Privacy

You Have to Be Certifiable to be Privacy Shield Approved: eDiscovery Trends

At The Master’s Conference Chicago event this week, an entire session was dedicated to international eDiscovery and privacy considerations.  Some of the discussion centered on the General Data Protection Regulation (GDPR), which takes effect on May 25, 2018 (almost exactly one year from now).  Most of the rest of the discussion centered on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law (we covered the announcement of the EU-U.S. Privacy Shield here and the formal adoption here). On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States (we covered that one too here).

The Privacy Shield Principles lay out a set of requirements governing participating organizations’ use and treatment of personal data received from the EU and Switzerland. By joining the Privacy Shield, participants make a commitment to comply with these Principles that is enforceable under U.S. law.  There are several benefits to becoming Privacy Shield certified, with the most important being that, as a participating organization, you are deemed to provide “adequate” privacy protection, which is a requirement for the transfer of personal data outside of the European Union under the EU Data Protection Directive and outside of Switzerland under the Swiss Federal Act on Data Protection.

The Privacy Shield site is here and the page for U.S. businesses to understand the benefits and requirements of participation in the Privacy Shield is here.

If you go to this page here, you can actually search for companies that are Privacy Shield certified.  Surprisingly, only 2,150 organizations are certified at this point.  Of course, in the eDiscovery world, a lot of those organizations may not matter to you, so Rob Robinson (in his Complex Discovery blog) was kind enough to identify here the eDiscovery providers that are currently certified (he also includes PDF copies of both Privacy Shield Frameworks).  According to the list, 45 eDiscovery companies are EU-U.S. Privacy Shield approved, of which only 17 are also Swiss-U.S. Privacy Shield certified.  CloudNine is both EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield certified.  Rob does note that the list may not be all inclusive, so check the link at the beginning of this paragraph if you have questions about a particular eDiscovery provider.

International data privacy issues and frameworks are one of the topics we’ll be discussing at our webcast on Wednesday, May 31.  For more info on where to register, click here.

So, what do you think?  Has your organization become Privacy Shield certified?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

eDiscovery Daily will resume with new posts next Tuesday.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Here’s a Chance to Learn What You Need to Know About Cybersecurity and Data Privacy in 2017: eDiscovery Best Practices

You’ve heard the horror stories. Maybe you’ve even experienced them yourself.  Data breaches are happening within organizations at an alarming rate, and sensitive data is being compromised regularly. As an attorney, what can you do to protect yourself, your firm and your clients from becoming victims? And what do you need to do to keep up with ever-changing requirements for data security, both within the US and internationally?

On Wednesday, May 31 at noon CDT (1:00pm EDT, 10:00am PDT), CloudNine, along with our friends, the cybersecurity experts at Firm Guardian, LLC, will conduct the webcast What Attorneys Need to Know About Cybersecurity and Data Privacy in 2017.  This one-hour webcast will discuss what you need to know today about cybersecurity and data privacy to protect the sensitive data that your organization manages every day.  Topics to be discussed include:

  • The State of Cybersecurity in the U.S. in 2017
  • Top Threats Facing Your Practice
  • Your Responsibility to Your Clients: The High Cost of Data Leaks
  • How to Protect Your Firm and Your Clients
  • Recent Developments in International Data Privacy
  • Criteria for Evaluating Providers in Your eDiscovery Projects
  • Ethics Considerations
  • Looking Forward: The Future of Cybersecurity in the Legal Field

I’ll be presenting the webcast along with Julia Romero Peter, General Counsel and VP of Sales at CloudNine.  Joining us from Firm Guardian will be Sean Hall, CEO, and Paul Cobb, COO.  The Firm Guardian team has over 30 years of combined experience dealing with foreign and domestic cyber-threats against government and military targets, so they have a lot of good information to share to help your organization combat those threats!

To register for the webcast, click here.  Don’t be this firm.

Also, I will be in Chicago on Tuesday, May 23 for the Chicago leg of The Master’s Conference.  The conference will be held at the Wyndham Grand Chicago Riverfront at 71 E Upper Wacker Dr., Chicago, IL 60601.  If you’re going to be in Chicago that day (or close enough to come in for it), you can register here for the full day event (or attend for just half a day, if that’s all your schedule permits).  I will be moderating a panel discussion, Data, Discovery, and Decisions: Extending Discovery From Collection To Creation, at 1:45pm that day, with panelists Matthew C. Wolfe, Attorney with Shook, Hardy & Bacon, LLP; Ryan Tilot, Counsel, eDiscovery and Information Governance with Seyfarth Shaw; and Mykhaylo Bulyk, Manager, Cyber Intelligence & Incident Response with CDK Global.  If you’re in Chicago, hope to see you there!

