4 minute read
Data Privacy Issues in Electronic Discovery
BY IAN D. MCCAULEY, ESQUIRE
Data privacy and electronic discovery continue to be two of the most talked about and challenging topics in the legal world. Attorneys view privacy issues as being distinct from eDiscovery, yet the two are becoming more intertwined as sources of data multiply, walls separating traditional business and personal communications disintegrate, and large amounts of data are shared between and among litigants.
Advertisement
Several recently highly publicized lawsuits have involved significant data privacy issues, and the public is still learning the details of how various political leaders store sensitive data. While these stories are front-page news, data privacy issues can occur at every phase of litigation, no matter how small the matter. The risk is heightened due to the time pressures often imposed by court-ordered deadlines.
“Bring Your Own Device” Cha llenges
Many courts have recognized that mobile data is generally discoverable, and it is now frequently collected, searched, and reviewed in litigation as a matter of course. The advent of Bring Your Own Device Policies (“BYOD”), however, has made collecting and exchanging data from mobile devices more challenging from a data privacy perspective.
Employees now often mix their personal and business communications on one device and are encouraged to do so through their companies’ BYOD policy. Employees may not even be aware that their devices remain open to discovery, and the ubiquity of cloud storage complicates matters. When employees are named as records custodians in ongoing litigation, a key concern is how to best protect employees’ personal data while complying with discovery obligations.
Situations such as this can be alleviated by engaging a trusted vendor who understands these issues and can help to navigate both litigants’ and employees’ concerns. Employees need to be educated on how the American discovery system works, while being assured that their personal data will be protected, even if it is collected. Striking a balance between what data is relevant, what should be reviewed, and how to manage employees’ concerns and expectations is key in situations such as these.
Data Transfer
The need to securely move large quantities of data has become increasingly necessary in both business and litigation. It is also not without its challenges. Access to sharing services (Dropbox, Box.com, Google Drive, etc.) is inexpensive, and the interface of these tools is straightforward. These services can become dangerous when a user intends to share data with only a discreet number of individuals but inadvertently shares it with a wider audience. Other issues arise when sharing too many or too few files.
These challenges often occur when individuals are not well versed in the tools that they are using to transfer very large and sensitive data. Has the user set the data to expire? Are they using a link or providing direct access? Have they ensured that the data is not falling into the hands of those who should not have access to it? The capabilities of these tools are highly customizable, and it is easy to just click through and share data without fully contemplating the consequences of doing so.
Two recent examples demonstrate some of the risks involved with file sharing services. The first, Harleysville Ins. Co. v. Holding Funeral Home, Inc., involved the plaintiff using a well-known file sharing service to exchange files with multiple users. Plaintiff, however, did not limit access to the files nor did they password protect the files and certain privileged records were inadvertently made available to the opposing party. The Court eventually ruled that the privilege was waived due to the failure to take reasonable precautions in protecting the data.
More recently, counsel for Alex Jones in the Sandy Hook defamation case inadvertently produced the contents of Jones’ entire phone to opposing counsel, and not just what was deemed to be relevant and not privileged. Complicating matters, the contents revealed multiple inconsistencies in the Jones’ representations, thus resulting in national headlines, waiver of privilege, and embarrassment. The implications of this inadvertent transfer are not yet fully known, though counsel for Jones has since been suspended for six months due to the failure to use technology correctly. It is notable that Jones’ counsel blamed the access error on a paralegal in his office.
Both cases exemplify Carl Sagan’s frequently referenced vision of a future in which individuals frequently use technology that they do not truly understand. Businesses often introduce new technology to their employees without the proper training, and then find themselves in troubling situations when the use of that technology leads to a data breach.
A best practice for the use of file sharing services is to ensure that employees only use approved systems on which they have been trained. In addition, the use of these tools should not be provided to all employees; only a discreet number of individuals should be allowed to use the service following training.
Vendor Security
When choosing a discovery provider, one must also factor in data privacy concerns. It is important to speak with prospective vendors regarding how they store their data and what type of certifications are in place. It is of utmost importance to understand where the client data will be stored. The lack of understanding of where data is hosted can lead to several bad outcomes, as occurred in GlaxoSmithKline v. Discovery Works Legal, Inc. matter, in which the vendor in question refused to return the client data (and threatened to destroy it), which was stored outside of the United States, unless the plaintiff paid the full disputed fees.
It is also important to understand what type of safeguards the vendor is taking to protect the client data it will be storing. Client data often sits on vendor systems for years, and so it is best to understand what certifications and policies are in place to protect large quantities of data in order to defend against an attempted breach.
Finally, with more and more attorneys working from home, data privacy considerations come into play during document review. Counsel should ask vendors how secure the document review platform is, whether two-factor authentication is implemented, and what type of permissions users are given. It would be best, for example, to not allow printing of documents given how often lawyers are working from home, and to require VPN access prior to being able to log into the review platform.
There are many more examples beyond what is listed above that involve data privacy issues that arise during the eDiscovery process. While one can never anticipate everything, it is best to have a well-trained staff and legal team who understands best practices in gathering, storing, and transferring data.
Ian McCauley is a director in Bayard’s litigation group and leads the firm’s eDiscovery practice. He can be reached at imccauley@bayardlaw.com.
