Electronic Discovery

The Gifts that Keep on Giving: eDiscovery Holiday Wishes and Webcasts

Not only have we had a very successful year in presenting CLE-accredited webcasts this year, we’re already getting started on next year with a new webcast in January!  If you want to see how key case law decisions in 2017 may affect how you conduct discovery in 2018 AND how you can still get CLE credit for 2017’s webcasts, read on.

I thought I’d start by taking a look back at the webcasts we conducted this year.  A couple of days ago, I met with a client prospect who had attended a couple of our webcasts and had requested (and received) CLE credit for attending them.  She had very complimentary things to say about the webcasts she attended, which was a great feeling, and seemed to appreciate how easy it was to obtain CLE credit for attending.

We’ve conducted several CLE-accredited webcasts this year, covering such topics as what attorneys (and other legal professionals) need to know about eDiscovery in 2017, best practices for eDiscovery searching, how to avoid 20 different “pitfalls” and “potholes” that could derail your eDiscovery projects, what you need to know about cybersecurity and privacy in 2017, how cloud automation is revolutionizing eDiscovery for solo and small firms as we speak, considerations for selecting on-premise and/or off-premise eDiscovery solutions, what to do (or what you should have already done) when the case is actually filed, lessons learned from recent eDiscovery disasters and how to thwart Murphy’s Law and keep what could go wrong from actually going wrong.  And, because we couldn’t wait until the end of the year to analyze key case law, we took a look at key eDiscovery case law decisions for the first half of 2017.

These are just some of the twenty-three webcasts that are currently up on our webcasts page (launched less than a year ago, I might add), that also includes some product demonstrations and educational and additional informative webcasts (some of those CLE-accredited as well) that we’ve conducted through our partnership with ACEDS.

What a lot of people don’t realize is that CLE-accreditation is not just available for those who attended these webcasts live, it’s also available for those who view the webcasts on demand.  They are truly the gift that keeps on giving – CLE credits.  While each of these webcasts was accredited in selected states, CLE accreditation is available in additional states via reciprocity credit.  So, if you want to ask about CLE credit on any particular webcast, feel free to email me at daustin@cloudnine.com.

Also, feel free to sign up for our first webcast of 2018: Important eDiscovery Case Law Decisions of 2017 and Their Impact on 2018.  Tom O’Connor and I will cover key 2017 case law decisions covered by the eDiscovery Daily blog and what the legal profession can learn from those rulings – which is one reason why I was “catching up” on a couple of cases earlier this week.  :o)  To sign up for the webcast, click here.  You won’t want to miss Tom and me talking case law – there will be plenty to talk about and we can hopefully fit it all into one hour.

I want to thank everyone who participated in the webcasts this year, including Karen DeSouza, Julia Romero Peter and (of course) Tom O’Connor.  And, thanks to BrightTalk for being a terrific channel on which to conduct our webcasts.  And, a special thanks to Rob Robinson for coordinating the webcasts, including posting and promoting them (literally thousands of you have signed up for them) and kicking them off with introductions of the speakers.

Most of all, thanks to you for attending our webcasts and reading our blog (and a special thanks to those who’ve provided feedback and comments).  We’re into our eighth year for eDiscovery Daily, and (other than the couple of weeks I take off from blog writing at the end of each year to “recharge my batteries”), still going strong.  As we always say, please share any comments you might have or if you’d like to know more about a particular topic.  We love your feedback!

Merry Christmas, Happy Holidays and Happy New Year!!  eDiscovery Daily will resume with new posts after the new year on January 3.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Clawback Agreement Doesn’t Save Documents Inadvertently Produced Twice from Privilege Waiver: eDiscovery Case Law

This is another case from earlier this year that we never got around to covering.  Why are we catching up on covering cases this week?  Find out tomorrow… :o)

In Irth Solutions, LLC v. Windstream Communications LLC, No. 2:16-CV-219 (S.D. Ohio Aug. 2, 2017), Ohio Magistrate Judge Kimberly A. Jolson, rejecting the idea that a clawback agreement always protects against waiver of privilege for inadvertently disclosed materials, found that privilege was waived by the defendant’s inadvertent but “completely reckless” production of privileged materials – not once, but twice.

