.[50]  In short, most organizations face a web of potentially conflicting and constantly changing privacy obligations that must be comprehended and respected.
• Conflict between data protection regulation and traditional U.S. expectations of “liberal” pretrial discovery.  The privacy or data protection rules and regulations of many jurisdictions do not permit “processing” or “transfer” of personal information without the consent of the data subject.  (A proposed data protection reform in the European Union would ensure that explicit consent be given before a company could process a data subject’s personal data.[51])  These regulations often conflict with the expectations of judges in the United States that all information relevant to the claims and defenses in an action (if not the subject matter of the litigation) will be freely exchanged during discovery.[52]
• Enhanced risk of security breaches, and attendant release of personal information, including health and financial information.[53]
• Ever-changing landscape of technologies that enhances business communications and confounds management of electronically stored information.  Modern technologies—including social media and smart devices (i.e., tablets and smartphones)—allow for the immediate transfer of data and images to unlimited numbers of people who are virtually in any place on the planet with just a few clicks or swipes of the finger.  These developments pose obvious risks to sensitive organizational information, including trade secrets and other intellectual property.[54]
• Trend to allow workers to BYOD.  In order to attract the best and brightest young talent, many organizations are succumbing to pressures to allow employees to Bring Your Own Devices to work.[55]  The introduction of these devices into the workplace presents a host of issues for an organization’s central technology function.[56]  In the past, for example, the organization could concentrate on a few technology platforms running a particular operating system that relied on a dedicated backend server environment.  The proliferation of smart devices, however, introduces the need for some conversancy with Apple and Android operating systems and the development of new security protocols to account for them.  In addition, to the extent information on such devices may be called for in litigation or investigation, the organization (or its vendors) will have to become familiar with an array of ESI harvesting techniques because collection techniques typically vary from device to device and from operating system to operating system.[57]
• Movement to cloud alternatives.  Some organizations, in order to take advantage of economies of scale and resulting economic savings, have considered moving their data “into the cloud” where it may be commingled with data of other organizations and is not under the immediate possession or control of the organization (which may impair the ability to respond to requests in litigation or evaluate claims of internal malfeasance).[58]  The economics of cloud operations can be incredibly attractive (if not compelling) for some organizations and/or functions, but there are also a variety of risks—including mid- to long-term costs—that should be analyzed and evaluated.[59]
• Legacy or “debris” data that has no “owner” or continuing value.  As noted above, if the organization does not dispose of data and information after its useful life (and when it is not subject to a duty to preserve for litigation or investigation), but instead allows it to linger, the organization will be spending money to store and manage information with no business value[60] and that information may be subject to costly future discovery requests.  Because “storage has traditionally been cheap”[61]—at least in relative terms—this legacy or “debris” data is a significant risk and problem for many organizations.
• “Big Data.”  Lastly, and taking the opposite side from the last point, several large organizations are grappling with the issue of so-called Big Data, i.e., whether or not to keep lots of data and subject it to sophisticated algorithms and searching techniques that can produce significant business opportunities and sales.[62]

[17]      From this recitation it should be apparent that while these issues may be present for most organizations, the strategies one organization may choose to follow, and the acceptance or mitigation of particular information-related risks, will differ from the next, depending on each organization’s business objectives, specific legal obligations, and its tolerance for risk.  For example, a company like Google or Facebook may have an interest in maximum retention of personal demographic information so as to match the ads it displays in sidebars to a particular user, while a manufacturer of heavy equipment might not wish to capture and retain user information for every visit to a webpage advertising forklifts.  Senior management and corporate boards have a responsibility to ensure that the organization considers these diverse information-related issues and the optional approaches surrounding them so that the organization addresses them in line with its overall goals and strategies, rather than in an ad hoc manner driven by a single (or even a spare few) disciplinary biases.

B.  Organizations Often Assert that They Handle All Information Appropriately

[18]      In response to heightened scrutiny of corporate behavior, many organizations have “gone on offense” to assure shareholders that their interests are being managed well.[63]  Thus, many organizations have adopted “codes of conduct” that recognize that a global company must comply with the laws of many countries and that each employee is responsible for knowing and complying with the letter and spirit of applicable laws or regulations.[64]  Many organizations also speak in their public materials about the duty to protect confidential information and to take precautions before sharing it with anyone,[65] the need to protect company assets to guard its competitive advantage in the marketplace, the importance of “us[ing] electronic communications wisely,” and the expectation that each employee is responsible for maintaining accurate records and complying with company policies and procedures for recordkeeping.[66]  Some even recognize that employees have a “right to engage in social, professional and political dialogue outside the workplace” through, for example, social media.[67]

[19]      These broad statements[68] set a high bar of expectations.  The next obvious questions are whether there are mechanisms in place to facilitate compliance by individual employees or associates, and whether the board has attempted to assure itself that they are adequate. 

C.  Surveys Strongly Indicate That the Reality Is Far from the Promise

[20]      Surveys of knowledgeable persons suggest that reality falls far below the publicly stated promise.  For example, a recent survey found that lack of proper management of information was “impacting business productivity and creating costs and liabilities.”[69]  As Baron and others have observed, employees are spending too much time searching and managing information and recreating desired information that is not readily retrievable.[70]  In fact, one recent survey reported that seventy-four percent of respondents reported that valuable information was being lost, and seventy-three percent said that their organizations missed business opportunities because they could not access information efficiently.[71]  Virtually all organizations responding to the survey acknowledged rapid volume growth of electronic information: eighty-one percent said document management environments were challenging to manage, seventy-eight percent admitted increased IT infrastructure costs, and eighty-eight percent said they had large stores of legacy data.[72]

[21]      Significantly, an increasing and sizeable percentage of senior corporate personnel recognize that their valuable information is not secure.  For example, in a 2010 study, thirty-seven percent said they were not confident that their electronic records had not been modified, deleted, or inappropriately accessed.[73]  Just two years later, forty-eight percent of directors and fifty-five percent of general counsel (of more than 13,000 surveyed) cited data security as an issue of concern, making it the most referenced concern.[74]  Another study estimated the median annualized cost of cyber crime per company at $5.9 million.[75]  But these direct costs related to a data breach (Sony reportedly spent more than $170 million to address multiple breaches in 2011[76]) pale in comparison to the total injury, including that to the company’s reputation.[77]

[22]      Some of the cybersecurity risk can be attributed to criminal activity (e.g., identity theft), but some apparently is the result of international espionage or politically motivated retaliation.[78]  Further, in 2013, several major news organizations acknowledged that their systems had been hacked and their journalists’ e-mail passwords compromised by Chinese authorities seeking to monitor Chinese issues, including the news organizations’ investigations into the affairs of high-ranking Chinese government figures.[79]

D.  The “Current State” Is Usually the Result of Policies or Procedures Adopted in Silos, Often in Fire-Drill Mode 

[23]      How did so many organizations arrive at this state of affairs?  Based on the author’s experience with several Fortune 100 companies during the last decade, the answer is quite simple.  Rarely, if ever, are an organization’s information-related policies and procedures the result of an integrated harmonized approach.  Rather, the policies and procedures emerge through accretion with different departments or functions taking the lead at different times for different documenting efforts, sometimes in response to a perceived urgent need.  The result is a hodgepodge of policies and procedures, which rarely present to the workforce a coherent whole.

[24]      Thus, an organization may have separate documentation addressing each of the following information-related subjects:

• Code of Conduct or Ethics
• Information Security
• Confidentiality (Proprietary Information)
• Disaster Recovery
• Privacy
• Media Handling
• Social Media
• Bring Your Own Device (to work)
• Outsourced Systems (including Cloud)
• USB and other peripheral devices (whether they can be connected to company systems)
• Access Control (who has access to different systems)
• Records Retention (or Records & Information Management)
• Legal Hold
• Electronic Signatures
• Electronic Communications
• Acceptable Use (of company equipment, and/or social media)
• Home Computers (whether they can be used for company business)
• User Backup
• PC Maintenance
• Virus Protection

[25]      As one can discern from a simple review of this list, some subjects are highly technical, some relate to legal obligations, and many relate to business strategies.  However, as the discussion of the illustrative codes of conduct above demonstrates, management often proclaims that employees shall comply with all.[80]

[26]      Therefore, the obvious question that should be asked is:  Is it realistic to believe that employees can comprehend and comply with such diverse requirements?  The Chase Code purports to give guidance where local law, the local custom, the corporate Code, or the business unit policies may differ.[81]  But how should employees retain electronic employment-related information if there are twenty different federally mandated retention periods?[82]  Or, if an American employee is based in Europe, but the retention obligations there differ, which rule governs?  Or, how is a privacy officer in Germany to respond to a U.S. lawyer’s request for personally identifiable information concerning a Singaporean citizen working in Berlin if the laws of those three countries (U.S., Singapore, and Germany) are inconsistent?  While these are just illustrative conflicts, they lead, however, ineluctably to alternative questions.  Is it more likely that employees will substantially ignore the hodgepodge of written policies and instead behave as they personally believe may be exigent to the business circumstances?  If the answer to this last question is, as the author submits, more likely in the affirmative, does that present a significant additional risk—namely that courts or agencies asked to respect a policy will conclude that there is, in fact, no effective one present?  For example, in the context of litigation, a court may find that when litigation is reasonably anticipated, an organization has a duty not only to issue a legal hold notice promptly to persons likely to have relevant information, but also to provide adequate guidance and assistance, or even monitoring, to ensure that individual recipients of the notices can comply.[83]

IV.  An Information Governance Program Is the Logical and Appropriate Means to Deal with These Diverse Information-Related Risks and Interests

[27]      As stated at the outset, information is one of an organization’s most valuable assets and can be the source of enormous competitive power.  But if the risks associated with information are not managed in accordance with the organization’s main objectives and strategies (which may evolve over time), information can also be the source of enormous and unnecessary costs, liability, and damage to reputation.

[28]      Many organizations have an individual with the title of Chief Information Officer (CIO).  But as the descriptions above manifest, information-related issues in today’s organizations touch numerous different disciplines, and no matter how talented, the CIO cannot be solely responsible for governing all information issues.  Moreover, recent litigation experience with trying to find a “person most knowledgeable” about today’s complex information technology systems and applications has demonstrated that no one person can competently speak authoritatively about an organization’s information technologies and their functionality.[84]  Something different is needed and that something is an “information governance” program.

[29]      While much has been written recently under the “information governance” headline, one should note that definitions of the term differ in some respects and proponents may also differ as to the main driving forces in favor of adopting an information governance program.  The subsections that follow address the various definitions and points of commonality in addition to the business cases that can be made for such a program, including potential hidden “wins.”

A.  Proposed Definitions for “Information Governance”

[30]      Gartner, the information technology research and advisory company, defines “information governance” as:

the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information.  It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.[85]

[31]      Gartner goes on to explain that the definition is derived from the firm’s definition of IT (information technology) governance, involving processes that ensure effective and efficient use of IT in enabling an organization to achieve its goals.[86]  IBM (which has products addressing many information-related issues) defines “information governance” as “a holistic approach to managing and leveraging information for business benefits and encompasses information quality, information protection and information life cycle management.”[87]  Other vendors (RSD and Autonomy among them) have also proposed formulations.[88]

[32]      Barclay Blair, a leading contributor to the literature, has said that information governance is a “new approach” that “builds upon and adapts disciplines like records management and retention, archiving business analytics, and IT governance to create an integrated model for harnessing and controlling enterprise information. . . . [I]t is an evolutionary model that requires organizations to make real changes.”[89]

[33]      While the available definitions and described scope of an information governance program may vary,[90] most of the commentators seem to agree that a well-functioning program will require the proverbial “village” of constituents who can help identify, assess, and prioritize values, costs, and risks associated with different categories of information.[91]  That village should include at least personnel from the following functions:

• Business leaders, who understand the business value of information;
• Legal personnel, who can identify obligations (including those for records retention purposes) and some risks associated with information (including those that may arise with discovery in litigation or investigations, or importantly, risks that may arise as the result of adopting new technologies);
• Records & information managers (to the extent the function exists), who can identify retention periods and how information may be stored;
• IT (including its storage experts and system architects), who can explain system volumes, costs, auto-delete functionality, how systems tie together, alternative storage strategies, and the organization’s current capabilities to search for objects across platforms;
• Privacy (which may be part of legal, or separate), who can explain what information is subject to data protection obligations in different jurisdictions;
• Security, who can explain access protocols, perceived threats (such as to trade secrets), and current approaches and challenges;
• Internal audit, who can explain practices for assessing fraud controls and internal risks associated with information;
• Risk, who can provide existing methods for assessing, measuring, and evaluating defined risks; and
• Compliance, who have experience with the organization’s general compliance efforts and history and usually at least a dotted line to the audit committee (in the case of a corporation).[92]

[34]      Like other villages, not all citizens of the information governance village need to be present at all times or for all meetings.  But, also like other villages, what is essential in order for the information governance village to function well is one or more distinguished “elders” who can set a tone and ensure that the villagers understand that the elders are committed to the goals and will expect compliance with the path charted.

[35]      Stated otherwise, senior management (and even the board) must make clear to employees not only that the organization means what it says in its Code of Conduct or other similar document, but also that the organization through its information governance program will provide employees with the tools—and the time—necessary to ensure that compliance with stated objectives is possible and achievable.  This last statement does not mean that an information governance program requires immediate investment in new and expensive technologies with attendant training and education of the workforce.  Indeed, one might question whether an information governance program will succeed if it begins with a project to acquire an expensive new tool to address some of the symptoms (e.g., management of electronic records) rather than the information-related needs and interests of the organization as a whole, such as what information should be retained and managed in line with the organization’s strategies and objectives.  What must be recognized is that achieving a successful information governance program is a process that requires time and such a program will evolve and mature over time.  During this process, priorities may change, as will available technologies, and the organization’s approaches to various information-related issues will mature.  Along the timeline tracking those changes, the organization should reevaluate its needs, its appetite for information-related risks, and its ability to bring on attractive technological tools, all of which should align with the strategic direction charted by the board and senior management.

B.  Business Cases that Can Be Made for an Information Governance Program

[36]      The advantages of maintaining an information governance program are many and vary depending upon the information-related issues (and risks) the particular organization faces[93] in addition to the extent to which an organization has already addressed records and information management, including the need to suspend normal retention and disposition schedules in the event of litigation or investigation.[94]  Stated differently, organizations that have not updated retention policies to account for the proliferation of electronic information or that have not established a litigation response plan that includes hold notice procedures and a comprehensive data atlas may find an information governance program the path to quick “wins” on these fronts.  Or, where a legal department has worried about the risk large stores of legacy data pose, an information governance program that establishes the total cost of owning legacy data may propel the organization to needed action.  Indeed, it is not surprising that much of the recent talk about a need for information governance stems from costly experiences with electronic discovery challenges and risks.[95]

[37]      Fear certainly can be a motivator, but it usually is not the best rationale to persuade a business executive to spend scarce resources.  Executives have a tendency to think that the “sky may be falling, but it is not falling on our house.”  Moreover, businesses typically are not organized for the purpose of conducting litigation[96] and, therefore, may not readily accept soft-dollar, litigation-related “benefits” as key motivators for action.

[38]     Business organizations are created to conduct business and executives understand that executing strategies well depends in part on identifying valuable information and leveraging it through technologies in order to compete efficiently.[97]  Accordingly, the rationales more likely to persuade senior management to push forward with an information governance program are those that hold the promise for the organization to conduct its business more efficiently, less expensively, with less risk, and with less grumbling from employees and customers.  In this author’s view, the potential benefits from an information governance program address all these objectives and will usually be a mix of the following consequences, which virtually all organizations should embrace: business performance improvements, cost reduction, risk mitigation, including enhanced compliance with legal obligations, and improved employee morale and customer satisfaction.

[39]      In the subsections that follow, the author outlines how and where an organization may look for these benefits.  Preliminarily, however, two points are worth highlighting.  First, the conclusion of a Deloitte survey of corporate boards was that “[o]rganizations whose boards are actively involved with IT matters perform better financially.”[98]  Second, while it may be difficult at the outset and before an assessment of risks is completed to identify hard dollar savings and a concrete ROI, measurable ROIs for particular action steps or projects should be determinable once the program gets underway and the initial risk analysis is completed.  Let us consider how this might work in practice.

1.  Business Performance Improvements

[40]      The goal of an information governance program is to optimize the value of information within the organization.  The obvious first step in any such program, therefore, is to understand what “information exists, where it exists, and how to access and leverage it.”[99]  In large organizations, some knowledge of what information exists and where it is located will be available from a central IT function, but some will also be known only at the local or departmental level.  Thus, for example, the central IT function may have an asset inventory for centrally administered systems and applications that can be leveraged.  In addition, representatives of key business functions should be queried as to the systems and applications upon which they principally rely to perform their function.  The result of merging the central IT knowledge with the local business function expertise is an understanding of the systems and applications used to drive the business.

a.      “Option Value”

[41]      Several quick benefits can be recognized from such an analysis.  First, as the Finding Hidden RIO paper sets forth, such canvassing of valuable information within an organization may help identify a source of information created in one function that can be repurposed without additional cost and reused by another function to help it meet its business objectives and enhance revenue for the organization as a whole (so-called “option value”).[100]  Conversely, such an analysis may determine that existing technologies (as opposed to the content harnessed by technologies) can be used for alternative purposes to improve efficiencies, again without additional cost.  Indeed, a recent Gartner survey of CIOs found that “technology is only used to 43 percent of its potential” and suggests such “optional technology use” could be a significant boost to business performance.[101]

b.  Litigation Response, Records, and Information Management

[42]      Second, through the information assessment process, the organization may establish a comprehensive data atlas that can be used for purposes of responding to most litigation or investigation requests.[102]  Third, this very kind of business process mapping is a linchpin in many modern information management programs and can jump-start the updating of an organization’s retention program to address electronic information.

[43]      Fourth, assessing what information has value to different business functions will also provide insight as to the quality of the record-keeping practices at the organization.  With such insights, the organization can determine whether the integrity of information is maintained and whether users are able to reliably identify and retrieve valuable information efficiently.  If they are not, the organization may choose to enhance its record-keeping systems so that employees do not waste time retrieving or re-creating information, thereby delaying execution and potentially undermining customer satisfaction.

2.  Managing “Non-Value” or “Low Value” Information Can Lead to Substantial Cost Reductions

[44]      One commentator has cautioned that the Finding Hidden ROI paper is an important contribution to the literature, “but it omits many of the details that can make or break the proposed option value information governance initiative, including details about issues of confidentiality and security, considerations for managing ‘non-value’ information, and the significant differences in managing and mining structured versus unstructured information.”[103]  In many organizations, however, confidentiality and security issues will not be unknowns, but likely will have been part of the risk assessment necessary to prepare Risk Factor sections of the organization’s public filings (e.g., 10Ks).  If so, the information governance program can leverage that analysis too.

[45]      Considerations for managing “non-value” information, as Juhnke suggests, definitely should be a key part of the information governance program.[104]  Indeed, when the organization as a whole analyzes and understands how much information it stores and manages that has no current business value in addition to the total costs of owning that information (currently and prospectively), the organization will likely identify huge potential savings.  How is it, you may ask, that such savings are not more apparent?  The answers are obvious and nearly universal (in the absence of an information governance program).  In the typical organization, an IT department is not motivated to look for such savings on its own; rather, IT has traditionally lived in fear of being criticized for not maintaining certain information.  In some instances, the organization may have encouraged executives to rely on IT to be able to find information inadvertently deleted during an “oops moment.”  In others, IT may have been a scapegoat for the loss of information when a litigation hold was not properly communicated and enforced.

[46]      Moreover, IT is tasked with storing and maintaining the information technologies and, in virtually all cases, will not understand the content of the information stored, much less its value to the organization as a whole.  On the other hand, the business functions know the value of the information, but rarely understand the total costs of owning the information.  The associated risk managers (e.g., in legal, records, and privacy) may not know the business value of the information or alternative storage techniques that may be available, but can assess the risks associated with different categories of information.