So, what do you think?  Do cybersecurity and data privacy concerns keep you up at night?  Please share any comments you might have or if you’d like to know more about a particular topic.


The Impact of Cybersecurity Concerns on M&A Activities is Growing: eDiscovery Trends

This is the second story that I’ve covered in the past several months where cybersecurity concerns impacted mergers and acquisitions.  See below for more on the first one…

After Verizon Communications took a $350 million discount on its purchase of Yahoo based on the massive data breaches disclosed by the Internet company last year, it may be time for cybersecurity and data privacy lawyers to take a more active role in merger and acquisition discussions.

In Bloomberg Law (Are Cyber Lawyers Poised to Play Bigger Role in M&A?, written by Rebecca Beyer), the author notes that, in two attacks in 2013 and 2014, more than a billion Yahoo users’ personal account info was hacked.  Yes, that’s billion with a “b”.

The resulting acquisition of Yahoo by Verizon, negotiated over several months, may be the first time a merger price has been discounted because of a data breach, said Craig A. Newman, a global cybersecurity partner at Patterson Belknap Webb & Tyler in New York.  Yahoo tapped Hunton & Williams to handle the cyber issues in its amended agreement with Verizon, according to a company representative. The firm’s privacy and cybersecurity practice is led by Lisa J. Sotto, a noted expert who chairs the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.

Sotto was quoted in the article observing: “Privacy and data security really had for years been on the back burner in M&A transactions…It’s only in the last few years that privacy and cyber security lawyers have been brought into the due diligence and document negotiation process.”

After Yahoo announced the hacks of its users’ data, many people asked whether Verizon would try to back out of the deal — or if it would be able to.

But walking away from a merger agreement is almost impossible, according to Steven Davidoff Solomon, a professor at UC Berkeley School of Law. To exit a deal, a company would need to prove that a data breach counts as a material adverse event or change as defined by so-called MAC clauses in merger agreements, he said.

Proving a material adverse event often requires battling in court over questions like whether an incident was “significant” and “durational,” said Solomon, who has written in the past about the Yahoo/Verizon deal. He noted that it’s not at all clear whether data breaches — even of the size disclosed by Yahoo — would rise to that level.

As a result, buyers are asking their counsel to look long and hard at targets’ IT departments so they can at least be informed in advance about potential problems. According to a survey by West Monroe Partners, 80 percent of respondents said cybersecurity due diligence was highly important in reaching a deal (and 77 percent said that issue had “increased significantly” in importance in the past two years).

So, it may be a good idea to get your cyber lawyers involved in the early stages of M&A discussions.  And, make sure you’re on the same page when talking about mergers and acquisitions. :o)

The first post I mentioned at the top of this post related to this merger of law firms where the lead attorney of one firm decided to merge with a larger law firm, at least in part over her concerns about cybersecurity.  Concerns about cybersecurity are not only impacting mergers, they are also causing them, at least in some instances.

So, what do you think?   Do concerns about cybersecurity and data privacy play a role in M&A discussions at your organization?  Please share any comments you might have or if you’d like to know more about a particular topic.


New Survey Says 75 Percent of Respondents Unfamiliar with China’s New Cybersecurity Law: eDiscovery Trends

Are you familiar with it?

According to a survey conducted by Consilio and released earlier this week, 75 percent of legal technology professionals responding to the survey indicated that they are not familiar with China’s new Cybersecurity Law, which was passed by the Standing Committee of the National People’s Congress, China’s top legislature, in November 2016.  The new law is set to go into effect on June 1, 2017.

China’s new Cybersecurity Law will require foreign companies conducting business in the country to localize within mainland China data that may contain sensitive personal information or state secrets. Organizations that do not adhere to this provision will face potential financial penalties, including the possible loss of their ability to conduct business in mainland China. Individuals can face civil and criminal penalties, up to and including imprisonment and the death penalty for particularly egregious cases.

For more on China’s Cybersecurity Law, you can read Understanding China’s Cybersecurity Law, by Chris Mirasola on the LawFare blog here.  An unofficial translation of the law can be found on the China Law Translate site here.