Case Background

In this breach of contract case, the parties “agreed that a formal court order under Fed. R. Evid. 502(d) was not necessary based on the scale of the case”, but did enter into a clawback agreement that included a provision that “[i]nadvertent production of privileged documents does not operate as a waiver of that privilege.”  During discovery, the defendant produced 2,200 pages which inadvertently included 43 privileged documents totaling 146 pages.  Defense counsel realized the mistake twelve days later while preparing a privilege log and immediately sought to claw the documents back, but plaintiff’s counsel refused to return or destroy the documents; however, they did represent that once the dispute arose, they sequestered the documents and refrained from discussing them with their client.

As requested by the Court, defense counsel submitted the 43 documents for in camera inspection, which revealed that nearly a third of them (14 documents) contained the word “legal” and the signature block of in-house counsel was referenced in two others.  Nonetheless, defense counsel insisted the documents had been reviewed for privilege.

Then, six weeks later, while dispute over the first production “ensued”, the defendant once again produced the 43 privileged documents to the plaintiff as part of re-producing the same 2,200 pages because the first production wasn’t text searchable.  Defense counsel indicated that they performed a “spot check” of the documents before they were produced via FTP, but did not observe that they contained the same privileged documents from the original production.

Judge’s Ruling

Judge Jolson, while noting that she did not get to hear from the “second-year associate who allegedly performed the privilege review prior to the first production and the litigation support staff member who allegedly erred during the second production”, nonetheless assumed, arguendo, “that Defendant has met its burden of showing that the two productions qualify as inadvertent.”

Judge Jolson then turned to the “impact” of the parties’ clawback agreement on the question of waiver, citing three frameworks applied by other courts: “(1) if a clawback is in place, it always trumps Rule 502(b); (2) a clawback agreement trumps Rule 502(b) unless the document production itself was completely reckless; and (3) a clawback agreement trumps Rule 502(b) only if the agreement provides concrete directives regarding each prong of Rule 502(b)”.

Rejecting the first approach as it would “undermine the lawyer’s responsibility to protect the sanctity of the attorney-client privilege”, Judge Jolson then considered the second and third frameworks.  Determining that defense counsel “reviewed a limited number of documents and made critical and reckless mistakes”, Judge Jolson stated that she “need not choose” between the second and third frameworks because “when taking into account the careless privilege review, coupled with the brief and perfunctory clawback agreement, following either approach leads to the same result: Defendant has waived the privilege.”  As a result, Judge Jolson ruled that the defendant had waived privilege on the twice inadvertently produced documents.

So, what do you think?  Should clawback agreements protect parties from any inadvertent disclosure?  Would a 502(d) order have protected the defendant here?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.


Court Issues Adverse Inference Sanction for Failing to Preserve Non Party’s Text Messages: eDiscovery Case Law

This is a case from earlier this year that we never got around to covering.  It’s hard to believe that it’s been over 40 years since the Lynyrd Skynyrd plane crash that took the life of lead singer and guitarist Ronnie Van Zant and five other people.  To read a retrospective on one of rock music’s most notable airplane disasters, here’s a terrific article from Rolling Stone.  To check out case law that relates to use of the band’s name – less dramatic, but still interesting (at least to some of us), read below.

In Ronnie Van Zant, Inc. v. Pyle, No. 17 Civ. 3360 (RWS) (S.D.N.Y. Aug. 28, 2017), New York District Judge Robert W. Sweet, among other rulings, issued an adverse inference sanction against one of the defendants for its failure to preserve text messages in the possession of a non-party, finding that defendant had control of the non-party’s text messages, given that he was contracted by the defendant and provided documents and gave a deposition during discovery.

Case Background

In this dispute over alleged violation of a Consent Order (which controlled the circumstances under which surviving band members could use the name Lynyrd Skynyrd) and efforts by Cleopatra Records to make a film about the crash (working with Artimus Pyle, the drummer for Lynyrd Skynyrd and a survivor of the 1977 crash, who was a signatory “under protest” to the Consent Order), the plaintiffs initially sent a cease and desist letter and ultimately filed suit against Pyle and Cleopatra alleging violation of the Consent Order.

Several weeks after the suit was filed and after filming of the disputed movie, Jared Cohn (who had been hired by Cleopatra as the director and screenwriter, but was a non-party to the litigation), switched cell phone providers and acquired a new phone.  Some data, such as pictures, were transferred while other data, such as text messages (including those exchanged with Pyle), were not transferred and were lost.  As a result, the plaintiffs sought an adverse inference sanction against Cleopatra for failure to preserve the text messages.