[47]      In the typical organization, cross-discipline discussions to assess these various angles have not occurred.  Consequently, huge volumes of information for which the business generator has no current use and has simply forgotten remain under management.  For example, a telecom company established that $100 million could be saved through an application retirement program and a U.S. bank expected a $400 million spend reduction over thirty-six months from an IT transformation plan.[105]

[48]      An information governance program can accelerate the process of identifying such opportunities and provide the incentive to proceed in steps.  For example, the program may identify some valueless information that is subject to legal hold and decide to move that data to cheaper storage.  Similarly, the program may identify some stores of information that have continuing value, but which can also be moved to cheaper storage with less immediate retrieval times.  Finally, such programs may provide an incentive for the organization to review legal holds placed long ago, lift those that are no longer truly required, and thereafter dispose of the valueless data.

3.  Other Risk Mitigation Including Enhanced Compliance with Legal Obligations

[49]      Section III above outlined several diverse information-related risks.  Without repeating that discussion, it suffices to say that a functioning information governance program can assess these various risks and with senior management input, chart a course that aligns decisions with the organization’s overall strategy and risk tolerance.  Thus, as the program matures, the organization should find that:

• Valuable information is reliably and readily accessible;
• Confidential and proprietary information is protected in accordance with the organization’s policies and legal duties;
• The organization avoids substantial risks of not retaining information in accordance with legal regulations and in connection with litigation or investigations;
• Personally identifiable information is retained only so long as necessary and in manners that guard against unlawful access;
• The costs of keeping information is optimized, i.e., information is kept only so long as necessary for legal or business purposes, and at storage costs appropriate to its use and needs; and
• The organization meets its duties to avoid waste and to ensure that appropriate information and reporting systems are in place to provide management with timely and accurate information.

[50]      Analysis of the systems that store and transmit personal information will also help the organization to identify the potential for breaches to its systems by hackers or others and to adopt appropriate mitigation strategies.

[51]      As with the cost-reduction issues discussed above, prudence dictates that information-related risk issues be considered in a multidisciplinary forum such as an information governance program.  For example, bringing social media and smart devices into the workplace represents only a recent and not the last new technology with business applications.  There will be others and as those new technologies are proposed, the information governance framework will provide a forum in which to evaluate the relative opportunities that the new technology promises and the risks that may arise from deploying it.  In many business situations, opportunity will trump risk, but at least with a proper forum in place for considering risks, the organization can take appropriate steps to mitigate.

[52]      As another example of what many organizations have experienced recently, if IT alone considers the potential savings and economies of moving data to a cloud environment, a positive decision can be expected quickly.  But if legal, privacy, records, and other specialists are brought into the evaluation, they can point out risks that should be addressed in negotiations with the cloud provider.  For example, how will internal auditors conduct an investigation under the radar if they do not have direct access to data in the cloud?  How quickly will data be available for discovery requests?  Will the data be stored in one location and how will data privacy authorities in EU states view that storage?  Will the cloud provider be able to dispose of the information when it is no longer needed?  On each of these issues, a considered collective evaluation is more likely to reach a conclusion in line with strategy for the organization as a whole and its risk profile.

[53]      Through a comprehensive cross-function or cross-disciplinary analysis of the organization’s various information-related policies and procedures, the organization should also assess whether one can reasonably expect employees to understand and comply with the various information-related policies and procedures that the organization has in place to address such risks or whether that documentation should be updated, harmonized, rationalized, and put into more comprehensible formats.  In line with the maxim that less is more, having a concise and cohesive set of policies would no doubt enhance the prospect that employees could follow the stated policies.[106]  In an era where public companies face the potential for more scrutiny[107] and recognizing that having an effective compliance program can under the Federal Sentencing Guidelines reduce the risk that an organization will be held criminally liable for the acts of a rogue employee, it is foreseeable that more organizations may be interested in ensuring their policies are harmonized and clarified.[108]

4.  Improved Employee Morale and Customer Satisfaction

[54]      When an organization has a set of policies and procedures that align with its business goals and strategies, employees are more likely not only to understand and comply with the policies, but also, and just as important, to understand the mission of the organization and move forward as a unified team seeking clear and commonly held purposes.  In such harmony, employee morale soars.[109]  Finally, when an organization can reliably and quickly access and leverage information through technology, it will respond to customers more quickly and with better results, likely leading to increased customer satisfaction.  Conversely, when customer data is breached or the customer gets inconsistent information slowly from the organization, sales suffer.

[55]      In short, multiple business cases can be made in support of an information governance program.  Which elements a particular organization emphasizes will depend on the particular industry in which the organization does business and the extent to which it has addressed information-related issues.[110]  And, as stated earlier, senior management in virtually all organizations should understand that information governance is not only the right thing to do for the organization, but also something that cannot be ignored under Caremark and its progeny.[111]

V.  Most Organizations Have in Place Methodologies that Can Be Leveraged To Achieve Enhanced States of Information Governance

[56]      A central thesis of this article is that senior management of organizations and corporate boards have duties to ensure that information-related issues are considered and evaluated for risk.  This idea is not a radically novel contribution, but as a rationale for organizations to adopt information governance programs, it has not been a central focus of the recent information governance discussions.[112]  Given the current (post-financial crisis) emphasis on corporate compliance programs, it should be.

[57]      Equally as important, initiating an information governance program need not entail a herculean effort or fundamentally different and foreign concepts.  Many organizations have established cross-disciplinary teams in recent years to cope with obligations to report risks, especially around financial reporting.  In addition, many organizations have launched cross-disciplinary efforts to deal with the challenges of electronic discovery response.  Financial reporting risk evaluations have enlisted joint efforts of risk managers and compliance officers, finance functions, and business personnel that understand the organization’s business operations.  E-discovery litigation response efforts have entailed joint efforts of at least the IT, legal, and records functions, and in cross-border matters, privacy.  In an organization that has addressed some of these information-related issues, the first steps to establishing an information governance program may be as simple as: (1) aggregating personnel to round out the roster of knowledgeable constituents,[113] and (2) having senior management (and the board) communicate forcefully its full support and encouragement for the launch of the program.

[58]      Further, in conducting the next significant and essential effort of such a program—a comprehensive assessment of information-related risks—the organization need not start from scratch, but can leverage existing techniques and methodologies employed is assessing financial reporting risks.[114]  Thus, to deal with Sarbanes-Oxley and other recent regulations, many organizations have adopted methods for identifying risks, evaluating them, and seeking to mitigate the more important ones.[115]  In October 2012, the Committee of Sponsoring
Organizations (COSO)[116] published a guide on Risk Assessment in Practice.[117]  This guide provides a framework with advice on navigating through the risk assessment process—from developing assessment criteria, assessing risks with a common vocabulary that is established for the particular enterprise, including the interactions of various risks,[118] and prioritizing risks in accordance with the enterprise strategy.  The guide recognizes that all organizations face risk and successful competition usually requires the organization to accept some risk.[119]  With respect to risk evaluations, it suggests that the organization establish several scales for potential risks, specifically a five-point impact scale (ranging from “incidental” to “extreme”), a five-point likelihood scale (ranging from “rare” to “frequent”), a five-point vulnerability scale (ranging from “very low” to “very high”), and a five-point speed of onset scale (ranging from “very low” to “very high”).[120]  The guide also offers several ideas on how to obtain input from different functions or departments.[121]

[59]      COSO is not the only source of readily available assistance.  The Open Compliance and Ethics Group (OCEG) is a nonprofit that provides standards and resources to aid the achievement of principled performance through integrated governance, risk, and compliance.[122]  Under the GRC (governance, risk, and compliance) tag, OCEG has published a wealth of materials, such as charts and guides that can also help an organization navigate these information governance waters.  For example, the GRC charts vividly demonstrate the costs to organizations that operate in silos with ineffective oversight—namely, disjointed strategy, poor integration, duplication, high costs, unnecessary complexity, lack of integrity, and wasted resources.[123]

[60]      CGOC also has developed materials that will aid an organization’s understanding of the interplay between and among several of the necessary constituents—specifically, legal, records, IT, and business—and how each of those groups can “give” and “get” something of value to and from the other groups.[124]

[61]      In short, an organization can leverage the lines of communications, techniques, and lessons learned from recent compliance efforts to create the formula for successful information governance.  Moreover, following a risk-based approach to information governance aligns tightly with traditional notions of corporate management, performance optimization, and risk avoidance. 

VI.  Conclusion

[62]      Virtually any organization can achieve significant benefits—in terms of better utilization of valuable information, hard dollar savings, softer-dollar risk mitigation, and unquantifiable improvements to employee morale and customer satisfaction—from an information governance program.  Commitment from the top is essential to establish and maintain a successful program, but as explained above, ensuring that such a program is established to consider information-related risks is part of the fundamental obligations of senior management and corporate boards.  Moreover, most public companies in the United States will already have in place frameworks and methodologies for proceeding with an information governance program.  Doing so is not rocket science, but it makes good business sense and should be embraced.

            We, as a society, have entered into an era in which electronic communications has become the preferred way of communicating with friends, co-workers and loved ones.  A recent study has shown that Americans spend over 20% of their online time on social networking sites alone.[1]  Although the majority of social networking sites originated as those where you could find friends, they have exploded into increasingly complex sites.  Most social networking sites, today, allow users to upload photographs and videos, post status updates, comment on friends’ posts, play games, send messages to other users and even tag themselves at specific places where they have been.  As these sites have become more popular, the number of users and the amount of content shared has increased significantly.  For example, Facebook has one billion active users as of October 2012.[2]  604 million of those monthly users use Facebook mobile products, making social networking even more convenient for, and pervasive in, people’s lives. [3]

            As technology advances over time, it forces all professional fields, specifically that of the law, to keep up with it.  One way in which the law is struggling to understand the changes in technology is the discoverability of social media files.  As Americans share more personal information on social networking sites, lawyers are increasingly turning to these social networks as resources when confronted with litigation.  Social media are not just limited to certain types of litigation – they can be found in various litigated issues.

            Social media differ from other media outlets and websites that one might mistake them for being.  Unlike traditional media outlets like newspapers, television, or books, social media’s distinctive characteristic is ease of access.  While it takes significant effort to publish a magazine or broadcast a television program, social media allow users to publish content for wide distribution at little to no cost.  Additionally, social media are different from typical websites.  Unlike a website that can be accessed simply by entering a URL, the information on social networks is not always public because users have power to control access to the content that they publish.  This notion of privacy is not only present in the mind of a social media user.  The companies that own social networking sites are concerned about the privacy of the user as well, which creates the problems lawyers face in the discovery process of social media files.  Many social media providers, as well as other holders of electronic communications, refuse to produce the content of electronic communications of their users based upon the SCA.

            The SCA was enacted as Title II of the Electronic Communications Privacy Act (“ECPA”).[4]  Part of the reason why the act was adopted was to address privacy concerns created by the rise of new technologies that the Fourth Amendment might not be able to adequately address.  In passing the SCA, Congress hoped to “protect privacy interests in personal and proprietary information” that may be stored online.[5]  At the time in which the SCA was passed, internet users were very limited to what they could do.  Therefore, the language of the SCA does not take into account advanced technology due to the very limited version of the internet that existed in 1986.  Since there have been no updates to this piece of legislation, courts have struggled on how to apply it as the internet continues to grow.

            There is a mixture of cases supporting the protection of social media sites under the SCA and those that choose to ignore the SCA completely.  The prominent case that supports protection under the SCA comes from the U.S. District Court for the Central District of California.[6]  The Crispin court walked through the language of the SCA and considered what could be protected (putting emphasis on security settings) with regards to each aspect of social media information that was to be discovered (wall posts, private messages, etc.)  The other line cases, that disregard the SCA, allow overbroad discovery requests and subsequently fail to explain why the SCA does not protect any of the information contained in the requests.

            With some viewing the currently unrevised SCA as falling into antiquity, many questions remain as to how to apply it to cases involving technologically advanced companies.  Social networking sites present one of the largest challenges for courts to tackle when it comes to apply the SCA.  Because social media providers continue to raise the SCA as a defense to third party subpoenas, courts cannot ignore the SCA forever.  In coming years, many courts will have to address whether the SCA actually offers protection to social media providers from third party subpoenas.

Download PDF

Cite as: Conrad Jacoby, Jim Vint & Michael Simon, Databases Lie! Successfully Managing Structured Data, The Oft-Overlooked ESI, 19 RICH. J.L. & TECH 9 (2013), available at http://jolt.richmond.edu/v19i3/article9.pdf.

By Conrad Jacoby,* Jim Vint,** & Michael Simon***

[1]        Legal professionals regularly advise clients to ensure that the storage, retention, and accessibility of their Electronically-Stored Information (“ESI”) is in full compliance with all legal and regulatory requirements in the event this information becomes relevant in civil, criminal, or regulatory disputes.  However, what many practitioners may not realize is that the ESI that clients are required to produce for e-discovery includes both “unstructured” and “structured” data.  Searching and producing only one of these types of ESI may well not fully satisfy a client’s full discovery obligations.  Even worse, it might not present a full understanding of the factual issues in the matter and how to best prove them to the legal team.

I.  What Is “Structured Data?”

[2]        Most legal professionals are extremely familiar with “unstructured” or “loose” data, even if they do not necessarily know it by these terms.  Simply put, unstructured data refers to e-mail messages, word processing documents, spreadsheets, and presentations, among other things—in other words, human-readable information that is commonly sought as potentially relevant ESI in discovery.[1]  Structured data, on the other hand, refers to information residing in electronic repositories or silos, such as transactional and financial databases.[2]  Unlike unstructured data, which typically exists as static and self-contained files that are preserved, collected, processed, reviewed, authenticated, and admitted into evidence as stand alone documents, structured data exists as segments of information inside a larger system, one that is often quite complex and contains many parts.[3]  A database record, the closest analog that structured data has to a “document,” may not actually exist until a user performs some action through the database system to assemble a number of separate fields that could reside in many different parts of the system.  For this reason, information stored in a database cannot be placed into a standard e-discovery review system that has been optimized to view and categorize unstructured data.

[3]        The ESI stored in databases and other structured data repositories is every bit as relevant and discoverable as the loose files that are more commonly requested.  Federal Rule of Civil Procedure (“FRCP”) 34 is clear and unambiguous on this point:

Rule 34.  Producing Documents, Electronically Stored Information, and Tangible Things, or Entering onto Land, for Inspection and Other Purposes

(a) In General.  A party may serve on any other party a request within the scope of Rule 26(b):

(1) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control:

(A) any designated documents or electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form[.][4]

[4]        Unlike the discovery of unstructured data, for which a number of best practices have emerged, it has been difficult for the legal industry to develop best practices for the treatment of structured data in civil discovery due to the vast diversity of size, scope, and features found in different database systems.  The Sedona Conference^®, a non-partisan legal think-tank founded in 1997, formed a group in early 2009 to study the issues surrounding the discovery of structured data—culminating in the publication of The Sedona Conference^® Database Principles Addressing the Preservation and Production of Databases and Database Information in Civil Litigation (hereinafter the “Sedona Database Principles”) in April 2011.[5]  The Sedona Database Principles expand upon the original publication, The Sedona Principles: Best Practices Recommendations & Principles for Addressing Electronic Document Production (hereinafter the “Sedona Principles”),[6] as they specifically apply to databases and set out six additional precepts that provide practical suggestions for simplifying the discovery of structured data and clarifying the obligations of both the requesting and producing parties.[7]  An overarching theme of the Sedona Database Principles is that better communication between parties, their legal advisors and agents, and information technology professionals will substantially improve the management of this type of specialized ESI in legal disputes.[8]  To that end, the Sedona Database Principles specifically reference many of the precepts of the Sedona Principles that address and encourage cooperation between the parties.[9]

II.  How Does Structured Data Become Relevant?

[5]        Databases frequently record historical transactions and information that is relevant in litigation and investigations.  One would certainly expect that enterprise-level systems like Oracle and SAP, not to mention financial and transactional systems, human resource tracking systems, data warehouses, and content management systems (“CRM”), would all contain structured data.  However, other commonly used systems, including Cloud-based “Software-As-A-Service” (“SaaS”) systems, also feature the same back-end structured data systems as more obvious “database” systems.  Thus, structured data has largely replaced loose documents for tracking information for these and other similar functions: accident/incident reporting systems, call center records and associated data analytics, world wide web servers, point of sale systems, and social media.

[6]        The cumulative volume of data in business-related structured data repositories is immense and is projected to grow at an estimated annual rate of nearly twenty percent.[10]  Perhaps even more important to e-discovery practitioners, a recent survey about the state of discovery in civil litigation has shown that e-mail, the central focus of e-discovery requests for over fifteen years, is no longer the leading requested item.[11]  Instead, database and application data are now more often requested.[12]

[7]        An increasing number of litigation disputes involving “high profile” companies have made demands upon litigants to review, disclose, and produce at least portions of their databases.  Several examples are explored below.

