Key COVID-19 Considerations for U.S. Discovery and Information Governance

Many businesses have remote work and bring-your-own-device policies that cover access to company systems and information from personal devices. These policies may also state expectations or requirements for the management and security of company information. But these policies likely do not account for the rapid transition to virtual offices and remote work hastened by the COVID-19 pandemic. Among other challenges:

  • Segments of the workforce may be teleworking for the first time.
  • Those engaged in remote work may not be aware of or understand applicable policies and practices, and advance training may be (or might have been) impractical.
  • The rapid move to remote work may rely on a greater variety of devices, including home devices, that might not otherwise be favored. And in many cases, employee-owned, or even company-issued, devices may be shared with multiple users in the home (for example, students taking classes online).
  • Furloughs and workforce reductions in times of quarantine may complicate onboarding and off-boarding where legal holds are in place or are triggered during the pandemic.

COVID-19 and U.S. Statutes of Limitation

At the federal and state levels, there have been calls to suspend statutes of limitations during the COVID-19 outbreak. A number of states have already acted, but state approaches vary and are open to future changes as the challenges of the pandemic play out at the national, state and local levels. This uncertainty affects businesses considering when they must file actions and those assessing whether a risk of anticipated litigation has been extinguished. It also affects companies facing potential civil or criminal enforcement actions including, for example, those for whom the clock is running on antitrust merger reviews.

Although the global response to COVID-19 is unprecedented, suspensions of limitations periods in times of great business interruptions are not. Legislation was issued to toll limitations periods, for example, during the Civil War and the subsequent world wars. In more recent times, limitations periods have been extended to account for the aftermaths of hurricanes and Sept. 11, 2001.

Adapting E-Discovery Workflows to a Remote Work Environment

As courts and litigants adapt to the new normal by instituting social distancing measures through remote hearings and depositions, how we preserve, collect and produce documents should not be an afterthought. While the practice of e-discovery may already be well suited to remote work given the advanced evolution of technologies available to address challenges, below are five key areas to address in the current COVID-19 environment.

1. Litigation Holds: How Are Your Custodians Communicating and Saving Documents?

Now may be a good time to check in to determine whether any additional guidance should be given to custodians and system owners, given the fact that the majority of Americans are now working from home due to COVID-19 social distancing measures. Do your current Bring Your Own Device and Employee Document policies address the different ways your employees may be communicating and saving work? They may be using platforms, such as text messaging or instant messaging services, that are not employer-provided as a matter of practicality and convenience, or saving data locally to their personal devices. Have legal hold recipients been reminded of where they should or should not be saving data? A written reminder may help protect the employer and save the cost and time required to conduct a messy collection from personal devices or platforms. Out of an abundance of caution, legal holds may need to be supplemented to include personal devices.

2. Custodial Interviews: Then v. Now

Custodial interviews can be easily conducted over the phone or by videoconference. Factor into your questions the custodian’s work-from-home environment and how that may have changed their relevant practices. Best practices still weigh against custodial self-collections; use technology to collect and narrow data for review.

3. Remote Collections: Some Challenges Remain

Technology affords us the ability to remotely access an enormous array of electronic data on servers, in cloud environments and even on personal devices without leaving the comfort of our homes. However, there are still some sources that may require physical, on-site collection (think back to the olden days of paper files). If you have media or papers that cannot be physically accessed at this time, identify them as soon as possible and consider negotiating phased discovery with your adversaries and/or the court. Make sure that those sources are adequately preserved in the meantime. Postpone that discovery until such time as it is safe and permissible to collect the potentially relevant data. Diligence, transparency and cooperation performed now may avert a crisis down the road.

4. Off-Site Review: Find Alternative Means of Feedback and Supervision

Vendors who are hired to collect/review discoverable materials will likely have to do this job remotely given travel bans and social distancing measures, which may last well into the future. Most vendors and review platforms are well equipped for remote work, but valuable real-time feedback from project managers given to groups of reviewers all located in a designated review center may be lost as the team learns the case, particularized privilege issues and relevant universe. Utilize calls and videoconferencing to compensate for any potential loss of communication as reviewers work individually at home. Make sure that reviewers sign remote work policies that factor in security. Some vendors offer unique security add-ons—be sure to ask your vendors about their remote review offering.

5. Data Confidentiality and Security: Protect Your Client’s Information

With attorneys, vendors and reviewers now working remotely, don’t neglect ensuring that all the ways in which you are communicating, sending, reviewing and producing discovery are secure and adequately protect your potentially privileged and confidential information from accidental or malicious loss or disclosure. It has been widely reported that data security risks have increased in the age of COVID-19. Consult competent counsel to vet vendor contracts for appropriate security and liability provisions and protect your data.

The CLOUD Act and the Warrant Canaries That (Sometimes) Live There

The Clarifying Lawful Overseas Use of Data Act (Pub. L. No. 115-141 (2018)), or the CLOUD Act, was enacted in the U.S. on March 23, 2018, in response to difficulties U.S. law enforcement agencies (LEAs) had when attempting to gain access to data held by cloud service providers through Stored Communications Act (SCA) warrants, as the SCA did not contemplate cloud computing when it was enacted into law. LEAs were also forced to utilize U.S. Senate-approved mutual legal-assistance treaties (T.I.A.S. No. 10-201 or MLATs) or letters rogatory to access data stored overseas.