In response to the plaintiffs’ motion, Cleopatra argued that it could not be sanctioned for a non-party’s actions and that the phone was not within its control, that the plaintiffs had not issued a valid subpoena, and that the plaintiffs had not shown prejudice because they could have acquired the text messages from Pyle and because the defendants had produced a large number of other documents, rendering the missing messages cumulative.

Judge’s Ruling

With regard to Cleopatra’s argument regarding lack of control over the text messages, Judge Sweet stated: “Here, while Cohn is a non-party, his text messages were, practically speaking, under Cleopatra’s control. Cohn was contracted by Cleopatra to work on the Film, and the evidence has established that he worked closely with Cleopatra for over the past year. Over the course of the instant litigation, Cohn has participated by providing documents and took a deposition sought by Plaintiffs during discovery…As has been found relevant in other cases determining the relationship between a party and non-parties, Cohn also has a financial interest in the outcome of this litigation, since he is entitled to a percentage of the Film’s net receipts, which would be zero should Plaintiffs prevail…In sum, while determining practical control is not an exact science, ‘common sense’ indicates that Cohn’s texts with Pyle were within Cleopatra’s control, and in the face of pending litigation over Pyle’s role in the Film, should have been preserved.”

Judge Sweet also rejected the argument that a subpoena was required, noting “what the rules require is independent of a proper subpoena and simply that the lost information ‘should have been preserved,’ and there has been no dispute that the missing texts would have been relevant to the instant matter.”  He also rejected the lack of prejudice argument, indicating that, of the evidence already produced by Cleopatra, “none speak directly to an important piece of this puzzle that would have been covered by the texts: the quality of interaction between Pyle, the Consent Order’s signatory, and Cohn, the principal writer and singular director of the Film, a relationship that evidence established was principally developed through text messages.”  In granting the motion for adverse inference sanction, Judge Sweet noted that Cohn’s actions of retaining his pictures but not his text messages “evince the kind of deliberate behavior that sanctions are intended to prevent and weigh in favor of an adverse inference.”

So, what do you think?  Should the defendant have been sanctioned for the actions of a non-party?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.


Court Disagrees with Plaintiff’s Contentions that Defendant’s TAR Process is Defective: eDiscovery Case Law

In Winfield, et al. v. City of New York, No. 15-CV-05236 (LTS) (KHP) (S.D.N.Y. Nov. 27, 2017), New York Magistrate Judge Katharine H. Parker, after conducting an in camera review of the defendant’s TAR process and a sample set of documents, granted in part and denied in part the plaintiffs’ motion, ordering the defendant to provide copies of specific documents where the parties disagreed on their responsiveness and a random sample of 300 additional documents deemed non-responsive by the defendant.  Judge Parker denied the plaintiffs’ request for information about the defendant’s TAR process, finding no evidence of gross negligence or unreasonableness in its process.

Case Background

In this dispute over alleged discrimination in the City’s affordable housing program, the parties had numerous disputes over the handling of discovery by the defendant in the case.  The plaintiffs lodged numerous complaints about the pace of discovery and document review, which initially involved only manual linear review of documents, so the Court directed the defendant to complete linear review as to certain custodians and begin using Technology Assisted Review (“TAR”) software for the rest of the collection.  After a dispute over the search terms selected for use, the plaintiffs proposed over 800 additional search terms to be run on certain custodians, most of which (after negotiation) were accepted by the defendant (despite a stated additional cost of $248,000 to review the documents).

The defendant proposed to use its TAR software for this review, but the plaintiffs objected, contending that the defendant had over-designated documents as privileged and non-responsive, using an “impermissibly narrow view of responsiveness” during its review process.  To support their contention, the plaintiffs produced certain documents to the Court that the defendant produced inadvertently (including 5 inadvertently produced slip sheets of documents not produced), which they contended should have been marked responsive and relevant.  As a result, the Court required the defendant to submit a letter for in camera review describing its predictive coding process and training for document reviewers.  The Court also required the defendant to provide a privilege log for a sample set of 80 documents that it designated as privileged in its initial review.  Out of those 80 documents, the defendant maintained its original privilege assertions over only 20 documents, finding 36 of them non-privileged and producing them as responsive and another 15 of them as non-responsive.

