Richmond Journal of Law and Technology

The first exclusively online law review.

Identity Misappropriation on Dating Apps: Did You Right Swipe the Right Person?

By

On September 13, 2016

In Blog Posts

Tinder dating app photo

By: Tatum Williams,

It is easy to confirm a Tinder profile’s authenticity when the person is someone you know. When this happens, and it often does considering the app boasts an estimated 50 million users[1], beneath the initial awkwardness of swiping across a familiar face, there is assurance. The assurance comes from knowing that the person beyond that profile is who they say they are.

With the slogan, “It’s like real life but better,” Tinder’s innovative design allows users to connect with nearby people using location-based software and basic Facebook information, such as mutual interests and friends.[2] Tinder and apps similar to it, such as Hinge, require this social authentication primarily to put users’ minds at ease over the likelihood of encountering a fake profile.[3] But such is not always the case. Of those who utilize dating apps and online dating, roughly 54% felt that some users seriously misrepresented themselves in their user profile.[4] Evidence of that is the modern phenomenon of “catfishing.” Catfishing, which is defined as the intentional deception of another through the use of a fake profile, typically done in hopes of achieving a romantic connection,[5] has exploited the rise of social media and dating apps. It is now even easier for someone to fabricate a dating profile.[6] Needless to say, the prevalence of dating apps has facilitated deceptive behavior given the availability of anonymous communications.[7]

More often than not, misrepresentations of this nature are harmless. While some people may exaggerate or lie about their preferred television shows or movies, others execute more strategic lies, often pertaining to their age, weight, height, personality traits, interests, monetary status, career aspirations, and even past relationships.[8] Most people are familiar with these kinds of misrepresentations and would agree that these lies, though wrong, are not worthy of serious legal ramifications.[9] Or are they?

This begs the question whether the legal considerations and ramifications associated with dating apps have evolved at the same burgeoning rate as the apps themselves. Unfortunately, the answer is no; dating app users have a low likelihood of success in holding a dating app liable for any harm that the user experiences from his or her interactions with other app users.[10] Most dating apps have combated these potential claims by disclaiming all warranties and representations with regards to other users in their terms of use agreements.[11] And the immunity does not stop there: The Communications Decency Act protects apps from liability based on content posted by users, such as the aforementioned catfishing scams or other misrepresentations.[12] Under the Communications Decency Act, “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”[13]

Tinder is relatively new—it was only created in 2012[14]—so not many statistics have been conducted on the number of fake profiles currently in existence. With that said, the rapid pace at which the user base is experiencing growth preserves the potential for misrepresentations and catfishing. Despite the protections dating apps and other forms of online dating services receive, several states have made lying on these platforms a criminal offense.[15] This would seem to suggest that the trend of remaining unpunished for misrepresentation or catfishing is diminishing.[16] But until cyberspace governance evolves to the level that dating apps have, it appears that users’ best defense is to swipe wisely.

[1] See Alexis Kleinman, The Typical Tinder User Spends 77 Minutes Tinding Every Day, Huffington Post (Oct. 31, 2014), http://www.huffingtonpost.com/2014/10/31/77-minutes-tinder_n_6082468.html.

[2] See Jessica L. James, Mobile Dating in the Digital Age: Computer-Mediated Communication and Relationship Building on Tinder (May 2015) (unpublished Master of Arts thesis, Texas State University) (on file with author).

[3] See Lindsay Hildebrant, Media and Self Representative Perceptions: Deception in Online Dating (May 2015) (unpublished undergraduate Honors thesis, Pace University) (on file with Pforzheimer Honors College, Pace University).

[4] See James, supra note 2.

[5] See Krystal D’Costa, Catfishing: The Truth About Deception Online, Scientific American Blog (April 25, 2014), http://blogs.scientificamerican.com/anthropology-in-practice/catfishing-the-truth-about-deception-online/#.

[6] See Keith Wagstaff, Hook, Line and Tinder: Scammers Love Dating Apps, NBC News (April 11, 2014, 5:36 PM), http://www.nbcnews.com/tech/security/hook-line-tinder-scammers-love-dating-apps-n77256.

[7] See Geelan Fahimy, Liable for Your Lies: Misrepresentation Law as a Mechanism for Regulating Behavior on Social Networking Sites, 39 Pepp. L. Rev. 2 (2012).

[8] See id.

[9] See id.

[10] See Greg Mitchell, Digital Dating: Legal Matters to Consider Before Swiping Right, Missouri Lawyers Help Blog (Feb. 12, 2016), http://missourilawyershelp.org/digital-dating-legal-matters-to-consider-before-swiping-right/

[11] See id.

[12] Doe v. MySpace, Inc., 528 F.3d 413, 416 (5th Cir. 2008).

[13] See Fahimy, supra note 7.

[14] See James, supra note 2.

[15] See Fahimy, supra note 7.

[16] See id.

Photo Source:

http://www.hercampus.com/sites/default/files/2015/11/02/tinder.jpg

A New Class of Worker for the Sharing Economy

By

On May 19, 2016

In Article

Digital Direction for the Analog Attorney – Data Protection, E-Discovery, and the Ethics of Technological Competence

By

On May 18, 2016

In Article

BMS Publication Version PDFpdf_icon

Cite as: Stacey Blaustein et al., Digital Direction for the Analog AttorneyData Protection, E-Discovery, and the Ethics of Technological Competence in Today’s World of Tomorrow, 22 Rich. J.L. & Tech. 10 (2016), http://jolt.richmond.edu/v22i4/article10.pdf.

 Stacey Blaustein,* Melinda L. McLellan,** and James A. Sherer***

 

I.  Introduction

 [1]       Over the past twenty years, the near-constant use of sophisticated technological tools has become an essential and indispensable aspect of the practice of law. The time and cost efficiencies generated by these resources are obvious, and have been for years.[1] And because clients expect their counsel to take full advantage,[2] savvy attorneys understand that they must keep up with ever-evolving legal technologies to stay competitive in a crowded marketplace.[3]

[2]       With increased globalization and exponential growth in the creation, collection, use, and retention of electronic data, the challenges to all lawyers—especially those who may not have tech backgrounds or a natural aptitude for the mechanics of these innovations—are multiplying with breathtaking speed.[4] Nevertheless, many attorneys are either blissfully unaware of the power and potential danger associated with the tools they now find themselves using on a daily basis, or they are willfully avoiding a confrontation with reality. For lawyers, technological know-how is no longer a “nice to have” bonus; it now poses an ethical obligation. Where competent client representation demands a minimum level of tech proficiency, however, many lawyers come up short with respect to this fundamental component of their professional responsibilities.[5]

[3]       What types of privacy and data security threats do various technologies pose to attorneys, their firms, their clients, and the legal profession in general? What rules and regulations govern how attorneys may make use of technology in their practice, and how might clients seek to impose restrictions around such use when it comes to their corporate data? Must attorneys gain mastery over the intricate mechanics of the technological resources they employ, or is basic knowledge sufficient? How can we weigh the potential risks and rewards of cutting-edge, emerging digital products and electronic resources about which clients—and indeed, even the lawyers themselves—may understand very little? These are just a few of the questions that arise when we consider the issue of technological competence in the legal profession and corresponding ethical requirements.

[4]       To begin to answer these questions, we look to the applicable Model Rules issued by the American Bar Association (“ABA”), various state-level professional ethics rules that incorporate the Model Rules, associated ethics opinions and guidance issued by the states, state and federal court decisions, and guidelines issued by sector-specific agencies and organizations.[6] Our focus in this investigation concerning lawyerly “technological competence” will be on privacy and data security risks and safeguards, e-Discovery-related challenges, and the potential perils of various uses of social media in the legal sphere.

 II.  The Threat Landscape: Law Firms as Prime Targets

[5]       In recent years, the volume and severity of attacks on electronically-stored data, and the information systems and networks that house that data, have increased exponentially. The modern-day “threat environment” is “highly sophisticated,” and “massive data breaches are occurring with alarming frequency.”[7] For attorneys, such perils implicate multiple ethical and professional responsibilities with respect to how they handle data, including the duty to protect the confidentiality of client information and the obligation to provide “competent” representation.

[6]       Unfortunately, law firms can provide a proverbial back door for hackers seeking access to a company’s data, as attorneys often are custodians of a veritable “treasure trove” of valuable client information “that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities.”[8] Some hackers even focus their efforts primarily on law firms, especially those firms collecting vast amounts of data from corporate clients in the course of E-Discovery or corporate due diligence.[9] Corporate secrets, business strategies, and intellectual property all may be found in a law firm’s collection of its clients’ data.[10] In some cases, the interceptors may be looking for competitive information relevant to merger negotiations, or trying to suss out evidence of as-yet unannounced deals for insider trading purposes.[11]

[7]       A 2015 report estimated that 80% of the biggest 100 law firms have experienced some sort of data security incident.[12] And as is the case with so many companies that suffer a breach, law firms that have been hacked may not know about it for a considerable period of time. Moreover, unlike other industry sectors subject to various reporting requirements, law firms generally do not have a statutory obligation to publicly report cybercrimes that do not involve personally identifiable information.[13] Lack of obligations notwithstanding, a recent report indicated that “[t]he legal industry reported more “cyber threats” threats in January [2016] than nearly any other sector,” topped only by the retail industry and financial services.[14]

[8]       Although these reported “threats” might not necessarily result in data compromises, the fact that the legal industry frequently is among the most targeted for data theft should concern attorneys.[15] Anecdotal evidence of actual and attempted interference with law firms’ data security systems abounds as well. In 2014, a report indicated that communications between lawyers from the law firm of Mayer Brown and officials with the Indonesian government were intercepted by an Australian intelligence agency that had ties with the U.S. National Security Agency (“NSA”).[16] And the managing partner of the Washington-area offices of Hogan Lovells LLP recently noted that her firm “constantly intercept[s] attacks.”[17]

[9]       The message to law firms seems clear: first, if “you’re a major law firm, it’s safe to say that you’ve either already been a victim, currently are a victim, or will be a victim.”[18] Second, “[f]irms have to make sure they are not a weak link…which at its most basic level means their standards for protecting data need to be at least equivalent to those of the companies they represent.”[19]

[10]     It seems inevitable that client expectations and demands with regard to their legal service providers’ security will continue to evolve and expand. One commentator recently predicted that in the future “clients across the board will demand firms demonstrate they’re prepared for all shapes and sizes of cybersecurity breaches,”[20] while another prophesized that “in the name of risk management and data leakage prevention, a large financial industry corporation will challenge their outside counsel’s [Bring Your Own Device] program.”[21] Indeed, according to a 2014 report in the New York Times:

Banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets for their own use of sale to others….Some financial institutions are asking law firms to fill out lengthy 60 page questionnaires detailing the [law firm’s] cybersecurity measures, while others are demanding on-site inspections….Other companies are asking law firms to stop putting files on portable thumb drives, to stop emailing non-secure iPad or working on computers linked to a share network in countries like China and Russia.[22]

[11]     In short, lawyers, law firms, and other legal services providers cannot afford to be complacent when it comes to cybersecurity.

A.  Lawyering in the Cloud

[12]     Firm adoption of cloud services is on the rise, especially among boutiques and solo practitioners that previously lacked the resources to compete effectively with larger law firms when it came to technology and data storage.[23] At first, the added value of cloud services created a perception that “nirvana had arrived” in terms of leveling the playing field for smaller firms.[24] Notwithstanding the apparent advantages of the cloud, attorneys were quick to identify concerns associated with the technology and its supporting practices, including “increased sensitivity to cyber-threats and data security.”[25] Some commentators opted for a cautious and conservative approach, noting that the “legal profession has developed many safeguards to protect client confidences,” and that the use of cloud hosting, among other practices, fell on a continuum where, as “an individual attorney gives up direct control of his or her client’s information, he or she takes calculated risks with the security of that information.”[26]

[13]     There is hope for attorneys drawn to the advantages of cloud services, but vigilance and diligence is required. As noted in tech law guidance from March 2014, “[u]sing the cloud to hold data is fine, so long as you understand the security precautions.”[27] Security concerns have put a damper on adoption rates and the development of attorney-specific cloud services lags behind other industries. This reluctance is unsurprising given the slow rate of technological advancements within the profession generally,[28] and a deserved reputation that the tendency of firms is “to be technology followers, not leaders.”[29] That said, lawyers do seem to be embracing the cloud to some extent,[30] with the majority utilizing cloud solutions in some capacity,[31] even if implementation is mostly through “sporadic action and adoption among firms and law departments.”[32]

[14]     With respect to professional obligations, this type of implementation may not require specific technological expertise on the part of the attorneys. New York State Bar Association Opinion 1020, which addressed ethical implications of the “use of cloud storage for purposes of a transaction,” determined that compliant usage “depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks.”[33]

[15]     Further, New Jersey Opinion 701 addresses the reality that it is

[N]ot necessarily the case that safeguards against unauthorized disclosure are inherently stronger when a law firm uses its own staff to maintain a server. Providing security on the Internet against hacking and other forms of unauthorized use has become a specialized and complex facet of the industry, and it is certainly possible that an independent [Internet Service Provider] may more efficiently and effectively implement such security precautions.[34]

[16]     Opinion 701 does include an additional caveat, that

[W]hen client confidential information is entrusted in unprotected form, even temporarily, to someone outside the firm, it must be under a circumstance in which the outside party is aware of the lawyer’s obligation of confidentiality, and is itself obligated, whether by contract, professional standards, or otherwise, to assist in preserving it.[35]

 B.  E-Discovery Tools

 [17]     To begin with, federal judges are unconvinced that many of the attorneys appearing before them understand how to make proper use of the technologies and related strategies associated with E-Discovery. A recent report, “Federal Judges Survey on E-Discovery Best Practices & Trends,”[36] compiled some of the judges’ concerns, noting first “the typical attorney…does not have the legal and technical expertise to offer effective advice to clients on e-discovery.”[37] Some of the judges’ comments were quite blunt, with one noting that “[s]ome attorneys are highly competent; but most appear to have significant gaps in their understanding of e-discovery principles.”[38]

[18]     Legal ethical rules and related opinions and scholarship provide guidance for what attorney E-Discovery competence should look like. At least one author has made the connection between professional responsibility and technological savoir-faire, noting that:

There is growing recognition across the country that the practice of law requires some degree of competence in technology. In the forum of litigation, competence in technology necessarily equates with competence in e-discovery. It is only a matter of time before ethics bodies across the nation call for competence in e-discovery.[39]

[19]     The opinions of courts and bar associations may carry the most weight, but a number of influential professional and industry groups also have offered useful commentary on technological competence. For example, competence is

…highlighted in the very first rule of legal ethics, according to the American Bar Association[’s] Rule 1.1 of the ABA Model Rules of Professional Conduct,” which “specifically recognized the need for technological competence through a significant change in August 2012 that formally notified all lawyers (and specifically those in jurisdictions following the Model Rules) that competency includes current knowledge of the impact of e-Discovery and technology on litigation.[40]

[20]     This guidance predated and perhaps presaged a number of state and federal reactions to technology and the impact of these developments on the practice of law, especially within the realm of E-Discovery. Delaware amended its Lawyers’ Rules of Professional Conduct as they related to technology in 2013;[41] North Carolina[42] and Pennsylvania[43] did the same shortly thereafter.

[21]     California’s relatively recent Formal Opinion No. 2015-193 (the “California Opinion”) addresses a number of issues associated with attorney ethical duties vis-à-vis E-Discovery. Although advisory in nature, the California Opinion states “attorneys have a duty to maintain the skills necessary to integrate legal rules and procedures with ‘ever-changing technology.’”[44] That reads broadly, but the California Opinion has been interpreted to indicate that, because E-Discovery arises “in almost every litigation matter, attorneys should have at least a baseline understanding of it.”[45] Specifically, the California Opinion begins with the premise that E-Discovery requires an initial assessment of its inclusion at the beginning of a matter.[46] If E-Discovery will be a component of a matter,

[T]he duty of competence requires an attorney to assess his or her own e-discovery skills and resources as part of the attorney’s duty to provide the client with competent representation. If an attorney lacks such skills and/or resources, the attorney must try to acquire sufficient learning and skill, or associate or consult with someone with expertise to assist.[47]

[22]     Other commentators have noted that the California Opinion focuses on “nine (9) core competency issues” which would offer “solid guidelines for attorneys…to maintain competency and protect client confidentiality in the era of eDiscovery.”[48] One author notes that one of these core competency issues and its related directive, that of performing data searches, stretches across the entirety of the E-Discovery process “occurring at each of these steps, from preservation and collection to review and redaction.”[49]

[23]     Soon after the California Opinion was decided, Magistrate Judge Mitchell Dembin issued a Southern District of California decision that addressed “counsels’ ethical obligations and expected competency” in HM Electronics, Inc. v. R.F. Technologies, Inc.[50] The HM Electronics case focused both on specific steps the attorneys should have taken (such as implementing a legal hold and doing the legwork necessary to certify discovery responses as true) as well as behavior actively detrimental to the case (instructing client personnel to destroy relevant documents).[51] Of note in Judge Dembin’s excoriation of the misbehaving attorneys is his statement that “a judge must impose sanctions for a violation of the Rule that was without substantial justification.”[52] One article suggests that part of the problem may be simply that “counsel and clients alike…fail to take seriously judges’ expectations for how they conduct themselves throughout the discovery process.”[53]

[24]     New York attorneys followed the California Opinion with interest, first noting that it merely presented “the standard tasks one should engage in and competently execute to properly collect and produce responsive ESI [Electronically Stored Information] to the opposing party.”[54] A 2009 S.D.N.Y. opinion had chastised attorneys who would otherwise disclaim experience, warning that it was “time that the Bar—even those lawyers who did not come of age in the computer era” understood E-Discovery technologies and their application.[55] A recent article indicated that there is “an ample basis to discern a framework for ethical obligations, derived from ethics rules, court rules, and sanctions decisions in the e-discovery context” based in part on the history of New York courts as “leaders in the advancement of e-discovery law.”[56]

[25]     But such a “framework for ethical obligations” might not even be necessary where competence is the ethical rule at issue. Competence “requires that lawyers have the legal knowledge, skill, thoroughness, and preparation to conduct the representation, or associate with a lawyer who has such skills”[57] and that supervision is appropriate to ensure that the work of others “is completed in a competent manner.”[58] The issue of supervision came up in another advisory opinion, Ethics Opinion 362 of the District of Columbia Bar, which indicated that retaining an e-Discovery vendor that provided all of the E-Discovery services was both impermissible (as the unauthorized practice of law on the part of the vendor) as well as a circumstance where the attorney engaging such a vendor was not absolved from understanding and supervising the work performed, no matter how technical.[59]

 1. Metadata in Electronic Files

[26]     A very basic threat to client confidentiality (as well as the secrecy of counsel’s strategy) is the existence of metadata embedded in electronic files exchanged between the parties or produced as evidence. Most frequently this threat exists in the form of automatically created information about a file, including changes made to the file, that can be recovered and viewed by a third party if not removed (or “scrubbed”) prior to disclosing the file. This “application metadata” can include information about the document itself, the author, comments and prior edits, and may also detail when the document was created, viewed, modified, saved or printed.[60] In addition to the fact that access to metadata can provide opposing parties with everything from revealing insights to damning evidence, there’s also a “real danger” that “application metadata may be inaccurate.”[61]

[27]     Further, disputes related to metadata regularly arise in the E-Discovery context. Indeed, one of the “biggest challenges in electronic discovery” concerns “[u]nderstanding when metadata is relevant and needs to be preserved and produced.”[62] To cite just one example, the concurring opinion in State v. Ratcliff noted that judges must determine whether submitted evidence contained more than the information visible on the face of the document, or whether metadata was included as well, where the distinction “is critical, both on an ethical and adjudicative basis.”[63]

[28]     Accordingly, understanding and managing metadata has become a baseline requirement for technological competence when dealing with client data and attorney work product. Numerous products exist to help save lawyers from themselves when it comes to accidental disclosure of metadata, including software applications that may be integrated into email programs to prevent documents from being sent outside the network without first passing through a scrubbing filter. And the e-filing portal in many jurisdictions “contains a warning reminder that it is the responsibility of the e-filer to strip metadata from the electronic file before submitting it through the portal.”[64] Reliance on these tools, however, may not suffice for long as the sophistication and complexity of issues related to the creation and manipulation of metadata continue to evolve.

III. Overview of U.S. Data Privacy and
Information Security Law

 [29]     The sectoral approach to privacy and data security law in the United States often is described as “a patchwork quilt” comprised of numerous state and federal laws and regulations that apply variously to certain types of data, certain industries, the application of particular technologies, or some combination of those elements. These laws may be enforced by a variety of regulators, with state Attorneys General and the Federal Trade Commission often leading the way.[65] Plaintiffs’ lawyers also are prominent actors in this space, bringing an ever-increasing number of class action and other civil suits alleging violations of privacy rights, data protection laws, and information security standards.

[30]     Although there are no federal or state privacy statutes specifically applicable solely to lawyers, numerous data protection laws and regulations may apply to attorneys in their role as service provider to their clients or in other contexts. The obligations associated with these laws often implicitly or explicitly demand that lawyers handling client data (1) have a thorough understanding of the potential privacy and security risks to that data; (2) assess and determine how best to secure the data and prevent unauthorized access to the data; and (3) supervise anyone acting on their behalf with respect to the data to ensure the data is appropriately protected at all times.

[31]     Below we describe a few of the privacy and data security laws that tend to come up frequently for lawyers and impose requirements on their handling of client data that may involve technological competence. This discussion is by no means exhaustive, as technology touches upon virtually every aspect of data protection regulation and information security counseling by attorneys in the field. To provide just a few examples, advising companies on restrictions applicable to cross-border data transfers, data localization requirements, cybersecurity standards and information sharing obligations, and regulatory action around the use of biometrics and geolocation technologies are just a few examples of areas where a lawyer must have an understanding of the underlying technology to effectively assist clients.

 A.  HIPAA – Business Associate Agreements

[32]     The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), is the most significant health privacy law in the United States, imposing numerous obligations on “covered entities” and “business associates” of those “covered entities” to protect the privacy and security of “protected health information” (“PHI”).[66] As required by HIPAA, the Department of Health and Human Services (“HHS”) issued two key sets of regulations to implement the statute: the Privacy Rule[67] and the Security Rule.[68]

[33]     Although attorneys and law firms are not themselves considered covered entities directly subject to HIPAA’s requirements,[69] when attorneys obtain PHI from covered entity clients in the course of a representation, the law firm may be subject to certain HIPAA Privacy Rule requirements[70] in its role as a business associate.[71] The Privacy Rule and the Security Rule apply to a covered entity’s interactions with third parties (e.g., service providers) that handle PHI on the covered entity’s behalf.[72] The covered entity’s relationships with these “business associates” are governed by obligatory contracts known as business associate agreements (“BAAs”) that must contain specific terms.[73] With respect to technological competence specifically, for example, the BAA requires the business associate to implement appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the BAA, and states that the business associate must ensure that any agents/subcontractors that receive PHI from the business associate also protect the PHI in the same manner. And attorneys who “hold HIPAA data or [other PII] may be governed by state or federal law beyond the scope of the proposed rules, which is noted in the new comments”[74] to ABA Rule 1.6, discussed further below.

B.  GLBA Safeguards Rule Requirements

[34]     Pursuant to the Gramm-Leach-Bliley Act (“GLBA”), the primary federal financial privacy law in the United States, various federal agencies promulgated rules and regulations addressing privacy and data security issues.[75] For example, the Safeguards Rule requires financial institutions to protect security of personally identifiable financial information by maintaining reasonable administrative, technical, and physical safeguards for customer information.[76] To comply with the Safeguards Rule, a financial institution must develop, implement, and maintain a comprehensive information security program, and that program must address the financial institution’s oversight of service providers that have access to customers’ nonpublic personal information (“NPI”).[77]

[35]     Again, although a law firm is not a financial institution directly subject to the GLBA, when it acts as counsel to a financial institution, GLBA requirements may apply to its handling of NPI received from that client. To the extent a financial institution’s law firm will have access to such NPI in the course of the representation, the financial institution-client must take reasonable steps to ensure the law firm has the ability to safeguard such data prior to disclosing it to the firm, and require the firm to contractually agree (in writing) to safeguard the NPI. Assuming such data will be stored electronically (a safe assumption in virtually all cases), it is incumbent on the law firm to understand the potential data security risks and how to prevent unauthorized access, use, transfer, or other processing of their clients’ NPI.

 C.  State Data Security Laws

[36]     At the state level, there are numerous laws and regulations regarding the protection of personal information (and other types of data) that apply to all entities that maintain such data, including lawyers, law firms, and other legal service providers.

[37]     A number of states, such as California, Connecticut, Maryland, Nevada, Oregon, and Texas, have enacted laws that require companies to implement information security measures to protect personal information of residents of the state that the business collects and maintains.[78] These laws of general application are relevant to attorneys and law firms with respect to the personal information they maintain—both client data and data relating to their employees. Typically, these laws are not overly prescriptive and include obligations to implement and maintain reasonable security policies and procedures to safeguard personal information from unauthorized access, use, modification, disclosure, or destruction (though most do not offer a definition or description of what is meant by “reasonable” security). Some laws, such as California’s, impose a requirement to contractually obligate non-affiliated third parties that receive personal information from the business to maintain reasonable security procedures with respect to that data.[79]

[38]     Massachusetts was the first state to enact regulations that directed businesses to develop and implement comprehensive, written information security programs (“WISPs”) to protect the personal information of Massachusetts residents.[80] These regulations apply to all private entities (including law firms) that maintain personal information of Massachusetts residents, including those that do not operate in Massachusetts; they also list a number of minimum standards for the information security program.[81] The Massachusetts regulations are relatively prescriptive as compared to other similar state laws of this nature, and they include numerous specific technical requirements.

