Data Law Insights

Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Technology Assisted Review Finally Enters the Spotlight

Posted in Information Management, Technology Assisted Review
Jeane A. ThomasElizabeth A. Figueira

After early concerns about the defending the results of the technology and whether courts would accept its use, Technology Assisted Review (“TAR”) has now entered the spotlight as an alternative to more traditional forms of document review. These technologies, commonly referred to as predictive coding, continue to win over both clients and counsel, who have achieved significant efficiencies, cost savings and improved results over more traditional review options, including keyword searching and manual review. The strength of TAR processes is that they harness the judgments of the most knowledgeable human reviewers – the subject matter and case team experts – by having those experts train the software by coding relatively small sample sets of documents. The platform applies these judgment calls to the full data set, which often includes millions of documents, in an iterative process of multiple training rounds. Then the experts and the project managers review the results of the coding process and engage in thorough quality control efforts to ensure that the results are appropriate. When executed by experienced attorneys and review managers, the TAR process yields a high level of accuracy and consistency with only a fraction of the documents requiring manual review. In our “Data Law Trends & Developments: E-Discovery, Privacy, Cybersecurity & Information Governance” publication, we examine these topics and address some of the common components of TAR workflows, including the selection of “seed set” documents, the management of training rounds and how to effectively incorporate non-TAR quality control metrics. We also discuss how comparisons between manual review – once considered the “gold” standard – and TAR have shown quantitatively that TAR is at least, if not more, effective and often far more cost-efficient.

Bloomberg BNA’s Digital Data and e-Evidence publication also features our discussion: Technology Assisted Review Goes Mainstream.



Federal Judge Orders Microsoft to give US Prosecutors customer emails stored on an overseas server

Posted in Cloud Computing, Criminal Law, Government Agencies, Privacy, Transnational Discovery
Margaret Nielsen

A federal judge in the Southern District of New York upheld a magistrate judge’s decision that requires Microsoft to turn over to federal prosecutor customer email content stored in an overseas Microsoft data center. Ruling from the bench, Chief Judge Loretta Preska concluded that Microsoft must comply with a U.S. search warrant for customer emails, even though the data was stored on a server overseas. As companies increasingly globalized and as the use of cloud-computing increases, the ruling in this case could have potentially huge consequences for U.S.-based companies storing data overseas.

C&M has previously analyzed Magistrate Judge Francis’ decision here. In short, In The Matter Of A Warrant To Search A Certain Email Account Controlled And Maintained By Microsoft Corporation, the court granted a search warrant under the 1986 Stored Communications Act (SCA) and ordered Microsoft to turn over email content of a customer. Microsoft moved to vacate the search warrant because the content was stored on a Microsoft data server in Ireland, and Judge Francis denied Microsoft’s motion. Microsoft appealed, but Judge Preska rejected Microsoft’s argument, and upheld Judge Francis’ decision.

While Judge Preska agreed to stay her decision pending Microsoft’s appeal, if the magistrate judge’s decision continues to be upheld, it could give the U.S. government expansive powers to obtain data outside the U.S. Not only would such a power raise serious privacy concerns over the access to user data, but it may conflict with the data-protection laws of foreign countries as well. Finally, as discussed here and here, this case demonstrates the need for Congressional reform of the 1986 Electronic Communications Privacy Act and Stored Communications Act, to address the growth and globalization of modern technology.


Brown v. Tellermate Holdings: Lessons in Preserving and Producing Cloud-Based Data and Effective Communication Between Counsel and Clients

Posted in Cloud Computing, Preservation, Rules, Sanctions, Spoliation
David D. CrossMargaret Nielsen

The recent decision in Brown v. Tellermate Holdings, out of the Southern District of Ohio, provides yet another valuable illustration of the critical need for litigation counsel to take reasonable steps to educate themselves about potentially relevant ESI in the possession, custody, or control of their clients and to take appropriate measures to preserve and produce that information. The case highlights, in particular, the pitfalls associated with cloud-based ESI (specifically, a common sales app called as well as the severe sanctions that can befall those who make significant missteps, as the defendant and its counsel learned in Brown.