As a result, the plaintiffs filed a motion requesting random samples of several categories of documents and also sought information about the TAR ranking system used by the defendant and all materials submitted by the defendant for the Court’s in camera review relating to predictive coding.

Judge’s Ruling

Judge Parker noted that both parties did “misconstrue the Court’s rulings during the February 16, 2017 conference” and ordered the defendant to “expand its search for documents responsive to Plaintiffs’ document requests as it construed this Court’s prior ruling too narrowly”, indicating that the plaintiffs should meet and confer with the defendant after reviewing the additional production if they “believe that the City impermissibly withheld documents responsive to specific requests”.

As for the plaintiffs’ challenges to the defendant’s TAR process, Judge Parker referenced Hyles v. New York City, where Judge Andrew Peck, referencing Sedona Principle 6, stated the producing party is in the best position to “evaluate the procedures, methodologies, and technologies appropriate for preserving and producing their own electronically stored information.”  Judge Parker also noted that “[c]ourts are split as to the degree of transparency required by the producing party as to its predictive coding process”, citing cases that considered seed sets as work product and other cases that supported transparency of seed sets.  Relying on her in camera review of the materials provided by the defendant, Judge Parker concluded “that the City appropriately trained and utilized its TAR system”, noting that the defendant’s seed set “included over 7,200 documents that were reviewed by the City’s document review team and marked as responsive or non-responsive in order to train the system” and that “the City provided detailed training to its document review team as to the issues in the case.”

As a result, Judge Parker ordered the defendant “to produce the five ‘slip-sheeted’ documents and the 15 NR {non-responsive documents reclassified from privileged} Documents”, “to provide to Plaintiffs a sample of 300 non-privileged documents in total from the HPD custodians and the Mayor’s Office” and to “provide Plaintiffs with a random sample of 100 non-privileged, non-responsive documents in total from the DCP/Banks review population” (after applying the plaintiffs’ search terms and utilizing TAR on that collection).  Judge Parker ordered the parties to meet and confer on any disputes “with the understanding that reasonableness and proportionality, not perfection and scorched-earth, must be their guiding principles.”  Judge Parker denied the plaintiffs’ request for information about the defendant’s TAR process (but “encouraged” the defendant to share information with the plaintiffs) and denied the plaintiffs’ request for the defendant’s in camera submissions as being protected by the work product privilege.

So, what do you think?  Should TAR ranking systems and seed sets be considered work product or should they be transparent?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.


eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Four: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part One was last Monday, Part Two was last Wednesday and Part Three was last Friday.  Here’s the fourth and final part.

Part Four: Now That I Understand The GDPR, What Do I Do?

In preparing for GDPR, all companies should start by doing the following:

Determine Their Role Under the GDPR: Any organization that decides on why and how personal data is processed is essentially a “data controller”, regardless of geographic location.

Appoint a Data Protection Officer: This is especially critical if the organization is a public body or is doing regular large-scale processing.

Prepare for Data Subjects Exercising Their Rights: These include the right to data portability and the right to be informed as well as the right to be forgotten.

And then, companies should continue by taking the following steps:

  • Build a data map
  • Identify all privacy-related data
  • Analyze all privacy-related data
  • Conform all data handling practices to GDPR standards
  • Ensure compliance policies and procedures meet GDPR standards
  • Secure all systems against data theft
  • Obtain ISO 27001 Certification
  • Hire a Consumer Data Ombudsman specifically for dealing with requests and complaints from data subjects.

This new GDPR regulatory framework will be the strictest privacy doctrine in the world and appears to be on a collision course with some US based discovery rules.

Bart Willemsen, research director at Gartner, recently commented that, “The GDPR will affect not only EU-based organizations, but many data controllers and processors around the globe and with the renewed focus on individual data subjects and the threat of fines of up to €20 million or 4% of annual global turnover for breaching GDPR, organizations have little choice but to re-evaluate measures to safely process personal data.”

Despite this warning and even though many organizations have been monitoring and preparing for the GDPR during the past few years of negotiation, more than a few have not. Gartner predicts that on May 28 of next year, more than half of companies affected by the GDPR will not comply fully with its requirements.

So immediate preparation is essential.  Keep in mind that the goal of the GDPR is not to punish business entities but rather the public policy purpose of ensuring that companies and public bodies increase their ability to detect and deter breaches.

