As the use of collaboration and cloud storage platforms expand, litigants and courts are facing increased challenges in keeping up with e-discovery requirements created with different technologies in mind. One example involves the discovery obligations associated with files referenced in email only by hyperlink. Should a litigant be required to find and produce that referenced document as if it were an attachment? What if that is very hard to do? What if the file has moved or changed in the interim? The Southern District of New York recently addressed these issues and held that – for a host of practical and technical reasons – such hyperlinked documents should not “necessarily” invoke obligations to collect and produce the referenced document.
Please join us for an investigations-focused webinar series where our team of litigators, former prosecutors, and regulatory attorneys will discuss useful strategies for navigating a government probe or ensuring compliance with regulations and corporate policies. Our presenters will provide companies with critical information for navigating commercial risk and enforcement. This webinar series covers broad-reaching investigations in a variety of areas, including:
- Nuts & Bolts of Investigations: Protecting Privilege
- Labor, Employment, and COVID-related Investigations
- Congressional Investigations & National Security
- Antitrust & Competition Investigations
- Government Contracts Investigations: FCA and Beyond
- Digital Assets Investigations
- Anti-corruption & Sanctions Investigations
- Trade Secrets Investigations
- Health Care Investigations: FCA and Beyond
- Cybersecurity Investigations
- Environmental Investigations
- PPP Investigations
The new year has brought one of the most comprehensive court decisions yet reminding attorneys in no uncertain terms of the rules mandating fundamental competency in the treatment of electronically stored information (“ESI”). Falling short may get both lawyers and clients sanctioned.
In January 2021, U.S. District Judge Iain Johnston issued his opinion in DR Distributors, LLC v. 21 Century Smoking, Inc. (N.D. Ill. No. 12 CV 50324) coming down hard on defense counsel for failing to possess the skills and diligence necessary to competently meet their ESI discovery obligations. In a detailed opinion that is well worth reading (if you have an hour or two), the court recounts the many e-discovery “missteps, misdeeds, and misrepresentations” both of client and counsel that culminated in the issuance of harsh evidentiary and cost-shifting sanctions on each.
Continue Reading Off the edge of the E-Discovery map, there be monsters! Federal court issues epic opinion sanctioning counsel for failure to show competence and diligence in meeting ESI discovery obligations.
Crowell & Moring’s E-Discovery and Information Management (EDIM) group is pleased to announce the introduction of “CMD,” an integrated E‐Discovery solution. CMD provides access to cutting-edge analytics, processing and hosting technology, AI-driven workflows combined with our Chambers-rated legal advocacy, consulting, review and professional services to accelerate and improve data analysis.
Please click here to read the full press release.
The Virginia Consumer Data Protection Act (CDPA) has become the next major U.S. state privacy law, after being signed into law by Virginia Governor Ralph Northam on Tuesday, March 2, 2021. The new law amends Title 59.1 of the Code of Virginia with a new chapter 52 (creating Code of Virginia sections 59.1-571 through 59.1-581).
Who is covered?
Per Section 59.1-572, the bill applies to “persons that conduct business in the Commonwealth or that produce products or services that are targeted to residents of the Commonwealth” who “control or process personal data of at least 100,000 consumers” or those who “control or process the data of at least 25,000 consumers” AND “derive at least 50% of their gross revenue from the sale of personal data.”
Please click here to read the full alert.
On 5 February 2021, the U.K. Supreme Court unanimously ruled that the Serious Fraud Office (SFO) does not have the power to compel a foreign company that has no registered office or fixed place of business in the U.K. to produce documents held outside the U.K. under section 2(3) Criminal Justice Act 1987 (CJA). This means that where the parent of a U.K. company is a foreign company which has no presence in the U.K., the SFO will not be able to require it to produce documents held outside the U.K. even if those documents are sought in connection with an investigation relating to its U.K. subsidiary. The decision may act as a brake on the SFO’s powers of investigation at a time when fraud is increasingly cross-border and the alternative routes for gathering evidence are slower and more cumbersome.
Click here to read the full alert.
More than 300,000 companies within the Defense Department’s supply chain will need to meet new Cybersecurity Maturity Model Certification (CMMC) requirements and pass a third-party assessment to ensure they are adequately protecting sensitive information on their networks. Now, Crowell & Moring has become the first AmLaw 100 firm to achieve Registered Provider Organization (RPO) status by the CMMC Accreditation Body (CMMC-AB) to help defense contractors comply with CMMC cybersecurity standards and prepare for their assessments.