[39]     These requirements apply to law firms directly, but they also apply to law firms as service providers to businesses that maintain personal information of Massachusetts residents. A compliant WISP must address the vetting of service providers, and the contract must include provisions obligating the service provider to protect the data.[82]

IV.  Applicable Ethical Rules and Guidance

[40]     The myth of the Luddite[83] or caveman[84] lawyer persists, even if this type of anachronism is, in fact, an ethical violation waiting to happen.[85] But even attorneys who “only touch a computer under duress, and take comfort in paper files and legal research from actual books”[86] must deal with technology.[87] The adequate practice—or perhaps simply “the practice” of law does not exist without technology, and there is no longer a place for lawyers who simply “hope to get to retirement before they need to fully incorporate technology into their lives.”[88]

[41]     “Really?” goes the refrain. “Why can’t I just practice the way I always have, without [insert mangled, vaguely-recognizable technology portmanteau] getting in the way?”

[42]     Well, for one thing, to the extent attorneys rely on the protections of privilege to serve their clients, said attorneys must understand how the confidentiality of their communications and work product may be compromised by the technology they use. Technologies introduce complexity that, in turn, may affect privilege—especially when “many lawyers don’t understand electronic information or have failed to take necessary precautions to protect it.”[89] But how much understanding, exactly, may be required to competently represent clients in matters concerning E-Discovery, or data security, or even privacy? At many organizations, “[p]rivacy issues get handled by anyone who wants to do them” because the subject matter area is understaffed or ignored.[90] The key technological issues relevant to E-Discovery versus data privacy may be somewhat different, but the “solutions” companies find are eerily similar: the practitioners that are actually doing the work are often those who have been delegated the work, whose “expertise” is somewhat home-grown and may, in fact, not really represent true technological competence at all.[91]

[43]     What, then, are the requirements for expertise? Perhaps a pragmatic approach is best. Certainly, practitioners who use technology—again, likely all of them—must take some well-defined, initial steps toward acquiring the appropriate skill set. This might be as straightforward as the lawyer familiarizing herself with the relevant technologies at issue. Although it may sound a bit too easy, “just being well-versed enough to understand the issues is a big plus.”[92] That being said, “those considering a career in cybersecurity or privacy will need to spend time developing some level of technical expertise.”[93] In short, the answer is “it depends” and “no one really knows – yet.” In this relatively new space, actual decisions and definitive standards for “technological competence” are thin on the ground. Below we will examine some of the relevant rules and guidelines to consider.

 A.  Recent Guidelines in the Ethics Rules

[44]     Most attorneys do not have specialized training focused on a particular technological field. Certainly the vast majority do not hold themselves out as experts in cybersecurity, cloud-based storage, social media, biometrics, or any of a variety of related disciplines. However, even in the absence of expertise, there are some basic ethical rules that provide a framework for determining a practitioner’s professional duties and obligations with regard to technology—specifically, rules pertaining to competent client representation, adequate supervision, confidentiality, and communications.[94]

1.  Competent Client Representation (Model Rule 1.1)

[45]     As discussed briefly above, almost four years ago, the America Bar Association formally approved a change to the Model Rules of Professional Conduct to establish a clear understanding that lawyers have a duty to be competent not only in the law and its practice, but also with respect to technology. Detailed below, the passage of this rule contemplated changes in technology and eschewed specifics. Rather than a paint-by-numbers approach, ABA Model Rule 1.1 puts the responsibility on attorneys to understand their own—and their clients’—needs, and how new technologies impact their particular practice.

[46]     ABA Model Rule 1.1 states that:

A lawyer shall provide competent representation to a client. Competent representation requires legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.[95]

[47]     ABA Model Rule 1.1 was amended in 2012 by Codified Comment 8 as follows:

To maintain the requisite knowledge and skills, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.[96]

[48]     Some note that Rule 1.1 “does not actually impose any new obligations on lawyers;”[97] neither does it require perfection.[98] Instead it “simply reiterates the obvious, particularly for seasoned eDiscovery lawyers, that in order for lawyers to adequately practice, they need to understand the means by which they zealously advocate for their clients.”[99] One article noted, in fact, that Comment 8 was evidence of “the ABA’s desire to nudge lawyers into the 21st century when it comes to technology.”[100] It did, however, caution that it was “a very gentle nudge.”[101]

 [49]     Nudge or not, that message has resonated across the United States. In the four years since that amendment was approved and adopted by the ABA, twenty-one states since have adopted the ethical duty of technological competence for lawyers.[102] As for many of the states that have not formally adopted the change to their Model Rules of Professional Conduct, those may still explicitly or implicitly acknowledge this emerging duty to be competent in technology, having a basic understanding of technologies their clients use, and a duty to keep abreast of such changes including a required awareness of regulatory requirements and privacy laws.[103]

2.  Supervision (Model Rules 5.1 and 5.3)

[50]     ABA Model Rule 5.1 also bears on a lawyer’s duties regarding technology insofar as duties aided or supported by technology are performed by someone other than the attorney. This responsibility extends to immediate as well as remote support staff, with ABA Model Rule 5.1 requiring that “[l]awyers must also supervise the work of others to ensure it is completed in a competent manner.”[104] This attempt at establishing “the principle of supervisory responsibility without introducing a vicarious liability concept”[105] has led to considerations regarding inexperience generally,[106] but the implications for technological applications should be clear—an associate or other paralegal professional is much more likely to use technology to support legal work[107] than she is to make a representation before a court or like body.

[51]     ABA Model Rule 5.3 also sets forth responsibilities of partners and supervising attorneys to non-lawyer assistants. This set of ethical considerations further reinforces the responsibilities attorneys have to apply sufficient care in their practice when outsourcing supporting legal work to inexperienced non-professionals, and to ensure that confidentiality is maintained with outsourcing staff.[108] This is not just a matter of supervising specific tasks. It also contemplates knowing which tasks are appropriate for delegation, both within the firm and to third-party vendors. For example, if a delegate of the attorney uses technology to begin an engagement, it’s possible that such an arrangement could be viewed as “establish[ing] the attorney-client relationship,” which may be prohibited under ABA Model Rule 5.5.[109]

3.  Duty of Confidentiality (Model Rule 1.6)

[52]     ABA Model Rule 1.6 states that it is critical that lawyers do not reveal confidential or privileged client information.[110] When information was kept in an attorney’s head, or perhaps committed to a sheet of paper, historical precedent on how to comply with this duty may have been helpful. In the “world of tomorrow,”[111] looking to the past for answers makes little sense, especially in those instances where the attorney is unclear as to how information is stored, accessed, maintained, or utilized.

[53]     Model Rule 1.6 also considers a duty of confidentiality that resides at the core of every attorney’s role and serves as one of the attorney’s most important ethical responsibilities. Model Rule 1.6 generally defines the duty of confidentiality as follows: “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted [elsewhere].”[112]

[54]     This rule is broad. It encompasses any client information, confidential or privileged, shared or accessible to the attorney and is not limited to just confidential communications. Further, it may only be relinquished under the most onerous of circumstances.[113] A lawyer shall not, therefore, reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is permitted elsewhere in the rules.

[55]     In 2000, the Advisory Committee looked into its crystal ball and considered ESI on various platforms, in different repositories, in various forms. It then added Comment 18 to Rule 1.6, requiring reasonable precautions to safeguard and preserve confidential information. Comment 18 states that, “[A] lawyer [must] act competently to safeguard information relating to the representation of a client against … inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.”[114] Indeed, “[p]artners and supervising attorneys are required to take reasonable actions to ensure that those under their supervision comply with these requirements.”[115]

[56]     In addition to the ABA’s commentary, state and local professional organizations have issued guidance as well. In establishing a specific roadmap for lawyers to attain the skills necessary to meet their ethical obligations with respect to relevant technology in the practice of law, and returning to the California Bar’s Formal Opinion 2015-193, there is a sort of checklist that may assist lawyers in meeting their ethical obligations to develop and maintain core E-Discovery competence in the following areas:[116]

  • Initially assessing E-Discovery needs and issues, if any;
  • Implementing or causing (the client) to implement appropriate ESI preservation procedures, (“such as circulating litigation holds or suspending auto-delete programs”);[117]
  • Analyzing and understanding the client’s ESI systems and storage;
  • Advising the client on available options for collection and preservation of ESI;
  • Identifying custodians of potentially relevant ESI;
  • Engaging in competent and meaningful meet and confers with opposing counsel concerning an E-Discovery plan;
  • Performing data searches;
  • Collecting responsive ESI in a manner that preserves the integrity of the ESI; and
  • Producing responsive, non-privileged ESI in a recognized and appropriate manner.

[57]     But this technological competence inherent in the Duty of Competence represents only one third of the ethical duties that govern an attorney’s interaction with technology. This ESI and litigation skills checklist does not address “the scope of an attorney’s duty of competence relating to obtaining an opposing party’s ESI;”[118] nor does it consider the skills required of non-litigation attorneys, which must be inferred from the rule.

[58]     In addition, the State Bar of California’s Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2010-179 states that “[a]n attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representations does not subject confidential client information to an undue risk of unauthorized disclosure.”[119]

[59]     In reference to the duty of confidentiality, the New York County Lawyer’s Association’s Committee on Professional Ethics examined shared computer services amongst practitioners in Opinion 733, noting that an “attorney must diligently preserve the client’s confidences, whether reduced to digital format, paper, or otherwise. The same considerations would also apply to electronic mail and websites to the extent they would be used as vehicles for communications with the attorney’s clients.”[120] The New York State Bar’s Committee on Professional Ethics Opinion 842 further stated that, when “a lawyer is on notice that the [client’s] information…is of ‘an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer’s control,…the lawyer must select a more secure means of communication than unencrypted Internet e-mail.’”[121] 

4.  Communications (Model Rule 1.4)

[60]     ABA Model Rule 1.4 on Communications also applies to the attorney’s use of technology and requires appropriate communications with clients “about the means by which the client’s objectives are to be accomplished,” including the use of technology.[122]

[61]     In construing all of these Model Rules and comments, it is clear that attorneys who are not tech-must (1) understand their limitations; (2) obtain appropriate assistance; (3) be aware of the areas in which technology knowledge is essential; and (4) evolve to competently handle those challenges; or (5) retain the requisite expert assistance. This list applies equally to data security issues, such as being aware of the risks associated with cloud storage, cybersecurity threats, and other sources of potential harm to client data, and can easily be extended to include awareness and understanding with respect to domestic and foreign data privacy issues.

[62]     The ethical obligations to safeguard information require reasonable security, not absolute security. Accordingly, under such rules and related guidance from the Proposal from the ABA Commission on Ethics 20/20,[123] the factors to be considered in determining the reasonableness of the lawyers’ efforts with respect to security include:

(1) The sensitivity of the information;

(2) The likelihood of disclosure if additional safeguards are not employed;

(3) The cost of employing additional safeguards;

(4) The difficulty of implementing the safeguards; and

(5) The extent to which the safeguards adversely affect the lawyer’s ability to represent the client.[124]

As New Jersey Ethics Opinion 701 states, “[r]easonable care however does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible.”[125]

B.  Ethics and Social Media

[63]     When considering their ethical duties with respect to technology, lawyers today must confront a host of challenges that would have been almost unimaginable even ten years ago. The rise and proliferation of social media as a daily part of most people’s personal and professional lives has created one such challenge.[126] Numerous courts have addressed—and continue to address—attorney duties with respect to social media in the context of spoliation motions when social media evidence has been lost, destroyed, or obfuscated due to negligence, or in accordance with attorney advice.[127] In addition, given the novelty and complexity of the issues, and in the interest of consistency, state bar associations have begun to address issues associated with attorney use of, counseling on, and preservation of social media.

[64]     The Association of the Bar of the City of New York’s Committee on Professional and Judicial Ethics, in Formal Opinion 2010-2, provided some helpful guidelines on attorney access to social media, stating that “[a] lawyer may not use deception to access information from a social networking webpage,” either directly or through an agent.[128] While focused on behaviors that attorneys and their agents should not undertake when developing a case, the opinion does note that the “potential availability of helpful evidence on these internet-based sources makes them an attractive new weapon in a lawyer’s arsenal of formal and informal discovery devices,” and also offers up “the Court of Appeals’ oft-cited policy in favor of informal discovery.”[129] Simply put, the duty is twofold: an attorney must both be aware of social media and know how to use social media to provide effective representation.

 2.  State Bar Association Guidance

[65]     State bar associations are becoming increasingly involved in providing guidance on social media and its implications for the practice of law. For example, in 2014, the New York and Pennsylvania State Bar Associations and the Florida Professional Ethics Committee issued guidance on social media usage by attorneys and addressed the obligations of attorneys to understand how various platforms work, what information will be available to whom, the ethical implications of advising clients to alter or change social media accounts, and the value of ensuring adequate preservation of social media evidence.

i.  New York

[66]     The Social Media Ethics Guidelines of the Commercial and Federal Litigation Section of the New York State Bar Association provide specific guidance for the use of social media by attorneys.[130] Guideline 4, relating to the review and use of evidence from social media, is divided into four subparts, all of which provide specific and pertinent guidance to attorneys:

  • Guideline No. 4.A: Viewing a Public Portion of a Social Media Website, provides that “[a] lawyer may view the public portion of a person’s social media profile or public posts even if such person is represented by another lawyer. However, the lawyer must be aware that certain social media networks may send an automatic message to the person whose account is being viewed which identifies the person viewing the account as well as other information about such person.”[131]
  • Guideline No. 4.B: Contacting an Unrepresented Party to View a Restricted Portion of a Social Media Website, provides that “[a] lawyer may request permission to view the restricted portion of an unrepresented person’s social media website or profile. However, the lawyer must use her full name and an accurate profile, and she may not create a different or false profile to mask her identity. If the person asks for additional information from the lawyer in response to the request that seeks permission to view her social media profile, the lawyer must accurately provide the information requested by the person or withdraw her request.”[132]
  • Guideline No. C: Viewing A Represented Party’s Restricted Social Media Website, provides that “[a] lawyer shall not contact a represented person to seek to review the restricted portion of the person’s social media profile unless an express authorization has been furnished by such person.”[133]
  • Guideline No. 4.D: Lawyer’s Use of Agents to Contact a Represented Party, “as it relates to viewing a person’s social media account,” provides that “[a] lawyer shall not order or direct an agent to engage in specific conduct, or with knowledge of the specific conduct by such person, ratify it, where such conduct if engaged in by the lawyer would violate any ethics rules.”[134]

ii.  Florida

[67]     In Advisory Opinion 14-1, the Florida Bar Association’s Professional Ethics Committee confirmed that an attorney could advise a client to increase privacy settings (as so to conceal from public eye) and remove information relevant to the foreseeable proceedings from social media as long as an appropriate record was maintained—the data preserved—and no rules or substantive laws regarding preservation and/or spoliation of evidence were broken.[135]

iii. Pennsylvania

[68]     In 2014, the Pennsylvania Bar Association issued a Formal Opinion that included detailed guidance regarding an attorney’s ethical obligations with respect to the use of social media. Among other guidelines, the Opinion specifically stated that:

  • Attorneys may advise clients about the content of their Social networking websites, including the removal or addition of information;
  • Attorneys may connect with clients and former clients;
  • Attorneys may not contact a represented person through social networking websites;
  • Although attorneys may contact an unrepresented person through social networking websites, they may not use a pretextual basis for viewing otherwise private information on social networking websites; and
  • Attorneys may use information on social networking websites in a dispute.[136]

3.  ABA Model Rule 3.4

[69]     Finally, although ABA Model Rule 3.4 on Fairness to Opposing Party and Counsel does not directly address social media, the principles behind the rule apply in the social media context. The Rule provides that an attorney shall not “unlawfully obstruct another party’s access to evidence or unlawfully alter, destroy or conceal a document or other material having potential evidentiary value” nor shall the attorney “counsel or assist another person” to undertake such actions.[137]

C.  Guidance on Duties Related to Cybersecurity

[70]     As we discussed above in Section II, attorneys face a complex threat landscape when it comes to security concerns related to the protection of their clients’ data.[138] Although the scope of an attorney’s ethical obligations in this regard remains somewhat unclear, there are several sources of guidance relevant to how lawyers are expected to manage cybersecurity risks.

[71]     One such source that squarely addresses the issue is the Resolution issued by the ABA’s Cybersecurity Legal Task Force. The Resolution contains a detailed Report explaining the ABA’s position regarding the growing problem of intrusions into computer networks utilized by lawyers and law firms, and urges lawyers and law firms to review and comply with the provisions relating to the safeguarding of confidential client information.[139] As the ABA noted in its Report, defending the confidentiality of the lawyer-client relationship and preservation of privilege in communications and attorney work product are fundamental to public confidence in the legal system.[140] Attorneys are directed to (1) keep clients reasonably informed as set forth in the Model Rules of Professional Conduct, as amended in August 2012 and adopted in the jurisdictions applicable to their practice; and (2) comply with other applicable state, federal, and court rules pertaining to data privacy and cybersecurity.[141] The ABA further urges the respect and preservation of the attorney client relationship during the pendency of any actions in which a government entity aims to deter, prevent, or punish unauthorized, illegal intrusions into computer systems and networks used by lawyers and law firms.

[72]     The comment to ABA Model Rule 5.7 states, perhaps somewhat axiomatically, that when “[a] lawyer performs law-related services or controls an organization that does so, there exists the potential for ethical problems.”[142] This, combined with Model Rule 1.6’s requirement for attorneys to safeguard and protect client information, suggests further potential duties associated with cybersecurity.[143] As one author notes

Fulfillment of a law firm’s duty to maintain client confidences in today’s world of cyberattacks requires much more than legal knowledge and legal skills. It requires sophisticated computer knowledge and skills far beyond legal practice. That is why cybersecurity experts should be used to assist in any law firm’s client’s data protection efforts.[144]

Indeed, “[t]raining in security, including cybersecurity should be a part of every lawyer’s education. It is especially important for lawyers who do electronic discovery”.[145]

[73]     On a related subject, in Formal Opinion 2015-3, the New York City Bar Association issued guidance indicating that lawyers do not violate their ethical duties by reporting suspected cybercrime to law enforcement.[146] If an attorney has performed “reasonable diligence” to determine whether a prospective client is actually attempting fraud, the opinion says, then the attorney is free to report.[147] The Opinion continued, highlighting the lack of duty associated with individuals who are not actually clients, stating that an

attorney who discovers that is he the target of an Internet-based trust account scam does not have a duty of confidentiality to the individual attempting to defraud him, and is free to report the individual to law enforcement authorities, because that person does not qualify as a prospective or actual client of the attorney.[148]

V.  Conclusion

[74]     It goes without saying that we live (and work) in interesting times. Cloud technology offers convenience, flexibility, cost savings—and a host of potential security issues that existing “hard-copy world” rules aren’t fit to address. The details of top-secret corporate transactions are now hashed out on collaborative virtual platforms that may be vulnerable to damage, destruction, or unauthorized access. And the increasing ubiquity of social media makes it ever more likely that lawyers and clients alike may post information without appreciating the potential legal ramifications. New technologies have the capacity to enrich our personal lives and enhance our professional lives, but they also create complex and novel challenges for lawyers already subject to a web of ethical duties concerning competence and confidentiality.

[75]     Given the speed with which this dynamic area is changing, the issues raised in this piece may well feel dated within months of publication as the next new product or service revolutionizes another fundamental aspect of human interaction and connectivity. Nevertheless, in this article we have outlined some of the many challenges facing attorneys operating in a threat-laden high-tech landscape, taken a look at the ways in which existing and emerging ethical rules and guidelines may apply to the practice of law in the digital age, and opened a door to further conversation about all of these issues as they continue to evolve.

 

 

* Stacey Blaustein is a Senior Attorney – Corporate Litigation with the IBM Corporation.

** Melinda L. McLellan is Counsel in the New York office of Baker & Hostetler LLP.

*** James Sherer is Counsel in the New York office of Baker & Hostetler LLP.

 

[1] See Roger V. Skalbeck, Computing Efficiencies, Computing Proficiencies and Advanced Legal Technologies, Virginia State Bar – Research Recourses (Oct. 2001), http://www.vsb.org/docs/valawyermagazine/oct01skalbeck.pdf, archived at https://perma.cc/8YWX-YAHF.

[2] See Ed Finkel, Technology No Longer a ‘Nice to Learn’ for Attorneys, Legal Management, Association of Legal Administrators (Oct. 2014), http://encoretech.com/wp-content/uploads/2014/10/Technology-No-Longer-a-Nice-to-Learn-for-Attorneys_ALA-Legal-Management_Oct2014.pdf, archived at https://perma.cc/HUT3-672F.

[3] See, e.g., Evan Weinberger, Fintech Boom Prompts Lawyers to Add Tech Know-How, Law360 (Sep. 4, 2015, 6:05 PM), http://www.law360.com/articles/692081/fintech-boom-prompts-lawyers-to-add-tech-know-how, archived at https://perma.cc/WVE8-UPGP; see also Allison O. Van Laningham, Navigating in the Brave New World of E-Discovery: Ethics, Sanctions and Spoliation, FDCC Q. 327(Summer 2007), http://www.thefederation.org/documents/V57N4-VanLaningham.pdf, archived at https://perma.cc/9L48-MPLU.

[4] See Frank Strong, Beautiful Minds: 41 Legal Industry Predictions for 2016, LexisNexis LawBlog (Dec. 17, 2015), http://businessoflawblog.com/2015/12/legal-industry-predictions-2016/, archived at http://perma.cc/BG5W-R4DB.

[5] To further complicate matters, for attorneys and law firms practicing in the financial technology area such as payment, online lending, bitcoin and other virtual currencies, these lawyers need to be competent in “fintech”, financial technology, another outgrowth of the expertise in technology requirement. See Evan Weinberger, Fintech Boom Prompts Lawyers to Add Tech Know-How, Law360 (Sep. 4, 2015, 6:05 PM), http://www.law360.com/articles/692081/fintech-boom-prompts-lawyers-to-add-tech-know-how, archived at https://perma.cc/L76C-FZRL.

[6] See infra Part III (explaining that agencies such as the FDA have issued guidance in their arena- Postmarket Management of Cybersecurity in Medical Devices).

[7] Report to the House of Delegates, ABA Cybersecurity Legal Task Force Section of Sci. & Tech. Law 1, http://www.americanbar.org/content/dam/aba/administrative/house_of_delegates/resolutions/2014_hod_annual_meeting_109.authcheckdam.pdf, archived at https://perma.cc/KQT3-AFAJ.

[8] Ellen Rosen, Most Big Firms Have Had Some Hacking: Business of Law, Bloomberg (Mar. 11, 2015, 12:01 AM), http://www.bloomberg.com/news/articles/2015-03-11/most-big-firms-have-had-some-form-of-hacking-business-of-law, archived at https://perma.cc/YDR6-ZUV8.

[9] See Melissa Maleske, A Soft Target for Hacks, Law Firms Must Step Up Data Security, Law360 (Sep. 23, 2015, 10:09 PM), http://www.law360.com/articles/706312/a-soft-target-for-hacks-law-firms-must-step-up-data-security, archived at https://perma.cc/6V7K-2WB4.

[10] See id.

[11] See Susan Hansen, Cyber Attacks Upend Attorney-Client Privilege, Bloomberg Businessweek (Mar. 19, 2015, 2:56 PM), http://www.bloomberg.com/news/articles/2015-03-19/cyber-attacks-force-law-firms-to-improve-data-security, archived at https://perma.cc/29A5-MUNG.

[12] See Rosen, supra note 8.

[13] Id.

[14] Mark Wolski, Report: Legal Industry Was Heavily Targeted with Cyber Threats in January, Bloomberg BNA (Mar. 9, 2016), https://bol.bna.com/report-legal-industry-was-heavily-targeted-with-cyber-threats-in-january, archived at https://perma.cc/ZCR9-2WRX.

[15] See id.

[16] James Risen & Laura Poitras, Spying by N.S.A. Ally Entangled U.S. Law Firm, N.Y. Times, Feb. 15, 2014, http://www.nytimes.com/2014/02/16/us/eavesdropping-ensnared-american-law-firm.html, archived at https://perma.cc/F8M4-TEQ7.

[17] See Rosen, supra note 8.

[18] See Hansen, supra note 11.

[19] Blake Edwards, Verizon GC: Law Firms Prime Targets for Hackers, Bloomberg BNA (Feb. 4, 2016), https://bol.bna.com/verizon-gc-law-firms-are-prime-targets-for-hackers/, archived at https://perma.cc/F6WU-N6FW.

[20] Strong, supra note 4.

[21] Id.

[22] Matthew Goldstein, Law Firms Are Pressed on Security for Data, N.Y. Times (Mar. 26, 2014), http://dealbook.nytimes.com/2014/03/26/law-firms-scrutinized-as-hacking-increases/, archived at https://perma.cc/Q77A-8BN3.

[23] See N.Y. City Bar Comm. on Small Law Firms, The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations 2 (Nov. 2013), http://www2.nycbar.org/pdf/report/uploads/20072378-TheCloudandtheSmallLawFirm.pdf, archived at https://perma.cc/A8EG-AH7E.

[24] Id.

[25] Strong, supra note 4.

[26] Patrick Mohan & Steve Krause, Up in the Cloud: Ethical Issues that Arise in the Age of Cloud Computing, 8 ABI Ethics Comm. News L. 1 (Feb. 2011), http://www.davispolk.com/sites/default/files/files/Publication/a2e048ea-3b12-45fe-a639-9fc2881a4db8/Preview/PublicationAttachment/0f8af440-1db0-4936-8d0d-a1937a0e6c8f/skrause.ethics.clouds.feb11.pdf, archived at https://perma.cc/SW3C-FYT5.

[27] Sharon D. Nelson & John W. Simek, Why Do Lawyers Resist Ethical Rules Requiring Competence with Technology?, Slaw (Mar. 27, 2015), http://www.slaw.ca/2015/03/27/why-do-lawyers-resist-ethical-rules-requiring-competence-with-technology/, archived at https://perma.cc/6HNN-UCDZ.