[8]        The plaintiffs in In re eBay Seller Antitrust Litigation, an antitrust class action, sought production of transactional data from defendant eBay.[13]  The court granted the motion in part and eBay objected, claiming that the information sought did not already exist in easily compiled form, requiring eBay “to spend hundreds of thousands of dollars to dedicate a highly specialized engineering resource for a period of more than six months to create new data” solely for the matter.[14]  However, eBay’s own submissions in support of the objection contained three different estimates, ranging from a low of $179,000 to a high of $300,000.[15]  Moreover, eBay’s employee in charge of data warehouse development declared that the provided estimate could vary “by as much as five hundred percent.”[16]  The court first disposed of eBay’s argument that it could not be required to create anything new, finding that FRCP 34(a)(1)(A) supported the magistrate’s finding that the technical burden of creating the new material did not excuse production.[17]  In light of the hundreds of millions of dollars at stake in the action involving a defendant with billions of dollars in annual gross profits, and considering that the magistrate had already scaled back the scope of discovery, the court found no clear error in the magistrate’s determination that the potential costs and technical requirements were not unduly burdensome.[18]

[9]        In another case, a plaintiff injured by a sink that fell from a high storeroom shelf sought production of the database that the defendant, Lowe’s, used to record and track accident and injury claims.[19]  The trial court ordered Lowe’s to present a witness with knowledge and access to the system and to print out all requests for accidents occurring before the date of the plaintiff’s injury.[20]  Notably, Lowe’s objected that: (1) it had already produced a printout from the database of all falling merchandise claims for its stores within the state for the last five years; (2) the remaining portions of the database were not relevant; (3) the manner in which accident information was gathered and stored was a trade secret; (4) the purpose of the database was not for safety-related information; and (5) there was no way to restrict production of privileged or non-relevant information.[21]  The appellate court agreed with Lowe’s in part and limited the plaintiffs from accessing data without limitation as to time, place, or subject matter.[22]

[10]      In Procter & Gamble v. Haugen a plaintiff appealed from the dismissal of his Lanham Act and tortious interference claims which resulted in part from the court sanctioning it for failing to preserve relevant database information.[23]  Procter & Gamble (“P&G”) claimed that agents of a competitor spread false rumors that the company supported Satanism, using the profits from forty-three products to do so.[24]  P&G and its expert witnesses used the services of a third party vendor, Information Resources Incorporated (“IRI”), to track potential lost sales of the forty-three involved products.[25]  IRI used a database that gathered purchase information from retail stores into electronic market share databases.[26]  IRI’s databases stored data on a “rolling” basis so that data was kept only for a period of time before it was deleted from the system to make room for more data.[27]  Defendants requested production of all of the information that P&G used from the IRI databases and when P&G was unable to produce all of this information, the court found that P&G had spoliated the data and dismissed the matter as a sanction.[28]  On appeal, P&G focused on the fact that it was only a subscriber to the IRI database, did not own or control the system, and therefore could not have practicably provided the information to defendants.[29]  P&G could have provided direct access to the system to defendants, but this would not have covered all of the information they sought.[30]  P&G would have had to pay over thirty million dollars to obtain all of the information from IRI and even if it had, it would not have had sufficient storage capacity for the data.[31]  The court of appeals found that the district court had failed to address the fact that P&G did not “possess” the data and along with the defendants’ failure to prove prejudice, reversed the sanctions order.[32]

[11]      In another case involving a Lanham Act claim, a plaintiff sought discovery about the defendants’ sales of an alleged infringing product. [33]  One of those defendants, Wal-Mart, responded with 1,771 pages of Bates-stamped documents that represented a print-out of the tabular view of the raw data within its sales database.[34]  Plaintiff claimed that the printouts, with line item data arranged by columns and UPC codes, was “indecipherable” and thereby an insufficient response.[35]  The court was “convinced” that Wal-Mart’s burden in deriving the information from the database was “significantly less” than on the plaintiff since Wal-Mart controlled the system.[36]  For this reason, the court granted plaintiff’s motion to compel a more sufficient response from Wal-Mart.[37]

[12]      Finally, in an Americans with Disabilities Act claim, the Equal Employment Opportunity Commission (“EEOC”) sought to compel production of portions of the human resources database of a Supervalu and Jewel-Osco, major national food retailers.[38]  The EEOC originally sought broad production of information from the human resources database, but narrowed its requests after a meet and confer session to employee hiring, transfer, and termination records, along with job postings for the subject time period.[39]  The EEOC premised its request on the defendants’ own FRCP 30(b)(6) testimony that “this sort of analysis could be completed” and that defendants’ “types of database are designed for this sort of production at minimal expense.”[40]  Defendants first claimed that they did not have the particular database tool activated in their system to allow them to provide the information requested by the EEOC.[41]  Defendants then objected to the scope and burden of the request, claiming that the information would cover over 180 locations and 100,000 employees (when there were only 108 claimants) and that it would take their IT personnel over a week to write the code necessary to obtain the data.[42]  The court found that the EEOC had not established that the relevance or benefit of the information outweighed the burden and expense of producing it and thus denied the motion to compel.[43]

III.  Can a Party Wait to Deal with Structured Data until that Information Has Been Requested?

[13]      The information contained in databases can make the difference between winning and losing a case.  The Sedona Database Principles makes this statement as a matter of
plain fact: “Information contained in databases may be the best source for establishing certain facts in a legal dispute.  Information stored in this format also may be useful, if not essential, for analyses such as sorting, calculating, and linking to answer quantitative questions presented in a case.”[44]

[14]      It is a simple matter to move from the abstract language of the Sedona Database Principles to concrete situations.  Unstructured data, particularly e-mail, instant messages (“IM”), and typical “office” documents (i.e., Microsoft Word, Excel, and PowerPoint) provides evidence of the communication of activities—who knew what and when.  People will write e-mail and text messages to others concerning what they did.  Similarly, they will draft documents to memorialize actions that they have taken.  In contrast, the structured data in transactional and financial databases provides direct evidence of the action—how, how much, and how often.  The financial system will show that money was moved and the time and accounts involved.  A transactional application will record the supervisor’s approval of the money transfer.  Thus, the database systems provide a way to “follow the money” and recreate what happened, even if the communications record is incomplete or, in the case of fraud or shady dealing, deliberately obscured.  For this reason, some have called structured data “forgotten data”—“perhaps the single biggest missed opportunity for defense in e-discovery.”[45]

IV.  Planning for Discovery of Structured Data

[15]      Databases, especially major, enterprise, or department-level systems, are often highly complex and highly customized.  The discovery of structured data typically requires specific expertise with experience in deciphering data structures, relationships, and connections to other systems.  The Sedona Database Principles is filled with warnings about the need for expert assistance,[46] and it likens the act of trying to handle discovery requests involving structured data without such knowledge as “akin to seeing a thousand-piece jigsaw puzzle without an illustration that shows the final completed puzzle.”[47]

[16]      Seeking information stored in structured data repositories also requires more planning—and often more efforts at cooperation between the parties—than traditional e-discovery.  Parties that do not meet and confer before commencing structured data requests may well find that the court sends them back to square one.[48]  Many reasons exist for this heightened need for additional proactive planning and discussion, but none may be more pressing than the fact that downstream production requirements will control the early stage EDRM work conducted in Preservation, Collection, and Processing, and even potentially as far back as the critical Identification phase of e-discovery.

[17]      It should come as no surprise that the Sedona Database Principles places particular emphasis on one of the core principles from the original Sedona Principles:

Sedona Principle 3: The Early “Meet and Confer”

“Parties should confer early in discovery regarding the preservation and production of electronically stored information when these matters are at issue in the litigation and seek to agree on the scope of each party’s rights and responsibilities.”

Sedona Principle 3 is especially applicable in the context of database discovery because of the complicated technical and logistical questions raised by the storage of information in databases.  Database discovery may entail some of the most expensive and complex discovery in a litigation matter, and meaningful conversations between the parties early in the litigation can substantially reduce confusion and waste of resources.[49]

[18]      Challenges to the discovery of information stored in structured data repositories can occur from both opposing parties and litigants.  Many of the solutions for best using data from databases require the creation of a new view or analysis that differs from the way that the information is used in the ordinary course of business.  Responding to structured data requests is likely to require new reports, new extracts directly from the systems, or even entirely new systems to analyze data.  Attorneys are often not comfortable with this process, especially since information about how these new views of structured data were created may have to be disclosed to the other side if challenges arise as to the adequacy of the proffered discovery response.  Thus, it is critical to complete a full and frank discussion, between all stakeholders—each side and each role (Legal, IT, outside expert)—that clearly sets out all expectations before any work begins.

[19]      The first issue that practitioners are likely to confront during the e-discovery process involves the specific elements that will be extracted from the database.  In some situations, it may be necessary to preserve and collect elements that would not normally be considered “content,” such as reports, formulas, pick lists, reports, queries, and the like.[50]  For example, FLSA class action litigation often revolves around issues of how companies determined which employees were exempt from overtime and which were non-exempt; formulas within the HR and payroll systems applying these standards become critical.[51]  Fraud cases that center around who knew what and when could require the recreation of standard reports and views that were used at the time of the alleged suspicious activity.[52]  Such elements will almost certainly require rigorous preservation and collection methods, such as a complete database copy or a restored full back up, as outlined below.

[20]      In most cases, practitioners will need to focus solely on database content: the fields and records.  With this approach, legal teams must anticipate potential issues as they either use or produce this information.  Concerns include: (1) a need for completeness and usability of the data set; (2) availability of the data and technical feasibility of any planned search and retrieval Methods; and (3) cost.  Each concern is explored in turn below.

A.  A Need for Completeness and Usability of the Data Set

[21]      The fact that some of the data within a database may be relevant does not mean that the entire database must be produced.  Sedona Database Principle 1: Scope of Discovery clearly speaks to this point: “Absent a specific showing of need or relevance, a requesting party is entitled only to database fields that contain relevant information, not the entire database in which the information resides or the underlying database application or database engine.”[53]

[22]      Will legal teams require a complete set of data or merely an extensive subset of potentially relevant records?  For a small subset of data, a surgical approach will likely suffice.  However, if a complete dataset will be required for further analysis, the scope of database preservation, collection, and production will be much more extensive.  Date ranges for activity or database information creation may be helpful at this stage.

[23]      Does the team require a picture of the information present at a particular point in time?  If so, a snapshot of the data or the system will likely accomplish these objectives.  To create a historical record, a trend line, or to illustrate changes over time, more comprehensive preservation and collection will be required.

B.  Availability of the Data and Technical Feasibility of any Planned Search and Retrieval Methods

[24]      Structured data systems have a variety of capabilities and technical capacity.  Many of the older legacy systems can be very limited in how one can manipulate and export data.  Thus, before making any plans—or worse, commit to a regulator or the other side in litigation as to a methodology or deliverable data—it is critical to determine whether the target system includes the necessary capabilities.  The answer to this question will vary by the circumstances of each case, but some of the questions highlighted in Comment 2B of the Sedona Database Principles[54] provide a good starting point:

Can a user run searches within the system, other than those built specifically for the intended business uses of the database?[55]

Will the searches bring back complete information (i.e., all the requested data)?[56]

Is there information stored outside of  fielded tables?[57]

Does the producing party have custody and control of the database, such that it can access the “back end” of the system to export data, create custom reports, or otherwise access the system outside of normal business use?[58]

Does the system support third party tools that might be more efficient at querying the data?[59]

Does the system have reporting capabilities?[60]

Does the system support the creation of custom reports?

[25]      The answers to these and other questions will directly impact the extent to which a case team can preserve, collect, and ultimately produce the data stored within a database system.  It is crucial that qualified personnel correctly provide this essential foundational information.  It may be necessary to support such statements with documented expert evidence.  Given a lesser evidentiary showing, the courts have shown little sympathy for such claims, particularly when made by sophisticated corporations.[61]

C.  Cost

[26]      Structured data discovery has the potential to be more costly than “standard” requests.  It is imperative that parties have a strong understanding of the potential costs associated with structured data discovery.  Courts have become particularly sensitive over recent years to knee-jerk undue burden and cost claims under FRCP 26(b)(2)(B) that lack concrete documented support.[62]  This concern is yet one more reason why retaining experienced experts, who can attest to costs encountered in similar situations, may be critical to adequately educate both courts and requesting parties.

V.  Handling Structured Data within the EDRM

[27]      The Electronic Discovery Reference Model (“EDRM”) has come to provide an industry-accepted workflow for e-discovery across the litigation lifecycle.  Discovery of structured data can generally proceed within the EDRM framework, though a number of modifications may be required because of the unique requirements inherent in handling this type of ESI.  Virtually all structured data projects will require the application of an IT concept known as “ETL,” which is the acronym for Extract, Transform, and Load.  A good working definition for ETL is:

ETL is short for extract, transform, load, three database functions that are combined into one tool to pull data out of one database and place it into another database.  [Extract] is the process of reading data from a database.  [Transform] is the process of converting the extracted data from its previous form into the form it needs to be in so that it can be placed into another database.  Transformation occurs by using rules or lookup tables or by combining the data with other data.  [Load] is the process of writing the data into the target database.[63]

[28]      ETL is required in e-discovery for the simple reason that most business-oriented database systems (e.g., Peoplesoft, Cognos, Oracle Financials, specialized procurement software, and SQL databases) are designed to meet specific business needs and do not inherently “speak” to each other.  Hence, ETL permits different data formats to be assimilated or aggregated in a unified source for analysis.  This saves time querying multiple databases in various coding languages to try to quantify an impact, establishing relationships with the data across systems, and providing meaningful results to counsel and client.

[29]      For structured data, a typical workflow involves an ETL overlay of several EDRM phases, beginning with Identification and typically running through Preservation and Collection, and at times into the Processing phase.  This process is illustrated in the figure reproduced in the Appendix.

A.  Identification

[30]      The Identification phase for structured data is likely to require substantially more experience than it normally would for unstructured data systems.  Large-scale enterprise database systems, such as Oracle, SAP and PeopleSoft, are highly complicated and customized, requiring advisors with specialized expertise to understand them.  This complexity may even be considered a trade secret and thus protected by the software vendor.[64]  Even small-scale systems as simple as Microsoft Access databases are often customized and connected to other systems in ways that are both unexpected and poorly documented.  Older structured data repositories that fall into the categories of legacy data, obsolete hardware, and retired systems may present particular concerns since the documentation that existed at one time may no longer be available or accurate.  Further, the employees who created and maintained these systems may be long gone from the company, having taken with them any institutional knowledge about these systems.

[31]      For all of the above reasons, Sedona Principle 6: Responsibilities of Responding Parties is particularly applicable to and significant for the discovery of structured data.  Sedona Principle 6 reads: “Responding parties are best situated to evaluate the procedures, methodologies, and technologies appropriate for preserving and producing their own electronically stored information.”[65]  The Sedona Database Principles further apply this guidance to the discovery of structured data in Database Principle 2: Accessibility and Proportionality, which states: “Due to the differences in the way that information is stored or programmed into a database, not all information in a database may be equally accessible, and a party’s request for such information must be analyzed for relevance and proportionality.”[66]

[32]      However, the fact that a producing party is generally better situated to evaluate methodologies and burdens does not mean that the responding party can and should examine and evaluate such information unilaterally.  In accord with the Sedona Database Principles’ focus on cooperation between the parties, Database Principle 3: Use of Test Queries and Pilot Projects recommends that the parties work together, starting with the sharing of database and system documentation or even going so far as to create test queries and pilot projects.  It states: “Requesting and responding parties should use empirical information, such as that generated from test queries and pilot projects, to ascertain the burden to produce information stored in databases and to reach consensus on the scope of discovery.”[67]

[33]      Key goals in the identification phase should include:

Determining which systems are likely to include data that might need to be used or produced;

Establishing the current status and availability of the data, such as whether it is still within live data systems, in legacy systems, in archives, on backup media, offline, legacy or retired systems;[68]

Locating the data, as many database systems have parts spread out among many physical locations, often in remote server farms or co-location facilities;[69]

Ascertaining who controls those systems (a vendor, such as SalesForce or other third party, rather than the client/litigant, may actually have possession and day-to-day control over the database itself);

Understanding the functional purpose of those systems, both for which they were created and potentially for any later purpose or purposes for which they may be currently used;[70]

Determining the capabilities and limitations of the current system or media holding the data—an important step that will set practical boundaries for how data can be preserved, collected and processed;

Assessing the costs and burdens of obtaining—and if necessary restoring—the data from its current storage repository; and

Evaluating the potential benefit of obtaining the data.

[34]      Data flow and entity relationship diagrams can be particularly useful in tracking down database connections, assuming the company has taken the time to create such documentation.  This documentation augments the more technical documentation involved with data mapping and a data dictionary or schema.  Data mapping, which is a list of how enterprise systems interconnect (sometimes prepared as a list, but sometimes created as an actual graphical map),[71] can make the difference between the success and failure of the project.  Structured data systems connect to other systems within the enterprise, often to many systems and in surprising ways.  Missing those connections can mean missing necessary inputs, outputs, and related or relevant data.

[35]      A data dictionary or schema shows the type of data that is in a system, how it is organized and named, and the relationships between that data as it sits in fields and tables.[72]  Since structured data systems are often complicated and expensive, these tools tend to have long lives and may have changed purpose or focus over time.  As it can be burdensome to modify an underlying data table structure, newer data may be stored in repurposed fields or tables that may not be properly named or intended for the current use.  Such informal modifications are rarely fully documented unless a conscious (and recent) effort has been made to build a schema.  However, as underscored by Comment 1B of the Sedona Database Principles, data that could initially appear to be irrelevant may in fact be relevant because of its relationship and connection to other data fields.[73]  Thus, it is no surprise that the Sedona Database Principles propose that the responding party has a duty to provide the requestor with the information needed to convey a “basic understanding” of the database system.[74]

[36]      A final challenge in the identification phase is that the most common users of these structured data systems, the end-users or “customers” who query the substantive information stored in the database, are unlikely to be experienced IT professionals.  These users rarely have the time, knowledge, or ability to wade through technically confusing scenarios that a legal case team may pose.  A case team must take this into account and plan to interview a mix of end-users and database-knowledgeable IT professionals in order to build a reasonable understanding of a complex structured data repository in active use.

B.  Preservation and Collection

[37]      One of the most troubling aspects of e-discovery is that ESI has a tendency to disappear unless properly preserved.  Backup tapes get recycled, e-mail servers are purged of ex-employee accounts, and hard drives from the laptops of ex-employees are reformatted and reused.  Depending on the specific system at issue, some structured data repositories may be even worse in this regard.  While much unstructured data is lost due to human action, certain types of common structured data systems are specifically designed to eliminate or overwrite data regularly and automatically, without anyone’s direction or oversight.

[38]      These repositories stand in contrast to databases comprised of historical information, such as customer relationship management systems, complaint or incident databases, and financial systems used to determine trends, which are typically designed to log all inputted information.  In these systems, where one of their intended uses is long-term “data mining” for analytical purposes, the danger that information will disappear is appreciably less.

[39]      High volume transactional systems tend to overwrite data or regularly purge old data as the need for historical data is often limited and the volume of data that would build up over time would become prohibitively expensive to store.[75]  This problem is well known and the drafters of the 2006 FRCP Amendments who added the rules on ESI specifically noted that “many database programs automatically create, discard, or update information” and “that suspending or interrupting these features can be prohibitively expensive and burdensome.”[76]  Thus, practitioners assisting in a matter that touches these types of data systems will need to act quickly to preserve this type of system to avoid being left with incomplete data or none at all.[77]

[40]      Another unique wrinkle to the discovery of structured data is that the lines between the Preservation and Collection phases tend to blur.  For structured data, the information that is preserved is often exactly what is collected.  Most unstructured formats include potentially responsive files that are moved from at-risk locations (laptop hard drives, USB flash drives, unsecured network file stores, e-mail inboxes, etc.) to secure, locked down media or formats, pending further analysis.  In contrast, non-purging structured data typically needs to be collected from the underlying system to be preserved.  Thus, an already deadline-intensive e-discovery process can become more fraught with difficult-to-make and far-ranging early decisions.

[41]      It is important, however, to reemphasize that the fact that a database contains relevant information does not mean that the entire system must be locked down under a legal hold.  Sedona Conference Principle 5: Duty of Preservation places a practical limit on the expectations of the parties: “The obligation to preserve electronically stored information requires reasonable and good faith efforts to retain information that may be relevant to pending or threatened litigation.  However, it is unreasonable to expect parties to take every conceivable step to preserve all potentially relevant electronically stored information.”[78]  Thus, parties can use a number of different methods to collect and preserve structured data; the choice will be driven not by the impossible expectation of perfection, but by the circumstances of the case and the project scope questions previously discussed in “Planning for Discovery of Structured Data.”[79]  Each of these collection methodologies has advantages and disadvantages.  Improperly applied, some methodologies have the potential to harm the information integrity of the underlying database and therefore, need to be used carefully or may need to be discussed more fully with the requesting party before moving forward.

1.  Forensic Collection of the Live Database

[42]      Some disputes may require preservation and production of a complete copy of the database system.  For example, this may be necessary where questions exist about the integrity or functionality of the database as a whole or if there is a need to manipulate the data in some way other than just as a historical record.

[43]      Collecting an entire database has some advantages, such as in situations where the complete dataset or evidence must be preserved.  This method presents the path of least resistance to key issues of data verification and authentication in that data can be verified through MD5 or SHA-1 hash codes to authenticate it as the basis for its admissibility as factual evidence.  Complete collection also presents the safest route against spoliation as any changes to a database in active service will not impact the version that was collected and is now out of tinkering hands.

[44]      That said, copying an entire structured data repository also has disadvantages when compared to other information collection methodologies.  The first disadvantage is cost.  Unless the system is small (e.g., desktop computer-based), the sheer size of a data repository may require large amounts of storage media, significant IT investment, and costly disruption to corporate operations.  In addition, accessing a collected data repository may require building a comparable hardware and software environment to load, search, and otherwise manipulate the data.  Enterprise-level infrastructure for this task is likely to be quite costly, even on a short-term leased basis.  For older legacy systems, it might not even be possible to copy the system and even if were possible, duplicating the computer systems on which the information resides might have long become unavailable.  Contractual rights may prevent this collection methodology.  In the case of databases accessed over “the Cloud,” copying the database as a whole is strictly forbidden both by license and deliberately-created technical constraints.[80]

[45]      It is important to note that the preservation and collection of an entire database is rarely required for most legal disputes.  Most e-discovery requests involve only a subset of structured data.  Thus, collecting an entire database to preserve only a small amount of information within it incurs additional time and expense to search, cull, and select data, all of which will have to be done outside of the easy confines of an e-discovery review tool.