Consilio’s survey of 118 legal technology professionals, from in-house law departments, law firms and government affiliated entities, was conducted at the Legalweek | Legaltech® New York 2017 conference held January 31 – February 2.  Some key findings of the survey include:

  • 75 percent of legal technology professionals cited that they are not familiar with China’s new Cybersecurity Law;
  • Only 14 percent of respondents indicated that they are “very concerned” about the new law;
  • Yet, 57 percent of respondents indicated having at least one legal matter that touched China within the last two years (e.g., internal or government investigations, litigation, M&A), with 27 percent indicating that they knew of at least ten Chinese legal matters that their organizations were involved in during that time.

“China is now the world’s second largest economy, and for global corporations and those that aspire to be global, it is critical for them to have a full understanding of the data requirements and regulatory landscape of that region,” said Dan Whitaker, Managing Director of Consilio’s China operations, headquartered in Shanghai. “Since 2012, cyber walls have been going up in multiple regions around the world, and as countries continue to create new regulations, organizations must continually educate themselves on the quickly evolving nuances of data privacy laws in every jurisdiction, specifically as it relates to the ability to move data in and out of the countries in question.”

In addition to China’s new Cybersecurity Law, when polled about the other international compliance laws their organizations are most concerned about, respondents identified the Foreign Corrupt Practices Act (FCPA) as the most concerning (40 percent), followed by the General Data Protection Regulation (GDPR) at 22 percent and the UK Bribery Act at 8 percent.

Consilio has prepared a summary infographic to illustrate the results, which can be found here.

So, what do you think?  Are you familiar with China’s new Cybersecurity Law?  Are you concerned about it?  Please share any comments you might have or if you’d like to know more about a particular topic.


Now, We Have a Privacy Shield with the Swiss Too: eDiscovery Trends

This appears to be our week to cover privacy stories on the blog.  First, The Sedona Conference® (TSC) released the public comment version of its new Data Privacy Primer (which we covered on Tuesday).  Also, last week, U.S. and Swiss authorities announced final agreement on the Swiss-U.S. Privacy Shield Framework.

The JD Supra article Swiss-U.S. Privacy Shield Finalized (written by Michael Young of Alston & Bird and originally sourced here) indicates that the Framework defines standards for handling personal data exported from Switzerland to the U.S. and enables U.S. companies to meet Swiss legal requirements to protect personal data transferred from Switzerland.  Just as the EU-U.S. Privacy Shield was adopted to replace the old EU Safe Harbor agreement after that agreement was declared invalid by the Court of Justice of the European Union, this Framework is a successor to the former Swiss-U.S. Safe Harbor framework, which was declared invalid by the Swiss data protection commissioner following the invalidation of the European Safe Harbor.

U.S. companies may participate in the Framework through an application to the International Trade Administration (ITA) in the U.S. Department of Commerce. Starting April 12, U.S. companies may make an application self-certifying their compliance with the Swiss-U.S. Framework Principles.

As Young’s article notes, the Swiss-U.S. Privacy Shield Framework is modeled on the EU-U.S. Privacy Shield Framework approved by the EU Commission in July last year, and the two Frameworks’ principles are largely identical. However, they differ slightly with regard to the definition of “sensitive information”: the Swiss Framework expressly includes within its definition of “sensitive information” any “information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings” (unlike the EU-U.S. Framework). As a result, companies that certify their compliance under the Swiss-U.S. Framework may need to implement further measures to secure opt-in consent if such “sensitive information” is shared with third parties or used for purposes that were not clear at the time of original collection.

Because the EU-U.S. Privacy Shield Framework extended only to members of the European Economic Area (EEA) and Switzerland is not a member of the EEA, U.S. and Swiss officials sought a separate Privacy Shield agreement.  Since the EU-U.S. Privacy Shield Framework already faces legal challenges in European courts, it will be interesting to see if the Swiss-U.S. Framework quickly faces those same challenges.

The Swiss-U.S. Privacy Shield Framework is contained within this 69 page document which includes Department of Commerce letters describing the Framework (the Framework itself begins on page 13 of the document).  For more information on the self-certification program, click here.

So, what do you think?  Will both Privacy Shield Frameworks survive legal challenges?  Please share any comments you might have or if you’d like to know more about a particular topic.