[28] Ed Finkel, Technology No Longer a ‘Nice to Learn’ for Attorneys, Legal Management, Association of Legal Administrators (Oct. 2014) http://encoretech.com/wp-content/uploads/2014/10/Technology-No-Longer-a-Nice-to-Learn-for-Attorneys_ALA-Legal-Management_Oct2014.pdf, archived at https://perma.cc/TW7N-4WP5.

[29] Leslie Pappas, The Security Concerns Holding Up One Firm’s Cloud Usage, Bloomberg BNA (Jan. 22, 2016), https://bol.bna.com/the-security-concerns-holding-up-one-firms-cloud-usage/, archived at https://perma.cc/Z4LJ-H83Q.

[30] See Casey C. Sullivan, Is It Time for a Law Firm Cloud Computing Security Standard?, FindLaw (Feb. 18, 2016), http://blogs.findlaw.com/technologist/2016/02/is-it-time-for-a-law-firm-cloud-computing-security-standard.html, archived at https://perma.cc/78HF-KKX4.

[31] See Jonathan R. Tung, Survey: Law Departments Are Warming Up to the Cloud, FindLaw (Feb. 18, 2016), http://blogs.findlaw.com/in_house/2016/02/survey-law-depts-are-warming-up-to-the-cloud.html, available at https://perma.cc/M89M-LC3M.

[32] Strong, supra note 4.

[33] N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Op. 1020 (Sept. 12, 2014), http://www.nysba.org/CustomTemplates/Content.aspx?id=52001, archived at https://perma.cc/8MPU-62BR.

[34] N.J. Advisory Comm. on Prof’l Ethics, Op. 701 (2006), https://www.judiciary.state.nj.us/notices/ethics/ACPE_Opinion701_ElectronicStorage_12022005.pdf, archived at https://perma.cc/2H5Y-UYWX.

[35] Id.

[37] Aebra Coe, Judges Lack Faith in Attys’ E-Discovery Skills, Survey Says, Law360 (Jan. 28, 2016), http://www.law360.com/articles/751961/judges-lack-faith-in-attys-e-discovery-skills-survey-says, archived at https://perma.cc/5UJB-D2YX.

[38] Id.

[39] Bob Ambrogi, California Considers Ethical Duty to Be Competent in E-Discovery, Catalyst Blog (Feb. 27, 2015), http://www.catalystsecure.com/blog/2015/02/california-considers-ethical-duty-to-be-competent-in-e-discovery/, archived at https://perma.cc/2FXD-8KM4.

[40] Karin S. Jenson, Coleman W. Watson & James A. Sherer, Ethics, Technology, and Attorney Competence, The Advanced eDiscovery Inst. (Nov. 2014), http://www.law.georgetown.edu/cle/materials/eDiscovery/2014/frimorndocs/EthicsIneDiscoveryBakerHostetler.pdf, archived at https://perma.cc/TFR6-VZNG.

[41] See Order Amending Rules 1.0, 1.1, 1.4, 1.6, 1.17, 1.18, 4.4, 5.3, 5.5, 7.1, 7.2, and 7.3 of the Delaware Lawyers’ Rules of Professional Conduct, Del. R. Prof’l Conduct (2013), http://courts.delaware.gov/rules/pdf/dlrpc2013rulechange.pdf.

[42] See N.C. State. Bar Rules of Prof’l Responsibility & Conduct R. 1.1 (2014), http://www.ncbar.com/rules/rules.asp?page=4, archived at https://perma.cc/7R44-4JAG.

[43] See Notice of Proposed Rulemaking, 43 Pa. Bull. 1997 (Apr. 13, 2013), http://www.pa bulletin.com/secure/data/vol43/43-15/652.html, archived at https://perma.cc/WS5G-MHKQ.

[44] Bob Ambrogi, California Finalizes Ethics Opinion Requiring Competence in E-Discovery, Catalyst Blog (Aug. 6, 2015), https://www.catalystsecure.com/blog/2015/08/california-finalizes-ethics-opinion-requiring-competence-in-e-discovery/, archived at https://perma.cc/V7NV-QCWW.

[45] Id.

[46] See id.

[47] State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. 2015-193 (2015), https://ethics.calbar.ca.gov/Portals/9/documents/Opinions/CAL%202015-193%20%5B11-0004%5D%20(06-30-15)%20-%20FINAL.pdf, archived at https://perma.cc/8GWJ-BVJ2.

[48] Adam Kuhn, The California eDiscovery Ethics Opinion: 9 Steps to Competency, Recommind Blog (Aug. 11, 2015), http://www.recommind.com/blog/california-ediscovery-ethics-opinion-9-steps-to-competency, archived at https://perma.cc/2X2K-FCRQ.

[49] Id.

[50] H. Christopher Boehning & Daniel J. Toal, E-Discovery Competence of Counsel Criticized in Sanctions Decision, New York Law Journal (Oct. 6, 2015), http://www.newyorklawjournal.com/id=1202738840840/EDiscovery-Competence-of-Counsel-Criticized-in-Sanctions-Decision#ixzz42wNK34Ms, archived at https://perma.cc/4BMP-T76U.

[51] See generally HM Elecs., Inc. v. R.F. Techs., Inc., 2015 U.S. Dist. LEXIS 104100 (S.D. Cal. Aug. 7, 2015) (arguing the invalidity of the steps that the defendants took in order to certify discovery as true).

[52] Boehning & Toal, supra n. 50.

[53] Id.

[54] Samantha V. Ettari & Noah Hertz-Bunzl, Ethical E-Discovery: Core Competencies for New York Lawyers, New York Law Journal (Nov. 2, 2015), http://www.kramerlevin.com/files/Publication/60607051-f018-43b7-8a3c-7d43b4ff6e50/Presentation/PublicationAttachment/1e570a52-e27d-425f-a75b-9e25811df796/NYLJ%20Article-EDiscovery%2011.2.15.pdf, archived at https://perma.cc/F3R8-UWM6.

[55] William A. Gross Constr. Assocs., Inc. v. Am. Mfrs. Mut. Ins. Co., 256 F.R.D. 134, 136 (S.D.N.Y. 2009).

[56] See Ettari & Hertz-Bunzl, supra n. 54.

[57] See Ettari & Hertz-Bunzl, supra n. 54 (citing New York Rules of Professional Conduct (N.Y. Rule) 1.1.5).

[58] See Ettari & Hertz-Bunzl, supra n. 54 (citing N.Y. Rule 5.1(c)).

[59] See generally D.C. Comm. on Legal Ethics, Formal Op. 362 (2012), https://www.dcbar.org/bar-resources/legal-ethics/opinions/opinion362.cfm, archived at https://perma.cc/TXA5-26ZG (discussing the permissibility of non-lawyer ownership of discovery service vendors).

[60] See generally The Sedona Conference Working Group, Best Practices Recommendations & Principles for Addressing Electronic Document Production, The Sedona Principles: Second Edition, June 2007, at 60, 61 https://thesedonaconference.org/publication/The%20Sedona%20Principles, archived at https://perma.cc/UU5K-V8KQ (explaining the composition and functionality of metadata).

[61] Id. at 4.

[62] Id.

[63] State v. Ratcliff, 849 N.W.2d 183, 196 (N.D. 2014).

[64] See Christian Dodd, Metadata 101 for Lawyers: A 2-Minute Primer, Law360 (Oct. 15, 2015, 4:30 PM), http://www.law360.com/articles/712714/metadata-101-for-lawyers-a-2-minute-primer, archived at https://perma.cc/3VCT-TJRB.

[65] See Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583, 587 (2014).

[66]See Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §§1320d to 1320d-8 (2007) [hereinafter HIPAA].

[67] See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at 45 C.F.R. pts. 160, 164).

[68] See Security Standards, 68 Fed. Reg. 8333, 8334 (Feb. 20, 2003) (codified at 45 C.F.R. pts. 160, 162, 164).

[69] The health plan within an organization, such as a law firm’s employee health plan, may itself be a “covered entity” for HIPAA compliance purposes, but a firm generally is not, itself, a covered entity. See, e.g., HIPAA, supra note 66.

[70] See John V. Arnold, PRIVACY: What Lawyers Must Do to Comply with HIPAA, 50 Tenn. B.J. 16, 17 (Mar. 2014).

[71] See Lisa J. Acevedo et. al., New HIPAA Liability for Lawyers, 30 GPSolo, no. 4, 2013, http://www.americanbar.org/publications/gp_solo/2013/july_august/new_hipaa_liability_lawyers.html, archived at https://perma.cc/F88Y-U928.

[72] See Standards for Privacy of Individually Identifiable Health Information, supra note 67; see Security Standards, supra note 68.

[73] Both the Privacy Rule and the Security Rule dictate certain terms that must be included in a BAA.

[74] See Nelson & Simek, supra note 27.

[75] See 15 U.S.C. §§ 6801–6809 (2012).

[76] See 16 C.F.R. §§ 314.2, 314.3(b).

[77] See 16 C.F.R. § 314.4(a-c).

[78] See, e.g., Cal. Civ. Code § 1798.81.5 (Deering 2009); Conn. Gen. Stat. § 42-471 (2010); Md. Code Ann., Com. Law §§ 14-3501 to 14-3503 (LexisNexis 2009); Nev. Rev. Stat. § 603A.210 (2009); Or. Rev. Stat. § 646A.622 (2009); Tex. Bus. & Com. Code Ann. §§ 72.001–72.051 (West 2009).

[79] See Cal. Civ. Code § 1798.81.5 (Deering 2009).

[80] See 201 Mass. Code Regs. 17.01–17.05 (2008).

[81] See id.

[82] See id.

[83] See Debra Cassens Weiss, Lawyers Have Duty to Stay Current on Technology’s Risks and Benefits, New Model Ethics Comment Says, ABA Journal Law News (Aug. 6, 2012, 7:46 PM)

http://www.abajournal.com/news/article/lawyers_have_duty_to_stay_current_on_technologys_risks_and_benefits/, archived at https://perma.cc/WPZ4-2DYH.

[84] See Unfrozen Caveman Lawyer, Saturday Night Live Transcripts, http://snltranscripts.jt.org/91/91gcaveman.phtml, archived at https://perma.cc/M7GB-DGJZ (“Sometimes when I get a message on my fax machine, I wonder: ‘Did little demons get inside and type it?’ I don’t know! My primitive mind can’t grasp these concepts.”) (last visited Apr. 5, 2016).

[85] See Megan Zavieh, Luddite Lawyers Are Ethical Violations Waiting to Happen, Lawyerist.com (last updated July 10, 2015), https://lawyerist.com/71071/luddite-lawyers-ethical-violations-waiting-happen/, archived at https://perma.cc/6V4W-94J7.

[86] Lois D. Mermelstein, Ethics Update: Lawyers Must Keep Up with Technology Too, American Bar Association – Business Law Today, Business Law Today (Mar. 2013), http://www.americanbar.org/publications/blt/2013/03/keeping_current.html, archived at https://perma.cc/T8CF-ZWND.

[87] See Blair Janis, How Technology Is Changing the Practice Of Law, GP Solo, http://www.americanbar.org/publications/gp_solo/2014/may_june/how_technology_changing_practice_law.html, archived at https://perma.cc/23P5-PGM7 (last visited Apr. 5, 2016).

[88] Kevin O’Keefe, We Need Laws Requiring Lawyers to Stay Abreast of Technology? LEXBLOG: Ethics & Blogging Law (Mar. 28, 2015), http://kevin.lexblog.com/2015/03/28/we-need-laws-requiring-lawyers-to-stay-abreast-of-technology/, archived at https://perma.cc/8DR5-XK43.

[89] Attorney-client Privilege: Technological Changes Bring Changing Responsibilities for Attorneys and Legal Departments, Corporate Law Advisory, http://www.lexisnexis.com/communities/corporatecounselnewsletter/b/newsletter/archive/2014/01/06/attorney-client-privilege-technological-changes-bring-changing-responsibilities-for-attorneys-and-legal-departments.aspx, archived at https://perma.cc/XQ53-P3MF (last visited Apr. 5, 2016).

[90] Daniel Solove, Starting a Privacy Law Career, LinkedIn Pulse (Aug. 27, 2013), https://www.linkedin.com/pulse/20130827061558-2259773-starting-a-privacy-law-career?forceNoSplash=true, archived at https://perma.cc/G78L-DM2X.

[91] See Peter Geraghty & Sue Michmerhuizen, Think Twice Before You Call Yourself an Expert, Your ABA (Mar. 2013), http://www.americanbar.org/newsletter/publications/youraba/201303article11.html, archived at https://perma.cc/HJK7-RSLG .

[92] Solove, supra note 90.

[93] Alysa Pfeiffer-Austin, Four Practical Tips to Succeed in the Cybersecurity and Privacy Law Market, ABA Security Law (Dec. 9, 2015), http://abaforlawstudents.com/2015/12/09/four-practical-tips-to-succeed-in-the-cybersecurity-and-privacy-law-market/, archived at https://perma.cc/AH9A-JCTU.

[94] See David G. Ries, Cybersecurity for Attorneys: Understanding the Ethical Obligations, Law Practice Today (Mar. 2012), http://www.americanbar.org/publications/law_practice_today_home/law_practice_today_archive/march12/cyber-security-for-attorneys-understanding-the-ethical-obligations.html, archived at https://perma.cc/N4VM-N4NG.

[95] Model Rules of Prof’l Conduct R. 1.1 (2014).

[96] Model Rules of Prof’l Conduct R. 1.1 cmt. 8 (2014) (emphasis added).

[97] Jenson, Watson & Sherer, supra note 40, at 2.

[98] See James Podgers, You Don’t Need Perfect Tech Knowhow for Ethics’ Sake—But a Reasonable Grasp Is Essential, ABA Journal (Aug. 9, 2014), http://www.abajournal.com/news/article/you_dont_need_perfect_tech_knowhow_for_ethics_sake–but_a_reasonable_grasp, archived at https://perma.cc/CB3P-R7YL.

[99] Jenson, Watson & Sherer, supra note 40, at 2.

[100] Kelly H. Twigger, Symposium, Ethics in Technology and eDiscovery – Stuff You Know, but Aren’t Thinking About, Ark. L. Rev. (Oct. 16, 2014), http://law.uark.edu/documents/2014/10/TWIGGER-Ethics-in-Technology-and-eDiscovery.pdf, archived at https://perma.cc/LTG8-7AYU.

[101] Id.

[102] These states are: Arizona, Arkansas, Connecticut, Delaware, Idaho, Illinois, Iowa, Kansas, Massachusetts, Minnesota, Nebraska, New Hampshire, New Mexico, New York, North Carolina, Ohio, Pennsylvania, Utah, Virginia, West Virginia, and Wyoming. See Robert Ambrogi, 20 States Have Adopted Ethical Duty of Technological Competence, Law Sites (Mar. 16, 2015), http://www.lawsitesblog.com/2015/03/11-states-have-adopted-ethical-duty-of-technology-competence.html, archived at https://perma.cc/B5TF-D6NJ (last updated Dec. 23, 2015) (listing 20 states not including Nebraska); see also Basic Technology Competence for Lawyers, Event Details, Nebraska Bar Assoc. (Apr. 6, 2016), https://nebar.site-ym.com/events/EventDetails.aspx?id=788239&group=, archived at https://perma.cc/SMU6-58TU (“[T]he need to be aware of and have a working knowledge of technology…is ethically required of all lawyers.”).

[103] Ann M. Murphy, Is It Safe? The Need for State Ethical Rules to Keep Pace with Technological Advances, 81 Fordham L. Rev. 1651, 1659, 1665–66 (2013), http://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=4876&context=flr, archived at https://perma.cc/V69A-EETR.

[104] Samantha V. Ettari & Noah Hertz-Bunzl, Ethical E-Discovery: What Every Lawyer Needs to Know, LegaltechNews (Nov. 10, 2015), http://www.kramerlevin.com/files/Publication/d7dec721-693a-4810-a4b9-32dfe9c1864b/Presentation/PublicationAttachment/018a444a-d7de-46b2-bc16-506cff88d346/EDiscovery-Legaltech%20News11.10.15..pdf, archived at https://perma.cc/4YMR-XL9U (referring to Model Rule of Prof’l Conduct 5.1).

[105] American Bar Association, A Legislative History: the Development of the ABA Model Rules of Professional Conduct, 1982-2005 560 (2006).

[106] Jeffrey P. Reilly, Rule 5.1 of the Rules of Professional Conduct: What Must Corporate General Counsel Do? Association of Corporate Counsel, Baltimore Chapter FOCUS 2Q12 5–6 (2012), http://www.milesstockbridge.com/pdf/publications/ReillyACCArticle.pdf, archived at https://perma.cc/G26J-NTJE.

[107] See Jennifer Ellis, What Technology Does a Modern US Lawyer Generally Use in Practice?, Quora (Mar. 22, 2014), https://www.quora.com/What-technology-does-a-modern-US-lawyer-generally-use-in-practice, archived at https://perma.cc/4FX4-2UV7.

[108] See Model Rules of Prof’l Conduct R. 5.3.

[109] Frances P. Kao, No, a Paralegal Is Not a Lawyer, ABA Bus. Law Today, (Jan./Feb. 2007), https://apps.americanbar.org/buslaw/blt/2007-01-02/kao.shtml, archived at https://perma.cc/3J2N-ELPA.

[110] See Model Rules of Prof’l Conduct R. 1.6.

[111] See Jon Snyder, 1939’s ‘World of Tomorrow’ Shaped Our Today, Wired (Apr. 29, 2010, 8:00 PM), http://www.wired.com/2010/04/gallery-1939-worlds-fair/, archived at https://perma.cc/D5V4-36R5.

[112] Model Rules of Prof’l Conduct R. 1.6.

[113] See Saul Jay Singer, Speaking of Ethics: When Tarasoff Meets Rule 1.6, Washington Lawyer (May 2011), https://www.dcbar.org/bar-resources/publications/washington-lawyer/articles/may-2011-speaking-of-ethics.cfm, archived at https://perma.cc/A7E4-DSH6.

[114] Model Rules of Prof’l Conduct R. 1.6 cmt. 18.

[115] David G. Ries, Cybersecurity for Attorneys: Understanding the Ethical Obligations, Law Practice Today (Mar. 2012), http://www.americanbar.org/publications/law_practice_today_home/law_practice_today_archive/march12/cyber-security-for-attorneys-understanding-the-ethical-obligations.html, archived at https://perma.cc/59Q2-55Q4.

[116] See State Bar of Cal. Standing Comm. on Prof’l Responsibility and Conduct, Formal Op. 2015-193, 3–4 (2015) [hereinafter Cal. Ethics Op. 2015-193] (discussing what an attorney’s ethical duties are in the handling of discovery of electronically stored information).

[117] Ettari & Hertz-Bunzl, supra note 104.

[118] Cal. Ethics Op. 2015-193, supra note 116, at fn. 7.

[119] State Bar of Cal. Standing Comm. on Prof’l Responsibility and Conduct, Formal Op. 2010-179, 7 (2010) (discussing whether an attorney violates the duties of confidentiality and competence she owes to a client by using technology to transmit or store confidential client information when the technology may be susceptible to unauthorized access by third parties).

[120] N.Y. Cnty. Lawyers’ Ass’n Comm. on Prof’l Ethics, Formal Op. 733, 7 (2004) (discussing non-exclusive referrals and sharing of office space, computers, telephone lines, office expenses, and advertising with non-legal professionals).

[121] N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Formal Op. 842 (2010) (discussing using an outside online storage provider to store client’s confidential information).

[122] Model Rules of Prof’l Conduct R. 1.4 (1983); see also 204 Pa. Code § 81.4 (1988), http://www.pacode.com/secure/data/204/chapter81/chap81toc.html, archived at https://perma.cc/6FG5-9VP3 (incorporating ABA Model Rule 1.4 into Pennsylvania’s Model Rule 1.4).

[123]See ABA Comm. on Ethics 20/20, Introduction and Overview (Feb. 2013), http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20121112_ethics_20_20_overarching_report_final_with_disclaimer.authcheckdam.pdf, archived at https://perma.cc/D2ZY-NYEU.

[124] Model Rules of Prof’l Conduct R. 1.6(c) cmt. 18 (1983).

[125] Opinion 701 also highlights, if inadvertently, the challenges attorneys face when trying to modify existing practices to fit new technologies. As part of the inquiry underpinning Opinion 701’s guidance, the opinion notes that “nothing in the RPCs prevents a lawyer from archiving a client’s file through use of an electronic medium such as PDF files or similar formats.” This note is nearly laughable when read in the context of current practice, as it suggests that attorneys were (or are?) concerned about whether PDF files are appropriate for retaining paper documents. N.J. Advisory Comm. on Prof’l Ethics, Formal Op. 701 (2006), https://www.judiciary.state.nj.us/notices/ethics/ACPE_Opinion701_ElectronicStorage_12022005.pdf, archived at https://perma.cc/EV9H-BN3T.

[126] See Brian M. Karpf, Florida’s Take on Telling Clients to Scrub Social Media Pages, Law 360 (Sept. 15, 2015, 4:33 PM), http://www.law360.com/articles/702288/florida-s-take-on-telling-clients-to-scrub-social-media-pages, archived at https://perma.cc/NZ3W-FHPS.

[127] See id.

[128] N.Y.C. Bar Ass’n Comm. on Prof’l. Ethics, Formal Op. 2010-2 (2010), http://www.nycbar.org/ethics/ethics-opinions-local/2010-opinions/786-obtaining-evidence-from-social-networking-websites, archived at https://perma.cc/JT9K-2EGV (discussing lawyers’ obtainment of information from social networking websites).

[129] Id.

[130] Mark A. Berman, Ignatius A. Grande & James M. Wicks, Social Media Ethics Guidelines of the Commercial and Federal Litigation Section of the New York State Bar Association, The New York State Bar Association (June 9, 2015), http://www.nysba.org/socialmediaguidelines/, archived at https://perma.cc/4ZSN-BXT4.

[131] Id.

[132] Id.

[133] Id.

[134] Id.

[135] See Fla. State Bar Comm. on Prof’l Ethics, Proposed Op. 14-1 (2015), http://www.floridabar.org/TFB/TFBResources.nsf/Attachments/B806500C941083C785257E730071222B/$FILE/14-01%20PAO.pdf?OpenElement, archived at https://perma.cc/DK9W-A44Z.

[136] Pa. Bar Ass’n. Comm. on Ethics, Formal Op. 2014-300, 2 (2014), http://www.americanbar.org/content/dam/aba/events/professional_responsibility/2015/May/Conference/Materials/pa_formal_op_2014_300.authcheckdam.pdf, archived at https://perma.cc/G6EY-PBFF.

[137] Model Rules of Prof’l Conduct R. 3.4 (1983).

[138] See supra Part II.

[139] See ABA Cybersecurity Legal Task Force, Resolution 118, 2 (August 2013), http://www.americanbar.org/content/dam/aba/administrative/law_national_security/resolution_118.authcheckdam.pdf, archived at https://perma.cc/UQ44-3Q2C.

[140] See id. at 4.

[141] See id. at 16.

[142] Model Rules of Prof’l Conduct R. 5.7, cmt. 1 (1983).

[143] See Model Rules of Prof’l Conduct R. 1.6.

[144] Ralph C. Losey, The Importance of Cybersecurity in eDiscovery, E-Discovery Law Today (May 9, 2014) http://www.ediscoverylawtoday.com/2014/05/the-importance-of-data-security-in-ediscovery/, archived at https://perma.cc/P64J-NYQ7.

[145] Ralph C. Losey, The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice – Part Two, e-Discovery Team (May 18, 2014), http://e-discoveryteam.com/2014/05/18/the-importance-of-cybersecurity-to-the-legal-profession-and-outsourcing-as-a-best-practice-part-two/, archived at https://perma.cc/W3HW-AHCC.

[146] N.Y.C. Bar Ass’n Comm. on Prof’l Ethics, Formal Op. 2015-3, 4–5 (2015), http://www2.nycbar.org/pdf/report/uploads/20072898-FormalOpinion2015-3-LAWYERSWHOFALLVICTIMTOINTERNETSCAMS.pdf, archived at https://perma.cc/6BHV-V2YC.

[147] Id. at 1.

[148] Id. at 6 (emphasis added).

"Demand Response" In 2016

By

On April 21, 2016

In Blog Posts

demand_response2-500x333

By: Ryan Suit,

If you have ever wanted to be paid to do less than you are doing right now, then you might be a fan of “demand response.” Demand response refers to the concept of paying electricity consumers to not use electricity at certain times.[1] Currently, most demand response participants are large commercial industries, and residential participation is still small. But as advancements in technology allow more people and businesses to take part in demand response, paying consumers to not use electricity will have a lot of benefits for consumers, the electric grid, and the environment.[2]

Demand response entails less energy being consumed, which means less energy needs to be produced. For one, this decreases the costs to consumers because they use less energy.[3] Second, demand response allows the grid to be more reliable because there is a lesser likelihood of overload on the grid.[4] Third, it also decreases the amount of carbon dioxide produced by electricity generators who use fossil fuels.[5] Many power plants that use fossil fuels are both inefficient and expensive to operate, so are only turned on when demand for electricity is at its peak. Demand response can prevent the need for these types of plants, and therefore prevent them from producing carbon dioxide pollution, because it helps to balance the supply and demand for electricity by using less energy, rather than producing more.

The big question for demand response is, “Who gets to regulate it?” Section 201 of the Federal Power Act gives the Federal Energy Regulatory Commission (FERC) the power to regulate interstate transmission of wholesale electricity sales.[6] While FERC was given the authority to regulate interstate electricity and wholesale rates, states were left to regulate intrastate electricity sales and retail sales to end-users.[7] Almost one year ago, the Supreme Court held in Learjet that federal natural gas laws do no preempt state laws that regulate any phase of natural gas production.[8] By holding that federal laws did not preempt state regulation of an energy industry, Learjet signaled that the Supreme Court might be in favor of allowing states to regulate demand response.[9] Earlier this year the Court clarified its stance on demand response in FERC v. EPSA.[10] In that case, the Supreme Court confirmed that FERC has the ability to require firms that transmit energy on the grid to accept bids from demand response companies.[11] This makes demand response a much more viable competitor to energy generators, and also creates more of the benefits described above: lower costs, more reliability, and less pollution. Though state regulatory commissions still have the ability to regulate demand response by prohibiting customers in their states from participating in demand response markets[12], the holding in FERC v. EPSA may indicate that “veto” power could be taken away, and FERC might soon have more power to increase demand response schemes.