2.  Restoration of Backups from the Database

[46]      Similar in outcome, but potentially less burdensome, disaster recovery backups of a structured data repository may be used to preserve and collect databases.  Most organizations have regular business continuity backups of their key systems and it may be less onerous to divert one of these data snapshots than it would be to make a full copy of the live database.  However, the same disadvantages apply as making a copy of the system, along with some additional challenges that may make this potential methodology inappropriate in many situations.

[47]      Backup media may contain not just data regarding the database at issue, but also data from completely different systems as well.  Separating this information will require additional time and expense and may be complicated by data privacy requirements, such as HIPAA, that require the enactment of significant security measures for the removal of data.[81]  In addition to these costs, backup media must be restored, again requiring time, IT expertise, and suitable hardware to which the system image can be restored.[82]  Finally, backup systems are far from perfect and failure rates, while not as high as they have been even in the recent past, are still in the words of a highly-respected industry analyst, “not acceptable.”[83]

3.  Extracting Select Information from the Database

i.  All Fields/Data

[48]      A more selective and thus more efficient alternative to collecting an entire repository is extracting the substantive data from the system and exporting it into a generic data format that can be read by multiple databases.  The success of data collection using this methodology is relatively simple to test, using one of several established techniques.  In addition, if the extraction process is handled according to IT industry standard practices and properly documented, authentication should also be relatively straightforward.  Capturing a full set of the underlying data permits a case team to defer filtering and culling decisions to a later date, pushing back some expense until it is truly necessary.

[49]      Collecting database information through data extraction has some drawbacks.  As with other techniques that capture the entire data set, much of what is collected will be irrelevant and will need to be filtered out before any review or production.  This can be a lengthy, disruptive, and expensive process.  It is important to note that extracting the complete data set does not mean that all of the capabilities of the original database will be available.  Much of the value of many database systems stems from the computed values and analysis obtained by applying algorithms to source data.  Capturing raw data alone is often not adequate to collect this high-value relational information as well.[84]  The full extract, transform, and load process may be required to derive potentially critical information.

ii.  Selected Fields

[50]      Because databases typically track much more information than is relevant to a particular legal matter, it may be possible to extract select information stored within it.  Such selection can be applied along two axes: (1) limiting data extraction to a subset of database records and selecting them through an appropriate search query; and (2) limiting data extraction to only a subset of fields within a database record.  Often, both limitations are applied in the same export.  This approach has clear advantages in terms of cost, data volume, and amount of time required to complete the requested data extraction.  However, by the same token, leaving behind some of the validating information found in a database field may make the extracted information more difficult to authenticate.

[51]      Identifying and extracting the relevant data depends on three things: (1) knowledge of the system; (2) understanding of the matter; and (3) skill at creating queries.  Deficiencies in any one of these areas may complicate this effort.  In addition, because not all of the data in a database is collected using this methodology, there is some risk if the database has an information purging function built into it.  It may not be possible to fix mistakes if the initial selection criteria turn out to be incomplete.  Fortunately, when cooperation exists between all participants and parties in the process, this collection methodology can be both efficient and cost-effective for everyone.

iii.  Sample Fields (and Potentially Reiterations as Needed)

[52]      When the existence or non-existence of potentially relevant information is an open question, a final form of data extraction is to export sample database records.  The process can be repeated reiteratively, even incorporating suggestions from the requesting parties.  Properly conducted, this approach may permit a structured data repository to be dismissed as a source of potentially relevant information or it may hone the criteria required to identify and extract appropriate information.  Either way, approaching such an investigation cooperatively, rather than unilaterally, may enhance the defensibility of this approach.[85]

[53]      Selected sampling incorporates the risk factors that arise when extracting only select information from a database.  This approach adds a fourth potential failure point: the need for competence in generating appropriate sample sets and testing them for potential relevance.  Because of the highly selective nature of this approach, rigorous documentation is required to answer questions that may arise later as to the adequacy of how this methodology was applied.

4.  Reports

i.  Using Existing Reports

[54]      Existing (i.e., “canned”) database reports that are used for business purposes can be a useful first step for collecting structured data.  First, the total data volume will be much lower than other methods unless the reports are themselves massive.  However, as Comment 1F of the Sedona Database Principles highlights, even voluminous reports may still be appropriate to produce even with the inclusion of additional non-responsive information, as this could be the easiest, least expensive, and least burdensome way to obtain and produce the information so long as the producing party is not doing so for any improper purpose.[86]  Second, existing reports were created and generated for business purposes and thus have typically been “pre-validated.”  The accuracy of the information presented has been accepted as accurate and reliable as the basis for business decisions.[87]  This can greatly simplify post-production validation and authentication.  Third, these reports are typically minimally intrusive for an organization.  The report templates and underlying queries have already been created and used in the ordinary course of business so no custom workflow must be developed.  Fourth, especially with respect to Cloud-based/SaaS type proprietary systems, reports may be the only way to retrieve data from a system.

[55]      Unfortunately, the use of existing reports is not a perfect collection solution.  These reports were designed for specific business needs, not the needs specific to a legal dispute.  For this reason, existing reports rarely provide the information that is specifically requested.  They typically provide too much or too little.  A troubling problem, and one that is less well understood, is the fact that reports tend to not be “pure” output from the system.  Many database reports are compilations and aggregations of information that are more than raw information output from stored information.  Instead, this raw information may be added, reformatted, or otherwise “tweaked” from the pure source information in the database, sometimes to the point of showing significant deviation from source information.  For purposes of validation and authentication, this can create obvious problems.

[56]      Often, requesting parties do not automatically accept database reports in lieu of direct discovery of the source database.  In addition, it would be unwise to assume that the courts will side with the producing party over this issue without first examining the underlying facts leading to the creation of specific reports.[88]

ii.  Creating Customized Reports

[57]      Another option for data extraction from structured data repositories is to design a custom report.  Custom reports provide greater flexibility than existing reports due to their ability to be limited to relevant data, data fields, and time periods.  Custom reports also help to limit inadvertent disclosure of irrelevant data and can even be used on privileged, confidential, or protected personally identifiable information.

[58]      As a word of caution, not every system allows for the creation of custom reports, and even when this functionality is available, it may be difficult or expensive to use.  Custom reports may face a greater evidentiary hurdle than canned reports used in day-to-day business operations.  However, courts have been somewhat more sympathetic to production objections based on the undue burden of creating expensive custom database reports to comply with incoming discovery requests.[89]

5.  TIFF Image Snapshots

[59]      An older, and now less commonly accepted, way to produce structured data is to capture database output sent to the monitor or to reports and to render these “snapshots” to TIFF image.  This creates an easily preserved form that can be Bates-stamped and for which authenticity can easily be stipulated.[90]  While appropriate in some situations, this production method has fallen out of favor compared to other alternatives since it tends to reduce the fielded nature of the underlying data, thereby turning structured data into flat, inflexible unstructured documents that may or may not contain searchable text.  That being said, certain database systems have such limited data output capabilities that capture of data in this manner may be one of the only options currently available.

6.  Direct Access to the System

[60]      A final method for producing information from a database is to simply let the requesting party or its expert have direct access to that system to run its own queries or reports.  However, most litigants highly disfavor this method as it allows the opposing party potential access to privileged and confidential information within the database.  Courts that have addressed this situation have tended to be receptive to such concerns, requiring that limits be set.[91]  This direct access approach also has significant potential to disrupt in-house IT infrastructure and staff who are likely to be unhappy at opening a controlled organization’s asset to interlopers.  Indeed, the Committee Notes to the 2006 Amendments to FRCP 34 make it quite clear:

The addition of testing and sampling to Rule 34(a) with regard to documents and electronically stored information is not meant to create a routine right of direct access to a party’s electronic information system, although such access might be justified in some circumstances.  Courts should guard against undue intrusiveness resulting from inspecting or testing such systems.[92]

[61]      In addition, granting outsiders access to data repositories containing certain personally identifiable information may violate data privacy laws and create significant (albeit unrelated) liability for the producing party.  For these reasons, direct access to databases and other such systems tends to be granted over objection “only in extraordinary circumstances.” [93]

[62]      No matter what process is used to preserve and collect a database, proper documentation and testing is critical as many of these processes are complicated and mistakes can occur.  Proper documentation and a record of testing will help to demonstrate good faith efforts if these procedures are later called into question.[94]

C.  ECA and Processing

[63]      Once the data has been extracted from its repository, it typically undergoes further transformation so that it can be used in the investigation or litigation context prior to attorneys’ review for substance.  For loose documents, litigants typically apply early case assessment techniques, such as key word or concept filtering, to reduce the data volume.[95]  Unfortunately, such techniques do not apply well to structured data, as this information is largely centered around transactions rather than words and phrases.  Properly processing and limiting the volume of such systems can instead profile the transactions using specific fields, dates, and general ledger codes.  A strong understanding of the system at hand becomes even more important in such situations.

[64]      Traditional culling methods may be more helpful when the extracted data includes free-form text entry fields such as “comment” fields.  Even here, though, because the unified extracted data exists as a single mass of (fielded) information, culling this glob of information can raise evidentiary challenges unless all changes are well documented and ideally, negotiated at least in principle with the requesting party.

D.  Review and Analysis

[65]      Once the data has been processed and preliminary analytics have been applied, it may still need to be reviewed for responsiveness and privilege.  Some structured data can be managed within standard review platforms, especially flat-file reports and data tables rendered as Microsoft Excel spreadsheets.  On the other hand, data extracted from enterprise-grade relational databases cannot be loaded into a review platform with any genuine hope of validly reviewing this information.  As described in the Sedona Database Principles:

Analyzing email messages and discrete electronic files typically involves a team (sometimes a large team) of reviewers and takes place through a document review platform.  Such review and analytical tools, however, are a poor fit for the matrices of information found in tables of extracted database information.  Instead, review of this information may require technically sophisticated analysts to query the data and extract the meaning of its aggregated information.[96]

[66]      A more straightforward approach to reviewing structured data looks not to the data’s abstract relevance, but instead to the significance of its data values.  Certain field information, such as protected private information, may be redacted or stripped, but this is the closest analogy to the parallel review process that takes place in a document review platform.  Otherwise, extracted data is manipulated, queried, and explored.  In addition, once protected and privileged data fields are removed from extracted structured data, no further attorney review of individual data fields is typically required.

[67]      When the content of individual data fields, such as notes or memo fields, require attorney review, the review paradigm must be further adjusted.  Such a review is complicated by the fact that the information that requires review tends to be stored in a structured manner, but contains unstructured data, such as free text that lacks parameter constraints on length or format.  Technical specialists are typically enlisted to develop secure web-based database review tools that present this information in a reviewable format for redaction purposes.  Certain profiling and culling methods can be employed to reduce the overall volume of information that requires attorney review, but generally, some “eyes-on” attorney review will be required.

E.  Production

[68]      Extraction and Transformation processes largely set the production of structured data.  Information that has been shed as a by-product of transformation processes may now be non-replicable since many forms of extraction do not allow conversion back “upstream.”  You cannot, for example, extract data as reports and then reconstitute the data to produce it as a complete database.  Such is the reason that Sedona Database Principle 6: Form of Production reminds us that: “The way in which a requesting party intends to use database information is an important factor in determining an appropriate format of production.[97]  Comment 6A of the Sedona Database Principles takes this even further by underscoring that “it may be impossible for a responding party to take appropriate steps to provide database information in a reasonably useful format if it has no idea how the requesting party intends to use it.”[98]

[69]      Even if the parties do not avail themselves of the warnings of the Sedona Principles and the Sedona Database Principles and decline to work together to determine a reasonably usable production format, this lack of agreement does not mean that parties are free to produce data in any format they choose.  FRCP 34(b)(2)(E) requires:

(E) Producing the Documents or Electronically Stored Information.  Unless otherwise stipulated or ordered by the court, these procedures apply to producing documents or electronically stored information:

(i) A party must produce documents as they are kept in the usual course of business or must organize and label them to correspond to the categories in the request;

(ii) If a request does not specify a form for producing electronically stored information, a party must produce it in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms; and

(iii) A party need not produce the same electronically stored information in more than one form.[99]

[70]      Courts have shown that they will be alert to production formats that are not usable.[100]  Courts can also order parties to produce data in particular formats even if it requires the creation of entirely new data sets.[101]  However, at the same time, the full cost of producing structured data does not always fall entirely on the producing party.  In some circumstances, a requesting party may be required to bear the burden and expense of some degree of transformation of the data from the producing party so long as the format of the production was in fact reasonable.[102]

[71]      The Sedona Principles echo the concerns of the courts in Principle 12: Form of Production and Metadata:

Absent party agreement or court order specifying the form or forms of production, production should be made in the form or forms in which the information is ordinarily maintained or in a reasonably usable form, taking into account the need to produce reasonably accessible metadata that will enable the receiving party to have the same ability to access, search, and display the information as the producing party where appropriate or necessary in light of the nature of the information and needs of the case.[103]

[72]      Difficulties can arise when an opposing party requests that structured data be produced in “native format”—that is, the original file format in which producing party keeps the ESI.  Courts have sometimes shown an un-nuanced willingness to enforce general demands for native format production if it is properly and timely requested, or even if that is lacking, if good cause can be shown[104] or absent a showing of undue burden or hardship.[105]  At times, the courts have even required such native file productions from database systems.[106]  Many parties indirectly request this by requesting production of “the entire database.”[107]

[73]      Unfortunately, a “native file” production for structured data can present a number of difficult and unique problems.  First, and most obvious, the proprietary database format in which relevant data is stored may not be readable and thus, not “reasonably usable” to the requesting party.  Handing over to the other side a complete copy of a database system, particularly a world-class enterprise system, is also not a sufficient solution.  The recipient may well need to obtain a licensed copy of the system—a potentially very expensive proposition in the case of high-end database systems—or a near impossible proposition in the case of legacy or obsolete systems that are no longer commercially available (even as they remain protected by copyright and license restrictions from free copying).  Even if a license for the system can be obtained, installation of the system could take weeks or months and success is not always a given.[108]  Finally, even once such hurdles are successfully overcome, the very first use or view of a copied database system is likely to change the information therein, as such systems typically have tracking capabilities that are difficult or even impossible to turn off, making the copy no longer an accurate copy.[109]

[74]      For all of these reasons, more transformative production formats, which change the data from the way it is stored in the ordinary course of business, have become a commonly accepted discovery practice.[110]  In addition, a strong argument can be made that the fielded nature of the raw data, not the proprietary container in which it is stored, is the essential element that provides “native format” flexibility to this information.  If this argument is accepted, further transformation of the data may provide increased accessibility without compromising essential functionality.

VI.  Issues Beyond the EDRM

[75]      Because structured data does not fit squarely within an EDRM that was implicitly designed for unstructured data types, it should come as no surprise that additional issues often arise in working with structured data in discovery.

A.  Custody and Control

[76]      A respondent in discovery is only required to turn over what is in their possession, custody, and control.[111]  This obligation extends to traditional materials and ESI alike as well as to unstructured and structured data alike.  Complex databases, however, can challenge the issue of where data is stored and the extent to which it is “owned” by the content creator.  For example, a database may be housed entirely within a corporation and serviced by company IT professionals, so there would be no possession, custody, or control issue.  However, when the database is provided by a service provider, questions about information ownership can and do arise.  The licensing provisions for many Cloud-based SaaS providers hold that while information entered into the outsourced database may be the exclusive property of the database service client, many of the internal database elements that create relationships between this client provided data are proprietary to the point that a client does not have permission to view these relationships, much less export them in response to a discovery request.[112]  As a consequence, the “owner” of information in these systems—the SaaS client—may not have custody or control over a portion of the ESI that it would have to provide if it hosted the database itself.

B.  Verifying that the Data Collected is Accurate

[77]      Structured data has the unusual property of appearing accurate and precise, even if the substantive information that the database reports is riddled with errors.  This issue can occur because the precision of a database search query or report is separate and distinct from the way in which the source data was created or entered into the system.  For example, operators at a call center may be asked to enter their recollections and remarks about customer questions and complaints.  This information is likely entered quickly as the operators focus on handling as many calls as possible during their shift and it may contain errors.  Yet, when this same information appears in a database report, it is likely to have the appearance of an accurate and truthful statement.

[78]      Sedona Database Principle 5: Data Integrity, Authenticity, and Admissibility considers this issue: “Verifying information that has been correctly exported from a larger database or repository is a separate analysis from establishing the accuracy, authenticity, or admissibility of the substantive information contained within the data.”[113]  Thus, in working with structured data, many practitioners have found it useful to separate these two competing questions about “accuracy.”  It is possible to validate the accuracy of a mechanical data export.  For example, certain reference fields or reference values can be exported with the substantive data and those values verified against the source information in the database itself.  Even something as simple as comparing the number of database records exported against the number of database records returned by a search query is a step in this direction.

[79]      Conversely, practitioners can reserve the right to further challenge the accuracy of the information contained within a structured data repository.  In evidentiary terms, the authenticity of the information—that is to say, the information was accurately exported from a database—can be the subject of a stipulation, but the truthful nature of the information remains subject to standard challenges as to hearsay and general reliability.[114]

C.  Validating Structured Data so that It Can Be Admissible as Substantive Evidence

[80]      Validating structured data is an important consideration when working with this form of ESI.  As noted previously, many practitioners are able to find common ground and negotiate a stipulation that ESI has been accurately exported or copied from the source database.  Authenticity can be mechanically established even though the exported form of the data is unlikely to be identical to the way that the structured data was maintained inside a larger database.  The Sedona Database Principles recognize and address this problem, in Principle 4: Validation: “A responding party must use reasonable measures to validate ESI collected from database systems to ensure completeness and accuracy of the data acquisition.”[115]

[81]      The larger issue, though, is finding a consistent workflow for establishing the reliability of structured data so that it may be admissible for the truth of the information contained therein.  Because structured data is typically exchanged in the form of data exports or reports, at least one court has found that the business record exception to the hearsay rule is inapplicable as grounds for admitting this information for the truth of the matter asserted.[116]  In the case of Vinhee, the court required a detailed showing of how information was entered into a database, including all efforts to identify and correct errors.[117]  The court further required additional foundation about how the underlying database was managed.[118]

[82]      A majority of other courts have imposed a less onerous set of requirements to admit extracted structured data for the truth of the matter concerned.[119]  A key point of argument remains the degree to which substantive information entered into a database has been validated as accurate near or at the time of its creation as structured data.  Systems that include such validation will have their information more easily ruled admissible than more open and less regulated databases.  In such cases, courts may begin to look at some of the Vinhee factors as additional extrinsic evidence required to lay a sufficient evidentiary foundation.

D.  Privacy

[83]      There are many types of database systems that contain vast amounts of private and personally-identifiable information (“PII”) such as HR systems, financial systems, healthcare systems, and customer transaction systems to name a few.  PII resides in some unexpected databases that most would not expect to contain confidential PII.  Web-logging systems, for example, capture unique IP addresses that could be used to track down the identity and location of users.  Such protected information will need to be identified and redacted prior to release of this data to a requesting party.  On the plus side, the same analytical measures that can assist with the extraction of the data can often also be used to locate and redact the confidential data, whether by removing it or replacing it with dummy data.  However, while such systems cannot always be perfect, many privacy laws are written with such perfection in mind so as to be rather unforgiving even as towards minor violations.  Thus, the parties are advised to carefully discuss putting into place protocols, potentially including protective orders, against the possibility of the inadvertent disclosure of PII.[120]

[84]      Unfortunately, that is not the end to the potential problems.  Because database systems tend to be distributed, portions of a system or systems to which it connects may well physically be located across jurisdictions, such as the European Union, that have strict privacy regulations.[121]  Other jurisdictions may not be concerned with the physical location of the data, but instead as to whether the data subjects—those whose information has been collected and stored—live within that jurisdiction.[122]  The penalties for violations of these laws and regulations can be severe, so careful legal consideration of the issues before taking action is well advised.[123]

VII.  Conclusion

[85]      Dealing with structured data in e-discovery is something that should neither be ignored nor treated lightly.  A case team may be required to handle structured data because an investigator, regulator or the opposing party requests it, or a case team may need to deal with it just to try to understand and prove its case.  Situations will arise where the proper expert use of structured data is the best or the only way “to follow the money” and figure out what actually happened.  When that situation arises, case teams are likely to need expert assistance to handle the myriad of issues both technical and legal, within the EDRM, and without.

