Privacy

Parties Are Battling Over Whether COVID-19 Should Delay CCPA Enforcement: Data Privacy Trends

With so many other initiatives being delayed because of the coronavirus pandemic, it was only a matter of time before compliance with the California Consumer Privacy Act (CCPA) was one of those being considered. However, while several organizations are pushing for enforcement of CCPA to be pushed back six months to January 1 of next year, other organizations are resisting any delay by the state.

According to LAW360 (COVID-19 Fuels Heated Fight Over CCPA Enforcement Timing, written by Allison Grande), the California attorney general’s office has said it has no intention to cave to mounting pressure from businesses (including the California Chamber of Commerce, UPS, the Internet Coalition, the Association of National Advertisers and 30 others) to delay enforcement of the California Consumer Privacy Act until early next year.  However, calls for such a pause are only likely to intensify in the coming months as the novel coronavirus forces companies to reevaluate their priorities and stretches IT departments thin, attorneys said.

“Companies understandably need to focus now almost singularly on the health and safety of their employees and consumers and on business continuity,” said BakerHostetler partner Alan Friel, whose firm filed comments with the attorney general on March 16 arguing for the planned July 1 enforcement deadline to be extended by six months.

“Just as tax return and payment obligations have been pushed back to allow time and resources to be directed to COVID-19 response, so should the CCPA enforcement date,” Friel said.

That stance has faced resistance from advocacy groups such as Consumer Reports, which has urged the state to stay the course in order to ensure that the CCPA’s robust consumer protections are being properly implemented during these unprecedented times.

The Electronic Privacy Information Center has also opposed the bid to delay enforcement, with its president, Marc Rotenberg, telling Law360 that he was “very disappointed” to see the business community attempting “to use a public health crisis as a reason to delay implementation” of the law.

“That is both reckless and irresponsible,” he said.

However, even if the California Chamber of Commerce, UPS, the Association of National Advertisers and others are successful in their bid to secure a delay or even a formal assurance that the state will go easy on enforcement, companies can’t just write off their obligations to adhere to the law, which took effect Jan. 1, or to implement regulations that the attorney general is still drafting.

While Attorney General Xavier Becerra isn’t allowed to begin bringing enforcement actions until July, nothing prevents the regulator from coming down on companies for conduct that dates back to the law’s Jan. 1 effective date, and the attorney general has already said he intends to hold businesses accountable for their actions across CCPA’s entire lifespan.  Of course, business groups, in both their latest letter and a separate January correspondence seeking a similar enforcement delay, have also urged the attorney general to take into account that the regulations meant to help guide companies’ implementation of the novel law haven’t been finished.  So, as usual, the CCPA situation is clear as mud.

By the way, LAW360 is offering free coronavirus legal news during the pandemic, including this resource that enables you to see the latest with regard to the effect of the pandemic on Federal and State courts.  Simply hover your cursor over the state (or territory) to see an update for that selection.  Postponements of dockets are pretty much universal all over – the only question is for how long.

So, what do you think?  Should organizations be responsible for compliance with CCPA during the pandemic, especially given that the California AG hasn’t finished the regulations yet?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Here’s Why Whether Apple Provides a Backdoor to iPhones May Not Matter: Data Privacy Trends

Last week, we covered the government’s latest attempt (and Apple’s resistance) to get Apple to assist in unlocking the iPhones of a mass shooter – this time, with regard to password-protected iPhones used by Mohammed Saeed Alshamrani, who is suspected of killing three people last month in a shooting at a Navy base in Pensacola, Florida.  Ultimately, however, it may not matter whether Apple helps the government or not.

According to Business Insider (The Justice Department is demanding that Apple make it easier to unlock suspects’ iPhones, but experts say it can do that without Apple’s cooperation. Here’s how., written by Aaron Holmes), cybersecurity experts say new technologies have made it even easier for investigators to crack locked iPhones, even without help from Apple.

