After much anticipation, the Cyber AB, formerly known as the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, recently released its pre-decisional draft CMMC Assessment Process (CAP).  The CAP describes the overarching procedures and guidance that CMMC Third-Party Assessment Organizations (C3PAOs) will use to assess entities seeking CMMC certification.  The current version of the CAP applies to contractors requiring CMMC Level 2 certification, which will likely be most contractors handling Controlled Unclassified Information (CUI) based on the Department of Defense’s (DoD) provisional scoping guidance for CMMC 2.0.

Aimed at increasing the accuracy and consistency of assessments conducted by C3PAOs, the CAP is segmented into four distinct phases:

Phase 1:  Plan and Prepare the Assessment;
Phase 2:  Conduct the Assessment;
Phase 3:  Report Assessment Results; and
Phase 4:  Close-Out Plan of Action and Milestones (POAMs) and Assessment.

While the assessment process is still in draft form, DoD contractors should familiarize themselves with the proposed structure and conduct of CMMC assessments, as these parameters will be critical to companies attaining CMMC certification at the level requisite for future government contract awards.

The Cyber AB is currently accepting comments on the draft CAP. 

For more information, please contact the professional(s) listed below, or your regular Crowell & Moring contact.

On May 3, 2022, the European Commission published a proposed regulation (the “EHDS Proposal”) for the establishment of a European Health Data Space (or “EHDS”). This is the first proposal for establishing domain-specific common European data spaces following the European strategy for data and an important step in building a European “Health Union”.

In short, the proposed regulation establishes the EHDS, a common space for health data where natural persons can control their electronic health data (primary use) and where researchers, innovators and policy makers have access to these electronic health data in a trusted and secure way that preserves the individual’s personal data (secondary use). Data holders (such as health care providers, including private and public hospitals, and research institutions) may be subject to new, burdensome obligations to make their data available for secondary use through the EHDS.

In this client alert we summarize the main principles the European legislature proposes to facilitate the primary and secondary use of health data in the EHDS and examine the consequences of this proposal for the different actors involved with the EHDS (individuals, health professionals, researchers, policy makers and the health care industry).

The starting point of the EHDS Proposal is the finding that health data are fundamental for advancing scientific research and medical innovation, patient well-being and public health (as the Covid-19 pandemic has demonstrated), and more efficient policy making and regulatory oversight. At the same time, patients need better control over their health data, which are protected as personal data. The EHDS Proposal aims to reconcile the regulation of the primary use of the health data by the individual and health professionals and the secondary use by researchers, innovators and policy makers.

The EHDS Proposal is not an isolated piece of legislation: it sits on top of a patchwork of relevant legislation, such as the General Data Protection Regulation, the NIS Directive and, specifically for the medical sector, the Medical Devices Regulation, the In Vitro Diagnostics Regulation and the Cross-Border Health Care Directive. Moreover, the proposal cannot be read without considering the proposed Data Governance Act, the proposed Data Act and the proposed Artificial Intelligence Act. While the Data Governance Act and Data Act would provide a generic, horizontal framework for the sharing of data, the EHDS Proposal would make these principles more concrete for health data.

Considering this complex legal framework, the EHDS Proposal is intended to offer some guidance on how electronic health data may be used for various purposes, not least because health data are protected under the GDPR as a “special category of data”, subject to additional safeguards for its processing. It does so through substantive rules, through technical regulation (e.g. formats of electronic health records or “EHRs” and interoperability requirements) and through regulatory oversight by dedicated national authorities.

The EHDS Proposal consists of two main components, being the primary and secondary use of electronic health data.

Primary Use of Electronic Health Data

The first purpose of the EHDS Proposal is to strengthen the rights of natural persons in relation to the availability and control of their “electronic health data”, a notion that covers both personal and non-personal electronic health data, i.e. data concerning health and genetic data in electronic format within or outside the scope of the GDPR.

The rights of the data subjects regarding the “primary use” of electronic health data would be clarified in the EHDS Proposal, with “primary use” defined as the processing of such data “for the provision of health services to assess, maintain or restore the state of health of the natural person to whom that data relates, including the prescription, dispensation and provision of medicinal products and medical devices, as well as for relevant social security, administrative or reimbursement services”.

