Month: March 2015

DownloadPDF

Cite as: Michael Arnold & Dennis R. Kiker, The Big Data Collection Problem of Little Mobile Devices, 21 Rich. J.L. & Tech. 10 (2015), http://jolt.richmond.edu/v21i3/article10.pdf.

by Michael Arnold* & Dennis R. Kiker**

[1]       There should be little question that mobile device-based data are discoverable if relevant.  However, as was the case with ordinary computer-based data a decade or more ago, there is a tendency to believe that there is only one way to collect such data—“forensically.”[1]  This article will demonstrate that there are a number of potentially reasonable ways to collect mobile device data, and that the choice depends, as it does for any other type of information, on the facts and circumstances of the case.  We will first examine the proliferation and impact of mobile data.  Then, we will survey the case law demonstrating both that mobile data are relevant and that the principle of reasonableness applies to mobile data as it does to any other source.  Next, we will outline the various methods for collecting mobile data, any of which might be reasonable under given circumstances.  Finally, we will consider other complicating factors that will impact the decision about what type of collection is appropriate under the circumstances of a give case.

I.  Prevalence and Relevance of Mobile Data

[2]       It goes without saying that mobile devices are ubiquitous.  Research by the Pew Research Center shows that:

·      90% of American adults have a cell phone

·      58% of American adults have a smartphone

·      32% of American adults own an e-reader

·      42% of American adults own a tablet computer[2]

[3]       These data represent a 37% increase in cell phone ownership since 2000, and a 23% increase in smartphone ownership in less than three years.[3]

[4]       The proliferation of mobile devices is not limited to personal use and does not only affect individuals.  Indeed, business use of mobile devices is more complex due to the trend towards “bring your own device” (“BYOD”) policies, which either allow or require employees to provide their own mobile devices for work use.[4]  The obvious result is that employees’ mobile devices will contain a larger mix of personal and business data, with the corollary result that companies will have to produce more information from a wider variety of mobile devices.[5]  In a survey conducted by Norton Rose Fulbright, 41% of the responding companies had to preserve or collect data from employees’ mobile devices in support of litigation or investigations, an increase of more than 10% in two years.[6]  Indeed, in a recent survey by BDO Consulting, “the largest percentage of in-house counsel (22.5 percent) say managing mobile and social networking data is the number one issue they will face in the near future[.]”[7]  Not surprisingly, then, mobile devices are becoming increasingly important sources of potentially relevant information.

[5]       There was, perhaps, a time when attorneys could legitimately overlook data on mobile devices in some cases.  When Blackberry devices dominated the market, and were generally synched to enterprise servers, there was little reason to believe that potentially relevant data existed on the mobile device that was not available from a more accessible source.[8]  That has changed.  First, there is a wide variety of information on mobile devices that is likely not available anywhere else.  Types of data available on a smartphone or tablet include:

·      E-mail

·      Text messages

·      Voicemail messages

·      User information stored as mini-databases or structured text files (e.g., address books, call history, favorite telephone numbers, browser history, bookmarks, recent Internet searches, cookies)

·      Photographs

·      Video recordings

·      Voice recordings

·      Notes

·      GPS data (which may be attached to other files, such as photographs)

·      Maps and navigation history

·      Wi-fi and cellular location history[9]

[6]       Second, the data on a mobile device may be quite relevant even in routine litigation.  Consider just two common scenarios, starting with routine vehicle accidents.  The National Highway Traffic Safety Administration (NHTSA) reports that in 2012 alone, 3,328 people were killed and approximately 421,000 people were injured in accidents involving distracted driving.[10]  Current research confirms that the risk of accidents increases significantly with the use of mobile devices while driving.[11]  Further, an estimated 9% of all drivers do so while using a cell phone or sending and receiving text messages.[12]  Driver conduct is an issue in just about every automobile accident case, and mobile devices are increasingly becoming a key source of evidence on that issue.[13]

[7]       On the business side of litigation, mobile devices are no less important.  Some estimates indicate that there has been a 43% increase in the use of instant messaging through mobile devices as a way employees conduct business.[14]  Unlike e-mail and voicemail, text messages are generally not duplicative of data that can be found on the company’s network.[15]  Whether the case involves allegations of employment discrimination or product liability, individual employees implicated in the litigation are increasingly likely to have potentially relevant information on mobile devices that can be found nowhere else.

A.  Emerging Case Law Involving Mobile Data

[8]       A number of recent cases have directly addressed mobile data, typically in the context of spoliation.  For example, Calderon v. Corporacion Puertorrique a de Salud was a sexual harassment case in which the plaintiff selectively retained messages on his cell phone.[16]  Records from the plaintiff’s mobile service provider indicated that plaintiff failed to produce more than thirty-eight text messages sent from the account of the alleged harasser.[17]  The court held that the plaintiff’s “decision not to forward or save the unproduced texts and photos from prpng@hotmail.com constitutes ‘conscious abandonment of potentially useful evidence’ that indicates that he believed those records would not help his side of the case.”[18]  The court determined that plaintiff’s failure to preserve the text messages “severely prejudice[d]” the defendants, requiring an adverse inference instruction at trial.[19]

[9]       In re Pradaxa (Dabigatran Etexilate) Products Liability Litigation concerned a nationwide multi-district litigation (MDL) in which the plaintiffs moved for sanctions for spoliation of, among other things, business-related text messages.[20]  After noting that the duty to preserve for each of the two defendants arose in February and April, 2012, respectively, the court went on to severely chastise the defendants for failing to institute a legal hold specifically identifying text messaging until October, 2013, even though the plaintiffs had specifically requested text messages in its initial discovery requests, and the defendants’ own documents showed that they “directed their sales force to use texts to communicate with their supervisors, district managers, and others.”[21]  In fact, despite that “[i]t is certainly common knowledge that texting has become the preferred means of communication,” the defendants failed to suspend the auto-deletion of text messages on company issued and programmed cell phones.[22]  The court ordered the immediate production of any relevant text messages, reserving the right to impose sanctions if the data were not available.[23]

[10]     Lastly, EEOC v. Original Honeybaked Ham Co. of Georgia involved the defendant’s motion to compel a wide variety of information from the class representatives in this sexual harassment, hostile environment and retaliation case.[24]  Based on information discovered on one class representative’s Facebook page, the defendant sought production of social media content, text messages, e-mail and other electronically stored information relevant to the plaintiffs’ alleged damages, as well as their credibility and bias.[25]  The court first found that the types of information sought were no different than any other discoverable information:

As a general matter, I view this content logically as though each class member had a file folder titled “Everything About Me,” which they have voluntarily shared with others.  If there are documents in this folder that contain information that is relevant or may lead to the discovery of admissible evidence relating to this lawsuit, the presumption is that it should be produced.  The fact that it exists in cyberspace on an electronic device is a logistical and, perhaps, financial problem, but not a circumstance that removes the information from accessibility by a party opponent in litigation.[26]

After determining that the requested information was, in fact, potentially relevant, the court ordered its production.[27]  To protect the individual plaintiffs’ privacy interests, the court appointed a special master to retrieve all of the data, including text messages on the plaintiffs’ cell phones, and submit information believed to be relevant for in camera inspection.[28]

B.  Case Law Regarding Collection Methods

[11]     As demonstrated above, data on mobile devices will often be relevant and, therefore, subject to preservation and possibly collection.  The legal standards applicable to the method chosen to collect that data, however, are no different than the standards applicable to any other relevant information: “Whether preservation or discovery conduct is acceptable in a case depends on what is reasonable, and that in turn depends on whether what was done—or not done—was proportional to that case and consistent with clearly established applicable standards.”[29]  The determination of whether discovery conduct was reasonable or not, “depends heavily on the facts and circumstances of each case and cannot be reduced to a generalized checklist of what is acceptable or unacceptable.”[30]

[12]     In Nola Spice Designs, LLC v. Haydel Enterprises, the court addressed the propriety and necessity of forensic images.[31]  In that trademark infringement case, the plaintiff sought an order compelling the defendants to, among other things, “submit their computers to an exhaustive forensic examination . . .”[32]  The court rejected the plaintiff’s request because it “far exceed[ed] the proportionality limits imposed by Fed. R. Civ. P. 26(b)(2)(C)—expressly made applicable to ESI by Rule 26(b)(2)(B) . . .”[33]  The court explained:

[Plaintiff’s] request for an exhaustive forensic examination of [defendants’] computers is within the scope of ESI discovery contemplated by Fed. R. Civ. P. 34(a)(1)(A).  At the same time, however, such requests are also subject to the proportionality limitations applicable to all discovery under Rule 26(b)(2)(C), including the prohibition of discovery that is unreasonably cumulative or duplicative or that could be obtained from some more convenient, less burdensome or less expensive source, or the benefit of which is outweighed by its burden or expense, when considering the needs of the case, the amount in controversy, the parties’ resources, the importance of the issues at stake and the importance of the proposed discovery to those issues.  Certainly, the Official Advisory Committee Notes to the 2006 Amendments to Rule 34 relating to electronic discovery of the type sought by Haydel counsel caution:

“As with any other form of discovery, issues of burden and intrusiveness raised by requests to test . . . can be addressed under Rules 26(b)(2) and 26(c).  Inspection or testing of certain types of electronically stored information or of a responding party’s electronic information system may raise issues of confidentiality or privacy.  The addition of testing and sampling to Rule 34(a) with regard to . . . electronically stored information is not meant to create a routine right of direct access to a party’s electronic information system, although such access might be justified in some circumstances.  Courts should guard against undue intrusiveness resulting from inspecting or testing such systems.”[34]

[13]     Indeed, although

[F]orensic computer examinations of the type sought by [plaintiff] in this motion are ‘not uncommon in the course of civil discovery, . . . “[c]ourts have been cautious in requiring the mirror imaging of computers where the request is extremely broad in nature and the connection between the computers and the claims in the lawsuit are unduly vague or unsubstantiated in nature.”[35]

Courts have only granted motions to compel forensic examinations where “where the moving party has demonstrated that its opponent has defaulted in its discovery obligations by unwillingness or failure to produce relevant information by more conventional means.”[36]

[14]     The Sixth Circuit Court of Appeals reached a similar conclusion in John B. v. Goetz.[37]  This class action litigation spanning over 10 years involved implementation of the TennCare program in Tennessee.[38]  During the course of the litigation, disputes arose about the scope of the defendants’ preservation and production of ESI.[39]  Following a series of hearing on motions to compel and reconsider, the district court entered an order allowing “plaintiffs’ computer expert to make forensic copies of the hard drives of identified computers, including not only those at the work stations of the state’s key custodians, but also any privately owned computers on which the custodians may have performed or received work relating to the TennCare program.”[40]  The defendants filed a motion for an emergency stay and a petition for mandamus, both of which the appellate court granted, finding that the district court’s order constituted an abuse of discretion.[41]  The court first acknowledged that a “party may choose on its own to preserve information through forensic imaging, and district courts have, for various reasons, compelled the forensic imaging and production of opposing parties’ computers.”[42]  One the other hand, the court cautioned that:

Civil litigation should not be approached as if information systems were crime scenes that justify forensic investigation at every opportunity to identify and preserve every detail. . . .  [M]aking forensic image backups of computers is only the first step of an expensive, complex, and difficult process of data analysis that can divert litigation into side issues and satellite disputes involving the interpretation of potentially ambiguous forensic evidence.[43]

The court found insufficient evidence in the record to suggest that the defendants intentionally deleted relevant information or were unwilling or unable to preserve and produce such information in the future.[44]  For this reason, and because the ordered forensic imaging implicated “significant privacy and confidentiality concerns,” the court granted the defendants’ petition and overturned the district court’s orders.[45]

[15]     Lee v. Stonebridge Life Ins. Co. involved a request for a forensic image of the plaintiff’s personal computer and iPhone.[46]  Lee was a class action lawsuit alleging that the defendant insurance company sent unauthorized text messages to prospective purchasers of its insurance products.[47]  During discovery, the defendants sought production of the named plaintiff’s personal computer and iPhone for the purpose of capturing a forensic image of each in an attempt to recover copies of any relevant text messages.[48]  The court denied the defendants’ motion.[49]  As in Goetz, the court first acknowledged that Rule 34 permits parties to seek inspection and testing of “data or data compilations . . . stored in any medium.”[50]  Nevertheless, the court held that the defendants “failed to demonstrate sufficient good cause to warrant the extreme step of allowing it to conduct a forensic inspection of Plaintiff’s iPhone and personal computer.”[51]  The court noted that a backup of the iPhone at issue was available on the plaintiff’s personal computer, that the plaintiff had already agreed to search for and produce any relevant information stored on her personal computer, and emphasized that there was no evidence of wrongdoing by the plaintiff: “absent a showing of misconduct on Plaintiff’s part such that serious questions exist as to the reliability and the completeness of Plaintiff’s expert’s search, [the defendant] is not entitled to a forensic examination of Plaintiff’s personal computer.”[52]

[16]     In contrast, Olney v. Job.Com is a good example of a case in which forensic images were critical to the court’s decision.[53]  Olney was a class action alleging that the defendants made unsolicited calls to the named plaintiff’s cell phone in violation of the Telephone Consumer Protection Act.[54]  The defendants requested access to the cell phone and computer the plaintiff alleged were involved in the communications between the plaintiff and the defendants, and the court ultimately ordered the plaintiff to deliver both to a neutral expert for imaging.[55]  In a very detailed opinion, the court reviewed the analyses by competing experts of the plaintiff’s personal computer to determine whether the plaintiff had deleted relevant information, either intentionally or negligently.[56]  The court ultimately determined that the plaintiff had in fact engaged in conduct that was, at various points in the litigation, negligent, grossly negligent, and willful, justifying an adverse inference instruction and monetary sanctions.[57]

[17]     The Olney opinion is instructive for a number of reasons.  First, it involves a situation that exemplifies the need for forensic imaging and analysis: where there are allegations that specific information has been deleted.  Second, it illustrates the complexity and potentially high cost of forensic analysis.  Here, the parties agreed on a neutral expert to image and analyze the data from the plaintiffs’ computer.[58]  Apparently unsatisfied with the results of that analysis, each of the parties then obtained permission to retain their own experts to perform independent analyses.[59]  These experts proceeded to generate reports, supplemental reports, rebuttal reports, and supplemental declarations, to the point where the court finally declined to consider the last submissions, as “[r]ebuttal expert reports [would be] potentially endless in this circumstance[.]”[60]  Finally, the court notes that the plaintiff “retained experienced class-action counsel with three law firms who should have known his computer could contain potentially relevant information,” leaving the plaintiff with little excuse for not preserving data on his computer.[61]  This underscores the fact that adequate preservation steps will typically obviate the need for forensic collection and analysis.

[18]     Finally, Ackerman v. PNC Bank demonstrates that sometimes the simplest collection method is adequate to the needs of the case .[62]  In her appeal from the magistrate judge’s order denying her motion to compel discovery and for sanctions, the plaintiff alleged that the defendants had “inadequately gathered electronically stored information (‘ESI’) or unlawfully destroyed ESI,” and “violated Fed. R. Civ. P. 34(b)(2)(E) by producing hard copy ESI documents without the underlying metadata.”[63]  The court disagreed, noting on the latter point that:

Rule 34(b)(2)(E) does not specifically reference the production of metadata, but refers to a party’s obligation to produce documents as they are kept “in the usual course of business” or organized and labeled according to corresponding discovery request categories.  If the discovery request does not specify the form for producing ESI, Rule 34 requires a party to produce it in the form “in which it is ordinarily maintained or in a reasonably usable form or forms.”[64]

It is readily apparent that the case law does not require a specific collection method or form of production for any type of information, including mobile data.  Rather, the collection method should be reasonable and appropriate for the circumstances of the case.

II.  Defensible Mobile Data Collection Options

[19]     Having made the determination that information contained on mobile devices is potentially relevant, attorneys must then determine whether to collect the data, and if so, how.  In making these decisions, there are many factors to consider, including the complexity and cost of the collection relative to the issues at stake in the litigation.  Here, we will first survey the available collection methods and discuss the circumstances under which each might be appropriate.  Later in this article, we will also discuss some of the challenges and complicating factors associated with mobile data collection.

A.  No Collection

[20]     Sometimes, not collecting mobile data is a perfectly reasonable option.  For example, if the only data that are potentially relevant to the matter are e-mails, and the company has implemented an insulating technology to secure communications on the mobile device and ensure that all business-related e-mails are synchronized with the enterprise e-mail server, then collecting from the mobile device would yield only duplicate data.[65]

[21]     Occasionally, all that is needed with respect to mobile data are call and text logs, and in most cases this information can be obtained via provider bills or specific detail requests that do not require the device itself.[66]  While the content of text messages is not shown on bills or generally available without collection from the device, these types of call and text logs are not easily erased by an owner or user and benefit from having an impartial timestamp for time sensitive events such as might be required in a distracted driving case.[67]  Cellular providers can also provide cellular tower triangulation data that can identify the approximate location of a mobile device at a given time.[68]

B.  Hard Copy Collection

[22]     As odd as it might seem, paper may sometimes be a defensible form of collecting mobile data.  Most modern mobile devices are equipped with applications that enable wireless printing from the device.[69]  In some cases, where metadata are not of interest or at issue, the parties may be perfectly satisfied with paper copies of e-mails, text messages, or other content on a mobile device.[70]  Simply because it is possible to collect ESI from mobile devices does not mean that it is necessary in every case.

C.  Mobile Device Collection

[23]     There are essentially three methods of collecting data from a mobile device: file level collection, logical collection, and physical collection.[71]

1.  File Level Collection

[24]     The simplest method of collecting data from a mobile device is to essentially treat it as an external hard drive.  File level collections focus on active data that can be readily accessed through the device’s operating system, the operating system of a partner device (such as a connected computer), or via third party software.[72]  This is similar in nature to collecting the active files on a computer, which are the files that can be identified using the computer’s operating system, such as Windows.[73]

[25]     Depending on the needs of the case, and particularly on the importance of preserving metadata associated with the target files, an active file collection can be accomplished as simply as connecting the device to a partner computer as a USB storage device (external hard drive), and using the computer’s operating system to navigate to the target files and copying them to the computer.[74]  It is important to note that this method has the highest risk of altering both metadata of the files and the state of the mobile device should a physical image potentially be required in the future.[75]  On the other hand, steps can be taken to mitigate any alteration of the files on the device or to the metadata of the files collected.[76]  Usually a USB write-blocker can be used to preserve the device, but not all devices will communicate with the collections computer with such a device installed.[77]

[26]     Where metadata may be at issue or will be important for other reasons (such as culling and filtering), commercial software such as Access Data’s FTK Imager, Pinpoint Labs Safecopy or Wide Angle’s TouchCopy can be used to ensure that the metadata on both the mobile device and the collection drive are not altered as part of the collection.[78]  Manual file copy collections are the most limited in what they can collect, as most devices that are not rooted or jail-broken[79] will limit the accessible areas on the device to maintain application security.[80]

[27]     Situations where file level collection might be appropriate include cases where there are no relevant call/messaging logs, and a user has identified a few select files on their mobile device that may need to be collected.[81]  File level collection is far superior to having the user e-mail the file to a person collecting the data, such as an IT person, counsel or in-house legal representative, because the latter method creates yet another copy of the file that should be preserved or collected.[82]  Some devices can be plugged directly into a prepared collection system and accessed just like a portable hard drive and the files exposed for collection.[83]

2.  Forensic Logical Copy

[28]     A forensic logical copy involves connecting the mobile device to tools or equipment and copying either everything or selected files from the device or any installed memory devices.[84]  During a logical collection, certain data such as pictures, music, e-mail, text messages and other files are copied with tools like FTK imager, Cellebrite and others to other media to be processed, evaluated and reviewed.[85]  A logical collection does not copy or access anything that is not on the device and does not copy latent information such as slack-space from deleted files or certain protected areas of a phone unless that device has been modified (often referred to as hacked, rooted or jail broken).[86]  Logical images do not collect unsaved data from volatile memory (e.g. from RAM).[87]

3.  Logical Collection of Synchronized Data

[29]     When a mobile device is synchronized with another location, it may be reasonable to collect from that location as opposed to the device itself.  It will almost certainly be simpler and more cost effective.[88]  For example, when a mobile device management system (MDM) is implemented within a company, certain applications are installed, or devices are routinely connected to other systems, the devices may be configured to back up their data to one of several locations[89], including:

•           The cloud,

•           A dedicated server, application host or file share, or

•           A specific partner computer or device.[90]

[30]     Care must be taken to ensure that the synchronized location does not materially change between the identification and the actual collection of that source.[91]  One of the safest ways to ensure that a synchronized location does not change is to disable the synchronization feature of the mobile device by turning the device off, setting the device to airplane mode and/or not connecting the device to any partner computers, sometimes referred to as “docking.”[92]  Synchronized locations may also be affected or accessed by more than one device.  For instance, Gmail, Dropbox and Facebook are common examples of locations that may be connected to more than one device or be changed from a remote computer even after the intended device has been secured.[93]  Further, all data on a mobile device may not be in one central location requiring logical collections from multiple sources.