The DoD will begin incorporating CMMC requirements into an increasing number of solicitations later this year, creating a unified standard for implementing cybersecurity across the defense industrial base. Previously, defense contractors were responsible for certifying the security of their own information technology systems. Now, the CMMC will require all defense contractors to obtain cybersecurity certifications based on third-party assessments, creating a new verification component to ensure that contractors meet their cybersecurity requirements and adequately protect sensitive information on their networks.
The CMMC is specific to DoD contractors but is expected to become increasingly relevant to all contractors as CMMC adoption likely expands throughout the government. Achieving certification may also provide a commercial advantage for contractors, as meeting CMMC requirements may become a differentiator for companies when they compete in the private sector.
The CMMC-AB has recognized Crowell & Moring as a law firm provider to help defense contractors comply with the CMMC cybersecurity standards and prepare for their assessments. As an RPO, Crowell & Moring is recognized by the CMMC-AB to help contractors understand what requirements they have to meet and to prepare their operations for their mandatory assessment.
The firm’s team includes lawyers, technologists, and CMMC registered practitioners who will help contractors comply with cybersecurity requirements in anticipation of their assessments, remediate challenges, and manage ongoing compliance.
Achieving RPO status is important for Crowell’s team of lawyers and technologists because of CMMC’s critical importance for DoD contractors. Crowell’s team knows how the assessment process will work, and is committed to providing practical and actionable advice so that our clients reach best-in-class cybersecurity, achieve CMMC certification, and win contracts for new business.
Responding parties have significant discretion to design and deploy technology assisted review (“TAR”) workflows in a manner they determine is reasonable and proportional for the case. At least that’s what the Northern District of Illinois suggested in its September 2020 ruling in Livingston v. City of Chicago (N.D. Ill. No. 16 CV 10156).
Livingston is a gender discrimination case challenging the City of Chicago’s Fire Department’s (“City”) application process. The City collected roughly 1.5 million documents in the matter, and based on search terms agreed to following an earlier e-discovery dispute, culled this set to roughly 192,000 emails. The City then informed Plaintiffs it intended to use TAR – and specifically Relativity’s Active Learning technology – to review this culled data set.
Plaintiffs objected to this approach and argued the City should be required to produce all documents that hit on search terms. On this point, the Court rejected Plaintiffs’ argument, finding: “While the City may dump all 1.3 million pages of documents on Plaintiffs with entry of a Rule 502(d) order, it also has the right to perform a review to produce only those documents that are responsive and relevant.” (Emphasis added.) In the alternative, Plaintiffs argued that if the City were allowed to use TAR, TAR should be run across the entire ESI collection, not the universe culled by search terms.
Magistrate Judge Young B. Kim ruled that the City was permitted to use TAR on its culled search universe. In reaching this decision, the Court made several notable findings:
On August 14, 2020, California Attorney General Xavier Becerra released final implementing regulations for the California Consumer Privacy Act (CCPA). The CCPA became enforceable on July 1, 2020, and Becerra’s office submitted a final proposed draft of the regulations to the California Office of Administrative Law (OAL) on June 1, 2020. The Proposed Regulations have gone through several revisions since the publication of the initial draft in October of 2019. The OAL approved the final version along with an updated Addendum to the Final Statement of Reasons. The final implementing regulations take effect immediately. All businesses subject to the CCPA must now comply with both the statute and the regulations.
The final implementing regulations are similar to the draft proposed in June. However, the AG’s office has made several changes it characterizes as “non-substantive” and withdrawn certain proposed provisions “for additional consideration.” The “non-substantive” changes are intended to improve consistency in language (e.g., ensuring “consumer” is used throughout the regulations, or reorganizing definitions in alphabetical order) and are described in detail in the Addendum to the Final Statement of Reasons.
Some of the withdrawn provisions may affect CCPA compliance. These changes are discussed here.
As none of us can forget, the COVID-19 pandemic forced companies to close their brick and mortar offices with little time to adequately prepare their employees for a remote work environment. All of a sudden, in-person meetings were replaced with virtual conferences via Microsoft Teams, Zoom, and Amazon Chime – each leaving a new data trail. Many IT and Legal Departments were similarly unprepared for the impact of an all remote workforce on the creation, collection and preservation of business-related documents. IT departments were overwhelmed by employees defaulting to the use of unauthorized personal devices and cloud-based applications like Dropbox and GoogleDocs to complete assigned tasks, create, share, and store data, without IT vetting or coordination. Personal communications platforms such as IMessage, Facebook Messenger, and WhatsApp with untracked or no standardized retention policies replaced or supplemented enterprise instant message and chat functions, complicating the identification, preservation and collection of data.