The CLOUD Act was occasioned by the U.S. v. Microsoft litigation, in which Microsoft had argued that it was not required to provide access to its users’ private data stored on Dublin servers. Microsoft lost the case in 2014, but won an appeal in 2016. The U.S. Supreme Court heard argument on the case in February 2018. Demonstrating the CLOUD Act’s importance for LEAs, in late March 2018 (immediately following the CLOUD Act’s passage), the U.S. Department of Justice (DOJ) asked the U.S. Supreme Court to drop the pending Microsoft litigation as moot, as the DOJ could (and did) alternatively use the CLOUD Act to issue a new warrant for the data held by Microsoft in Dublin.

E-discovery, the Cloud and Blockchain – How New Practices May Require a ‘Back to School’ Approach

The practice of e-discovery has always incorporated considerations of new and emerging technologies as well as related attorney competence. With the advent of cloud services and significant use by clients, e-discovery practitioners incorporated knowledge of those new platforms and offerings into their preservation strategies and requests for production, appropriately considering a variety of client and party uses of the cloud, especially for heavily used services such as email, customer relationship manager (CRM) platforms, and document storage and sharing. This focus on the cloud came to a head in the 2014 Brown v. Tellermate Holdings litigation, which examined the defendant’s use of a cloud provider and raised the following considerations for practitioners:

eDiscovery and Technology

Should All States Require Continuing Technology Education (CTE)?

For more than five years we have discussed the need for attorney competence in technology, especially as related to discovery in posts like this one and this one. As Electronically Stored Information (ESI) continues to grow, it is critical for all attorneys to understand ESI and evolving technology. This need for competence is only enhanced as the volume of ESI increases and new technologies and methods of creating, storing and sharing data emerge.

What the Working Party might be Thinking about Discovery – WP 261 Derogations to the GDPR

On Feb. 6, 2018, the Article 29 Working Party (Working Party 29) published Working Paper 261 (WP 261), which provided guidance on the provisions of Article 49 of the European Union’s (EU) General Data Protection Regulation (GDPR). This guidance was especially interesting to data privacy attorneys and litigators (primarily e-discovery practitioners) in the United States who had been considering the operation of GDPR Article 49 as it relates to cross-border data transfers undertaken in the context of litigation or regulatory investigations and had been looking at the derogations in Article 49 as a means to continue data transfers in those instances. Many of those attorneys had already been cautious when determining how to best protect the privacy of citizens of EU Member States when responding to litigation or regulatory requests that originated in the United States, which does not specifically recognize the same types of privacy protections and does often require the production of information that raises EU privacy concerns, and they were especially concerned with how the GDPR would further modify that calculus.

What Judges are really saying about Technology Assisted Review

Since the first judicial opinion endorsing the use of Technology Assisted Review (or TAR) was written by Judge Andrew J. Peck in 2012, an entire legal industry has grown up on the premise of streamlining the document review process in discovery – that is, taking a repetitive task traditionally performed entirely by attorneys and introducing the concept of computer assistance to increase efficiency and improve consistency. And while some of the marketing efforts surrounding TAR make it seem TAR can replace attorney review wholesale, some attorneys considering the use of TAR in litigation or in response to regulatory inquiries are more focused on ignoring the “buzz” and instead have zeroed in on what judges have actually said (and held) regarding TAR.

Social Media Privacy Settings May Not Protect Your Information From Discovery

Users of social media are likely familiar with privacy settings, and understand that setting their profiles to “private” ensures that people who are not friends, connections or followers cannot view their information and postings. However, it is equally likely that most social media users have not considered whether those privacy settings protect their information from production in litigation. The Court of Appeals of New York recently considered the issue.

What Controls: The Location of the Data or the Location of the Searches for the Data?

The U.S. Supreme Court recently heard oral arguments in U.S. v. Microsoft, tackling the question of whether an organization can refuse to disclose foreign-stored data sought by the U.S. government through domestic warrants. Currently, the Second Circuit says yes while other circuits tend to say no.

While several district courts have concluded that it is not an extraterritorial seizure to enforce warrants that require organizations to produce U.S. users’ account data stored in foreign servers, these decisions conflict with precedent from the Second Circuit Court of Appeals. The Second Circuit held that Microsoft could not be compelled to comply with a warrant if it meant producing foreign-stored data for use in a domestic case. Elsewhere in the United States, judges have rejected the Second Circuit’s decision, ordering the production of foreign-stored data pursuant to domestic warrants. These decisions follow the reasoning that a court can order the production of anything that can be accessed and delivered within the United States. Accordingly, no relevant extraterritoriality concerns are implicated despite the storage of data in a foreign location. Outside of the Second Circuit, it is clear that courts are focusing on where the access to and disclosure of the stored data occurs (domestically) rather than the location of the data (internationally). Conversely, the Second Circuit’s Microsoft decision focuses on the seizure of the data from a foreign location, which is where it locates the privacy violations and applies its extraterritoriality analysis.

Legislation could fix the differing interpretations, but despite near universal agreement that the Electronic Communications Privacy Act of 1986 needs to be updated and the repeated introduction of new legislation, Congress has been slow to act. Thus, both parties urged the Supreme Court to clarify the law during oral arguments in U.S. v. Microsoft, which focused on whether the search, retrieval, and disclosure of foreign-stored data constituted an extraterritorial act, and if so, how the law should apply.