Demand response is becoming more than just an energy concept, and is gaining more traction both economically and legally. More lawsuits dealing with demand response are likely to be litigated in the near future, but the Supreme Court’s recent rulings show that demand response could be in your near future as well.

 

 

[1] See Joel Eisen, FERC v. EPSA and the Path to a Cleaner Energy Sector, 40 Harvard Environmental Law Review 1 (2016).

[2] Id. at 2.

[3] Id.

[4] Id.

[5] Id.

[6] Federal Power Act § 201

[7] Id.

[8] See Oneok, Inc. v. Learjet, Inc.

[9] Ashley Davoli, Demand Response: The Consumer’s Role in Energy Use, Rich. J.L. & Tech. (April 26, 2015) http://jolt.richmond.edu/index.php/demand-response-the-consumers-role-in-energy-use/.

[10] See Federal Energy Regulatory Commission v. Electric Power Supply Assoc., 136 S.Ct. 760 (2016)

[11] Id. at 763-764.

[12] Id. at 779-780.

Smith et al v. Facebook, Inc. et al: Plaintiffs Allege Facebook is Mining Private Medical Information to Generate Profit

By

On April 6, 2016

In Blog Posts

Facebook-lawsuit

By: Quinn Novak,

 

If you Google the American Cancer Society and search through their website for information about breast cancer, do you have a reasonable expectation of privacy? Or do you expect that someone is monitoring your activity and collecting your medical searches? Winston Smith believed he had privacy when searching those types of medical websites for cancer information. Smith did not realize that Facebook collects his private medical information from well-respected cancer organizations[1] and uses that private health data to create marketing profiles, targeting him with tailored advertisements based on his private information.[2] When Smith discovered this reality, he initiated a class action lawsuit against Facebook and seven healthcare organizations, including the American Cancer Society, the American Society of Clinical Oncology, and the Melanoma Research Foundation.[3]

Smith filed the complaint on March 15, 2016 in a San Jose, federal court.[4] The case was assigned to Magistrate Judge Nathanael M. Cousins.[5] The three plaintiffs, including Smith, allege that the named defendants violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), federal Wiretap Acts, and several state statutes.[6] According to HIPAA, because medical data is private, it should be difficult to acquire and companies are not allowed to gather or share medical information without express authorization of the patient.[7] Plaintiffs argue that because users have no idea that their information is being gathered and because Facebook does not disclose on its data and privacy policies that it tracks, collects, and intercepts users’ sensitive medical information and communications, Facebook and the named healthcare organizations violate HIPAA.[8]

Although it is evident that Facebook is harvesting cancer data to generate profit through targeted advertising,[9] it is unclear if the medical website owners have knowledge that Facebook is using their data.[10] However, if the healthcare organizations were aware that Facebook was collecting their user’s data, plaintiff claims that the organizations should have disclosed their relationship with Facebook to their users.[11]

Although Smith seeks certification, damages, restitution, and permanent injunction from all eight defendants, a Facebook spokesperson stated that the “Lawsuit is without merit and we will defend ourselves vigorously.”[12] In rebuttal, a representative from plaintiff’s counsel, Kiesel Law LLP, stated, “When you’re searching private medical information, you don’t realize it’s being sent to Facebook” and states that there is a reasonable expectation of privacy for these types of searches.[13] Fortunately, not all medical websites allow Facebook to track their user’s communications; the Mayo Clinic and Johns Hopkins Medicine website do not allow Facebook to mine their data through the use of cookies.[14] So, for now, if you need to search for medical information about cancer and you don’t want Facebook to keep track of that information, use one of the numerous protected websites. Otherwise, the next time you log onto Facebook, you can reasonably expect to see advertisements across your newsfeed catering to your cancer medical needs.

 

 

[1] See Bethy Squires, Facebook is Mining Private Data from Cancer Organizations, New Lawsuit Alleges, Broadly (Mar. 18, 2016, 4:15 PM), https://broadly.vice.com/en_us/article/facebook-is-mining-private-data-from-cancer-organizations-new-lawsuit-alleges.

[2] See Nicholas Iovino, Facebook Mines Data Off Cancer Sites, Users Say, Courthouse News Service (Mar. 16, 2016, 7:05 PM), http://www.courthousenews.com/2016/03/16/facebook-mines-data-off-cancer-sites-users-say.htm.

[3] See Carrie Pallardy, Lawsuit Claims Facebook Mined PHI from Websites of Cleveland Clinic, MD Anderson Cancer Center & More for Advertising Profit, Becker’s Health IT & CIO Review (Mar. 23, 2016), http://www.beckershospitalreview.com/healthcare-information-technology/lawsuit-claims-facebook-mined-phi-from-websites-of-cleveland-clinic-md-anderson-cancer-center-more-for-advertising-profit.html.

[4] See Smith et al v. Facebook, Inc. et al, PacerMonitor (Apr. 1, 2016, 12:07 AM), https://www.pacermonitor.com/public/case/10970091/Smith_et_al_v_Facebook,_Inc_et_al [hereinafter PacerMonitor]; see Neil Versel, Suit Claims Facebook Mines Private Cancer Data, MedCity News (Mar. 23, 2016, 1:21 AM), http://medcitynews.com/2016/03/facebook-cancer-data/.

[5] See PacerMonitor, supra note 4.

[6] See Versel, supra note 4.

[7] See Squires, supra note 1.

[8] See id.; see Iovino, supra note 2.

[9] See Iovino, supra note 2.

[10] See Squires, supra note 1; see also Versel, supra note 4 (stating that it is unclear whether cancer institutes named in the suit are aware of Facebook’s practices).

[11] See Pallardy, supra note 3.

[12] See Iovino, supra note 2.

[13] See Squires, supra note 1.

[14] See id.

 

Photo Source: http://www.valuewalk.com/wp-content/uploads/2015/02/Facebook-lawsuit.jpg

Are Your Legal (Or Illegal Undertakings) Really Anonymous?

By

On April 4, 2016

In Blog Posts

 

how-can-i-buy-bitcoins-630x382

By Celtia van Niekerk,

When Silk Road was developed, it became a haven for illegal activity. Masked by the cryptic underworld of the dark web, many people thought that their activities online were finally free from the peering eyes of law enforcement.

The Developer of Silk Road, Ross Ulbricht was ones such person.

He created Silk Road, a website where narcotics were freely sold—an Amazon of the underworld. In order to sell narcotics, buyers and sellers turned to bitcoin, a digital currency which enabled them to conduct their activities in secrecy… Or so they thought.

The Bitcoin network relies on a shared public ledger called a block chain. This block chain records all transactions and in that way, the amount in each wallet is calculated.[1] This process is made secure through cryptography. The difficulty for law enforcement is that a user’s true identify is kept secret because instead of using your real name like you would at a bank, a user creates a code which serves as their digital signature in the blockchain.[2] But while Bitcoins itself are anonymous, spending them starts a forensic trail that may lead right back to you.[3]

Graduate students at Penn State were the first to crack the cryptography wall—by isolating some of the Bitcoin addresses, they were able to isolate other address and eventually map the IP addresses of over 1000 Bitcoin addresses.[4] But this easier said than done—once bitcoins mix in with other users, the trace is harder to follow as Bitcoin is designed to blur the lines between the IP address and the transaction.[5] According to Sarah Meiklejohn, a computer scientist, once you catch someone buying an illegal product off a website such as Silk Road, the blockchain serves as a history of all their criminal activity.[6]

Some have contended that the Federal government may issue their own cryptocurrency, like Bitcoin which would require a user to verify their real world identity.[7] But a move like this may have no effect on the popularity of Bitcoin, which offer’s their users more anonymity. One thing is for certain, Bitcoin is not as anonymous as once believed, leading law enforcement to take notice.

 

 

[1] Bitcoin, How does Bitcoin Work? https://bitcoin.org/en/how-it-works (last accessed March 14, 2016).

[2] John Bohannon, Why criminals can’t Hide behind Bitcoin, Science, (March 9,2016).

[3] Elliot Maras, How Bitcoin Technology Helps Law Enforcement Catch Criminals, CCN.LA, (March 10, 2016).

[4] Id.

[5] Supra, note 2.

[6] Supra, note 3.

[7] Supra, note 2 (Statement from Bill Gleim, head of machine learning at Coinalytics).

 

Photo Source: http://media.coindesk.com/2013/08/how-can-i-buy-bitcoins-630×382.jpg

A Litigator's Guide to the Internet of Things

By

On April 1, 2016

In Article

Peyton Publication Version PDFpdf_icon 

 

Cite as: Antigone Peyton, A Litigator’s Guide to the Internet of Things, 22 Rich. J.L. & Tech. 9 (2016), http://jolt.richmond.edu/v22i3/article9.pdf. 

Antigone Peyton, Esq.*I

I. Introduction

[1]       Maybe you’ve heard about the Internet of Things (IoT). It’s the network of physical objects (or “things”) that connect to the Internet and each other and have the ability to collect and exchange data. It includes a variety of devices with sensors, vehicles, buildings, and other items that contain electronics, software, and sensors. Some IoT objects have “embedded intelligence,” which allows them to detect and react to changes in their physical state.[1] Though there is no specific definition of IoT, the concept focuses on how computers, sensors, and objects interact with each other and collect information relating to their surroundings.[2]

[2]       In 2009, the number of “things” connected to the Internet surpassed the number of people worldwide.[3] That was just the beginning of the IoT movement.[4] In fact, some industry experts estimate that there will be up to 50 billion connected devices by 2020.[5] The LinkedIn “Internet of Things Community” is 12,000 members strong, and it’s growing every day.[6] Lawyers need to understand how this explosive growth in the IoT market is going to change their practice in the courtroom.

[3]       From a litigator’s perspective, there are benefits and risks associated with IoT evidence. These connected objects, combined with big data analytics, can make cases simultaneously clearer and more complicated. The IoT movement also challenges litigators to roll up their sleeves and think creatively about how all these connected objects can tell a story. The key evidence that blows the case wide open may be right in front of your face, flying through the interweb, waiting patiently in a client’s smart phone app, or sitting on their fitness device.

[4]       For instance, and as this paper explores, IoT information can be used to track suspects’ movements at the time a crime occurred and provide evidence of an alibi. It can be used to attack the credibility of witness testimony and show how a vehicle was (or wasn’t) functioning properly when an accident occurred. As with all evidence we might use in the courtroom, lawyers, juries, and judges need to understand how IoT data should be interpreted and its limitations.

[5]       Lawyers also need to talk with clients about the smart objects they interact with and which objects might have information that is potentially relevant to litigation. The data those objects collect might reflect a client’s physical injury and diminished capacity, indicate the physiological response to a sexual harassment incident, or provide evidence of a former employee’s unauthorized access to company systems to steal data. Consider the narrative that can be created once you obtain the right IoT data from a client or opponent. You can’t consider the options, however, until you ask the right questions.

[6]       It’s time to hone your technical competence and start thinking about how IoT will forever change the way you prepare and try your case! This is the litigator’s guide to the Internet of Things.

II. The Internet of What?

[7]       The basic premise behind IoT is that everyday objects can be turned into “smart” devices that operate better, are more efficient, and communicate with their people masters and other objects. These objects are programmed to communicate via apps, text messages, browsers, and other tools. They tend to communicate using embedded sensors and wired and wireless communication protocols and systems, including Wi-Fi, Bluetooth, and a variety of specialized IoT protocols.[7]

[8]       Imagine a refrigerator that tells you when you need more milk,[8] or a home thermostat that can be adjusted remotely using an app on your mobile device and learns your behavior patterns relating to your home climate.[9] Or a networked house that connects power outlets to sounds systems, TVs, smoke detectors, security cameras, coffee pots, and the home owner through a software app.[10] These homes already exist,[11] and more are coming online everyday.

[9]       This increased connectivity includes objects outside the home. Workers and service professionals are connecting remotely and communicating with their company’s business equipment and office systems via mobile devices.[12] Consumers are buying networked cars,[13] and walking around with wearable fitness and health technologies strapped to their arms and embedded in their clothes that track their vitals and activity levels.[14] Bikers are using apps and devices to track their workouts and film their surroundings.[15] Google Glass wearers are creating and recording information as they travel and they are communicating with the Internet using voice commands.[16] All of these connected technologies create interesting information about their users and have some level of situational awareness.

III. The Connected State 

A. Connected Toys

[10]     There are a surprising number of everyday objects found in homes that are recording information and transmitting it offsite. One creepy example of the IoT revolution is Mattel’s talking Barbie.[17] Mattel’s connected Barbie can talk with your child through an embedded microphone and a Wi-Fi connection that’s engaged when you hold down a button on her belt.[18] When someone talks to “Hello Barbie,” the conversation is recorded and sent to a server back at the company that makes the voice recognition technology powering Barbie.[19] There, speech recognition software (think of a Barbie version of Siri) interprets the child’s statements and sends back a pre-programmed response.[20] That’s right, the doll talks back to the child. Mattel’s partner, ToyTalk, stores all of the children’s conversations and the conversations of others who interact with the doll.[21]

[11]     Whether ToyTalk is controlling the object or its behaviors or listening to the people or other objects that its products interact with, these activities are important to lawyers investigating potential sources of relevant evidence in the litigation context. Perhaps a lawyer might send a subpoena to ToyTalk seeking the audio records from its client’s Hello Barbie doll for use in a domestic abuse case. And Hello Barbie is not an outlier—there are a number of connected toys popping up on store shelves. It’s rarely, if ever, explained to the consumer where the conversations these toys record and transmit are being stored, how that information is being used by the manufacturer or a partner company, and how it might be collected for use in litigation.

[12]     Some enterprising companies, including several rent-to-own companies that ran into a bit of trouble with the FTC, put spyware (called Detective Mode) on their rental laptops that would turn on the built-in-cameras if the customer failed to make timely payments.[22] The spyware could also track the user’s location, disable the computers, and add a fake software registration popup window that would take a user’s registration information and transmit it back to the rental store, who would use it to track the renters to collect money.[23] Detective Mode also gathers data about whoever is using the computer, and transmits it to the software manufacturer every two minutes, who then sends the data to the rent-to-own store.[24] Since the software collected private data including user names and passwords for e-mail accounts, social media websites, financial institutions, Social Security numbers, medical records, private e-mails, bank and credit card statements, along with webcam pictures of children, partially undressed individuals, and intimate activities at home, the FTC put a stop to the practice.[25] While these rental laptops are not considered an IoT object, similar spyware can be loaded on any object with a chip that includes a camera and access to the Internet and used to collect massively sensitive information.

B. Wearable IoT Devices 

[13]     Wearable IoT devices include a wide range of medical devices and health and fitness products, including casual wearable fitness devices (like the Apple watch) and connected pacemakers and insulin pumps.[26] Wearable fitness devices, including smart watches and smart clothes, now monitor geolocation as well as heart rate, pulse, calorie consumption, sleep patterns, and other biological data.[27] Most wearable devices monitor very sensitive personal and health data. The devices constantly store data that users unconsciously create while going about their day. Wearables also transmit that data to the manufacturer and other entities for analysis and to share the information with the user so they can track their health and fitness over time.[28] Without a doubt, this data can be used in a court of law.

[14]     The information wearable fitness and health devices collect can be highly relevant in determining, for example, where an individual was at a particular time and whether they have been “disabled” or injured as a result of a particular accident. A personal injury lawyer might be interested in the data collected from their client’s wearable fitness device. For instance, the data obtained from a Fitbit device[29] has been used as evidence of an individual’s diminished physical activity resulting from a work-related injury in a Canadian personal injury case.[30] The plaintiff used her Fitbit data to show that her post-injury activity levels were lower than the baseline for someone of the same age and profession to prove she deserved compensation for the injury.[31] With the help of a startup analytic company that aggregates Fitbit data and prepares analytical reports, her lawyers contrasted her personal data with the general population’s health and wellness data (from other Fitbit devices) to make their case.[32]

[15]     Prosecutors and defense counsel seeking incriminating or exculpatory evidence can also use wearable device data. In a case alleging rape in Pennsylvania, the Fitbit data contradicted the statements of the alleged victim by showing that at the time of the crime, she was awake and walking around, even though she claimed she was attacked while asleep.[33] She now faces misdemeanor charges because the Fitbit data contradicted her story.[34]

[16]     Some wearables, like Google Glass, transmit location information, take photos and videos, and perform web searches. Imagine if a person who witnesses a crime while wearing this device took pictures of the perpetrator and the scene after the crime occurred.[35] Unlike surveillance technology, humans tend to look at something interesting or important. Technology like Google Glass might help them record valuable eye-witness evidence. The device may contain evidence like photos and geolocation information, along with time stamps, that police may use to investigate and prosecute crimes and civil litigants may use to pursue their cases.

[17]     However, there are downsides to a person’s voluntary collection of sensitive health information using a wearable device. Insurers and employers seeking to deny injury and disability claims can just as easily use wearable devices to support their own litigation claims and positions. It is generally seen as illegal for employers and insurers to force people to use the wearable devices.[36] But if individuals decide to collect this information on their own, device manufacturers or companies that store or report wearable device data might receive a subpoena for it, assuming the consumers don’t have it.

[18]     The fact that wearable device data may have evidentiary value should come as no surprise, given the fact that evidence from other self-tracking devices has already been used in court. Courts already use data from GPS devices and biking apps in cases involving bike accidents.[37] Police routinely use surveillance technology like Automatic License Plate Readers (ALPR) mounted on police cars, or on objects like road signs and bridges, to photograph thousands of plates per minute and track motorist movements.[38] Private companies also collect license plate photos and geotagged images and sell that data to law enforcement, insurers, and financial institutions.[39] They consider this analogous to taking photographs in public and disseminating the information, an activity protected by the First Amendment.[40] This is one part of a larger trend toward surveillance of private citizens’ activities. While this type of surveillance usually occurs without consent, wearable tracking is voluntary.

[19]     One issue raised by wearable evidence involves the reliability of the data and the analyses performed on it. The software that analyzes wearable data interprets the wearer’s daily activities and compares that data to predetermined baselines and standards set by the manufacturer. For example, Fitbit monitors sleep patterns, decides how many hours a user sleeps, and determines the quality and efficiency of that sleep.[41] The wearer is compared to the “average” sleeper (as determined by the manufacturer’s algorithm).[42] That information might be useful for an employer defending itself against a worker’s compensation claim, particularly if the sleep analysis reveals that the worker was considered “sleep deprived” by the data analysis at the time of the accident. So regardless of her personal optimal sleep duration or the outside forces that might have impacted her sleep the night before the accident occurred, she would be categorized and measured against a population baseline.

[20]     Other wearable devices collect different data, function differently, and use different algorithms and standards to analyze data and report trends and health information in comparison to the general population.[43] All of this means that before wearable evidence is used in a case, you need to understand what it means and the limitations inherent in the analysis of that data. This information should be clearly explained to the fact finder by someone who knows the IoT device that collected the data and the analytic method or methods it uses to interpret that data. Perhaps the IoT revolution will give rise to a whole new class of “experts” who interpret wearables data and the analytics engines in a courtroom setting.

C. Connected Cars

[21]     Another category of IoT technology relates to connected transportation. Today, many cars have sophisticated software that connect the user to many remotely managed features including real-time navigation, mapped points-of-interest, dash-based Internet search, streaming music, and mobile device app connectivity.[44] IoT implicates a wide variety of technologies involved with running and monitoring connected cars, including connected control systems, Event Data Recorders (EDRs), and other vehicle telematics.[45] Vehicle control software may use proximity sensors to identify collision risks and automatically engage the brake, survey blind spots and report objects, and park a vehicle without driver assistance. Automakers are turning vehicles into smartphones using connection technology that controls the entertainment and navigation systems, enables phone calls, and provides a Wi-Fi hotspot. Further, a number of well-know tech companies are currently testing driverless cars and intend to offer self-driving cars in the near future.[46] These cars will be connected to the Internet and they will transmit all kinds of data relating to the vehicle and its passengers’ activities.

[22]     Particularly in light of the Volkswagen emissions scandal,[47] the connected control systems on vehicles are of great interest to the public and regulatory bodies. Additionally, an insurance carrier might seek records reflecting the information an auto manufacturer collects through a connection with an in-dash entertainment system and the data relating to car speed and breaking that resides in the vehicle control system. Was the driver checking her email while driving 70 miles an hour before she rear-ended another car? And a class action lawyer might find the data housed on EDRs useful in a class action lawsuit relating to certain safety issues involving the physical components of vehicles or the software that runs them.

[23]     Some vehicles have safety features that include automated calls in case of emergencies, and in at least one reported incident, a hit and run accident was foiled when the fleeing driver’s car called the police after impact.[48] The car synced to the driver’s phone using Bluetooth, and because the emergency call feature was enabled, it gave police the vehicle’s GPS location and opened the line so the driver could talk with the police.[49] The owner told the police that her car was not in an accident when connected, but the dents in the front of her car and her airbags told a different story when the police showed up at her house later.[50]

[24]     At least one rental car agency is already putting cameras in navigational devices installed in its fleet of cars, and the user cannot disable the camera.[51] While the agency reports that these cameras are not currently optional, they are clearly moving towards the day when customers (and the entire interior of a car) will be visible to their representatives if a service call is made using the navigational device.[52]

IV. e-Discovery of IoT Information

[25]     Lawyers and clients should prepare for IoT-related e-discovery issues. IoT objects will present many challenges in the e-Discovery context. There are limitations on wearable devices and other IoT objects and the information they collect, however, the technology is becoming more sophisticated, accessible, and shareable every day. And when information is shared among multiple objects—a watch, a smartphone and a cloud computing system—the preservation issues are complex. Also, some IoT data is ephemeral and never really stored for future use or access. The Federal Rules of Civil Procedure provide some flexible guidance for dealing with this technical revolution, and counsel against “a limiting or precise definition of electronically stored information.”[53] Yet companies that store data from IoT devices will need to develop processes for preserving, collecting, and producing it when the duty arises—whether it’s the consumer’s duty or their own.

[26]     The legal regimes that govern the capture, processing, use, and ownership of object data are important when determining whether we—or our clients—have a duty to protect data generated from IoT activities (keep it secure and confidential) or preserve and produce it in a litigation. Often, consumers will expect that their wearable device data is “off limits” and they are surprised to learn that it can be used in certain types of cases. The sooner litigators identify the important IoT data clients and their customers generate and the objects they interact with everyday, the better off everyone will be when evaluating the legal risks and obligations to secure and produce that information.

[27]     Additionally, as IoT finds its way into the courtroom, judges will be asked to analyze the complex possession, custody, and control issues encountered in the IoT context. These questions may involve an analysis of the relative cost and burden associated with owner focused or manufacturer focused production options. For example, if an owner must jailbreak her device and hire an expensive expert to collect data off her wearable device, but the manufacturer can export her data with relative ease, courts should consider such practical realities when deciding their relative obligations. Moreover, access controls, privacy restrictions, and contractual obligations play a role in determining the appropriate process for engaging in e-discovery of IoT data.

[28]     One of the practical problems relating to collection of IoT information is that device manufacturers each collect data in their own way. And the analytic platforms that collect and aggregate IoT data do the same thing. Raw data residing on IoT objects may not be preserved or collected without undertaking significant efforts at a significant cost. The manufacturers don’t build these objects with the purpose of making it easy to collect information from them directly. This makes it particularly difficult to develop standard processes for preserving, collecting, reviewing, and producing information from a wide variety of IoT objects using their APIs or built in data reporting and download features. It also makes it hard to aggregate data from different devices and standardize it to obtain big data metrics using data collected from all wearable devices of a particular class. Given these issues, the cost associated with using this type of data could be prohibitive, given the relatively lower value of a case and the damages at stake. This is a prime area in which companies and e-discovery vendors can innovate and create a strong market for flexible services and solutions involving IoT device data.

[29]     Undoubtedly, more lawsuits involving IoT data are coming, as more lawyers and litigants realize that the data is discoverable, relevant, and useful as evidence that can support their case. Litigators and clients should understand how IoT objects work, what information they collect, where it is stored, how long it is stored, and who is obliged to keep it safe. Only after we understand how the system works, can we make strategic decisions about legal risks, e-discovery options and obligations, and appropriate use of IoT data in court. It will be interesting to see how the market responds to the challenges that will arise when parties start engaging in IoT discovery.

V. IoT Object As Witness 

[30]     As wearables and other IoT objects find their way into the courtroom, litigators must figure out how we will use IoT information as “witness” evidence. Did we ever imagine that the objects gathering information about us could be used against us? Will judges and juries treat it like forensic evidence, and give it the same weight and credibility as scientific analysis or the results reported by an expert witness? Not unlike scientific researchers or forensic experts, wearable technologies collect data, interpret it, and reflect it in reports that provide information about the user activity and experience.

[31]     It will be particularly interesting to see what happens when a witness’s sensory experiences (sight, sound, taste, etc.) clash with the “experience” reported by their wearable device and how the fact finder reconciles these competing stories. For example, if a biker testifies that they were traveling down a hill towards an intersection at about 15 miles per hour, but their wearable device or Strava[54] app reports the speed down the slope at 25 (due to a complicated three-dimensional GPS reading and reporting algorithms), which “witness” will the jury credit more? Both systems for reporting experiences are fallible and fraught with errors. But if litigators prioritize IoT data-driven evidence over eyewitness statements or expert analysis, then we must ensure that the algorithms used to analyze IoT data are understood and their imperfections are disclosed. As one commentator noted, if we think of devices as partial witnesses, we must understand that they carry biases and have a worldview, based on their relationship with their environment.[55]

[32]     There is a significant risk that IoT object information, for instance, the Fitbit data and its sleep analysis,[56] would carry more evidentiary weight than the owner’s own experience and view of her sleep patterns or alertness at the time an injury occurred. As with forensics results, there is a significant risk that judges and jurors will conclude that device data doesn’t lie or have an imperfect memory. Yet there is an interpretive activity lurking behind the scene. When wearable object data is collected and interpreted by analytics companies using proprietary algorithms, counsel, judges and juries will need to understand what’s happening under the hood, whether the results reported are reliable, and what evidentiary weight they should be given. The interpretive tools used to report IoT data are often highly subjective or an imperfect fit for a number of users because of their crude analysis methods or the individual’s health status and biology. This is but one area where possibilities are far ahead of the law on witness-style testimony from things connected the Internet.