“Primed” to Read about Data Privacy? The Sedona Conference Has a New Primer for You: eDiscovery Best Practices

The proliferation of data in our society today makes the task of protecting sensitive and private data more challenging than ever.  Without a doubt, privacy and data protection laws have evolved quite a bit over the past several years, especially internationally, with the striking down of the 15-year-old Safe Harbor agreement back in 2015 over privacy concerns and the subsequent adoption of the EU-U.S. Privacy Shield last year.  To help legal practitioners better understand the various data privacy issues and guidelines, The Sedona Conference® (TSC) has created a new primer.

The Sedona Conference and its Working Group 11 on Data Security and Privacy Liability (WG11) have just rolled out the public comment version of the new Data Privacy Primer, which is the Working Group’s first publication for public comment.  In the announcement for the new primer, the TSC states that it is “the first of a number of WG11 publications that are intended to provide immediate, practical benefit to (1) practitioners involved in data security and privacy litigation, and (2) organizations confronting the ever-increasing threat of data breaches and resulting liability.”

This particular Primer is “intended to provide a practical framework and guide to basic privacy issues in the United States and to identify key considerations and resources, including key privacy concepts in federal and state law, regulations, and guidance.”  The TSC notes that it focuses on privacy laws in the U.S. in this Primer and that global privacy laws are outside the scope of its coverage. It also focuses primarily on privacy issues arising under civil rather than criminal law (though criminal law implications are addressed “at various points” in the Primer).

Nonetheless, the PDF file for the Primer checks in at a whopping 115 pages (data security is a weighty topic, after all), and even the Table of Contents stretches on for nearly 3 1/2 pages.  The Primer covers topics ranging from the common law of privacy to federal and state laws and acts regarding privacy policies and protections, to discussions of general consumer protection, health (including HIPAA) and financial protections.  It also discusses workplace and student privacy considerations, ranging from the use of company equipment and email and bring-your-own-device (BYOD) policies in the workplace to privacy protections for educational records.

The Data Privacy Primer is open for public comment through April 16. Questions and comments can be sent to comments@sedonaconference.org. According to the TSC announcement, the drafting team will “carefully consider all comments received, and determine what edits are appropriate for the final version”.  TSC also plans to schedule a webinar in February for those who may want a more condensed overview of the topic, or can’t get enough of it, depending on your point of view.

BTW, this isn’t the first time that TSC has provided guidance on the issues of privacy and security.  Here is a link to a previous post covering their Commentary release in November 2015 on the subject.

So, what do you think?  How does your organization address data privacy?  Please share any comments you might have or if you’d like to know more about a particular topic.


Can Pokémon GO Right Into Your Organization’s Data?: eDiscovery Trends

Unless you’ve been living under a rock for the past month, you’ve undoubtedly heard about Pokémon GO, the new location-based augmented reality smartphone game, which has been downloaded by more than 130 million people worldwide in a little over a month.  Believe me, my kids have clamored for it.  But, if you have it installed on a BYOD device for the workplace, could you be putting your organization’s data at risk?

That’s a question raised by this article in Inside Counsel by Amanda Ciccatelli (Pokémon GO exposes the risks of BYOD policies).  In the article, Ciccatelli cites a recent blog post on Data Security Law Blog (of Patterson Belknap Webb & Tyler LLP) which notes that the app poses issues for businesses with bring-your-own-device (BYOD) policies, where employees use their own devices for work purposes.  Those policies, while enhancing employee productivity and satisfaction, can open up potential security risks if not structured – and followed – correctly.

“Because Pokemon GO has been so enormously popular – reportedly the most downloaded mobile game ever, with more than 25 million users playing each day – the security concerns of the game have received wide publicity,” Michael Whitener with VLP Law Group told Inside Counsel in a recent interview.

As a result, some security organizations, including the International Association of IT Asset Managers (IAITAM), have called on corporations to ban the use of Pokémon GO. In fact, IAITAM has described the game as “a nightmare for companies that want to keep their email and cloud-based information secure.”

Whenever a third-party mobile app is downloaded, there are two potential data security concerns, according to Whitener. First, the user may be granting the app vendor access to some of the user’s personal information, often by agreeing to the vendor’s terms of use.

Second, the app, because of security flaws in it, may provide a handy backdoor for hackers – not just onto the user’s phone, but potentially, through that phone, onto the network and servers of the user’s employer too.