The EHDS Proposal would also provide more detailed guidance on how the data subject rights under the GDPR (e.g. rights to access, to obtain a copy in a standardized format or to rectify the data) may be exercised in relation to electronic health data, as well as on how to restrict such rights (e.g. delay the exercise of the rights to allow the health care professional the time to communicate with the patient). Individuals would be able to easily access and share these data (e.g. with the healthcare professionals of their choice) in and across Member States. They may even require a data holder to transmit their electronic health data to a “data recipient” in the health or social security sector. They would also be able to exercise better control over their data, in the sense that they would have the right to know which health care professionals have access to their data and to restrict their access to all or part of their data.

The health care professionals, on their end, would also have the right under the EHDS Proposal to access the electronic health data of individuals under their treatment (in particular patient summaries, prescriptions, dispensations, medical images and image reports, lab results and discharge reports, i.e. the “priority categories of personal electronic health data”). At the same time, they would be obligated to ensure that the electronic health data are updated in a European Health Record (“EHR”) system, with the information concerning the health services they provided.

Secondary Use

Acknowledging the importance of health data for research, innovation, policy making, regulatory purposes, patient safety or the treatment of other patients, the EHDS Proposal would explicitly implement the possibilities to reuse personal data for secondary purposes authorized under the GDPR.

Under the proposal, the “data holder” (a notion similar to the one in the proposed Data Act) would be under the obligation to make certain categories of electronic data available for secondary use. These categories cover a wide variety of data, including EHRs but also data impacting on health, genomic data, socio-economic data, etc. from various sources (generated using connected devices, administrative data, data from clinical trials, questionnaires, biobanks etc.).

The obligation to make these data available for secondary use would be required, even where the data may be protected under intellectual property rights or trade secrets, and measures must be taken to maintain this protection (although the EHDS Proposal does not indicate who would be responsible for these measures).

Access to these data would be managed by a “health data access body”, which would grant requests for access (in the form of a “data permit”) only for the broad objectives of scientific research, innovation, policy-making and regulatory activities.

In particular, the EHDS Proposal would authorize the processing of data for one of the following limited purposes: (a) public interest activities in public and occupational health (e.g. epidemics or pandemics); (b) supporting various public authorities in the health or care sector; (c) producing statistics; (d) education or teaching in the health or care sectors; (e) scientific research related to health or care sectors; (f) development and innovation in relation to products or services in public health or social security, medicinal products or medical devices; (g) training, testing and evaluating of algorithms (including in medical devices, AI systems and digital health applications) for medical applications (public health or social security, medicinal products or medical devices); or (h) providing personalised healthcare.

Conversely, the EHDS Proposal would explicitly prohibit the use of data for a number of prejudicial secondary uses. It would forbid the use of the data for taking decisions that are detrimental to the natural person based on their electronic health data, for decisions that exclude natural persons from their insurance contracts or modify the terms to their detriment, or for developing harmful products or services. The data may not be used for advertising or marketing activities and the data may not be transferred in any way to a third party which is not mentioned in the data permit.

Interestingly, the “data users” may include any person who has lawful access to electronic health data – although some purposes are reserved for public authorities. This means that members of the pharmaceutical industry may request access to the data, even if they have a commercial purpose, as long as they intend to pursue one of the legitimate purposes, such as scientific research, innovation or the use of data to develop and train selected algorithms.

Whether this “permit-based approach” will be sufficient to facilitate the sharing of health data for secondary use, while at the same time guaranteeing the rights of individuals, remains to be seen: the success will largely depend on the practice and staffing of these national health data access bodies. It is noted that the GDPR follows a risk-based approach, creating more flexibility due to self-assessments and sufficient documentation.

Technical Provisions

The EHDS Proposal not only contains substantive provisions on the use and reuse of health data but also organizes Europe’s technical infrastructure to support the primary and secondary uses of health data.

In order to make electronic health data accessible and transmissible, they should be processed using a common, interoperable format, the “European electronic health record exchange format” for which the Commission will determine the technical specifications. The natural person, the health care provider and the data recipient should be able to use this format to read and access the health data.