[31]     Importantly, if the synchronized data is in the form of a backup, the type, currency, and format of the data may vary significantly from what is on the mobile device and may require not only a forensic expert to review and analyze, but special software to decode the data.[94]  For example, a user that regularly receives company e-mail on their mobile device, but only periodically backs that device up to a computer or cloud, would have current e-mail easily collected from the device itself, but only out-of-date backups of files in special formats that would require a forensic analyst to translate.[95]

a.  Cloud-Based

[32]     The cloud could be one of the locations supplied by vendors of the device such as Apple’s iCloud,[96] Google’s Drive, Microsoft’s SkyDrive; or the cloud could be a subscription service such as DropBox, LiveDrive, BlackBlaze Mozy, Amazon, etc.  These services are completely hosted by third-party companies each of which have processes that must be followed if anyone other than the user or the paired device wants to collect the hosted backups.[97]

[33]     Each of the major vendors, Apple, Google, RIM and Microsoft, have made provisions for complete or selective backups to be made to their cloud services through cellular or wireless network connections.[98]

[34]     As home consumer demand for large storage drives increased, and speeds for residential Internet went up, personal clouds solutions developed, which are generally supplied by hard drive manufacturers as a feature of a home network attached storage (NAS) drive.[99]  These solutions from Western Digital, LaCie, Seagate and others allow a central backup to be almost anywhere an Internet connection exists, and may create challenges for coordinating collections.

b.  Dedicated Server, Application Host, or File Share

[35]     A dedicated server or share is similar to the personal cloud listed above, but with the key distinction of it being a company owned and managed server or share and likely only used for select applications such as Exchange, Evernote, a CRM or sales application or for centralized management of company owned devices.[100]  To further demonstrate the complexities in discussing this issue with prospective clients, a company may host their servers in the cloud (e.g., Rackspace or Amazon virtual servers), or may be using Cloud based private applications such as Office365 or Exchange Online.[101]  Unless an MDM is being used by a company to perform complete backups of mobile devices to one of these central servers, only select data would be available from these locations and typically would not include device only data such as call logs, text messages, local pictures or downloaded files.[102]

i.  Partner Computer or Device

[36]     A partner computer might be used to synchronize select information to a mobile device or even as a complete backup in the event of loss of the mobile device.  iTunes on a local PC or Mac is an example of a computer application that creates a partnership with an iPhone and allows a complete backup of the device to be stored on the computer.[103]  An iTunes backup is the closest alternative to an actual logical collection from a physical iPhone.[104]  Although the information in iPhone backups is either encrypted or obfuscated in proprietary file formats and naming conventions,[105] others companies like Microsoft or Google, store the backups of files in their original format and have industry standard .XML file formats for data such as call logs and text messages.[106]

[37]     Some devices can become partners of other mobile devices through peer-to-peer network and wireless connections such as Bluetooth[107] and Near Field Communications (NFC).[108]  Peer devices can be either other smartphones, tablets or computers which might have data such as contacts, pictures or files, or they may be more passive devices with limited usage information.[109]

[38]     Regarding each of these locations above, it is important to note that only backed up data can be collected from synchronized device locations, and that volatile data (RAM) and information changed on the device since last synchronization will not be available.[110]  Further, some companies, such as Apple, use special formats and mini-databases for the files stored as backups,[111] while others such as Microsoft or Google store the backups of files in their original format and have industry standard .XML file formats for data such as call logs and text messages.[112]

3.  Physical Imaging/Full Forensic Copy

[39]     A forensic image is a bit-level copy of all data on a device in manner that represents the entire state of the device and could clone an exact duplicate with equivalent hardware.[113]  Physical imaging, performed while the device has maintained constant power-on and has been isolated from radio communications, can collect volatile memory, current state of running programs etc.[114]  Physical imaging is limited, as logical collection, to data that are on or in the physical device and memory cards.[115]  It should be highlighted that UICC (SIM) cards are a type of memory card like removable memory cards (SD & Micro SD) and need to be included in the collection plan.[116]

[40]     The following table will highlight some of the differences in data that is available from each type of collection listed above.[117]

Table 1.

[41]     There are multiple ways to collect from mobile devices in a forensically sound manner, and there may be a need for more than one way even in a single case.  Forensic collection does not mean only imaging, and imaging does not mean collecting everything.[118]  Even the seemingly simple options that one would consider for traditional computers or servers quickly become very complex problems when we approach mobile systems.

III.  Collection as Part of a Larger Process

[42]     What we call ‘collecting’ from a mobile device is actually ‘processing’[119] and involves a series of steps that are part of an overall process of forensic handling[120] that can be challenged if not handled properly.  There are many considerations in certain litigation such as authentication of the actual device (who was the actual user at a point in time), and whether the device is being collected pursuant to a warrant, arrest or consent that go beyond the scope of this writing.

[43]     Before we can collect anything, we must identify not only what systems we need to collect from, but how those systems may interact with other systems and make preparations to secure and preserve the data.[121]  By being constantly connected, mobile devices are constantly gathering data to internal and external locations.  A mobile device can store potentially relevant information on removable memory cards, SIM cards, and internal volatile and non-volatile memory.[122]  When certain mobile devices such as the Blackberry go into a ‘locked’ state, volatile memory is wiped by the device automatically.[123]  Additionally, certain methods of unlocking a locked mobile device may require a restart of that device causing certain information to be changed or volatile memory to be cleared.[124]  If a device is not protected, incoming calls, text messages, e-mails or application notifications could still change the state of the device even without any malicious intent.[125]

[44]     Several very significant issues must be considered when approaching the collection of mobile devices:

•           Ownership of the device,

•           Expected cooperation of the owner and/or user (which may not be the same person or entity),

•           Synchronized peer devices,

•           Remote access/management and control to the device,

•           Technologies and versions, and

•           Nature of litigation.[126]

[45]     Ownership of the device can complicate matters due to the potential for restricted access such as pin codes, encryption, locks, and overall permission.[127]  In many instances where a company maintains ownership of the device or has established clear policies regarding cooperation by employees with shared use devices this may not be an issue, and even passwords, passcodes, pin codes, or encryption keys may be easily obtained.[128]

[46]     As individuals become more aware of and sensitive to the amount of data that their mobile devices contain, they are employing more methods of securing the data and devices through PIN codes, and other encryption.[129]  Whether this is a personal choice, or one imposed by corporate policy, the reality is that a majority of users do use some method to protect the data on their device.[130]  These methods can create challenges, delay, or—in some circumstances—prevent inspection and collection of a mobile device.[131]  Collection tools such as Cellebrite and Oxygen support decryption, though an uncooperative or unavailable user could limit collection options if advanced encryption is used with next generation devices such as the ‘black phone’ or Apple and Google’s most recent operating systems features.[132]  It is yet to be seen how the courts will ultimately see matters when someone asserts her right to privacy.[133]

[47]     Cooperative owners and users significantly reduce risk related to intentional or unintentional loss of data due to delay or external intervention.  Sometimes the owner and a user may not be the same entity,[134] and there could be a conflict where technologies or policies were not centrally managed by the company,[135] or if the user feels that the risks associated with lack of cooperation are more favorable than the discovery of information on the mobile device.[136]

[48]     Synchronized devices are not limited to just a computer that may periodically back up the device, but may include any device that can remotely change the data on the device even after it is taken into custody.[137]  A typical smartphone or tablet will have multiple programs running on it that communicate over a number of networks such as cellular, wireless (Wi-Fi), Bluetooth, and low-frequency near field communications.[138]  Through any of these methods, or through remote access or control, data can be altered or even completely removed from a device if not secured properly.[139]

[49]     The type of device, its operating system, features, and characteristics can have a significant impact not only on how collection may need to be performed, but also on the steps for preservation at time of securing the device.[140]  Apple, Samsung, Microsoft, and Blackberry are some of the major players in the mobile device marketspace; however, Google, HP, LG, and others have ‘smart’ mobile devices with different operating systems, operating system versions, features, power sources, and connectors.[141]  Sometimes the simplest design feature such an easily removable battery[142] can impact the timing of the preservation of data or accessing simple information like serial numbers.[143]

[50]     It should also be mentioned here that security tools and applications must constantly be adapted to account for the constantly changing and ever expanding market of mobile devices.[144]  The skills for preserving, inspecting, collecting and interpreting mobile data must constantly be honed and even the results of tested tools must be validated and confirmed to maintain the most accurate and defensible presentation of data.[145]

[51]     The nature of the litigation or cause for collection is very important and should be a starting point for considering how one may need to approach a collection, and even then everything may not align in your favor.

[52]     For typical commercial litigation, where the information sought is related to typical business documents, communications (e.g., e-mail and text messages) and data from managed applications, and the device is managed by a corporate MDM system and policy, collection may be somewhat simplified.[146]

[53]     Collection gets more complicated in criminal and certain civil litigation where the use of the mobile device is itself part of the issue, or where specific and detailed analysis of the behaviors of a user or actions need to be performed.[147]

[54]     Collection may be merited, even when not specifically requested or implicated, in an effort to provide context or justification.  For example, in a personal injury claim where a litigant is seeking damages for future loss of ability and fitness, tracking applications could provide historical evidence of actual activities or a decline since injury.[148]

A.  Challenges and Complications

[55]     In some cases, it may be enough to perform a forensically sound logical collection of select targeted information.  Sometimes these collections may not even involve the actual mobile device when a reliable current backup or synchronized source of data is available.[149]

[56]     In both criminal and many civil cases today, mobile data and even just the evidence of use of a mobile device may be important and may necessitate a more comprehensive evaluation of devices and sources outside of the primary device.[150]  Criminals are becoming more tech-savvy, with many learning how to hide, encrypt, and even destroy their data on demand.[151]

1.  Cooperation and Privacy

[57]     Of course, complications will arise even in simple cases when the user is not cooperative, cannot locate the device, or is subject to other governing privacy regulations such as EU Directive 94/46/EC which, in short, is founded on seven basic principles:

•           Notice: subjects whose data is being collected should be given notice of such collection.

•           Purpose: data collected should be used only for stated purpose(s) and for other purpose.

•           Consent: personal data should not be disclosed or shared with third parties without consent from its subject(s).

•           Security: once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.

•           Disclosure: subjects whose personal data is being collected should be informed as to the party or parties collecting such data.

•           Access: subjects should granted access to their personal data and allowed to correct any inaccuracies.

•          Accountability: subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.[152]

2.  Ownership Challenges

[58]     Even with cooperative users or companies, there can be complications when the two are not one and the same, and there are differing viewpoints.

[59]     In 2013, Gartner predicted that by 2017 one half of employers will require employees to supply their own device.[153]  At the moment, thirty-eight percent of employees in mature markets—such as the US—like to use a single device for both work and personal use,[154] and as much as 46% of companies either ignore or are not aware of the use of personal devices for business use.[155]  The convenience of using a personal device for both personal and business purposes becomes a problem when users are told that they need to give up their personal device and allow it to be inspected and potentially collected in whole as an image vs. targeted collections.[156]

3.  Resources

[60]     The actors who preserve, collect, and review mobile device data are very similar to those who work with connected computing devices. However, their skillsets may be very different, and there is an increased importance in the handling and timing of events.  Turning mobile devices off does not ensure that data does not get changed, and introduces the potential that pin codes or other authentication may be triggered when turned back on.[157]  For example, first responders need to be specially equipped and trained to handle the mobile devices initially.[158]  Improperly secured or handled devices could potentially be remotely turned back on, wiped, reloaded, or have data altered through synchronization.[159]

[61]     Properly trained forensic experts and first responders must be prepared with the skills and tools to act quickly and effectively, whether through the use of radio shielding solutions like a Faraday container to prevent external influence, creating a clone UICC card (e.g. SIM, USIM, RUIM or CSIM) without the ability to communicate with a cellular network, disabling wireless, or preserving the usable state of the device.[160]  Observations and inquiry must be performed early in the securing of a mobile device.[161]  If a mobile device is unlocked and undamaged, has sufficient power or the owner is willing and able to supply any authentication codes, a logical collection might be possible quickly and without additional costs.[162]  When devices have authentication codes that are unknown, encryption is enabled or the device is physically damaged, costs and time for collection can go up substantially even for a device with limited in-device memory.[163]

[62]     Problematically, there may be a backlog to qualified data extraction facilities or engineers, which can result in the loss or destruction of data through delays before collection.[164]

III.  Conclusion

[63]     Mobile data is unavoidable in modern discovery and will continue to play an increasingly significant role in litigation.  Beyond the devices that are the subject of this discussion, the market experiences new innovations almost daily, including new “wearable” technology and the Internet of Things, all of which will be sources of potentially relevant information under the right circumstances.[165]

[64]     Attorneys must be prepared to assess and evaluate each new source of information based on the capabilities of the technology and the needs of the case.  The legal standard will remain constant: reasonableness given the issues at stake in the litigation.  But this is merely the starting point for the legal decisions about collection, which must be informed by the cost and complexity of the activity balanced against the need for the information at issue.  Whatever the collection method, it is important to document each step and every decision in the process to defend against potential challenges.

---

 

* Michael Arnold is a Solutions Program Manager with UnitedLex, a legal process solutions provider.  Mr. Arnold has been the Director of Litigation Technology at LeClair Ryan’s Discovery Solutions Practice and with UnitedLex as part of their discovery practice in Richmond, Virginia.  He has over 22 years in Information Technology and has been providing technical legal solutions for corporate and law-firm clients since 2004.  Mr. Arnold has been involved in all aspects of litigation including forensic collections, complex data analysis and presentation and has attended more than 8 cases in various capacities in local state and federal court.  Mr. Arnold is now working on developing new technologies and solutions to help clients respond to and address the needs of the next e-Discovery legal challenges.

** Dennis Kiker is consultant at Granite Legal Systems in Houston, Texas.  Mr. Kiker has been a partner in an AmLaw 200 law firm, Director of Professional Services at a major e-Discovery company, and a founding shareholder of his own law firm.  He has served as national discovery counsel for one of the largest manufacturing companies in the country, and counseled many others on discovery and information governance-related issues.  He is an AV rated attorney admitted to practice in Virginia, Arizona and Florida (retired), and holds a J.D., Magna Cum Laude & Order of the Coif from the University of Michigan Law School.

[1] Indeed, there is confusion even about what the term “forensic” means.  Some distinguish between a “forensic image” and a “forensic copy” or “forensically sound” collections.  A forensic image refers to a “bit-for-bit copy of the data that exists on the original media, without any additions or deletions.”  Ovie L. Carroll, Stephan K. Brannon & Thomas Song, Computer Forensics: Digital Forensic Analysis Methodology, U. S. Attys’ Bull., Jan. 2008, at 1, 2, available at http://www.justice.gov/usao/eousa/foia_reading_room/usab5601.pdf, archived at http://perma.cc/D7ZG-E9UJ.  In other words, every data element on the source media is collected, including program files, system files, fragmented files, and even blank disk space.  See R. Lance Fogarty & Gregory Ledenbach, Deleted Computer Data Uncovered, The Tex. Investigator, Spring 2009, at 22, 25, available at http://www.protegga.com/wp-content/uploads/2014/10/Tali-Article.pdf, archived at http://perma.cc/XS8E-78J5.  The terms “forensic copy” and “forensically sound” generally refer to a targeted, file-level collection that does not include such things as fragmented data.  See Thomas Lidbury & Michael Boland, Technology: Forensically Sound Collection of ESI, Inside Counsel (May 11, 2012), http://www.insidecounsel.com/2012/05/11/technology-forensically-sound-collection-of-esi, archived at http://perma.cc/65QY-WCAE.  In reality, any type of information gathering for litigation purposes is “forensic” according to the definition of the term: “pertaining to, connected with, or used in courts of law or public discussion and debate.”  Forensic, Dictionary.com, http://dictionary.reference.com/browse/forensic?s=t , archived at http://perma.cc/63Q8-9TCZ (last visited Mar. 3, 2015).

[2] Mobile Technology Fact Sheet, Pew Res. Center Internet Project, http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/, archived at http://perma.cc/8QTP-RD7K (last visited Mar. 3, 2015).

[3] See Device Ownership Over Time, Pew Res. Center Internet Project, http://www.pewinternet.org/data-trend/mobile/device-ownership/, archived at http://perma.cc/EVM3-Y74K (last visited Mar. 3, 2015).

[4] See, e.g., Press Release, Gartner, Gartner Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes (May 1, 2013), available at http://www.gartner.com/newsroom/id/2466615, archived at http://perma.cc/4Z5N-C8DH.

[5] See, e.g., Mobile Device Analytics: Getting Smart About Smartphones, Deloitte (2013), available at http://www2.deloitte.com/content/dam/Deloitte/us/Documents/finance/us-fas-mobile-device-discovery-and-investigations-08162013.pdf, archived at http://perma.cc/2GG6-3688.

[6] Norton Rose Fulbright, Litigation Trends Survey Report 35 (2014), available at http://www.nortonrosefulbright.com/knowledge/publications/115045/norton-rose-fulbrights-10th-annual-litigation-trends, archived at http://perma.cc/CN9L-TB7L.

[7] BDO Consulting, InauguralInside E-Discovery Survey 3 (2014), available at https://www.bdo.com/getattachment/af620fbc-e3c4-46b9-a642-e9332eab5692/attachment.aspx, archived at https://perma.cc/6U4X-CY7U.

[8] See, e.g., Charlie Hiphop, Why the NSA Doesn’t Want You to Have a Blackberry, Cantech Letter (July 23, 2013), http://www.cantechletter.com/2013/07/why-the-nsa-doesnt-want-you-to-have-a-blackberry0723/, archived at http://perma.cc/CZ6Q-V4DJ.