Appendix

ETL As Applied to the EDRM Model

*Derived from the Electronic Discovery Reference Model v 2.0, which are used under See Creative Commons Attribution 3.0 United States License. | © 2005-2012 EDRM, LLC.

The Sedona Conference^® Database Principles Addressing the Preservation and Production of Databases and Database Information in Civil Litigation[124]

Principle 1: Scope of Discovery

Absent a specific showing of need or relevance, a requesting party is entitled only to database fields that contain relevant information, not the entire database in which the information resides or the underlying database application or database engine.

Principle 2: Accessibility and Proportionality

Due to the differences in the way that information is stored or programmed into a database, not all information in a database may be equally accessible, and a party’s request for such information must be analyzed for relevance and proportionality.

Principle 3: Use of Test Queries and Pilot Projects

Requesting and responding parties should use empirical information, such as that generated from test queries and pilot projects, to ascertain the burden to produce information stored in databases and to reach consensus on the scope of discovery.

Principle 4: Validation

A responding party must use reasonable measures to validate ESI collected from database systems to ensure completeness and accuracy of the data acquisition.

Principle 5: Data Integrity, Authenticity, and Admissibility

Verifying information that has been correctly exported from a larger database or repository is a separate analysis from establishing the accuracy, authenticity, or admissibility of the substantive information contained within the data.

Principle 6: Form of Production

The way in which a requesting party intends to use database information is an important factor in determining an appropriate format of production.

Download PDF

Cite as: Michael Yager, E-Discovery as Quantum Law: Clash of Cultures—What the Future Portends, 19 RICH. J.L. & TECH 10 (2013), available at http://jolt.richmond.edu/v19i3/article10.pdf.

By Michael Yager*

I.  Introduction

[1]        Early in the twentieth century, the phenomenon that is the “quantum”[1] stormed the fortress of classical physics, causing Albert Einstein, one of science’s greatest thinkers, to opine, “[i]t was as if the ground had been pulled out from under one, with no firm foundation to be seen anywhere, upon which one could have built.”[2]  The theoretical laws associated with looking at reality on the quantum level violently collided with those related to looking at the same reality on the macro level.  The application of quantum theory to the mathematically pure and proven classical laws of physics introduced a cultural clash in the world of theoretical physics, which caused many physicists to doubt their very sanity.  This Article argues that developments in the law related to the phenomenon of “e-discovery”[3] have been no less shattering to those practitioners in the classical practice of law than the introduction of quantum theory in physics.  The introduction of “electronically stored information” or “ESI” using the procedural rules designed to govern the classical practice of law created an identifiable shift in jurisprudence related to e-discovery.[4]  Indeed, the introduction of this category of discoverable information caused a cultural explosion within a segment of the legal profession not seen in any other profession since those great thinkers of physics nearly a century ago.

[2]        This Article provides an overview of the clash of cultures extant in the practice of e-discovery related law today along with an entertaining comparative perspective from the viewpoint of a similar clash that occurred in the physical sciences.  The author hopes that by understanding more fully some of the causes of practitioner angst in managing e-discovery obligations, along with a glimpse of what trends can be expected in the future, this phenomenon can be better confronted and managed.

II.  Discussion

[3]        Changes in the law are most often driven by reasoned debate over a period of some time and carefully, if not cautiously, embraced by the bench.  Drama is by and large a stranger to the doorstep of the law, except for those moments that attend some social or economic issue with political import, and for the most part is incompatible with the plodding evolution of jurisprudence.  With complete awareness of and respect for the reality comprising the beautifully crafted portrait of the law, which was accomplished over hundreds of years by the many practitioners and judges using the most considerate strokes of the brush, this Article introduces a moment of drama.

[4]        Cultural explosions come in many colors and stripes.  In Europe, the French Revolution comes to mind.  In America, the emergence of an anti-government, anti-authority culture reflected in unprecedented massive national demonstrations across the landscape during the Vietnam War comes to mind.  Few would argue that these two examples do not reflect the clash of cultures between two different worlds of values and beliefs.

[5]        In the classical practice of law, one would expect to find a more subtle representation of such a clash aside from the guillotine of the French Revolution or the Kent State tragedy that captured the culture clash of noble protectors of freedom and dirty hippies protesting without a permit.  While a single image may not express the violence that often accompanies socio-cultural explosions within a nation’s history, its representation of the clash of worldviews can be no less dramatic.  The graphic presented as part of the article “Sanctions for E-Discovery Violations: By the Numbers” published in the Duke Law Journal in 2010 is one such representation. [5]  This graphic, reproduced in the Appendix, shows the increase in the number of cases in which e-discovery related sanctions were sought.[6]  Like the recording instruments of the first experiments in the early days of quantum physics, the explosion documented by this graphic, although not representative of physical violence, paints a portrait of an earth-shattering cultural clash within the realms of classical law and quantum law.

III.  A Clash of Cultures

[6]        The classical culture and practice of law are best captured in the days before the FRCP and the 2006 Amendments brought ESI to life.  As with isolated early experimental results in quantum physics, there are instances where courts acted on discovery abuses relating to ESI before those now hallowed amendments found their way onto the pages of the FRCP.[7]  Just like the early theories and experiments in quantum physics, these decisions were mere drops of rain on a landscape that was soon to experience the torrent of a flash flood running beyond the banks of a reasoned river of e-discovery related jurisprudence.

[7]        In “classical law,” discovery was something most often managed down the road after litigators were convinced that a relatively swift resolution of the merits by settlement would not take place short of moving on to more serious stages of the litigation life cycle.  E-discovery was often viewed as one of the steps toward the more deliberate moments of litigation, carrying with it a classical gravity of a sort.  While the FRCP and many state rules before the advent of ESI spoke to the duty of evidence preservation, one is hard pressed to identify more than a handful of litigation hold letters or memoranda from an attorney to a client amongst the tens of thousands of cases litigated before the year 2000.[8]  As the Duke Law Journal graphic indicates, a culture clash surrounding discovery motions practice emerges with ESI and the development of jurisprudence related to discovery preservation and spoliation, the phenomenon of “quantum law.”[9]  The graphic, however, is telling in that with the introduction of ESI into the FRCP, there was a brilliant clash of cultures between classical law and quantum law.  History will determine whether quantum law finds its etiology in the bench, the bar, or a combination of the two, but something continues to drive it in ample measure in the present.

[8]        Indeed, while conducting e-discovery CLEs, references to the Duke Law Journal graphic are accompanied with a simple question: “Why?”[10]  Why, on this graphic of discovery motions practice is over a quarter of a century of relatively flat, nearly negligible bars followed by an explosion of sanctions in the last six to eight years?  If the FRCP were amended, for example, to change the number of days allowed for mailing a response to discovery, or for the filing of an answer to a complaint, would we witness similar widespread non-compliance by attorneys?

[9]        The clash of cultures related to the phenomenon of quantum law has not escaped notice.  As with the introduction of quantum theory in physics, jurisprudence related to e-discovery has slowly begun to spawn incredulous observations.  This incredulity of the present clash is well captured in some of the comments from its historical counterpart in physics.  “The more I think about the physical portion of the Schrödinger theory, the more repulsive I find it,” Werner Heisenberg fulminated.[11]  Indeed, Schrödinger seemed to agree with him, exclaiming at one point that, “[i]f all this damned quantum jumping were really here to stay, I should be sorry I ever got involved with quantum theory.”[12]  Today, running on a course parallel to those esteemed scientists’ remarks, one can almost sense the same level of abject disbelief in the words of numerous court decisions resulting from the clash of cultures between classical law and quantum law.  One is particularly poignant:

Once again, this Court is required to rule on an e-discovery issue that could have been avoided had the parties had the good sense to “meet and confer,” “cooperate” and generally make every effort to “communicate” as to the form in which ESI would be produced.  The quoted words are found in opinion after opinion and yet lawyers fail to take the necessary steps to fulfill their obligations to each other and to the court.[13]

[10]      Certain words in these decisions seem to reflect judicial rumination on the quantum law phenomenon and point to a biting and unflattering analysis.  “[L]awyers—even highly respected private lawyers . . . need to make greater efforts to comply with the expectations that courts now demand of counsel with respect to expensive and time-consuming document production.  Lawyers are all too ready to point the finger at the courts and the Rules . . . .”[14]  In the title of his article, “‘Do I Really Have To Do That?’ Rule 26(a)(1) Disclosures and Electronic Information,” United States Magistrate Judge David J. Waxse succinctly captured the attitude of practitioners of classical law who continue to be buffeted by the requirements and impact of ESI.[15]  So widespread is this crash of clashing of cultures that Judge Waxse observed that such disbelief “echo[ed] around the litigation world.”[16]  Practitioners are also taking notice.

[11]      Ralph Losey, an attorney who phased out his general trial practice to fully engage in the e-discovery world, “quickly noticed something [he] had not seen before in any other field of law. . . . case law is dominated by sanctions cases involving spoliation of evidence. . . . [and] attorneys are often directly implicated in this spoliation.”[17]  Losey expressed early wonderment at the world of quantum law, “wonder[ing] if [he] had stepped into a crazy zone of the law.”[18]  Brad Harris and Craig Ball—the former an expert practitioner and the latter an attorney and one of the foremost national experts on e-discovery law—suggest that “[t]he growing urgency of this matter . . . touched off a flurry of rulings in the area of legal holds in 2010, with several major court decisions redrawing the map in what had been virtual terra incognita.”[19]

[12]      In the laboratory of quantum law, the results of the “experiments” in the form of an exploding ESI-related motions practice and resulting sanctions were often so bizarre that practitioners of classical law simply refused to accept what was before them.  Up seems to become down and far away now seems too close to bear.  The world of classical law is askew as if stretching to the forces of some unseen black hole.[20]  Simple basic tenets of law steeped in tradition are becoming seemingly meaningless in the world of quantum law.  The bedrock principles of stare decisis and the influence of nonbinding precedence hold no sway in this clash of cultures.  Practitioners now hear that an e-discovery spoliation decision made by a judge in New York’s Southern District might bear on how they should manage discovery in their district in the Fourth or Ninth Circuit.[21]  Respected counsel from respected firms, albeit of the newly emerging practitioner class of quantum law, write things about a single decision by a single judge “promis[ing] to significantly affect the way e-discovery is practiced and litigated in the federal courts.”[22]  Classical law practitioners’ reactions are deep seated and visceral.

[13]      I recall a dear friend a well-seasoned litigator summoning me to a lunch one day shortly after the release of the FRCP 2006 Amendments and the resulting written and reported smatterings of happenings from the world of quantum law began to appear.[23]  My friend inquired: “Do you believe this is something here to stay or just the latest judicial fad?”  I opined that perhaps what we were seeing belonged to the former rather than the latter category, which was answered by a look of despondency. With a panic stricken countenance in stark dissonance to
the once confident and charismatic litigator I had known for many years, my friend exclaimed: “I don’t care what a federal judge tells me to do about this so-called e-discovery.  I am simply not going to do it.  They cannot make my client incur all of these ridiculous costs!”  This was a response that well reflects the anguish that the simple term “ESI” introduced to the world of classical law.  Many classical practitioners felt, for the first time in perhaps storied careers, that the legal landscape over which they had exercised such command and control assumed a foreign and threatening shape.  Their refusal to acknowledge and accept what was fast becoming a new force in litigation to be reckoned with, I suggest, contributed to the phenomenon so well captured by the Duke Law Journal graphic.  It certainly did not escape notice of the editors of the Federal Judicial Center, who noted in the preface to Managing Discovery of Electronic Information: A Pocket Guide for Judges that:

This second edition of the pocket guide on the discovery of electronically stored information (ESI) follows the first—and the related 2006 amendments to the Federal Rules—by more than five years.  These intervening years have seen an explosion of civil case law on ESI.[24]

[14]      While there is room for debate as to the etiology behind this explosion and the reasons behind such wholesale resistance of one culture to another, there can be little doubt that regardless of what we can, tongue in cheek, term the “uncertainty principle”[25] as to a precise description of the cause of the phenomenon before us, before us it is.  Before us, it remains.

[15]      Notwithstanding some observations that suggest even a hint of reconciliation between classical law and quantum law, such reconciliation remains much sought after.  Its elusiveness caused Magistrate Judge John M. Facciola of the United States District Court of the District of Columbia to opine that, “[w]hen the dust settles 10 years from now and the scholars sit down cooperation will be seen as the most significant development from e-discovery.”[26]  Obviously, Judge Facciola believes that cooperation among counsel will resolve the effects that the clash of cultures caused and restore some sense of balance to what has been a tumultuous world of litigation since the advent of ESI.  This sentiment echoes a law firm blog entry a few years ago entitled “Sanctions Down; Cooperation Up; Preservation, Privacy and Social Media Remain Challenging.”[27]  In this blog entry, the authors draw a silver lining around a drop in the number of requests for sanctions in 2010 as compared with 2009, believing it “reflects greater adeptness by litigants and counsel in e-discovery practice and broader acceptance of cooperation and openness in the e-discovery process.”[28]  The statistics, however, carry with them that seemingly contradictory component typified by the clash of theories in classical and quantum physics.  Any hint of resolution or cooperation between the classical and quantum worlds always seems to leave a statistical “outlier”[29] that defies ultimate peace between the two different approaches of looking at the same world.[30]

[16]      While noting the drop, albeit slight, in requests for sanctions and the corresponding sanction decisions, a statistical anomaly that challenges what seems to be on the surface some promising data confronts the authors of the blog on the theme of cooperation increasing in e-discovery.[31]  “Although requests for sanctions decreased, motions to compel more than doubled in 2010, being filed in 43% of all e-discovery cases as opposed to 20% in 2009.”[32]  Like their counterparts in theoretical physics grappling with a bothersome experimental result to a hoped for theory, the blog authors suggest an explanation consistent with the proposed model of cooperation.[33]  To paraphrase, court intervention was sought on only a small number of e-discovery issues in which counsel could not agree with the intimation because this occurred after much cooperation.[34]

[17]      But to some observers, these “laboratory results” from the world of quantum law which indicate a doubling in motions to compel in 2010 with motions filed in “43% of all e-discovery cases” may not be as accommodating or optimistic. [35]  Indeed, it is a difficult argument to make that the spirit of cooperation between counsel, the suggested cause of the decreased number of sanctions, is more strongly attached to attorney behavior than perhaps a growing judicial discretion at the bench in meting them out. [36]  It would seem that the same spirit of cooperation which led to a fewer number of requests for sanctions might be expected to play out at the motions practice level, which is driven solely by attorneys.  It might be a stretch to attribute the doubling in the number of motions to compel in e-discovery cases to counsel who were doing their best to cooperate but got hung up on the narrow technicalities of an e-discovery agreement, otherwise known as a “gosh, we all just missed that” moment.  Filing a motion to compel was simply their last resort.  The data suggest otherwise.[37]

[18]      To attribute a significant learning curve in the ranks of counsel to a decrease in the number of sanctions requested and sanctions ordered would be an understandable rush to judgment in the hope of some promising sign that the tide of the cultural clash is beginning to recede.  One might similarly be impressed by the Equal Employment Opportunity Commission (“EEOC”) Performance and Accountability Report for the 2012 fiscal year, which indicates that the federal government is filing fewer lawsuits against companies.[38]  One could infer from this statistic alone that companies are learning how to better comply with the EEOC requirements for establishing non-discriminatory work environments.  As with the 2010 decrease in the number of e-discovery sanctions, there is an outlier to the decreasing number of lawsuits filed by the EEOC.  “[T]he number of systemic discrimination investigations has increased four-fold.”[39]  At the recent Georgetown Law Advanced E-Discovery Institute annual conference held in November 2012, one observer noted that frustration among the bench with lack of attorney cooperation continues:

Collectively, the group [of Judges] expressed frustration that lawyers were not taking the lead in EDD disputes, and thus, in essence, forcing the judges—rather than the parties themselves—to determine protocols and strategies.  The judges pushed several dominant themes: the need for lawyers to take the “meet and confer” obligations seriously; to educate themselves on technology options; and to be reasonable and realistic about e-discovery protocols . . . .[40]

[19]      This hardly sounds like growing sophistication and cooperation in the world of quantum law.  Rather, it is as if the clash of cultures is still in its infancy, reflecting the reality captured a few years ago in a Federal Judicial Center survey, that “only one in three respondents reported that their 26(f) conference to plan discovery included a discussion of ESI.  More than half of all respondents reported that the conference did not include discussion of ESI.”[41]

IV.  What the Future Portends

[20]      In discussing alternative explanations for the conflicting e-discovery data referenced above, it is possible in some measure to argue what the immediate future portends with regard to the practice of the e-discovery component of law and the continuing clash of cultures.  The following loom on the horizon:

A.  A Continuing Increase in E-Discovery Motions Practice 

[21]      A growing number of attorneys, particularly at larger firms or with more sophisticated practices, are becoming increasingly adept at the practice of e-discovery and learning how to better comply with court expectations.  Various federal circuits have initiated programs or local rules which, for the first time, set forth standardized expectations required of counsel.  This had led to an appearance of greater cooperation.  The Suggested Protocol for Discovery of Electronically Stored Information in the U.S. District Court, District of Maryland, and the Seventh Circuit’s Electronic Discovery Pilot Program are two such examples.[42]  More attorneys are attempting to comply with local rules and procedures with regard to e-discovery simply because some now exist where before there were none.

[22]      Litigation practitioners are putting to good use the resulting learning curve among attorneys indexed to increased participation in the e-discovery agreements required by local rules.  But far from meaningful cooperation in resolving e-discovery issues, the doubling of motions practice from 2009 to 2010 and from 2011 to 2012 speaks volumes about what is really occurring.[43]  Practitioners are becoming increasingly skilled and savvy in attempting to leverage the e-discovery advantage to tip the scales in their clients’ favor.[44]  It is much more likely that the doubling of motions to compel reflects this reality of the litigation process.[45]  As participants in an adversarial process, litigators realize that they are advocating on behalf of their client and were not retained to enter the calmer waters of mediation practice.  The future will carry this trend forward as more practitioners become aware that many federal and state courts will impose sanctions against adversaries vulnerable to the dynamic ESI legal environment.  Moreover, the trending of an increase in the imposition of sanctions will result in growing attempts by counsel to leverage this potential tactical advantage in the courtroom.[46]

B.  Double-Dip Inflation in E-Discovery Practice 

[23]      While the American economy is haunted by the threat of double dipping back into a recessionary spiral, e-discovery practice is poised to experience the opposite economic effect.  Indeed, e-discovery is poised to double-dip back into the inflationary spiral that the first clash of quantum law caused, which is a clash that saw the early and memorable monolithic sanctions dispensed in such cases as Qualcomm and Zubulake.[47]  Many of the largest law firms and major e-discovery vendors cut their teeth on these magnificently large and complex cases.  This was the playing field of much of the early e-discovery law.  The practitioners involved in these types of cases are those that experienced the greatest knowledge building within the often-intimidating world of law associated with e-discovery practice.