[33]     Only time will tell whether this type of IoT information is seen as objective and unbiased evidence in the courtroom. If we can’t demonstrate that IoT evidence meets the requirements for introduction of scientific or forensic evidence, then it may be excluded.[57] If introduced, it may be given too much weight in light of its significant limitations. A balanced approach is needed.

[34]     Courts will also have to figure out how the Fifth Amendment protects the right against self-incrimination when the incriminating evidence involves user data created by an IoT object. And the Sixth Amendment provides the Constitutional right to confront a witness that will provide evidence against the accused in a criminal prosecution.[58] How would a witness confront her wearable device or the companies that think they know the best way to interpret the data it collects? This raises fundamental philosophical questions regarding the witness who must be available for “confrontation.” Is it you, your device, the manufacturer, the service provider that collects and analyzes your data, or the company that provides the algorithms used to interpret it? The case law is going to be messy and inconsistent as courts start considering the obstacles presented by use of IoT evidence in the courtroom and sorting the Constitutional issues out.

[35]     Additionally, as more IoT objects are used in litigations, people’s relationships with their wearables are likely to change. How will they react after learning that the connected IoT objects they interact with can be used as an involuntary informant? Perhaps the day is coming when eyewitness testimony will become almost irrelevant and will be replaced by the information our objects provide about our location, health, conscious state, and activities at any given time. But while IoT can reveal truths, those truths must be understood in context, in all their fallible or limited glory.

VI. Litigating in an IoT World

[36]     Some have called IoT a third major revolution—one built on the industrial revolution and the Internet revolution.[59] Lawyers and their clients are becoming more reliant on IoT to manage, monitor, and control their objects, interact, and work on the substantive aspects of their job. Regardless of the source, the information that IoT objects collect and share provide litigators rich new evidence stores that should be explored to find interesting information that impacts their case.

[37]     A tech-savvy lawyer knows how to get the right evidence in the right format from her client or opponent. The fact that IoT raises a number of novel and interesting legal issues and practical complexities means that tech-savvy lawyers, with a good grasp of the basic issues, will be well positioned to provide thoughtful and constructive advice. This guidebook provides some basic information regarding IoT technologies, legal issues, and practical concerns that should be considered. But it needs to be applied to the real world, for each client and case, and in the context of each connected collection of objects, companies, and people. The IoT movement is your opportunity to continue your self-education journey, and learn more about the implications of IoT on lawyering in the Information Age.

 

 

* Antigone Peyton is the founder and CEO of Cloudigy Law PLLC, an intellectual property and technology law firm located in McLean, Virginia. Antigone is an unabashed technophile focused on intellectual property litigation and cutting-edge legal and emerging technology issues, particularly those involving social media, patents, trademarks, copyrights, and trade secrets. Antigone is a frequent speaker and writer covering technological competence, IP, social media, and e-Discovery issues. You can find her on Twitter (@antigonepeyton) or on SnapChat (assuming you know what it is and how to use it).

[1] See Embedded Intelligence – Connecting Billions of Smart Sensors Into the Internet of Things, ARM Holdings, http://ir.arm.com/phoenix.zhtml?c=197211&p=irol-embeddedintelligence, archived at https://perma.cc/3HWX-QBWW (last visited Mar. 23, 2016).

[2] The “things” or “objects” in the IoT generally do not include desktop or laptop computers, smartphones, and tablets.

[3] See Dave Evans, Cisco Internet Bus. Solutions Grp., The Internet of Things: How the Next Evolution of the Internet Is Changing Everything 3 (2011), http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf, archived at https://perma.cc/HDF9-NM6T.

[4] See Accenture, The Internet of Things: The Future of Consumer Adoption (2014), https://www.accenture.com/t20150624T211456__w__/us-en/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Technology_9/Accenture-Internet-Things.pdf, archived at https://perma.cc/JKG7-UT4P.

[5] See Evans, supra note 3, at 3. IDC’s Digital Universe study reports that by 2020, there will be 200 to 300 billion connected IoT objects. See The Digital Universe of Opportunities: Rich Data and the Increasing Value of the Internet of Things, EMC2 (Apr. 2014), http://www.emc.com/leadership/digital-universe/2014iview/internet-of-things.htm, archived at https://perma.cc/86RJ-786G; see also Data Set to Grow 10-fold By 2020 As Internet of Things Takes Off, ComputerWeekly.com (Apr. 9, 2014, 1:00 PM), http://www.computerweekly.com/news/2240217788/Data-set-to-grow-10-fold-by-2020-as-internet-of-things-takes-off, archived at https://perma.cc/KGW9-K7DF.

[6] See Internet of Things Community, LinkedIn, https://www.linkedin.com/groups/4662022/profile, archived at https://perma.cc/2CPN-EAXX (last visited Mar. 23, 2016).

[7] Current IoT products are communicating through a variety of communication platforms and standards, including new home automation standards produced by Google (Brillo/Weave) and Apple (HomeKit) that connect each company’s devices in a proprietary communication network.

[8] See Michael Gowan, LG Smart Fridge Spots Spoiled Food, Orders Groceries, NBCNews.com, http://www.nbcnews.com/id/50364798/ns/technology_and_science-tech_and_gadgets/t/lg-smart-fridge-spots-spoiled-food-orders-groceries/#.VvNWzmQrL6c, archived at https://perma.cc/6JXM-ZUY7 (last updated Jan. 4, 2013, 12:46 PM) (explaining how LG’s smart refrigerator connects to the Internet, allowing users to remotely access the refrigerator content list, keep track of their grocery list, and identify out-of-date products stored in it).

[9] See Bernard Marr, Google’s Nest: Big Data And The Internet of Things In The Connected Home, Forbes (Aug. 5, 2015, 10:52 AM), http://www.forbes.com/sites/bernardmarr/2015/08/05/googles-nest-big-data-and-the-internet-of-things-in-the-connected-home/#5a41706b58a1, archived at https://perma.cc/F2SQ-F867 (discussing the Nest thermostat and the usage data uploaded from individual devices via the Internet, which allows Nest to understand energy usage trends across community microcosms and around the world).

[10] See, e.g., A Smart Home Solution That Lives in the Cloud, Comcast, http://corporate.comcast.com/news-information/news-feed/the-future-of-the-home-bringing-the-power-of-the-cloud-to-home-management, archived at https://perma.cc/CR59-UF3J (last visited Mar. 23, 2016) (describing the Xfinity Home technology, which allows users to monitor and control security cameras, smoke detectors, thermostats, lights, and motion sensors through web browsers or Internet connected devices); see also Marr, supra note 9 (discussing how Google is building infrastructure for smart homes of the future that are fully networked by its own devices).

[11] See Daniel H. Wilson, Smart House: Your So-Called Sci-Fi Life, Popular Mechanics (Sept. 30, 2009), http://www.popularmechanics.com/technology/gadgets/a4109/4216434/, archived at https://perma.cc/R3LT-HH69.

[12] See Angela Moscaritolo, Your Printer Can Now Order Ink for You, Thanks to Amazon, PCMag.com (Jan. 19, 2016, 11:35 AM), http://www.pcmag.com/article2/0,2817,2498102,00.asp, archived at https://perma.cc/9HRR-R6MT.

[13] See Brendan O’Brien, The Cloud-Connected Car Drives IoT Monetization, TechCrunch (Oct. 20, 2015), http://techcrunch.com/2015/10/20/the-cloud-connected-car-drives-iot-monetization/, archived at https://perma.cc/7NJJ-VV8K.

[14] See James Stables, Best Fitness Trackers 2016: Jawbone, Misfit, Fitbit, Garmin and More, Wareable (Mar. 7, 2016), http://www.wareable.com/fitness-trackers/the-best-fitness-tracker, archived at https://perma.cc/HF2M-BJU9.

[15] See Elisha Hartwig, 5 Apps to Map Your Bike Route, Mashable (Sept. 11, 2013), http://mashable.com/2013/09/11/bike-route-apps/#nIAaDJ1kfEqZ, archived at https://perma.cc/E8D9-HTHM.

[16] See Matt Swider, Google Glass Review, TechRadar (Feb. 20, 2015), http://www.techradar.com/us/reviews/gadgets/google-glass-1152283/review, archived at https://perma.cc/6NW4-FLK3.

[17] See Lee Moran, Mattel Unveils Talking Hello Barbie Doll, Which Will Have Conversations with Kids, N.Y. Daily News, http://www.nydailynews.com/life-style/mattel-unveils-barbie-talk-kids-article-1.2119732, archived at https://perma.cc/QLJ9-PHRQ (last updated Feb. 18, 2015, 8:18 AM).

[18] See James Vlahos, Barbie Wants to Get to Know Your Child, N.Y. Times Mag. (Sept. 16, 2015), http://www.nytimes.com/2015/09/20/magazine/barbie-wants-to-get-to-know-your-child.html, archived at https://perma.cc/BPV7-HDTD.

[19] See Ashlee Kieler, Mattel Unveils Hello Barbie, a Doll That Can Hold a Conversation, Consumerist (Feb. 17, 2015), https://consumerist.com/2015/02/17/mattel-unveils-hello-barbie-a-doll-that-can-hold-a-conversation/, archived at https://perma.cc/24CB-PK44.

[20] See id.

[21] Mattel and ToyTalk responded to these concerns by confirming that the recorded conversations will not be used to advertise or market products to children, further nothing that parental consent is required to set up a Hello Barbie account. Also, interestingly, parents can listen to their child’s recorded conversations and delete all recorded conversations. Additionally, ToyTalk states that it will only use the recordings to improve its speech recognition technology. See Privacy Policy, ToyTalk, https://www.toytalk.com/legal/privacy/, archived at https://perma.cc/Z8K8-2DRS (last updated Jan. 11, 2016). Mattel does seem to obtain data that it can use to market other products, and it does so with a parent’s consent when they use Mattel’s websites and apps. See Mattel Online Privacy Statement and Children’s Privacy Statement, Mattel, http://corporate.mattel.com/privacy-statement-shared.aspx, archived at https://perma.cc/QSV6-SXAV (last updated Apr. 9, 2014).

[22] See Press Release, Fed. Trade Comm., FTC Halts Computer Spying (Sept. 25, 2012), https://www.ftc.gov/news-events/press-releases/2012/09/ftc-halts-computer-spying, archived at https://perma.cc/R5XS-6DPR; see also David Kravets, Rent-to-Own Laptops Secretly Photographed Users Having Sex, FTC Says, Wired (Sept. 25, 2012, 6:11 PM), http://www.wired.com/2012/09/laptop-rental-spyware-scandal/, archived at https://perma.cc/NQV4-6HQP.

[23] See Kravets, supra note 22.

[24] See Complaint at 3–4, FTC v. Designerware, LLC., Kelly, & Koller (2012), https://www.ftc.gov/sites/default/files/documents/cases/2012/09/120925designerwarecmpt.pdf, archived at https://perma.cc/96PJ-YVVP.

[25] See id.; see also Kravets, supra note 22.

[26] See Accenture, supra note 4, at 3–4 (noting some reports indicate that over 28% of consumers will own wearable IoT technology by the end of 2016).

[27] See, e.g., Fitbit App, Fitbit, https://www.fitbit.com/app, archived at https://perma.cc/5WER-PS9L (last visited Mar. 23, 2016).

[28] See Murray Grigo-McMahon, My Data, Your Data, Our Data, Qlik (July 6, 2015), http://global.qlik.com/us/blog/posts/murray-grigo-mcmahon/my-data-your-data-our-data?SourceID1=SocialChorus&__2hqwt_=2hqwt, archived at https://perma.cc/V479-N3CU.

[29] Fitbit is an extremely popular wearable fitness tracker.

[30] See Kate Crawford, When Fitbit is the Expert Witness, The Atlantic (Nov. 19, 2014), http://www.theatlantic.com/technology/archive/2014/11/when-fitbit-is-the-expert-witness/382936/, archived at https://perma.cc/AW5G-5NY2.

[31] See id.

[32] See id.

[33] See Brett Hambright, Woman Staged ‘Rape’ Scene with Knife, Vodka, Called 9-1-1, Police Say, Lancaster Online (June 19, 2015, 2:57 PM), http://lancasteronline.com/news/local/woman-staged-rape-scene-with-knife-vodka-called–/article_9295bdbe-167c-11e5-b6eb-07d1288cc937.html, archived at https://perma.cc/YY5M-QEXF.

[34] See Kashmir Hill, Fitbit Data Just Undermined a Woman’s Rape Claim, Fusion (June 29, 2015), http://fusion.net/story/158292/fitbit-data-just-undermined-a-womans-rape-claim/, archived at https://perma.cc/2J6W-BYAT.

[35] See Kashmir Hill, Google Glass Will Be Incredible for the Courtroom, Forbes (Mar. 15, 2013, 5:02 PM), http://www.forbes.com/sites/kashmirhill/2013/03/15/google-glass-will-be-incredible-for-the-courtroom/#604082cd36eb, archived at https://perma.cc/2QCU-NAYZ.

[36] See Adam Satariano, Wear This Device So the Boss Knows You’re Losing Weight, Bloomberg (Aug. 21, 2014, 1:26 PM), http://www.bloomberg.com/news/articles/2014-08-21/wear-this-device-so-the-boss-knows-you-re-losing-weight, archived at https://perma.cc/GS3Y-KXF6.

[37] See Patrick Brady, Prosecution Rest in LA Road Rage Rase. Defense Will Call Witnesses Monday, VeloNews (last updated Nov. 3, 2009, 7:00 PM), http://velonews.competitor.com/2009/10/news/prosecution-rest-in-la-road-rage-case-defense-will-call-witnesses-monday_99537, archived at https://perma.cc/87G9-KLSP.

[38] See Conor Friedersdorf, An Unprecedented Threat to Privacy, The Atlantic (Jan. 27, 2016), http://www.theatlantic.com/politics/archive/2016/01/vigilant-solutions-surveillance/427047/, archived at https://perma.cc/NL4V-AJKA (discussing how one private company has taken approximately 2.2 billion license-plate photos to date, and each month it captures and permanently stores nearly 80 million more geotagged images).

[39] See id.

[40] See David Sirota, Companies Test Their First Amendment Right to Track you, Or. Live, http://www.oregonlive.com/opinion/index.ssf/2014/03/companies_test_their_first_ame.html, archived at https://perma.cc/VZ8R-K7QS (last updated Mar. 8, 2014, 7:10 AM).

[41] See What Should I Know About Sleep Tracking?, Fitbit, https://help.fitbit.com/articles/en_US/Help_article/Sleep-tracking-FAQs, archived at https://perma.cc/KB2D-MZMW (last updated Mar. 7, 2016).

[42] See id.

[43] The wearable fitness device market includes Nike Fuelband, Fitbit, Withings Pulse, and Jawbone Up, among others. A number of companies have also developed fitness apps that interact with these wearable devices and collect the user data they create. Fitbit lists over 30 apps that are compatible with the Fitbit device. See Compatible Apps, Fitbit, https://www.fitbit.com/partnership, archived at https://perma.cc/P2L9-TNE4 (last visited Mar. 25, 2016).

[44] See, e.g., Cisco Connected Transportation, http://www.cisco.com/c/en/us/solutions/industries/transportation.html, archived at https://perma.cc/548E-TPXF (last visited March 25, 2016).

[45] An EDR is “a device or function in a vehicle that records the vehicle’s dynamic time-series data during the time period just prior to a crash event (e.g., vehicle speed vs. time) or during a crash event . . . intended for retrieval after the crash event.” 49 C.F.R. § 563.5 (2015). Telematics refers to data collection transmission, and processing technologies for use in vehicles.

[46] See Alice Truong, Tesla Just Transformed the Model S into a Nearly Driverless Car, Quartz (Oct. 14, 2015), http://qz.com/524400/tesla-just-transformed-the-model-s-into-a-nearly-driverless-car/, archived at https://perma.cc/J439-T5JZ; Cadie Thompson, There’s One Big Difference Between Google and Tesla’s Self-driving Car Technology, Tech Insider (Dec. 5, 2015, 12:00 PM), http://www.techinsider.io/difference-between-google-and-tesla-driverless-cars-2015-12, archived at https://perma.cc/RED9-CQTZ; Feann Torr, Next-gen Audi A8 Drives Better Than You, Motoring (Oct. 22, 2014), http://www.motoring.com.au/next-gen-audi-a8-drives-better-than-you-46963/, archived at https://perma.cc/UFL4-76FG; Tom Risen, Report: Uber, Lyft Poised to Win on Driverless Cars, U.S. News & World Rep. (Nov. 13, 2015, 4:05 PM), http://www.usnews.com/news/articles/2015/11/13/report-uber-lyft-poised-to-win-on-driverless-cars, archived at https://perma.cc/3HPV-8RJ9.

[47] See Russell Hotten, Volkswagen: The Scandal Explained, BBC News (Dec. 10, 2015), http://www.bbc.com/news/business-34324772, archived at https://perma.cc/8YKM-6W5W.

[48] See Kashmir Hill, Florida Woman’s Car Calls Police After She Flees the Scene of an Accident, Fusion (Dec. 7 2015, 11:46 AM), http://fusion.net/story/242193/womans-car-calls-police/, archived at https://perma.cc/JDE6-SDST.

[49] See id.

[50] See id.

[51] See Kashmir Hill, Hertz Puts Cameras in Its Rental Cars, Says It Has No Plans to Use Them, Fusion (Mar. 13, 2015, 1:46 PM), http://fusion.net/story/61741/hertz-cameras-in-rental-cars/, archived at https://perma.cc/85TF-DDUM.

[52] See id.

[53] Fed. R. Civ. Pro. 34, advisory committee’s note on 2006 amendments.

[54] Strava is a running and cycling GPS tracker. See generally Strava, https://www.strava.com/about, archived at https://perma.cc/9F99-EWPY (last visited Mar. 21, 2016).

[55] See Crawford, supra note 30.

[56] See What Should I Know About Sleep Tracking?, supra note 41.

[57] See Fed. R. Evid. 702.

[58] See U.S. Const. amend. VI.

[59] See Harish Nivas, How Internet of Things is the Next Big Industrial Revolution, IOTWorm (Jan. 23, 2016), http://iotworm.com/internet-of-things-next-big-industrial-revolution/, archived at https://perma.cc/JD9Y-T64S.

"Connected" Discovery: What the Ubiquity of Digital Evidence Means for Lawyers and Litigation

By

On April 1, 2016

In Article

Gottehrer Publication Version PDFpdf_icon 

 

Cite as: Gail Gottehrer, “Connected” Discovery: What the Ubiquity of Digital Evidence Means for Lawyers and Litigation, 22 Rich. J.L. & Tech. 8 (2016), http://jolt.richmond.edu/v22i3/article8.pdf.

Gail Gottehrer

I. Introduction

[1]       More than ten years ago, the Zubulake case[1] raised awareness of the importance of digital evidence in litigation. At that time, for many lawyers, the discovery process consisted of collecting paper documents, manually reviewing those paper documents, and responding to document requests by producing paper documents. Digital evidence existed, but was more limited in scope and volume than it is today. Back then it was often overlooked or not recognized as a potential source of valuable evidence to be obtained in discovery.

[2]       In the post-Zubulake era, the ways in which companies and individuals create and maintain information have changed dramatically. Many types of documents that were traditionally created on paper and stored in hard-copy now never exist on paper. Instead, they are created on computers or other digital devices and stored in e-mail archives, on backup tapes, or in the cloud. Business and personal communications that once took place via letters and faxes are now transmitted through e-mails and text messages. Microsoft Excel files replaced handwritten accounting ledgers. Medical records are routinely created and stored electronically, making the paper medical file a thing of the past. Carbon copy secretarial message books with tear-away message slips are replaced by programs that transcribe voicemail messages and deliver them to the recipient by e-mail. Designs are created and maintained in CAD files rather than drawn on paper. Many businesses advertise primarily, if not exclusively, on social media and the Internet and little, if at all, through paper mailings. Employees traded in paper calendars and address books for electronic schedulers, using programs and applications that reside on their computers and mobile phones.

[3]       The prevalence of digital information, and the corresponding decline in the use of paper for the creation and storage of information, profoundly affected litigation, including discovery and trials. The “documents” and information that are requested and produced in discovery are overwhelmingly electronic documents and data. Electronically created and stored information is being used in depositions, to support motions, and at hearings and trials. Given the ways in which technology transforms how people communicate and do business, the “smoking gun” in a case—to the extent one exists—is more likely to be an e-mail, text message or social media post than a tangible document. Knowing how potential sources of digital evidence are created and stored, how to obtain that data in discovery, and how to maximize the value of that information during depositions and at trial are now critical components of the practice of law.

[4]       Digital evidence is so significant in discovery and litigation that it should be acknowledged as being much more than a subset of discovery, often referred to as “e-Discovery.” Existing and emerging technologies provide digital evidence that can shape the outcome of a case or investigation. Digital evidence from a wide range of technologies finds its way into civil and criminal litigation in the United States and other countries, with dramatic results. Digital evidence is poised to take on an even greater role in litigation as the Internet of Things continues to grow,[2] autonomous vehicles become commonplace,[3] industrial business operations incorporate drones,[4] and blockchain revolutionizes banking.[5]

[5]       This article discusses some of the reported cases in which digital evidence was the subject of motion practice, was introduced at trial, and was a determining factor in a case. It is not an exhaustive look at all the cases that have been affected by digital evidence, or all the kinds of technology that generate data relevant to legal proceedings. A review of the cases in this article, however, is sufficient to dispel any doubt about the importance of digital evidence and to confirm the magnitude of its impact on the practice of law. 