Fines are designed to be proportional to the effort by companies to comply with the new regulations and will focus on those which systematically either fail to comply with the law or disregard it altogether. They can be avoided by companies which are transparent in their policies and procedures, make a good faith effort to develop that transparency and report any data breaches swiftly.

Prepare now to put into place policies and procedures for both compliance and reporting, especially if you have multiple business locations and/or handle data from inside the EU.  Various consulting firms and trusted advisors such as CloudNine can help provide guidance but don’t delay.  Remember that given the Gartner figures above, organizations in compliance with the GDPR may find themselves with a true competitive differentiator on May 25, 2018.

So, what do you think?  Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.


eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Three: eDiscovery Best Practices


Tom’s overview is split into four parts, so we’ll cover each part separately.  Part One was Monday, Part Two was Wednesday.  Here’s the third part.

Part Three: eDiscovery and the GDPR

Initial hopes were that the GDPR would promote eDiscovery cooperation between the US and Europe by standardizing data protection laws and regulations among the 31 EEA nations and the US.  But instead, some sections of the new regulation emphasize even further the difference between US law and the European countries mentioned in Part One.

US discovery comes from the UK common law system, but the other EU countries do not share that background and typically have no discovery at all or it is only available through specific requests to a judge. The regulations tend to favor that approach and thus make things difficult for US eDiscovery practitioners in several areas set out below.

First and perhaps most important is the issue of litigation holds.  In the US, data being held pursuant to a litigation hold is not considered to be data undergoing “processing”.  The GDPR definition of processing, however, is much broader and makes no provisions for holding personal data for an unlimited period of time simply because of the possibility of impending litigation in the US.

Other areas of disconnect include:

DPO Requirement: There are concerns that when a company must create a DPO position, it will exacerbate relations with any US concern seeking data by institutionalizing the resistance to data requests under the new GDPR compliance structure.

Privacy Impact Assessment (PIA) Obligation: Data that is inadvertently deleted and is potentially relevant to an ongoing investigation or litigation in the US could result in a request for a company to produce data audit information. But the company’s compliance with the GDPR’s PIA requirements would appear to create a shield against any such discovery request.

Transfer of Data to Third Countries: Article 48 of the GDPR expressly states that orders or judgments by non-EU courts and administrative authorities requiring transfer or disclosure of personal data are not a valid basis for transferring data to third countries. Article 48 states, rather, that such orders or requests will be recognized only in so far as they are based on international agreements or treaties between the third country and the EU or member state, such as The Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters.

It would appear then at first blush that no request for a data transfer to a third country outside the EU will stand unless supported by a treaty or trade agreement. None of those options is well suited for a US-based discovery suit.

Data Portability Rights: Custodians who request the deletion and/or transfer of their own data, especially during a government investigation or litigation, may create a conflict between US preservation requirements and the GDPR right to forget provisions.

Sanctions: The new GDPR privacy requirements may push US litigants to early settlements rather than proceed with litigation discovery that may lead to high fines in Europe or ethical issues with regards to preservation or “complete” discovery under FRCP Rule 26(g) in the US.

Extraterritorial Effects: As noted in the Introduction, the GDPR covers not only data stored in the EU but also any data created or stored in the US that concerns an EU citizen.

THE BUSINESS OF THE GDPR: CONTROLLERS AND PROCESSORS

The GDPR defines two distinct roles for business entities, that of “controller” and that of “processor”. A “controller” determines the purposes and means of the processing of personal data whether on-premises or while using a third-party cloud provider’s IT technology, whereas a “processor” actually processes the personal data on behalf of a controller.

An organization cannot be both a controller and a processor of the same data, but it can be a controller of one set of data and a processor of yet another. For example, a software company such as Microsoft or IBM may be a controller with respect to personal data that it collects from its employees but can also be a processor with respect to personal data that its commercial customers collect and the company processes on their behalf through their own solutions such as Office 365 or Watson.

With respect to data sets where the company is the controller, it is directly responsible for responding to data subject requests under the GDPR.  When it is a processor, it must ensure that its customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to such requests.

Any organization that decides on how personal data is processed is essentially a data controller.  Companies which are primarily controllers will be concerned with addressing all aspects of the GDPR.  Regardless of the specific business structure, every controller will need to be sure that:

  • Compliance policies and procedures are in place
  • Business management controls are implemented
  • Users are properly trained
  • Data is properly secured
  • IT properly implements a secure system

Service providers acting as data processors have increased obligations to meet the GDPR privacy standards.  As such, a processor who demonstrates compliance with the heightened GDPR standards will likely be recognized as a preferred provider within the industry.