In order to guarantee a minimum level of security and interoperability, the EHDS Proposal would impose a self-certification scheme for EHR systems. The proposal also introduces a voluntary label for wellness applications to ensure transparency for users (and procurers) regarding the interoperability and security requirements (so the data generated by these apps can be added to the EHR). This scheme should also reduce cross-border market barriers for manufacturers (which must be established in the EU or have an authorized representative in the EU, prior to making an EHR system available in the EU). In the same vein, importers and distributors have specific obligations (e.g. verification of the conformity of the EHR system). A system of market surveillance of EHR systems is also provided, as Regulation 2019/1020 on market surveillance and compliance of products also applies to EHR systems. These rules apply in addition to compliance obligations resulting from the AI or medical device regulations.

Furthermore, a cross-border infrastructure at the European level would be set up under the name “MyHealth@EU”. It will bring together the “national contact points for digital health” and the “central platform for digital health”, in view of facilitating the exchange of electronic health data for primary use. The EHDS Proposal designates which Member States are joint controllers and the Commission as a processor.

Similarly, a cross-border infrastructure at the European level would be set up for the secondary use of electronic health data, under the name “HealthData@EU”. The Member States must designate a national contact point for secondary use of electronic health data, which will be responsible for facilitating such use by “authorised participants” in a cross-border context.

To optimize the secondary use of the health data, the EHDS Proposal contains some technical requirements to ensure the quality and utility of health data for secondary use: a description of the available data sets, a data quality and utility label, an EU datasets catalogue and minimum specifications for cross-border data sets for secondary use.

Regulatory Supervision

The EHDS Proposal would introduce new regulatory authorities, with distinct responsibilities for the primary and the secondary use of the electronic health data.

Member States will be required to set up a digital health authority responsible for monitoring and guaranteeing the rights of individuals, under this primary use component.

The health data access bodies, to be created by the Member States, will decide whether access for secondary use is permissible and issue a “data permit”. Interestingly, they will also collect the data from various data holders (who must inform the health data access body about the data sets they hold), and prepare and disclose the data to the data user, only for the permitted purposes, while preserving IP rights and trade secrets and allowing data subjects to exercise their rights. They would also have support, documentation, publicity and technical management obligations. They should also facilitate cross-border access to electronic health data for secondary use hosted in other Member States through HealthData@EU. Finally, they would monitor and supervise the compliance of data users and data holders with their respective obligations.

The EHDS Proposal contains detailed provisions on the content of the data permit, the application process and the access to the data (in a secure processing environment).


The EHDS Proposal introduces an ambitious framework for facilitating the access to and (re-)use of health data. Its first purpose is to improve access to health data for data subjects and health care providers, while at the same time strengthening the data subjects’ rights (primary use).

The harmonization of technical requirements and the self-certification scheme for EHRs may reduce the barriers for EHR-developers, importers and distributors and facilitate access to the EU-wide market.

It is, however, the incentives to unlock these sensitive data for secondary purposes that show the Commission’s ambitions.

Importantly, research and innovation in data-intensive applications (including training algorithms for AI-applications, medical devices or medicinal products) are explicitly mentioned as authorized secondary purposes, meaning that data users can apply for a data permit for such intended purposes. As the EHDS Proposal intends to assure a certain data quality and the availability of large quantities of data from different sources, research institutions and industry actors should be able to leverage this new regulation to pursue faster and better innovations than if they only had access to their own data sets.

Health professionals should benefit from the EHDS as well, in particular with the secondary use of “providing personalized healthcare consisting in assessing, maintaining or restoring the state of health of natural persons, based on the health data of other natural persons”.

Finally, data holders (such as healthcare providers, including private or public hospitals, and research institutions) may be subject to new, burdensome obligations to make their data available for secondary use through the health data access bodies. The definition of “data holder” in the EHDS Proposal could use some clarification, as the current description covers any entity or body in the health or care sectors (or researchers in these sectors) that has the right or the legal obligation to make available certain data (in the case of non-personal data, control of the technical design of a product or service suffices). On the other hand, they may also develop additional sources of revenue: data holders are indeed entitled to a fee, which is based on the cost of conducting the access procedure but (except for public sector bodies) may also include compensation for part of the cost of collecting and formatting the data.