II. Connected Devices

A. Telematics Devices

 [6]       Telematics devices are wireless devices, typically installed in personal vehicles or fleet vehicles. They collect data on how the vehicle is being operated, if the vehicle crashes or an airbag is deployed, and when maintenance is needed.[6] These devices transmit that data from the vehicle to an entity, such as an insurance company or a fleet owner, in real time.[7]

[7]       Telematics data led to the criminal conviction of a driver in the United Kingdom who was involved in a hit and run accident that resulted in the death of a pedestrian in 2014.[8] Police experts analyzed data from the telematics device Omar Tariq was driving at the time of the accident, which showed that he was speeding—driving more than 20 miles over the posted speed limit.[9] Confronted with that evidence, Tariq pled guilty to causing a death by dangerous driving and was sentenced to more than three years in prison.[10]

[8]       In the United States, data from a Progressive Insurance telematics device helped a Cleveland, Ohio father persuade a jury that he was not guilty of murder.[11] Michael Beard was accused of suffocating his infant daughter on May 8, 2011 at 4:45 a.m., after he finished his shift working as a nursing aide.[12] Counsel introduced data from the Snapshot telematics device in his car at trial, and showed that Beard had turned the car off in front of the child’s house “at 4:44 a.m. and turned it back on three minutes later.”[13] After deliberating for an hour, the jury found that Beard was not guilty of the crime.[14]

[9]       Important leads in another criminal matter came from data from the UConnect telematics system in a stolen Jeep Renegade.[15] That evidence, in combination with footage from a Nest home security camera in the Jeep owner’s house, led to an arrest and assisted police in identifying the other thieves.[16] When a group of teenagers broke into the house of a Baltimore man, their faces were caught on the Nest camera in the house, which led to the arrest of one of the thieves.[17] He refused to identify his accomplices, who also stole the homeowner’s Jeep.[18] When the homeowner got his Jeep back, he noticed three new device names on the Jeep’s UConnect system paired device list.[19] The homeowner matched one of the device names to an Instagram account of a teenager who appeared to match one of the individuals seen on the Nest footage.[20] The homeowner also noticed that one of the names on the Instagram account’s contacts matched one of the phones on the list on the UConnect System.[21] This digital evidence gave Baltimore police several leads in the case.[22]

[10]     On the civil side, data from a telematics device enabled a driver in the United Kingdom to successfully challenge a speeding charge by contradicting the evidence that allegedly supported it.[23] Police charged Neil Herron with driving 10 miles over the posted speed limit.[24] Herron insisted that he had not been speeding.[25] At the time of the alleged speeding incident, Herron had been conducting a trial of a telematics device in his car.[26] The data from that device enabled Herron to prove that the car had been traveling far below the speed limit, as he had claimed.[27]

B. GPS Navigation Systems

[11]     Data from a GPS device[28] introduced in a criminal non-jury trial led to the conviction of a New Jersey man for second degree murder for intentionally running over a twelve year old girl.[29] Prosecutors alleged that George Ford killed the girl to prevent her from reporting what had happened to her when he was alone with her in the hours before her death.[30] Ford contended that he had hit the girl by accident after showing her horses he had in a pasture near Binghamton.[31] The critical evidence came from a GPS device that Ford’s estranged wife placed in his vehicle when she suspected he was having an affair.[32] When she provided the GPS device to the police, the data from the device showed that Ford had not been at the pasture and had spent the hours before the girl’s death behind an abandoned farmhouse half a mile from where she was killed.[33]

[12]     Similarly, in State v. Jackson, data from a GPS device installed by police proved to be key evidence leading to the conviction of defendant William Jackson for the murder of his daughter.[34] Jackson told police that his daughter had been kidnapped on her way to school.[35] After a search of Jackson’s house and truck failed to yield any evidence, police obtained a warrant and put a GPS tracking device in his truck.[36] Data from the GPS device led police to a storage unit, an empty grave near a logging road and a new grave where the girl was buried.[37] Based largely on the GPS data connecting Jackson to the body and its burial and reburial sites, the court convicted Jackson of murder and sentenced him to fifty-five years in prison.[38] The conviction was affirmed by the Washington Supreme Court.[39]

[13]     Ironically, in the case of a Wisconsin man, the evidence used to convict him of stalking his former girlfriend was the data from the GPS device he himself had used to commit the crime.[40] Paul Seidler previously installed a GPS tracking device on his ex-girlfriend’s car that tracked the car’s location and reported it to him by cellphone or computer through the Internet.[41] Seidler used the data to follow his ex-girlfriend.[42] Prosecutors used the data to support their case against him, describing the GPS device as “the best witness.”[43]

[14]     GPS data is also used as evidence in civil cases, such as the wrongful termination action brought by a cable company employee against his former employer, Pacific Bell Telephone Company.[44] Pacific Bell terminated Blake Smith’s employment after an investigation into the theft of his work truck led the company to conclude that Smith had failed to safeguard company property and that he had lied during the investigation into the theft.[45] Smith claimed he parked the truck, took the keys out of the ignition, and locked the truck.[46] A significant factor in Pacific Bell’s determination that Smith was lying was the data obtained from the GPS technology in the truck, which revealed that the truck was idling when it was stolen.[47] In an affidavit filed in support of its motion for summary judgment, Pacific Bell explained that the GPS technology in its trucks generates a report in a Microsoft Excel spreadsheet that records various data, including the time and location of every vehicle, each time the ignition is turned on or off, the time and location of the vehicle every seven seconds, and the time and location of the vehicle every one mile it is driven.[48] The Court ultimately granted Pacific Bell’s motion for summary judgment.[49]

C. Wearables[50]

 [15]     Digital evidence from wearable fitness trackers will play a role in a pending criminal case in Pennsylvania and a pending civil case in Canada. In West Chester, Pennsylvania, police arrested defendant Jeannine Risley when data from her Fitbit showed she lied to police when she reported she was assaulted.[51] Risley told the police officers responding to her 911 call that she was sleeping until around midnight, when she awoke to find a man on top of her.[52] She alleged that the man assaulted and raped her.[53] An examination of data from the Fitbit she wore that night, however, contradicted her claims.[54] The Fitbit data showed that Risley was awake and walking around at the time she claimed she was sleeping and ultimately assaulted.[55] Risley now faces trial on three misdemeanor counts including knowingly filing a false police report.[56]

[16]     On the civil side, a Canadian law firm is planning to use Fitbit data as evidence in a personal injury case to prove the effect that a car accident had on their client.[57] The accident victim, injured years before Fitbits were available, was a personal trainer and led an active lifestyle before the accident.[58] To support the plaintiff’s claim that her activity level is impaired by the accident, her lawyers intend to run data from the Fitbit she currently wears through an analytics platform which uses publicly available research to compare a person’s activity data with that of the general population.[59] Her lawyers expect the data to show that their client’s activity levels are now below average for a woman of her age and profession, as a result of the injuries she sustained in the accident.[60]

D. Dashboard Cameras and Red Light Traffic Cameras 

[17]     Data from dashboard video cameras and government operated traffic cameras is effective in both civil and criminal cases. Evidence from an onboard video camera, in addition to cell phone records, led to an Alabama jury awarding nearly $1.3 million to a driver who was severely injured in a crash caused by a truck driver who was distracted by a work-related phone call at the time of the accident.[61] At trial, the jury saw video footage from a camera that was in the school bus with which Michael Duey collided.[62] Additional digital evidence from cell phone records from the truck driver Gregory Moore, whose negligence caused the collision, showed Moore was on a business call at the time of the accident.[63] Based on this data, the jury found Moore and his employer liable for the damages incurred by Duey.[64]

[18]     In a criminal case in California, the court convicted Carmen Goldsmith of failing to stop at a red light in an intersection, based on photos and video generated by a red light traffic camera system.[65] At trial, a police investigator testified that this computer based digital camera system records events that occur in an intersection after the traffic light turns red, and stores the information on the hard disc of a computer at the scene.[66] Technicians retrieve the data during the day via an Internet connection.[67] The system records and produces three photos and a twelve-second video.[68] The photos show the vehicle approaching the intersection before the violation, then the vehicle within the intersection turning right or going through the intersection, and finally the vehicle’s license plate.[69] The system puts a data bar on all three photos showing the date, time, location and amount of time the traffic light was red at the time of the photo.[70] In this case, the video shows the vehicle approaching the intersection and moving through it.[71] The Appellate Division of the Superior Court, the Court of Appeals, and the California Supreme Court all affirmed Goldsmith’s conviction. In response to Goldsmith’s claim that the camera evidence was not adequately authenticated, the Supreme Court explained that it frequently approved the “substantive use of photographs as essentially a ‘silent witness’ to the content of the photographs,” because to “hold otherwise would illogically limit the use of a device whose memory is without question more accurate and reliable than that of a human witness.”[72]

E. Event Data Recorders

[19]     Data from event data recorders, also known as black boxes, proves to be important evidence in criminal cases. In Commonwealth v. Zimmerman, the Massachusetts Appellate Court held that the trial judge properly admitted evidence taken from the event data recorder (EDR[73]) in the defendant’s car, which contributed to her conviction for motor vehicle homicide.[74] Michelle Zimmerman lost control of her SUV and it spun, sliding off the road, hitting a tree, and resulting in the death of the passenger in the front seat of her vehicle.[75] At the time of the accident, road conditions were poor, with both rain and snow.[76] The police accident investigator found there was probable cause to believe that “evidence of this crime would be found in the EDR.”[77] While Zimmerman claimed she was driving between 20 and 30 miles per hour, the data from the EDR in her vehicle showed that five seconds before the accident, she was driving at 58 miles per hour.[78] Zimmerman was charged with and convicted of operating her vehicle at a rate of speed that was not reasonable or prudent and criminally negligent operation of a vehicle.[79]

[20]     In Matos v. State, the Florida District Court of Appeal affirmed the conviction of Edwin Matos on two counts of vehicular manslaughter where the key issue in the case–the speed at which Matos had been driving–was established by the prosecution through data from an EDR.[80] Matos collided with another vehicle, killing two teenage girls.[81] Data from the EDR in Matos’s car showed he was driving at a 114 miles per hour (in a 30 mile per hour zone) four seconds before the crash, and 103 miles per hour within one second after the crash.[82] The defense’s expert estimated the car’s speed at only 56.91 miles per hour.[83] Data from the EDR helped the court to convict Matos.[84]

[21]     Similarly, in People v. Hopkins, data from the air bag module in the defendant’s car helped prosecutors establish “a prima facie case of depraved indifference murder” and defeat the defendant’s motion to dismiss the indictment.[85] The air bag module data showed that at the time of impact, the defendant’s vehicle was going between 65 and 70 miles per hour; that five seconds before impact, the defendant’s car was travelling at 104 miles per hour; and that three to four seconds before impact, the vehicle was going 106 miles per hour.[86] The posted speed limit in the area was 30 miles per hour.[87] The data further showed that the defendant did not apply the brakes until two and a half to three second before he crashed into the line of cars stopped at a red light.[88]

F. E-Z Pass Transponders

[22]     The E-Z Pass system, implemented in toll plazas in sixteen states, collects data used by both prosecutors and defendants in states like New Jersey. In S.S.S. v. M.A.G., a New Jersey appellate court reversed the lower court’s entry of a final restraining order in a domestic violence case and remanded the case for a new trial due to the improper exclusion of E-Z Pass evidence.[89] In this case, a woman alleged her former boyfriend picked her up at her school at Rutgers-Newark at 9 A.M., assaulted her at a Jersey City motel at 9:30 A.M., and returned her to her school at 10 A.M.[90] The defendant denied this and claimed that nothing had happened.[91] In addition to a letter from his employer stating he had been at work from 8:35 A.M. until 5 P.M., he also offered data from E-Z Pass transponder records, showing that he crossed the Bayonne Bridge in to Brooklyn at 8:16 A.M. that day.[92] The defendant argued that he could not have crossed the bridge into Brooklyn at 8:16 A.M., gotten to work at 8:35 A.M., and been in Newark at 9 A.M.[93] The appellate court found that in this he-said-she-said dispute, where no witnesses could be called or exhibits introduced, the E-Z Pass transponder evidence was critical to the defense and its exclusion on hearsay grounds was improper.[94]

[23]     In State v. McGuire, the prosecutor introduced E-Z Pass transponder data against Melanie McGuire, a New Jersey woman accused of killing her husband, cutting up his body, and disposing of it in suitcases in Virginia.[95] The prosecution introduced the evidence to support the allegation that she traveled from her home to Atlantic City in order to create false evidence showing that her husband was still alive and in the Atlantic City area.[96] McGuire had called E-Z Pass customer service trying to get them to remove two forty-five cent charges showing her traveling near Atlantic City, which she claimed were incorrect.[97] The prosecution also introduced E-Z Pass evidence from the vehicles of McGuire and her parents.[98] This data, in combination with the state’s case, suggested that on May 3, McGuire picked up her kids from day care, dropped them off with her parents, and then returned to her house to get the suitcases containing her husband’s body and travel to Delaware and Virginia to dump them.[99]

III. Social Networking Sites

[24]     Not only does the widespread use of social networking sites create new ways for individuals and businesses to communicate, but it also creates a treasure trove of relevant data for civil and criminal litigation. For example, in Reid v. Ingerman Smith LLP, Reid sued her employer and Mary Anne Sadowski for damages resulting from alleged sexual harassment by Sadowski.[100] Defendants sought production of postings and photographs from private portions of Reid’s Facebook account, arguing that since postings and photographs on the public portions of her account contradicted her claims in the lawsuit, the private portions may also contain relevant information.[101] After reviewing the public postings, the Court found them to be probative evidence of Reid’s mental and emotional state, and concluded that her private postings may also contain relevant information that reflected her emotional state.[102] The Court also found that postings by third parties about Reid’s social activities were discoverable, as they could be relevant to her claims of emotional distress and loss of enjoyment of life, and could reveal the names of potential witnesses in the case.[103] Reid was ordered to produce social media postings and photographs that “reveal[ed], refer[ed], or relate[d] to any emotion, feeling or mental state… [and] relate[d] to events that could be reasonably expected to produce a significant emotion, feeling or mental state,” including posts made by third parties that contain their observations of Reid and Reid’s responses to those posts.[104]

[25]     Similarly, in Romano v. Steelcase, Inc., the court required the plaintiff to provide the defendant with access to her Facebook and MySpace pages and accounts, as they were deemed to contain information relevant to her damages claims and to the extent of her alleged injury, including her claim for loss of enjoyment of life.[105] The plaintiff alleged that she was permanently injured as a result of the accident and could not participate in certain activities due to her injuries.[106] The defendant argued that information on the public pages of plaintiff’s Facebook and MySpace pages showed her to have an active lifestyle, and that one account contained a photo of the plaintiff smiling outside her home–even though she claimed that she was bedridden and confined to her house as a result of her injuries.[107] The contradictions between the information on the public portions of these social media sites and plaintiff’s claims in her lawsuit led the Court to find it was reasonably likely that the private portions of those sites may contain additional information relating to her activities and enjoyment of life, which were relevant and material to the defense of the case.[108]

[26]     In Held v. Ferrellgas, Inc., a recent employment discrimination and retaliation case, the Court found that data from the online job search engines that the plaintiff had used were relevant and had to be produced.[109] Defendants argued that any job searches conducted during the course of plaintiff’s employment related to his commitment to his job, his perspective on the working environment at the company, and any emotional distress he allegedly suffered.[110] Searches conducted after his employment ended, defendants contended, related to plaintiff’s alleged emotional distress, actual damages and attempts to mitigate his alleged damages.[111] The court ultimately agreed with the defendants.[112]

[27]     Being equally probative in criminal matters, postings and communications on Facebook played a role in the conviction of several men on terrorism conspiracy charges in U.S. v. Hassan.[113] The prosecution used the defendants’ Facebook postings and communications to demonstrate their violent tendencies and commitment to terrorism.[114] At trial, the prosecution’s evidence included messages posted by one defendant on Facebook promoting his radical Jihadist beliefs; another defendant’s postings on Facebook and other social media sites that demonstrated his belief in violent jihad and his willingness to further violent causes; and information showing that the second defendant had asked someone to delete the postings that related to his violent ideology.[115] The defendants were convicted of conspiracy to provide material support to terrorists and other charges.[116] Their convictions were affirmed by the Fourth Circuit Court of Appeals.[117]

IV. Text Messages and Tweets 

[28]     Digital evidence played a central role in the criminal trial of Dharun Ravi, a Rutgers college student charged with witness tampering, invasion of privacy, and bias intimidation arising from his activation of a webcam to watch his roommate’s date with a man in their dorm room.[118] The evidence of Ravi’s witness tampering included a series of text messages he sent to fellow Rutgers student Molly Wei while police interviewed her.[119] Those texts showed that Ravi tried to influence what Wei told the police about their spying on his roommate.[120] In one text message, Ravi wrote: “Did you tell them we did it on purpose? What did you tell them when they asked why we turned it on? I said we were just messing around with the camera.”[121] After the trial, where Ravi was convicted of witness tampering, one juror stated that Ravi’s texts convinced her that he had tampered with a witness.[122]

[29]     Texts and tweets were also important evidence introduced at trial in connection with the invasion of privacy and bias intimidation charges.[123] In a Tweet from Ravi to another student, he wrote: “Roommate asked for the room. I went to Molly’s room and turned on my webcam I saw him making out with a dude. Yay.”[124] In another Tweet, Ravi invited others to view video of his roommate during another date with the same man, saying “[a]nyone with iChat I dare you to video chat me between hours of 9:30 and 12. Yes it’s happening again.”[125] In an attempt to persuade the jury that he was not biased against gay people, Ravi’s attorney introduced a text Ravi sent to his roommate where Ravi wrote “I’ve known you were gay and I have no problem with it. In fact one of my closest friends is gay and I have a very open relationship.”[126] The jury found Ravi guilty on those charges as well.[127]

V. Blogs and Chat Rooms 

[30]     Litigants also rely on blog entries and chat room transcripts to support their claims in civil cases. Portions of a blog were among the evidence a father used to support his motion for a new trial in a divorce case, after a Louisiana trial court awarded domiciliary custody of his minor son to his ex-wife.[128] The father unsuccessfully relied on pages of his ex-wife’s blog to argue that she may have had a relationship with another man during the couple’s separation, despite having denied that she was in a relationship during the trial.[129] He further argued that his ex-wife’s blog entries showed she spent an excessive amount of time on the Internet rather than taking care of her child, and that she hated his parents because she accused them of cyberstalking her by reading her blogs.[130] The trial judge stated that while the Internet statements were evidence that could have been used to impeach the ex-wife’s credibility during the divorce proceeding, the statements occurred after the trial and were not made under oath, and therefore, did not provide the basis for a new trial.[131] The Court also noted that, more generally, it was not clear that the statements would be evidence that was important to the case.[132] The appellate court affirmed the trial court’s order.[133]

[31]     Conversely, other courts have found chat room transcripts to be relevant evidence. In Glazer v. Fireman’s Fund Insurance Company, the plaintiff was ordered to produce copies of all her chats from LivePerson, a website offering online advice and professional consulting services, including sessions with online psychics.[134] Glazer chatted with the online psychics on numerous occasions, and e-mailed portions of some of those online chats to her work e-mail account.[135] When she sued Fireman’s Fund for allegedly retaliating against her after “she complained about discrimination against non-African Americans and [ultimately terminating] her because of her religion,” Fireman’s Fund reviewed the excerpts of the chats and sought to obtain the transcripts of all chats in discovery.[136] Based on a review of the excerpts, the Court agreed with Fireman’s Fund that all the chats appeared to be relevant to one or more issues in the case—such as Glazer’s work performance, her relationships with her co-workers, her opinions about how she was treated during her employment at the company, her emotional state before, during, and after her employment, the steps she took to mitigate her damages, and her personal beliefs about African Americans—and allowed them to be discoverable.[137]

VI. E-mails

[32]     While there is a myriad of other digital evidence sought in building cases, perhaps the most frequently sought and used form of digital evidence is e-mail. In Arroyo v. Volvo Group North America, LLC, a military service discrimination and disability discrimination case, e-mail evidence led to the reversal of an order granting summary judgment to Volvo.[138] The Court found that e-mails sent between Volvo employees could lead a reasonable jury to conclude that Volvo had anti-military animus against Arroyo, and discriminated against her because she had post-traumatic stress disorder.[139] The Seventh Circuit Court of Appeals found that the District Court underestimated the “strength of the emails as support for Arroyo’s case.”[140]

[33]     In those e-mails, Volvo supervisors expressed frustration with Arroyo’s taking time off from work for military service, writing “are we required to give her the day before and day after for travel?” and “I find myself with a dilemma if I were to discipline a person for taking too much time off for military reserve duty․ I certainly give her credit for serving our country but of course I am also responsible for our business needs.”[141] During Arroyo’s deployment to Iraq, her supervisor sent an e-mail to Volvo’s head of labor relations complaining that Arroyo had contacted him only once since she deployed, stating that for scheduling purposes, “it would be beneficial for us to know her status.”[142] Responding to that concern, the head of labor relations wrote in another e-mail that “[u]nfortunately, there isn’t a lot we can do. Per the law we have to wait for her. Sorry it isn’t what you wanted to hear.”[143]

[34]     Internal e-mails from Volvo personnel also provided support for Arroyo’s disability discrimination claim.[144] One such e-mail showed that Volvo considered disciplining Arroyo for being absent while she was hospitalized for her post-traumatic stress disorder, even though she previously advised Volvo of her disabling condition.[145] In another e-mail, one of Arroyo’s supervisors joked about her absence, writing that there were “several rumors for [Arroyo’s] not being here,” including that “[s]he’s on vacation in Hawaii.”[146] In yet another e-mail, a Volvo employee opined that Arroyo was “really becoming a pain with all this.”[147] 

VII. Conclusion 

[35]     Digital evidence has disrupted discovery, civil and criminal litigation, and the practice of law. Advances in technology radically changed the way in which information is created, transmitted, preserved, and accessed–as well as the way in which potential litigants communicate. Technological innovation altered the types of claims that are litigated, the way in which they are litigated, and the kinds of evidence that must be used to support and undercut those claims.

[36]     There is no turning back. The days of document production consisting primarily of paper and of hard-copy trial exhibits sitting on easels in front of juries are behind us. When asked to find information about an opposing party, the initial inclination of lawyers who have recently graduated from law school and entered the practice of law will be to check social media to obtain information about that party. To investigate the allegations in a complaint, these lawyers’ first instinct will be to search the e-mails on the client’s office computer and their messages on cell phones and tablets. All lawyers must acknowledge that digital evidence plays an important role in litigation. Those who fail to understand the relevance of technology and digital evidence to the practice of law do so at their—and their clients’—peril.

[37]     The cases discussed in this Article illustrate why lawyers need to stay abreast of changes in technology and be knowledgeable about sources of data they create.[148] To competently and effectively represent their clients, lawyers need to know which digital evidence may be relevant in a particular case, what they should request from the opposing party in discovery, the proper way in which to craft those requests, how to confirm that what they received is what they requested, how to use digital evidence in depositions, as well as how to authenticate digital evidence at trial and overcome potential objections to its admissibility.

[38]     As the widespread adoption of new technology continues, and more companies, industries, and governmental entities recognize the transformative power of big data and analytics, the volume of data that will be relevant in litigation will increase exponentially. The frequency with which digital evidence will be used in litigation, in government investigations and administrative proceedings, and at civil and criminal trials will soar. It will become clear to lawyers and clients that gaining competence, if not expertise, in the use of digital evidence is not a necessary evil, but a way to enhance the litigation strategy for a case and to increase the likelihood of a successful resolution. The ubiquity of digital evidence means that litigation and data are inextricably intertwined and that mastering “connected” discovery and maximizing the value of digital evidence are critical skills for today’s lawyers.

 

 

[1] See Zubulake v. UBS Warburg, 220 F.R.D. 212, 214 (S.D.N.Y. 2003) (stating “Electronic evidence only complicates matters. As documents are increasingly maintained electronically, it has become easier to delete or tamper with evidence (both intentionally and inadvertently) and more difficult for litigants to craft policies that ensure all relevant documents are preserved. This opinion addresses both the scope of a litigant’s duty to preserve electronic documents and the consequences of a failure to preserve documents that fall within the scope of that duty.”).

[2] See Internet of Things: Privacy and Security in a Connected World Fed. Trade Comm’n i (2015), https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf, archived at https://perma.cc/44WA-JH2N.

[3] See The Driverless Cars Are Coming Sooner than You Think, Classifiedleaks, (Oct. 27, 2015, 8:04 AM), http://classifiedleaks.com/driverless-cars-are-coming-sooner-you-think, archived at https://perma.cc/2G36-95AX; see also Catherine Clifford, There Will Be 20 Million Self-Driving Cars on the Road by 2025, Entrepreneur (Dec. 2, 2015), http://www.entrepreneur.com/article/253468, archived at https://perma.cc/7L4C-6Z8P.

[4] See Tim Devaney, Eight Industries that Want to Fly Drones, The Hill (Oct. 25, 2014, 2:43 PM), http://thehill.com/regulation/221788-eight-industries-that-want-to-fly-drones, archived at https://perma.cc/PYG5-YWMD; see also Megan Crouse, Which Industry Uses Drones Most? Manufacturing (July 31, 2014, 9:57 AM), http://www.manufacturing.net/news/2015/07/which-industry-uses-drones-most, archived at https://perma.cc/3M2R-PA9F; Sally French, Drone Delivery Is Already Here — And It Works, MarketWatch (Dec. 15, 2015, 7:32 AM), http://www.marketwatch.com/story/drone-delivery-is-already-here-and-it-works-2015-11-30, archived at https://perma.cc/TH98-ZPH8.

[5] See Jack Bowling & Steve Quinlivan, Bitcoin Blockchain Technology to Revolutionize Financial Services, StarTribune (Jan. 10, 2016, 2:00 PM), http://www.startribune.com/bitcoin-blockchain-technology-to-revolutionize-financial-services/364706851/, archived at http://perma.cc/R8GG-TBWM; see also Dion Hinchcliffe, How Blockchain Is Likely to Transform IT and Business, ZDNet (July 31, 2015), http://www.zdnet.com/article/how-blockchain-is-likely-to-change-it-and-business-forever/, archived at https://perma.cc/9DKA-C799.

[6] See What is Telematics, Fleetmatics, https://www.fleetmatics.com/what-is-telematics, archived at (last visited Mar. 18, 2016); see also Brian Hughes, Why Telematics (Think: Driverless Cars) Is the Future, Entrepreneur (Dec. 18, 2015), http://www.entrepreneur.com/article/252578, archived at https://perma.cc/5WZ5-2C2J.

[7] See Telematics, Gartner, http://www.gartner.com/it-glossary/telematics, archived at https://perma.cc/3A3Z-XRUZ (last visited Mar. 18, 2016).

[8] See Telematics Data Helps Jail Courtesy Car Driver for Hit and Run Collision, FleetNews (Jan. 26, 2016), http://www.fleetnews.co.uk/news/fleet-industry-news/2016/01/26/telematics-data-helps-jail-courtesy-car-driver-for-hit-and-run-collision, archived at https://perma.cc/THN5-SVKM.

[9] See id.

[10] See id.

[11]See Donna J. Miller, With Help from Snapshot Insurance Device, Parma Heights Man Is Cleared of Murdering His 7-Month-Old Daughter, Cleveland.com (July 2, 2013, 3:30 PM), http://www.cleveland.com/metro/index.ssf/2013/07/with_help_from_snapshot_insura.html, archived at http://perma.cc/8FSE-Y34E.

[12] See id.

[13] See id.

[14] See id.

[15] UConnect is a multimedia infotainment system in Chrysler vehicles that integrates with smartphones, has navigation functionality and gives drivers access to physical controls that adjust features from climate control to music preferences. See Lindsay Martell, What Is Chrysler UConnect?, Autotrader (Oct. 2013), http://www.autotrader.com/car-tech/what-is-chrysler-uconnect-215353, archived at https://perma.cc/J287-CYWM.

[16] See Sean Gallagher, Opsec Fail: Baltimore Teen Car Thieves Paired Phones with Jeep UConnect, arstechnica (Feb. 11, 2016, 11:44 AM), http://arstechnica.com/security/2016/02/opsec-fail-baltimore-teen-car-thieves-paired-phones-with-jeep-uconnect/?mc_cid=db1e887d36&mc_eid=664f313ded, archived at https://perma.cc/TU63-3LUG.

[17] See id.

[18] See id.

[19] See id.

[20] See id.

[21] See Gallagher, supra note 16.

[22] See id.

[23] See Telematics Successfully Used to Overturn Speeding Prosecution, FleetNews (Feb. 10, 2015), http://www.fleetnews.co.uk/news/manufacturer-news/2015/10/01/telematics-successfully-used-to-overturn-speeding-prosecution, archived at https://perma.cc/38XF-5NKS.

[24] See id.

[25] See id.

[26] See id.

[27] See Driver Wins Speeding Case Through Telematics, The Driving Instructor Leicester (Oct. 5, 2015), http://www.the-driving-instructor-leicester.co.uk/Blog/uncategorized/driver-wins-speeding-case-through-telematics/, archived at https://perma.cc/YFW8-YKM9; see also supra note 23.

[28] See What Is GPS?, Garmin, http://www8.garmin.com/aboutGPS/index.html, archived at https://perma.cc/PE47-QS93 (stating Global Positioning System (GPS) devices use a “satellite-based navigation system made up of a network of [twenty-four] satellites placed into orbit by the U.S. Department of Defense,” and made available for private use. The satellites transmit signal information to GPS receivers that use the data to determine a vehicle’s location and display it on an electronic map on the device) (last visited Feb. 23, 2016).