Processors should also have audit trails for all processing activities including:

  1. Data quality control
  2. Purpose limitations
  3. Data relevance

Processors should also demonstrate accountability and transparency in all decisions regarding personal data processing activities to maintain compliance for both present and future personal data processing activities.

Third-party service providers which are only data processors should also meet these standards. The GDPR standards require proper data subject consent and that consent and consent withdrawal must be documented scrupulously. Implied consent will no longer be accepted as an approval method.

In parts one through three in this series we have established a baseline for understanding the intent and impact of the GDPR and highlighted its impact on eDiscovery. On Monday, in the final part of our series, we will look at some recommendations for companies seeking to prepare and comply with the GDPR.

So, what do you think?  Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Dispute Over Scope of Preservation Obligation Leads to Partial Sanctions For Now: eDiscovery Case Law

In E.E.O.C. v. GMRI, Inc., No. 15-20561-CIV-LENARD/GOODMAN (S.D. Fla. Nov. 1, 2017), Florida Magistrate Judge Jonathan Goodman, in a very lengthy and detailed order, denied in part and granted in part the plaintiff’s motion for sanctions for spoliation of paper applications, interview booklets, and emails.  Judge Goodman did not grant the request for the most severe type of relief sought – permissible inferences at the summary judgment and trial stages – but did rule that the plaintiff could “present evidence of the purportedly destroyed and/or missing paper applications, interview booklets and guides, and emails to the jury” and “argue to the jury that Seasons 52 acted in bad faith (as defined by Rule 37(e)(2))”, which could lead to the jury inferring that the lost ESI was unfavorable to the defendant.

Case Background

In this age discrimination case filed by the Equal Employment Opportunity Commission (EEOC) against the defendant owner of a chain of restaurants, the investigation by the EEOC began as an investigation of two employee complaints against the defendant’s Coral Gables restaurant location in late 2010.  At that time, the EEOC notified Seasons 52 (the restaurant chain owned by the defendant) of the charges and explained the EEOC’s recordkeeping regulations.  Then, on August 31, 2011, the EEOC issued an “expansion letter” and notified Seasons 52 that it was expanding the investigation to include Seasons 52’s hiring practices throughout the nation as they affect a class of individuals, applicants for employment, because of their ages.  The EEOC also sent a follow-up letter, dated the next day, which requested additional information and which referenced “expansion” of the case.  In July 2013, the EEOC issued Letters of Determination finding that Seasons 52 had engaged in age discrimination and filed its complaint in February 2015.

However, there was a dispute over the August 31, 2011 letter, which the defendant (during an October 11, 2017 evidentiary hearing) claimed it never received.  The defendant acknowledged it did receive the September 1, 2011 letter.  Nonetheless, the defendant contended that it was under a duty to preserve for only one restaurant in Coral Gables because the two complaints that triggered the EEOC investigation concerned that sole location. However, the plaintiff contended that Seasons 52 had a duty to preserve for all restaurants in the country because the scope of the investigation expanded into a national investigation encompassing all Seasons 52 restaurants.  So, while the defendant issued a litigation hold in Coral Gables in December 2010, it did not issue litigation holds for other locations until at least May 2015.  As a result, the defendant failed to preserve paper applications, interview booklets and emails in most of its locations (the order has WAY more detail on the extent of the failure to preserve).

Stating that the plaintiff “has come up empty handed”, the defendant filed a summary judgment motion and the plaintiff filed its motion for sanctions shortly thereafter, which the defendant contended was a last minute attempt to save the case.

Judge’s Ruling

Judge Goodman began by referencing a song from John Hiatt, who wrote a song released in 1995 called Shredding the Document, as being “at the heart of the sanctions motion being considered here”.  He rejected the defendant’s argument that the plaintiff’s motion was in direct response to the defendant’s summary judgment motion, noting that it was filed only two days after and it was “highly likely” that the plaintiff began preparing the sanctions motion long before it received the defendant’s summary judgment motion.

With regard to the dispute over the August 31, 2011 letter, Judge Goodman, observing that “Seasons 52’s witnesses unequivocally testified that they never received it and that their records and databases do not contain it”, that “they concede receipt of other letters” and that the zip code on the letter was incorrect, ruled: “The EEOC has not established by a preponderance of the evidence that Seasons 52 received the so-called August 31, 2011 expansion letter.”

