Legal Tech: Spring 2020 E-Discovery and Privacy Case Review

This fight between the parties was one out of a long line of discovery disputes. The court thought it resolved these disputes around text messages by ruling that text messages would only be produced from a certain type of custodian and no forensic review was necessary. But at the end of the discovery phase, the plaintiffs requested additional text messages, which the defendant felt was:

• Too costly (estimated $27k – $150k);
• Too broad (over 100 cell phones); and
• Not relevant (supervisors are higher "several rungs" above the custodians who are relevant to the case).

Based on these factors, the defendant "contend that this discovery demand does not satisfy the proportionality principles embodied in Rule 26."

Ruling

• Alternative Remedy by the Court. While declining the plaintiffs request for additional text message discovery, the court recognized "that a more narrowly tailored request, supported by a more specific showing of relevance, might be appropriate." The court ruled that the plaintiffs should modify their request.
• Focus on Cooperation and Resolving this Dispute Without the Court. The court instructed the parties to work together to identify a relevant and proportional scope for the request stating, "The parties should then consult, confer, and attempt to agree upon the scope of any carefully tailored, relevant search for such data." If terms can't be agreed upon then the parties may involve the court.
• Balancing of Private Information Included in Request. Courts are emphasizing and aware of the privacy implications of producing broad social media and text message when ruling on these requests stating, "we must be mindful of the fact that social media is at once both ubiquitous and often intensely personal, with persons sharing through social media, and storing on electronic media, the most intimate of personal details on a host of matters, many of which may be entirely unrelated to issues in specific litigation."

"While it is clear that relevant (and proportional) texts are discoverable, the document request should specifically make clear when texts are being sought," says Andrew Peck, former federal judge currently with DLA Piper. "The defense did the right thing in not just saying the request would be costly, but actually providing specific cost information to the court. Finally, the court's reference to social media seems out of place when the issue is texts, but that is because plaintiffs were seeking a forensic image of the phones in order to capture the texts."

*****

Court Says U.S. E-Discovery Rules Trump GDPR

Finjan, Inc. v. Zscaler, Inc. N.D. Cal. Feb. 14, 2020

International organizations are put in a difficult situation when litigation involves data stored abroad. But time and time again, no matter what the foreign interest is, in most cases U.S. courts won't stop the discovery of data stored in the EU.

In this patent infringement case, the discovery dispute arose around the defendant being unwilling to produce emails from a former employee located in Europe.

This refusal stemmed from two primary reasons: 1) producing the requested emails would violate the GDPR; and 2) The request was unduly burdensome, as it included irrelevant personal data. Even if the production request was valid, the defendant argued that it was very expensive, and thus disproportionate to anonymize the personal data.

The plaintiff countered that any anonymization of the requested employee's personal data would make the production of the emails pointless since that's exactly what the plaintiff wanted to understand to try their case. The plaintiff did offer an alternative remedy, that the requested emails could be reviewed only by the plaintiff's legal team, preventing any public distribution.

Ruling

• No Preclusion of Producing EU Data. After applying a five-factor test to determine whether foreign interests would outweigh the U.S. interest in production, the court ruled that U.S. interests should prevail and the defendant should produce the requested emails.
• Factors Weigh in Favor for Production. In making this ruling, the court determined in regard to each factor in the test: 1) The requested documents were important to the case; 2) The production request was narrowly tailored; 3) The data was in the UK but in the possession of a U.S. company; 4) The documents were only available from this foreign source; and 5) The balance of national interests favored production, weighing the U.S. interest in enforcing patent rights against privacy interests that could be safeguarded through a protective order.
• Conflicting Claims. The court further held that the parties made conflicting claims about whether this production would violate the GDPR and that the defendant had not provided information about the likelihood of enforcement.

"Global companies are increasingly caught between U.S. discovery requirements and GDPR prohibitions against producing personal data from Europe," says David Cohen, Chair of E-Discovery for Reed Smith LLP. "Here the defendant might have strengthened its arguments by showing that equivalent evidence was available in the U.S. and that a protective order alone would not satisfy the GDPR or preclude enforcement."

*****

Information Commissioner's Office Files First GDPR Fine for Doorstep Dispensaree

While this is a European case, it's worth mentioning in tandem with the prior GDPR-related case — as well as noting that this is the first real fine for failing to ensure the security of physical documents. Doorstep Dispensaree has been fined £275,000 (U.S. $356,000) for the improper disposal of nursing home records. While Marriott and British Airways have also received penalties related to breaches, but not for these violations.

The London-based company, Doorstep Dispensaree, which supplies medicine to thousands of elderly nursing home residents, improperly retained and stored away 500,000 medical documents containing personally identifiable information (PII). The documents were found outside their offices in unsecured containers that had been exposed to the elements.

The PII included:

• Patient Names;
• Birth Dates; and
• Medical and Prescription Information.

It's estimated that hundreds, if not thousands of individuals could have been impacted by the improper disposal of these files.

How this Violated GDPR Regulations: By failing to keep patients records secure, Doorstep Dispensaree violated the GDPR's integrity and confidentiality principle. This states that personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

When Does GDPR Apply? Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.

Complying with GDPR: Classify your data and get rid of it when it's beyond its regulated use. Businesses must find any PII that can directly or indirectly identify somebody. It's important to identify where it is stored, who has access to it, who it is being shared with and how it is being disposed of.

"This is a good example of why organizations must address two critical areas of compliance that often seem to fly under the radar still today: retention and paper records," says Stuart Davidson, Exterro's European Marketing Director. "The 'careless' storage of patient data and failure to effectively operationalize data retention, contravened various articles in the GDPR and was sufficient for the ICO to award this hefty fine. Unfortunately for the London pharmacy, this has become a well-known case study for others to learn from."

Conclusion

As data volumes continue to balloon — making e-discovery more complicated and expensive — data privacy laws are pushing organizations to do a better job of enforcing record retention standards to ensure they're keeping only the data that serves a business purpose. Keeping only necessary ESI can not only help prevent against data breaches (or a fine for unsecured data, as Doorstep Dispensaree learned), but also during litigation. Enforcing retention standards is a good foundational step for complying with both new data privacy laws and traditional e-discovery requests.

*****

Mike Hamilton is the Director of Marketing at Exterro. With a legal and business background, Mike is experienced and passionate about creating thoughtful, out-of-the-box educational resources that help keep legal teams interested and on top of emerging need to know e-discovery issues.