[29] See People v. Ford, 935 N.Y.S. 2d 368, 368–69 (NY App. Div. 2011); see also Carly Rothman, N.Y. Judge Convicts Piscataway Man of Killing Baby Sitter, NJ.com (Feb. 19, 2009, 7:08 PM), http://www.nj.com/news/index.ssf/2009/02/ny_judge_convicts_piscataway_m.html, archived at https://perma.cc/T29R-GVDF.

[30] See id.

[31] See id.

[32] See id.

[33] See id.

[34] See State v. Jackson, 46 P.3d 257, 260 (Wash. Ct. App. 2002); see also David A. Schumann, Tracking Evidence with GPS Technology, Wisconsin Lawyer (May 2004), http://www.wisbar.org/newspublications/wisconsinlawyer/pages/article.aspx?Volume=77&Issue=5&ArticleID=810, archived at https://perma.cc/D5PZ-4G8N.

[35] See id.

[36] See id.

[37] See id.

[38] See id.

[39] See Schumann, supra note 34.

[40] See id.

[41] See id.

[42] See id.

[43] Id.

[44] See Smith v. Pac. Bell Tel. Co., 649 F.Supp.2d 1073, 1076 (E.D. Ca. 2009).

[45] See id. at 1079–80.

[46] See id. at 1078.

[47] See id. at 1079–80.

[48] See id. at 1078.

[49] See Smith v. Pac. Bell Tel. Co., 649 F.Supp.2d 1073, 1101–02 (E.D. Ca. 2009).

[50] Wearable devices contain smart sensors and wirelessly connect to smartphones through a web connection. These devices collect and track data about the person who wears them, such as activity level, heart rate, calories burned and sleep patterns. They can also be used to make payments at stores and to alert the wearer about incoming calls and e-mails. Popular types of wearables include fitness trackers, smartwatches, smart glasses, smart clothing and smart jewelry. See Dan Sung, What Is Wearable Tech? Everything You Need to Know Explained, Wareable (Aug. 3, 2015), http://www.wareable.com/wearable-tech/what-is-wearable-tech-753, archived at https://perma.cc/FW2P-NKJY; see also The Wear, Why and How, The Economist (Mar. 14, 2015), http://www.economist.com/news/business/21646225-smartwatches-and-other-wearable-devices-become-mainstream-products-will-take-more, archived at https://perma.cc/8W62-JWAS. Experts have predicted that by 2019, 173.4 million wearable devices will have been shipped worldwide. See Fueled by Growing Demand for Smart Wearables, IDC Forecasts Worldwide Wearable Shipments to Reach 173.4 Million by 2019, IDC (Sep. 14, 2015), http://www.idc.com/getdoc.jsp?containerId=prUS25903815, archived at https://perma.cc/W4NQ-UTMU; see also Dinah Wisenberg Brin, As Wearables Become More Popular, What Is HR’s Responsibility?, Society for Human Resource Management (Feb. 16, 2016), http://www.shrm.org/hrdisciplines/technology/articles/pages/as-wearables-become-more-popular-what-is-hrs-responsibility.aspx?utm_source=SHRM%20HR%20Technology%20_%20PublishThis%20(17)&utm_medium=email&utm_content=February%2016,%202016&MID=01516098&LN=Gottehrer&spMailingID=24737172&spUserID=ODM1OTI3NDQzOTgS1&spJobID=742677018&spReportId=NzQyNjc3MDE4S0#sthash.kFaSjKe3.dpuf, archived at https://perma.cc/K69G-GT27.

[51] A Fitbit is a fitness tracker that allows the wearer to monitor things such as the number of steps taken, distance covered and calories burned. Some versions include an altimeter, which keeps track of the amount of stairs climbed and some include sleep tracking. The Fitbit syncs to the wearer’s Fitbit account through a computer or mobile device and enables the wearer to view the activity data collected by the wearable device. See Robert J. Nelson, Everything You Need to Know About Fitbit, iMore (Jun. 12, 2014, 8:24 AM), http://www.imore.com/everything-you-need-know-about-fitbit, archived at https://perma.cc/UD9A-GUD8; see also Brett Hambright, Woman Staged ‘Rape’ Scene with Knife, Vodka, Called 9-1-1, Police Say, Lancasteronline.com (Jun. 19, 2015), http://lancasteronline.com/news/local/woman-staged-rape-scene-with-knife-vodka-called–/article_9295bdbe-167c-11e5-b6eb-07d1288cc937.html, archived at https://perma.cc/4WQD-9EHZ.

[52] See Hambright, supra note 51.

[53] See id. 

[54] See id.

[55] See id.

[56] See id.

[57] See Parmy Olson, Fitbit Data Now Being Used in the Courtroom, Forbes (Nov. 16, 2014, 4:10PM), http://www.forbes.com/sites/parmyolson/2014/11/16/fitbit-data-court-room-personal-injury-claim/#67483e2a209f, archived at https://perma.cc/JAX9-G8UW.

[58] See id. 

[59] See id.

[60] See id. 

[61] See Video: Distracted Driving Lawsuit Draws $1.3M Award, Automotive Fleet (Feb. 8, 2016), http://www.automotive-fleet.com/channel/safety-accident-management/news/story/2016/02/video-distracted-driving-lawsuit-draws-1-3m-award.aspx?utm_campaign=topnews-20160212&utm_source=Email&utm_medium=Enewsletter, archived at https://perma.cc/J3QG-KXLQ.

[62] See id.

[63] See id.

[64] See id.

[65] See People v. Goldsmith, 203 Cal. App. 4th 1515, 1518 (Cal. App. 2d Dist. 2012).

[66] See People v. Goldsmith, 59 Cal. 4th 258, 264 (Cal. 2014).

[67] See id.

[68] See id.

[69] See id. at 264-65.

[70] See id. at 265.

[71] See People v. Goldsmith, 59 Cal. 4th 258, 265 (2014).

[72] Id. at 267.

[73] An Event Data Recorder (EDR), also known as a “black box,” is a device that is built into a vehicle’s airbag control module and records certain information from a vehicle immediately before and/or during most crashes. The data from the event data recorder’s memory can be downloaded to provide information about what happened to the vehicle, the deployment of airbags and seat belt tensioners, as well as data about the engine speed and vehicle speed prior to the crash. See Event Data Recorders, Insurance Institute for Highway Safety (Apr. 2015), http://www.iihs.org/iihs/topics/t/event-data-recorders/qanda, archived at https://perma.cc/ULM9-58YJ (last visited Feb. 18 2016).

[74] See Commonwealth v. Zimmerman, 873 N.E.2d 1215, 1218 (2007).

[75] See id. at 1217.

[76] See id.

[77] See id.

[78] See id. at 1216, 1219.

[79] See Commonwealth v. Zimmerman, 873 N.E.2d 1215, 1217 (2007).

[80] See Matos v. State, 899 So. 2d 403, 405 (Fla. Dist. Ct. App. 2005).

[81] See id. at 405.

[82] See id.

[83] See id.

 [84] See id.

 [85] People v. Hopkins, No. 2004-0338, 2004 N.Y. Misc. LEXIS 2902, at *17.

[86] See id. at *9.

[87] See id.

[88] See id.

[89] See S.S.S. v. M.A.G., No. A-1623-09T2, 2010 N.J. Super. Unpub. LEXIS 2479, at *1 (N.J. Super. Ct. App. Div. 2010). 

[90] See id. at *3. 

[91] See id. at *4.

[92] See id.

[93] See id. at *4–5.

[94] See S.S.S., 2010 N.J. Super. Unpub. LEXIS 2479, at *8–10.

[95] See State v. McGuire, 16 A.3d 411, 419, 426 (N.J. Super. Ct. App. Div. 2011).

[96] See id. at 426.

[97] See id.

[98] See id. at 427.

[99] See id.

[100] See Reid v. Ingerman Smith LLP, No. CV-2012-0307(ILG)(MDG), 2012 U.S. Dist. LEXIS 182439, at *1 (E.D.N.Y. Dec. 27, 2012).

[101] See id. at *3.

[102] See id. at *3–4.

[103] See id. at *7.

[104] See id. at *7, 9. Using the same relevance analysis, another court similarly required the plaintiff in a race discrimination action to produce her online social media communications, including “profiles, postings, messages, status updates, wall comments, causes joined, groups joined, activity streams, applications, blog entries, photographs, or media clips, as well as third-party communications that put the plaintiff’s communications in context.” See Robinson v. Jones Lang LaSalle Americas, Inc., No. 3:12-cv-00127-PK, 2012 U.S. Dist. LEXIS 123883, at *5–6 (D. Or. Aug. 29, 2012); see also Bass v. Miss Porter’s School, No. 3:08cv1807(JBA), 2009 U.S. Dist. LEXIS 99916, at *1, *3–4 (D. Conn. Oct. 27, 2009) (finding that the defendant was entitled to receive information from the Facebook account of the plaintiff, relating to her allegation that she was teased and taunted on Facebook and through text messages, because “Facebook usage depicts a snapshot of the user’s relationships and state of mind at the time of the content’s posting” and was therefore relevant to issues of liability and damages in the case)

[105] See Romano v. Steelcase, Inc., 907 N.Y.S.2d 650, 651 (2010).

[106] See id. at 653.

[107] See id. at 654.

[108] See id.

[109] See Held v. Ferrellgas, Inc., No. 10-2393-EFM, 2011 U.S. Dist. LEXIS 120980, at *1 (D. Kan. Aug. 31, 2011).

[110] See id., at *2.

[111]See id.

[112] See id., at *3. 

[113] See United States v. Hassan, 742 F.3d 104, 117 (4th Cir. 2014).

[114] See id.

[115] See id. at 147.

[116] See id. at 141.

[117] See id. at 151. 

[118] See Collen Curry, Rutgers Trial: Dharun Ravi Sent Texts to Witness During Police Investigation, abc NEWS (Feb. 27, 2012), http://abcnews.go.com/US/rutgers-trial-dharun-ravi-texts-witness-police-investigation/story?id=15800869, archived at https://perma.cc/GE6J-XBKT.

[119] See id. 

[120] See id.

[121] Id.

[122] See David M. Halbfinger & Beth Kormanik, Rutgers Case Jurors Call Digital Evidence Crucial, N.Y. Times (Mar. 16, 2010), http://www.nytimes.com/2012/03/17/nyregion/jurors-say-digital-evidence-convinced-them-of-dharun-ravis-guilt.html?_r=0, archived at https://perma.cc/5G4U-E74U.

[123] See id.

[124] Jamil Smith, ‘I Saw Him Making Out with a Dude. Yay.,MSNBC (Sept. 30, 2010, 12:10 PM), http://www.msnbc.com/rachel-maddow-show/i-saw-him-making-out-dude-yay, archived at https://perma.cc/Q4E4-Y58B.

[125] Tyler Clementi: Rutgers Suicide, CBSNEWS, http://www.cbsnews.com/pictures/tyler-clementi-rutgers-suicide/19/, archived at https://perma.cc/HR36-RJRR (last visited Feb. 25, 2016).

[126] Amy Davidson, The Tyler Clementi Verdict, The New Yorker (Mar. 16, 2012), http://www.newyorker.com/news/amy-davidson/the-tyler-clementi-verdict, archived at https://perma.cc/3YSQ-954S.

[127] See id. 

[128] See Steinebach v. Steinebach, 957 So.2d 291, 299 (Ct. of App. La. 2007).

[129] See id.

[130] See id.

[131] See id.

[132] See id. at 300.

[133] See Steinebach, 957 So.2d at 300.

[134] See Glazer v. Fireman’s Fund Ins. Co., No. 11 Civ. 4374 (PGG) (FM), 2012 U.S. Dist. LEXIS 51658, at *1–4 (S.D.N.Y Apr. 4, 2012).

[135] See id. at *2.

[136] See id. at *1–2.

[137] See id. at *2–3. Instant messages (“IMs”) have been introduced at trial and have been found to be sufficient evidence to support a verdict. See, e.g., State v. Voorheis, 844 A.2d 794, 796–97 (2004) (text of instant messages between defendant and mother of minor girl that contained graphic and sexually explicit language offered substantial evidence that defendant had attempted to promote a lewd performance by a child and to incite another to commit a felony and supported his conviction on both charges).

[138] See Arroyo v. Volvo Group North America, LLC, 805 F.3d 278, 280–81, 287, 288 (7th Cir. 2015).

[139] See id. at 285, 287.

[140] Id. at 285.

[141] Id. at 281–82.

[142] Id. at 282.

[143] Arroyo v. Volvo Group North America, LLC, 805 F.3d at 282.

[144] See id. at 287.

[145] See id.

[146] Id. at 283.

[147] Id.

[148] See Model Rules of Prof’l Conduct R. 1.1, Cmt. 8 (2015) (“A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”) (“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology….”); see also Robert Ambrogi, 20 States Have Adopted Ethical Duty of Technology Competence, LawSites (Mar. 16, 2015), http://www.lawsitesblog.com/2015/03/11-states-have-adopted-ethical-duty-of-technology-competence.html, archived at https://perma.cc/H3XG-RPT3 (stating that as of October 2015, twenty states have recognized that lawyers have a duty to be technologically competent).

Preservation: Competently Navigating Between All and Nothing

By

On March 31, 2016

In Article

Preservation: Competently Navigating Between All and Nothing pdf_icon 

Cite as: Lauren Wheeling Waller, Preservation: Competently Navigating Between All and Nothing, 22 Rich. J.L. & Tech. 7 (2016), http://jolt.richmond.edu/v22i3/article7.pdf.

Lauren Wheeling Waller*

I. Introduction

 [1]       Merriam-Webster defines “competent” as “having requisite or adequate ability or qualities.”[1] All professions require competence to be successful—from chefs, to tailors, to NFL quarterbacks. Without the adequate ability to poach an egg, alter suits, or read defenses, they lose patrons, customers, or—in the case of a quarterback—games and fans. Lawyers are no different. Without competence, they may not be successful. However, lawyers are different than the NFL quarterback in that they have an explicit duty of competence to their clients. The Model Rules of Professional Conduct provide “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.”[2] The comments to the Model Rules make it clear that competency also requires that lawyers “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . . .”[3] With this sentence, attorneys can no longer simply put up their hands and say, “it’s e-mail and text messages, I don’t know how nor do I want to handle that.”

[2]       Additionally, some State Bars implementing their own Rules of Professional Conduct have decided that attorney competence applies to handling electronically stored information (“ESI”), and at a minimum, that attorneys be able to carry out the following:

  • [I]nitially assess e-[D]iscovery needs and issues, if any;
  • [I]mplement/cause to implement appropriate ESI preservation procedures;
  • [A]nalyze and understand a client’s ESI systems and storage;
  • [A]dvise the client on available options for collection and preservation of ESI;
  • [I]dentify custodians of potentially relevant ESI;
  • [E]ngage in competent and meaningful meet and confer with opposing counsel concerning an e-[D]iscovery plan;
  • [P]erform data searches;
  • [C]ollect responsive ESI in a manner that preserves the integrity of that ESI; and
  • [P]roduce responsive non-privileged ESI in a recognized and appropriate manner.[4]

[3]       Attorneys now need to have an understanding of the components of the Electronic Discovery Reference Model[5] and the tools available to assist in each part of that process. If they do not have the requisite understanding, they need to associate with someone who does.[6]

[4]       Preservation of ESI is implicated in at least five of the competencies specifically listed in a California Rules of Professional Conduct’s Formal Opinion,[7] but preservation for some lawyers can be a scary concept. Why? For one, data never sleeps.[8] Every minute of the day, people generate data in the form of e-mails, Instagrams, Tweets, and Snapchats.[9] If you compare the data generated in 2012 to that created in 2015, not only has the amount of data increased, but also the type of data created has increased with the proliferation of new applications that create data.[10] Identifying the type of data that needs to be preserved and how it needs to be preserved can be complicated because of this ever-changing data landscape.

[5]       Additionally, preservation provokes fear in the heart of many attorneys, because failing to preserve potentially relevant evidence can have significant adverse consequences for not only the client in the lawsuit but also for the attorneys involved.[11] Attorneys, however, now have more guidance regarding the imposition of sanctions in Federal Court, as the Federal Rules of Civil Procedure were amended to clarify when a court can impose sanctions for the failure to appropriately preserve evidence, including when evidence is intentionally destroyed.[12]

[6]       Even with the amendments to the Rules, the following questions still exist for every piece of litigation:

  • When does the duty to preserve arise?
  • What must be preserved for the potential or current litigation?
  • What steps can I take to competently preserve potentially relevant information?

[7]       Is the answer to the above questions that every piece of data in your client’s possession must be preserved? No. Is the answer to preserve only e-mails a specific custodian sends to counsel on his or her own accord, without any further discussion with counsel? No. While there is no “one size fits all” answer to preservation, this article intends to guide practitioners through the preservation rubric outlined in the cases of “e-Discovery Canon,”[13] as well as recent case law and the 2015 amendments to the Federal Rules of Civil Procedure. This article also outlines questions practitioners should ask their clients and themselves in order to competently identify and preserve ESI.

II. The Duty to Preserve

[8]       The first question that a lawyer must answer is whether the duty to preserve has been triggered. Common law creates the duty to preserve evidence, and litigants owe this duty to the court, not just the opposing party.[14] Some commentators argue that the duty to preserve may be the most important duty a litigant has, in that failing to meet this duty can deprive the court of the ability to properly assess the claims of the parties before it.[15] This duty “arises not only during litigation but also extends to that period before the litigation when a party reasonably should know that the evidence may be relevant to the anticipated litigation.”[16] In the context of litigation for plaintiffs, the duty arises before the lawsuit is filed, and for defendants when the lawsuit is served, at the very latest.[17]

[9]       To be clear, though, whether a party is filing or has filed a lawsuit is not the test—it is the reasonable anticipation of litigation, in whatever form that takes. Recently, in Clear-View Technologies, Inc. v. Rasnic Magistrate Judge Paul S. Grewal (no stranger to preservation and e-Discovery issues[18]) found that a text message sent to a defendant over two years before suit was filed and eight months before any preservation notice was sent to the defendant triggered the duty to preserve.[19] Magistrate Judge Grewal stated that Plaintiff’s then-CEO “made clear in text messages to [defendants] that he was prepared to sue them for trying to interfere with” a potential business investment.[20] In his opinion, Judge Grewal noted that while the then-CEO later sent text messages apologizing for his previous texts, at no time did he take back his threat of litigation.[21] In the context of non-lawsuit triggers, courts have also found that a presentation regarding potential patent infringement claims,[22] ultimatums made to a CEO to “comply with [an] injunction” or face a lawsuit,[23] and of course, requests in writing that an individual or entity preserve evidence that may be relevant to a dispute trigger the duty to preserve.[24]

[10]     Accordingly, practitioners should not depend on the arrival of a complaint to trigger a client’s duty to preserve. While service of pleadings certainly can and does trigger the duty to preserve, once apprised of a potential dispute, practitioners should ask their clients not only about the facts of the potential dispute, but also how they communicated with the individuals involved with the potentially adverse party—in-person, telephone, e-mail, text messages, and/or any other medium of communication. As a practical matter, these queries will be easier the more you know about your client’s business and data landscape.[25] While a slip-and-fall, a failure to make a specified delivery under the terms of a contract, or a malfunction of a piece of equipment causing injury will remain clear triggers for the duty to preserve, practitioners should not overlook the wide variety of ways individuals now communicate with one another when analyzing whether and when the duty to preserve was triggered.

III. The Scope of Preservation

[11]     The duty to preserve evidence includes “an obligation to identify, locate, and maintain[] information that is relevant to specific, predictable, and identifiable litigation.[26] The duty pertains, however, only to relevant documents.[27] Relevant documents include:

[A]ny documents or tangible things . . . made by individuals “likely to have discoverable information that the disclosing party may use to support its claims or defenses.” The duty also includes documents prepared for those individuals to the extent those documents can be readily identified (e.g., from the “to” field in e-mails). The duty also extends to information that is relevant to the claims or defenses of any party, or which is “relevant to the subject matter involved in the action.” Thus, the duty to preserve extends to those employees likely to have relevant information—the “key players” in the case.[28]

The cases are clear on one point: once the duty to preserve is triggered, not every piece of data belonging to an organization must be preserved, just as every piece of paper belonging to an organization is not required to be preserved.[29] The cases outlined below demonstrate as much.

[13]     In Blue Sky Travel & Tours, LLC v. Al Tayyar, the Fourth Circuit vacated and remanded the district court’s decision to impose severe sanctions on the defendant for failing to preserve certain invoices requested by the plaintiff.[30] In this breach of contract action, the plaintiff’s damages included a claim for lost profits, and in an effort to prove those lost profit claims, the plaintiff requested that the defendant produce certain invoices.[31] When the defendant did not provide the invoices, the plaintiff moved to compel their production.[32] The court granted the motion, but the defendant still did not produce the invoices because the documents were not retained.[33] The plaintiff then moved for sanctions, and the magistrate recommended the court grant the motion and provide an adverse inference instruction.[34] The problem with this recommendation and ruling, though, was that the magistrate judge ruled that the defendant had a duty to hold “all” documents, stating:

[W]hen this litigation started, the defendants were required by law to preserve. Any document retention policy you had had to be stopped. . . . [o]nce you are put on notice that there is litigation pending, or once litigation starts, you are required . . . to stop [your] normal document retention policies and to preserve [ALL] documents because you don’t know what may or may not be relevant.[35]

[14]     The Fourth Circuit vacated and remanded the magistrate’s decision because the lower court used the incorrect standard for the duty to preserve.[36] The Fourth Circuit noted that a party may be sanctioned for spoliation if the party “(1) had a duty to preserve material evidence, . . . (2) willfully engaged in conduct resulting in the loss or destruction of that evidence, [and] (3) at a time when the party knew, or should have known, that the evidence was or could be relevant to the litigation.”[37] The Fourth Circuit reiterated that a party is not required to preserve all of its documents, only documents that the party knew or should have known were or could be relevant to the parties’ dispute.[38]

[15]     In Wandering Dago, Inc. v. N.Y. State Office of Gen. Servs., the court had to decide whether officials in one governmental agency and their attorney could be sanctioned for the destruction of e-mails, according to the terms of an e-mail retention policy, belonging to another governmental agency.[39] More to the point, the court had to determine whether a preservation obligation for one governmental agency involved in a specific litigation automatically applies to every other governmental agency not involved in the litigation.[40] The court said no, as the defendant agencies in the litigation had no control over the other governmental agencies’ e-mails.[41] Therefore, the defendant agencies had no obligation to preserve the other non-party agencies’ e-mails.[42] The court noted that to require a governmental agency in litigation to preserve and produce documents belonging to another governmental agency not a party to the litigation would “subject all [ ] agencies, the legislature, the judiciary, quasi-state agencies, and possibly public authorities to disclosure scrutiny, notwithstanding their relative remoteness to the case.”[43] The court found that “state agencies for most purposes are separate and distinct organs and should not be viewed in the aggregate.”[44] Moreover, the court noted that requiring each governmental agency “and thousands of officials to institute a litigation hold every time a party contemplates or even commences litigation against another agency would paralyze the State.”[45]

[16]     In AMC Technology, LLC v. Cisco Systems, Inc., Magistrate Judge Grewal distinguished between documents parties are obligated to preserve and those that they are not obligated to preserve and that can be destroyed as part of a routine retention policy.[46] Pursuant to Cisco’s document retention policy, Cisco reformatted departed employees’ laptops and deleted e-mail archives thirty days after an employee’s departure.[47] After one employee’s departure, and the deletion of his data, AMC requested his custodial data.[48] When Cisco did not provide the data because it had been destroyed according to its retention policy, AMC moved for spoliation sanctions.[49]

[17]     Judge Grewal held that sanctions were not warranted because Cisco was under no obligation to preserve his data at the time it was destroyed.[50] Judge Grewal underscored that the “scope of this duty is confined to what is reasonably foreseeable to be relevant to this action. Requiring a litigant to preserve all documents, regardless of their relevance, would cripple parties who are often involved in litigation . . . .”[51] In its analysis, the court also noted that the disposal of the employee’s documents “appears to have been routine—Cisco followed established company procedure, which deletes company emails and information within thirty days.”[52]

[18]     These cases provide a framework for identifying the scope of preservation. While each case turns on its own unique facts, these cases demonstrate that preserving everything is not the requirement of the duty to preserve, as such a requirement would create inefficiencies for business and government entities attempting to carry out their daily functions. Moreover, they show that only those documents that are reasonably foreseeable to be relevant to the action at the time the duty is triggered must be preserved. Obviously, what is relevant can change during the course of an investigation. As a result, practitioners should continue to monitor what has been preserved and the pertinent issues in the litigation to continue to observe their preservation obligations.

A. Identifying What Must Be Preserved

[19]     So the next question is: how do you identify and preserve documents that are potentially relevant to the parties’ dispute? Understanding who created and possesses potentially relevant ESI—and how that ESI is stored—is the first step to competently complying with the duty to preserve. Not taking these steps can lead to the destruction of potentially relevant information, and adverse consequences for that destruction. Brown v. Tellermate Holdings Ltd. outlines the failings of practitioners in executing their duty to identify and preserve potentially relevant ESI, and thus provides a good description of what practitioners need to do to competently comply with their preservation obligations.