United States Magistrate Judge Terence Kemp observed early in his decision: “Discovery did not go smoothly.” The court’s recitation of the procedural history and discovery issues in the case soon reveal this to be a significant understatement. Judge Kemp ultimately sanctioned the defendant and its counsel for failing to preserve and timely produce ESI relevant to the plaintiffs’ age discrimination suit. In addition to awarding attorney’s fees and costs incurred by the plaintiffs in filing and prosecuting various motions, the court prohibited the defendant from introducing or relying on any evidence that it terminated the plaintiffs’ employment for performance-related reasons rather than age. Judge Kemp reasoned that the defendant’s discovery failings prevented the plaintiffs from obtaining discovery relevant to that critical issue. Continue Reading

Privacy Takes Center Stage for Private and Public Sectors Alike

Posted in Cloud Computing, Cybersecurity / Data Security, Data Breach, Privacy, Rules
Jeffrey L. PostonRobin B. CampbellElliot Golding

Over the past year, privacy concerns have played an increasingly critical role in influencing how government and the private sector think about information collection, use, and disclosure. With the rapid pace of technological advancements – and the complex issues that accompany developments such as the Internet of Things, cloud technology, and “big data” analytics – privacy concerns will only become more important moving forward. As we discuss in the “Data Law Trends & Developments: E-Discovery, Privacy, Cybersecurity & Information Governance”, at page 22, regulators have responded with a patchwork of privacy principles, new laws, and aggressive enforcement, and class actions relating to issues such as the Telephone Consumer Protection Act (TCPA) have proliferated. For example, in response to the large data breaches that dominated the headlines, several states adopted or strengthened their data privacy laws. Federal regulators stepped up privacy enforcement in the health care space, coinciding with beefed up requirements under the Health Insurance Portability and Accountability Act (HIPAA). EU regulators also have floated several data protection reforms that will be finalized over the next year and the FTC has brought several cases challenging data security deficiencies under its FTC Act “unfairness” authority. These trends will continue to create an increasingly complex and uncertain regulatory environment and accompanying litigation risks over the coming year.

Riley: A New Realm of Digital Privacy

Posted in Cloud Computing, Criminal Law, Government Agencies, Privacy
Justin P. MurphyLouisa Marion

Recently, Louisa Marion and I analyzed the Supreme Court’s far-reaching decision in Riley v. California, 573 U.S. __ (2014), and its implications going forward. In Riley, Chief Justice Roberts concluded that today’s cell phones (which the Court called “minicomputers”) are fundamentally different than physical containers: their storage capacity is virtually unlimited; they contain a broad variety of information (photographs, texts, personal contacts, financial information, geolocation information, and search history, among others); they have long memories (often containing information predating the devices themselves); and they are gateway devices (that is, a portal to limitless other information, often through apps connected to the Cloud). The Court also found that traditional government interests in officer safety and preventing evidence destruction have little force when juxtaposed with the nature and scope of digital devices. These determinations are a sea-change for digital privacy, and implicate the treatment of electronically stored information in situations far beyond a cell phone in an arrestee’s hand. The decision, grounded in our Founding generation’s 18th century abhorrence of general warrants, is a reaffirmation of individual privacy rights against government intrusion, and leaves very little wiggle-room for warrantless searches of modern cell phones. In holding that “minicomputers” are subject to a different set of rules than physical containers, the Court has brought the Fourth Amendment into the digital age.

This article was reproduced with permission from Digital Discovery & e-Evidence, 14 DDEE 345, 07/17/2014. Copyright © 2014 by The Bureau of National Affairs, Inc.

DOJ and FTC Pave the Way for Greater Cyber Information Sharing in the Private Sector

Posted in Cybersecurity / Data Security, Government Agencies
David LaingEvan D. WolffKate M. Growley

In coordination with Crowell & Moring Antitrust partner David Laing — Evan Wolff, Liz Blumenfeld, and I have recently published an article in the BNA Antitrust & Trade Regulation Report entitled “DOJ and FTC Help Pave the Way For Greater Cyber Information Sharing in the Private Sector.” Our article focuses on the DOJ and FTC’s joint statement in April of this year, wherein the agencies articulated how private sector companies can share cybersecurity information without running afoul of U.S. antitrust laws. We also explain how this latest development fits into both the Obama Administration’s and private industry’s plans to shore up cybersecurity in the private sector.