Last week, Attorney General William Barr said during a press conference on Monday that Apple had not helped the FBI crack into the password-protected iPhones used by Alshamrani.

“We have asked Apple for their help in unlocking the shooter’s iPhones. So far Apple has not given us any substantive assistance,” Barr said, next to a poster with a picture of the iPhones. “This situation perfectly illustrates why it is critical that investigators be able to get access to digital evidence once they have obtained a court order based on probable cause.”

For their part, Apple disputed Barr’s assessment that it has failed to provide law enforcement with “substantive assistance” in unlocking the password-protected iPhones used by the shooting suspect at a Navy base in Pensacola, Florida, last month, but still refused his main request to provide a backdoor.  Apple stated it “produced a wide variety of information associated with the investigation” after the FBI’s initial request on Dec. 6. The company said it provided “gigabytes of information” including “iCloud backups, account information and transactional data for multiple accounts” in response to further requests that month.

“We have always maintained there is no such thing as a backdoor just for the good guys,” Apple said in a statement. “Backdoors can also be exploited by those who threaten our national security and the data security of our customers. Today, law enforcement has access to more data than ever before in history, so Americans do not have to choose between weakening encryption and solving investigations. We feel strongly encryption is vital to protecting our country and our users’ data.”

In an interview with Business Insider, Chris Howell, CTO of Wickr, said he understood why Apple wouldn’t intentionally build a backdoor into the iPhone as the FBI has requested.

“As a technologist I can tell you that there is no security mechanism that can discriminate between a hacker trying to crack it and a law enforcement officer trying to do the same thing. Either we secure it or we don’t, it’s that simple.”

However, according to The Wall Street Journal, the cybersecurity company Grayshift sells an iPhone hacking device for $15,000, and Israel’s Cellebrite sells a similar device.  Tech companies are constantly trying to develop more secure devices and platforms to win customers’ trust, and are therefore reticent to build backdoors that would easily crack encrypted services. Similarly, companies like Grayshift and Cellebrite are constantly honing methods of cracking devices, which are kept secret.

The iPhone was long seen as uncrackable, but recent advances have changed that — one county in Georgia that purchased a Grayshift device was able to crack 300 phones in one year, The Wall Street Journal reported.

One commenter to our post last week stated “if I was a terrorist I’d throw away my iPhoneX and get an iPhone 11”.  Staying ahead of crackers and hackers seems to be a continual battle that device managers and website providers face daily.  And, if we think this issue only applies to discovery of devices in cases involving mass shooters, it could easily apply to discovery in any type of case today where a custodian of a device has something to hide.  Like this Fifth Amendment case that we covered last year and will discuss in our webcast on January 29.

So, what do you think?  Should companies like Apple and Facebook provide backdoor access to their encrypted technology to investigators?  Or are there bigger privacy concerns at play here?  Please share any comments you might have or if you’d like to know more about a particular topic.

Apple Battling with the Government Again Over Breaking iPhone Encryption of Mass Shooters: Data Privacy Trends

Remember back in 2016 when Apple was in a court battle with the Department of Justice over giving investigators access to encrypted data on the iPhone used by one of the San Bernardino shooters?  We covered it here, here and here – that situation was resolved when the DOJ indicated that the FBI was able to retrieve the data with help from an “unnamed third party”.  Now, Apple is in a new dispute with the government over the same issue.

According to CNBC (Attorney General William Barr says Apple is not helping unlock iPhones used by alleged Pensacola shooter, written by Kif Leswing), Attorney General William Barr said during a press conference on Monday that Apple had not helped the FBI crack into password-protected iPhones used by Mohammed Saeed Alshamrani, who is suspected of killing three people last month in a shooting at a Navy base in Pensacola, Florida.

“We have asked Apple for their help in unlocking the shooter’s iPhones. So far Apple has not given us any substantive assistance,” Barr said, next to a poster with a picture of the iPhones. “This situation perfectly illustrates why it is critical that investigators be able to get access to digital evidence once they have obtained a court order based on probable cause.”