[24]      As quantum law has made itself known as a practice, there is a growing awareness on the part of many counsel in how to leverage what can be termed the patterns of exposure characterizing e-discovery law.  “Patterns of exposure” have to do with the breadth and depth of e-discovery law on a variety of issues.  As an example, the law relating to the issuance of written litigation finds a home in many federal circuits and thus the pattern of exposure in litigation practice in any circuit is enormous.  Whereas, more specific and narrowly detailed opinions such as Phillip M. Adams & Associates, L.L.C. v. Winbond Electronics Corp., in which the court stated that one of the parties should have anticipated litigation based on other lawsuits happening in the industry, cannot be said to have created a significant exposure footprint; despite being bothersome, the exposure pattern is more slight.[48]

[25]      Newly enlightened practitioners in the art of e-discovery leveraging will see to it that the attendant motions practice and sanctions that confronted early practitioners will bleed down to the small or medium practices and cases.[49]

C.  Growth of the Pool of E-Discovery Victims 

[26]      As the bleed down phenomenon of e-discovery cases runs more quickly from the mountains of large firms and practices to the surrounding hills of the smaller litigation landscape, the borders of e-discovery motions practice will expand beyond those large firms and large cases to include many more victims.  The pool of law firms confronting the exponentially growing world of ESI and its permeation into every corner of litigation of every conceivable size is growing.[50]  Indeed, for every law firm that is developing an acute awareness of the nuances of e-discovery law and of the expertise, both legal and practical, with which to navigate these arguably treacherous waters, there are others that have not.  This is a victim pool.  During the introduction of quantum theories, the scientific method required that the same phenomenon tested in a different laboratory setting must yield the same results.  Results that were incompatible with classical physics eventually overwhelmed it.  Similarly, the early cycle of quantum law will find new life and live again with the growth of the e-discovery victim pool, foreshadowing a growing motions practice and number of associated sanctions with this expanding pool of smaller firms and cases.

D.  An Eventual Flattening of the E-Discovery Motions Practice and Sanctions 

[27]      The relatively recent pushback against rising e-discovery costs by companies of all sizes is a pushback against and a modifying force to the clash of quantum law.  As with the downstream effect of growing e-discovery motions practice, this pushback will reach the newer practitioners who attempt to leverage this power as well.  This reality will be more responsible for cooperation among counsel than the hope that litigators reach some mythic plateau of altruism as noble officers of the court.  Also, as the next cycle of e-discovery practice bleeds down to a larger “victim pool” and runs its course, it should result in a certain equilibrium among practitioners who will know how to better manage the patterns of exposure attendant to ESI and the resulting portrait in jurisprudence related to e-discovery. 

V.  Conclusion 

[28]      Rather than doubting intuition, practitioners should heed the lessons of the introduction of quantum physics while observing the changing landscape in e-discovery that results from the clash of cultures between classical law and quantum law.  It may be comforting to classical practitioners that although quantum physics has yet to find a permanent home within the world of its classical counterpart, both now work side by side in what is seen as a quest of mutual interest of explaining the physical universe.  Each acknowledges the other’s legitimate role in the total picture and many of the early conflicts have been resolved.  In time, quantum law will reach equilibrium with classical law and e-discovery practices will become as predictable and acceptable as the filing of a motion in limine or a motion for summary judgment.

Appendix: Figure 1

[51]

Download PDF

Cite as: Justin P. Murphy & Adrian Fontecilla, Social Media Evidence in Government Investigations and Criminal Proceedings: A Frontier of New Legal Issues, 19 RICH. J.L. & TECH 11 (2013), available at http://jolt.richmond.edu/v19i3/article11.pdf.

By Justin P. Murphy and Adrian Fontecilla*

I.  Introduction

[1]        As the newest pillar of communication in today’s society, social media is revolutionizing how the world does business, discovers and shares news, and instantly engages with friends and family.  Not surprisingly, because social media factors into the majority of cases in some respect, this exploding medium significantly affects government investigations and criminal litigation.  Social media evidence includes, among other things, photographs, status updates, a person’s location at a certain time, and direct communications to or from a defendant’s social media account.  This Article will examine the importance of social media in government investigations and criminal litigation, including access to and use of social media evidence, constitutional issues that social media evidence raises, the authentication and admissibility of such evidence, in addition to the impact of social media on jurors.

II.  The Importance of Social Media

[2]        Social media use is widespread.  Ninety-one percent of today’s online adults use social media regularly, which has become the number one activity on the web.[1]  “People continue to spend more time on social networks than any other category of [web]sites,” accounting for “20% of their time spent on PCs and 30% of their mobile [use] time.”[2]  Social media use in the United States alone has increased by 356% since 2006.[3]  52% of Americans now have at least one social media profile,[4] more than one billion people use Facebook actively each month,[5] and 32% of all Internet users are now using Twitter.[6]  Notably, some of the largest growth in the last year has been among forty-five to fifty-four year old Americans, 55% of whom now have a profile on a social networking site.[7]

[3]        There are hundreds of social networking websites with each catering to a different demographic and providing a different type of content.[8]  Moreover, their users are constantly creating massive amounts of data.  “Twitter users send [one] billion tweets every two and a half days,”[9] Instagram users upload forty million images every day,[10] Facebook users share 684,478 pieces of content every minute, and YouTube users upload forty-eight hours of new video every minute.[11]  Social media users create more than just photos, videos, and tweets.  They share other information, such as their location as well.  “As of 2012, [seventeen] billion location-tagged posts and check-ins were logged.”[12]  The myriad and continually changing ways to share information via social media has resulted in a digital goldmine of potential evidence, such as profiles, lists of friends, group memberships, messages, chat logs, tweets, photos, videos, tags, GPS locations, likes, check-ins, and login timetables.[13]

[4]        The information that social media providers make available is staggering.  When a phone company responds to a government subpoena or search warrant, it may provide call or message logs.  In contrast, when a social media company like Facebook responds to a government subpoena, it could provide the user’s profile, wall posts, photos that the user uploaded, photos in which the user was tagged, a comprehensive list of the user’s friends with their Facebook IDs, and a long table of login and IP data.[14]  In addition, with the advent of location-based services that social media companies like Facebook, Twitter, and FourSquare offer, precise location information will be increasingly maintained in the ordinary course of business and subject to the same subpoenas and search warrants.[15]  One newsworthy example demonstrating the amount of information available to law enforcement from a simple photograph is that of John McAfee, the antivirus company founder who was recently on the run from law enforcement authorities investigating the murder of his neighbor.  McAfee was forced out of hiding when it was found that a photo of him published on a blog was embedded with GPS metadata pinpointing his exact location in Guatemala.[16]  Not surprisingly, each social media request can yield admissions or incriminating photos in addition to other evidence.[17]

III.  Accessing Publicly Available Social Media Evidence

[5]        It is no secret that government agencies mine social networking websites for evidence.  Even without having to seek a warrant from the court or issue a subpoena, there are troves of social media evidence publicly available.[18]  For example, the New York Police Department has a social media unit that mines Facebook, Twitter, and other social media sites for evidence of crimes and potential criminal activity.[19]  Moreover, a majority of government agencies are active participants who contribute content and solicit information through social media.[20]  Given the amount of information publicly available and the avenues that the government has to seek out such information, usually the government does not need a search warrant, subpoena, or court order to obtain social media evidence.

[6]        There are countless cases involving defendants who are arrested because of information, photos, or admissions posted to social media sites.  For example, a defendant in Kentucky was jailed after he posted a photo of himself siphoning gas from a police car onto Facebook.[21]  Another defendant broke into a Washington, D.C. home to steal a coat, a laptop, and cash, subsequently using the victim’s laptop to post a picture of himself wearing the stolen coat and holding up the stolen cash to the victim’s Facebook page.[22]  The photo was used later to secure a guilty plea from the defendant.[23]  While some sites allow users to control what content the public can access, many users do not make use of such tools.  In fact, twenty five percent of Facebook users do not use any type of privacy controls.[24]

[7]        In addition to searching for publicly available evidence, government agents are allowed to go further than defense counsel in pursuing social media evidence for a criminal proceeding.  To bypass the need for a search warrant, government agents may pierce the privacy settings of a person’s social media account by creating fake online identities or by securing cooperating witnesses to grant them access to information.[25]  For example, in United States v. Meregildo, the defendant adjusted the privacy settings on his Facebook account so that only his Facebook “friends” could view his postings.[26]  The government obtained the incriminating evidence against the defendant through a cooperating witness who happened to be Facebook “friends” with the defendant.[27]  The defendant moved to suppress the evidence seized from his Facebook account, arguing that the government had violated his Fourth Amendment rights.[28]  The court found:

Where Facebook privacy settings allow viewership of postings by “friends,” the Government may access them through a cooperating witness who is a “friend” without violating the Fourth Amendment. . . . While [the defendant] undoubtedly believed that his Facebook profile would not be shared with law enforcement, he had no justifiable expectation that his “friends” would keep his profile private.  And the wider his circle of “friends,” the more likely [the defendant’s] posts would be viewed by someone he never expected to see them.  [The Defendant’s] legitimate expectation of privacy ended when he disseminated posts to his “friends” because those “friends” were free to use the information however they wanted—including sharing it with the Government.[29]

[8]        Recently, federal authorities relied heavily on social media to build their case against four defendants who were allegedly involved in an Al Qaeda inspired terrorist cell based in California.[30]  The criminal complaint, which included a section titled “Defendants’ Social Media,” provides a glimpse into the various ways that law enforcement uses social media in its investigations.[31]  The investigators used an “online covert employee” who posed as a terrorism sympathizer to elicit damaging statements from the defendants, recorded Skype conversations between a confidential informant and the defendants, and relied on the social media content that each defendant “liked,” “shared,” or on which the defendant commented.[32]

[9]        The Securities and Exchange Commission also recently issued a Wells Notice for the first time based on a social media communication.[33]  On December 5, 2012, Netflix disclosed that it had received a Wells Notice from the SEC Enforcement Staff for allegedly violating public disclosure rules when its CEO, Reed Hastings, posted onto his Facebook with more than 200,000 followers that, “Netflix monthly viewing exceeded one billion hours for the first time ever in June [2012].”[34]  After receiving the notice, Hastings noted in a letter to shareholders that, “[W]e think posting to over 200,000 people is very public, especially because many of my subscribers are reporters and bloggers;” nevertheless, the SEC has provided no formal guidance concerning the use of social media, Regulation FD, and communications with the investing public. [35]

IV.  Social Media Companies, Subpoenas, and Warrants

[10]      Given the digital goldmine of potential evidence available from social media companies, it is not surprising that they are increasingly targeted in search warrants and government subpoenas in criminal matters.  For example, Twitter “received more government requests” for user information in the “first half of 2012 . . . than in the entirety of 2011.”[36]  In addition, approximately 80% of those requests were from authorities in the United States.[37]  Google, which operates social networking sites including YouTube and Google+, continues to receive subpoenas and search warrants in criminal matters at a rapidly accelerating pace.  Statistics published by Google, which “primarily cover requests in criminal matters,”[38] show that the number of Google user data requests received from government authorities in the United States more than doubled from 2009 to 2012 and that the United States accounts for over 39% of user data requests received from government authorities around the world.[39]

[11]      Moreover, the prevalence of social media evidence in criminal proceedings will continue to proliferate as government agencies continue to formally train their personnel to search for and collect social media evidence.  A recent survey of over 1,200 federal, state, and local law enforcement professionals reveals that social media is widely used to assist in investigations, few learned how to use social media for investigations through formal training, and “74% of those not currently using it . . . intend to start using it.”[40]  Moreover, the case law is already replete with instances in which the government obtained social media evidence through a warrant or subpoena directed at a social media company.[41]  Social media evidence is the new frontier of criminal proceedings and it raises unique legal challenges, including issues of admissibility and a defendant’s constitutional rights in material that social media companies maintain.

V.  Accounting for the Stored Communications Act

[12]      Federal law provides that in some circumstances, the government may compel social media companies to produce social media evidence without a warrant.  The Stored Communications Act (“SCA”) governs the ability of governmental entities to compel service providers, such as Twitter and Facebook, to produce content (e.g., posts and tweets) and non-content customer records (e.g., name and address) in certain circumstances.[42]  Passed in 1986, the SCA has not been amended to reflect society’s heavy use of new technologies and electronic services, such as social media, which have evolved since the SCA’s original enactment.[43]  Consequently, courts will continue to play a critical role in defining how and whether the SCA applies to the varying features of different social media services by applying precedent from older technologies, such as text messaging pager services or electronic bulletin boards.[44]

[13]      The SCA provides that non-content records can be compelled through a warrant or court order.[45]  With regard to the compelled disclosure of communication content, the SCA provides different levels of statutory privacy protection depending on how long the content has been in electronic storage.[46]  The government may obtain content that has been in electronic storage for 180 days or less “only pursuant to a warrant.”[47]  “The government has three options for obtaining communications . . . that have been in electronic storage with an electronic service provider for more than 180 days: (1) obtain a warrant; (2) use an administrative subpoena; or (3) obtain a court order under § 2703(d).”[48]

[14]      At least one Circuit Court of Appeals has called into question the constitutionality of the SCA.[49]  In United States v. Warshak, the Sixth Circuit held that “the government agents violated the Fourth Amendment when they obtained the contents of [defendant’s] e-mails” without a warrant and added that, “to the extent that the SCA purports to permit the government to obtain such e-mails warrantlessly, the SCA is unconstitutional.”[50]  The court reasoned that “[o]ver the last decade, e-mail has become ‘so pervasive that some persons may consider [it] to be [an] essential means or necessary instrument[] for self-expression, even self-identification’” and that therefore, “e-mail requires strong protection under the Fourth Amendment.”[51]  Noting that e-mail was analogous to a phone call or letter and that the internet service provider was the intermediary who made e-mail communication possible, the functional equivalent of a post office or telephone company, the court concluded that given “the fundamental similarities between e-mail and traditional forms of communication, it would defy common sense to afford e-mails lesser Fourth Amendment protection.”[52]  However, Congress made clear that changing the law will require extended consideration when, on December 24, 2012, the Senate removed from proposed legislation an amendment to the SCA that would have prevented authorities from viewing a person’s e-mail messages without obtaining a warrant.[53]  In the meantime, courts will play a key role in clarifying how the SCA applies not only to e-mails, but also to the social media that has rapidly become as pervasive and important to people as e-mail.

VI.  Defining a Defendant’s Constitutional Rights Regarding Social Media Evidence

[15]      Courts have also started grappling with novel issues relating to the constitutionality of the government’s use of information obtained from social media companies in criminal proceedings.[54]  For example, a New York appellate court will soon issue an opinion regarding Twitter’s appeal of two court orders in the prosecution of an Occupy Wall Street protestor in People v. Harris.[55]  The trial court held that the defendant lacked standing to move to quash the government’s third-party subpoena to Twitter for his account records and that the Fourth Amendment did not protect his tweets.[56]  The trial court similarly denied Twitter’s motion to quash the government’s subpoenas for the defendant’s Twitter records for the same reasons.[57]  Although Twitter’s appeal is pending, Twitter turned over the data after the trial judge threatened the company with civil contempt and fines, which led to the defendant’s guilty plea in December 2012.[58]

[16]      Notably, the defendant was only able to move to quash the subpoena because “Twitter’s policy is to notify users of requests for their information prior to disclosure,”[59] a policy which is becoming more common among social media companies.[60]  Not only does Twitter notify its users that the company has received a government-issued information request for the user’s data, but it also protects its business by litigating against such third-party government subpoenas.[61]

[17]      On appeal, Twitter argued that the defendant has standing to quash the government’s subpoena because he has a proprietary interest in his tweets, pointing to the express language of Twitter’s Terms of Service.[62]  Moreover, Twitter claimed that the Fourth Amendment protects the defendant’s tweets, primarily because the government concedes that the defendant did not make public the tweets that it sought.[63]  If a defendant has a reasonable expectation of privacy under the Fourth Amendment in his or her non-public e-mails,[64] refusing to afford that same protection to users’ non-public tweets would create “arbitrary line drawing.”[65]  Finally, even assuming that the tweets in question were public, Twitter argued that the government still requires a search warrant under the federal and New York constitutions.[66]  Notwithstanding Twitter’s pending appeal, Twitter complied with a court order requiring it to promptly submit the defendant’s tweets under seal.[67]

[18]      The line-drawing concerns that Twitter expressed in its People v. Harris brief, that a defendant’s reasonable expectation of privacy under the Fourth Amendment in his or her social media records depends on the privacy settings for the particular account in question, were implicated in United States v. Meregildo, a case in which the court held that “[w]here Facebook privacy settings allow viewership of postings by ‘friends,’ the Government may access them through a cooperating witness who is a ‘friend’ without violating the Fourth Amendment.”[68]

[19]      Some courts have concluded that individuals have “a reasonable expectation of privacy to [their] private Facebook information and messages.”[69]  Those courts, while recognizing the importance of properly understanding how Facebook works, distinguished between “private messaging” and posts to a user’s Facebook wall.[70]  Using privacy setting distinctions to determine social media users’ constitutional rights may result in arbitrary line drawing that might evaporate as social media evolves.  Indeed, with Facebook’s customizable and post-specific privacy settings, a person who shares a message by posting it on another user’s wall can actually make it as private as information shared via a Facebook message.[71]

[20]      In addition, it remains uncertain whether, given the sheer breadth of information available in any particular social media account, one can successfully challenge search warrants for entire social media accounts for lacking sufficient limits or boundaries that would enable the government-authorized reviewing agent to ascertain which information the agent is authorized to review.[72]  Ultimately, because an expectation of privacy under the Fourth Amendment is partly a function of whether “society [is] willing to recognize that expectation as reasonable,” social media’s rapid proliferation through today’s society may influence the privacy protections afforded to social media evidence in the future.[73]

VII.  Defending a Criminal Case with Social Media Evidence

[21]      Defendants face more significant obstacles than the government when seeking exculpatory evidence from social media companies.[74]  First, defendants and their counsel do not share the government’s freedom to sleuth for publicly available social media evidence, although counsel should have free access to anything his or her client produced or can access.[75]  Ethics opinions issued to lawyers in various states have established that a defendant’s lawyer may not “friend” or direct a third person to “friend” another party or witness in litigation in order to search for impeachment material or exculpatory evidence.[76]

[22]      Second, defendants face additional hurdles when seeking to issue a third party subpoena.[77]  Defendants may seek to subpoena social media companies for user information regarding the victim, the complaining witness, or another witness.[78]  In those instances, in federal criminal proceedings, defendants must pursue such non-party discovery pursuant to Federal Rule of Criminal Procedure 17 and seek a court order allowing such a subpoena.[79]  Among other hurdles in seeking such an order, the court may find that the evidence maintained by a social media website is “private,” in which case the SCA prohibits a non-governmental entity, such as Facebook and MySpace, from disclosing that information without the consent of the owner of the account or a government order.[80]  In one high profile example of a defendant clearing such hurdles, on October 19, 2012, the court presiding over the Trayvon Martin murder trial granted the defendant’s motion seeking permission to subpoena Facebook and Twitter for the records of Trayvon Martin’s social media accounts in addition to Mr. Martin’s girlfriend’s Twitter account.[81]  Notwithstanding the order, Facebook and Twitter may challenge the subpoenas as Twitter so did in People v. Harris.

[23]      Despite these challenges, criminal defendants may attempt to use novel methods of obtaining exculpatory social media evidence.  For example, under Brady v. Maryland or Giglio v. United States, one may obtain a law enforcement officer’s social media account records.[82]  Moreover, courts may order jurors, witnesses, or third parties to produce or manipulate their social media information in unique and unprecedented ways.  For example, courts have: (1) ordered a juror to “execute a consent form sufficient to satisfy the exception” in the SCA to allow Facebook to produce the juror’s wall posts to defense counsel;[83] (2) ordered a party to briefly change his Facebook profile to include a prior photograph so that his Facebook pages could be printed as they existed at a prior time;[84] (3) recommended that an individual “friend” the judge on Facebook in order to facilitate an in camera review of Facebook photos and comments;[85] and (4) ordered parties to exchange social media account user names and passwords.[86]  Such novel avenues of access to social media evidence may be considered when the defendant subpoenas a social media provider for certain records of a witness or victim and the social media company objects to the subpoena pursuant to the SCA or is unable to produce the evidence as it previously existed.

