E-discovery, Privacy, and Cybersecurity Law
During the pretrial discovery phase of litigation, parties in a dispute are required to produce information, documents, and other evidence related to the case. In an increasingly digital world, electronic discovery, or e-discovery, has become a critical component of this process. This refers to the discovery of relevant electronically stored information (ESI) such as emails, text messages, databases, images, and spreadsheets.
Privacy and security are critical considerations during e-discovery due to the elevated risk of theft or leakage while data is transferred from one system to another. Because the process typically involves extremely sensitive information such as intellectual property, executive communications, strategic projections, and financial data, e-discovery repositories have become high-value targets for cybercriminals.
Furthermore, e-discovery can involve vast amounts of data. One expert has suggested that a typical matter might comprise 100 gigabytes of data, or roughly 6.5 million pages’ worth of Microsoft Word documents. The challenges associated with identifying, preserving, collecting, preparing, and reviewing large volumes of ESI raise the odds of inadvertent disclosure of privileged matter or a cybersecurity breach.
When E-Discovery Goes Wrong
Often, the timetable for e-discovery is short, and parties can face costly sanctions under Federal Rule of Civil Procedure 37 for failing to meet court-imposed deadlines or produce discoverable matter. Given the stakes, law firms often contract with an e-discovery vendor to oversee the production process. Such vendors have specific expertise with information technology, legal requirements, and data protection.
Even with a third-party vendor, however, the ABA advises attorneys to remain on high alert during e-discovery. It cites the 2017 data leak in Mill Lane Management, LLC v. Wells Fargo Advisors, LLC as a cautionary tale.
After using an e-discovery vendor to search for relevant documents, an attorney for Wells Fargo sent the information to opposing counsel, but mistakenly included confidential information about some of the bank’s wealthiest clients. The plaintiff and his lawyer took that information to The New York Times, which produced a front-page story about the leak. While The New York Times did not reveal confidential information, it noted that the leaked files “included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them.”
The bank’s counsel later claimed that the e-discovery vendor’s software was confusing. In an affidavit, the attorney reviewing records said she did not realize she was looking at a preview mode that did not show all of the documents.
An Attorney’s Responsibilities
Confusing software does not relieve an attorney of the obligation to maintain the confidentiality of client data. Rule 1.6 of the American Bar Association Model Rules of Professional Conduct states that “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent,” with only a limited number of exceptions. Most state bar associations have adopted the ABA Model Rules or comparable codes of ethics.
Plaintiff’s counsel in Mill Lane Management also had a responsibility to protect the opposing party’s data. Under the Sedona Principles, all parties and their attorneys “should take reasonable steps to safeguard electronically stored information.” Practitioners are also warned that common e-discovery practices don’t fully address privacy concerns.
Under Federal Rule of Civil Procedure 26(b)(1), “parties may obtain discovery regarding any nonprivileged matter that is relevant to any party's claim or defense and proportional to the needs of the case.” However, relevant ESI is typically mixed with other data, including sensitive personal information. Because it can be difficult to untangle this information from discoverable matter, parties may run afoul of privacy regulations.
Reducing E-Discovery Risks
There are a number of steps attorneys can take to reduce e-discovery risks. First, attorneys should stay abreast of the technologies used in e-discovery, even if they rely on a third-party vendor. Law firms should also implement review processes that involve senior attorneys as appropriate. While e-discovery is often delegated to junior attorneys and support staff, the attorney most familiar with the case and the client should review sensitive information.
To minimize the potential for disputes and ensure that adequate security measures are in place, the parties to the litigation should negotiate a protective order that spells out their responsibilities. Typical provisions include:
Access to a party’s ESI should be allowed only on a need-to-know basis and restricted to computers that are kept in a secure area to limit physical access. Data should be encrypted, the number of copies of ESI should be strictly limited, and all copies should be destroyed when the litigation is complete.
The receiving party should be obligated to return any privileged or protected material that is inadvertently disclosed. The “clawback” provision should state that the disclosure does not operate as a waiver of the privilege or protection.
The parties should be required to assess the security and privacy controls used by any e-discovery vendors or other third-party service providers that store or access ESI. Each party should provide a list of all such vendors used.
The receiving party should be required to promptly notify an opposing party of a security breach involving the party’s ESI, take steps to block any unauthorized access, and cooperate with any investigation.
The e-discovery process requires parties to disclose sensitive information to litigation opponents. At the same time, attorneys are obligated to protect client confidentiality, and parties who receive discoverable matter are expected to take reasonable steps to protect it. Sound e-discovery practices coupled with a well-drafted protective order can balance these opposing interests and reduce security risks.
Learn More About Data Security and the Law
As e-discovery grows, privacy and security will continue to be critical considerations. Cybersecurity and privacy legal experts will be increasingly needed in both the public and private sector. Purdue Global Law School offers an online Executive Juris Doctor program with a law and technology track that provides advanced legal training on cybersecurity issues. Single courses in technology and the law are also available.