Part of the Solution

Idealistic musings about eDiscovery

Tag Archives: Electronically Stored Information

RIP, Safe Harbor

“Decision 2000/520 is invalid.”

Those few words were all it took for the European Union Court of Justice (ECJ) to shoot down the “Safe Harbor” data agreement between the US and EU on October 6. To paraphrase the prolix paragraph that preceded those four words, the ECJ ruled that the Safe Harbor agreement notwithstanding, each EU nation still retained its power to review claims of personal breaches of data privacy rights; thus, the agreement has no effect.

From Hogan Lovells:

Safe Harbor was jointly devised by the European Commission and the U.S. Department of Commerce as a framework that would allow US-based organisations [sic] to overcome the restrictions on transfers of personal data from the EU.  Following a dispute between Austrian law student Max Schrems and the Irish Data Protection Commissioner, the [ECJ] was asked to consider whether a data protection supervisory authority was bound by the European Commission’s decision that Safe Harbor provided an adequate level of protection for European data.

Eric Levy summarized the fact situation nicely:

Schrems, an Austrian citizen and a Facebook user since 2008, alleged that Facebook should not be allowed to transfer the personal information of its subscribers from its Irish servers to servers in the US. In the light of revelations made in 2013 by Edward Snowden concerning the activities of United States intelligence services like the NSA, Schrems contended that the law and practices of the United States, including Safe Harbor, offered no real protection against surveillance by the United States of personal data transferred to that country. On October 6, 2015 the ECJ agreed with him.

The New York Times has also written a tight, more complete version of the back story.

According to Hogan Lovells, supra, the death of Safe Harbor means:

  • Transfers of personal data from the EU to the US currently covered by Safe Harbor will be unlawful unless they are suitably authorized by data protection authorities or fit within one of the legal exemptions.
  • Multinationals relying on Safe Harbor as an intra-group compliance tool to legitimize data transfers from EU subsidiaries to their US parent company or other US-based entities within their corporate group will need to implement an alternative mechanism.
  • US-based service providers certified under Safe Harbor to receive data from European customers will need to provide alternative guarantees for those customers to be able to engage their services lawfully.

So, instead of a single EU-wide privacy benchmark to apply when companies send foreign citizens’ personal data back to the US, each EU country can now apply its own standards for data privacy. This is likely to mean that some EU countries will suspend transfer of their citizens’ data to the US altogether.

During discovery, US judges had already shown a rather dismissive attitude toward foreign data privacy rights, so long as that data might prove discoverable in the US court. “I don’t care how hard it might be for you to get that data,” some judges had said, “that’s not my problem. It’s your case, and your data, so do it or face sanctions.” Huron Consulting had summarized:

Thus, U.S. courts where a lawsuit is filed and where the parties have appeared are likely to enforce U.S. rules of procedure regarding requests for discovery of information housed overseas, yet the countries where the information is housed may sanction parties who produce information protected by the privacy rules or without complying with the Hague Convention.

That was the best-case scenario under Safe Harbor. Now, the 28 EU nations previously bound by the agreement are free to apply their own data privacy rules to information housed in computers within their borders.

There is no “effective date” specified in the ECJ’s ruling, implying that Safe Harbor is dead as of now. However, Norton Rose Fulbright suggested prior to the ruling that panic is unnecessary:

If the ECJ finds that [Member State Data Protection Authorities (DPAs)] have the authority to make their own determinations as to whether certain types of transfers under the Safe Harbor are valid, there would be no immediate legal effect on the legality of transfers relying on the Safe Harbor. The Irish proceedings that gave rise to Schrems would continue, and other complaints would likely be filed to seek review by the Irish and other DPAs. While these proceedings could ultimately lead to data transfers being found invalid, this process would take months or years. Meanwhile, the European Commission would have more time to reach a new Safe Harbor agreement with the US, offering the DPAs an opportunity to find that the enhanced framework addresses their concerns.

If you have pending litigation involving electronic data that you thought your clients produced in compliance with their Safe Harbor certification, do your own research and reconsider your collection and production strategies in light of the meager guidance provided by the ECJ and in the references quoted here.

This is gonna get interesting.

Chain Chain Chain …

Here’s a worthy reminder from Amy Bowser-Rollins of the need to maintain chain of custody logs while collecting eDiscovery. With all the emphasis these days on TAR, it’s nice to be reminded of the fundamentals every once in a while.

“The man who complains about the way the ball bounces is likely the one who dropped it.” – Lou Holtz

If ESI Isn’t Inaccessible, Better Speak Up

I don’t know if I’m more impressed that the author’s name is “Gary Discovery”, or that the wisdom contained in his note is so cogent, but this author cites a new Pennsylvania case in which the judge presumed ESI to be inaccessible where neither party contended otherwise. In this case, the result was that the costs of production shifted to the requesting party.

The requesting party should submit to the court that the ESI sought is accessible to avoid both a presumption of inaccessibility and the possibility of cost-shifting.  Requesting parties should not leave it up to the producing party to bear the burden of showing that the ESI is inaccessible because the courts are now willing to presume this finding if neither party contends otherwise.

The Terminal Legal Hold: Pippins v. KPMG

I came up with the term “terminal legal hold” to describe the situation faced by an enterprise which can’t bring itself to delete obsolete data, lest any of that data be potentially responsive in future litigation and the organization’s document destruction policy couldn’t pass the Zubulake v. UBS Warburg “systematic and repeatable” test. The enterprise fears sanctions so greatly that they never delete anything. For obvious reasons, this isn’t a best practice.

A New York federal court, however, has now tacitly approved of — indeed, ordered — the “terminal legal hold”.

Pippins v. KPMG is being litigated before Magistrate Judge James L. Cott, in the Southern District of New York. KPMG is being sued by two as-yet-uncertified classes of audit associates who claim that they were misclassified as exempt employees under the Fair Labor Standards Act, and therefore are owed overtime pay. There are as many as 9,000 potential class members, and thus as many as 9,000 hard drives which they may have used. Counsel for the two parties could not agree on the sampling criteria or the number of drives to include in the sample. KPMG asserted that the cost to preserve the more than 2,500 drives currently in its possession was more than $1.5 million, and proposed that for the sake of proportionality, one hundred randomly-selected hard drives should be preserved as the sample set.

On October 11, Judge Cott ruled that KPMG has to preserve the hard drive of every potential class member. Because the district judge had not yet ruled on class certification, every auditor was a potential plaintiff and therefore a “key player” as defined in Zubulake v. UBS Warburg. “With so many unknowns involved at this stage in the litigation,” Judge Cott wrote, “permitting KPMG to destroy the hard drives is simply not appropriate at this time.”

KPMG filed an objection brief to the district judge on October 28, writing, “The ‘key player’ analysis has never been extended to require the preservation of ESI of every potential member of a putative class or proposed FLSA collective action.” Also:

[N]ever has it been held that an employer on notice of a putative class action or proposed collective must impose a ‘litigation hold’ and preserve ESI (among other materials) for every current or former employee who theoretically could bring an individual action in the future. If companies were required to retain documents whenever there is a mere possibility that they could be sued, they effectively would face a perpetual duty to preserve and thus would be unable to implement document-retention policies.

In other words: a terminal legal hold. Leonard Deutchman referred to this today as “the perfect e-discovery storm”:

At virtually the earliest moment in the litigation, the plaintiffs require the defendant to spend a remarkable amount of money simply on preservation — the cost to search, review and produce e-discovery has not yet even been discussed. … If the legal claims are insufficient or the class uncertifiable, millions will have been wasted in preservation; if, however, the allegations are shown to be strong and the class intact but the drives are not preserved, the defendant may then have been allowed to destroy, or let be destroyed, the mythical smoking gun ESI. Because the cost of preservation is so high, the issue of cost has arisen earlier than it usually does (when calculating the costs of processing, searching and production) — so early that neither side has the facts to support its position. Thus, the potential for gross injustice lies in taking either position.

This led to the filing of an amicus brief by the United States Chamber of Commerce on November 8, arguing that the magistrate judge got it wrong. “‘Key players’ … could not, and does not, embrace every member of a putative class of thousands. … Put bluntly: no absent member of a properly certified class or non-party to a properly certified collective action should be a ‘key player.’”

Judge Cott may have gotten the “key player” analysis wrong, but Deutchman argues that the judge otherwise made the right call:

As a legal matter, and as a way of governing e-discovery practice, the court was wise to enforce the rules as they are by denying both sides’ motions, advising the defendant to allow the plaintiffs to examine the sample drives and letting the parties then act in their enlightened self-interest. In so doing, the court instructs those who follow to act as the defendant should have rather than as it did. Cooperation generally works when the parties act in their enlightened self-interest. By interpreting the rules properly, the court “enlightened” the defendant as to what its self-interest truly was. Presumably it, and those reading the opinion, will now know how to act.

My take on this: Judges are typically referees, and should not take it upon themselves to rescue parties from their own mistakes. However, every rule has an exception, and this strikes me as a valid one.

KPMG said that preserving each hard drive would cost them $600; multiply by 9,000 hard drives, and they will have spent $5.4 million before processing a single file. Even if KPMG should have made stronger efforts at cooperation with respect to sampling of the preserved hard drives (and, in my opinion, they should have), Judge Cott’s decision sets a dangerous precedent in favor of dilatory plaintiffs who would rather win their case through expense and attrition than on the merits.

While as a commentator I’d like to be less cynical and believe that most plaintiffs want their cases litigated fairly, my experience as a defense litigator has taught me otherwise. If a savvy plaintiff’s lawyer sees an opportunity to make a case so expensive for the defendant that the defendant will gladly settle, regardless of culpability, the lawyer will gladly do so. The higher the potential expense, the greater will be the amount of the settlement. If Judge Cott’s order is allowed to stand, the mere threat of class certification would be enough to cause large defendants to reach for their checkbooks rather than begin the expensive task of preserving hard drives that might contain evidence that might be of use in some unspecified, unfiled, and unthreatened future litigation. The net result? Cases won’t be tried on the merits, and no enterprise will delete anything ever again.

I would have preferred Judge Cott force the parties to agree on a sampling protocol, appointing a special master if need be, and allowing KPMG to manage its own preservation of hard drives upon pain of sanctions if they mess it up (the cost of which, in all likelihood, would be far less than the cost of preserving all 9,000 hard drives).

(Update 1/9/12: Law.com’s Evan Koblentz reports this morning that the parties may reach a resolution on this issue.)

Legal Hold Notifications: Is E-Mail Good Enough?

An e-mail exchange this morning with one of our product managers has got me thinking … and that’s always dangerous.

Most enterprises that issue legal hold notifications to their custodian employees use good ol’ e-mail. The hold notification gets pasted into the body of the e-mail, and off it goes, (theoretically) to the recipient. Perhaps the e-mail was sent with a return receipt requested; and if the recipient is feeling generous, that receipt just might come back to prove that the message was received. As for whether the notification ever gets read? Well, we’ll just have to assume the best, won’t we?

Problem is, this isn’t a very practical solution. First, let’s look at the logistics. E-mails are not only subject to one-click deletion, but (at least in Microsoft Outlook and Exchange) can also be subject to custom routing rules. A user with the appropriate software permissions can easily create a rule to route all e-mails from, say, the Office of the General Counsel directly to the “Deleted Items” folder.

E-mail retention on the enterprise level also tends to be subject to shorter data preservation times than other types of electronic documents. If a custodian is on vacation when they get the e-mail, there is a possibility that the e-mail may not be there for download when the custodian gets back.

Finally, even if the e-mail is delivered in a timely manner and doesn’t get deleted, there’s no guarantee that the custodian will actually read it. And even if they do read it, they have the option (again, in Outlook; I don’t know about other systems) of denying the sender’s request to return a receipt.

The point of all this is that the enterprise remains vulnerable to “plausible deniability”. If a custodian can be shown to have read the hold notice, and they then proceed to violate it by spoliating evidence, the enterprise can likely protect itself from liability by arguing that in violating the hold notice, the custodian was acting outside the course and scope of their employment. Without that proof, the enterprise may remain firmly on the hook.

Now, the content of the hold notice itself is probably privileged from discovery under attorney-client privilege and attorney work product privilege. However, the process of issuing that hold notice, and of obtaining proof of receipt, may not be privileged. In the recent case Cannata v. Wyndham Worldwide Corp., 2011 WL 3495987 (D. Nev. Aug. 10, 2011), the court held that the opposing party was entitled to know “what has actually happened in this case, i.e., when and to whom the litigation hold letter was given, what kinds and categories of ESI were included in defendant’s litigation hold letter, and what specific actions defendant’s employees were instructed to take to that end.” (Emphasis mine. I commend to you Dennis Kiker’s excellent discussion of the Cannata case at his blog.)

At Autonomy, our legal hold software notifies the custodian via e-mail that they have a message awaiting them from the GC’s office, and to click on an enclosed link. The link serves a form from our workflow management engine, completely independent from the e-mail, containing the language of the legal hold notification, and requiring an electronic signature as acknowledgment that the form has been received and read. This ensures that the custodian cannot claim, “I didn’t get the e-mailed notice; and if I did, I deleted it; and if I didn’t delete it, I didn’t read it, etc.,” as a way to shift liability for spoliation back onto the enterprise. To me, this seems a MUCH better and safer practice that is more likely to withstand judicial scrutiny. (This is my opinion, not influenced by anyone at Autonomy, and I firmly and personally believe what I have written here.)

The Zubulake V opinion (229 F.R.D. 422, 433 (S.D.N.Y. 2004)) set the standard quite plainly: “[A] party cannot reasonably be trusted to receive the ‘litigation hold’ instruction once and to fully comply with it without the active supervision of counsel.” So why do so many counsel continue to insist that an e-mail “blast” of hold notices is good enough? Food for thought …
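The acknowledgment workflow described above can be sketched as follows; this is an added example, not Autonomy's software and not code from the original post. It assumes a hypothetical `HoldLog` class and `link_token` helper: the e-mailed link carries a token bound to one custodian and one hold, and every issuance and acknowledgment is appended to a hash-chained log, so the "when and to whom" record asked for in Cannata exists independently of the mailbox.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: one server-side secret; a real deployment would load it from a key store.
SERVER_KEY = secrets.token_bytes(32)
GENESIS = "0" * 64

def link_token(hold_id, custodian):
    """Token placed in the e-mailed link; valid for one custodian and one hold only."""
    msg = f"{hold_id}|{custodian}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class HoldLog:
    """Append-only record of who was sent a hold and who acknowledged it."""

    def __init__(self):
        self.entries = []

    def _append(self, event, hold_id, custodian, notice, when):
        body = {
            "event": event, "hold_id": hold_id, "custodian": custodian, "when": when,
            # Hash of the notice text ties the entry to the exact wording served.
            "notice_sha256": hashlib.sha256(notice.encode()).hexdigest(),
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        body["entry_hash"] = _digest(body)
        self.entries.append(body)

    def issue(self, hold_id, custodian, notice, when):
        self._append("issued", hold_id, custodian, notice, when)
        return link_token(hold_id, custodian)

    def acknowledge(self, hold_id, custodian, token, notice, when):
        expected = link_token(hold_id, custodian)
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False  # token does not match this custodian and hold: nothing recorded
        self._append("acknowledged", hold_id, custodian, notice, when)
        return True

    def outstanding(self, hold_id):
        """Custodians who were sent the hold but have not acknowledged it."""
        seen = {"issued": set(), "acknowledged": set()}
        for e in self.entries:
            if e["hold_id"] == hold_id:
                seen[e["event"]].add(e["custodian"])
        return sorted(seen["issued"] - seen["acknowledged"])

    def verify(self):
        """True if every entry hashes correctly and links to the entry before it.
        Truncating the tail of the log is not detected by this check alone."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```

`outstanding()` gives counsel the list of custodians to chase, which is the active supervision an e-mail blast with optional read receipts cannot provide.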

The Ethics of Lawyers’ Fees in eDiscovery

[Note: This was originally written as part of an article for a print publication for Texas lawyers, but was cut from the publication draft. Most references to the Texas Rules of Professional Conduct (TDRPC) can also be read to refer to one of the ABA Model Rules of Professional Conduct. – Gary]

It is certainly no surprise to any member of the Texas bar that TDRPC 1.04(a) emphasizes, “A lawyer shall not enter into an arrangement for, charge, or collect an illegal fee or unconscionable fee[.]” This means that, in addition to charging clients reasonable fees for the work the attorneys do personally, they should not artificially inflate the fees passed through from, let’s say, a team of document review attorneys. These temporary attorneys typically work for an outplacement firm, and get paid $25-35 per hour for their time reviewing documents (increasingly, all electronic) as part of the first-pass document review. The outplacement firm marks up these fees in billing the law firm. Frequently, the law firm will then mark up the fees again in billing its client.

This raises the ethical question: How much can a firm ethically mark up the contract attorneys’ time? Most people would not consider a reasonable markup indefensible (after all, the law firm has overhead costs too). But how much is “reasonable”? Let’s presume that you hired an expert witness who charged your firm $15,000 for his services, but the firm billed the client for $50,000 for the expert. Most grievance committees wouldn’t blink at issuing sanctions for this egregious markup.

Similarly, firms mark up the fees of their staff attorneys. However, given that contract reviewers are not technically engaged in the practice of law when performing first-pass document review (they do not, after all, determine how the documents they review fit into the theory of the case), at what point does the firm’s markup cross the line into “an illegal or unconscionable fee”? One team of bloggers has argued that since contract review attorneys exercise no independent legal judgment, they are essentially “a piece of office equipment” and therefore, like charges for copies or courier fees, they should have their costs marked up only minimally.

Except in the context of attorney fee awards generally, courts haven’t yet wrestled with the ethical implications of contract review attorney markup. A malpractice case pending in L.A. Superior Court, J-M Mfg. Co., Inc. v. McDermott Will & Emery, will likely shed some light on this issue eventually. The plaintiff has sued the McDermott law firm claiming that they did not adequately supervise an outsourced document review project, and that as a result, some 3,900 privileged documents (out of about 250,000 total) were produced that should not have been. This matter, however, will take years to result in a written opinion. [Many thanks to Joe Howie for posting the Complaint.]

The notion of “reasonable fees” goes beyond merely marking up an outside reviewer’s bill. A trio of respected commentators – Patrick Oot, Anne Kershaw, and the aforementioned Joe Howie – have argued that in ESI collections, failure to utilize technology to consolidate duplicate records prior to review, thereby requiring multiple reviewers to look at exactly the same content to make exactly the same responsiveness and privilege decisions (each of whom must of course bill for their time separately), is by definition double-billing and, therefore, unethical. They wrote:

If ediscovery were a small part of litigation and duplicate consolidation had an imperceptibly small impact on ediscovery, the whole debate might be dismissed under the rationale of de minimis non curat lex. However, the cost of ediscovery in general, and the cost of relevance and privilege reviews in particular, have been a major concern for years. There are no excuses for “not getting it” when it comes to ediscovery. Lawyers who bill hundreds of dollars an hour are implicitly promising a certain level of competence that would include the basic notion of consolidating duplicates.

These commentators go on to note, “[L]awyers are making representations to their adversaries and to the courts regarding the volume of ESI that has to be handled and the time required to review those records. Lawyers who don’t properly consolidate duplicates are inflating the time and cost required to review their productions.” Such behavior would violate TDRPC 4.01: “[A] lawyer shall not knowingly: (a) make a false statement of material fact or law to a third person[.]” It might also run contrary to Comment 6 to TDRPC 1.04, noted in the first paragraph above: “[A] lawyer should not abuse a fee arrangement based primarily on hourly charges by using wasteful procedures.”