VIII.  Admissibility of Social Media Evidence

[24]      Social media is subject to the same rules of evidence as paper documents or other electronically stored information, but the unique nature of social media as well as the ease with which it can be manipulated or falsified creates hurdles to admissibility not faced with other evidence.[87]  The challenges surrounding social media evidence demand that one consider admissibility when social media is preserved, collected, and produced.  It is important for counsel to memorialize each step of the collection and production process in addition to considering how counsel will authenticate a tweet, Facebook posting, or photograph.  Methods of authentication include presenting a witness with personal knowledge of the information (they wrote it, they received it, or they copied it), searching the computer itself to see if it was used to post or create the information, or attempting to obtain the information in question from the actual social media company that maintained the information the ordinary course of their business.

[25]      Notably, these same challenges face the government who must also consider the admissibility of social media when they conduct their investigation.  In United States v. Stirling, the government seized the defendant’s computer pursuant to a search warrant and provided the defendant with a forensic copy of the hard drive.[88]  The government also performed a forensic examination of the hard drive and extracted 214 pages of Skype chats downloaded from the defendant’s computer, which were not “readily available by opening the folders appearing on the hard drive,” but did not provide this information to the defense until the morning of its expert’s testimony near the end of trial.[89]  The logs “had a devastating impact” on the defendant because they contradicted many of his statements made during his testimony and he was convicted.[90]  In a short but stinging opinion ordering a new trial, the court found:

[If a defendant] needs to hire a computer forensics expert and obtain a program to retrieve information not apparent by reading what appears in a disk or hard drive, then such a defendant should so be informed by the Government, which knows of the existence of the non-apparent information.  In such instance, and without the information or advice to search metadata or apply additional programs to the disk or hard drive, production has not been made in a reasonably usable form.  Rather, it has been made in a manner that disguises what is available, and what the Government knows it has in its arsenal of evidence that it intends to use at trial.[91]

[26]      While both government and defense attorneys continue to grapple with addressing and authenticating social media sources of evidence, courts largely seem to be erring on the side of admissibility and leaving any concerns about the evidence itself, such as who authored the evidence or whether the evidence is legitimate, to jurors to decide what weight to give that evidence.  For example, courts have ruled social media evidence as admissible where the content of the evidence contains sufficient indicia that it is the authentic creation of the purported user.[92]  In Tienda v. State, the appellant was convicted of murder based in part on evidence that the prosecutors obtained after subpoenaing MySpace. [93]  Specifically, “the State was permitted to admit into evidence the names and account information associated with [the defendant’s MySpace.com profiles], photos posted on the profiles, comments and instant messages linked to the accounts, and two music links posted to the profile pages.”[94]  The Court of Criminal Appeals affirmed the trial judge’s decision and concluded that the MySpace profile exhibits used at trial were admissible because they were a sufficient “indicia of authenticity” that “the exhibits were what they purported to be—MySpace pages for which the appellant was responsible for” the content.[95]

[27]      In another recent case, a defendant was convicted of aggravated assault following a domestic dispute with his girlfriend.[96]  At trial, the prosecution introduced Facebook messages sent from the defendant’s account in which he indicated that he regretted striking his girlfriend and asked for her forgiveness.[97]  The defendant denied sending the Facebook messages and argued that both he and his girlfriend had access to each other’s Facebook accounts.[98]  On appeal, the court, acknowledging that “electronic communications are susceptible to fabrication and manipulation,” affirmed the trial court’s ruling that allowed the state to authenticate the messages through circumstantial evidence, most notably that they were sent from the defendant’s account and that the girlfriend testified that she did not send the messages.[99]  In another instance, a federal court found that photographs of a defendant from his MySpace page, which depicted him holding cash, were relevant in his criminal trial for possession of firearms and drugs, but it withheld ruling on the admissibility of the photos and whether they presented a risk of unfair prejudice.[100]

[28]      Given the proliferation of social media, the increasing sophistication of technology, and the potential challenges relating to the reliability or authentication of social media, the authentication and admissibility of such evidence will likely continue to be the subject of vigorous disputes between parties that may mean the difference between ultimate guilt and innocence.

IX.  Juries and Social Media

[29]      Admissibility is just one challenge that the Internet and social media pose at trial.  Another difficult issue relates to what information may be gathered about prospective jurors.  At least one bar association has determined that attorneys may use social media websites to conduct juror research as long as no communication occurs between the lawyer and the juror as a result of the research.[101]  However, attorneys may not research jurors if that research results in the juror receiving a communication.[102]  Third parties working for the benefit of or on behalf of an attorney must comport with the same restrictions as that attorney and, similarly to other ethical restrictions on defense counsel’s ability to use social media as an investigative tool discussed supra, an attorney cannot use deception to gain access to a juror’s website or to obtain information.[103]

[30]      One of the most recent and challenging social media trends relates to jurors using wireless communication devices to look up a defendant’s criminal record, conduct their own investigation into a case, post their opinions about the case on social media websites, or attempt to “friend” parties, lawyers, witnesses, or judges.  In some instances, this conduct has resulted in mistrials and overturned convictions.[104]  In other instances, such conduct has caused courts to conduct lengthy hearings to determine the impact of the juror’s actions.  For example, in Sluss v. Commonwealth, a defendant appealed his murder, assault, and evidence tampering convictions on the grounds that two members of the jury, including one who served as the jury foreperson, failed to indicate during voir dire that they had each “friended” the victim’s mother through Facebook.[105]  The Supreme Court of Kentucky, noting that being a “friend” on Facebook was not enough by itself to prove bias for disqualification as those “friendships” may be superficial, reversed and remanded the case with instructions to hold a hearing on whether the jurors should have been struck from the jury panel on the basis of their alleged social networking activity.[106]  Finally, the inappropriate use of social media has led to stiff penalties for both jurors and attorneys.[107]

[31]      Both legislatures and courts have attempted to respond to these trends.  For example, California adopted a new statute clarifying that jurors may not use social media and the Internet, such as texting, Twitter, Facebook, and Internet searches, to research or disseminate information about cases, and they can be held in criminal or civil contempt for violating these restrictions.[108]  On August 21, 2012, a Judicial Conference Committee announced that it had created an updated model set of jury instructions to help judges discourage jurors from conducting research or communicating about their cases through social media.[109]  The model instructions state:

I know that many of you use cell phones, Blackberries, the Internet and other tools of technology. . . . You may not communicate with anyone about the case on your cell phone, through e-mail, Blackberry, iPhone, text messaging, or on Twitter, through any blog or website, including Facebook, Google+, My Space, LinkedIn, or YouTube.  You may not use any similar technology of social media, even if I have not specifically mentioned it here.[110]

[32]      The chair of the Conference Committee who provided the updated rules stressed that:

The judges recommended that jurors frequently be reminded about the prohibition on social media before the trial, at the close of a case, at the end of each day before jurors return home, and other times, as appropriate.  Jurors should be told why refraining from use of social media promotes a fair trial.  Finally, jurors should know the consequences of violations during trial, such as mistrial and wasted time.  Those recommendations are now part of the guidelines.[111]

X.  Conclusion

[33]      Social media evidence is undeniably a critical new frontier of government investigations and criminal proceedings.  Social media has rapidly become so pervasive that while users are creating warehouses of data every day and social media companies roll out new communication features, courts, government agencies, practitioners, and the social media companies themselves are struggling to understand how this information fits into existing legal paradigms of constitutional protections, the SCA, and rules of evidence.  Despite this uncertainty, one thing is clear.  The government has a deep and largely one-sided set of tools for seeking out and obtaining social media evidence that plays an ever-increasing critical role in their investigations and litigation.

Download PDF

 Cite as: Thomas Y. Allman, Local Rules, Standing Orders, and Model Protocols: Where the Rubber Meets the (E-Discovery) Road, 19 RICH. J. L. & TECH 8 (2013), available at http://jolt.richmond.edu/v19i3/article8.pdf.

By Thomas Y. Allman*

[District Courts], impatient with the failure of the national system to solve pressing, indeed urgent, procedural problems, utilize local rules in an effort to shape pragmatic solutions . . . . [as] one route to procedural change.[1]

I.  Introduction

[1]        In late 2012, the U.S. District Courts for the Western District of Washington,[2] the Northern District of California,[3] and the District of Oregon[4] all announced, in close proximity with one another, local initiatives that deal with e-Discovery issues that the 2006 E-Discovery Federal Rules Amendments (the “2006 Amendments” or the “Amendments”) largely ignored.  These proposals are part of a second wave of local rulemaking, which is more focused on pragmatic solutions than earlier efforts.

[2]        A large number of federal districts have undertaken local initiatives to deal with e-Discovery.[5]  Some merely make passing reference to e-Discovery in local rules while others explicitly describe topics deemed worthy of attention or mandate specific measures to resolve open e-discovery issues.  However, many districts have yet to make such special accommodations.

[3]        Less visible but equally important efforts have been made to accommodate e-Discovery by amendments to standard forms.  For example, there are now many useful forms available for Rule 26(f) reports and discovery plans, as well as for joint or individualized proffers of scheduling orders or case management orders.

[4]        Section II of this Article describes the legal context for local initiatives.[6]  Section III explores the types of local responses to the 2006 Amendments.[7]  In Section IV, the efficacy of key components emerging from the variety of approaches described is evaluated.  The author concludes that concerns over a lack of procedural uniformity among the districts are largely overblown and that some initiatives serve as welcome harbingers of national rulemaking.  The author also expresses concerns about over-reaching in some of the measures studied.

II.  The Legal Context

[5]        This Article turns first to the general description of rulemaking at the local level, focusing first on the statutory and rule-based framework.

A.  Local Rules

[6]        The authority to enact local rules flows from 28 U.S.C. § 2071 and Rule 83 of the Federal Rules of Civil Procedure.  A local rule “must be consistent with—but not duplicate—federal statutes and rules adopted under 28 U.S.C. §§ 2072 and 2075.”[8]  Local rules typically “supplement the applicable Federal Rules”[9] and have the force of law.[10]  The mere fact that a federal rule is not fully comprehensive, such when the rule is “silent” on a topic, does not bar otherwise permissible local initiatives.[11]

[7]        Unless a majority of the district judges approve the local rules after “giving appropriate public notice and an opportunity for comment,” they are ineffective.[12]  Districts must use Local Rules Advisory Committees to assist in developing suggestions for and reviewing potential changes in the rules.[13]  The rules are available on district websites and in legal research databases.[14]  Numbering must conform to a uniform national system based on the Federal Rules.[15]  In Hollingsworth v. Perry, the Supreme Court confirmed that local rules enacted without meeting these procedural requirements risk invalidity.[16]

[8]        Not all districts rely on extensive local rules.[17]  Some also use “Administrative,” “Standing,” or “General” orders, typically to provide administrative detail.[18]  In most districts, they are also available on the district website.[19]  When used to provide procedural mandates, however, they are subject to the same consistency requirements as local rules.[20]  In 2009, the Standing Committee issued helpful guidelines on the topic.[21]

B.  Individual Judicial Practices

[9]        Rule 83(b) acknowledges that individual district judges may “regulate [their] practice in any manner consistent with” federal and local rules or statutes.[22]  These preferences are often expressed in “practice guidelines” or in case management forms reflecting the preferences of individual judges.[23]  Many districts provide easy access on websites,[24] but in some instances, they can be difficult to locate.

[10]      District judges play an active role in tailoring e-Discovery to the needs of individual cases through case management.  This is consistent with an inherent right to manage individual cases,[25] which trumps mandates of the national and local rules.  It has been observed that individual judicial practices may introduce more disuniformity into the civil litigation process than do varying local rules.[26]  Not surprisingly, commentators universally advocate paying close attention to such local practices.[27]

C.  Standardized Forms

[11]      Standardized forms are provided in many districts for reports under Rule 26(f), discovery plans, scheduling orders, and the like, to conform to national or local requirements.  In some districts, the forms may be an integral part of the local rules.  In others, their adoption, modification, and implementation constitute an ad hoc process.  The ease of access varies with some districts doing better than others.[28]

[12]      The Administrative Office of the Judicial Conference (the “AO”) makes national forms relating to discovery available but none relate to case management.[29]  The Federal Judicial Center (the “FJC”) has collected some sample forms in connection with its Civil Litigation Management Manual.[30]

D.  Consistency

[13]      The consistency of a local rule with the Federal Rules can present subtle issues.  If a local initiative is challenged, the test is “whether the two rules are textually inconsistent or whether the local rule subverts the overall purpose of the federal rule.”[31]  When a specific amendment is at issue, reliance on the intent expressed in relevant Committee Reports is one of the factors used to assess the intended effect.[32]  In Colgrove v. Battin, for example, the Court tolerated local rules that reduced the minimum jury size despite what appeared to be an inconsistent federal rule.[33]

[14]      Congress has from time to time authorized the development of local initiatives without regard to consistency.[34]  One can attribute the current diversity in case management regimes in many districts to measures adopted because of the 1990 Civil Justice Reform Act, under which districts were directed to address cost and delay in civil litigation from “the bottom up.”[35]

[15]      Local districts are expected to act consistently with the Federal Rules.[36]  Copies of local rules must be furnished to the Administrative Office and to the relevant Circuit Judicial Council.[37]  The Judicial Councils have the primary responsibility to ensure “consistency [of Local Rules] with [existing Federal Rules],” and the power to “modify or abrogate any such rule.”[38]  Historically, Circuit Councils have not taken an active role,[39] although there are current signs to the contrary.[40]  As recently as 2004, an ad hoc committee of the Standing Committee studied a subset of the local rules for consistency and made recommendations to the district courts involved.[41]

E.  “Pilot Programs”

[16]      The Judicial Conference and Congress utilize formal pilot projects to test procedural innovations.  For example, “[f]ourteen federal district courts have been selected to participate in a 10-year pilot project . . . to enhance expertise in patent cases among U.S. district judges,” which will involve the generation of sample local rules and forms.[42]  In addition, a pilot project designed to standardize early disclosures in employment litigation has been undertaken[43] for use by individual judicial officers or as a model for a local rule.[44]

[17]      The Federal Rules do not, however, explicitly authorize experimental or “pilot projects” to test innovative local rules or procedures.  Indeed, the Rules Committee refused to proceed with such proposals in 1983[45] and 1991.[46]  Nonetheless, the District of Colorado recently amended its local rules to authorize pilot programs or special projects by general order.[47]

[18]      There is a history of reliance on local experimentation before adopting a measure as a uniform federal procedural rule.[48]  It is far less risky to experiment with potential solutions at the local level, which are “inspired by a belief that the [national] rulemakers got it wrong.”[49]  District courts “are willing to try [solutions] because others have confidence in them.”[50]  Consistency with the Federal Rules is rarely perceived as a barrier under those circumstances.[51]

III.  Local E-Discovery Initiatives

[19]      At their core, the 2006 Amendments responded to the need to enhance the discovery of electronically stored information.[52] They became effective in December 2006 when, after several years of study, it was apparent that the differences between electronic data and traditional documents justified rule amendments.[53]

[20]      In their final version,[54] changes to Rules 16(b), 26(a), and 26(f) were coupled with broadly worded amendments authorizing the discovery of electronically stored information (“ESI”), dealing with its form or forms of production, and providing in Rule 26(b)(2), a vague presumption against the production of ESI from inaccessible sources.[55]  No meaningful standards for preservation were included and cost shifting was ignored.  The Amendments were largely silent as to the role, if any, of local rules and standardized forms.

[21]      As noted, federal district courts have reacted in a wide variety of ways, ranging from total avoidance of the subject to an assortment of actions involving local rules, informal guidelines, and standardized forms.

A.  Early Enactments

[22]      Before the 2006 Amendments took effect, few districts addressed the unique issues that e-Discovery presents.  The Eastern and Western Districts of Arkansas were the first to act when they adopted an “Outline For [FRCP] 26(f) Report” for use in their districts.[56]  At the 2004 conference held at Fordham Law School, an involved judicial officer reported that the experience under the rule to date had been that “most attorneys work out these issues at the onset of litigation and make a report.”[57]

[23]      District courts in Wyoming,[58] New Jersey,[59] and the Middle District of Pennsylvania[60] also adopted local rules that utilize a similar approach, with an added focus on counsel undertaking preparatory investigation of client systems.[61]  In addition, the District of Delaware issued a “Default Standard,” which required, inter alia, that parties appoint “retention coordinators” and consult with an eye towards reaching binding preservation agreements.[62]

[24]      The Northern District of Ohio[63] and the Middle[64] and Western[65] Districts of Tennessee quickly adopted Delaware’s Default Standard.  Those provisions remain in effect, although the Delaware standard has been significantly updated since then.

B.  Post Amendment Activity

[25]      After the Amendments came into effect in late 2006, additional districts acted to highlight e-Discovery issues.[66]  The primary emphasis was on preservation, form of production, and presumptive limits on production from inaccessible sources of ESI.  Some districts merely referenced ESI as a topic for discussion.[67]  Others provided extensive checklists of the items identified in the Federal Rules.[68]  Yet, other districts, such as those in Mississippi,[69] Pennsylvania,[70] and New York,[71] provided substantive guidance in mandatory terms.

[26]      The bulk of the changes were reflected in the standard forms in use for case management.  Many districts simply incorporated references to the topics referenced in Rules 26(f) and 16(b).[72]  Other districts went further[73] and used “speaking forms,” which include substantive instructions on how to handle the issues.[74]

[27]      A few districts, such as the District Court of Kansas, provided informal “guidelines.”[75]  The Central District of Illinois posted the Sedona Conference^® Principles along with its local rules and orders.[76]  Perhaps the most ambitious effort was the twenty-eight-page “Suggested Protocol for Discovery of [ESI]”[77] adopted for use before courts in the District of Maryland that blends suggestions with mandatory elements.[78]

[28]      There has also been a revival of case differentiation under which e-Discovery guidance is tied to the type of litigation.[79]  The Southern District of New York is currently testing the impact of an enhanced model order applied on a case-by-case basis in cases deemed to be complex.[80]

[29]      A similar differentiation process is occurring with respect to patent litigation.  In the Districts of Maryland[81] and Massachusetts,[82] for example, the only mention of ESI in the district rules relates to patent litigation.  Similarly, a subcommittee of the Federal Circuit advocates the use of targeted rules for e-mail production in patent cases.[83]  As noted, the District of Oregon has recently proposed to adopt the model order as a local rule.[84]

C.  The Second Wave

[30]      Since roughly 2009, local initiatives have increasingly focused on pragmatic solutions for issues emphasizing the role of proportionality and cooperation.  A leading example is the Seventh Circuit E-Discovery Pilot Program, a comprehensive approach implemented by Standing Orders adopted in individual cases.[85]  The pilot program is based on “principles” designed to encourage cooperative resolution of disputes while emphasizing guidance on the underlying issues.[86]

[31]      Principle 2.04 (Scope of Preservation), for example, mandates the taking of “reasonable and proportionate steps to preserve relevant and discoverable ESI” within a party’s possession, custody, or control.[87]  This articulation, a first among rules, echoes the Sedona Conference^® Proportionality Principles[88] and helps to fill the gap in the 2006 Amendments.  Another innovative feature is the inclusion of a list of categories of ESI which are “generally not discoverable in most cases” and whose possible preservation must be raised “at the meet and confer or as soon thereafter as practicable.”[89]  These proportionally based distinctions also correspond to the recommendations found in the Sedona Conference^® Best Practice Principles.[90]

[32]      The Northern District of Illinois has recently proposed a local patent rule oriented towards guidance along similar lines.[91]  Presumptive limitations were also incorporated into the revised Delaware Default Standard,[92] whose categories of ESI in its appendix echo those of Principle 2.04.[93]  Similarly, the model protocol proposed for use in the Western District of Washington also lists categories of ESI that do not need to be preserved.[94]

[33]      The Federal Circuit has also introduced a “Model Order” for patent cases that addresses the number of custodians from whom production of e-mail may be sought in patent litigation as well as the number of search terms that can be introduced without agreement or court order.[95]  The model protocol was adapted for use in the Eastern District of Texas[96] and proposed for  the Oregon District as a local rule.[97]

IV.  Evaluation

[34]      In this Section, the local initiatives enacted to guide e-Discovery are assessed.  The Section first deals with the pros and cons of the emphasis on early agreement before discussing specific elements of interest—and possible shortcomings—that have emerged.