[9] See Michael Arnold, Column, Collecting Data from Mobile Devices, 40 Litig. 53, 54–55 (2013).

[10] Nat’l Highway Traffic Safety Admin., Distracted Driving: Facts and Statistics, Distraction.gov, http://www.distraction.gov/get-the-facts/facts-and-statistics.html, archived at http://perma.cc/A8BE-G6X8 (last visited Mar. 3, 2015).

[11] See, e.g., Sheila G. Klauer et al., Distracted Driving and Risk of Road Crashes Among Novice and Experienced Drivers, 370 New Eng. J. Med. 54, 57 (2014), available at http://www.nejm.org/doi/full/10.1056/NEJMsa1204142, archived at http://perma.cc/PT4V-24L7 (showing that dialing, reaching for, or using a cell phone to send or receive text messages increased the odds of an accident by as much as eight times).

[12] See id. at 55.

[13] See id.

[14] See, e.g., OMG—Is This the End for Texting?, CNBC (Feb. 21, 2014, 4:10 AM), http://www.cnbc.com/id/101406820#, archived at http://perma.cc/W7SB-KE4H.

[15] See, e.g., Tom Kaneshige, Think Deleted Text Messages Are Gone Forever?  Think Again, CIO (Mar. 11, 2014, 8:00 AM), http://www.cio.com/article/2378005/byod/byod-think-deleted-text-messages-are-gone-forever-think-again.html, archived at http://perma.cc/2WRD-3M4E.

[16] See Calderon v. Corporacion Puertorriquena De La Salud, 992 F. Supp. 2d 48, 51–52 (D. P.R. 2014).

[17] See id. at 52–53.

[18] Id. at 52.

[19] Id. at 53.

[20] In re Pradaxa (Dabigatran Etexilate) Prods. Liab. Litig., MDL No. 2385, 3:12-md-02385-DRH-SCW, 2014 U.S. Dist. LEXIS 173674, at *56–58 (S.D. Ill. Dec. 9, 2013).

[21] Id. at *56–57.

[22] See id. at *62–63, *65.

[23] Id. at *68; see also Freres v. Xyngular Corp., No. 2:13-cv-400-DAK-PMW, 2014 U.S. Dist. LEXIS 44116 at *14 (D. Utah Mar. 31, 2014) (ordering production of plaintiffs’ cell phone for inspection and copying); Bailey v. Scoutware, LLC, No. 12-10281, 2014 U.S. Dist. LEXIS 37197, at *17–18 (E.D. Mich. Mar. 21, 2014) (allowing forensic inspection of cell phone by plaintiffs’ expert in an attempt to identify allegedly missing text and voicemail messages); Christou v. Beatport, LLC, No. 10-cv-02912-RBJ-KMT, 2013 U.S. Dist. LEXIS 9034, at *37–39 (D. Colo. Jan. 23, 2013) (issuing sanctions where defendants took no steps to preserve the text messages on an iPhone that was subsequently lost).

[24] See EEOC v. Original Honeybaked Ham Co., No. 11-cv-02560-MSK-MEH, 2012 U.S. Dist. LEXIS 160285, at *2 (D. Colo. Nov. 7, 2012).

[25] See id. at *7–8.

[26] Id. at *3–4.

[27] See id. at *7–8.

[28] See id.

[29] Rimkus Consulting Grp., Inc. v. Cammarata, 688 F. Supp. 2d 598, 613 (S.D. Tex. Feb. 19, 2010).

[30] Id.; see also Stanley v. Creative Pipe, Inc., 269 F.R.D. 497, 523 (D. Md. Sept. 9, 2010); The Sedona Conference, The Sedona Principles: Second Edition Best Practices Recommendations & Principles for Addressing Electronic Document Production 28 (Jonathan M. Redgrave et al. eds., 2007) [hereinafter THE SEDONA PRINCIPLES], available at http://www.sos.mt.gov/Records/committees/erim_resources/A%20-%20Sedona%20Principles%20Second%20Edition.pdf, archived at http://perma.cc/9HGB-C3YE.

[31] See Nola Spice Designs, LLC v. Haydel Enters., No. 12-2515, 2013 U.S. Dist. LEXIS 108872, at *2–3 (E.D. La. Aug. 2, 2013).

[32] Id. at *2–3.

[33] Id. at *3.

[34] Id. at *3–6.

[35] Id. at *6 (quoting John B. v. Goetz, 531 F.3d 448, 459-60 (6th Cir. 2008) (internal citations omitted)).

[36] Nola Spice Designs, 2013 U.S. Dist. LEXIS 108872, at *7.

[37] See John B. v. Goetz, 531 F.3d 448, 461 (6th Cir. 2008).

[38] See id. at 451–52.

[39] See id. at 451.

[40] Id. at 451.

[41] See id. at 456–59.

[42] John B., 531 F.3d at 459.

[43] Id. at 460 (quoting The Sedona Principles, supra note 30, at 34, 47.

[44] See John B., 531 F.3d at 460.

[45] Id. at 460–61.

[46] See Lee v. Stonebridge Life Ins. Co., No. 11-cv-43 RS, 2013 U.S. Dist. LEXIS 106654, at *2 (N.D. Cal. July 30, 2013).

[47] See Beth Winegarner, Stonebridge Settles Spam Text Case with 60K Plaintiffs, Law360, http://www.law360.com/articles/524843/stonebridge-settles-spam-text-case-with-60k-plaintiffs, archived at http://perma.cc/3862-H4M6 (last visited Mar. 6, 2015).

[48] See Lee, 2013 U.S. Dist. LEXIS 106654, at *2.

[49] See id. at *7–8.

[50] Id. at *2–3 (quoting Fed. R. Civ. P. 34(a)(1)(A)).

[51] Id. at *4.

[52] Id. at *4–5, *7; see also Bradfield v. Mid-Continent Cas. Co., No. 5:13-cv-222-Oc-10PRL, 2014 U.S. Dist. LEXIS 128677, at *11–12, *14–15 (M.D. Fla. Sept. 15, 2014) (denying request for forensic inspection of plaintiff’s counsel’s computer where there was no evidence that the information sought was not available from some other source, the “particular information sought [was] known to actually exist,” and there was no evidence that information had been wrongfully withheld).

[53] See Olney v. Job.com, No. 1:12-cv-01724-LJO-SKO, 2014 U.S. Dist. LEXIS 152140, at *67 (E.D. Cal. Oct. 24, 2014).

[54] See id. at *6–7.

[55] See id. at *7–8.

[56] See id. at *9–26.

[57] See id. at *30–34, *36–42.

[58] Olney, 2014 U.S. Dist. LEXIS 152140, at *8.

[59] See id. at *10.

[60] Id. at *24–27.

[61] Id. at *32.

[62] See Ackerman v. PNC Bank, No. 12-CV-42 (SRN/JSM), 2014 U.S. Dist. LEXIS 8301, at *5–7 (D. Minn. Jan. 23, 2014).

[63] Id. at *2, *5–6.

[64] Id. at *6 (quoting Fed. R. Civ. P. 34(b)(2)(E)(i)–(ii)).

[65] See ESI & Data Hosting, DLSDiscovery, http://www.dlsdiscovery.net/esi_data_hosting.html, archived at http://perma.cc/D2V2-2ZEH (last visited Feb. 9, 2015).

[66] See, e.g., Billing and Payments, Understanding the Bill, Verizon, http://www.verizonwireless.com/support/view-bill-online-faqs/, archived at http://perma.cc/VCQ9-ZCEK (last visited Feb. 9, 2015).

[67] See id.

[68] See Cell Phone Tower Triangulation, Int’l Investigators Incorporated, http://www.iiiweb.net/forensic-services/cell-phone-tower-triangulation/, archived at http://perma.cc/49AP-TPMP (last visited Feb. 9, 2015).

[69] See, e.g., Christopher Null, Mobile Printing: A Guide for the BYOD World, PCWorld (Sept. 16, 2013, 3:01 AM), http://www.pcworld.com/article/2048634/mobile-printing-a-guide-for-the-byod-world.html, archived at http://perma.cc/3V9E-AMYU.

[70] See Mark Lenetsky, eDiscovery: Collection of Text Messages, Adaptable Technologies LLC, http://adaptable-tech.com/ediscovery-r-link/ediscovery-collection-of-text-messages/, archived at http://perma.cc/GW7P-XSEM (last visited Mar. 5, 2015).

[71] See Cindy Murphy, Cellular Phone Evidence: Data Extraction and Documentation, available at https://mobileforensics.files.wordpress.com/2010/07/cell-phone-evidence-extraction-process-development-1-1-8.pdf, archived at https://perma.cc/NWN6-A6JX.

[72] See id.

[73] See Paul Henry, Quick Look—Cellebrite UFED Using Extract Phone Data & File System Dump, SANS Digital Forensics & Incident Response (Sept. 22, 2010, 6:16 PM), http://digital-forensics.sans.org/blog/2010/09/22/digital-forensics-quick-cellebrite-ufed-extract-phone-data-file-system-dump/, archived at http://perma.cc/CB63-6XNC.

[74] See Tim Proffitt, Forensic Analysis on iOS Devices 3–4, 6–9 (2012), available at http://www.sans.org/reading-room/whitepapers/forensics/forensic-analysis-ios-devices-34092/ forensic-analysis-ios-devices-34092 (1).pdf, archived at http://perma.cc/4PL3-9T5E.

[75] See id. at 10–11.

[76] See Write Blockers, Forensics Wiki, http://www.forensicswiki.org/wiki/Write_Blockers, archived at http://perma.cc/6VXA-9C5L (last visited Mar. 6, 2015).

[77] See id.

[78] See, e.g., Data Acquisition & Preservation, Access Data, http://accessdata.com/services/digital-forensics/data-aquisition-preservation, archived at http://perma.cc/3EPB-JZHA (last visited Mar. 6, 2015); SAFECOPY, Pinpoint Labs, http://pinpointlabs.com/sc2.html, archived at http://perma.cc/38QX-NDNY (last visited Mar. 6, 2015); TOUCHCOPY, Wide Angle Software, http://www.wideanglesoftware.com/touchcopy/index.php, archived at http://perma.cc/7JBL-GRNJ (last visited Mar. 6, 2015).

[79] See, e.g., Mary McMahon, What Is a Jailbroken Phone?, wiseGEEK, http://www.wisegeek.com/what-is-a-jailbroken-phone.htm, archived at http://perma.cc/6ZHX-LR6B (last modified Feb. 15, 2015).

[80] See id.

[81] See, e.g., Murphy, supra note 71.

[82] See, e.g., Henry, supra note 73.

[83]  See Proffitt, supra note 74, at 9.

[84] See id.

[85] See David Ashfield, Mobile Device Forensics: Data Acquisition Types, CCL Group (May 19, 2014), http://www.cclgroupltd.com/mobile-device-forensics-data-acquisition-types/, archived at http://perma.cc/C5RQ-FLW7.

[86] See id.

[87] See What Are Our Best Options for Collecting and Synchronizing GIS Field Data?, WebMapSolutions, http://www.webmapsolutions.com/what-are-our-best-options-for-collecting-and-synchronizing-gis-field-data, archived at http://perma.cc/C8AK-QVW4 (last visited Feb. 18, 2015).

[88] See Vangie Beal, What Is Mobile Device Management (MDM)?, Webopedia, http://www.webopedia.com/TERM/M/mobile_device_management.html, archived at http://perma.cc/7FVM-2TZ7 (last visited Mar. 6, 2015).

[89] See Carla Schroder, 6 Data Backup Devices for Small Businesses, Small Business Computing.com (Aug. 4, 2014), http://www.smallbusinesscomputing.com/biztools/6-data-backup-devices-for-small-businesses.html, archived at http://perma.cc/6EVR-GHSF; see also The Difference Between Cloud Hosting and Dedicated Servers and What’s Right for You, steadfast, http://www.steadfast.net/blog/index.php/cloud/he-difference-between-cloud-hosting, archived at http://perma.cc/U82P-TVZ7 (last visited Mar. 6, 2015).

[90] See, e.g., Rene Millman, Smartphones & Tablets Remotely Wiped in UK Police Custody, ITPro (Oct. 10, 2014), http://www.itpro.co.uk/security/23273/smartphones-tablets-remotely-wiped-in-uk-police-custody, archived at http://perma.cc/EH3U-5DCB.

[91] See, e.g., Supreme Court Watch: Ten Key Issues from the Riley Opinion Protecting Cell Phone Data Seized During an Arrest, Fed. Evidence Rev. (June 30, 2014), http://federalevidence.com/blog/2014/june/supreme-court-watch-cell-phone-content-protected-under-fourth-amendment, archived at http://perma.cc/DR9P-NZ8P.

[92] See, e.g., Computer Tips and Tricks, Gadgets, How-To, Life-2.0 Style, Tech Buzz (Mar. 21, 2009), http://www.techbuzz.in/can-two-people-be-logged-into-the-same-facebook-account-at-the-same-time.php, archived at http://perma.cc/ZDJ7-77C2; see also Remote Wipe Overview, Dropbox, https://www.dropbox.com/en/help/4227, archived at https://perma.cc/743T-JMJJ (last visited Mar. 6, 2015).

[93] See, e.g., Create and Delete iPhone, iPad, and iPod Touch Backups in iTunes, Apple, https://support.apple.com/en-us/HT204269, archived at https://perma.cc/RT4L-HXU4 (last visited Mar. 6. 2015).

[94] See iCloud Security and Privacy Overview, Apple, https://support.apple.com/en-us/HT202303, archived at https://perma.cc/FL7M-NQTV (last visited Jan. 27, 2015).  Microsoft offers a similar service.  See Back up My Stuff, Windows Phone, http://www.windowsphone.com/en-us/how-to/wp8/settings-and-personalization/back-up-my-stuff, archived at http://perma.cc/3P9H-RXNM (last visited Mar. 6, 2015).  Android users can download apps, such as inDefend, to back up their personal information.  See inDefend Mobile Backup, Google, https://play.google.com/store/apps/details?id=com.dataresolve.android.security.backup&hl=en, archived at https://perma.cc/GSQ7-SXNL (last visited Jan. 27, 2015).  Except using the Link function on a corporate Blackberry server, Blackberry does not backup e-mail, contacts or calendars. See User Guide: BlackBerry Link for Windows 1.0, Back Up Your Device Data, BlackBerry, http://docs.blackberry.com/en/smartphone_users/deliverables/49304/lym1340633934452.jsp, archived at http://perma.cc/X4XE-ZGPF (last visited Mar. 6, 2015).

[95] See Satish B., iPhone Forensics—Analysis of iOS 5 Backups: Part 1, Infosec Inst. (May 3, 2012), http://resources.infosecinstitute.com/ios-5-backups-part-1/, archived at http://perma.cc/7N6N-9LQL.

[96] See Thomas J. Trappler, When There’s a Third Party in the Cloud, Computerworld (July 30, 2012, 10:42 AM), http://www.computerworld.com/article/2505135/cloud-computing/when-there-s-a-third-party-in-the-cloud.html, archived at http://perma.cc/45KH-HD4D.

[97] See, e.g., Back Up My Stuff, supra note 94; BlackBerry Business Cloud Services, BlackBerry, http://us.blackberry.com/enterprise/products/cloud-services/overview.html, archived at http://perma.cc/DEP4-EJ6Z (last visited Mar. 6, 2015); see also iCloud: iCloud Storage and Backup Overview, Apple, https://support.apple.com/kb/PH12519?viewlocale=en_US&locale=en_US (last visited Mar. 6, 2015), archived at https://perma.cc/BFB4-VBDA.

[98] See, e.g., sources cited supra note 97.

[99] See, e.g., Margaret Rouse, What Is Network-Attached Storage (NAS)?, Search Storage (Aug. 2014), http://searchstorage.techtarget.com/definition/network-attached-storage, archived at http://perma.cc/RN4Q-32YJ.

[100] See, e.g., Margaret Rouse, Dedicated Server Definition, TechTarget (Sept. 2005), http://searchsoa.techtarget.com/definition/dedicated-server, archived at http://perma.cc/BSX6-XR6D.

[101] See, e.g., Barney Beal, Public vs. Private Cloud Applications: Two Critical Differences, TechTarget (May 2012), http://searchcloudapplications.techtarget.com/feature/Public-vs-private-cloud-applications-Two-critical-differences, archived at http://perma.cc/D6WB-S68S.

[102] See Why Mobile Device Management, 2X, http://www.2x.com/mdm/why-mobile-device-management/, archived at http://perma.cc/4824-7JSE (last visited Mar. 6, 2015).

[103] Satish B., Forensic Analysis of iPhone Backups, Exploit DB, http://www.exploit-db.com/wp-content/themes/exploit/docs/19767.pdf, archived at http://perma.cc/39FT-EPLV (last visited Mar. 16, 2015).

[104] See Bader & Baggili, iPhone 3GS Forensics: Logical Analysis Using Apple iTunes Backup Utility, 4 Small Scale Digital Device Forensics J. 1 (2010), available at http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.185.4439&rep=rep1&type=pdf, archived at http://perma.cc/N4AS-J6DV.

[105] See, e.g., Selena Ley, Processing iPhone / iPod Touch Backup Files on a Computer, The Apple Examiner, http://www.appleexaminer.com/iPhoneiPad/iPhoneBackup/iPhoneBackup.html, archived at http://perma.cc/X7VK-HBRH (last visited Mar. 5, 2015).

[106] See , e.g., FAQ about SMS Backup & Restore, AndroidStuff (Apr. 18, 2012), http://android.riteshsahu.com/misc/faqs-about-sms-backup-restore, archived at http://perma.cc/UMR9-U477.

[107] See, e.g., Fast Facts, Bluetooth SIG, Inc., http://www.bluetooth.com/Pages/Fast-Facts.aspx, archived at http://perma.cc/B5JN-ANJE (last visited Mar. 3, 2015).

[108] See, e.g., Near Field Communication, http://www.nearfieldcommunication.org, archived at http://perma.cc/EXM3-GT56 (last visited Mar. 3, 2015).

[109] Peer devices go beyond just passive ear pieces and are a growing market with the increase in ‘wearable’ technologies such as smart watches, fitness bands, health meters and even pain management devices and can be important in litigation due to their ability to either allow files to move from the device without traditional e-mail or text transmissions or for the data that they might supply.  See Sean Greene, Electronic Evidence Expert Witness: Will Fitbit and Crowdsourcing* Change Personal Injury Cases?, Evidence Solutions, Inc., http://www.evidencesolutions.com/web/Digital-Evidence-Articles/fitbit-data-goes-to-court-electronic-evidence-expert.html, archived at http://perma.cc/Z58Z-GQET (last visited Mar. 3, 2015).

[110] See Rick Ayers et al., Nat’l Inst. of Stds. & Tech., U.S. Dept. of Commerce, Guidelines on Mobile Device Forensic 3, 6 (Special Pub. 800-101, Rev. 1, May 2014), available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf, archived at http://perma.cc/U7SV-DWU9.

[111] See, e.g., Selena Ley, Processing iPhone / iPod Touch Backup Files on a Computer, The Apple Examiner, http://www.appleexaminer.com/iPhoneiPad/iPhoneBackup/iPhoneBackup.html, archived at http://perma.cc/K3KW-K3RH (last visited Mar. 5, 2015).

