U.S. data privacy laws pose complex issues for corporations, especially in the context of e-discovery. The associated risks are multi-faceted and subject to diverse internal and external agents. For example, the fragmented nature of data privacy laws at the state, national and international levels makes it increasingly difficult for an organization to track regulatory compliance. Furthermore, the rapid increase of data volumes in the “wild” (e.g., tablets, smartphones and the Cloud) is creating even more sources of private information. Understanding all of these data privacy issues and how they impact the e-discovery process is crucial for defensibly managing e-discovery in the United States.
The Current U.S. Data Privacy Landscape
Historically, there have been very few U.S. laws and regulations that specifically address data privacy rights, but that has changed in recent years. New data privacy laws at both the federal and state level have been enacted, and the interpretation of old privacy laws has changed, creating more stringent protections over an individual's private information. For corporations, which have essentially owned all the information that resided on their systems, this change has created waves. Today, corporations must navigate numerous laws that restrict how customer and employee information can be used.
Much of the information coming in or out of a corporation typically touches on some level of privacy protection. At the federal level, beyond the U.S. Constitution's Fourth Amendment, there are roughly 25 different acts, laws, statutes and regulations that address data privacy. Based on existing industry-specific privacy regulations, legal teams must approach data privacy from two perspectives: the employee and the customer.
Managing these two perspectives calls for addressing how employees share confidential data (e.g., HIPAA) and how customer information is protected (e.g., the Gramm-Leach-Bliley Act). These policies may also overlap with laws such as the Fair Credit Reporting Act, which gives the individual certain rights to access the information in the credit report, amend incorrect records, obtain an accounting or listing of disclosures of information, and restrict disclosures of personally identifiable information.
Where the government is requesting discovery of information held by a company, or a private entity is seeking the contents of communications stored by a third party, perhaps the most significant regulation impacting privacy is the Stored Communications Act (SCA) of 1986, which brings Fourth Amendment-like protections against unreasonable searches and seizures into the realm of electronic information, and addresses disclosure of communications in electronic storage and transactional records held by third-party Internet service providers (ISPs). In today's digital environment, corporations store a vast amount of discoverable information with third-party ISPs, cloud providers, social media sites and other evolving external networks. With more and more data being stored outside the corporate firewall, it is imperative that legal and IT teams become versed in how the SCA and other applicable laws affect their data privacy obligations and e-discovery processes. Companies also need to be aware that Congress is considering legislation to update and potentially expand the SCA's protections.
From a policy perspective, the U.S. is at a crossroads as to how to address data privacy rights: a laissez-faire, hands-off approach or a more regulated method. A recent Supreme Court case, U.S. v. Jones, 565 U. S. ____ (2012), a case that involved GPS tracking of a vehicle without a warrant, emphasized how technology is reshaping our ideas of privacy. While Fourth Amendment protection is designed primarily to protect individuals from unreasonable government search and seizure in criminal matters, Justice Sotomayor's concurring opinion speaks to a fundamental change in the way information is handled in today's digital age, suggesting the need “to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.” President Obama's administration recently laid out a series of aspirational principles it hopes will be enshrined into law, intended to give consumers a clearer understanding of how their personal information is handled online (a sort of privacy “Bill of Rights”), but private industry has been called to lead the way in reaching these goals.
While the direction of data privacy law may be somewhat unclear at the federal level, individual states are displaying a willingness to move aggressively towards the adoption of broader privacy protections. Currently, 46 states have some type of data privacy law on the books. Most of these laws address data breaches and notification requirements for especially sensitive information, such as Social Security Numbers, medical information, taxpayer ID or credit card information. In addition, many states are considering data privacy protections that go well beyond the traditional breach notice laws.
Even with the SCA and greater state privacy regulations, U.S. data privacy laws should still be considered a work in progress, and their relationship to e-discovery disputes continues to evolve. Courts are being forced to find a way to resolve these pending data privacy disputes one way or another. A good example from a litigated social media case is Zimmerman v. Weis Markets, Inc. (Pa. County Ct. May 19, 2011). The court highlighted three key overarching data privacy principles that may serve as a barometer of how the courts will treat these issues in discovery going forward: 1) A litigant may have no special privacy rights in non-public sections of social websites; 2) The pursuit of truth as to the alleged claims is still a paramount ideal of the courts; and 3) Discovery will be liberally allowed provided that it may lead to relevant information.
U.S. Data Privacy Best Practices for e-Discovery
So what should corporations do to address e-discovery in this diverse and uncertain judicial and regulatory climate? Simply understanding that they are in possession of personal and private data that may be sought in litigation and that there are consequences for improper use or disclosure is an important first step when it comes to implementing proper protections.