The original iOS release of Pokémon GO, when a user signed in with a Google account, requested full access to that Google account, which was widely reported as covering the user’s history, past searches and anything else associated with their Google login.  Niantic Labs, the game’s creator, later corrected this to request only basic profile information, but it’s unclear how Niantic may have used any information collected in the meantime and whether it’s been destroyed.  And, of course, imitation Pokémon GO applications have sprung up with malware that could allow hackers to access users’ personal correspondence and other information or even remotely gain full control of the victim’s phone.

Ciccatelli’s article notes that “a realistic BYOD policy will address such issues as employee obligations to implement device security software, employee expectations of privacy when using devices for business purposes, prohibitions on device use by friends and family, and permissible and impermissible apps”.  In other words, sorry Kiley and Carter, Pokémon GO won’t be coming to my iPhone for the foreseeable future.

So, what do you think?  Does your organization have a BYOD policy that regulates the installation of third-party apps?  Please share any comments you might have or if you’d like to know more about a particular topic.

Time is running out to participate in the quarterly eDiscovery Business Confidence Survey being conducted by Complex Discovery and ACEDS!  It’s a simple nine question survey that literally takes about a minute to complete.  The more respondents there are, the more useful the results will be!  Click here to take the survey yourself.  Deadline is August 31.  Don’t forget!



Court Rules Government’s Use of Stingray to Locate Suspect Was Unwarranted: eDiscovery Case Law

In United States v. Lambis, No. 15cr734 (S.D.N.Y. July 12, 2016), New York District Judge William H. Pauley, III granted the defendant’s motion to suppress evidence obtained by law enforcement agents in connection with a search of his apartment because the apartment was located via the use of a “Stingray” cell-site simulator to identify the location of the defendant’s phone without a warrant.

Case Background

In 2015, the US Drug Enforcement Administration (“DEA”) was conducting an investigation into an international drug-trafficking organization and sought a warrant for pen register information (a record from the service provider of the telephone numbers dialed from a specific phone) and cell site location information (“CSLI”) for a target cell phone as part of that investigation. CSLI is the service provider’s record of the “pings” a cell phone sends to nearby cell sites, and allows the phone’s location to be approximated from the sites it has used.  Using CSLI, DEA agents were able to determine that the target cell phone was located in the general vicinity of “the Washington Heights area by 177th and Broadway.”

However, this CSLI was not precise enough to identify the specific apartment building, much less the specific unit in the building.  To isolate the location more precisely, the DEA deployed a technician with a cell site simulator (a device known as a “Stingray” that locates cell phones by mimicking the service provider’s cell tower and forcing cell phones to transmit “pings” to the simulator) to the intersection of 177th Street and Broadway.  Using the “Stingray”, the DEA technician was able to locate the building and then the unit where the defendant was located.  That same evening, DEA agents knocked on the defendant’s door and obtained consent from his father to enter the apartment, then obtained consent from the defendant to enter his bedroom where they recovered narcotics, three digital scales, empty zip lock bags, and other drug paraphernalia.  The defendant filed a motion to suppress the evidence.

Judge’s Ruling

Noting that a “Fourth Amendment search occurs when the government violates a subjective expectation of privacy that society recognizes as reasonable”, Judge Pauley referenced Kyllo v. United States, where Government agents used a thermal-imaging device to detect infrared radiation emanating from a home.  In that case, the Court held that “[w]here . . . the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a ‘search’ and is presumptively unreasonable without a warrant.”

Judge Pauley then stated “Here, as in Kyllo, the DEA’s use of the cell-site simulator to locate Lambis’s apartment was an unreasonable search because the ‘pings’ from Lambis’s cell phone to the nearest cell site were not readily available ‘to anyone who wanted to look’ without the use of a cell-site simulator.”  He also stated this:

“Absent a search warrant, the Government may not turn a citizen’s cell phone into a tracking device. Perhaps recognizing this, the Department of Justice changed its internal policies, and now requires government agents to obtain a warrant before utilizing a cell-site simulator.”

As a result, Judge Pauley granted the defendant’s motion to suppress the evidence that was obtained by the search, even though the defendant’s father and the defendant had given consent to the search and access.

So, what do you think?  Should a warrant be required for “Stingray” devices?  Please share any comments you might have or if you’d like to know more about a particular topic.

Thanks to Sharon Nelson at Ride the Lightning for the tip!