“We call on Apple and other technology companies to help us find a solution so that we can better protect the lives of Americans and prevent future attacks,” he said. Barr has also clashed with Facebook over encrypted messages, which he called “data-in-motion” on Monday.

The comments highlight law enforcement’s frustration with encryption technologies that protect data so that neither Apple nor law enforcement can easily read it.  They also preview future clashes between technology companies and governments over whether to build “back doors” that would allow law enforcement elevated access to private data to solve crimes like terrorism.

On Tuesday (as covered by CNBC here), Apple disputed Barr’s assessment that it has failed to provide law enforcement with “substantive assistance” in unlocking the password-protected iPhones used by the shooting suspect at a Navy base in Pensacola, Florida, last month, but still refused his main request to provide a backdoor.

Apple said it “produced a wide variety of information associated with the investigation” after the FBI’s initial request on Dec. 6. The company said it provided “gigabytes of information” including “iCloud backups, account information and transactional data for multiple accounts” in response to further requests that month.

“We have always maintained there is no such thing as a backdoor just for the good guys,” Apple said in its latest statement. “Backdoors can also be exploited by those who threaten our national security and the data security of our customers. Today, law enforcement has access to more data than ever before in history, so Americans do not have to choose between weakening encryption and solving investigations. We feel strongly encryption is vital to protecting our country and our users’ data.”

Apple made a similar point at a congressional hearing in December as senators threatened regulation if tech companies could not figure out a way to work with law enforcement to legally access encrypted devices and messages. A Facebook representative also attended the hearing, defending the company’s plans to make its entire private messaging system end-to-end encrypted, which law enforcement officials fear will make it harder for them to track down instances of child exploitation, as they do now.

I expected we would see another dispute between Apple (or other provider) and the government, along the lines of the San Bernardino shooter case – surprised it took this long.  Maybe it’s time for the AG’s office to solicit the assistance of an “unnamed third party”… ;o)

So, what do you think?  Should companies like Apple and Facebook provide backdoor access to their encrypted technology to investigators?  Or are there bigger privacy concerns at play here?  Please share any comments you might have or if you’d like to know more about a particular topic.

Today’s Webcast Will Help You Learn about Important eDiscovery Developments for 2019: eDiscovery Webcasts

2019 was another busy year from an eDiscovery, cybersecurity and data privacy standpoint.  So busy, we couldn’t fit it all into a single webcast!  Nonetheless, what do you need to know about those important 2019 events?  Today’s webcast will discuss what you need to know about important 2019 events and how they impact your eDiscovery, data privacy and cybersecurity efforts.

Today at noon CST (1:00pm EST, 10:00am PST), CloudNine will conduct the webcast 2019 eDiscovery Year in Review.  In this one-hour webcast that’s CLE-approved in selected states, we will discuss key events and trends in 2019, what those events and trends mean to your discovery practices and provide our predictions for 2020. Key topics include:

  • How Much Data is Being Transmitted Every Minute on the Internet in 2019
  • What a Lawyer’s Notification Duty Is When a Data Breach Occurs
  • General Data Protection Regulation (GDPR) and Data Privacy Fines
  • Biometric Security and Data Privacy Litigation
  • Cell Phone Passwords and the Fifth Amendment
  • How Organizations Are Doing on Compliance with the California Consumer Privacy Act (CCPA)
  • Social Media and Judges Accepting “Friend” Requests from Litigants
  • How #metoo and Investigations are Impacting eDiscovery within Organizations
  • Whether Emojis Are the Next eDiscovery Challenge
  • The Challenge to Obtain Significant Spoliation Sanctions under the New Rule 37(e)
  • Whether Lawyers Are “Failing” at Cybersecurity?
  • Outside Hackers vs. Internal Employees As Cybersecurity Threat
  • Sanctions Resulting from Inadvertent Disclosure of Privileged Information

As always, I’ll be presenting the webcast, along with Tom O’Connor.  To register for it, click here – it’s not too late! Even if you can’t make it, go ahead and register to get a link to the slides and to the recording of the webcast (if you want to check it out later).  If you want to learn how key events and trends in 2019 can affect your eDiscovery practice in 2020, this webcast is for you!

