Electronic Discovery

Dispute Over Scope of Preservation Obligation Leads to Partial Sanctions For Now: eDiscovery Case Law

In E.E.O.C. v. GMRI, Inc., No. 15-20561-CIV-LENARD/GOODMAN (S.D. Fla. Nov. 1, 2017), Florida Magistrate Judge Jonathan Goodman, in a very lengthy and detailed order, denied in part and granted in part the plaintiff’s motion for sanctions for spoliation of paper applications, interview booklets, and emails.  Judge Goodman did not grant the request for the most severe type of relief sought – permissible inferences at the summary judgment and trial stages – but did rule that the plaintiff could “present evidence of the purportedly destroyed and/or missing paper applications, interview booklets and guides, and emails to the jury” and “argue to the jury that Seasons 52 acted in bad faith (as defined by Rule 37(e)(2))”, which could lead to the jury inferring that the lost ESI was unfavorable to the defendant.

Case Background

In this age discrimination case filed by the Equal Employment Opportunity Commission (EEOC) against the defendant owner of a chain of restaurants, the investigation by the EEOC began as an investigation of two employee complaints against the defendant’s Coral Gables restaurant location in late 2010.  At that time, the EEOC notified Seasons 52 (the restaurant chain owned by the defendant) of the charges and explained the EEOC’s recordkeeping regulations.  Then, on August 31, 2011, the EEOC issued an “expansion letter” and notified Seasons 52 that it was expanding the investigation to include Seasons 52’s hiring practices throughout the nation as they affect a class of individuals, applicants for employment, because of their ages.  The EEOC also sent a follow-up letter, dated the next day, which requested additional information and which referenced “expansion” of the case.  In July 2013, the EEOC issued Letters of Determination finding that Seasons 52 had engaged in age discrimination and filed its complaint in February 2015.

However, there was a dispute over the August 31, 2011 letter, which the defendant claimed (during an October 11, 2017 evidentiary hearing) it never received.  The defendant acknowledged it did receive the September 1, 2011 letter.  Nonetheless, the defendant contended that it was under a duty to preserve for only one restaurant in Coral Gables because the two complaints that triggered the EEOC investigation concerned that sole location. However, the plaintiff contended that Seasons 52 had a duty to preserve for all restaurants in the country because the scope of the investigation expanded into a national investigation encompassing all Seasons 52 restaurants.  So, while the defendant issued a litigation hold in Coral Gables in December 2010, it did not issue litigation holds for other locations until at least May 2015.  As a result, the defendant failed to preserve paper applications, interview booklets and emails in most of its locations (the order has WAY more detail on the extent of the failure to preserve).

Stating that the plaintiff “has come up empty handed”, the defendant filed a summary judgment motion and the plaintiff filed its motion for sanctions shortly thereafter, which the defendant contended was a last-minute attempt to save the case.

Judge’s Ruling

Judge Goodman began by referencing a song from John Hiatt, who wrote a song released in 1995 called Shredding the Document, as being “at the heart of the sanctions motion being considered here”.  He rejected the defendant’s argument that the plaintiff’s motion was in direct response to the defendant’s summary judgment motion, noting that it was filed only two days after and it was “highly likely” that the plaintiff began preparing the sanctions motion long before it received the defendant’s summary judgment motion.

With regard to the dispute over the August 31, 2011 letter, Judge Goodman, observing that “Seasons 52’s witnesses unequivocally testified that they never received it and that their records and databases do not contain it”, that “they concede receipt of other letters” and that the zip code on the letter was incorrect, ruled: “The EEOC has not established by a preponderance of the evidence that Seasons 52 received the so-called August 31, 2011 expansion letter.”

However, noting that “The September 1, 2011 letter made explicit reference to an ‘expansion’ of the case, and Seasons 52 was regularly forwarding information about 10 restaurants and then added another restaurant…to the ongoing production”, Judge Goodman found that “Seasons 52 was therefore under a duty to preserve relevant materials for those 11 restaurants” and found their “lack of logical follow-through to be unacceptable.”

Noting that “the EEOC’s expert witness was still able to reach conclusions even without certain paper applications and interview booklets”, Judge Goodman determined that “some prejudice” had occurred, but that “Seasons 52 certainly has a logical argument that the missing materials were not critical or crucial to the EEOC’s case, which is why the Undersigned is not now granting the EEOC harsh-type sanctions like a permissible adverse inference.”  As a result, Judge Goodman did not grant the request for the most severe type of relief sought – permissible inferences at the summary judgment and trial stages – but did rule that the plaintiff could “present evidence of the purportedly destroyed and/or missing paper applications, interview booklets and guides, and emails to the jury” and “argue to the jury that Seasons 52 acted in bad faith (as defined by Rule 37(e)(2))”, which could lead to the jury inferring that the lost ESI was unfavorable to the defendant.

So, what do you think?  Should juries decide spoliation is unfavorable to a party without judicial instructions to that effect?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

eDiscovery and the GDPR: Ready or Not, Here it Comes, Part Two: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Part One was Monday. Here’s the second part.

Part Two: GDPR Definitions and Changes

A DEFINITIONAL BASELINE FOR GDPR

The first and overriding concept to be understood in dealing with the GDPR is how the regulation defines personal and sensitive data, and then how those definitions relate to data held by your organization.  Once you understand those concepts, you can proceed to pinpoint where any data meeting the definitions is created, managed, and stored.

The GDPR considers personal data to be any information related to an identifiable natural person and calls such a person a “data subject.” That can include both direct identification such as a name or indirect identification which clearly points to a specific person.  This includes online identifiers such as IP addresses and location data such as a mobile device ID or position, which the EU Data Protection Directive had previously been vague about.

Examples of information relating to an identifiable person include:

  • Name
  • Identification number such as SSN, INSEE code, Codice fiscale, DNI, etc.
  • Location data such as home address
  • Online identifier such as e-mail address, screen names, IP address, etc.
  • Genetic data such as biological samples or DNA, including gene sequence
  • Biometric data such as fingerprints or facial recognition
  • Health data
  • Data concerning a person’s sex life or sexual orientation

There is also a general category which includes data which may reveal:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership

All such sensitive personal data is afforded enhanced protections under the GDPR and generally requires an individual’s explicit consent where such data is retained or used.

Other pertinent definitions include:

Consent: Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language.

Controller: A controller, alone or jointly with others, determines the purposes and means of the processing of personal data, whether on-premises or while using a third-party cloud provider’s IT technology.  A controller is directly responsible for responding to data subject requests under the GDPR.

Data Breach Notification: Data breach notifications must be given to the applicable supervisory authority within 72 hours of a data breach where feasible and where the breach is likely to “result in a risk to the rights and freedoms” of individuals.

Data Protection Officers: Companies must appoint data protection officers (DPOs). Initially, the DPO requirement was limited to companies of more than 250 employees, but the final version of the GDPR contains no such restriction. However, although almost all public organizations must have a DPO, only private organizations conducting regular monitoring of data subjects or processing conviction information must appoint a DPO.

Among the DPO’s responsibilities are advising controllers and processors of GDPR requirements and monitoring compliance.

Fines: GDPR violations can result in substantial fines of up to 4 percent of annual revenue or 20 million Euro, whichever is greater.

Processor: A “processor” processes personal data on behalf of a controller (e.g., Microsoft is a processor with respect to personal data that its commercial customers collect and Microsoft processes on their behalf through solutions like Office 365.)

A processor must ensure that its commercial customers (who are the controllers) are using a trusted platform and have the capabilities needed to respond to data subject requests under the GDPR.

Right to Access: The GDPR also gives data subjects greater access to their data, requiring controllers to confirm to subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge.

Right to Erasure: Known formerly as the “right to be forgotten,” these provisions give data subjects the right to have information about them “erased.” The data may not be disseminated, but there is a balancing test between the individual’s rights and the public interest in the data.

IMPORTANT CHANGES AND ORGANIZATIONAL IMPACT

Among the key new elements of the GDPR are the following practical results:

  • Requirement that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required;
  • Significant penalties for non-compliance including substantial fines that are applicable whether an organization has intentionally or inadvertently failed to comply;
  • Changes to eDiscovery practice in the US.

DATA EXISTENCE AND GDPR COMPLIANCE 

The GDPR requires that an organization have absolute knowledge of where all EU personal data is stored across the enterprise, and be able to remove it when required. Specifically, organizations must have in place procedures to ensure the personal data of EU residents is secure, accessible, and can be identified upon request.

Balance these requirements against recent IDG research which suggests that approximately 70% of information stored by companies is “dark data” in a distributed, unstructured format.  If that figure is accurate, the new requirement will pose substantial legal risks.

To achieve GDPR compliance, organizations will need to develop explicit policies for handling personal information.  This will need to include:

  • Enterprise-wide Data Inventory: Identify the presence of personal data in all locations
  • Data Minimization: Retain as little personal data on EU subjects as possible.
  • Enforcement of Right to Be Forgotten: An individual’s personal data must be identified and deleted on request.
  • Effective Response Time: The ability to conduct enterprise-wide searches and report on the extent of any data breach within seventy-two (72) hours.
  • Accountability: Ability to create audit trails for all personal data identification requests.

Finally, and equally important, the company must be able to show that these policies are being enforced and followed throughout the enterprise. Failure in any of these areas will now lead to heavy fines.

FINES: THE POTENTIAL COST OF NON-COMPLIANCE

One of the biggest changes coming with the GDPR is the increase in fines for violations. Previously, under the Directive, each member state was free to adopt laws in accordance with the principles laid out in the Directive, which meant that there were differences in the way each member country implemented and enforced the Directive.

But the GDPR is a regulation that applies to all member states of the EU and as such provides a new uniform regulatory framework. This model is designed to provide a uniform, cross-EU enforcement model that still provides individual member states flexibility on matters that pertain only to their own data subjects.

Under this new framework, a member state’s supervisory authority will operate in one of these ways:

  • Lead Supervisory Authority: will act as the lead for the controllers and processors whose main establishments are located in its member state.
  • Local Authority: may deal with complaints or infringements that only affect data subjects in its member state.
  • Concerned Authorities: will cooperate with the lead supervisory authority when data subjects in their member state are affected.

Article 58 of the GDPR provides these supervisory authorities with the power to impose administrative fines under Article 83 based on several factors, including:

  • How the regulator was told about the infringement
  • Types of data involved
  • Duration of the infringement
  • Whether the infringement was intentional or negligent
  • Policies and procedures deployed by the company
  • Prior infringements by the controller or processor
  • Degree of cooperation with the regulator

How is the fine calculated? There is a tiered approach with technical issues being separated from actual records management. Non-compliance on technical measures such as impact assessments, breach notifications and certifications can lead to a fine up to an amount that is the GREATER of 10 million or 2% of global annual revenue. If the breach involves key provisions of the GDPR (processing personal data, infringement of the rights of data subjects or transfer of personal data to third countries or international organizations that do not meet GDPR standards) the fine can be an amount that is up to the GREATER of 20 million or 4% of global annual turnover in the prior year.  Finally, it is important to note that these rules apply to both controllers and processors which means ‘clouds’ will not be exempt from GDPR enforcement.

In part one and part two of this series, we have established a baseline for understanding the intent and impact of the GDPR. On Friday, in part three, we will look directly at the impact of the GDPR on eDiscovery.

So, what do you think?  Are you ready for the GDPR? Read more about this important event in this overview and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Start Planning for Next Year, This Year: eDiscovery Trends

We’re getting close to the end of another year.  What do organized people in eDiscovery do when that happens?  Start planning for next year.

On his excellent Complex Discovery blog, Rob Robinson helps you get a “running start” in your planning for next year, with a preliminary list of eDiscovery-related industry events for 2018.  From Legalweek (a.k.a., Legaltech) at the end of January to The Masters Conference Orlando event in November, Rob has identified 41 initial eDiscovery and cybersecurity related events (with links to each) to consider adding to your calendar for next year.  Here are a few highlights:

These are just a few of the cool events related to eDiscovery and cybersecurity for next year.  In addition, you have terrific regional events, like The Masters Conference, which has events planned next year for Dallas, San Francisco, Chicago, Denver, New York, London, Washington DC and (as mentioned above) Orlando.

Of course, other events will undoubtedly be added to the calendar as the year progresses (for example, I would guess there would be another E-Discovery Day in December, though I doubt it will be on December 1 as that falls on a Saturday next year – consider it a “floating” holiday, haha).  Regardless, Rob’s list (once again) provides a great eDiscovery and cybersecurity related event list by which to plan your 2018 event activities.  Click here to access the list.

So, what do you think?  Do you have a favorite eDiscovery or cybersecurity event you like to attend every year?  Please share any comments you might have or if you’d like to know more about a particular topic.

eDiscovery and the GDPR: Ready or Not, Here it Comes: eDiscovery Best Practices

Editor’s Note: Tom O’Connor is a nationally known consultant, speaker, and writer in the field of computerized litigation support systems.  He has also been a great addition to our webinar program, participating with me on several recent webinars, including our webinar last Friday on E-Discovery Day (Murphy’s eDiscovery Law – How to Keep What Could Go Wrong From Going Wrong), which was great.  If you missed it, you can check out the replay here.  Now, Tom has written a terrific informational overview on Europe’s General Data Protection Regulation (GDPR) titled eDiscovery and the GDPR: Ready or Not, Here it Comes.  Enjoy! – Doug

Tom’s overview is split into four parts, so we’ll cover each part separately.  Here’s the first part.

Part One: What is the GDPR? A Primer for Understanding

Europe’s General Data Protection Regulation (GDPR) is set to take effect in less than 200 days.  It is important to understand the changes this new set of regulations will impose, but it is also important to understand that even if you don’t have a physical business presence in Europe, the GDPR may apply to you. Any organization that retains personal information of any EU individuals must act to comply with the GDPR.

HOW DID WE GET HERE?

To put the provisions of the GDPR in context, we should first point out the differing concepts of privacy between the United States and Europe.  The US tends to place a high emphasis on the concept of free speech more so than privacy and this emphasis is carried over into the litigation arena.

In the US, we view privacy rights as constitutional in nature, but there is actually no right to privacy enumerated in either the body of the Constitution itself or the Bill of Rights. In fact, it wasn’t until 1965 that the US Supreme Court set out an individual right to privacy when it overturned a state law on contraceptives in Griswold v. Connecticut.

In Europe however, privacy is considered a fundamental right. All the member states of the European Union (EU) are also signatories of the European Convention on Human Rights (ECHR). And Article 8 of the ECHR provides a right to respect for one’s “private and family life, his home and his correspondence,” subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence.

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data.”

The seven principles governing the OECD’s recommendations for protection of personal data were:

  1. Notice: data subjects should be given notice when their data is being collected;
  2. Purpose: data should only be used for the purpose stated and not for any other purposes;
  3. Consent: data should not be disclosed without the data subject’s consent;
  4. Security: collected data should be kept secure from any potential abuses;
  5. Disclosure: data subjects should be informed as to who is collecting their data;
  6. Access: data subjects should be allowed to access their data and make corrections to any inaccurate data; and
  7. Accountability: data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

The OECD Guidelines, however, were non-binding, and data privacy laws still varied widely across Europe.  In 1981 the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was negotiated within the Council of Europe. This convention obliges the signatories to enact legislation concerning the automatic processing of personal data, which many duly did.

But the European Commission realized that diverging data protection legislation amongst EU member states impeded the free flow of data within the EU and since privacy rights were declared in article 8 of the EU Charter of Fundamental Rights, acted to propose a Data Protection Directive. All seven of the OECD principles were incorporated into the EU Data Protection Directive (officially the European Union Directive 95/46/EC on the protection of individuals regarding the processing of personal data and on the free movement of such data) which was adopted in 1995.

However, European directives are guidelines which propose certain results but leave each Member State free to decide how to transpose them into national laws. The EU currently has 28 member states, and a total of 31 nations comprise the European Economic Area (EEA). Over the years, they have made different laws that sometimes contradict each other.

A regulation, on the other hand, is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. Since the 1995 Directive was only able to provide overall guidance in this area, the GDPR is designed to effectively harmonize European data protection laws. It was adopted in April 2016, and will officially supersede the Data Protection Directive and be enforceable starting on May 25, 2018.

The United States, however, while endorsing the OECD’s recommendations, did nothing to implement them within the United States. Part of the issue is the diversity of laws in our federalist structure of government. With 50 states, 94 federal judicial districts, including at least one district in each state, the District of Columbia and Puerto Rico and additional territorial courts and courts of special jurisdiction such as bankruptcy, having a unified privacy directive similar to the GDPR is problematic here.

IMPACT BEYOND THE EU

First, we should note that the GDPR affects more than merely the EU. The regulation applies not just to the 28 member states of the EU but is also being integrated into the 1992 EEA Agreement and thus applies to the 31 member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Liechtenstein.

Second, as noted above, you do not have to have a physical presence in Europe to be covered by the GDPR. It applies to not only EEA nations, but any organization offering goods or services to European data subjects or organizations controlling, processing, or holding personal data of European nationals, regardless of the organization’s location.

PREPARATION TRAJECTORY

Activities to deal with the upcoming implementation of the GDPR have been slowly building momentum. Groups such as The Sedona Conference and the EDRM have been studying best practice principles for US attorneys but numerous questions remain on how to proceed.

The important point is to be prepared.  The GDPR demands, not requests, data privacy compliance and places strong emphasis on organizations to act more responsibly in their data governance practices. More than ever, you need to identify what privacy-related content you possess, why it’s there, and who has access to it.

Failure to adequately prepare for the changes can have severe ramifications, including much higher fines than under the current regulatory environment. These include penalties of up to 4% of the organization’s global gross revenue for non-compliance, a point we will discuss in more detail in following parts of this overview.

For the remainder of the overview, we will highlight key elements, evaluations, and events in the planned implementation of the GDPR. Key elements to be covered will include:

  • Discuss definitions for common terms used in the GDPR
  • Discuss changes in practice to be made under the GDPR
  • Set out distinctions to be made between obligations for a specific company as opposed to service providers
  • Discuss steps to take to ensure compliance with the GDPR

So, what do you think?  Are you ready for the GDPR? Read more about this important event in the following parts of our GDPR series and see how it may impact you and your organization.  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

It’s E-Discovery Day! Here are Some Great Webcasts to Check Out Today!: eDiscovery Best Practices

It’s December 1st, which can only mean one thing – it’s E-Discovery Day 2017!  This (now third) annual event includes a combination of webcasts and in-person events to promote discussion and education of eDiscovery (that’s the way I prefer to spell it, by the way).  Here are some of the webcasts to consider checking out today.

According to Exterro, the organizer of the event, there were over 1,500 webinar participants in 12 webinars last year and 7 in-person events.  So, things are hopping and happening.  Webcasts for today include:

Key E-Discovery GDPR Considerations: Advice from Across the Pond: (10am ET, 9am CT) With only six months until it comes into force, legal teams are left with serious GDPR questions in relation to US e-discovery activities.  Presented by: Sr. Master Steven Whitaker (Ret.) (Queen’s Bench Division); Ralf Sauer (Head – International Data Protection, EU Commission).

The Case is Done but the Data’s Still Everywhere. What’s a Client To Do?: (11am ET, 10am CT) Join members of the Twin Cities ACEDS chapter, and Mary Mack,  for a panel discussion regarding the appropriate disposition of client data.  For many clients this can be the biggest headache.  What do they need to consider when looking at the security of their data once that data gets to law firms and providers?  What measures are taken to protect data held by those organizations and how do you vet those measures?  And, how does the client ensure appropriate disposition of data by their law firms and vendors at the end of a matter?  Our panel will offer a 360 perspective, including that of the client, the vendor, and the law firm.  Presenters include: Caroline Sweeney, Global Director, E-Discovery & Client Technology, Dorsey & Whitney LLP; Heidi J.K. Fessler, Counsel, Barnes & Thornburg LLP; Frank Krahn, Director, Investigative/Legal Discovery, Office Of Risk Management; George Socha, Co-Founder, EDRM, Managing Director, BDO; Mary Mack, Executive Director, ACEDS.

Authentication of Social Media Evidence: A New Twist on the Old Rules: (12pm ET, 11am CT) Social Media has become a hotbed of potential evidence in many cases nationwide over the past several years. The more prevalent cases involving social media as evidence are in the field of personal injury, family law, criminal law, labor law and Workman’s Compensation. How can the researcher best access this invaluable data? How to get the information into evidence? Must one preserve the social media sites where the data resides? What about private data versus public data? How do the Federal Rules of Evidence apply to social media when introducing it as evidence? Don’t miss this session on one of the most exciting areas of the law and come away with good, practical knowledge on how you can capitalize on this potential evidence for your next case. Presented by: Gayle O’Connor, Marketing Manager, Social Evidence; Tom O’Connor, Consultant, Gulf Coast Legal Technology Center.

Murphy’s eDiscovery Law: How to Keep What Could Go Wrong From Going Wrong: (1pm ET, 12pm CT) As data complexity, discovery costs, and regulatory challenges increase in volume and impact, the pulse rate of publicly highlighted eDiscovery mistakes continues to build. While these mistakes are unfortunate for those who experienced them, they can be beneficial to the rest of us in highlighting mistakes you can avoid in your own cases.  Here’s your chance to learn from their mistakes and keep what could go wrong from going wrong. Presented by: Doug Austin, VP of Products and Professional Services, CloudNine; Tom O’Connor, Special Consultant, CloudNine.

Is it Malpractice Not to Get a FRE 502(d) Order?: (3pm ET, 2pm CT) With so few cases going to trial, lawyers may be unaware of provisions in the Federal Rules of Evidence (FRE) that protect privilege during discovery.  In this edTalk, Judge Peck will discuss why every lawyer should use FRE 502(d) in every case to prevent waiver of privilege.  Presented by: Hon. Andrew Peck, United States Magistrate Judge, Southern District of New York.

Updating Your E-Discovery Toolkit: Experts Discuss: (4pm ET, 3pm CT) There’s a lot of noise out there when it comes to what’s hot or new in e-discovery technology. In this roundtable discussion, four e-discovery technology thought leaders will cut through the noise and identify what new e-discovery technology you should be paying attention to in 2018.  Presented by: Craig Ball (Craig D. Ball PC); Ralph Losey (Jackson Lewis); Maura Grossman (University of Waterloo); George Socha (BDO).

These are just some of the excellent webcasts on tap for today.  Here is a link to all of them.  There are also several in-person events and networking opportunities around the country – here is a link to those.

So, what do you think?  Are you “celebrating” E-Discovery Day?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Legal Industry Analyst Ari Kaplan Interviews CloudNine CEO Brad Jenkins

Podcast: The Alignment of E-Discovery, Technology, and Industry Insight

Interview with Brad Jenkins by Legal Industry Analyst Ari Kaplan

I spoke with Brad Jenkins, the co-founder and CEO of CloudNine Discovery, a cloud-based e-discovery software provider. We discussed the genesis of CloudNine, how e-discovery has changed over the past 15 years, the trends that are driving what the company offers, its approach to security, how CloudNine differs from other companies in this sector, its portfolio of educational content, and how e-discovery is evolving.

Click here to listen to the podcast interview (10 Minutes).

Source: Reinventing Professionals


No Dismissal of Claim Against Defendant Accused of Transferring Company Info to Dropbox Account: eDiscovery Case Law

In Abbott Labs. v. Finkel, No. 17-cv-00894-CMA (D. Colo. Nov. 17, 2017), Colorado District Judge Christine M. Arguello denied the defendant-movant’s motion to dismiss the plaintiff-respondent’s conversion claim that the defendant disclosed the plaintiff’s confidential information and trade secrets to a third party and transferred that information to his personal online cloud storage Dropbox account.

Case Background

In December 2014, the plaintiff hired the defendant as a General Manager for its Nutrition Division, where he received access to its confidential information and trade secrets.  To protect that information, the plaintiff required the defendant to sign confidentiality and non-disclosure agreements, and its Electronic Messages policy prohibited him from backing up or storing digital information on personal devices and from sharing information with outside parties.  Despite that, during his employment the defendant both disclosed the plaintiff’s confidential information and trade secrets to a third party and transferred that information to his personal online cloud storage Dropbox account, and he was fired, in part, for that.  On the date of his termination, the plaintiff’s IT personnel (with the defendant’s consent) deleted its confidential information that he transferred to his personal Dropbox account.

However, the plaintiff later discovered that “Dropbox has a feature that allows a user to restore any file or folder removed from an active user account in the past 30 days or longer, depending on the version of Dropbox.”  As a result, the plaintiff asked the defendant 1) to certify that all its information was deleted from any electronic or physical storage location owned or used by the third party, 2) that it be allowed to monitor his Dropbox account activity and ensure that the deletion restoration feature was not activated and 3) to allow a third-party forensic consultant to examine his Dropbox account to ensure that all of the plaintiff’s information was deleted and not re-downloaded or transferred.  When the defendant refused, the plaintiff sued, asserting claims of breach of contract, conversion, and misappropriation of trade secrets.  The defendant filed a motion to dismiss the conversion claim, arguing that the claim is preempted by the Colorado Uniform Trade Secrets Act (“CUTSA”) and the allegations showed that the defendant was authorized to access and use the information and that he returned it to the plaintiff upon request.

Judge’s Ruling

Judge Arguello stated: “To assert a claim of conversion, Plaintiff must show: (1) Plaintiff has a right to the property at issue; (2) Defendant has exercised unauthorized dominion or ownership over the property (3) Plaintiff has made a demand for possession of the property; and (4) Defendant refuses to return it.”  In her analysis, Judge Arguello addressed elements two and four (as one and three were undisputed) and found that the defendant still has unauthorized “dominion or ownership” over the documents and concluded that “Plaintiff has sufficiently pled the fourth element” with regard to defendant’s refusal to allow it to re-access his Dropbox account.

As for the defendant’s contention that the plaintiff’s claim is preempted by CUTSA, Judge Arguello rejected that argument, stating: “At this stage in the litigation, the Court is without a sufficient record to determine whether some, part, or all of Plaintiff’s conversion claim depends on a finding of trade secret status and is, therefore, preempted by the CUTSA. Indeed, none of the allegedly converted information has been presented to the Court, nor has it been described in much detail.”  As a result, she denied the defendant’s motion to dismiss the claim.

So, what do you think?  Should the plaintiff have the right to re-access the defendant’s Dropbox account?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.


Uber’s Response to Data Breach? Pay the Hackers to Keep Quiet About It: Cybersecurity Trends

Hackers stole the personal data of 57 million customers and drivers from Uber last year.  The company’s response?  Conceal the breach for more than a year, and pay the hackers $100,000 to delete the data (sure they did) and keep quiet about the breach.

As reported on Bloomberg (Uber Paid Hackers to Delete Stolen Data on 57 Million People, written by Eric Newcomer) last week, compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

According to Bloomberg, the breach occurred when two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.

Travis Kalanick, Uber’s co-founder and former CEO, learned of the hack in November 2016, a month after it took place, the company said. Uber had just settled a lawsuit with the New York attorney general over data security disclosures and was in the process of negotiating with the Federal Trade Commission over the handling of consumer data. According to Bloomberg, Kalanick declined to comment on the hack.

Joe Sullivan, the outgoing security chief, spearheaded the response to the hack last year, a spokesman told Bloomberg.  Dara Khosrowshahi, the new CEO as of September, asked for the resignation of Sullivan and fired Craig Clark, a senior lawyer who reported to Sullivan.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said in an emailed statement. “We are changing the way we do business.”

After Uber’s disclosure, New York Attorney General Eric Schneiderman launched an investigation into the hack, his spokeswoman Amy Spitalnick said. And it should come as no surprise that the company has already been sued for negligence over the breach by a customer seeking class-action status.

So, what do you think?  How severely should Uber be punished for failing to disclose the breach?  Please share any comments you might have or if you’d like to know more about a particular topic.

Hat tip (as always) to Sharon Nelson of Ride the Lightning for her coverage of the story.


Process This! – Close Outlook Before Compressing or Zipping PST Files for Processing: eDiscovery Best Practices

Having recently experienced this with a client, I thought I would revisit this helpful tip.  This is one of the tips Tom O’Connor and I will be covering this Friday – E-Discovery Day – on our webcast Murphy’s eDiscovery Law: How to Keep What Could Go Wrong From Going Wrong at noon CST (1:00pm EST, 10:00am PST).  Click here to register for Friday’s webcast.

As you may know, at CloudNine (shameless plug warning!), we have an automated processing capability for enabling clients to load and process their own data – they can use this capability to load their data into our review platform.  They can even process and load data straight into Relativity using our Outpost for Relativity module.

Regardless of whether they load data into CloudNine or Relativity, most of our users are using the processing capability to process emails, usually from Outlook Personal Storage Table (PST) files.  Even with increased volumes of social media and other types of electronically stored information, emails are still predominant in eDiscovery.  And, for users trying to process and load that data, we get one issue more than any other when it comes to processing those Outlook emails:

They still have Outlook open with the PST file opened when they attempt to upload that PST file or when they try to create a ZIP file containing the Outlook PST.

When that happens, the resulting ZIP file that is created (either by the user or by our client application if the data is not already contained in an archive file) will almost invariably be corrupted or empty.  Either way, this will result in a failure during processing of the loaded data – because the data being processed will simply be corrupt.

This is true not only for CloudNine processing but also for any application that you use for processing, such as Law PreDiscovery.  So, before attempting to create a ZIP (or RAR or other type of archive) of a PST file (or before you upload it to a platform like CloudNine for processing), make sure that Outlook is closed or at least that the PST file is closed within Outlook.  That’s the best way to have a positive “outlook” to discovering emails.  Get it?  :o)
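One way to catch a corrupted or empty archive before it reaches processing, as an added example that is not CloudNine's code or part of the original post: zip the PST, then confirm the archived copy matches the source by header, size, CRC and SHA-256. The function names and the sample file are assumptions made for illustration; the `!BDN` signature is the standard first four bytes of a PST file. On Windows, a PST that Outlook still holds open may fail to open at all, which surfaces here as an error instead of a silent bad archive.

```python
import hashlib
import os
import zipfile

PST_MAGIC = b"!BDN"  # first four bytes of every PST/OST file (MS-PST dwMagic)


def sha256_stream(stream, chunk=1 << 20):
    """Hash a file-like object in chunks so multi-GB PSTs do not fill memory."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()


def zip_pst_verified(pst_path, zip_path):
    """Zip one PST, then prove the archived copy matches the source.

    Returns the SHA-256 of the PST; raises ValueError on any mismatch.
    """
    with open(pst_path, "rb") as src:
        if src.read(4) != PST_MAGIC:
            raise ValueError("source is empty or not a PST (bad header)")
        src.seek(0)
        before = sha256_stream(src)
    size_before = os.path.getsize(pst_path)

    name = os.path.basename(pst_path)
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED, allowZip64=True) as zf:
        zf.write(pst_path, arcname=name)

    with zipfile.ZipFile(zip_path) as zf:
        if zf.testzip() is not None:
            raise ValueError("archive entry failed its CRC check")
        info = zf.getinfo(name)
        if info.file_size != size_before:
            raise ValueError("archived size differs from source size")
        with zf.open(name) as member:
            archived = sha256_stream(member)

    # Hash the source again: a PST still open in Outlook can change mid-copy.
    with open(pst_path, "rb") as src:
        after = sha256_stream(src)
    if not (before == archived == after):
        raise ValueError("PST changed during archiving; close Outlook and retry")
    return archived


def make_sample_pst(path, payload=b"constructed sample body"):
    """Write a constructed stand-in file: PST magic bytes plus filler."""
    with open(path, "wb") as fh:
        fh.write(PST_MAGIC + payload)
```

Recording the returned hash alongside the upload also gives a fixed value to compare against if the archive's integrity is questioned later.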

So, what do you think?  Is email still the predominant source of discoverable ESI in your organization?  Please share any comments you might have or if you’d like to know more about a particular topic.


If You’re a Cloud Provider or Consumer, Consider These Guidelines on How to Conduct Yourself in Europe: eDiscovery Best Practices

While we were preparing to eat turkey and stuff ourselves with various goodies last week, the Cloud Security Alliance (CSA) provided an important guideline for compliance with the European Union General Data Protection Regulation (GDPR).

The CSA, a world leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, last week announced the release of the CSA Code of Conduct for GDPR Compliance, which provides cloud service providers (CSPs), cloud customers, and potential customers with much-needed guidance in order to comply with the new obligations stemming from the GDPR.  As part of the release, the CSA also launched the CSA GDPR Resource Center, a new community-driven website with tools and resources to help educate cloud service providers and enterprises on the new GDPR.

“Companies worldwide are struggling to keep pace with shifting regulations affecting personal data protection. The Privacy Level Agreement (PLA) Working Group realized it was critical for cloud providers to have guidance that would enable them to achieve compliance with EU personal data protection legislation,” said Francoise Gilbert, CSA Lead Outside Counsel and PLA Working Group co-chair.

“With the introduction of GDPR, data protection compliance becomes increasingly risk-based. Data controllers and processors are accountable for determining and implementing within their organizations appropriate protection levels for the personal data they process,” noted Paolo Balboni, European ICT, privacy and data protection lawyer, and co-chair of the Privacy Level Agreement Working Group. “In this scenario, the CSA Code of Conduct for GDPR Compliance is of fundamental importance as it gives guidance for legal compliance and the necessary transparency on the level of data protection offered by the CSPs.”

The new CSA Code of Conduct for GDPR Compliance is designed to meet both actual, mandatory EU legal personal data protection requirements (i.e., Directive 95/46/EC and its implementations in the EU member states) and the forthcoming requirements of the GDPR and specifies the application of the GDPR in the cloud environment, primarily with regard to the following categories:

  • Fair and transparent processing of personal data;
  • Information provided to the public and to data subjects (as defined in Article 4 (1) GDPR);
  • Exercise of data subjects’ rights;
  • Measures and procedures referred to in Articles 24 and 25 GDPR and the measures to ensure security of processing referred to in Article 32 GDPR;
  • Notification of personal data breaches to supervisory authorities (as defined in Article 4 (21) GDPR) and the communication of such personal data breaches to data subjects; and
  • Transfer of personal data to third countries.

The CSA Code of Conduct for GDPR Compliance also contains mechanisms that enable the body referred to in Article 41 (1) GDPR to carry out mandatory compliance monitoring by the controllers or processors who undertake to apply it, without prejudice to the tasks and powers of competent supervisory authorities pursuant to Article 55 or 56 of GDPR.

With GDPR adoption looming in less than six months, you can expect to hear more about GDPR on this blog and other publications in the coming months.  Click here to access the CSA Code of Conduct for GDPR Compliance (after completing a short survey).

So, what do you think? Is your organization preparing for GDPR?  Please share any comments you might have or if you’d like to know more about a particular topic.

Hat tip to Rob Robinson and his excellent Complex Discovery blog for coverage of the story.