[112] See, e.g., FAQ about SMS Backup & Restore, AndroidStuff (Apr. 18, 2012), http://android.riteshsahu.com/misc/faqs-about-sms-backup-restore, archived at http://perma.cc/TM2Y-YH8W.

[113] What is Forensic Hard Drive Imaging, Forensicon Computer Forensic Specialists , http://www.forensicon.com/resources/articles/what-is-forensic-hard-drive-imaging/, archived at http://perma.cc/3NUC-XM9T (last visited Mar. 3, 2015).

[114] Kristine Amari, Techniques and Tools for Recovering and Analyzing Data from Volatile Memory, SANS Institute InfoSec Reading Room (Mar. 26, 2009), available at www.sans.org/reading-room/whitepapers/forensics/techniques-tools-recovering-analyzing-data-volatile-memory-33049, archived at http://perma.cc/5B8D-8EDK.

[115] See Rick Ayers et al., supra note 110, at 46.

[116] Id. at 7.

[117] See supra notes 113–16 and accompanying text.

[118] Matthew Nelson, The Top 3 Forensic Data Collection Myths in eDiscovery, Symantec eDiscovery Blog (Aug. 7, 2013), http://www.symantec.com/connect/blogs/top-3-forensic-data-collection-myths-ediscovery, archived at http://perma.cc/ZL5C-EC7L.

[119] See, e.g., Murphy, supra note 71.

[120] See Ayers et al., supra note 110, at 2–3.

[121] See Murugiah Souppaya & Karen Scarfone, NIST Special Publication 800-124 Revision 1: Guidelines for Managing the Security of Mobile Devices in the Enterprise 5–6 (2013), available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf, archived at http://perma.cc/FF9G-B38U.

[122] See Ayers et al., supra 110, at 6–8, 10–11.

[123] Any Way to Prevent Device Wipe after Failed password Attempts in BB10?, Crackberry (May 22, 2013), http://forums.crackberry.com/blackberry-z10-f254/any-way-prevent-device-wipe-after-failed-password-attempts-bb10-810021/, archived at http://perma.cc/Z9TV-L3U4.

[124] Ensure Mobile Device Security, 2X MDM, http://www.2x.com/mdm/mobile-device-security/, archived at http://perma.cc/V489-LJ2W (last visited Mar. 3, 2015).

[125] Jason Gonzalez & James Hung, Stroz Friedberg LLC, Mobile Device Forensics: A Brave New World?, Bloomberg Law Reports, http://www.strozfriedberg.com/files/Publication/224ca0f8-5101-4e1b-938a-4d4b128ad5ed/Presentation/PublicationAttachment/ef4a28ad-ff7d-4014-aea8-80505789b86c/Mobile%20Device%20Forensics_%20A%20Brave%20New%20World.pdf, archived at http://perma.cc/ZR43-D9RF (last visited Mar. 3, 2015).

[126] See Michael Arnold, Collecting Data from Mobile Devices, ABA, http://apps.americanbar.org/litigation/litigationnews/trial_skills/110113-tips-collecting-data-mobile-device.html, archived at http://perma.cc/EK2D-U27L (last visited Mar. 3, 2015).

[127] See, e.g., id.

[128] See, e.g., id.

[129] Mobile Devices, Stay Smart Online, http://www.staysmartonline.gov.au/mobile_devices, archived at http://perma.cc/QW37-DKCC (last visited Mar. 3, 2015).

[130] See, e.g., Donna Tapellini, Smart Phone Thefts Rose to 3.1 Million Last Year, Consumer Reports Finds, Consumer Reps. (May 28, 2014, 4:00 PM), http://www.consumerreports.org/cro/news/2014/04/smart-phone-thefts-rose-to-3-1-million-last-year/index.htm, archived at http://perma.cc/RA4M-J7HP.

[131] See Ayers et al., supra 110, at 43.

[132] See, e.g., James B. Comey, Director, Federal Bureau of Investigation, Remarks at the Brookings Inst. (Oct. 16, 2014), available at http://www.fbi.gov/news/speeches/going-dark-are-technology-privacy-and-public-safety-on-a-collision-course, archived at http://perma.cc/HGK5-UPMV.

[133] See Andy Greenberg, Google and Apple Won’t Unlock Your Phone, But a Court Can Make You Do It, Wired (Sept. 22, 2014 6:30 AM), http://www.wired.com/2014/09/google-apple-wont-unlock-phone-court-can-make/, archived at http://perma.cc/4L8Y-MVDZ.

[134] See, e.g., Ex-Lawyer Tells Goffer Jury He Traded 3Com Merger Tips for Cash, Bloomberg (May 19, 2011, 12:01 AM), http://www.bloomberg.com/news/2011-05-19/goffer-trial-witness-says-he-traded-merger-tips-for-cash-filled-envelopes.html, archived at http://perma.cc/C4AG-S3WR.

[135] Id.

[136] See, e.g., Sentencing Memorandum on Behalf of Raj Rajaratnam, United States v. Raj Rajaratnam, 2011 U.S. Dist. LEXIS 21062, at 59 (S.D.N.Y. Aug. 9, 2011), available at http://www.law.du.edu/documents/corporate-governance/criminal/rajaratnam/Sentencing-Memorandum-on-Behalf-of-Raj-Rajaratnam-US-v-Rajaratnam-S1-09-CR-1184-SD-NY-August-9-2011.pdf, archived at http://perma.cc/ZKA7-D5F7.

[137] See, e.g., Arnold, supra note 126.

[138] Gonzalez, supra note 125.

[139] See, e.g., Rene Millman, Smartphones & Tablets Remotely Wiped in UK Police Custody, ITPro (Oct. 10, 2014), http://www.itpro.co.uk/security/23273/smartphones-tablets-remotely-wiped-in-uk-police-custody, archived at http://perma.cc/4TE6-TVKH; Jane Wakefield, Devices Being Remotely Wiped in Police Custody, BBC News (Oct. 9, 2014, 8:30 AM), http://www.bbc.com/news/technology-29464889, archived at http://perma.cc/RZS6-29KX.

[140] See Arnold, supra note 126.

[141] See, e.g., Jessica Dolcourt, Best Phones of 2015, Cnet (Feb. 20, 2015, 11:16 AM), http://www.cnet.com/topics/phones/best-phones/, archived at http://perma.cc/KR96-B6PH; see also Thomas Halleck, Google Planning Two Nexus Smartphones for 2015: Rumor Pegs LG For New Nexus 6 (Mar. 2, 2015, 7:53 PM), http://www.ibtimes.com/google-planning-two-nexus-smartphones-2015-rumor-pegs-lg-new-nexus-6-1833718, archived at http://perma.cc/87EN-RUWD.

[142] See, e.g., How to Remove the Battery from an iPhone, wikiHow, http://www.wikihow.com/Remove-the-Battery-from-an-iPhone, archived at http://perma.cc/7BED-EHFA (last visited Jan. 28, 2015) (noting nine steps are needed to remove the iPhone 5 battery).

[143] See Ayers et al., supra note 110, at 41.

[144] See Souppaya & Scarfone, supra note 121, at 12.

[145] See Murphy, supra note 71, at 9.

[146] See, e.g., CDW, Mobile Device Management:  Not What it Used to Be 4 (2012), available at http://webobjects.cdw.com/webobjects/media/pdf/108281-WP-Mobile-Device-Mgt.pdf, archived at http://perma.cc/KHT6-D8TK; see also Arnold, supra note 126.

[147] See Arnold, supra note 126.

[148] See Parmy Olsen, Fitbit Data Now Being Used In The Courtroom, Forbes (Nov. 11, 2014, 4:10 PM), http://www.forbes.com/sites/parmyolson/2014/11/16/fitbit-data-court-room-personal-injury-claim/, archived at http://perma.cc/MFG8-CCVV.

[149] See Arnold, supra note 126.

[150] See id.

[151] See Tim Crushing, DOJ Whines That A Warrant To Search A Mobile Phone Makes It More Difficult To Catch Criminals, TechDirt (Apr. 24, 2014, 12:48 PM), https://www.techdirt.com/articles/20140423/15081827008/government-argues-that-warrant-requirement-cell-phone-searches-does-nothing-keep-cops-catching-bad-guys.shtml, archived at https://perma.cc/8UDA-EXDY.

[152] See Protection of personal data, European Commission (Apr. 9, 2014), available at http://ec.europa.eu/justice/data-protection/, archived at http://perma.cc/VG4A-RDF9.

[153] See Press Release, Gartner, Inc., Gartner Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes (May 1, 2013), available at http://www.gartner.com/newsroom/id/2466615, archived at http://perma.cc/ZV7K-RAYY.

[154] See Brian Proffitt, Worried Workers: BYOD Or You’re SOL [Infographic], readwrite (Dec. 6, 2012), http://readwrite.com/2012/12/06/pause-economy-linked-to-bring-your-own-device-use, archived at http://perma.cc/Q7X3-RYY9.

[155] See id.; see also Businesses Unprepared to Support New Mobile Ways of Working, Citrix (Nov. 21, 2011), http://www.citrix.com/news/announcements/nov-2011/businesses-unprepared-to-support-new-mobile-ways-of-working.html, archived at http://perma.cc/7AHJ-ARDP.

[156] Haman Allen & David Herman, Challenges of Mobile Devices, BYOD and EDiscovery, Law Technology Today (Sept. 19, 2014), http://www.lawtechnologytoday.org/2014/09/challenges-of-mobile-devices-byod-and-ediscovery/, archived at http://perma.cc/4HPP-MDHY.

[157] See Gonzalez, supra note 125.

[158] See Ayers et al., supra note 110, at 27.

[159] See Arnold, supra note 126.

[160] See Ayers et al., supra note 110, at 29.

[161] See Jill Griset & Melissa Laws, Navigating A Case Through E-discovery, McGuire Woods LLP 2 (2012), http://www.mcguirewoods.com/news-resources/publications/navigating-e-discovery.pdf, archived at http://perma.cc/C4A7-LBW8.

[162] See Ayers et al., supra note 110, at 35–37; Digital Mountain, Inc, Taking the First Step—Data Preservation 2 (2009), available at http://digitalmountain.com/fullaccess/Article5.pdf, archived at http://perma.cc/S77J-UEXF.

[163] See Arnold, supra note 126.

[164] See Millman, supra note 90.

[165] See Ted Samson, How Wearable Tech Will Fuel The Internet of Things, InfoWorld (June 5, 2013), http://www.infoworld.com/article/2614798/mobile-technology/how-wearable-tech-will-fuel-the-internet-of-things.html, archived at http://perma.cc/3DBN-CWHY.

 

DownloadPDF

Cite as: Antigone Peyton, Kill the Dinosaurs, and Other Tips for Achieving Technical Competence in Your Law Practice, 21 Rich. J.L. & Tech. 7 (2015), http://jolt.richmond.edu/v21i3/article7.pdf.

by Antigone Peyton*

I.  Introduction

[1]       It is a challenge to practice law in the digital age.  This is particularly true when a practice involves significant e-Discovery, Intellectual Property, and technology law—areas in which technical issues merge with legal ones.  One of the major challenges of bringing a law practice up to twenty-first-century standards relates to dinosaur thoughts, a.k.a. an “old ways are best” mentality.

[2]       Recent spectacular corporate data losses and publicized hacks highlight the frequency and scale of cybersecurity issues.[1]  At least one leaked global surveillance effort focused on electronic information involving U.S. law firms,[2] and hackers’ focus on high-value information repositories, like law firms, has increased.[3]  These realities have sensitized clients to the importance of data protection protocols and secure infrastructure.[4]  In the era of Edward Snowden,[5] WikiLeaks,[6] and global surveillance nets,[7] firms must vigilantly guard against unauthorized third-party access to sensitive client information and privileged communications.  All of this highlights the importance of technical competence in the practice of law.

II.  Dinosaurs Take Risks with Technology

[3]       There are many dinosaur thoughts pervading lawyers’ views regarding the adequacy of their technical knowledge, practices, and systems.  Dinosaurs say quaint things like:

·      “Fax and e-mail are secure ways to communicate with clients.”

·      “It’s ok to use public WiFi, as long as it’s the airport, hotel, or Starbucks.”

·      “E-Discovery is just like paper discovery, except there’s no boxes or warehouses.”

·      “I don’t see a problem with using my firm-issued smart phone to download my favorite free game app and post comments and pictures on social media.”

Dinosaur thoughts can cause trouble if Information Technology (IT) personnel or other colleagues at the firm do not temper them and educate their colleagues regarding the risks.

A.  The Old World Is a Dangerous Place to Live

[4]       About a decade ago, the groundbreaking Zubulake series of opinions were issued. [8]  These cases laid the groundwork for the concept that technical competence is a necessary component of effective legal representation and our ethical obligation to clients.[9]  Dinosaur thoughts were not welcome in Judge Scheindlin’s courtroom then, nor are they today.  Now more judges are talking about the importance of technical competence, particularly when dealing with e-Discovery issues and noncompliance with increasingly complex electronic filing rules and procedures.[10]  As the district court vented in Allstate Ins. Co. v. Linea Latina de Accidentes, Inc.,

 Every federal district now has embraced electronic filing.  The days of attorneys being able to ignore the computer and shift blame to support staff in the event of an error are gone.  The consequences are simply too serious.  To the extent there are attorneys practicing in federal court who are under the impression that someone in the Clerk’s office will comb their filings for errors and call them with a heads-up, the Court delivers this message: It is the responsibility of counsel to ensure that personal identifiers are properly redacted.[11]

The above-mentioned district court sanctioned a lawyer who filed a Complaint with attachments containing personal identifiers in unredacted form.[12]  He then refiled the documents when the defendants raised a concern regarding the information that had not been redacted.[13]

[5]       The second filing was not much better, as it contained removable redactions that could be deleted and expose the underlying information.[14]  Counsel did not understand how to properly apply redactions to a PDF image.[15]

[6]       In delivering its sanction decision, the court concluded that attorneys “who are slow to change run the very real risk of sanctions,” and there was no excuse for not complying with the Federal Rule’s requirement of redacting personal information from public electronic filings.[16]

B.  Rise of the Technology Lawyers

[7]       Lawyers need some technical competence if they are practicing law today, though the skills and knowledge needed vary widely depending on their practice areas and client needs.  In fact, in August 2012 the American Bar Association (ABA) approved a resolution that changed the ABA Model Rules of Professional Conduct (Model Rules) and included technical competency requirements.[17]  This change requires lawyers to keep pace with “relevant technology” to comply with their ethical obligation to competently represent clients.[18]

[8]       Model Rule 1.1 addresses the “client-lawyer” relationship and provides that a lawyer owes clients a duty of competence.[19]  This Rule explains: “[a] lawyer shall provide competent representation to a client.  Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”[20]  While the Rule remains the same, Comment 8 now explains that lawyers should become educated regarding the benefits and risks associated with technology relevant to their practice.[21]  This amendment to Comment 8 illustrates the ABA’s desire to highlight the important role that technology plays in the practice of law today.[22]

[9]       This seemingly minor change to an advisory comment is significant because the Model Rules serve as a guide for the ethical rules governing lawyers in most states, including Virginia.[23]  The Model Rules now formally require lawyers in those jurisdictions following them to understand technology, including technology that relates to fulfilling e-Discovery obligations and protection of client confidences.  Failure to comply with these ethics rules can lead to temporary or permanent disbarment or suspension of their license to practice law.[24]

[10]     Rules aside, in-house counsel should understand the level of technical proficiency required for their internal team and outside counsel to competently represent the company’s interests, and they should hire accordingly.  Outside counsel must receive education regarding the technologies that support the practice, clients’ businesses, and best practices that minimize risks and maximize benefits associated with its use.  Additionally, technical competence is important to satisfy counsel’s obligations to the Court, the clients, and the opposing parties in a litigation or regulatory investigation.

[11]     In short, lawyers are practicing law in a brave new world, and technology plays a starring role.  Whether it is a predictive coding technology, cell phone tracking technology, or a firm’s or company’s communication software and systems—lawyers must roll up their sleeves and learn how to use it.

III.  Running the Shop

[12]     Regardless of size, law firms are becoming more reliant on technology to manage their day-to-day activities, interact with clients, and find critical information among massive data repositories and across the Internet.  Many cases filed in federal courts are subject to electronic document filing requirements, and state courts are following this trend.[25]  With this increased use of technology, a number of risks arise that can harm a firm’s reputation or result in loss of clients’ data and legal liability.  This paper discusses some common risks that firms should be aware of as well as ways in which they can minimize them.

A.  The Nature of the Risk

[13]     Law firms tend to foster a target-rich environment for data theft.[26]  One important risk that law firms must anticipate—and prepare a rapid response plan for—involves security breaches.  There are three major categories of reported data loss breaches involving lawyers and law firms: disposal of client records, mobile device theft or loss, and misuse of firm systems and security protocols.[27]  Other losses can occur because of lax policies, inadequate training, or the inattention of system users.[28]

B.  Data Security Technologies in the Modern Firm

[14]     Law firms often hold a high concentration of clients’ most sensitive information in their files.  State-sponsored hackers have been blamed for several high-profile law firm data breaches motivated by an interest in merger and acquisition information, intellectual property assets, and other sensitive strategic or competitive information.[29] This information may be easily obtainable because of the simple Account-Matter structure that law firms use to keep their client files organized.  However, client systems may be difficult to understand, and it is often harder for outsiders to identify the subset of information they seek.  Lawyers who have pulled a complicated client database or shared team folder can likely commiserate.

1.  Password Management & Security

[15]     Technology systems often require strong passwords and multi-step authentication processes upon sign-in and sign out or lock access after a period of inactivity or attempted access from a suspicious IP address.[30]  These layers of protection are built into technology for a reason, but they can be easily circumvented by poor password management and careless security policies.

[16]     Passwords should be between sixteen and twenty-four or more characters, depending upon the field limits of the software.  Ideal passwords include special characters, uppercase and lowercase letters, and numbers.  Firm employees should be required to change their passwords regularly and should not use the same password for all systems.  Particularly for financial institution access and client data systems, the password used should be complex and unique to that system.  Never keep a temporary or default password provided when receiving access to software or new hardware such as computers and routers.  Some defaults are as simple as username: “admin” and password: “1234.”

[17]     Many people feel overwhelmed by the number of passwords they must track for personal use or firm systems.  Using password management software to store passwords in one place and ensure that newly generated passwords meet certain requirements is an excellent first line of defense.

[18]     Web browsers’ (Chrome, Safari, Firefox, or Internet Explorer) built-in password storage systems have known security issues,[31] and they should be avoided.  Cloud-based systems such as 1Password, KeePass, Roboform Everywhere, and LastPass are more robust than browser management systems and are designed to securely store passwords for websites, mobile apps, notes, credit card information, and other sensitive information.  Many of these management systems can be accessed across platforms, meaning they work on computers, smartphones, and tablet devices equally well.[32]  Several offer the ability to generate random secure passwords, audit your existing passwords, and analyze them to identify those that may have been compromised by major security breaches like the Heartbleed Security Bug of 2014.[33]  All password management systems have potential vulnerabilities,[34] but they are better than a note stuck on your computer.

2.  Data & Traffic Encryption

[19]     Firms should also be using encryption technology to share information between an individual computer, mobile device, or web browser and the system or database where the information resides or a communication is sent.  This is true regardless of whether the information is transferred over the Internet, via cellular and satellite communication channels, or using landlines.

