Winning E-Discovery with Superior Records
Burst.com's e-mail records bolstered the company in its intellectual property lawsuit against Microsoft. The background: Burst had signed a written, mutual non-disclosure agreement with Microsoft, in which Microsoft agreed not to use secrets revealed by Burst without Burst's permission. Then Burst confidentially revealed trade secrets about Burst's streaming media technology in the hopes that Microsoft would want to license it. Microsoft elected not to license it, but it did develop streaming media technology, claiming its engineers did so without using any of Burst's secrets. Burst was suspicious. Burst eventually claimed Microsoft chose to use these trade secrets without Burst’s consent, and without compensation to Burst.
So Burst sued, claiming misappropriation of trade secrets and breach of the non-disclosure agreement. During the discovery stage of the litigation, Microsoft was required to reveal all of its e-mail records on the topic, and Microsoft did turn over a large number of e-mails regarding its communications with Burst and its streaming media technology in general.
But in court Burst argued Microsoft did not dutifully comply with the discovery requirements. Burst argued that Microsoft had illegally withheld some e-records or lost them. To support its argument, Burst brandished numerous e-mail records of its own showing particular exchanges between Burst and Microsoft, where Microsoft had produced no matching records on its end.
The Law of Spoliation and Obstruction of Justice
In enterprise records administration one philosophy says employees should be expected to examine each of their e-mail, instant and text communications and make records retention decisions. Under this philosophy, the decisions are 1. do we keep this communication or allow our computer system to destroy it quickly, and 2. if we do keep this communication, which retention category do we keep it in, A, B or C? I'll call this the make-a-decision philosophy.
As a general rule, I am skeptical of the make-a-decision philosophy. The reason is that – in our digital world – few employees have the time, skills or disposition to make good decisions. The number of digital messages touching employees grows and grows and grows. It will continue to grow rapidly.
Court cases show the legal system penalizing organizations for deleting records too early under the make-a-decision philosophy.
Arthur Andersen's written records policy directed its staff to make lots of records decisions (keep this record, destroy that record). But Andersen's accountants were preoccupied with their regular duties, so they procrastinated about making decisions with respect to records related to their client named Enron. In other words, the computer age had overwhelmed Andersen's staff with too many e-mails, faxes and paper documents. Therefore, they amassed a backlog of records . . . records for which decisions were required under the written policy. Then, when Enron approached disaster, AA's staff debated about what to do with this backlog. They debated about how to interpret their record retention policy in this unanticipated state of affairs, and then (with the involvement of an experienced in-house lawyer) they made decisions that later appeared to be sinister. . . .
Tiered Storage for Medical Records and Electronic Messages
How long should an organization retain e-data? What is a wise policy for purging e-records? East Carolina University reports how it addressed these questions for electronic mail, patient records and security videos.
The enterprise retains those three classes of data in a dedicated archival system (more than just normal production records and backup).
East Carolina retains e-mail of executive school administrators for seven years, then deletes it. In my experience, seven years is the traditionally recognized time for responsible retention of important financial records.
The state university chooses to keep e-mail of faculty and staff for three years.
It saves digital security videos . . .
Privileged Electronic Records
E-discovery risk: the party turning over documents may mistakenly hand its adversary some documents that should be protected by attorney-client privilege (that is, confidentiality because they are communications between an attorney and a client). E-discovery often involves so many records that privileged ones might be divulged inadvertently.
In answer to this risk, Congress is adopting new Federal Rule of Evidence 502. Basically the new Rule says that if a litigant mistakenly divulges a privileged record, she can still prevent her adversary from using it – provided she had taken reasonable steps at the beginning to prevent the release. Another way to say it: before delivering e-discovery documents, a party should execute a reasonable search through them to screen out any that contain protected attorney-client material.
That kind of screening can be hard to do. In Victor Stanley, Inc. v. Creative Pipe, Inc., 250 F.R.D. 251 (D. Md. 2008), the defendant did search to filter for attorney-client material before disclosing voluminous e-discovery documents to the plaintiff. However, the filter was imperfect, and the plaintiff came to possess 165 privileged records.
The defendant contended those 165 documents should remain protected (i.e., the plaintiff should return them and be barred from using them), but the court disagreed. The court said for those 165 items the defendant had "waived" the privilege. As a rationale for its decision, the court . . .
Identity Theft Damages
Connecticut's Attorney General has a new way to impose legal liability on a company that loses sensitive customer data.
Only a small number of court decisions hold data holders liable for damages suffered by data subjects after a security compromise. One instance of such a decision is Bell v. Michigan Council 25 AFSCME [Michigan Ct. of Appeals, unpublished op. 2/15/05]. It upheld a quarter-million-dollar judgment against a small labor union after a thief stole members' identity data from the union. Members proved in court that the criminal committed identity theft against them.
That result required the union members to prosecute a lawsuit and prove their case.
Sometimes state legislatures enact a law that specifically requires a data holder to pay the costs of others in the wake of a data leak. A good example of such special legislation is Minnesota's HF 1758 (Plastic Card Security Act), which sometimes requires credit card retailers to reimburse the costs of card issuers when they cancel cards after a data leak at the retailer.
Now, following an incident at Countrywide Financial Corp (part of Bank of America), the Connecticut state attorney general seeks liability without the support of a judicial decision or special legislation.
Are Employees Competent to Implement E-mail "Legal Hold"?
Under its record retention policy, a government entity might delete its e-mail relatively quickly. It might further direct individual employees to keep important e-records on an as-needed basis. Then, when litigation arises, the entity's policy would be to tell employees to retain e-mails that pertain to the topic of the litigation.
But courts are frowning on this approach, in good part because employees are prone to lose records they have been told to keep. The approach can trigger punishment in court, or a mandate that the entity execute the arduous task of sifting through network backup tapes.
A case in point involves Washington Metro Transit Authority.
Advocates for disabled passengers sued Metro, alleging its para-transit services were inadequate. When the lawsuit started, Metro initiated a "litigation hold". It told employees such as facilities managers to keep relevant e-mails. (This meant employees would store chosen e-mails in PST files.)
Metro did not have a central facility for long-term archival of e-mail. Its central e-mail storage retained records for only two months and then destroyed them.
Private Data (or Personally Identifiable Information) Defined
The key to avoiding liability for data leakage is due diligence. As a broad generalization, the law of data security rewards those who are diligent, who exercise due care to prevent a compromise of privacy. Hence, if a data holder is diligent, but still suffers a mishap, it is less likely to be held legally liable.
For example, Guin v. Brazos Higher Education held a loan processor was not liable for a compromise of data security, in part because the processor had taken reasonable steps to protect the data.
Reasonable steps, or due diligence, can include application of the latest technology, such as filters that inspect outgoing data transmissions and block those that appear suspicious. An e-mail filter would have been helpful to the Palm Beach County health department when (in 2005) an employee inadvertently broadcast a list of HIV/AIDS patients to 800 county employees.
When employing such filters, however, an issue is to know what to filter.