Even in Baseball, Hacking Can Get You Prison Time: eDiscovery Trends

Just because it’s “just a game” doesn’t mean you can’t go to prison for computer hacking…

Last June, we covered this story about the St. Louis Cardinals, one of the most successful teams in baseball over the past two decades, which was under investigation by the F.B.I. and Justice Department prosecutors, accused of hacking into an internal network of my hometown team, the Houston Astros, to steal internal discussions about trades, proprietary statistics and scouting reports, among other competitive information.  As a result of the investigation, the former scouting director of the Cardinals, Christopher Correa (not to be confused with Astros star shortstop Carlos Correa), was sentenced on Monday to nearly four years in prison for hacking the Astros’ player-personnel database and email system.

Correa had pled guilty in January to five counts of unauthorized access of a protected computer from 2013 to at least 2014, the same year he was promoted to director of baseball development in St. Louis. He was fired last summer and now faces 46 months behind bars and a court order to pay $279,038 in restitution.

The data breach was reported in June 2014 when Astros general manager Jeff Luhnow told reporters the team had been the victim of hackers who accessed servers and proceeded to publish online months of internal trade talks. Luhnow had previously worked for the Cardinals.  The FBI said Correa was able to gain access using a password similar to that used by a Cardinals employee who “had to turn over his Cardinals-owned laptop to Correa along with the laptop’s password” when he was leaving for a job with the Astros in 2011. The employee was not identified, though Luhnow left St. Louis for Houston in December of that year to become general manager of the Astros.

So, not only can accessing your former company’s data with a shared password make you a hacker, using a variation of a departed employee’s old password to access data at his new employer can also make you a hacker.  You could even face jail time for deleting employer files before leaving your job.  A few more decisions like this might actually cut down on cybersecurity breaches within organizations.  Then again, it might not.

So, what do you think?  Do you expect to see more breaches like this between competitors in various industries?  Please share any comments you might have or if you’d like to know more about a particular topic.

EU-US Privacy Shield Formally Adopted by the European Commission: eDiscovery Trends

As we discussed back in February, the EU-US Privacy Shield, an important new agreement governing the transfer of data between Europe and the United States, was announced on February 2.  Within the same month, the European Commission released details on the new trans-Atlantic data transfer arrangement.  Now, the European Commission has formally adopted the new agreement, only nine months after the old “Safe Harbor” agreement was struck down.

As discussed in The Verge (EU-US Privacy Shield agreement goes into effect, written by Amar Toor), the new data transfer pact went into effect two days ago (July 12), and US companies will be able to certify their compliance as of August 1st.

EU member states formally signed on to the agreement last week, but The Guardian reported that Austria, Slovenia, Bulgaria, and Croatia abstained from the vote. The paper reported that representatives of Austria and Slovenia still had doubts over whether the deal would protect their citizens’ data from US surveillance.

Under the agreement, US companies will have to self-certify that they meet higher data protection standards, and the US Department of Commerce will be charged with conducting “regular reviews” to ensure compliance. The US has also assured EU member states that there will be “clear limitations, safeguards and oversight mechanisms” governing how law enforcement and federal agencies access the data of Europeans, and that bulk data collection would only be carried out “under specific preconditions and needs to be as targeted and focused as possible,” according to the European Commission.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible,” Andrus Ansip, vice president for the European Commission’s Digital Single Market initiative, said in a statement Tuesday. “Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions.”

But some civil liberties groups are wary of Privacy Shield, questioning whether it will have any meaningful impact on consumer privacy. Privacy International, a London-based watchdog, expressed concerns over the new deal after a leaked version was published online last week, describing it in a post as “an opaque document that will be a field day for law firms.”  “In short: new ‘Shield’, old problems,” Tomaso Falchetta, legal officer at Privacy International, said in an email on Tuesday. “Given the flawed premises – trying to fix data protection deficit in the US by means of government’s assurances as opposed to meaningful legislative reform – it is not surprising that the new Privacy Shield remains full of holes and hence offers limited protection to personal data,” Falchetta added.

Rob Robinson’s Complex Discovery site includes a reference to the story here, which also includes a handy one-page PDF file that summarizes the new EU-US Privacy Shield.

So, what do you think?  Will the new “Privacy Shield” be an effective replacement to the old “Safe Harbor”?  Or will it be doomed to failure as well?  Please share any comments you might have or if you’d like to know more about a particular topic.