We also note that entities that are operating in the US and the EU will likely need to navigate rules regarding health data that may not be harmonized, including US regulations governing health data privacy, interoperability, certification of EHRs, and oversight of medical devices.


The California Office of the Attorney General issued its first opinion interpreting the California Consumer Privacy Act (CCPA) on March 10, 2022, addressing the issue of whether a consumer has a right to know the inferences that a business holds about the consumer. The AG concluded that, unless a statutory exception applies, internally generated inferences that a business holds about the consumer are personal information within the meaning of the CCPA and must be disclosed to the consumer, upon request. The consumer has the right to know about the inferences, regardless of whether the inferences were generated internally by the business or obtained by the business from another source. Further, while the CCPA does not require a business to disclose its trade secrets in response to consumers’ requests for information, the business cannot withhold inferences about the consumer by merely asserting that they constitute a “trade secret.”

Under the CCPA, the definition of “personal information” includes “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” (Civ. Code, § 1798.140, subd. (o)). The CCPA gives consumers the right to know what personal information a business collects about them. As such, a consumer has the right to request and receive the specific pieces of information “collected about” them. (Civ. Code, § 1798.110, subd. (a)). The precise question that the opinion addressed was whether a consumer’s right to receive the specific pieces of personal information that a business has collected about that consumer applies to internally generated inferences.

The opinion explained that an inference is a personal “characteristic deduced about a consumer,” such as “married” or “likely voter.” For purposes of the CCPA, “inferences” means “the derivation of information, data, assumption, or conclusions from facts, evidence, or another source of information or data.” (Civ. Code, § 1798.140, subd. (m)). The opinion held that inferences are deemed “personal information” for the purposes of CCPA when two conditions are met.

First, the inference must be drawn from any information listed in the definition of “personal information.”

California Civil Code section 1798.140(o) lists the following as personal information:

  • personal identifiers (such as names, addresses, account numbers, or identification numbers);
  • customer records;
  • characteristics of protected classifications (such as age, gender, race, or religion);
  • commercial information (such as property records or purchase history);
  • biometric information;
  • online activity information;
  • geolocation data;
  • “audio, electronic, visual, thermal, olfactory, or similar information”;
  • professional or employment information;
  • education information.

Second, the inference must be used to create a profile about the consumer (where a business is using inferences to predict, target or affect consumer behavior).

In its reasoning, the opinion rejected the argument that the wording of the statute “about the consumer” is limited just to personal information collected from the consumer. Inferences can be gathered directly from the consumer, found in public repositories, created internally using proprietary technology, bought, or collected from another source. The AG opinion made clear that, irrespective of their origin, inferences constitute a part of the consumer’s unique identity and become part of the information that the business has “collected about” the consumer. As such, a request from the consumer to know and receive information collected about them must disclose inferences, regardless of how such inferences were obtained or generated by the business. The AG opinion clarified that, if the inference was based on public information, such as government identification numbers, vital records, or tax rolls, the inference must be disclosed to the consumer, even if the public information itself that formed the basis of the inference need not be disclosed.

The opinion offered an example of inferences that may not need to be disclosed, namely inferences that are used solely for internal purposes and that are not used to predict a consumer’s propensity or to create a profile. A business may combine information obtained from a consumer with online postal information to obtain a nine-digit zip code to facilitate a delivery. Such zip code would not need to be disclosed to the consumer because it will not be used to identify or predict the consumer’s characteristics.

A business bears the burden of demonstrating that inferences are trade secrets under applicable law.