So, what do you think?  Do you have FOMO (fear of missing out) on important info for 2019?  Please share any comments you might have or if you’d like to know more about a particular topic.

Court Denies Criminal Defendant’s Motion to Suppress Evidence Obtained via Warrantless Search: eDiscovery Case Law

In United States v. Caputo, No. 3:18-cr-00428-IM (D. Or. Nov. 6, 2019), Oregon District Judge Karin J. Immergut denied the defendant’s motion to suppress emails and evidence derived from a warrantless search of Defendant’s workplace email account, finding “any expectation of privacy in Defendant’s work email was objectively unreasonable under the military’s computer-use policies in effect at his workplace.”

Case Background

In this case where the defendant was indicted on four counts of wire fraud, the defendant filed a motion to suppress emails and evidence derived from a warrantless search of the defendant’s workplace email account.  The Government’s response to the motion provided additional facts about the email account and the context in which it received copies of the defendant’s emails, including an image of the banner message displayed when the defendant logged on to his work computer system and two policies which governed the defendant’s computer use at work.

During the period at issue in this case, the warning banner advised (among other things) that at any time, the US Government may inspect and seize data stored on the information system.  The defendant was also subject to the Oregon National Guard’s acceptable use policy, and employees of the Oregon National Guard, including the defendant, were required to sign the policy before they received computer access. They also had to acknowledge and recertify their understanding of the policy annually.

Judge’s Ruling

Judge Immergut noted that “Defendant has not offered any evidence that he had a subjective expectation of privacy in his work email” and stated that “any expectation of privacy in Defendant’s work email was objectively unreasonable under the military’s computer-use policies in effect at his workplace.”

Judge Immergut also rejected two cases that the defendant cited to support his claim of a reasonable expectation of privacy, stating that “neither case requires suppression here” and that “[u]nder these circumstances, it was objectively unreasonable for Defendant to expect privacy in his work email.”  As a result, Judge Immergut denied the defendant’s motion to suppress.

So, what do you think?  Should employees expect privacy within their work email accounts?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Another Sign That Companies Aren’t Ready for CCPA Yet: Data Privacy Trends

As we’ve reported several times (including just last week), the California Consumer Privacy Act (CCPA) is scheduled to go into effect on January 1 next year.  That’s only 42 days from now!  Here’s another sign that companies still aren’t ready for it yet.

As reported by Legaltech® News (CCPA Uncertainty May Put Cloud Agreements Up in the Air, written by Frank Ready), it appears that many businesses still have some prep work ahead of them when it comes to updating their cloud agreements.

That insight arrives courtesy of Baker McKenzie’s 2019 Cloud Survey, which garnered 190 responses from professionals across the globe working in roles that include legal, information security, sales, marketing, information technology, procurement and C-suite level.

While 80% of those respondents indicated they had amended cloud agreements as a result of the EU’s General Data Protection Regulation, only 26% had done the same for the CCPA. An additional 44% said “not yet” with regards to the CCPA, while 30% answered “no.”

Aren’t “not yet” and “no” the same thing?  ;o)

Anyway, part of the delay in amending cloud agreements for the CCPA may be attributable to the CCPA itself. Jarno Vanto, a partner at Crowell & Moring, pointed out that the final text of the privacy regulation won’t be solidified until December.

“So that’s made it somewhat challenging, for example, to come up with language for [cloud or other] agreements that will meet the CCPA requirements,” Vanto said.