[20]     You might use a Virtual Private Network (VPN) to securely connect the computer networks for two geographically distant offices or connect to your office’s systems while traveling.  Some firms use VPN technologies to encrypt all of their Internet traffic, whether they are in or outside the office, to add another layer of security while the information is in transit.[35]  Other variants on the VPN connection take advantage of the functionality, security, and other benefits obtained from data protection and management protocols.[36]  The right protocol for a firm will depend on the firm’s other security measures and infrastructure and what types of communications will be covered.

[21]     Like data on the move, sensitive data at rest should also be encrypted.  Media coverage of data breaches involving lost laptops that resulted in the potential exposure of very sensitive client or employee information remind us that the loss of one device connected to the firm network can be catastrophic.  Firm laptops and mobile devices should be protected with whole disk encryption or biometric access options and automated device wipe functions if someone tries to access the device without authorization.

[22]     Certain document and data management systems and encryption technologies like FileVault, LUKS, or BitLocker give firms the option to encrypt sensitive information (like client data) where it is stored on a Mac, Linux, or Microsoft system, respectively.[37]  This means that even if someone else—such as a disgruntled former employee or a hacker—accessed the encrypted data, they would be unable to read it without the decryption key.

[23]     While it may seem obvious, the encryption key should not reside on the same system or in a location where it may be accessible to a third party, such as an employee of the cloud-computing provider hosting the document management system.  Public cloud document providers such as Google Drive, Box.net, and Dropbox, which are popular client file storage solutions used by some small and mid-sized law firms, have been criticized for violating this simple data-protection rule.[38]

3.  Security Vulnerabilities

[24]     At a recent Black Hat security conference in Nevada, several researchers disclosed that USB drives can be corrupted with undetectable malware that infects the device and any computer it is connected to.[39]  The researchers disclosed this vulnerability to the USB manufacturers months before the code for those attacks was published in an attempt to spur changes in the manufacturing process and fix these vulnerabilities.[40]

[25]     If a firm does allow USB drives, the firm IT staff might monitor and log activity involving the USB ports of firm equipment.  USB ports are a common vulnerability point for employees or unauthorized third parties to access firm systems and inject viruses or download information that should not leave the firm systems on a separate hard drive.[41]  Without logging, it is hard to prove what and how much information was copied—or who did it.[42]

[26]     Successful firms use a combination of human and software technical support to protect firm systems, equipment, and network against spam, viruses, and malware.  If a firm allows client access to its wireless network, it may want to rethink that strategy.  Once one piece of equipment is infected, it can infect every piece of equipment on the network.[43]  In contrast, if every lawyer’s device is “authorized” to access the firm network and the clients are relegated to a separate secured client wireless network, this provides an added layer of protection for the firm’s systems and equipment.[44]  As previously mentioned, it is a good idea to use encryption for all communications shuttled through the firm’s network.  A competent IT provider should be advising the firm to use security protocols that are adequate in light of the importance and sensitivity of the information that is shared on that network.[45]

4.  Log History & Restricted Access

[27]     Vulnerability issues arise with unsecured File Transfer Protocol (FTP) sites that use the “honor access system,” systems on which any user can issue new user credentials.[46]  The honor system sounds nice, but if a former employee creates new credentials for themselves and accesses information they placed on the site after leaving the company, it is hard to un-ring that bell or determine what information they took.  Often FTP server log files are only kept for a specific (short) period of time.[47]  If the theft is discovered after the log file is destroyed, the primary evidence of theft may be gone forever.

[28]     This illustrates just one area where there is a genuine need for certain technology within the firm to be inaccessible to certain employees who neither need nor merit access to the information contained within it.  This also demonstrates the importance of an IT manager’s oversight of access history and file changes.  In a utopian world, lawyers would all trust their peers to make good decisions 100% of the time, but in the real world they have a duty to verify reasonably diligent behavior when it comes to client confidences.

5.  Due Diligence & Electronic Housekeeping

[29]     With any data system accessible over the Internet, good physical and electronic security measures are crucial.  Firms must do their research before implementing any firm data storage system on site or in the cloud.  Here are some basic questions they might ask during the due diligence process:

•     What is the geographic location of the data center, and what protections have been implemented at that site?

•     Is someone in charge of applying patches and upgrades, particularly updates that address known security vulnerabilities and stability issues?

•     What happens if the primary system goes down; is there a live, redundant backup that is geographically distant from the primary data site?

•     Is there an offline backup, and how often is that backup created?

•     What is the security policy and compliance protocol for the backup solution?

•     Does the provider have direct access to the data, or is it pre-encrypted before being uploaded to the provider?

These are just a few of the questions a firm should cover when considering where and with whom they will store their firm and client data.  Should a data breach involving firm or client information occur, the firm’s diligence in choosing the data storage provider and implementing sound system policies and protections may become a central issue in triggering insurance coverage, weathering legal ramifications of the breach, and managing client communications after any notifications occur.[48]

[30]     It is a bad idea to share passwords and login information.  Often, it is considered a violation of the Terms of Service or Service Level Agreement when a lawyer or other firm employee signs or clicks through a site under another user’s access credentials when purchasing a particular software product or a user license to a product.[49]

[31]     In certain circumstances, such a situation can violate the Computer Fraud and Abuse Act (CFAA)¾a quasi-criminal statute aimed at unauthorized access to proprietary and confidential information on computer systems—or the Stored Communications Act (SCA)¾which protects against unauthorized interception of electronic information if access to the stored communication was “without authorization”[50] or “exceeds authorized access.”[51]

[32]     Both statutes provide for civil liability in particular circumstances.[52]  If an assistant or another employee who has access to other employees’ account passwords leaves on bad terms, it will be hard to isolate and deal with their unauthorized access to the system using another person’s credentials.  And it is difficult to justify the decision to share passwords to the firm’s IT personnel when they have to shut down a lawyer’s user accounts and issue new ones, with new credentials.  Just don not do it.

[33]     Additionally, sometimes law firms are required (or decide) to delete client data, a litigation opponent’s information, or firm electronic records.  When deleting confidential records, consider servers and their backup systems, computers and mobile devices, external drives including USB drives, disks such as CD-ROMs and other non-reusable physical media.

[34]     At a minimum, delete the electronic files and then empty the trash bin.  Optimally, use a secure deletion method like a file shredder program that performs a permanent delete and overwrites the disk several times.[53]  Physical media should be securely destroyed.[54]  Firms should only keep encrypted copies of the minimum data necessary to comply with a data retention policy, legal, or business requirement.

[35]     Many firms are notorious data hoarders and seem to hold old records without any legitimate business justification—such firms have a “sub-standard” information governance and recordkeeping model.[55]  Legitimate business justifications for retaining electronic information do not include “I may need that information someday—you never know.”

6.  Cloud Computing

[36]     Many papers, blog posts, and books have been written about the benefits and risks of using cloud-computing technologies.[56]  This paper will not focus on the benefits and risk analysis that should occur when contemplating adding cloud technologies to the firm’s system.

[37]     However, if a firm is considering a cloud computing solution, which means it will be using computing resources that are delivered over the Internet via a web browser or other interface, it needs to carefully read the documents that cover the contracts that provide the terms of the engagement with the cloud provider.[57]  Some standard contracts state that the cloud provider owns the data, lack an assurance that the system will be live, or lack tools to export data once it is in the cloud system.[58]

[38]     Analyze whether it is reasonable to place certain data in a cloud provider’s hands if they refuse to meet the firm’s needs and expectations.  Also, check the firm’s state bar website for current ethics opinions on this subject before moving to the cloud.  At least nineteen states have issued ethics opinions that directly or indirectly address this subject.[59]  All of those states have indicated that cloud computing or other similar technologies can be used in the practice of law but that reasonable care should be exercised to determine whether a particular provider is appropriate in a particular situation.[60]

[39]     In considering options among cloud computing providers, a firm’s investigation should delve into the question of whether the files are hidden from the cloud provider’s employees.  It would be a huge security risk if any employee who had access to the firm’s accounts could view clients’ files.

[40]     A more subtle risk involves firm employees use of their personal cloud accounts to shuttle files between the office and home.  Ultimately, this opportunity can be used for nefarious purposes, as was the case when one employee of a popular social gaming company allegedly stole confidential trade secrets using his personal Dropbox account before resigning from the company.[61]

7.  Mobile Devices

[41]     Many lawyers have a mobile phone attached to their hand and a tablet in their bag whenever they travel.  Firm employees should use a PIN or password on their mobile device and IT managers should enable remote wiping and tracking technologies in case a device is lost or stolen.

[42]     Additionally, most smartphones and tablets write a surprising amount of data to the device hard drive.[62]  For instance, if a lawyer opens a client document attached to an e-mail on their phone, the device usually stores that information on the hard drive.  Unlike traditional desktop systems, it is very hard to delete these types of files from the mobile device hard drive.[63]  Sometimes, the entire device has to be wiped in order to delete sensitive files that can be casually accessed on them.[64]

[43]     Now, I like mobile app games as much as the next person, but beware of apps that collect and share other data available on the device.  Many mobile apps and mobile system software track a user’s location, web browsing history, purchases, and a host of other information that you may not want to share.[65]  After a number of high profile blow-ups, some privacy controls have been implemented on mobile platforms.[66]  Users need to learn how to access these privacy controls through their system settings and review the terms for any app they download on a device.

[44]     Some free apps give users access to games or information, then collect lots of data from their device.[67]  Other apps deliver targeted ads based upon information that connects a person and past activities on that device.[68]  These seemingly harmless mobile apps represent security breach risks to the firm.  For example, researchers recently revealed that most of the top flashlight apps available on the Android platform are actually spyware.[69]  It can be creepy once one digs into the data being collected and the surveillance that occurs with or without their knowledge.

[45]     Here is another situation that illustrates the problems associated with unmanaged data collection by mobile apps.  Imagine a firm lawyer takes a picture with their phone and posts it on Facebook.  This may reveal their location at the time the picture was taken or when they accessed the Facebook app to post the picture.  What if opposing counsel learned that lawyer is in New York the night before a big hearing because their social media post included their current location?  The fact that the lawyer will be arguing an important motion the next day may be something they did not want to share with opposing counsel ahead of time.

8.  Social Media

[46]     There are many potential pitfalls associated with the use of social media or social media management apps on firm devices.  Be wary of social media applications and platforms, as they are frequently invaded by cybercriminals and hacktivists.[70]  Giving another application access to your credentials for one site or account could result in other linked accounts being hijacked.

[47]     Facebook is a well-known example of a social media site that has seen its share of hacks and complaints about unauthorized sharing of private data with other sites and companies.[71]  Even though Facebook now sends all hyperlinks through Websense first (a vast improvement), be wary of clicking on them.[72]  The firm should have a social media policy and a plan for responding if client confidences or other sensitive information leave the firm through a social media outlet, and it should train everyone in the firm to be responsible ambassadors of the firm brand and client information when using social media.

9.  Travel Troubles

[48]     Attorneys often travel for depositions or client meetings, and they can be most vulnerable to data breaches when on the road.  Aside from remembering to encrypt traffic across open Internet connections, exercising good sense in not accessing client information in a manner that can be readily viewed or recorded by others would be wise.  With the advent of smartphone cameras and the ready availability of lapel cameras, a traveling lawyer would be wise to wait for the privacy of their hotel room to open and work on documents containing privileged information or work product.

[49]     It is easy to look over someone’s shoulder at the airport, on the plane, or in the hotel lobby.  And it can be particularly dangerous to rely on public WiFi or hotspots when traveling—they are often unencrypted and an excellent target for eavesdroppers who want to capture data packets and login credentials for any sites others access while on that WiFi network.[73]  For instance, the recent “Darkhotel” espionage campaign effectively targeted traveling business executives using hotel WiFi.[74]

[50]     Another key point to remember when traveling is that many cellular providers give users the ability to turn their smartphone into a hotspot, but this does not protect their Internet traffic in any way.  Using an unsecured mobile device as a WiFi hotspot for accessing the Internet on a laptop is a security concern.  Anyone within range can eavesdrop on the data a traveling lawyer sends or receives from the Internet and the mobile device.[75]  Some of the larger WiFi hotspot networks are secured (not open) and use enterprise-level security to protect a wireless connection on that network from eavesdroppers.[76]  These networks are a safer option.

[51]     Additionally, in the U.S., many large cellular providers encrypt the data traffic traveling to and from cell towers and the cellular device.  This connection may be slower than a traditional WiFi connection, but the security benefits are significant.  Finally, a VPN connection can be used on both WiFi and cell data connections.  Under these circumstances, all of the user’s Internet traffic and passwords travel through an encrypted tunnel, and already encrypted traffic enjoys double encryption.

10.  Insurance and Audits

[52]     Law firms have heightened responsibility for maintaining the confidentiality of client information because of their professional ethical requirements.  What should law firms be doing to better protect their data and deal with discovered breaches after they occur?

[53]     The firm should consider whether it needs cyber insurance to protect against the possible consequences of a breach.  Most general liability or professional liability insurance policies (and even umbrella business insurance policies) do not cover the cost of investigating a data breach, taking remedial steps to fix the problem, or notifying those who may be affected by it.  Cyber insurance policies are becoming more prevalent in many industries.

[54]     Additionally, the firm might hire someone to test the systems and determine technical and human areas of vulnerability.  Security audits may highlight practices or systems that should be changed in order to reduce these risks before a breach occurs.

11.  Hardware Vulnerabilities

[55]     As computer equipment ages and is replaced, it is vital to wipe all hard drives according to industry standards before either disposing of, or donating, those computers.  The Department of Defense DoD 5220.22-M (ECE) recommends seven complete wipes,[77] and there are a number of free or low cost products that can be used to wipe computers and external hard drives.

[56]     Every typical law office has a multi-function copier/scanner that is networked, and these devices always contain a hard drive with a copy of every page that has been either scanned or copied.  These represent a huge security risk for several reasons.  First, they are risky from a data perspective because of the massive number of stored documents sitting on an unencrypted hard drive in the machine.[78]  Second, their networked permissions often provide access to computers, but the copier/scanner itself has low security measures required to gain access.  People think nothing of leaving their copier code on a sticky note next to their computer—after all, what harm could that pose?  This means anyone who can gain access to the office can access the network through this simple “backdoor” methodology.

III.       What it Takes to Practice Law in the 21st Century

[57]     Law firms are becoming more reliant on technology to manage their day-to-day activities, interact with clients, and work on the substantive aspects of their job.  Now that we have identified dinosaur thoughts relating to technology, how do we extinguish them in the practice of law?  Well, initially, lawyers must purposefully focus on education initiatives involving relevant technology.  Extinguishing dinosaur thoughts also involves raising the bar and hiring good people who understand and embrace technology, then making them an integral part of the team.  Ultimately, law firms must become better stewards of their clients’ sensitive information and have protocols for holding or accessing it.

[58]     Security breaches do not occur at one single point of failure, but at several points.  Thus, a firm should verify that its IT provider is undertaking reasonable efforts to protect firm systems and equipment and ensure that firm employees are educated on those systems.  Finally, firms need to understand and take advantage of the security measures that are already built into the systems.

[59]     Diverse teams with different and complementary technical skills help law firms keep up with technology and continually evolve their practice.  As technology continues to take a starring role in firm infrastructure, processes, and communication channels (and clients’ businesses), lawyers must adapt and keep up with those changes—or go the way of the dinosaurs.

---

 

* Antigone Peyton is the founder and CEO of Cloudigy Law PLLC, an Intellectual Property and technology law firm located in McLean, Virginia. Antigone is an unabashed technophile focused on IP litigation and cutting-edge legal issues involving patents, trademarks, copyrights, and trade secrets.  A longstanding member of The Sedona Conference Working Group 1 (electronic document retention and production), Antigone is a frequent speaker and lecturer on law and technology issues involving IP, social media, cloud computing, big data, and eDiscovery and a technology panelist for EmeraldPlanetTV.
[1] See, e.g., Reuters, Aramco Says Cyberattack Was Aimed at Production, N.Y. Times, Dec. 10, 2012, at B2, available at http://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html, archived at http://perma.cc/39WX-7L76 (noting that “Cutting Sword of Justice” were credited for a hack wiping data from about 30,000 computers at Saudi Arabia’s national oil company, and that hackers are getting more creative, sometimes using devices that seem like everyday objects that belong in the workplace—like a cell phone charger); Greg Kumparak This Fake Phone Charger Is Actually Recording Every Key You Type, TechCrunch (Jan. 14, 2015), http://techcrunch.com/2015/01/14/this-fake-phone-charger-is-actually-recording-every-key-you-type/, archived at http://perma.cc/P4TC-M846 (crediting a fake phone charger that logs the information you type on a wireless keyboard to Samy Kamkar); Kim Zetter, Logic Bomb Set Off South Korea Cyberattack, Wired (Mar. 21, 2013, 7:05 PM), http://www.wired.com/2013/03/logic-bomb-south-korea-attack/, archived at http://perma.cc/3RL8-CA8Q (noting that several banks and broadcasting companies were attacked by a logic bomb that wiped computer hard drives and master boot records that interrupted ATM operations in South Korea); Kim Zetter, Sony Got Hacked Hard: What We Know and Don’t Know So Far, Wired (Dec. 3, 2014, 4:02 PM), http://www.wired.com/2014/12/sony-hack-what-we-know/, archived at http://perma.cc/VL6R-TJ2V (discussing that hacktivists “Guardians of Peace” stole up to 100 terabytes of data from Sony, including login credentials and documents with personal employee information).

[2] See, e.g., James Risen & Laura Poitras, Spying by N.S.A. Ally Entangled U.S. Law Firm, N.Y. Times, Feb. 16, 2014, at A1, available at http://www.nytimes.com/2014/02/16/us/eavesdropping-ensnared-american-law-firm.html, archived at http://perma.cc/AD5Y-G3FT.

[3] See, e.g., Jennifer Smith, Client Secrets at Risk as Hackers Target Law Firms, Wall St. J. (June. 25, 2012, 2:21 PM), http://blogs.wsj.com/law/2012/06/25/dont-click-on-that-link-client-secrets-at-risk-as-hackers-target-law-firms/, archived at http://perma.cc/B696-8ZBB.

[4] See Matthew Goldstein, Law Firms Are Pressed on Security for Data, N.Y. Times, Mar. 27, 2014, at B1, available at http://dealbook.nytimes.com/2014/03/26/law-firms-scrutinized-as-hacking-increases/, archived at http://perma.cc/6Z34-3BGL.

[5] See, e.g., Glenn Greenwald, Ewen MacAskill & Laura Poitras, Edward Snowden: The Whistleblower behind the NSA Surveillance Revelations, Guardian (June 11, 2013, 9:00 AM), http://www.theguardian.com/world/2013/jun/09/edward-snowden-nsa-whistleblower-surveillance, archived at http://perma.cc/D9PZ-KYCH.

[6] See, e.g., Scott Shane & Andrew W. Lehren, Leaked Cables Offer Raw Look at U.S. Diplomacy, N.Y. Times, Nov. 29, 2010, at A1, available at http://www.nytimes.com/2010/11/29/world/29cables.html, archived at http://perma.cc/H9AU-D3GF.

[7] See, e.g., David Ljunggren & Mike De Souza, Snowden Files Show Canada Spy Agency Runs Global Internet Watch: CBC, Reuters, (Jan. 28, 2015), http://www.reuters.com/article/2015/01/28/us-canada-spying-idUSKBN0L11W520150128, archived at http://perma.cc/HK3N-GDBF.