[20]     In Brown v. Tellermate Holdings Ltd., the court found that Tellermate’s counsel “failed to uncover even the most basic information about an electronically-stored database of information” and that “as a direct result of that failure, took no steps to preserve the integrity of the information in that database.”[53] In this age discrimination case, the plaintiffs requested reports from both of their accounts in salesforce.com, a web-based application that allows businesses to track sales activities, as well as a number of other employees’ reports.[54] While at Tellermate, the plaintiff employees knew that Tellermate acquired licenses for their sales team to use salesforce.com and encouraged its employees to use it.[55] During discovery, Tellermate contended that it could not produce the reports because, among other things, Tellermate could not “print out accurate historical records from salesforce.com. . . .”[56] Counsel for Tellermate represented to the court that “Tellermate [did] not possess or control data maintained in the salesforce.com database and [was] not at liberty to produce it in discovery,” as well as that no one from Tellermate “has access to [the] ESI of salesforce.com . . . .”[57] However, in direct contradiction from its attorneys’ representations to the court, Tellermate’s representative testified that “any Tellermate employee with a login name and a password could access . . . historical information . . . at any time.”[58]

[21]     Additionally, after the plaintiffs’ departure, Tellermate changed the user names to the their accounts and took no action to preserve the information in the plaintiffs’ accounts, as the data in their accounts could be changed or deleted by salesforce.com administrators at the company.[59] For the above actions, the court admonished Tellermate’s counsel, stating “all of this information was clearly known to at least some Tellermate employees since Tellermate began using salesforce.com; had the right questions been asked of the right people, counsel would have known it as well.”[60]

[22]     The court also found that “counsel apparently never identified the persons having responsibility for salesforce.com information, which would have included those Tellermate employees (named by the [plaintiffs] in their document request) whose salesforce.com accounts were being requested, or the persons designated by Tellermate as its salesforce.com administrators.”[61] In short, the court found that “counsel had an affirmative obligation to speak to the key players at Tellermate so that counsel and client could identify, preserve, and search the sources of discoverable information.”[62]

[23]     To competently preserve ESI, practitioners must determine the individuals who may have knowledge or information about the different issues involved in the dispute, then determine what potentially relevant documents and data those individuals have in their possession, custody, or control.[63] Simultaneously, practitioners should speak with their client’s information technology personnel, who can explain the company’s system-wide back up procedures, any “auto-delete” functions, and gain a general overview of where and how data resides throughout the company (e.g., e-mail servers, file share servers, VM systems, databases, etc.).[64] These steps allow a practitioner to ask the right questions of the right people in order to determine where potentially relevant information resides.

[24]     Additionally, asking the right questions of the right people can also inform your decision as counsel as to what is reasonably accessible and therefore reasonably can be preserved. For example, if you learn from information technology personnel that the company’s disaster recovery systems are truly disaster recovery systems rather than a form of long-term storage, it may be worth mentioning at a Fed. R. Civ. P. 26(f) conference or meeting that, because these systems are for disaster recovery only, they are not reasonably accessible and will not be preserved.[65]

[25]     Moreover, discussing the data landscape with key custodians and information technology personnel provides valuable information about the various data sources and the amount it may cost to preserve those data sources, which can provide insight into whether producing from that data source is proportional to the needs of the case.[66] For example, in You v. Japan the court allowed defendant Sankei, a newspaper publisher, to modify a piece of a preservation order because of the undue burden it was placing on its business.[67] The preservation order required each party to take affirmative steps to preserve evidence related to the action by ceasing “any document destruction programs and any ongoing erasures of e-mails, voicemails, and other electronically recorded materials.”[68] Sankei took steps to comply with the order, including retaining versions of articles that it placed in a proprietary application used for laying out each edition of the newspaper.[69] The application typically retained these versions for 90 days.[70] Sankei stated that requiring that application to retain the article versions for greater than 90 days “could slow down the system or cause it to crash.”[71] Sankei also stated that installing a new storage system could take up to eight months and would cost $18 million.[72] Accordingly, Sankei filed a motion for relief from the preservation order and proposed an alternative method to preserve the documents in the proprietary application.[73] The Court, noting plaintiffs’ objections, granted Sankei’s proposal and included a modification proposed by the plaintiffs.[74] Without asking the right questions of the right people, Sankei may not have been able to seek an alternative that would allow it to continue functioning as a business and maintain its preservation obligations.

B. The Litigation Hold

[26]     While the litigation hold or legal hold notice should now be part of every practitioner’s litigation checklist, it is still an integral part of competently complying with the duty to preserve. As the court in Zubulake V stated, “[o]nce a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”[75]

[27]     A litigation hold informs custodians and information technology personnel about the lawsuit and their preservation obligations to preserve potentially relevant information relating to the lawsuit.[76] However, implementing the litigation hold does not end a party’s preservation obligations—“[c]ounsel [also] must oversee compliance with the litigation hold.”[77]

[28]     Apple Inc. v. Samsung Electronics Co., Ltd. demonstrates the potential consequences of failing to monitor compliance with a litigation hold. There, Magistrate Judge Grewal analyzed “whether Samsung took adequate steps to avoid spoliation after it should have reasonably anticipated” litigation.[78] In this case, a Samsung entity/defendant failed to disable the “auto-delete” function of its e-mail system after the duty to preserve was triggered.[79] Judge Grewal noted that it is “generally recognized that when a company or organization has a document retention policy, it is ‘obligated to suspend’ that policy and ‘implement a “litigation hold” to ensure the preservation of relevant documents’ after the preservation duty has been triggered.”[80] Samsung issued a litigation hold notice requesting employees to “preserve any and all [] documents that may be relevant to the issues in the potential litigation . . . until [the potential litigation] is fully resolved.”[81] However, while the litigation hold notice provided categories of documents that should be retained, Samsung took no steps to evaluate what its employees were doing to comply with the litigation hold notice, especially in light of the continued use of the auto-delete function.[82] While under the legal hold, Samsung never checked to see whether a single custodian was in compliance with the given directives.[83]

[29]     Practitioners and clients should consistently monitor employee and information technology compliance with their legal hold directives. The longer a legal hold is in place and the more time that goes by opens companies up to something that can be described as “Litigation Hold Fatigue,” resulting in less enthusiastic preservation practices.[84] Additionally, as noted above, issues in a litigation change, which can change what needs to be preserved. Follow-up reminders and revisions to litigation holds not only assist in complying with preservation obligations, but they can also assist in defining the scope of preservation.

IV. What Can We Learn From Failing to Preserve

[30]     Cases outlining complete failures to preserve are instructive to practitioners as a template for “Preservation Do Nots.” In Altercare, Inc. v. Clark, the Ohio Court of Appeals was required to determine whether the trial court abused its discretion in dismissing Altercare’s case against its former employee, Clark, for failing to preserve the former employee’s computer after the obligation to preserve arose.[85] After being told not to return to Altercare for work, Clark’s attorney sent Altercare a letter stating that it had breached Clark’s employment contract, and requesting that Altercare preserve evidence relevant to the dispute.[86] The preservation notice portion of the letter provided a non-exhaustive list of data covered by Altercare’s obligation, as well as ways that Altercare could comply with its obligation.[87] Once suit was filed, Clark requested in discovery all ESI relating to Clark and/or Clark’s employment with Altercare.[88]

[31]     The trial court attempted to determine what Altercare did to preserve Clark’s ESI on numerous occasions.[89] The court found that, at one point, Altercare returned a different hard drive to Clark than belonged to the work computer she sent the company for preservation.[90] The trial court held that Altercare did not preserve Clark’s work computer, failing to either “[pull] it out of service or [make] a copy or clone of its hard drive at the time Ms. Clark put [Altercare] on notice” of its obligation to preserve.[91] Because the trial court found that Altercare’s conduct in failing to preserve Clark’s work computer showed “such extreme carelessness and indifference,” the trial court dismissed Altercare’s complaint.[92] The Court of Appeals affirmed the trial court’s ruling, finding that Altercare “took no action whatsoever” to preserve Clark’s computer, either when she was terminated—even though it was reasonably foreseeable that litigation with Clark was probable—or after receiving the preservation notice from Clark’s attorney.[93] Notably, the Court of Appeals also recognized that the trial court “found that there was no evidence that Clark’s computer was lost as a result of a routine, good faith operation,” [94] such as a retention schedule.

[32]     Similarly, in Alter v. Rocky Point Sch. Dist., in ruling on the Plaintiff’s motion to compel and for sanctions in a workplace discrimination claim, the court found that defendants had failed to satisfy their duty to preserve relevant evidence.[95] The court based its ruling on the following facts:

  • Defendants failed to issue a timely litigation hold, instead waiting more than two years after Plaintiff filed a Notice of Claim;[96]
  • Defendants “failed to discuss the litigation hold with key players” in the lawsuit;[97]
  • Defendants failed to inform key custodians regarding their obligation to preserve relevant evidence “on whatever devices contained the information, [including] [personal] laptops, cellphones or any personal digital devices capable of ESI storage.”[98]

[33]     In Clear-View Techs., discussed above, the defendants took “no reasonable steps to preserve relevant evidence” and, in fact, “affirmatively destroyed it,” after the text message that triggered the preservation obligation was sent and, in some cases, after the preservation letter was received and after suit was filed.[99]

[34]     In each of these cases, the party responding to destruction allegations failed to take reasonable steps to preserve potentially relevant evidence—no litigation holds issued, no custodian interviews performed or even simple questions asked, and in a workplace discrimination suit, the terminated employee’s workstation was not preserved—and was then punished in some manner by the court. As these cases demonstrate, it is this failure to competently preserve potentially relevant evidence that places clients and their attorneys on rocky ground with the court.

[35]     Prior to the 2015 amendment of Rule 37(e), the sanctions imposed by courts because of the destruction of evidence, whether through negligence or bad faith, created inconsistencies in the sanctions imposed throughout the federal circuits.[100] In one circuit, a party could receive an adverse inference instruction from the grossly negligent deletion of an employee’s ESI,[101] while in another, an adverse inference instruction was appropriate only where there was a finding of bad faith in the destruction of the evidence.[102] Amended Rule 37(e) no longer allows courts to punish parties through an adverse inference instruction in the wake of destroyed evidence if they can show they took reasonable steps to preserve evidence.[103]

[36]     So what does this mean for practitioners? In the words of algebra teaches everywhere, litigants must “show their work.” Litigants should document the processes by which and steps they took to preserve potentially relevant evidence. The following steps, while not all-inclusive, and when they were taken should be well-documented by practitioners:

  • Issue a litigation hold that outlines the potential forms of ESI (e-mail, text messages, word documents, databases, etc.) and the potential sources of ESI (e-mail mailbox, smart phone, workstation, network servers, social media accounts, etc.) available to custodians;[104]
  • Identify and interview key players and custodians regarding their ESI forms and sources;
  • Interview information technology personnel regarding forms and sources of ESI available to employees and other personnel at the company, as well as the back-up and disaster recovery systems in place;
  • Document which devices were identified as having potentially relevant evidence and how each device was preserved for each custodian;
  • Document how specific information on servers and other company sources was identified and preserved;
  • Monitor legal hold compliance and refresh litigation hold notice as issues in the litigation evolve and new custodians are identified and new employees hired;
  • Disable and document the disabling of “auto-delete” functions for systems containing such functions;
  • Evaluate software offerings available to assist with the implementation of a legal hold;[105]
  • Analyze records management or retention policies for those categories of documents under a litigation hold to ensure routine destruction as to those documents has stopped.

[37]     Practitioners should document what was done and when it was done to demonstrate to the court how they took reasonable steps to preserve ESI. Taking the time to identify whose data and what sources and forms of data need to be preserved, and then “showing your work” by documenting those preservation steps and the considerations necessary to make those choices, demonstrates competence and may save you from headaches and discord later.

* Lauren Wheeling Waller is a partner at Williams Mullen and chairs the firm’s e-Discovery and Information Governance Practice Group. She is an experienced litigator and provides guidance in crafting defensible and uniform approaches to records management and retention, litigation hold implementation, as well as managing complex e-Discovery projects in commercial litigation and investigations. She has written and spoken frequently on electronic discovery topics and is a member Working Group I on Electronic Document Retention and Production of The Sedona Conference.

 

 

[1] Competent, Merriam-Webster, http://www.merriam-webster.com/dictionary/competent, archived at https://perma.cc/VZ57-Z6TR (last visited Feb. 25, 2016).

[2] Model Rules of Prof’l Conduct R. 1.1 (2014).

[3] Model Rules of Prof’l Conduct R. 1.1 cmt. 8 (2014) (emphasis added).

[4] State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. 2015-193, 3–4 (2015) [hereinafter Cal. Ethics Op.] (emphasis added) (internal citations omitted).

[5] See EDRM Stages, EDRM, http://www.edrm.net/resources/edrm-stages-explained, archived at https://perma.cc/D63L-HC9E (last visited Feb. 25, 2016).

[6] See Cal. Ethics Op., supra note 4, at 3; see also HM Electronics, Inc. v. RF Techs., Inc., No. 12cv2884-BAS-MDD, 2015 WL 4714908, at *24 (S.D. Cal. Aug. 7, 2015) (holding that an “attorney’s duty to supervise the work of consultants, vendors, and subordinate attorneys is non-delegable. ‘An attorney must maintain overall responsibility for the work . . .,’ and, must do so by remaining regularly engaged in the . . . work.”) (internal citations omitted) (emphasis in original).

[7] See Cal. Ethics Op., supra note 4, at 3–4. (“[I]nitially assess e-[D]iscovery needs and issues, if any; [I]mplement/cause to implement appropriate ESI preservation procedures; [A]nalyze and understand a client’s ESI systems and storage; [A]dvise the client on available options for collection and preservation of ESI; [I]dentify custodians of potentially relevant ESI; [C]ollect responsive ESI in a manner that preserves the integrity of ESI”).

[8] See generally Data Never Sleeps 3.0, DOMO, https://web-assets.domo.com/blog/wp-content/uploads/2015/08/15_domo_data-never-sleeps-3_final1.png, archived at https://perma.cc/HN24-72YD (last visited Feb. 11, 2016). 

[9] See id.

[10] Compare id., with Data Never Sleeps 2.0, DOMO, www.domo.com/learn/data-never-sleeps-2, archived at https://perma.cc/83QJ-HM8Q (last visited Feb. 11, 2016), and Data Never Sleeps, DOMO, www.domo.com/blog/2012/06/how-much-data-is-created-every-minute, archived at https://perma.cc/Q5LW-ZK4B (last visited Feb. 11, 2016) (noting that applications such as Snapchat and Tinder were not identified in 2012 but generated vast amounts of data in 2015).

[11] See Victor Stanley, Inc. v. Creative Pipe, Inc., 269 F.R.D. 497, 538–41 (D. Md. 2010) (recommending sanctions including permanent injunction and attorneys’ fees); Malibu Media, LLC v. Tashiro, No. 1:13-cv-00205-WTL-MJD, 2015 U.S. Dist. LEXIS 64281, at *104 (S.D. Ind. May 18, 2015) (granting motion for sanctions for default judgment); HM Elecs., Inc. v. RF Techs., Inc., No. 12cv2884-BAS-MDD, 2015 WL 4714908, at *31–35 (S.D. Cal. Aug. 7, 2015) (recommending adverse inference instruction, as well as other sanctions). As these cases indicate, EDRM preservation tends to be the area where attorneys and clients make the most mistakes.

[12] See Fed. R. Civ. P. 37(e) (allowing for sanctions only when information is lost and cannot be replaced, and the court finds that another party is prejudiced from the loss or that the party acted with the intent to deprive the other party of information).

[13] See Pension Comm. of Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, 685 F. Supp. 2d 456, 461 (S.D.N.Y. 2010) [hereinafter Pension Comm.], abrogated by Chin v. Port Auth. of N.Y. & N.J., 685 F.3d 135, 143 (2d Cir. 2012); Rimkus Consulting Grp. v. Cammarata, 688 F. Supp. 2d 598, 607 (S.D. Tex. 2010); Victor Stanley, Inc., 269 F.R.D. at 499–500; Zubulake v. UBS Warburg LLC (Zubulake V), 229 F.R.D. 422, 424 (S.D.N.Y. 2004), Zubulake v. UBS Warburg LLC (Zubulake IV), 220 F.R.D. 212, 214 (S.D.N.Y. 2003).

[14] See Victor Stanley, Inc., 269 F.R.D. at 525 (noting “the duty to preserve evidence relevant to litigation of a claim is a duty owed to the court.”) (emphasis in original).

[15] See Monica McCarroll, Discovery and the Duty of Competence, 26 Regent U. L. Rev. 81, 91 (2013).

[16] Silvestri v. Gen. Motors Corp., 271 F.3d 583, 591 (4th Cir. 2001).

[17] See Pension Comm., 685 F. Supp. 2d at 466.

[18] See generally Apple Inc. v. Samsung Elecs. Co., Ltd., 881 F. Supp. 2d 1132, 1132 (N.D. Cal. 2012).

[19] See Clear-View Techs., Inc. v. Rasnick, No. 5:13-cv-02744-BLF, 2015 U.S. Dist. LEXIS 63579, at *3. The text message stated, in part, “[D]on’t call my shareholders with your b.s. That is [tortious] economic interference. I will not accept this. . . . [K]eep it up and you’ll find [yourself] in court[.] Call Clyde again and I sue. Mark my words.” Id at *3–4 (alteration in original).

[20] Id. at *3.

[21] See id. at *21.

[22] See Apple Inc., 881 F. Supp. 2d at 1145 (noting that the presentation from Apple provided Samsung with “more than just a vague hint” that litigation “was at least foreseeable, if not ‘on the horizon.’”).

[23] In re Napster, Inc. Copyright Litig., 462 F. Supp. 2d 1060, 1069 (N.D. Cal. 2006).

[24] See, e.g., Altercare, Inc. v. Clark, 9th Dist. No. 12CA010211, 2013-Ohio-2785, at ¶ 2.

[25] While discussed only in the context of preservation below, information about a client’s data landscape prior to litigation should be part of an overall information governance effort. See Information Governance Reference Model (IGRM), EDRM, www.edrm.net/projects/igrm, archived at https://perma.cc/6F5N-D633 (last visited Mar. 18, 2016) [hereinafter IGRM].

[26] Apple Inc., 881 F. Supp. 2d at 1137; The Sedona Conference, The Sedona Conference Commentary on Legal Holds: the Trigger & the Process 1 (Conor R. Crowley et al. eds., 2007), https://thesedonaconference.org/download-pub/77, archived at https://perma.cc/EP4B-2AAY (download required).

[27] See Pension Comm., 685 F. Supp. 2d 456, 466 (S.D.N.Y. 2010), abrogated by Chin v. Port Auth. of N.Y. & N.J., 685 F.3d 135, 143 (2d Cir. 2012).

[28] Zubulake IV, 220 F.R.D. at 217–18. While this case was decided under the pre-2015 amendment scope of discovery, it remains a seminal case in defining the scope of the duty to preserve.

[29] See id. at 217 (noting that the duty to preserve does not require litigants to preserve “every shred of paper, every e-mail or electronic document, and every backup tape[.]”).

[30] See Blue Sky Travel & Tours, LLC v. Al Tayyar, 606 Fed. Appx. 689, 690 (4th Cir. 2015).

[31] See id. at 691.

[32] See id.

[33] See id. at 692.

[34] See id. at 692–93.

[35] Blue Sky Travel & Tours, LLC, 606 Fed. Appx. at 692.

[36] See id. at 690.

[37] Id. at 697–98.

[38] See id.

[39] See Wandering Dago Inc. v. N.Y. State Office of Gen. Servs., No. 1:13-CV-1053 (MAD/RFT), 2015 U.S. Dist. LEXIS 69375, at *1 (N.D.N.Y. May 29, 2015).

[40] See id. at *1–2.

[41] See id. at *22 (“Defendants correctly assert that they have no control over [Defendants’] emails. . . .”).

[42] See id.

[43] Id. at *23 (quoting N.Y. v. Amtrak, 233 F.R.D. 259, 266 (N.D.N.Y. 2006).

[44] Wandering Dago Inc., 2015 U.S. Dist. LEXIS 69375, at *24.

[45] Id. at *24–25.

[46] See AMC Tech., LLC v. Cisco Sys. Inc., No. 11-cv-3403 P, 2013 U.S. Dist. LEXIS 101372, at *4 (N.D. Cal. July 15, 2013).

[47] See id. at *4.

[48] See id. at *5–7.

[49] See id.

[50] See id. at *10.

[51] AMC Tech., LLC, 2013 U.S. Dist. LEXIS 101372, at *9.

[52] Id. at *11.

[53] Brown v. Tellermate Holdings, Ltd., No. 2:11-cv-1122, 2014 U.S. Dist. LEXIS 90123, at *6 (S.D. Ohio July 1, 2014).

[54] See id. at *7, *10.

[55] See id. at *8.

[56] Id. at *11.

[57] Id. at *13.

[58] Brown, 2014 U.S. Dist. LEXIS 90123, at *14.

[59] See id.

[60] Id. at *19 (emphasis added).

[61] Id. at *52–53.

[62] Id. at *56.

[63] See Zubulake V, 229 F.R.D. 422, 432 (S.D.N.Y. 2004); see also McCarroll, supra note 15, at 94–95.

[64] See Zubulake V, 229 F.R.D. at 432.

[65] See Zubulake IV, 220 F.R.D. 218. Amended Rule 26(f) now puts issues of preservation at the forefront of a 26(f) conference. See Fed. R. Civ. P. 26(f)(3)(C) (“A discovery plan must state the parties’ views and proposals on: . . . any issues about disclosure, discovery, or preservation of electronically stored information, including the form or forms in which it should be produced . . . .”) (emphasis added); see also Fed. R. Civ. P. 37(e), advisory committee’s note on 2015 amendments (“A party may act reasonably by choosing a less costly form of information preservation, if it is substantially as effective as more costly forms.”).

[66] Fed. R. Civ. P. 26(b)(1) (“Parties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense” and proportional to the needs of the case).

[67] See Hee Nam You v. Japan, No. C 15-03257 WHA, 2015 U.S. Dist. LEXIS 123877, at *2–5 (N.D. Cal. Sept. 16, 2015).

[68] Id. at *2.

[69] See id. at *2–3.

[70] See id. at *3.

[71] Id.

[72] See Hee Nam You, 2015 U.S. Dist. LEXIS 123877, at *3.

 [73] See id.

[74] See id. at *4–5.

[75] Zubulake V, 229 F.R.D. at 431 (quoting Zubulake IV, 220 F.R.D. at 218).

[76] See id. at 439.

[77] Id. at 432.

[78] Apple Inc. v. Samsung Elecs. Co., Ltd., 881 F. Supp. 2d 1132, 1134 (N.D. Cal. 2012).

[79] See id. In his opinion, Judge Grewal again reiterated that the duty to preserve includes identifying, locating, and maintaining information that is relevant to the litigation. See id. at 1137.

[80] Id. at 1137 (internal citations omitted).

[81] Id. at 1142–43.

[82] See id. at 1145.

[83] See Apple Inc., 881 F. Supp. 2d at 1147.

[84] See generally Legal Hold Software, Exterro, http://www.exterro.com/e-discovery-software/legal-hold/, archived at https://perma.cc/HS9M-VFVQ (last visited Feb. 20, 2016) (“Help custodians understand the importance of pending obligations, fight ‘notice fatigue’ by those on multiple legal holds, and promote consistent compliance.”).

[85] See Altercare, Inc. v. Clark, 9th Dist. No. 12CA010211, 2013-Ohio-2785, at ¶ 12.

[86] See id. at ¶ 2.

[87] See id. (“Altercare can most easily comply with its obligation by making mirror-image bit stream back-up copy of computers and storage media (such as hard disk drive[s], floppy disks, CDs, DVDs, back-up tapes, or any other electronic data), which will inexpensively preserve relevant electronic and digital evidence on searchable CD-ROMs or DVD.”).

[88] See id. at ¶ 3.

[89] See id. at ¶¶ 3–10.

[90] See Altercare, 2013-Ohio-2785, at ¶ 6.

[91] Id. at ¶ 10.

[92] Id.

[93] Id. at ¶¶ 2, 16.

[94] Id. at ¶ 16.

[95] See Alter v. Rocky Point Sch. Dist., No. 13-1100 (JS) (AKT), 2014 U.S. Dist. LEXIS 141020, at *3 (E.D.N.Y. Sept. 30, 2014).

[96] See id. at *28.

[97] Id. at *23.

[98] Id. *22­–24, *26, *28.

[99] Clear-View Techs., Inc. v. Rasnick, No. 5:13-cv-02744-BLF, 2015 U.S. Dist. LEXIS 63579, at *21–23 (noting that defendants “failed to implement a hold policy,” “deleted thousands of relevant emails, [and] discarded several phones, laptops, [and] iPads…”).

[100] Compare Residential Funding Corp. v. DeGeorge Fin. Corp., 306 F.3d 99, 108 (2nd Cir. 2002) (“The sanction of an adverse inference may be appropriate in some cases involving the negligent destruction of evidence because each party should bear the risk of its own negligence.”), with United States v. Artero, 121 F.3d 1256, 1259 (9th Cir. 1997) (noting that a “district judge did not abuse his discretion by refusing to give an adverse inference instruction, because the appellant showed neither bad faith imputable to the federal government nor prejudice from the loss and destruction of the evidence.”) (citing United States v. Jennell, 749 F.2d 1302, 1308–09 (9th Cir. 1984)).

[101] See Sekisui Am. Corp. v. Hart, 945 F. Supp. 2d 494, 504 (S.D.N.Y. 2013).

[102] See Rimkus Consulting Grp. v. Cammarata, 688 F. Supp. 2d 598, 614 (S.D. Tex. 2010).

[103] See Fed. R. Civ. P. 37(e) advisory committee’s note on 2015 amendments (“The rule only applies if the information was lost because the party failed to take reasonable steps to preserve the information.”).

[104] See generally D.O.H. v. Lake Cent. Sch. Corp., No. 2:11-cv-430, 2015 U.S. Dist. LEXIS 20259, at *23–25 (N.D. Ind. Feb. 20, 2015) (discussing where custodians identify social media as a potential source of potentially relevant information, practitioners should take steps to ensure that they understand how to preserve data from a social media site or engage a third-party vendor that does understand both how the site works and how to preserve the data contained in the site.).

[105] See generally Jie Zhang & Garth Landers, Magic Quadrant for E-Discovery Software, Gartner (May 18, 2015), https://www.gartner.com/doc/reprints?id=1-2G57ESF&ct=150519&st=sb, archived at https://perma.cc/SC7T-8DJP (evaluating over twenty e-Discovery software vendors).

Page 67 of 86

Previous

Next

Powered by WordPress & Theme by Anders Norén