[35]      Promotion of early agreement by parties and active judicial involvement of the judiciary in the management of discovery has been encouraged since at least 1983, but the emphasis on the “meet and confer” process is of more recent vintage.[98]  To some, the 2006 Amendments bring the process to its ultimate intended use.[99]

[36]      The emphasis is on the preparation of a detailed “discovery plan” to be furnished to the court before the initial pretrial conference, coupled with encouragement to courts to include reference to ESI agreements in the scheduling order.  Parties are expected to discuss any preservation issues and disclosure and discovery issues.  Rule 16(b) makes it clear that any scheduling orders can “provide for the disclosure or discovery of [ESI].”

A.  The Scorecard

[37]      Many of the ninety-four federal district courts studied,  including a number located in major urban districts, have ignored e-Discovery, at least on district-wide basis.[100]  This even includes some districts that have only recently adopted other amendments to their local rules governing the Rule 26(f) process.[101]

[38]      At least thirty-two districts, however, have acknowledged the discovery of electronically stored information in civil litigation.[102]  Of these districts, seven merely make passing reference to e-Discovery in their local rules.[103]  Another twelve districts[104] emphasize e-Discovery topics deemed most worthy of attention at Rule 26(f) conferences.  Nine districts,[105] as well as others using model orders,[106] have adopted pragmatic solutions that address gaps in the Amendments more aggressively.  At least five additional districts have released non-binding guidance for parties on the topic of e-Discovery.[107]

[39]      Many of these efforts center on use of standardized forms for Rule 26(f) reports and discovery plans, as well as for scheduling orders or case management orders.  This has implications for the future.  With the possible consignment of Official Form 52 to oblivion, it will be important for the Administrative Office of the Judicial Conference to make more of an effort to collect the best extant forms and make them readily available to all districts on its national website.[108]

B.  Early Attention

[40]      It is not terribly surprising that many districts have not yet formally addressed e-Discovery.  Busy courts and practitioners may feel that individualized accommodations can be made in cases where e-discovery plays an important role.  In addition, some may have concluded that the 2006 Amendments and emerging case law suffice to place parties and their counsel on notice of the need to address e-Discovery.

[41]      However, there is another possibility.  It may be that the assumed efficacy of early attention to ESI discovery is overstated.  Most Rule 26(f) conferences last for short periods and rarely involve ESI issues.[109]  The conferences may be poorly timed.[110]  Preservation decisions, for example, must often be made before Rule 26(f) conferences.[111]  Moreover, the idea that busy judges can resolve meaningful disputes about the scope of discovery before requests have even been served may be wishful thinking.  There are also avoidable costs that may be wasted if expended too early on e-discovery.[112]  After all, most cases settle.[113]

[42]      Accordingly, it is not clear that front-loading the process by intense and expensive preparations is the most effective means of reducing costs and encouraging cooperation.   Other solutions may be required, such as presumptive “hard limits” or cost shifting, which provide assurance of fairness.  The advantage of experimentation with such measures at the local level is that adjustments can be made as experience mounts, with the best of them slated for national rulemaking.

C.   Assessment:  The Core Initiatives

[43]      Local initiatives have been prompted by the gaps in the 2006 Amendments, especially as to the onset and scope of preservation obligations, variances in culpability for sanctions, the lack of cost-shifting, and the vagueness of the application of the “accessibility” doctrine to preservation.

i.  Preservation

[44]      The 2006 Amendments ducked preservation issues.[114]  Instead, drafters added Rule 26(b)(2)(B), a presumptive limitation on production of ESI based on “accessibility” subject to overriding for “good cause.”[115]  No attempt was made to deal with its implications for preservation, despite an understanding of the issue.[116]

[45]      The Seventh Circuit Pilot Principles and other local initiatives address this shortcoming directly.  Principle 2.04 provides that “[e]very party to litigation and its counsel are responsible for taking reasonable and proportionate steps to preserve relevant and discoverable ESI within its possession, custody or control.”[117]  In addition, the Seventh Circuit Principle limits the need to preserve specific forms of ESI[118] absent agreement, thus removing incentives to “sand-bag” an opponent by not mentioning the preservation issue earlier.

[46]      The revised Delaware Default Standard[119] also notes that parties need not modify “on a going-forward basis” the backup or archive procedures in place provided that they preserve non-duplicable discoverable material.  Proposals from the Western District of Washington[120] and the Northern District of Illinois[121] also incorporate adopted elements of this approach, as do examples from best practice agreements of parties.[122]

[47]      Professor Stephen Subrin has noted that firm limits are often the best way of “providing constraint, focus, and predictability to the unruly aspects of the federal rule[s].”[123]  They provide a useful “starting point to allow parties and district courts to tailor discovery plans as appropriate”[124] and help deal with “over-preservation,” an abiding problem identified at the 2010 Duke Litigation Conference and the Dallas Conference of 2011.^[125]

[48]      Given that specific limitations already exist on the use of interrogatories[126] and depositions,[127] it seems unlikely that limits on preservation efforts exceed permissible consistency boundaries.  The limits are subject to the discretion of the court, applied on a case-by-case basis, and are not textually inconsistent with any existing rule or statute.

[49]      It would be preferable, however, to adopt these presumptive limitations as a national rule.  The Civil Rules Advisory Committee (the “Rules Committee”) is considering recommending the amendment of Rule 26(b)(1) to limit discovery to information “relevant to any party’s claim or defense and proportional to the needs of the case considering [the factors transferred from (b)(2)(C)(iii)].”[128]  That approach could be combined with other pending proposals to provide “default limitations on discovery of [ESI],” which are “useful referents for preservation decisions,” given that preservation is limited to “‘discoverable’ information.”[129]

ii.  Cooperation

[50]      The Federal Rules do not currently mandate a “duty to cooperate,” having explicitly rejected proposals to do so in former times.[130]  Instead, the Rules require participation by counsel and parties in “good faith” in preparing discovery plans and attending case management conferences.[131]

[51]      Many local rules, however, invoke cooperation as an aspirational standard.[132]  Thus, the Delaware Standard[133] provides that the court expects parties to cooperate with each other in arranging and conducting discovery.[134]  Similar expectations are found in certain ESI Guidelines[135] as well as individualized judicial instructions.[136]  The model order recommended for use in the Northern District of California recites that “[t]he parties are aware of the importance the Court places on cooperation and commit to cooperate in good in good faith throughout the [litigation covered by the Order].”[137]

[52]      Some districts emphasize that this involves “voluntary” action of counsel through “informal, cooperative discovery practices.”[138]  Local Rule 26.4 for the Southern and Eastern Districts of New York also provides that cooperation of counsel must be “consistent with the interests of their clients.”[139]  An open-ended mandate for cooperation, however,  is a slippery slope.[140]  A court has no authority to force a party to compromise a position that it does not wish to take.[141]  Placing that burden on counsel can put counsel in an impossible position with her client.[142]  There is also the problem of interference with the primary source of counsel responsibility, the state licensing activities.[143]

[53]      It is clear, however, that the judicial enthusiasm for cooperation is widespread and growing.  One can safely assume that this will continue given the enthusiasm for the call to change the “culture of discovery from adversarial conduct to [one of] cooperation.”[144]  There seems to be no fundamental inconsistency between the Federal Rules and a call for “cooperation” under local initiatives.^[145]

[54]      The Rules Committee has been asked to consider adding cooperation to Rule 1.  At the November 2012 meeting, the Duke Subcommittee appeared to step back from earlier support for requiring that “parties [should] cooperate to achieve” the ends of Rule 1 because of the open-ended nature of the commitment.[146]  However, no vote was taken on the proposal, which remains open.[147]

iii.  Cost Shifting

[55]      The 2006 Amendments avoided dealing with allocation of excessive costs attributable to preservation or production of ESI.  A number of local initiatives identify cost shifting as an option.  New Jersey local rules, for example, require parties to discuss “[w]ho will bear the costs of preservation, production, and restoration (if necessary) of any digital discovery.”[148]  Wyoming does the same.[149]  The Northern District of Ohio Default Standard provides that while “costs of discovery shall be [generally] borne by each party,” the court “will apportion the costs of electronic discovery upon a showing of good cause.”[150]

[56]      While some argue that rules “should require courts to consider cost shifting whenever a party seeks electronic discovery,”[151] a better approach would require cost-shifting for additional costs of preservation and production beyond a core of basic information.[152]  The Model Order for the Federal Circuit, for example, requires that “[c]osts will be shifted for disproportionate ESI production requests pursuant to [FRCP] 26.”[153]  Thus, e-mail production requests are limited “to a total of five custodians per producing party” with costs shifted for additional requests.[154]

[57]      The Duke Subcommittee of the Rules Committee, while stating that it “is not enthusiastic about cost-shifting,” has endorsed an amendment to Rule 26(c) that makes the availability of cost shifting a more “prominent feature of Rule 26(c).”[155]  Those provisions could be “fine-tuned” to differentiate between costs related to core information and those which exceed presumptive limitations.

[58]      Congress is currently taking a “watch and see” attitude, but is clearly interested in the issue.[156]

iv.  Production Formats

[59]      Rules 34 and 45 provide that ESI is to be produced, absent agreement or court order, in the form in which it was maintained or in a “reasonably usable form.”[157]  The clear preference is for parties to reach agreements without involving the courts.[158]  The Rules Committee apparently anticipated that local rules would “pick up the slack.”[159]  That appears to be exactly what has happened.

[60]      By an overwhelming consensus, local rules and guidelines favor the use of text searchable “imaged” formats, such as PDF, TIFF, or JPEG files for production of e-mail and other document like images.[160]  Parties are free, of course, to vary requirements and to specify the fields of metadata to be included in load files to accomplish these goals.[161]  Native production is used only for files “not easily converted to image format, such as Excel, Access files, and drawing files.”[162]

[61]      As explained by a leading case, “even if native files are requested, it is sufficient to produce memoranda, emails, and electronic records in PDF or TIFF format accompanied by a load file containing searchable text and selected metadata.”[163]  Given the consistency of this approach with the intent of the 2006 Amendments, there is no need to further address this by amendments to the national rules.

v.  Search Methodology

[62]      A number of local rules require parties to discuss search methodology, including an exchange of information about any keywords employed,[164] and favor “dialogue to discuss the search terms, as required by Rules 26 and 34.”[165]  The Delaware Default Standard suggests that “a requesting party may request no more than 10 additional search terms to be used in connection with an electronic search.”[166]

[63]      More recently, “predictive coding” and other types of “latent semantic indexing”[167] began to raise similar issues.  One challenge is that parties who seek to utilize these techniques may be required to make a copy of the set of responsive and non-responsive materials used to “train” the mathematical models employed available.[168]

[64]      However, while measures supporting discussions are consistent with the Federal Rules, one cannot reasonably read Rule 16 or Rule 26(f) to support mandating the choice.[169]  As emphasized in Sedona Conference^® Principle Six, “[r]esponding parties are best situated to evaluate” and choose the “procedures, methodologies, and technologies” most appropriate to preserve and produce their own ESI.[170]  Compelling a particular choice without regard to individualized proof that a party would not otherwise meet its discovery obligations[171] would improperly intrude on “private primary activity”[172] because it affects “behavior at the planning as distinguished from the disputative stage of activity.”[173]

[65]      It is one thing to require, for example, designation of a contact person or “liaison” to coordinate with the court and parties on technical e-Discovery issues.[174]  It is quite another to reach out beyond the litigation context and compel a party to use a particular methodology in carrying out its obligations.[175]  Any such basic change requires national authorization.[176]

vi.  Disclosures Without Discovery

[66]      Some local rules impose affirmative obligations on counsel to become knowledgeable about client information management systems[177] and requires counsel to share that information during the Rule 26(f) process.  According to one local drafting committee, these types of rules are intended to “express the obligations of counsel as articulated in case law beginning with the Zubulake cases.”[178]

[67]      In a broad sense, this is consistent with the observation in the Committee Note to Rule 26(f) that “[i]t may be important for the parties to discuss [information systems] and accordingly important for counsel to become familiar with those systems before the conference.”[179]  However, these comments in the Committee Note are not sufficient to supersede the limitations on disclosures without discovery so carefully expressed in Rule 26(a).[180]

[68]      Rule 26(a) limits early disclosures to information that a party “may use to support its claims or defenses.”[181]  The 2006 Amendments did not expand its scope.  Parties are not required to undertake an open-ended, costly, and ultimately premature effort to locate and review information.^[182]

[69]      The issue arose at the 2004 Fordham Conference prior to the adoption of the amendments to Rule 26(a).  While noting that the local rules in New Jersey and Wyoming mandated that counsel acquire information about client systems, one speaker noted that “it may be that, for national rules, such a directive would be viewed as too intrusive.”[183]

[70]      The former chair of the Standing Committee has also noted that a “local rule that require[s] parties to provide an information system ‘map’ at the Rule 26(f) conference” would go “beyond [the] national rules.”[184]  Absent further amendments to the Federal Rules, therefore, local rules and guidelines should seek to accomplish these goals by voluntary, not mandatory, compliance.  Under the case law, the act of requiring a party through its counsel to “furnish more information than is required” is barred.[185]

vii.  Rule 502 Orders

[71]      The 2006 Amendments included a “clawback” mechanism in Rules 26 and 45 to deal with post-production claims of privilege or work-product production, but made no attempt to establish the conditions under which “waiver” by such production could occur.[186]  In 2008, Congress enacted Federal Evidence Rule 502 (“FRE 502”),[187] limiting privilege waiver for “inadvertent” disclosures when the holder “took reasonable steps to prevent disclosure” as well as prompt and reasonable steps to rectify the error.  The Rule also authorized court-adopted agreements that bind parties and non-parties in federal and state cases, even over objection, to waiver-free production without proof of reasonable precautions.[188]

[72]      Surprisingly few districts have emphasized Rule 502 in local rules, guidelines, or amended forms.  Many forms simply ask whether a court order “will be requested, either on stipulation or otherwise” to address the manner in which ESI subject to claims or work product protection will be handled.[189]  However, more recently adopted local rules and model protocols routinely deal with the issue.[190]  It should also be addressed in any new standardized forms that the Administrative Office develops to supplement or replace Official Form 52.

IV.  Conclusion

[73]      There has been a healthy proliferation of local e-Discovery initiatives for use in district courts in the federal judicial system.  There is no obvious pattern emerging as the dominant approach.

[74]      Unfortunately, there is very limited empirical evidence on which one can base a conclusion as to the most effective type of local initiative.  The topic has received very little attention[191] and only the Seventh Circuit pilot program has attempted to survey its users.[192]  Hopefully, other districts will put more effort into such surveys.  As demonstrated by the evolution of the Delaware Default Standard, trial and error is useful.

[75]      There is substantial anecdotal evidence, however, that early attention to ESI can play an important role in reducing unnecessary disputes.[193]  Certainly, that effort is preferable to ignoring potential disputes that can be avoided.  The trick seems to be to find the right balance, blending a “light touch” with avoidance of unnecessary costs that produce no gain.  Ultimately, however, the choice between doing nothing and jumping in with both feet is a matter of style that reflects the culture of the district and the degree to which it can be seen as appropriate.[194]

[76]      In the main, the ninety-four districts present the reassuring conclusion that the local rules and forms in current use are largely consistent with the 2006 Amendments.  Moreover, the local initiatives do not appear to be the problem that the Standing Committee originally feared.^[195]  There is no drumbeat of complaints, aside from one comment in an ABA journal,[196] that the diversity of local e-discovery procedure has had an adverse impact.  There is no need for drastic action reining in local rulemaking, even if that were somehow possible.

[77]      However, as noted, procedural uniformity could be enhanced by converting some of the local initiatives into national rules.  After six years, the tentative approach of the 2006 Amendments, can safely give way to a more confident and aggressive attempt to improve predictability and address the exploding costs of e-Discovery.

The Conference requested permission to include a JOLT article as part of the materials that are handed out for the panel on Technology Assisted Review (TAR). The article requested was included in Vol. XVII, Issue 3 , and titled  Technology-Assisted Review in E-Discovery Can Be More Effective and More Efficient Than Exhaustive Manual Review by Maura R. Grossman and Gordon V. Cormack.

The Sedona Conference^® is a nonprofit, 501(c)(3) research and educational institute dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation, and intellectual property rights.  The Sedona Conference’s mission is to drive the reasoned and just advancement of law and policy by stimulating ongoing dialogue amongst leaders of the bench and bar to achieve consensus on critical issues.

The United States is currently at war with China.  However, this war is not taking place on any battlefields.  It’s taking place in cyberspace.  According to a recent article published by the Washington Post, the United States has been the target of an immense “cyber-espionage campaign” that is threatening the country’s economic competitiveness.

            Just days after a private security firm released a study accusing the Chinese military of carrying out numerous cyber-attacks against U.S. businesses, the Obama Administration released a long-awaited Executive Order on cybersecurity measures.  The Executive Order on Improving Critical Infrastructure Cybersecurity (the “Order”), released on February 12, 2013, has a goal to address cyber threats through a strengthened partnership between the U.S. Government and critical infrastructure owners.  To accomplish this goal, the Order:

•   Requires the development of new information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies;
•   Requires the NIST’s creation of a Framework of cybersecurity practices (“Cybersecurity Framework”) to reduce cyber risks to critical infrastructure;
•   Compels agencies to conduct regular assessments of privacy and civil liberties impacts of their activities and to make such assessments available to the public;
•   Establishes a voluntary program to promote the adoption of the Cybersecurity Framework, which will provide incentives for companies to comply; and
•   Calls for a review of existing cybersecurity regulation.

What does all of this mean for businesses?  For now, it does not mean much since none of the industries covered by the order will actually have to meet the completely voluntary standards.  According to Hunton & Williams’ Privacy Blog, the Order could potentially impact businesses in the following ways:

(1)   Businesses in the private sector will receive a surge of notifications from the government concerning cyber threats and recommended ways to respond to threats based on a process developed by the Department of Homeland Security (“DHS”).  The current DHS process mainly shares classified cyber threats only with defense companies, but under the new Order, information will be shared with other critical infrastructure companies, such as energy companies.

(2)   Critical infrastructure companies and secondary actors (i.e. insurance companies) will be able to voluntarily use the new Cybersecurity Framework to address potential risks.  Since participation is completely voluntary, it is likely that DHS will create incentives for companies to comply.  An example included in the Order is the call for a review of the federal procurement process to create a preference for vendors who meet the Cybersecurity Framework standards.

(3)   Certain private sector companies, who if targeted would have a devastating effect, will be named on a list of “Critical Infrastructure at Greater Risk.”  If added onto the list, companies can request reconsideration of their inclusion on the list.  However, this list does not change the fact that compliance with the Framework remains completely voluntary.

Although the new Order appears to be a positive step in the right direction by encouraging information sharing between the public and private sectors, it is unlikely that it is enough to prevent what seems like an inevitable national cybersecurity catastrophe.  Congress needs to make the next move fast.

Additional Sources:

http://www.huntonprivacyblog.com/2013/02/articles/obama-signs-presidential-policy-directive-on-critical-infrastructure-security-and-resilience/

http://www.huntonprivacyblog.com/2013/02/articles/observations-on-the-cybersecurity-executive-order-and-presidential-policy-directive/

http://www.bna.com/president-obama-signs-n17179872423/

http://www.whitehouse.gov/sites/default/files/uploads/07_eo_quotes_02132013.pdf