[8] See Victor Li, Looking Back on Zubulake, 10 Years Later, A.B.A. J. (Sept. 1, 2014, 10:30 A.M.), http://www.abajournal.com/magazine/article/looking_back_on_zubulake_10_years_later, archived at http://perma.cc/965H-GF38 (discussing the Zubulake opinions and their impact on the body of case law relating to e-Discovery and a lawyer’s obligations including a minimal level of technical competence).

[9] See id.

[10] See, e.g., Baella-Silva v. Hulsey, 454 F.3d 5, 11–12 (1st Cir. 2006) (affirming a $50,000 sanction against a party for electronically filing a confidential settlement document and failing to take the proper precautions to preserve confidentiality in an electronically filed document that could lead to sanctions or other liabilities).

[11] Allstate Ins. Co. v. Linea Latina De Accidentes, Inc., No. 09-3681, 2010 U.S. Dist. LEXIS 124773, at *8 (D. Minn. Nov. 24, 2010).

[12] See id. at 3, 10–11.

[13] See id. at 4–5.

[14] See id. at 6–7.

[15] See id. at 5–7.

[16] 2010 U.S. Dist. LEXIS 124773, at 8–9.

[17] See, e.g., ABA Comm. on Ethics, Res. 105C, 1–2 (2012) (report to the House of Delegates), available at http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/2012_hod_annual_meeting_105c.authcheckdam.pdf; ABA Commission on Ethics 20/20, archived at http://perma.cc/S2XZ-WQS6; ABA, ABA House of Delegates Approves Commission’s Resolutions (Aug. 6, 2012), http://www.americanbar.org/groups/professional_responsibility/aba_commission_on_ethics_20_20.html, archived at http://perma.cc/3QF7-FL4L.

[18] Model Rules of Prof’l Conduct R. 1.1 cmt. 8 (2014).

[19] See id. at R. 1.1.

[20] Id.

[21] See id. at cmt. 8 (“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”) (emphasis added).

[22] See, e.g., Matt Nelson, New Changes to Model Rules a Wake-Up Call for Technology Challenged Lawyers, InsideCounsel (Mar. 28, 2013), http://www.insidecounsel.com/2013/03/28/new-changes-to-model-rules-a-wake-up-call-for-tech, archived at http://perma.cc/9U6Q-XT33 (noting the report accompanying the resolution suggests this was always a component of the competence standard for lawyers and that “[t]he proposed amendment, which appears in a Comment, does not impose any new obligations on lawyers.  Rather, the amendment is intended to serve as a reminder to lawyers that they should remain aware of technology, including the benefits and risks associated with it, as part of a lawyer’s general ethical duty to remain competent.”).

[23] See, e.g., Chronological List of States Adopting Model Rules, ABA Center for Prof. Resp., http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/chrono_list_state_adopting_model_rules.html, archived at http://perma.cc/2AJL-EG7V (last visited Feb. 12, 2015).

[24] See Model Rules of Prof’l Conduct Scope para. 19–20 (2014).

[25] See, e.g., Electronic Filing and Case Management, U.S. Dist. Ct. Cent. Dist. Cal., http://www.cacd.uscourts.gov/e-filing, archived at http://perma.cc/VX2T-JQTH (last visited Feb. 12, 2015) (“[E]lectronic filing is mandatory in all civil and criminal cases in the Central District of California.”); EFiling, Super. Ct. Cal. County Orange, http://www.occourts.org/online-services/efiling/, archived at http://perma.cc/JY6H-2Z2D (last visited Feb. 12, 2015) (“Pursuant to section 1010.6 of the Code of Civil Procedure, rule 2.253(b)(2) of the California Rules of Court, Orange County Superior Court Local Rule 352, and Local Rule 601.01 all documents filed by attorneys in probate, limited civil, unlimited civil, and complex civil actions . . . must be filed electronically unless the Court rules otherwise.”).

[26] See, e.g., Lolita C. Baldor, FBI: Hackers Targeting Law and PR Firms, NBC News (Nov. 17, 2009, 10:58 AM), http://www.nbcnews.com/id/33991440/ns/technology_and_science-security/t/fbi-hackers-targeting-law-pr-firms/#.VMKMdV6hy7x, archived at http://perma.cc/C6LS-2GJ8 (discussing the November 1, 2009 FBI issued advisory warning to law firms that hackers were specifically targeting them); Goldstein, supra note 4 (discussing that in 2011, the FBI began organizing meetings with top law firms in the U.S. to highlight the cybersecurity and corporate espionage risks, particularly for firms with offices in countries like Russia and China and in 2012, security company Mandiant reported that an estimated 80% of the 100 largest American law firms had some malicious computer breach in 2011).

[27] See Matthew H. Meade, Lawyers and Data Security: Understanding a Lawyer’s Ethical and Legal Obligations that Arise from Handling Personal Information Provided by Clients, 28 Computer & Internet Law. 1, 1 (2011).

[28] See id. at 2–3.

[29] See, e.g., Michael A. Riley & Sophia Pearson, China-Based Hackers Target Law Firms to Get Secret Deal Data, Bloomberg (Jan. 31, 2012, 4:37 PM), http://www.bloomberg.com/news/2012-01-31/china-based-hackers-target-law-firms.html, archived at http://perma.cc/T6LY-2P4N (noting that China-based hackers targeted several law firms while they were involved in a $40 Billion company takeover deal); see also Breaking the Law: How Legal Firms Get Hacked, ZeroFOX (May 20, 2014) [hereinafter Breaking the Law], http://www.zerofox.com/whatthefoxsays/breaking-law-legal-firms-get-hacked/#.VMKOR16hy7x, archived at http://perma.cc/6CH8-C3QB.

[30] IT Examination Handbook InfoBase: Authentication, FFIEC, http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/access-control-/authentication.aspx, archived at http://perma.cc/V89D-978R (last visited Feb. 16, 2015).

[31] See Melanie Pinola, Which Password Manager Is the Most Secure?, Lifehacker (Sept. 20, 2012, 10:00 AM), http://lifehacker.com/5944969/which-password-manager-is-the-most-secure, archived at http://perma.cc/5FC7-YWYP (noting that Malware or tools like WebBrowserPassView can reveal passwords stored in web browsers because those systems rely on the computer login as the cypher for the encrypted password data stored by the browsers, and that web-based password managers that rely on a master password to gain access to the management system are generally more secure options); see also Jill Scharr, Google Chrome’s Security Flaw: How to Safely Store Passwords, Tom’s Guide (Aug. 8, 2013, 11:54 PM), http://www.tomsguide.com/us/chrome-security-password-saver,review-1840.html, archived at http://perma.cc/K24P-UB6W (discussing Google Chrome’s lack of security measures for data storage, easily allowing unwanted access to the user’s password in unencrypted plain text).

[32] Best Password Manager: Dashlane Vs Lastpass Vs 1Password Vs Roboform Vs KeePass, A Secure Life (last updated Mar. 4, 2015), http://www.asecurelife.com/dashlane-vs-lastpass-vs-1password-vs-roboform-vs-keepass/, archived at http://perma.cc/A4PB-9ZQ3.

[33] See The Heartbleed Bug, Heartbleed.com, http://heartbleed.com/, archived at http://perma.cc/8KMU-3NAA (explaining that the Heartbleed Bug allows unwelcome individuals to read the memory of systems protected by versions of the OpenSSL software with design flaws).

[34] See, e.g., Greg Kumparak, LastPass Finds Security Holes in Its Online Password Manager, Doesn’t Think Anyone Exploited Them, TechCrunch (July 11, 2014), http://techcrunch.com/2014/07/11/lastpass-finds-security-holes-in-its-online-password-manager-doesnt-think-anyone-exploited-them/, archived at http://perma.cc/P446-KECS (discussing the discovery of two security flaws in LastPass online password manager products).

[35] See, e.g., VPN Technologies: Definitions and Requirements, VPN Consortium (July 2008), http://www.vpnc.org/vpn-technologies.html, archived at http://perma.cc/724G-UD48.

[36] See id.

[37] See William Ruddy, Moving on After TrueCrypt’s Untimely Departure, Phoenix TS Blog (June 26, 2014), http://www.phoenixts.com/blog/moving-on-after-truecrypt, archived at http://perma.cc/FQC2-8DE4.  In May of 2014, TrueCrypt developers stopped supporting this open encryption software system after Microsoft terminated its support of WindowsXP.  TrueCrypt, http://truecrypt.sourceforge.net/, archived at http://perma.cc/R7HA-JKGJ (last visited Feb. 12, 2015) (“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”).  Later versions of the Windows operating systems integrated support for full disk encryption and virtual disk images.  Some have theorized the developers made this announcement because the encryption keys had been compromised or a “back door” had been created in response to a confidential demand from a law-enforcement or national security entity.  See Dan Goodin, Bombshell TrueCrypt Advisory: Backdoor? Hack? Hoax? None of the Above?, Ars Technica (May 29, 2014, 2:45 PM), http://arstechnica.com/security/2014/05/bombshell-truecrypt-advisory-backdoor-hack-hoax-none-of-the-above/, archived at http://perma.cc/JCE2-4AQJ.

[38] See, e.g., Hector Salcedo, Google Drive, Dropbox, Box and iCloud reach the Top 5 Cloud Storage Security Breaches List, Credeon Blog (Nov. 20, 2014, 7:00 AM), http://psg.hitachi-solutions.com/credeon/blog/google-drive-dropbox-box-and-icloud-reach-the-top-5-cloud-storage-security-breaches-list, archived at http://perma.cc/36CD-3FJV.

[39] See Andy Greenberg, The Unpatchable Malware that Infects USBs Is Now on the Loose, Wired (Oct. 2, 2014, 6:30 AM), http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack, archived at http://perma.cc/V345-33WD.

[40] See id. The author’s firm now has a “no thumb drive” policy because the USB attack code is public and the stakes are too high if a firm device becomes infected—the malware cannot be removed even if the USB drive is wiped and reformatted.  See id.

[41] See Caroline Baldwin, USB-Connected Devices Present Cyber Vulnerabilities, Computer Wkly. (Aug. 11, 2014, 11:45 AM), http://www.computerweekly.com/news/2240226605/USB-connected-devices-present-cyber-vulnerabilities, archived at http://perma.cc/8JW6-P2T9.

[42] See id.

[43] See Malware (Viruses et al), Info. Tech.–Miller Sch. Med. U. Miami, http://it.med.miami.edu/x699.xml, archived at http://perma.cc/8HYT-XD6B (last visited Jan. 28, 2015).

[44] See Jeff Beard, Wireless Networking Best Practices: Version 2.0, Law Tech Guru (Aug. 1, 2004), http://www.lawtechguru.com/archives/mobile_tech_gadgets.html, archived at http://perma.cc/KJ6Q-5JWD.

[45] Whether using Wired Equivalent Privacy (WEP) 128-bit or WPA encryption, your IT personnel should make sure that all communications are secure.  WEP is weaker and can be cracked.  See Vangie Beal, The Differences Between WEP and WPA, Webopedia (June 15, 2007), http://www.webopedia.com/DidYouKnow/Computer_Science/WEP_WPA_wireless_security.asp, archived at http://perma.cc/TX4L-6ZTE.  The only wireless encryption standards that have not been cracked (yet) are WPA with the AES (Advanced Encryption Standard) or WPA2.  See Jason Fitzpatrick, HTG Explains: The Difference Between WEP, WPA, and WPA2 Wireless Encryption (and Why It Matters), How-To Geek (July 16, 2013), http://www.howtogeek.com/167783/htg-explains-the-difference-between-wep-wpa-and-wpa2-wireless-encryption-and-why-it-matters/, archived at http://perma.cc/Y3PP-RX88.

[46] Rick Lehtinen, Deborah Russell & G.T. Gangemi Sr., Computer Security Basics 119 (2d ed. 2006).

[47] See IBM Knowledge Center, File Transfer Protocol (FTP), IBM (last visited Feb. 18, 2015), http://www-01.ibm.com/support/knowledgecenter/SSB23S_1.1.0.8/com.ibm.ztpf-ztpfdf.doc_put.08/gtpc1/hftp.html?lang=en, archived at http://perma.cc/EX7T-SWN9.

[48] See Sherilyn Pastor & Kelly Lloyd, When Your Data Goes Viral: Insurance for Data Breaches, Corporate Counsel (Jan. 29, 2015), http://www.corpcounsel.com/id=1202716324082/When-Your-Data-Goes-Viral-Insurance-for-Data-Breaches?slreturn=20150118121934, archived at  http://perma.cc/HQ4M-JAXZ.

[49] See Doug Gross, Facebook Speaks out against Employers Asking for Passwords, CNN (last updated Mar. 23, 2012), http://www.cnn.com/2012/03/23/tech/social-media/facebook-employers/, archived at http://perma.cc/9BP2-SJG7.

[50] 18 U.S.C. § 2701(a)(1) (2012).

[51] 18 U.S.C. § 1030(a)(1)–(2) (2012); see also Eric Matusewitch, Your Facebook Password or Your Job?, NNRC (July 18, 2014), http://blog.nnrc.com/your-facebook-password-or-your-job/, archived at http://perma.cc/8DP3-DEWN.

[52] See 18 U.S.C. § 2707(a)–(b) (2012) (“any provider of electronic communication service, subscriber, or other person aggrieved” by a knowing or intentional violation may recover damages or an injunction in a civil action as well as reasonable attorneys fees); 18 U.S.C. § 1030(g) (2012) (‘‘Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”).

[53] See Richard Kissel et al., Nat’l Inst. of Standards & Tech., U.S. Dep’t of Commerce, NIST Special Publication 800-88: Guidelines for Media Sanitization 27–28 (rev. 1 Dec. 2014), available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf, archived at http://perma.cc/9MP7-UQVN (relating to secure reuse of hardware after data deletion and disposal of electronic information).  The National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines, including minimum standards for Federal information systems.  Id. at ii.

[54] See id. at 36–37.

[55] See ARMA Int’l, Generally Accepted Recordkeeping Principles: Information Governance Maturity Model (2013), available at http://www.arma.org/docs/bookstore/theprinciplesmaturitymodel.pdf, archived at http://perma.cc/8Q9F-PFEF; see also Cohasset Assocs., ARMA Int’l, 2013–2014 Information Governance Benchmarking Survey for Legal Services 6–7, available at http://www.arma.org/r1/news/2014/06/16/2013-2014-information-governance-benchmarking-survey-for-legal-service, archived at http://perma.cc/J4MG-WLS5.

[56] See, e.g., Abby Shagin, The Risks and Benefits of Cloud Computing, SAP Bus. Innovation (Oct. 25, 2012), http://blogs.sap.com/innovation/cloud-computing/risks-and-benefits-of-cloud-computing-020025, archived at http://perma.cc/4GHW-NEAX.

[57] See, e.g., Eric Griffith, What is Cloud Computing?, PC Mag (Mar. 13, 2013), http://www.pcmag.com/article2/0,2817,2372163,00.asp, archived at http://perma.cc/7R6H-8J9A.

[58] See Joe McKendrick, 9 Questions to Ask Before Signing a Cloud Computing Contract, Forbes (Jan. 14, 2013, 4:00 AM), http://www.forbes.com/sites/joemckendrick/2013/01/14/9-questions-to-ask-before-signing-a-cloud-computing-contract/, archived at http://perma.cc/6BYB-3Q83.

[59] See Cloud Ethics Opinions Around the U.S., A.B.A., http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html, archived at http://perma.cc/JN7T-L3YJ (last visited Jan. 27, 2015) (collection of ethics opinions around the United States that deal with questions regarding law firms’ use of cloud computing).

[60] See id.

[61] See Complaint at 1–2, Zynga Inc. v. Alan Patmore, No. CGC-12-525099 (Cal. Super. Ct. Oct. 12, 2012) (a former employee transferred 760 confidential Zynga files to his personal account then uninstalled Dropbox to cover his tracks), available at http://tsi.brooklaw.edu/sites/tsi.brooklaw.edu/files/filings/zynga-inc-v-alan-patmore-et-al/20121012complaint-zynga.pdf, archived at http://perma.cc/MFQ3-SRXD.

[62] See Daniel P. Dern, How to Keep Your Smartphone (and It’s Data) Secure, Computerworld (Apr. 22, 2014, 7:30 AM), http://www.computerworld.com/article/2488450/mobile-security/how-to-keep-your-smartphone–and-its-data–secure.html, archived at http://perma.cc/AP2Q-932Q.

[63] See id.

[64] See id.

[65] See, e.g., Rolfe Winkler & Elizabeth Dwoskin, Google’s New User Tracking Bridges Mobile Apps and Mobile Web, Wall St. J. (Aug. 7, 2014, 7:57 PM), http://blogs.wsj.com/digits/2014/08/07/googles-new-user-tracking-bridges-mobile-apps-and-mobile-web/, archived at http://perma.cc/2G2U-3EGH.

[66] See Zack Whittaker, Seven Privacy Settings You Should Change Immediately in iOS 8, ZDNet (Sept. 17, 2014, 2:30 PM), http://www.zdnet.com/article/seven-privacy-settings-you-should-change-immediately-in-ios-8/, archived at http://perma.cc/F4V5-9M8B; see also Klint Finley, Out in the Open: How to Protect Your Secrets from Nosey Android Apps, Wired (Mar. 31, 2014, 6:31 PM), http://www.wired.com/2014/03/x-privacy/, archived at http://perma.cc/RPZ2-TN3R.

[67] See, e.g., James Geddes, Flashlight Apps are Spying on Users Android, iOs, Windows Phone Smartphones, is Yours on the List?, Tech Times (Oct. 26, 2014, 7:36 AM), http://www.techtimes.com/articles/18762/20141026/flashlight-apps-are-spying-on-users-android-ios-windows-phone-smartphones-is-yours-on-the-list.htm, archived at http://perma.cc/4SEQ-EKA3.

[68] See Kia Kokalitcheva, Twitter Will Soon Track the Apps on Your Smartphone to Deliver More Targeted Ads, VentureBeat (Nov. 26, 2014, 10:09 AM), http://venturebeat.com/2014/11/26/twitter-will-soon-track-the-apps-on-your-smartphone-to-deliver-more-targeted-ads/, archived at http://perma.cc/83VE-QNJW.

[69] See Waqas, Flashlight Apps Stealing Personal Information Stored on Your Smartphone, HackRead (Oct. 27, 2014), http://hackread.com/flashlight-apps-stealing-your-personal-information/, archived at http://perma.cc/C7G2-48GX.

[70] See, e.g., Dan Lamothe, U.S. Military Social Media Accounts Apparently Hacked by Islamic State Sympathizers, Wash. Post, Jan. 12, 2015, available at http://www.washingtonpost.com/news/checkpoint/wp/2015/01/12/centcom-twitter-account-apparently-hacked-by-islamic-state-sympathizers/?Post+generic=%3Ftid%3Dsm_twitter_washingtonpost, archived at http://perma.cc/94LC-AM6V.

[71] See Matthew J. Schwartz, How to Hack Facebook in 60 Seconds, InformationWeek (June 28, 2013, 11:08 AM), http://www.informationweek.com/mobile/how-to-hack-facebook-in-60-seconds/d/d-id/1110576?, archived at http://perma.cc/G8N2-ZUPE; see also Fred Stutzman, Ralph Gross & Alessandro Acquiti, Silent Listeners: The Evolution of Privacy and Disclosure on Facebook, 4 J. Privacy & Confidentiality, no. 2, 2012, at 7, 7.