However, noting that “The September 1, 2011 letter made explicit reference to an ‘expansion’ of the case, and Seasons 52 was regularly forwarding information about 10 restaurants and then added another restaurant…to the ongoing production”, Judge Goodman found that “Seasons 52 was therefore under a duty to preserve relevant materials for those 11 restaurants” and found their “lack of logical follow-through to be unacceptable.”

Noting that “the EEOC’s expert witness was still able to reach conclusions even without certain paper applications and interview booklets”, Judge Goodman determined that “some prejudice” had occurred, but that “Seasons 52 certainly has a logical argument that the missing materials were not critical or crucial to the EEOC’s case, which is why the Undersigned is not now granting the EEOC harsh-type sanctions like a permissible adverse inference.”  As a result, Judge Goodman did not grant the request for the most severe type of relief sought – permissible inferences at the summary judgment and trial stages – but did rule that the plaintiff could “present evidence of the purportedly destroyed and/or missing paper applications, interview booklets and guides, and emails to the jury” and “argue to the jury that Seasons 52 acted in bad faith (as defined by Rule 37(e)(2))”, which could lead to the jury inferring that the lost ESI was unfavorable to the defendant.

So, what do you think?  Should juries decide spoliation is unfavorable to a party without judicial instructions to that effect?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.


eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Two: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part One was Monday; here’s the second part.

Part Two: GDPR Definitions and Changes

A DEFINITIONAL BASELINE FOR GDPR

The first and overriding concept to be understood in dealing with the GDPR is how the regulation defines personal and sensitive data and then to determine how those definitions relate to data held by your organization.  Once you understand those concepts, you can proceed to pinpoint where any data meeting the definitions is created, managed and stored.

The GDPR considers personal data to be any information related to an identifiable natural person and calls such a person a “data subject.” That can include both direct identification such as a name or indirect identification which clearly points to a specific person.  This includes online identifiers such as IP addresses and location data such as a mobile device ID or position, which the EU Data Protection Directive had previously been vague about.

Examples of information relating to an identifiable person include:

  • Name
  • Identification number such as SSN, INSEE code, Codice fiscale, DNI, etc.
  • Location data such as home address
  • Online identifier such as e-mail address, screen names, IP address, etc.
  • Genetic data such as biological samples or DNA, including gene sequence
  • Biometric data such as fingerprints or facial recognition
  • Health data
  • Data concerning a person’s sex life or sexual orientation

There is also a general category which includes data which may reveal:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership

All such sensitive personal data is afforded enhanced protections under the GDPR and generally requires an individual’s explicit consent where such data is retained or used.

Other pertinent definitions include:

Consent: Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.

Controller: A controller alone or jointly with others, determines the purposes and means of the processing of personal data whether on-premises or while using a third-party cloud provider’s IT technology.  A controller is directly responsible for responding to data subject requests under the GDPR.

Data Breach Notification: Data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals.

Data Protection Officers: Companies must appoint data protection officers (DPOs). Initially, the DPO requirement was limited to companies of more than 250 employees, but the final version of the GDPR contains no such restriction. However, although almost all public organizations must have a DPO, only private organizations conducting regular monitoring of data subjects or processing conviction information must appoint a DPO.

Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.

Fines: GDPR violations can result in substantial fines of up to 4 percent of annual revenue or 20 million Euro, whichever is greater.

Processor: A “processor” processes personal data on behalf of a controller (e.g., Microsoft is a processor with respect to personal data that its commercial customers collect and Microsoft processes on their behalf through solutions like Office 365.)

A processor must ensure that its commercial customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to data subject requests under the GDPR.

Right to Access: The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge.

Right to Erasure: Known formerly as the “right to be forgotten,” these provisions give data subjects the right to have information about them “erased.” The data may not be disseminated, but there is a balancing test between the individual’s rights and the public interest in the data.

IMPORTANT CHANGES AND ORGANIZATIONAL IMPACT

Among the key new elements of the GDPR are the following practical results:

  • Requirement that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required;
  • Significant penalties for non-compliance including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply;
  • Changes to eDiscovery practice in the US.

DATA EXISTENCE AND GDPR COMPLIANCE 

The GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required. Specifically, organizations must have in place procedures to ensure the personal data of EU residents is secure, accessible, and can be identified upon request.