The opinion recognized that a consumer’s right to know about the inferences is not absolute and a business may rely on a number of exceptions to the CCPA. For example, the CCPA excludes information that is freely available from government sources, and there are specific exceptions for certain categories of information, such as medical records, credit reporting, banking, and vehicle safety records. Further, a business’s obligation to respond to a request for personal information may be relieved by several carve-out provisions of Section 1798.145:

  1. The obligations imposed on businesses by this title shall not restrict a business’ ability to:
    • Comply with federal, state, or local laws.
    • Comply with a civil, criminal, or regulatory inquiry . . .
    • Cooperate with law enforcement agencies . . .
    • Exercise or defend legal claims.
    • Collect, use, retain, sell, or disclose information that is deidentified . . .
    • Collect or sell a consumer’s personal information if every aspect of that conduct takes place solely outside California. . . .

(Civ. Code, § 1798.145, subd. (a)(1)).

Importantly, the opinion clarified that businesses are not required to disclose their trade secrets in response to consumers’ request for information. The opinion recognized that while an algorithm that a company uses to derive its inferences might be a protected trade secret, CCPA only requires a business to disclose an output of its algorithm, not the algorithm itself. The AG further clarified that while CCPA does not require a business to disclose trade secrets, a business does bear the burden of demonstrating that such inferences are trade secrets under applicable law, if such business would like to withhold consumers’ inferences on the ground that they are protected trade secrets. The opinion also recognized that whether a particular inference can be protected as a “trade secret” is fact-specific.

Ramifications of the opinion.

The opinion made clear that the California AG sees inferences as another piece of personal information in the bundle of consumer information that may be the subject of commercial exploitation and thus subject to disclosure. While opinions on interpretations of a statute by the Office of the Attorney General are not controlling or binding on a court, they have generally been found to be persuasive authority. The opinion also made clear that the California Privacy Rights Act, which becomes effective on January 1, 2023, will not change the AG’s opinion on this issue.

This opinion has an impact on the privacy practices of advertisers, data brokers, and other businesses that use behavioral analytics tools or artificial intelligence to derive personal characteristics, make profiles about consumers, and target consumers based on such particular characteristics. Such businesses need to go through the two-part test described above to determine whether inferences drawn in the context of their business are pieces of personal information and thus subject to the consumer right to know provisions of the CCPA. If the answer is yes, then these inferences must be disclosed upon request.

If a business would like to withhold an inference on the basis that the inference is a trade secret, then the business would also need to analyze whether it can protect such inference as a trade secret. The business would need to show that the inference itself derives “independent economic value” from not being generally known to the public or others who can obtain economic value from its use or disclosure. The business would also need to demonstrate that it has used reasonable efforts to maintain the secrecy of the inference and must identify the inference with “reasonable particularity.” If a business denies a consumer’s request to know “in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA,” the business would need to explain the basis of its denial, as broad assertions of “trade secret” or “proprietary information” would not suffice. (Cal. Code Regs., tit. 11, § 999.313(c)(4)).

When the pandemic hit in 2020 and water cooler chatter became less common, chat platforms and text messages (IM) filled the gap. Collaboration tools like Zoom, Microsoft Teams, Slack, Bloomberg Chat and IM are now ubiquitous, with more than 67% of white-collar employees still “working from home to some degree.”[1] Indeed, a survey of IT managers reported that 91% of all companies now use at least two messaging apps.[2]

As more companies integrate these channels into their typical business practices, more and more legal matters will involve the review of chat message conversations. It is imperative that companies have processes and systems in place to control, retain, monitor, and review such business communications.

There are numerous challenges for businesses in reviewing chat data, including identifying and accessing chat platforms, handling ephemeral data, identifying participants (with various aliases or usernames), decoding the cryptic nature of some messages, coordinating the attachments and responses to those messages, and making sense of notices when parties enter or leave the conversation. People also often speak differently in a chat setting (more tersely, and using shorthand, emojis, slang, abbreviations, and images) than in other communication forms. Thus, external context may be even more essential to understand the nuances of the matter being discussed.