[72] See Breaking the Law, supra note 29 (noting that social media engineering is an effective method for hacking law firms when employees click on links in social media postings with messages aimed at persuading them to access the link).
[73] See Michael Kassner, Convenience or Security: You Can’t Have Both When it Comes to Wi-Fi, Tech Republic (June 24, 2013, 1:09 AM), http://www.techrepublic.com/blog/it-security/convenience-or-security-you-cant-have-both-when-it-comes-to-wi-fi/, archived at http://perma.cc/4BEX-P8H6.

[74] See Press Release, Kaspersky Lab, Kaspersky Lab Sheds Light on “Darkhotel,” Where Business Executives Fall Prey to an Elite Spying Crew (Nov. 10, 2014), available at http://usa.kaspersky.com/about-us/press-center/press-releases/kaspersky-lab-sheds-light-“darkhotel”-where-business-executives, archived at http://perma.cc/PH46-Y7LK.

[75] See, e.g., Eric Geier, Here’s What an Eavesdropper Sees When You Use an Unsecured Wi-Fi Hotspot, PC World (June 28, 2013, 5:35 AM), http://www.pcworld.com/article/2043095/heres-what-an-eavesdropper-sees-when-you-use-an-unsecured-wi-fi-hotspot.html, archived at http://perma.cc/33BF-ZFUV.

[76] See Wi-Fi Hotspots: Connecting While Traveling, Norton, http://us.norton.com/travel-hotspot-security/article, archived at http://perma.cc/A6Y5-T4AD (last visited Feb. 18, 2014).

[77] See, e.g., Erase Hard Disk Wipe Parameters, KillDisk, http://www.killdisk.com/notes.htm, (last visited Mar. 5, 2015) (describing the U.S. Department of Defense DoD 5220.22-M (ECE), a seven pass overwriting algorithm used to erase data).

[78] See Armen Keteyian, Digital Photocopiers Loaded with Secrets, CBS News (Apr. 19, 2010, 6:12 PM), http://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/, archived at http://perma.cc/GVD6-7H8E.

DownloadPDF

Cite as: Philip J. Favro, The New ESI Sanctions Framework under the Proposed Rule 37(e) Amendments, 21 Rich. J.L. & Tech. 8 (2015), http://jolt.richmond.edu/v21i3/article8.pdf.

 by Philip J. Favro*

I.  Introduction

[1]       The debate over the necessity, substance, and form of the proposed e-Discovery amendments to the Federal Rules of Civil Procedure (Rules) has been ongoing for over four years.[1]  Since the Duke Conference convened in May 2010, the Judicial Conference Advisory Committee on the Civil Rules (Committee) has been working to address many of the perceived shortcomings in the current Rules regime.[2]  Their efforts have not been conducted in a vacuum.  Interest groups representing parties on either side of the “v” in litigation, the U.S. Department of Justice, and even individual federal judges have lobbied the Committee in an effort to shape the final form of the proposed amendments.[3]  This process, while both lengthy and necessary, may be reaching its closing stages.  With the Judicial Conference of the United States having approved the Rules amendment package in September 2014, the proposed changes appear to be on track for implementation by December 1, 2015.[4]

[2]      Viewed holistically, the proposed changes are designed to usher in a new era of proportional discovery, increased cooperation, reduced gamesmanship, and more active judicial case management.[5]  For many litigants the amendments of greatest significance are those affecting Rule 37(e).[6]  If enacted, the changes to Rule 37(e) would provide a uniform national standard regarding the issuance of severe sanctions to address spoliation of electronically stored information (ESI).[7]  They would also introduce a new framework for determining whether sanctions of any nature should be imposed for ESI preservation shortcomings.[8]  Counsel, clients, and the courts should all be aware of the impact these changes could have in litigation and on client information governance programs.[9]

[3]      In this article, I will analyze these issues.  After covering the deficiencies with the current version of Rule 37(e) in Part II, I consider in Part III the new sanctions framework under the proposed amendments.  This includes an analysis of the factors parties would be required to satisfy in order to justify the imposition of sanctions.  I also describe the severe measures calculated to remediate the most harmful ESI preservation failures, along with lesser sanctions designed to cure prejudice stemming from less egregious forms of spoliation.  In Part IV, I focus on some key questions about the Rule 37(e) revisions that remain unanswered and that will likely be resolved only by motion practice.  This includes, among other things, a discussion of how a revised Rule 37(e) might apply to failures to preserve ESI stored with cloud computing providers.

II.  The Need for Revisions to Rule 37(e)

[4]      The Committee has spent countless hours considering the over-preservation of ESI and the appropriate standard of culpability required to impose sanctions for its spoliation.[10]  Even though the current iteration of Rule 37(e) is supposed to provide guidance on these issues, amendments were deemed necessary given the inherent limitations with the rule.[11]

[5]      As it stands, Rule 37(e) safeguards litigants from discovery sanctions when the good faith, programmed operation of their computer systems automatically eliminates ESI.[12]  Nevertheless, the rule has largely proved ineffective as a national standard.[13]  While there are many reasons that could explain its futility, three problems predominate in the present version of the rule.

[6]      First, Rule 37(e) did not expressly abrogate the negligence standard that the U.S. Court of Appeals for the Second Circuit implemented for severe sanctions involving preservation failures under Residential Funding Corp. v. DeGeorge Financial Corp.[14]  By allowing Residential Funding to remain in effect, courts in the Second Circuit and beyond are free to impose adverse inference instructions or order other doomsday sanctions for negligent spoliation of ESI.[15]  With the Second Circuit—one of the epicenters of U.S. litigation—following a sanctions touchstone that generally varies from the rest of the country, the rule has failed to become a uniform national standard for ESI sanctions.[16]

[7]      The second reason Rule 37(e) has failed as a so-called “safe harbor” from sanctions is the emphasis the 2006 Committee note placed on requiring litigants to stop the routine destruction of ESI once a preservation duty attached.[17]  While litigants may be required to suspend particular aspects of their electronic information systems once a preservation duty is triggered, this is not the exclusive or the determinative factor in every sanctions analysis.[18]  For instance—as U.S. District Judge Paul Grimm emphasized in Victor Stanley, Inc. v. Creative Pipe, Inc.—a court should also consider as part of that analysis the “reasonableness and proportionality” of a party’s efforts to preserve relevant ESI.[19]  Nevertheless, most courts applying Rule 37(e) have instead generally focused on whether and when a party suspended particular aspects of its computer systems after a preservation duty attached.[20]  This has led to sanctions rulings that are out of step with mainline ESI preservation jurisprudence.[21]

[8]      The third factor contributing to the futility of Rule 37(e) is that courts have frequently used their inherent authority to bypass the rule’s protections.[22]  This is because Rule 37(e) only applies to conduct that occurred during the litigation.[23]  It does not govern pre-litigation activities such as the destruction of ESI that occurred before the commencement of litigation.[24]  As a result, courts have often wielded their inherent powers to fashion remedies for ESI destruction free from the rule’s present constraints.[25]

[9]      With varying preservation standards, the inordinate focus on one factor in the preservation analysis, and the ease with which the rule’s protections can be bypassed, there can be little doubt as to why a revised version of Rule 37(e) is needed.

III.  The Proposed Rule 37(e) Amendments

[10]      The proposed amendments to Rule 37(e) are designed to address these issues by providing a straightforward framework for the issuance of any sanctions stemming from failures to preserve relevant ESI.[26]  They also encourage courts to draw on a wide range of factors to fashion sanctions awards that cure prejudice caused by less harmful forms of ESI spoliation.[27]  In addition, the proposed changes establish “a uniform standard in federal court” for the imposition of severe remedial measures resulting from ESI preservation failures.[28]

A.  The New Sanctions Framework

[11]      The Committee has established a set of requirements in the proposed rule that must be satisfied before a court could impose sanctions on a litigant for failing to preserve ESI.[29]  The reason for doing so is to ensure sanctions for preservation failures are based on the designated criteria and not the potentially arbitrary use of a court’s inherent powers:

New Rule 37(e) . . . . authorizes and specifies measures a court may employ if information that should have been preserved is lost, and specifies the findings necessary to justify these measures.  It therefore forecloses reliance on inherent authority or state law to determine whether measures should be used.[30]

[12]      The prerequisites a party must satisfy when moving for sanctions under the amended Rule 37(e) proposal are as follows:

1. Relevant ESI “should have been preserved in the anticipation or conduct of litigation,”

2. Relevant ESI was “lost,”

3. The party charged with safeguarding the lost ESI “failed to take reasonable steps to preserve” the information, and

4. The lost ESI “cannot be restored or replaced through additional discovery.”[31]

[13]      While the first two steps essentially reflect existing common law requirements,[32] the third step includes a key notion memorialized in Victor Stanley II and Rimkus Consulting Group, Inc. v. Cammarata: preservation efforts must be analyzed through the lens of reasonableness.[33]  This is a significant step since it would oblige courts to examine preservation issues with a broader perspective and not focus exclusively on whether and when the party modified aspects of its electronic information systems.[34]  Moreover, it would direct preservation questions away from a mythical standard of perfection that has unwittingly crept into discovery jurisprudence over the past several years.[35]  Instead of punishing parties that somehow failed to preserve every last e-mail that could conceivably be relevant, the rule would essentially require a common sense determination of the issues based on a benchmark—reasonableness—with which courts and counsel are familiar.[36]

[14]      The fourth and final provision is significant since it would prevent the imposition of sanctions where there is essentially no harm to the moving party given the availability of replacement evidence.[37]

B.  Severe Sanctions vs. Curative Measures

[15]      To obtain the most severe measures under Rule 37(e)(2), the moving party must additionally demonstrate that the alleged spoliator “acted with the intent to deprive another party of the information’s use in the litigation.”[38]  This specific intent requirement is designed to create a uniform national standard by ensuring severe sanctions are imposed only for the most flagrant violations of ESI preservation duties.[39]  These violations appear to include bad faith destructions of ESI that occur in connection with the instant lawsuit.[40]  They do not, however, include negligent or grossly negligent conduct.[41]  The draft Committee note makes clear that the Rule 37(e) amendments “reject[] cases such as Residential Funding Corp. v. DeGeorge Financial Corp., 306 F.3d 99 (2nd Cir. 2002), that authorize the giving of adverse-inference instructions on a finding of negligence or gross negligence.”[42]

[16]      The severe sanctions a court could issue under Rule 37(e)(2) are limited to dismissing the case, entering default judgment, or “instruct[ing] the jury that it may or must presume the information was unfavorable to the party.”[43]  Alternatively, a court could presume that the lost ESI was unfavorable to the alleged spoliator.[44]  Nevertheless, a court is under no obligation to order any of these measures even if the specific intent requirement is satisfied.[45]  As the Committee cautions in the draft note, “[t]he remedy should fit the wrong, and the severe measures authorized . . . should not be used when the information lost was relatively unimportant or lesser measures . . . would be sufficient to redress the loss.”[46]

[17]      If the moving party cannot satisfy the specific “intent to deprive” requirement, the court could then resort to curative measures under Rule 37(e)(1) to address prejudice resulting from the loss of the ESI.[47]  The sanctions a court could order pursuant to that provision would be “no greater than necessary to cure the prejudice” to the aggrieved party.[48]  That wording was drafted broadly to ensure that jurists would have sufficient discretion to craft remedies that could ameliorate the prejudice.[49]  While the precise range of these remedies is not delineated in the rule, a Committee report and the draft Committee note suggest the remedies could include the following:

•         “[P]reclude a party from presenting evidence,”[50]

•         “[D]eem some facts as having been established,” [51]

•         “[P]ermit the parties to present evidence and argument to the jury regarding the loss of information,”[52]

•         “[G]ive the jury instructions to assist in its  evaluation of such evidence or argument, other than instructions to which subdivision (e)(2) applies,”[53] or

•         “[E]xclude a specific item of evidence to offset prejudice caused by failure to preserve other evidence that might contradict the excluded item of evidence.”[54]

[18]      Thus, a moving party could very well obtain weighty penalties against an alleged spoliator even if it is unable to establish the specific intent to deprive.[55]  Nevertheless, the draft Committee note establishes that any such sanctions must be tailored so they do not equal or exceed the severe measures of Rule 37(e)(2).[56]

IV.  Key Issues for Motion Practice under the New Rule 37(e)

[19]      While the new Rule 37(e) proposal addresses the main problems associated with the current rule, there are several questions about the revised rule that remain unanswered and will likely be the subject of vigorous motion practice.  I will consider three of those questions in this section.

A.  What Are “Reasonable Steps to Preserve” ESI?

[20]      One of the principal battlegrounds under the revised version of Rule 37(e) will certainly involve deciphering the meaning of “reasonable steps to preserve” ESI.[57]  This is because the “reasonable steps” provision is an express—though undefined—prerequisite for obtaining sanctions.[58]  This is confirmed by the wording of the draft Committee note: “Because the rule calls only for reasonable steps to preserve, it is inapplicable when the loss of information occurs despite the party’s reasonable steps to preserve.”[59]  Thus, a party who employs “reasonable steps” to keep relevant ESI cannot be sanctioned for its loss.[60]

[21]      However, as to the precise meaning of “reasonable steps,” the Committee provides only general guidance.  For example, the draft note suggests sanctions may not be appropriate if the destroyed ESI is either outside of a preserving party’s control or has been wiped out by circumstances (e.g., flood, fire, hackers, viruses, etc.) beyond the party’s control.[61]  Nevertheless, the note does not suggest these force majeure circumstances are an absolute defense to a sanctions request.[62]  Instead, it advises courts to view the context of the destruction and what steps the preserving party could reasonably have taken to prepare for the problem before it occurred.[63]  However, the Committee acknowledges that engaging in this type of hindsight analysis has its limitations.[64]

[22]      The note also suggests that the range of a party’s preservation efforts should be tempered by proportionality standards.[65]  However, as U.S. Magistrate Judge James Francis observed in Orbit One Communications, Inc. v. Numerex Corp., proportionality is an “amorphous” and “highly elastic” concept that may not “create a safe harbor for a party that is obligated to preserve evidence.”[66]  Therefore, while notions of proportionality may factor into the preservation analysis, it is unlikely they alone will determine the issue of “reasonable steps to preserve.”[67]

[23]      In the absence of meaningful direction on this issue, courts will likely turn to existing case law to help guide their decision on whether a party has taken “reasonable steps” to retain ESI.[68]  To be sure, the jurisprudence on this issue is far from uniform.[69]  Nevertheless, there are many cases that delineate the acceptable boundaries of preservation conduct.[70]  How those cases are applied under the revised Rule 37(e) will turn—as they always have—on the facts of the case,[71] the quality of counsel’s advocacy,[72] and the court’s perception of the issues.[73]

B.  What Does “Intent to Deprive” Mean?

[24]      Another likely area of dispute between litigants will be on the meaning of the “intent to deprive” requirement of revised Rule 37(e)(2).[74]  While the draft Committee note makes clear that this specific intent requirement does not include negligent or grossly negligent conduct,[75] the question confronting clients, counsel, and the courts is what conduct does it refer to?

[25]      The Committee report issued in connection with the Rule 37(e) proposed amendments explains that the “intent requirement is akin to bad faith.”[76]  Despite this straightforward explanation, the draft Committee note does not take such a restrictive view.[77]  Instead, the note indicates that sanctions under Rule 37(e)(2) are limited “to instances of intentional loss or destruction.”[78]  Conduct that is “intentional” and which results in the spoliation of ESI is not necessarily tantamount to bad faith.[79]  Indeed, that intentional conduct is a lesser standard than bad faith was confirmed by the United States Court of Appeals for the Seventh Circuit many years ago.[80]  In addressing a document spoliation question, the Seventh Circuit noted the distinction between bad faith and intentional conduct: “[t]hat the documents were destroyed intentionally no one can doubt, but ‘bad faith’ means destruction for the purpose of hiding adverse information.”[81]

[26]      If the “intent to deprive” requirement does encompass lesser forms of ESI spoliation than bad faith, the question then becomes what is the level of conduct punishable under Rule 37(e)(2)?  The answer is that “intentional” spoliations may very well include instances where parties have been reckless or willful in their destructions of ESI.[82]  Whether that conduct is sufficient to justify the severe measures that a revised Rule 37(e) authorizes will once again turn on the nature and circumstances surrounding the spoliation.[83]  In other words, the courts will again be left to sort out the meaning of a key provision from the rule.[84]

C.  How Would Rule 37(e) Apply to Cloud Computing Preservation Failures?

[27]      A third unanswered question is how the revised Rule 37(e) might apply in the context of cloud computing.  This is a particularly significant issue given that many organizations and individuals have moved or will move their data to cloud-based storage platforms.[85]  Even though petabytes of data are now being stored in the cloud, there are few lawyers who possess the expertise or understanding required to preserve and produce that data in discovery.[86]  These factors suggest cloud-related ESI preservation breakdowns should be expected in the coming years.[87]  Given these circumstances, how should courts address cloud preservation breakdowns under the amended Rule?

[28]      One recent case that provides some insight into the issues is Brown v. Tellermate Holdings.[88]  In Brown, the court imposed an issue preclusion sanction on the defendant employer for failing to preserve relevant information stored in the cloud.[89]  The plaintiffs had sought various categories of data from their former employer in order to substantiate their age discrimination claims.[90]  In particular, the plaintiffs—who previously worked as sales representatives at the company—requested their former employer produce sales records maintained by the employer on cloud provider Salesforce.com to establish that they either met or exceeded their sales quotas in comparison to younger employees.[91]

[29]      While the employer’s counsel issued a “general directive” that relevant documents be kept for litigation, neither the employer nor its lawyers took meaningful follow-up steps to ensure the responsive cloud-stored data was preserved.[92]  For example, the employer did not export the requested data from Salesforce.com and neglected to back up that information.[93]  Nor did the employer keep the plaintiffs’ Salesforce.com account information.[94]  Instead, it repurposed these accounts, thereby enabling other employees to modify or revise the data.[95]  Finally, the employer did not ask Salesforce.com for a back-up of the requested account data until after the cloud provider recycled the data pursuant to its own retention schedule.[96]  All of which compromised and spoliated the requested information that ultimately could have established (or negated) the plaintiffs’ claims.[97]

[30]      Would a revised Rule 37(e) change the outcome in Brown?  The employer almost certainly would not have escaped sanctions under the amended Rule since it “failed to take reasonable steps to preserve” [98] the relevant Salesforce.com ESI and due to the lack of replacement evidence.[99]  Given the importance of the spoliated evidence to the plaintiffs’ claims and the court’s other findings on the issues,[100] the issue preclusion sanction would likely be an appropriate curative measure under the updated version of Rule 37(e)(1).[101]

[31]      Indeed, the new sanctions framework suggests the only change in Brown might be in the gravity of the sanction issued against the employer.