However, time may be a luxury that organizations can’t afford. Christopher Ballod, a partner at Lewis Brisbois Bisgaard & Smith, said that by the time December rolls around, the process of ironing out all of the mechanics involved in a cloud agreement, including putting mechanisms in place to satisfy subject data requests, may be too much to accomplish before the CCPA’s implementation date.

While having previously undertaken a similar process to comply with the GDPR may provide impacted parties with a data map and a framework to start from, the CCPA adds a new wrinkle in the form of a private right of action that could find organizations and their cloud providers embroiled in a protracted game of hardball negotiations over where the burden of that liability falls.

While CCPA goes into effect January 1, enforcement isn’t expected to begin until July 2020.  That gives a little more time to become compliant, but that time can evaporate quickly.

So, what do you think?  Has your organization prepared for CCPA?  Please share any comments you might have or if you’d like to know more about a particular topic.

Microsoft Supports CCPA, But Wants It To Be Even Stronger: Data Privacy Trends

We’re getting closer and closer to the deadline for the California Consumer Privacy Act (CCPA), which is scheduled to go into effect on January 1 next year, even though there is still a lot to be determined with regard to how companies must comply.  At least one major corporation supports the new law.  But that company also wants to see it strengthened.

As reported in Legaltech News® (Microsoft’s Top Privacy Lawyer Says CCPA Should Be Strengthened, written by Phillip Bantz), Microsoft Corp. chief privacy lawyer Julie Brill wrote in a blog post published Monday that the CCPA “marks an important step toward providing people with more robust control over their data in the United States. It also shows that we can make progress to strengthen privacy protections in this country at the state level even when Congress can’t or won’t act.”

Brill voiced Microsoft’s commitment to security by stating: “We are strong supporters of California’s new law and the expansion of privacy protections in the United States that it represents. Our approach to privacy starts with the belief that privacy is a fundamental human right and includes our commitment to provide robust protection for every individual. This is why, in 2018, we were the first company to voluntarily extend the core data privacy rights included in the European Union’s General Data Protection Regulation (GDPR) to customers around the world, not just to those in the EU who are covered by the regulation. Similarly, we will extend CCPA’s core rights for people to control their data to all our customers in the U.S.”

Brill, who serves as Microsoft’s corporate vice president and deputy general counsel for global privacy and regulatory affairs, went on to argue that the CCPA should be strengthened “by placing more robust accountability requirements on companies.”

For instance, businesses should have to minimize the amount of personal data that they keep, specify how and why they are collecting that data and be “more responsible for analyzing and improving data systems to ensure that they use personal data appropriately,” she wrote.

Brill added “we are calling upon policymakers in other states and in Congress to build upon the progress made by California and go further by incorporating robust requirements that will make companies more responsible for the data they collect and use, and other key rights from GDPR.  More requirements for companies, together with the rights and tools for people to control their data, will prevent placing the privacy burden solely on the individual, and will provide layers of data protection that are appropriate for the digital age.”

Apple CEO Tim Cook also previously called on Congress to pass comprehensive data-privacy regulation.  They’re not busy with anything else right now, are they?  ;o)

So, what do you think?  Are you surprised that Microsoft has been such a strong advocate of GDPR and CCPA?  Please share any comments you might have or if you’d like to know more about a particular topic.

McDonald’s May Soon Know Whether “You Want Fries with That” Before You Even Get There: Data Privacy Trends

In this day and age of using customer data and artificial intelligence (AI) to predict customer needs, is anybody really surprised by this headline?  Whether you are or not, the fast-food chain is turning to AI and machine learning in the hopes of predicting what customers want before they decide.

According to The New York Times (Would You Like Fries With That? McDonald’s Already Knows the Answer, written by David Yaffe-Bellany; hat tip to Peter Vogel of Foley & Lardner with the reference), McDonald’s has a new plan to sell more Big Macs: Act like Big Tech.