Following are seven privacy-related e-discovery best practices that all legal and IT teams should consider:
1. Adopt a Privacy Program
Before litigation arises, adopt an all-inclusive program that incorporates state, federal and international obligations relating to privacy, including social media and the web. The program should take into account all regional and operational locations of the corporation.
Identify and specify what should be done with employee and customer private data, how to handle it and under what circumstances it can be disclosed.
Implement protocols for managing data breaches. This may involve creating a “crisis” team that utilizes a standardized process to identify the scope of the breach, notify the data owners (employees or customers) and execute a remediation plan.
Obtain buy-in and sign-off from department heads and executives in the organization. Documentation helps avoid finger pointing and helps keep everyone on the same page.
Most importantly, enforce the program and continually educate the workforce on its purpose to ensure full compliance.
2. Open the Lines of Communication Between Legal And IT
Legal teams need to avoid the “silo mentality,” where groups with different competencies, namely IT and management, do not communicate effectively, resulting in flawed processes and poor outcomes. IT should be brought on board early, perhaps through a selected liaison with one foot in both divisions, who can build trust and exert influence where necessary.
3. Understand Where Data Is Located
Undertake a comprehensive assessment of the personal data stored, how it's being used, and how current privacy policies and practices apply.
Create a working data map to help identify where personal and private information is located within and outside the corporation's data infrastructure.
For information stored in the Cloud, evaluate and assess what protections the chosen cloud vendors provide, keeping in mind that some vendors reserve the right to mine all data stored in the Cloud service, using it for business purposes.
4. Conduct a Contingent Risk Analysis
Both prior to and at the time of a legal action, assess the potential privacy issues implicated and whether reasonable steps have been taken to protect private information.
Leverage technology to identify how employees are accessing and disclosing data.
Sample data to determine if private information exists within the information in question.
Employ access control rights to limit how or when information is accessed, safeguarding private information from improper use.
5. Discuss Potential Privacy Issues Before Collecting Data
Before engaging in litigation-related data collection, schedule a formalized discussion with the identified custodians, general counsel, IT and executive team.
Discuss and evaluate the potential privacy concerns to determine what data may be relevant, the appropriate timeframes, potential costs and discovery scope.
Leverage the FRCP Rule 26(f) “meet and confer” process to negotiate the appropriate protections needed to ensure that the protective steps are approved and do not result in the exposure of private data in later production stages. If opposing counsel is uncooperative, utilize the FRCP Rule 16 scheduling order process, which enables the judge to intervene, so that further protections can be put in place.
Specifically segregate and identify private information so that it can be dealt with appropriately (e.g., redaction, production under a confidentiality designation, production with limited access for the other party, etc.).
6. Employ Procedural Safeguards Before Data Is Collected and Disclosed
Unfortunately, when it comes time to collect data, legal teams will generally collect a lot of personal and private information in discovery, enter into a general protective order, and produce the data to opposing counsel without adequate consideration of privacy obligations. The following steps can prevent this from occurring:
Utilize procedural safeguards to make sure that private and personal information is protected, which may call for a specific confidentiality agreement.
Seek the individual's consent before production, giving employees the opportunity to object, intercede and, if necessary, stop the production.
If private data has already been produced, file a protective order or a motion to quash to preclude the production of certain private and personal information, which may further shield the data producer from liability.
7. Create Matter-Specific Protocols
Ultimately, the goal is to utilize e-discovery software that builds in repeatable, defensible processes for identifying whether a dataset contains private information well before production. In the absence of this technology, legal teams should leverage specific data privacy protocols based on matter type and specific privacy obligations (HIPAA, Gramm-Leach-Bliley Act, etc.). It's important to remember that these best practices apply not just in the civil context, but also in criminal law and government investigations, such as administrative proceedings or administrative inquiries.
Conclusion
Data privacy laws are significantly impacting how data is stored, managed and produced in e-discovery. As the laws continue to mature and evolve, corporations face a tremendous increase in potential exposure and liability when it comes to safeguarding private information. These risks are not easy to manage, especially given the fact that corporate information is growing at a staggering rate, and e-discovery often casts a very wide net. Taking into account these challenges, the best advice for corporations is to be proactive in assessing risks, formulating policies and procedures, and harnessing technology to avoid negative future consequences.
David A. Sorensen is a partner at Hinshaw & Culbertson, LLP in Chicago. He is a co-founder of Hinshaw's legal ethics blog: http://blog.hinshawlaw.com/theethicalquandary/. Michael Hamilton is an e-Discovery Analyst for Exterro, Inc. He is a regular blogger on The E-Discovery Beat: www.exterro.com/e-discovery-beat/.