This article was reproduced with permission from Antitrust & Trade Regulation Report, 107 ATRR 47, 07/11/2014. Copyright © 2014 by The Bureau of National Affairs, Inc.


BYOD Devices Create Many Challenges for Companies

Posted in Accessibility, Cloud Computing, Cybersecurity / Data Security, Data Breach, Information Management, Preservation, Social Media, Spoliation
Christopher Calsyn

In just the last few years, most companies – big and small – have embraced the Bring Your Own Device (BYOD) movement at varying levels from allowing employees to access company email on their personal smartphones all the way to not issuing company-owned computers and instead having employees bring in their personal laptops to access the company network. This trend shows no signs of slowing down as employees like the freedom to choose their own devices for work and personal use, and companies like the savings that BYOD policies bring to their IT budgets. This movement also brings with it a host of challenges for companies in implementing their BYOD policies, ensuring they protect confidential information, and in complying with their discovery obligations in litigation. In the “Data Law Trends & Developments: E-Discovery, Privacy, Cybersecurity & Information Governance”, at page 31, I address some of the challenges companies face in adopting a BYOD environment and make some predictions about how this trend will continue to evolve in the coming years.

Protecting Privilege Need Not Be So Expensive And Tedious

Posted in Privilege/Rule 502
David D. Cross

Protecting privilege continues to drive up costs in litigation and government investigations. The explosion in electronically-stored information has made matters worse by generating exponentially more documents to review and log as privileged. Unfortunately, the relief Congress sought to provide more than five years ago through the adoption of Federal Rule of Evidence 502 has not been realized to the degree intended. This is largely because many litigants and their counsel surprisingly still are not aware of the rule’s protections and many others are not yet comfortable taking advantage of those protections. But as clients continue to look for ways to trim litigation spending, privilege-related costs present low-hanging fruit. In the “Data Law Trends & Developments: E-Discovery, Privacy, Cybersecurity & Information Governance”, at page 34, I address some of the ways litigants can significantly cut these costs without unreasonably risking waiver. This includes such mechanisms as non-waiver orders (under Rule 502(d) in federal court), which can allow production of documents with limited or even no privilege review at all; technology-assisted review, which can identify potentially privileged documents in an intended production without full-scale manual review; and electronically-generated privilege logs using metadata, which avoids the tedious and extremely costly effort of manually-prepared logs. I predict that these and other novel mechanisms will grow in popularity and acceptance as litigants and the courts continue to look for ways to rein in rising costs. I hope you enjoy the report and welcome your feedback.

Cyber Storms on Horizon: More Hackers, Regulators, and Litigation

Posted in Cloud Computing, Cybersecurity / Data Security, Data Breach, Government Agencies, Public Sectors, Rules
David BodenheimerEvan D. Wolff

Cybersecurity’s escalating threats, intensifying oversight, and expanding publicity in recent years exploded in 2013. It was a year bookended by President Obama’s cybersecurity warnings in his State of the Union message and the mega-breaches at Target and Neiman-Marcus. And it gave us a cyber panorama – the Cybersecurity Executive Order; industry security reports of massive cyber looting of U.S. intellectual property and technology; the Iranian cyber attacks on U.S. banks; the Snowden breach of national security secrets; the proliferation of cybersecurity standards governing everything from private- and public-sector contracts to cloud computing; and the intensified scrutiny of federal agencies (including the SEC, FTC, and HHS) on security vulnerabilities and breaches. In our recent report, “Data Law Trends & Developments: E-Discovery, Privacy, Cybersecurity & Information Governance”, on page 6, we write about recent trends and developments in cybersecurity, and how the kaleidoscope of cyber events foretells even rougher weather for both the public and private sectors.

Evolving Legal Landscape of Social Media

Posted in Admissibility, Cybersecurity / Data Security, Ethics, Government Agencies, Preservation, Privacy, Social Media
Justin P. MurphyDavid D. Cross

Social media has become an ubiquitous means of communication in today’s society, with more than 90% of today’s online adults using social media regularly.  With this backdrop, it is no surprise that social media implicates an evolving legal landscape.  In the  “Data Law Trends & Developments: E-Discovery, Privacy, Cybersecurity & Information Governance”, on page 8, we address some of the important legal trends and developments involving social media, including the employer-employee relationship and discovery.  We hope you enjoy our report and find it insightful.