Over the last seven months, McDonald’s has spent hundreds of millions of dollars to acquire technology companies that specialize in artificial intelligence and machine learning. And the fast-food chain has even established a new tech hub in the heart of Silicon Valley — the McD Tech Labs — where a team of engineers and data scientists is working on voice-recognition software.

The goal? To turn McDonald’s, a chain better known for supersized portions than for supercomputers, into a “saltier, greasier version of Amazon”.

In recent years, fast-food sales have slowed across the United States, as Americans turn to healthier alternatives. While it has performed better than many of its rivals, McDonald’s has lost customers, closed restaurants and seen its quarterly sales dip below analysts’ expectations.

The chain’s new emphasis on technology is a bid to reverse that trend. So far, the technological advances can be experienced mostly at the company’s thousands of drive-throughs, where for years menu boards have displayed a familiar array of McDonald’s favorites: Big Macs, Quarter Pounders, Chicken McNuggets.

Now, the chain has digital boards programmed to market that food more strategically, taking into account such factors as the time of day, the weather, the popularity of certain menu items and the length of the wait. On a hot afternoon, for example, the board might promote soda rather than coffee. At the conclusion of every transaction, screens now display a list of recommendations, nudging customers to order more.

At some drive-throughs, McDonald’s has tested technology that can recognize license-plate numbers, allowing the company to tailor a list of suggested purchases to a customer’s previous orders – as long as the person agrees to sign away the data.

Sound familiar?  It’s the same “suggestions” approach we’re seeing with Amazon, Netflix, Pandora and other companies.  And, all of that is more and more data to someday potentially manage in eDiscovery.  ;o)

So, what do you think?  Would you want to provide McDonald’s with your data (including license plate number) to improve your ordering experience?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

According to the ABA, Lawyers are “Failing at Cybersecurity”: Cybersecurity Trends

In these days of increased data privacy emphasis with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), how are lawyers doing with regard to cybersecurity within their firms?  According to the American Bar Association Legal Technology Resource Center’s ABA TechReport 2019, they are “failing at cybersecurity”.

In the ABA Journal article (Lawyers are failing at cybersecurity, says ABA TechReport 2019, by Jason Tashea), the author reports this quote from an accompanying article on cybersecurity released last Wednesday: “In fact, the results are shocking and reflect little, if any, positive movement in the past year or even in the past few years. The lack of effort on security has become a major cause for concern in the profession.”

The annual report looks at how attorneys use all kinds of technology in their practices. Articles on cloud computing, cybersecurity and websites and marketing were released free online. There are six more articles that will be released Wednesdays through Dec. 18.

The survey found that the most popular security measure, used by 35% of respondents, was Secure Sockets Layer (SSL), which encrypts computer communications, including web traffic. Only 27% make local data backups. Since 2018, the number of respondents reading vendor privacy policies fell from 38% to 28%. A mere 23% investigated a vendor’s history, even though 94% said vendor reputation mattered when deciding who to contract with.

Only 35% of attorneys use SSL?!?  I have a feeling that many more use it, but don’t realize it.

Meanwhile, slightly more than a quarter of respondents (26%) reported their firm had had a security breach.  In addition, 19% of respondents who reported said that they do not know whether their firm has ever experienced a security breach.  So, the percentage of firms that have experienced a security breach could be quite a bit higher.

Consequences of security incidents included consulting fees for repair (37%), downtime/loss of billable hours (35%), expense for replacing hardware or software (20%), destruction or loss of files (15%), notifying law enforcement of breach and notifying clients of the breach (9% each), unauthorized access to other (non-client) sensitive data (4%), and unauthorized access to sensitive client data (3%).

Only 9% of firms notifying clients of the breach?!?  Ruh-roh.

The ABA Legal Technology Resource Center Tech Survey 2019 is available here.  It’s in five volumes, each available for $350 (non-members) or $300 (members).

