The District of Columbia Bar Rules of Professional Conduct Review Committee (“Committee”) recently released recommended changes to D.C. Bar rules 1.1, 1.6, and 4.4 to address the increased focus and evolving landscape of E-Discovery and technology in law. All D.C. practitioners should take notice of these potential rule changes, and ensure they stay current—or engage those with appropriate expertise—on these quickly changing areas of practice.

The proposed changes are as follows:
Continue Reading

Please join us for a seminar on December 5 in Washington, D.C. or December 6 in New York City on “Law Firm Data Security”. Our very own Partner Evan Wolff will be presenting alongside RSA’s Doug Howard and Niloofar Howe. Our panelists will cover all sorts of critical issues such as:

  • How to defend high-demand

Kansas Judge Rules that Class Action over CareCentrix Data Breach may Proceed

On December 19, 2016, in Hapka v. Carecentrix, the United States District Court for the District of Kansas denied CareCentrix, Inc.’s (CareCentrix) motion to dismiss a class action suit arising from a data breach affecting CareCentrix’s personal and tax information regarding thousands of employees.  The Court found that plaintiff Sarah Hapka, individually and on behalf of all others similarly situated, met the Article III standing requirements and sufficiently alleged a claim upon which relief could be granted.

Hapka claimed that in February 2016, an unauthorized person posed as one of CareCentrix’s employees and emailed a request for current and former employees’ Internal Revenue Service (IRS) Wage and Tax Statements (W-2 Forms). One of CareCentrix’s employees complied with the request, providing the W-2 Forms which included employees’ names, addresses, birth dates, wages, and Social Security Numbers.  Hapka alleged that shortly after this data breach, she received a letter from the IRS indicating that someone filed a fraudulent tax return in her name.  She later brought the underlying putative class action claiming that CareCentrix negligently permitted the data breach and that she and the class of plaintiffs will suffer imminent and certain impending injury of fraud and identity theft.

CareCentrix conceded that Hapka suffered some form of actual, concrete injury due to the filing of a false tax return. However, it argued that the other allegations of injury—the impending costs of countering the current tax fraud and heightened risk for future identify theft—are too speculative to meet the Article III standing bar set by the Supreme Court’s decision in Spokeo, Inc. v. Robins, which required plaintiffs to show an invasion of a legally protected interest and allege a concrete injury.  The Court rejected CareCentrix’s attempt to look at the plaintiff’s alleged injuries in a vacuum, stating that “[t]he fact that her stolen information has been used once has a direct impact on the plausibility of future harm.” Although the Court acknowledged that federal courts have disagreed about whether an alleged increased risk of identity theft is a sufficient injury to meet standing requirements, it followed the line of cases finding standing because the plaintiffs suffered from identity theft after a data breach.  Ultimately, the Court held that the plaintiffs met standing requirements.

The Court further rejected CareCentrix’s claim that Hapka failed to adequately plead the negligence claim because it did not have a statutory duty of care regarding employee information, and that plaintiff failed to allege any common-law duty. The Court found that identification of a statutory duty was unnecessary, and that the allegations that the harm was foreseeable established a common-law duty to exercise reasonable care.

This case further highlights how the Supreme Court’s decision in Spokeo earlier this year has produced varied results in breach litigation.  The Kansas Court acknowledged the split among federal courts on standing requirements, but effectively avoided ruling on the issue since Hapka actually suffered injury due to the filing of a false tax return.  If the plaintiffs did not have this example demonstrating that a concrete injury had in fact occurred, it is questionable whether the Kansas Court would have decided to deny CareCentrix’s dismissal motion on standing grounds.


Continue Reading

In conjunction with the 2015 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “Digital Privacy and E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting edge issues raised by digital privacy

In an open letter to President Obama, 143 of the nation’s most well-known businesses, trade associations, academics, and organizations urged the President to promote strong encryption technologies. The letter was prompted by recent law enforcement (including the FBI and NSA) advocacy for built-in government access to encrypted data despite a December 2013 recommendation by the President’s Review Group on Intelligence and Communications Technologies to support encryption without such vulnerabilities.

As the letter states, strong encryption helps protect individuals and organizations from street criminals pilfering information from stolen devices; computer criminals from defrauding individuals to steal their identities; corporate spies from stealing trade secrets; repressive governments from stifling dissent; and foreign intelligence agencies from stealing national security secrets. The letter argues that any attempt to provide law enforcement with an encryption key leaves individuals and companies vulnerable to such bad actors.


Continue Reading

In an obscure case that could have broad implications, a judge in the Eastern District of Virginia sentenced the Danish CEO of two overseas technology companies to time served and a fine of $500,000 for the advertisement and sale of a mobile application capable of surreptitiously monitoring communications and other information on a mobile device. A Department of Justice press release touted the result as “the first-ever criminal conviction concerning the advertisement and sale of a mobile device spyware app.” Nevertheless, the sentence of ten days of time served represents a significant downward departure from the recommended 4-10 month prison term contemplated by the defendant’s plea agreement.

According to a statement of facts filed with the plea agreement, the defendant, Hassam Akbar, advertised and sold “StealthGenie,” a now-defunct mobile app that could be used for real-time monitoring of a mobile device owner’s calls, texts, emails, photographs, calendar appointments, contacts, and other information. The app apparently could also remotely activate the phone’s microphone and record nearby sound. Once installed and activated, the app was undetectable to the average user because it ran in the background whenever the smartphone was powered on with no indication that the app was running. According to the DOJ, “[a]pps like StealthGenie are expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim’s personal life – all without the victim’s knowledge”; indeed, according to the DOJ “SteathGenie ha[d] little use beyond invading a victim’s privacy.” For this reason, as Wired reported, the Akbar indictment was hailed as a step in the right direction by at least one group working to fight domestic violence, which was hopeful the conviction signaled an intent to crack down not only on the users but also on the developers and distributors of tools used to perpetrate domestic violence and stalking.
Continue Reading

Social media has become an ubiquitous means of communication in today’s society, with more than 90% of today’s online adults using social media regularly.  With this backdrop, it is no surprise that social media implicates an evolving legal landscape.  In the  “Data Law Trends & Developments: E-Discovery, Privacy, Cybersecurity & Information Governance”, on

In conjunction with the 2014 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting edge issues raised by e-discovery in this context, including

We are pleased to announce the publication of a report titled “Data Law Trends & Developments: E-Discovery, Privacy, Cyber-Security & Information Governance.” The report explores recent trends and anticipated future developments on critical issues related to the intersection of technology and the law, which affect a wide range of companies and industries. In addition, the report highlights key cases and issues to watch in 11 areas of data law, including: information governance, cybersecurity, social media, technology-assisted review, criminal law, regulatory, cooperation, privacy, cross border transfers, bring your own device (BYOD), and privilege.
Continue Reading

The State Bar of California may soon deem an otherwise highly skilled attorney to be “incompetent” in the practice of law if he or she does not know the basic steps to take with respect to electronic discovery and does nothing to fill that gap in knowledge. On February 28, 2014, California’s State Bar Standing Committee on Professional Responsibility and Conduct tentatively approved a Proposed Formal Interim Opinion for a 90-day public comment distribution, which analyzes a hypothetical fact pattern of an attorney who makes egregious mistakes in e-discovery.
Continue Reading