A remote work environment has become the new normal for many companies. This abrupt change in the way companies conduct business requires commensurate changes in E-Discovery processes. To help meet this challenge, we discuss three key steps to mitigate potential preservation and spoliation risks occasioned by the shift to remote work environments.
- Collaboration between IT and Legal Departments regarding technology/platform usage policies and protocols for document preservation, retention policies and litigation hold notices.
- Communication with employees regarding approved, and prohibited, locations and platforms to communicate, create, save, and share company-specific information and documentation.
- Compliance monitoring for remote employees regarding retention and preservation of data and legal holds.
Implementing the “Three Cs” will aid companies in avoiding discovery hurdles in the future.
1. Collaboration between IT and Legal Departments
IT and Legal Departments must collaborate to understand and contain insurgent preservation risks from remote working. Companies cannot preserve what is outside of their control and vision. First, they should restructure document retention policies and litigation hold notice language to address the creation and storage of data in a remote environment. These should specifically address where and how documents should be preserved from an employee’s home office. The next step is to identify and provide standards regarding the use of company approved technology for the creation, sharing and storage of data remotely. Without guidance, employees tend to default to the most familiar or accessible technology – which may not meet company requirements. Companies should also review their policies regarding employee use of personal devices and apps that are not centrally managed. For some companies, a BYOD approach is a requirement of doing business, necessitating flexible management consistent with legal obligations. For example, companies may provide employees instructions regarding retention settings or the collection of information for business or legal requirements for non-company systems, as well as training on appropriate use. On the other hand, in certain highly regulated industries, the use of communications streams, collaboration mechanisms or repositories that are not onboarded presents an intolerable risk even in the work-at-home environment. Strong policies and technical controls – e.g., restricting access to company devices or remote desktops – may be appropriate in those situations. Many companies, however, must walk the line between these two extremes. Consultation on the front end with counsel versed in these issues may save significant trouble down the line.
2. Communication with employees regarding the preservation of data
In addition to collaboration between the IT and Legal Departments, companies must routinely train and communicate with their remote employees about the rules, risks and precautions associated with working remotely. Maintaining the confidentiality of business data as well as properly preserving information when required are major concerns. Untrained or unmotivated employees may discard information which should be preserved, or inadvertently risk the security of information by saving it to a personal communication device or other software platform rather than to a secure, company approved location.
Companies may consider virtual training sessions as a standard offering and when particular actions are needed. They can also make available electronic copies of updated usage, preservation and document retention policies for relevant employees, consistent with maintaining privilege and confidentiality. The training and policies should identify approved locations and technology platforms to use to create, store and share business data, along with explicit instructions regarding where documents should not be saved (i.e., personal drives or communication devices) and a mechanism for enforcement to show this is not just a paperwork exercise. It is also important to provide guidance regarding physical records printed at home for a business purpose (hint: minimize printing; keep it in a secure location; and shred anything not required for preservation as soon as the business need expires). Employees must be reminded of their duty to secure and preserve business data when litigation is or should be reasonably anticipated.
3. Compliance with document retention and preservation obligations to avoid spoliation
Monitoring compliance with document retention policies and legal holds is a pivotal requirement in managing a remote workforce. Internal policies and procedures should be updated to inform employees that relevant business data, whether generated at home or in the office, may be discoverable and should be properly preserved when in the scope of a legal hold or discovery request. Companies should conduct routine compliance checks with employees to ensure awareness of data preservation obligations and the expectations of the company.
Companies should consider routinely (every three to six months, for example) reminding employees who are recipients of litigation hold notices of their preservation obligations. Such reminders may also be sent when case developments make it appropriate. In some situations, the change in working environment is so pronounced that a company may find it appropriate to send an updated notice expressly addressing the preservation of material generated remotely, including on personal devices and platforms.
In conclusion, the widespread shift to remote work environments is a changed circumstances that IT and Legal Departments should address in providing defensible policies and procedures to secure and preserve company data. Companies should ensure collaboration between the IT and Legal Departments and communicate regularly with remote employees regarding the preservation of data, and monitor compliance with document preservation and retention policies. Implementing the “Three C’s” will better position companies to get ahead of potential preservation issues and mitigate discovery hurdles going forward.