Balance these requirements against recent IDG research which suggests that approximately 70% of information stored by companies is “dark data” in a distributed, unstructured format.  If that figure is accurate, the new requirement will pose substantial legal risks.

To achieve GDPR compliance, organizations will need to develop explicit policies for handling personal information.  This will need to include:

  • Enterprise-wide Data Inventory: Identify the presence of personal data in all locations
  • Data Minimization: Retain as little personal data on EU subjects as possible.
  • Enforcement of Right to Be Forgotten: An individual’s personal data must be identified and deleted on request.
  • Effective Response Time: The ability to conduct enterprise-wide searches and report on the extent of any data breach within seventy-two (72) hours.
  • Accountability: Ability to create audit trails for all personal data identification requests.

Finally, and equally important, the company must be able to show that these policies are being enforced and followed throughout the enterprise. Failure in any of these areas will now lead to heavy fines.

FINES: THE POTENTIAL COST OF NON-COMPLIANCE

One of the biggest changes coming with the GDPR is the increase in fines for violations. Previously, under the Directive, each member state was free to adopt laws in accordance with the principles laid out in the Directive, which meant that there were differences in the way each member country implemented and enforced the Directive.

But the GDPR is a regulation that applies to all member states of the EU and as such provides a new uniform regulatory framework. This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to their own data subjects.

Under this new framework, a member state’s supervisory authority will operate in one of these ways:

  • Lead Supervisory Authority: will act as the lead for the controllers and processors whose main establishments are located in its member state.
  • Local Authority: may deal with complaints or infringements that only affect data subjects in its member state.
  • Concerned Authorities: will cooperate with the lead supervisory authority when data subjects in their member state are affected.

Article 58 of the GDPR provides these supervisory authorities with the power to impose administrative fines under Article 83 based on several factors, including:

  • How the regulator was told about the infringement
  • Types of data involved
  • Duration of the infringement
  • Whether the infringement was intentional or negligent
  • Policies and procedures deployed by the company
  • Prior infringements by the controller or processor
  • Degree of cooperation with the regulator

How is the fine calculated? There is a tiered approach with technical issues being separated from actual records management. Non-compliance on technical measures such as impact assessments, breach notifications and certifications can lead to a fine up to an amount that is the GREATER of 10 million or 2% of global annual revenue. If the breach involves key provisions of the GDPR (processing personal data, infringement of the rights of data subjects or transfer of personal data to third countries or international organizations that do not meet GDPR standards) the fine can be an amount that is up to the GREATER of 20 million or 4% of global annual turnover in the prior year.  Finally, it is important to note that these rules apply to both controllers and processors which means ‘clouds’ will not be exempt from GDPR enforcement.

In part one and part two of this series, we have established a baseline for understanding the intent and impact of the GDPR. On Friday, in part three, we will look directly at the impact of the GDPR on eDiscovery.

So, what do you think?  Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.


Start Planning for Next Year, This Year: eDiscovery Trends

We’re getting close to the end of another year.  What do organized people in eDiscovery do when that happens?  Start planning for next year.

On his excellent Complex Discovery blog, Rob Robinson helps you get a “running start” in your planning for next year, with a preliminary list of eDiscovery-related industry events for 2018.  From Legalweek (a.k.a., Legaltech) at the end of January to The Masters Conference Orlando event in November, Rob has identified 41 initial eDiscovery and cybersecurity related events (with links to each) to consider adding to your calendar for next year.  Here are a few highlights:

These are just a few of the cool events related to eDiscovery and cybersecurity for next year.  In addition, you have terrific regional events, like The Masters Conference, which has events planned next year for Dallas, San Francisco, Chicago, Denver, New York, London, Washington DC and (as mentioned above) Orlando.

Of course, other events will undoubtedly be added to the calendar as the year progresses (for example, I would guess there would be another E-Discovery Day in December, though I doubt it will be on December 1 as that falls on a Saturday next year – consider it a “floating” holiday, haha).  Regardless, Rob’s list (once again) provides a great eDiscovery and cybersecurity related event list by which to plan your 2018 event activities.  Click here to access the list.

So, what do you think?  Do you have a favorite eDiscovery or cybersecurity event you like to attend every year?  Please share any comments you might have or if you’d like to know more about a particular topic.