Was the employer’s preservation failure tantamount to an “intent to deprive”[102] the plaintiffs of the Salesforce.com ESI under amended Rule 37(e)(2)?  While the employer unquestionably allowed the ESI to be destroyed, its conduct seems more akin to recklessness than bad faith,[103] i.e., the purposeful concealment of adverse information.[104]  And yet, given the ambiguity created by the draft committee note, such reckless conduct arguably could satisfy the “intentional loss or destruction” language.[105]

[32]      Though impossible to predict how a court would precisely rule in this instance, it is clear that the new sanctions framework would not dramatically change the analysis of the matter.  In essence, courts will continue to adjudicate ESI preservation failures—regardless of whether they occur in the cloud or in more conventional storage locations—based on the traditional notions of reasonableness and proportionality.[106]

V.  Conclusion

[33]      While not every issue associated with ESI preservation failures has been addressed by the Rule 37(e) proposal, it is unrealistic to expect that any rule could do so.  Moreover, the revised rule appears to have resolved many of the shortcomings with the current version.  By creating a basic analytical framework, widening the analysis to ensure a broad set of factors are considered in connection with preservation conduct, and establishing a uniform standard for severe sanctions, lawyers may finally have a workable paradigm to provide straightforward advice to clients on ESI preservation questions.

---

* Philip Favro is Senior Discovery Counsel, Recommind, Inc.; J.D., Santa Clara University School of Law, 1999; B.A., Political Science, Brigham Young University, 1994.  An earlier version of this article was first published by the Electronic Discovery & Digital Evidence Journal of the American Bar Association.  Philip Favro, The New ESI Sanctions Framework Under The Proposed Rule 37(e) Amendments, EDDE J., Summer 2014, at 12–19, available at http://www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=1&ved=0CCAQFjAA&url=http%3A%2F%2Fapps.americanbar.org%2Fdch%2Fthedl.cfm%3Ffilename%3D%2FST203001%2Frelatedresources%2FEDDE_JOURNAL-volume5_issue3.pdf&ei=pzKPVPeVA9KpogTR9oCoDA&usg=AFQjCNHpsxbsPwzvNEQ7Ku–x8m3x3oydw&sig2=gSNo1bbZeqtfCyHf2A2j0g&bvm=bv.81828268,d.cGU, archived at http://perma.cc/JKJ9-R6RY.

[1] See Judicial Conference Comm. on Rules of Practice & Procedure, Report of the Judicial Conference Committee on Rules of Practice and Procedure 13–14, app. B-1 to B-2 (Sept. 2014) [hereinafter Sept. ‘14 Report], available at http://www.uscourts.gov/uscourts/RulesAndPolicies/rules/Reports/ST09-2014.pdf, archived at http://perma.cc/S4YH-RF9T.

[2] Id. at 13–14, app. B-2.

[3] See generally Judicial Conference Advisory Comm. on Civil Rules, Report of Advisory Committee on Civil Rules 95-305, 331-411 (May 2, 2014) [hereinafter May ’14 Report], available at http://www.uscourts.gov/uscourts/RulesAndPolicies/rules/Agenda%20Books/Standing/ST2014-05.pdf, archived at http://perma.cc/6UFS-XLFQ (summarizing the nature of the comments the Committee received on the published versions of the proposed Rules amendments).

[4] See Thomas Y. Allman, The Civil Rules Package as Approved by the Judicial Conference (Sept. 18, 2014), available at http://www.theediscoveryblog.com/wp-content/uploads/2014/10/2014CommentsonRulePackage.pdf, archived at http://perma.cc/QVF2-GPD4 (discussing the timetable for approving and enacting the Rule amendments).

[5] See Philip J. Favro, A Comprehensive Look at the Newly Proposed Amendments to the Federal Rules of Civil Procedure, 26 Utah Bar J. 38, 38–41 (2013).

[6] See Raymond M. Ripple & Krystle Guillory Tadesse, Proposed Amendment to FRCP Rule 37 Addresses Sanctions for Failure to Preserve ESI, Inside Counsel (May 21, 2014), http://www.insidecounsel.com/2014/05/21/proposed-amendment-to-frcp-rule-37-addresses-sanct, archived at http://perma.cc/8BA6-BCY9.

[7] See Favro, supra note 5, at 42.

[8] See Sept. ‘14 Report, supra note 1, at app. B-59 to B-62.

[9] See Philip J. Favro, Getting Serious: Why Companies Must Adopt Information Governance Measures to Prepare for the Upcoming Changes to the Federal Rules of Civil Procedure, 20 Rich. J. L. & Tech. 5, ¶¶ 32–36 (2014) [hereinafter Getting Serious], http://jolt.richmond.edu/v20i2/article5.pdf, archived at http://perma.cc/LUN9-T76D.

[10] See Sept. ‘14 Report, supra note 1, at app. B-14 to B-15.

[11] Id. at app. B-58.

[12] Getting Serious, supra note 9, at ¶ 27.

[13] See Sept. ‘14 Report, supra note 1, at app. B-58; see also Hawley v. Mphasis Corp., 302 F.R.D. 37, 47, n.4 (S.D.N.Y. 2014) (describing that the purpose of the amendments is “to replace the disparate treatment of preservation/sanctions issues in different circuits by adopting a single standard”).

[14] Residential Funding Corp. v. DeGeorge Financial Corp., 306 F.3d 99, 113 (2d Cir. 2002); see also Sept. ‘14 Report, supra note 1, at app. B-17 to B-18, B-65.

[15] See, e.g., Sekisui Am. Corp. v. Hart, 945 F. Supp. 2d 494, 502–03 (S.D.N.Y. 2013) (relying on Residential Funding to impose an adverse inference instruction as a sanction for the plaintiffs’ grossly negligent spoliation of ESI).

[16] See Philip J. Favro, Sea Change or Status Quo: Has the Rule 37(e) Safe Harbor Advanced Best Practices for Information Management?, 11 Minn. J.L. Sci. & Tech. 317, 328–29, 332 (2010) [hereinafter Sea Change] (discussing the Committee’s intent to establish the present version of Rule 37(e) as a national standard when it was implemented in 2006).  The Second Circuit’s negligence standard is increasingly viewed as an anachronistic rule given the current challenges associated with ESI preservation.  See Sept. ‘14 Report, supra note 1, at app. B-18 (observing, among other things, that because “ESI is more easily lost than tangible evidence, . . . the sanction of an adverse inference instruction imposes a heavy penalty for losses that are likely to become increasingly frequent as ESI multiplies”).

[17] See Sea Change, supra note 16, at 327–28.

[18] Victor Stanley, Inc. v. Creative Pipe, Inc. (Victor Stanley II), 269 F.R.D. 497, 523 (D. Md. 2010).

[19] Id. (observing that an “assessment of reasonableness and proportionality should be at the forefront of all inquiries into whether a party has fulfilled its duty to preserve relevant evidence”).

[20] See Sea Change, supra note 16, at 327–28.

[21] See, e.g., In re Actos (Pioglitazone) Prods. Liab. Litig., No. 6:11-md-2299, 2014 U.S. Dist. LEXIS 86101, at *219–20 (W.D. La. June 23, 2014) (issuing an adverse inference instruction against one of the defendants for its failure to preserve relevant ESI and holding that a general litigation hold issued in an unrelated products liability suit filed nine years earlier had given rise to a duty to preserve relevant ESI in the instant litigation); Phillip M. Adams & Assocs., L.L.C. v. Dell, Inc., 621 F. Supp. 2d 1173, 1191 (D. Utah 2009) (finding that industry-related litigation that was initiated years before the lawsuit was filed against the defendant should have “sensitized” the defendant to the reasonable anticipation of litigation and that its subsequent failure to preserve relevant ESI merited sanctions).

[22] Thomas Y. Allman, Dealing with Spoliation in the Federal Rules (Again): The Proposed Amendment to Rule 37(e) at 5, IAALS/NJC E-Discovery Summit 2013 (Sept. 19–20, 2013), available at http://iaals.du.edu/images/wygwam/documents/publications/E-Discovery_Panel_2_Preservation.pdf, archived at http://perma.cc/72GB-U82V.

[23] Nucor Corp. v. Bell, 251 F.R.D. 191, 196, n.3 (D.S.C. 2008); see also Rimkus Consulting Group, Inc. v. Cammarata, 688 F. Supp. 2d 598, 611–12 (S.D. Tex. 2010) (delineating the nature and scope of the court’s inherent authority to issue sanctions and its interplay with Rule 37(e)).

[24] Nucor, 251 F.R.D. at 196, n.3 (“Rule 37(e)’s plain language states that it only applies to sanctions imposed under the Federal Rules of Civil Procedure (e.g., a sanction made under Rule 37(b) for failing to obey a court order).  Thus, the rule is not applicable when the court sanctions a party pursuant to its inherent powers.”).

[25] See, e.g., id.; see also Escobar v. Houston, No. 04-1945, 2007 U.S. Dist. LEXIS 72706, at *51–52, n.5 (S.D. Tex. Sept. 29, 2007) (describing the circumstances under which courts may exercise their inherent authority).

[26] See Sept. ‘14 Report, supra note 1, at app. B-56 to B-57.

[27] See id. at app. B-63 to B-64.

[28] Id. at app. B-65.

[29] See id. at app. B-56 to B-57, B-61 to B-62.

[30] Id. at app. B-58 (emphasis added).

[31] Id. at app. B-56.

[32] See Sept. ‘14 Report, supra note 1, at app. B-59.

[33] Victor Stanley II, 269 F.R.D. 497, 523 (D. Md. 2010); Rimkus Consulting Group, Inc. v. Cammarata, 688 F. Supp. 2d 598, 613 (S.D. Tex. 2010) (observing that reasonableness is the touchstone of the preservation analysis); see also Sept. ‘14 Report, supra note 1, at app. B-59 to B-62.

[34] See Sept. ‘14 Report, supra note 1, at app. B-59 to B-62.

[35] See id. at app. B-61 (“This rule recognizes that ‘reasonable steps’ to preserve suffice; it does not call for perfection.”); Reinsdorf v. Skechers U.S.A., Inc., 296 F.R.D. 604, 615, 631 (C.D. Cal. 2013) (holding that the Rules “do not require perfection” and discussing related authorities).

[36] Rimkus, 688 F. Supp. 2d at 613.

[37] See Sept. ‘14 Report, supra note 1, at app. B-62 (“[i]f the information is restored or replaced, no further measures should be taken.”).

[38] Id. at app. B-56 to B-57.

[39] See id. at app. B-64 to B-65.

[40] See id. app. B-17 (“This intent requirement is akin to bad faith.”).

[41] See id. at app. B-65.

[42] Id.

[43] Sept. ‘14 Report, supra note 1, at app. B-56 to B-57.

[44] See id.

[45] See id. at app. B-67.

[46] Id.

[47] Id., at app. B-55 to B-57.

[48] Id.

[49] See Sept. ‘14 Report, supra note 1, at app. B-63 to B-64 (“The range of such measures is quite broad . . . [; m]uch is entrusted to the court’s discretion.”).

[50] May ‘14 Report, supra note 3, at 312.

[51] Id.

[52] Sept. ‘14 Report, supra note 1, at app. B-64.

[53] Id.

[54] Id.

[55] Id. at app. B-63 to B-64; see also May ‘14 Report, supra note 3, at 312.

[56] See Sept. ‘14 Report, supra note 1, at app. B-64 (“Care must be taken, however, to ensure that curative measures under subdivision (e)(1) do not have the effect of measures that are permitted under subdivision (e)(2) only on a finding of intent to deprive another party of the lost information’s use in the litigation.”).

[57] Id. at app. B-56.

[58] Id. at app. B-56, B-61.

[59] Id. at app. B-61.

[60] See id. (“Because the rule calls only for reasonable steps to preserve, it is inapplicable when the loss of information occurs despite the party’s reasonable steps to preserve.”).

[61] See id.

[62] See Sept. ‘14 Report, supra note 1, at app. B-61.

[63] See id. at app. B-61 to B-62 (“Courts may, however, need to assess the extent to which a party knew of and protected against such risks.”).

[64] See id. at app. B-59 (cautioning generally about the limited perspective that hindsight provides into the nature of a party’s conduct).

[65] See id. at app. B-61 to B-62; see also Philip J. Favro & Derek P. Pullan, New Utah Rule 26: A Blueprint for Proportionality Under the Federal Rules of Civil Procedure, 2012 Mich. St. L. Rev. 933, 952 (2012) (citing authorities holding that preservation efforts “must be viewed through the lens of proportionality” and not just the “kaleidoscope of relevance”).

[66] Orbit One Commc’ns, Inc. v. Numerex Corp., 271 F.R.D. 429, 436, n.10 (S.D.N.Y. 2010).

[67] See Pippins v. KPMG L.L.P., No. 11 Civ. 0377(CM)(JLC), 2011 U.S. Dist. LEXIS 116427 (S.D.N.Y. Oct. 7, 2011), aff’d, 279 F.R.D. 245, 255–56 (S.D.N.Y. 2012) (rejecting the defendant’s proportionality-based argument because it failed to consider reasonable conditions upon its request to retain only excerpts of its preserved ESI).

[68] See Sea Change, supra note 16, at 334–39 (discussing various cases).

[69] Compare Stevenson v. Union Pac. R.R. Co., 354 F.3d 739, 746–48 (8th Cir. 2004) (holding an adverse inference instruction was appropriate given the defendant’s failure to suspend its 90-day audio recording retention policy, which resulted in the destruction of relevant evidence), with Morris v. Union Pac. R.R., 373 F.3d 896, 899–902 (8th Cir. 2004) (holding an adverse inference instruction was not proper despite the defendant’s failure to suspend its 90-day audio recording retention policy, which could have resulted in the destruction of relevant evidence).  See also Victor Stanley II, 269 F.R.D. 497, 523 (D. Md. 2010) (observing “in terms of what a party must do to preserve potentially relevant evidence, case law is not consistent across the circuits, or even within individual districts.”).

[70] See, e.g., Micron Tech., Inc. v. Rambus Inc., 645 F.3d 1311, 1322 (Fed. Cir. 2011) (approving information retention policies that eliminate documents for “good housekeeping” purposes); Brigham Young Univ. v. Pfizer, Inc., 282 F.R.D. 566, 572–73 (D. Utah 2012) (denying plaintiffs’ motion for sanctions since the evidence at issue was destroyed pursuant to defendants’ “good faith business procedures”).

[71] See, e.g., Rimkus Consulting Grp., Inc. v. Cammarata, 688 F. Supp. 2d 598, 613 (S.D. Tex. 2010) (explaining a preservation “analysis depends heavily on the facts and circumstances of each case and cannot be reduced to a generalized checklist of what is acceptable or unacceptable.”); see also Chin v. Port Auth. of N.Y. & N.J., 685 F.3d 135, 162 (2d Cir. 2012) (reasoning that a “case-by-case approach” is the preferred method for determining the appropriate remedial measures for failures to preserve relevant information).

[72] See, e.g., Mathis v. John Morden Buick, Inc., 136 F.3d 1153, 1155 (7th Cir. 1998) (affirming an order of judgment against the plaintiff despite the defendant’s destruction of relevant evidence and expressing “surprise” at the “perplexing failure” of the plaintiff’s counsel to formally move for discovery sanctions).

[73] See Sept. ‘14 Report, supra note 1, at app. B-59 to B-60.

[74] Id. at app. B-56 to B-57.

[75] Id. at app. B-65.

[76] Id. at app. B-17.

[77] See id. at app. B-65.

[78]  Id.

[79] See Micron Tech., Inc. v. Rambus Inc., 645 F.3d 1311, 1327 (Fed. Cir. 2011) (“In determining that a spoliator acted in bad faith, a district court must do more than state the conclusion of spoliation and note that the document destruction was intentional.”).

[80] See Mathis v. John Morden Buick, Inc., 136 F.3d 1153, 1155 (7th Cir. 1998) (explaining the differences between bad faith and intentional conduct in connection with a defendant’s destruction of relevant information).

[81] Id.

[82] See generally Pension Comm. of the Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, 685 F. Supp. 2d 456, 463–65 (S.D.N.Y. 2010) (“willfulness involves intentional or reckless conduct that is so unreasonable that harm is highly likely to occur”).

[83] See Chin v. Port Auth. of N.Y. & N.J., 685 F.3d 135, 162 (2d Cir. 2012); see also Rimkus Consulting Group, Inc. v. Cammarata, 688 F. Supp. 2d 598, 613 (S.D. Tex. 2010).

[84] See generally Victor Stanley II, 269 F.R.D. 497 (D. Md. 2010) (discussing cases and the challenges associated with evidence preservation confronting courts and organizational litigants).

[85] See Ned Smith, Why More Businesses Are Using Cloud Computing, CNBC (July 25, 2012, 1:00 PM), http://www.cnbc.com/id/48319526/Why_More_Businesses_Are_Using_Cloud_Computing, archived at http://perma.cc/JB7Q-D2ES (“More than eight in 10 companies currently use some form of cloud solution, and more than half plan to increase cloud investments by 10 percent or more this year . . . [and] more than half of micro (one to nine employees) and small (10 to 99 employees) businesses use cloud-based business productivity applications.”); see also Nicole Black, Introduction, Global Cloud Survey Report 2012, Legal IT Professionals 4, 7, available at http://www.legalitprofessionals.com/wpcs/cloudsurvey2012.pdf, archived at http://perma.cc/HXK7-ZS2H (“[N]early all respondents acknowledged that cloud computing would ultimately overtake on-premise computing in the legal industry.”); Sept. ‘14 Report, supra note 1, at app. B-15.

[86] See Philip Favro, ‘Mind Over Matters: Q & A with eDiscovery and Litigation Guru Craig Ball, Recommind (Aug. 7, 2014), http://www.recommind.com/blog/q-ediscovery-litigation-guru-craig-ball, archived at http://perma.cc/4D7H-7ZTF (observing that most lawyers generally lack the training and are unprepared to “preserve and produce data stored with cloud providers, maintained on mobile devices, or exchanged on social networking sites”).

[87] See id.

[88] Brown v. Tellermate Holdings Ltd., No. 2:11-cv-1122, 2014 U.S. Dist. LEXIS 90123, *4–6, *27 (S.D. Ohio July 1, 2014).

[89] Id. at *72–74.

[90] Id. at *9–10, *70–71.

[91] Id.

[92] Id. at *56–58.

[93] Id. at *24–26.

[94] Brown, 2014 U.S. Dis. LEXIS 90123 at *21–23.

[95] Id.

[96] Id. at *57–58.

[97] See id. at *72–74.

[98] Sept. ‘14 Report, supra note 1, at app. B-56, B-60 to B-62.

[99] See Brown, 2014 U.S. Dist. LEXIS 90123, at *72–74.

[100] See id. at 66–74.

[101] See Sept. ‘14 Report, supra note 1, at app. B-55 to B-57, B-63 to B-64.

[102] Id. at app. B-55 to -57, B-64 to B-67.

[103] See Brown, 2014 U.S. Dist. LEXIS 90123, at *69–70.

[104] See Mathis v. John Morden Buick, Inc., 136 F.3d 1153, 1155 (7th Cir. 1998).

[105] See Sept. ‘14 Report, supra note 1, at app. B-65.

[106] This line of reasoning appears to be equally applicable to ESI preservation failures on mobile devices.  See Philip Favro, The Impact of Cloud Computing and Mobile Devices on Litigation Holds, Law Journal Newsletters (Jan. 2015), available at http://www.lawjournalnewsletters.com/issues/ljn_legaltech/31_9a/news/the_impact_of_cloud_computing_and_mobile_devices_on_litigation_holds160645-1.html, archived at http://perma.cc/MB8Z-FAQ8 (describing the preservation challenges associated with data stored on mobile devices).