BTW, the Legal Technology Resource Center of the ABA used to have a publicly available page with Cloud Ethics Opinions Around the U.S., showing a map of states that had a cloud ethics opinion (we’ve covered it a handful of times, the last being about 2 1/2 years ago here, when there were 21 states that had one, including one that the ABA didn’t have on its site).  That page is now inactive and I can’t find it via a search on the website.  If anybody knows if it’s still available in some form on the ABA website, let me know.

So, what do you think?  Are you surprised by any of the ABA findings on cybersecurity?  Please share any comments you might have or if you’d like to know more about a particular topic.

Court Denies Plaintiff’s Request to Avoid Forensic Imaging of Devices in Apple Performance Case: eDiscovery Case Law

In the case In Re: Apple Inc., No. 5:18-md-02827-EJD (N.D. Cal. Aug. 22, 2019), California District Judge Edward J. Davila denied the plaintiffs’ motion to modify the Special Discovery Master order that authorized the forensic imaging of devices belonging to 10 of the more than 90 named plaintiffs in order to allow Apple’s outside experts to performance test the devices, finding that “Apple’s interest in performance testing the forensic images outweighs Plaintiff’s privacy interest because Plaintiffs put the performance of the devices at the center of the lawsuit”.

Case Background

In this litigation involving the performance of Apple devices after software updates, the Special Discovery Master entered an order authorizing the forensic imaging of the devices belonging to 10 of the more than 90 named Plaintiffs in order to allow Apple’s outside experts to performance test the devices.  The plaintiffs objected to the order and sought to modify it so that Apple’s discovery of the devices would be limited to the extraction of “limited diagnostic data” instead of full forensic imaging, arguing that the Special Discovery Master made “erroneous factual findings and reached incorrect legal conclusions”.

The plaintiffs, basing their argument on the 2017 California Supreme Court case Williams v. Superior Court, argued that “[p]ersonal devices, like those at issue here, are afforded special privacy protections under the law. Apple therefore had to demonstrate a compelling need or interest to justify the forensic imaging. The Special Discovery Master should have conducted a balancing test between that compelling interest and the intrusion into Plaintiffs’ privacy posed by the imaging. But the Special Discovery Master failed to do so when she ‘deferr[ed] the basic question of scientific reliability to trial.’”

Judge’s Ruling

Judge Davila noted that the “motion is suitable for resolution without oral argument” and stated that “Plaintiffs’ concerns over their privacy rights are understandable; they are being asked to surrender their devices and passwords to strangers.”  But, Judge Davila also noted that the forensic imaging would be completed by a neutral, third-party computer forensics vendor and that those “outside experts will only provide counsel with their analyses and the data underlying their analyses…To the extent possible, the experts will redact the contents, authors, recipients, and subject-matter of the underlying data (and any associated metadata) or replace them with summary descriptions before providing the underlying data to Apple’s counsel.”

Judge Davila also concluded that “Plaintiffs actively put their devices at issue when they chose to sue Apple over Apple’s alleged intrusion and trespass to the devices through Apple’s software updates”, stating that “[i]t is well-established that a plaintiff cannot bring suit and then limit the defendant’s discovery that is targeted at the subject matter of the plaintiff’s claims.”  Noting that the plaintiffs “overreach” with regard to their argument “that the forensic imaging would ‘violat[e] Plaintiffs’ privacy with no gain’ to Apple”, Judge Davila found that “Apple has a compelling interest in the sought-after performance testing of Plaintiffs’ devices. The devices’ performance is integral to Plaintiffs’ claims. They allege that Apple’s software updates unjustly harmed the performance of their devices…Apple is entitled to defend itself against these allegations by testing whether the performance of the devices was, in fact, harmed. Later, Plaintiffs may challenge whether that testing is admissible, scientifically reliable, or ‘necessary’ for Apple’s defenses through in limine, Daubert, and other motions.”

So, what do you think?  Did the court properly weigh the balance of privacy and discovery in this case?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.