When you first hear about “auto-deleting” or “ephemeral” messaging, you may think of nefarious techniques to hide evidence of wrongdoing. In fact, ephemeral messages – which are typically end-to-end encrypted and set for deletion shortly after they are sent and/or read – in various forms are routinely used for business and other relevant communications. That means that they must be considered for preservation and potential disclosure, raising all sorts of legal, technical, and optical considerations. This came up recently in Federal Trade Commission v. Noland, No. CV-20-00047-PHX-DWL, 2021 WL 3857413 (D. Ariz. Aug. 30, 2021), where the court considered the use of ephemeral messages in the context of an investigation by the Federal Trade Commission (FTC) of the company Success By Health (SBH) and its officers for a potential pyramid scheme. The day after learning of the inquiry, the officers switched from their existing communication means (WhatsApp and iOS messages) to other encrypted mobile messaging apps including Signal, which they set to “auto-delete” all messages on reading. Company leaders exchanged thousands of such messages over many months, despite the FTC’s instruction to preserve documents and suspend ordinary-course document destruction. Further, defendants colluded to remove all traces of the apps and messages from their phones right before turning them over for inspection. The truth came out when the FTC received anonymous information alerting it to the undisclosed use of the apps. On the FTC’s motion against defendants for sanctions, District Court Judge Lanza found defendants had intentionally deprived the FTC of relevant documents, and sanctioned them under Fed. R. Civ. P. 37(e)(2) with an adverse inference that the spoliated evidence was unfavorable to the individual defendants.

Examples of Ephemeral Platforms


Illinois’ Biometric Information Privacy Act (“BIPA”) regulates companies that obtain, use, store, sell, and disclose the biometric data of Illinois residents.  Companies that fall under BIPA must provide notice to and receive consent from Illinois residents before obtaining their biometric data, and must take reasonable care that the biometric data remains secure.  In addition, BIPA includes a private right of action, and if a regulated company fails to comply with its provisions, statutory damages can be as high as $5,000 for each violation.  BIPA litigation is active in Illinois State Court and in Federal Courts across the United States.

A sticking point for litigants has been the statute of limitations for a party to bring a BIPA claim.  BIPA does not include its own statute of limitations.  Generally speaking, plaintiffs have argued that a longer limitations period applies, such as the five-year limitations period under section 13-205 of Illinois’ Code of Civil Procedure.  And generally speaking, defendants have argued that a shorter limitations period applies, like the one-year period under section 13-201 of the Code of Civil Procedure.


The 11th Circuit upheld a decision to unseal “embarrassing internal communications” between members of the United Network for Organ Sharing (“UNOS”) relating to its new policy directing liver transplants to go to the sickest patients within a certain radius of the donor.

The Court opened its opinion with a powerful question: “Organ donation saves lives—but whose?” Decades ago, Congress enacted the National Organ Transplant Act which authorized UNOS to create policies to facilitate the equitable distribution of organs among potential recipients. UNOS recently approved the Acuity Circles Policy, claiming its intent is to provide more liver transplants to patients in the greatest need, even if they are farther away from donors. Several hospitals and transplant centers that oppose the policy (and filed this lawsuit to prevent its implementation) argue that it will make it more difficult for those outside of urban areas – and in particular those in socioeconomically disadvantaged areas – to access organs.

During discovery, the hospitals argued that certain of UNOS’s emails exposed “bad faith and improper behavior” in its policymaking process and should be unsealed and considered as proof that the policy change was arbitrary, capricious, and the result of a denial of due process. The Georgia District Court agreed, and UNOS appealed.

In determining whether to keep certain records sealed, Courts must evaluate whether good cause exists to prevent access, balancing “the asserted right of access against the other party’s interest in keeping the information confidential.”  Concerns about trade secrets or other proprietary information are particularly relevant and are not taken lightly; such concerns can overcome the public interest in access to judicial documents.

Here, the 11th Circuit ultimately found that the emails involve policymaking on a topic of genuine public concern, and do not contain proprietary information or trade secrets that require protection. The Court further explained that UNOS offered “no particularly compelling reasons” to keep the documents sealed in the first place. Specifically, while UNOS’s “eagerness to keep the documents secret is understandable” the Court noted that a desire to keep indiscreet communications out of the public eye “is not enough to satisfy our standard for good cause.” Even lack of relevancy is not a sufficient ground to seal documents in the 11th Circuit, absent a specific showing that the materials were offered for an abusive or improper purpose.

This case demonstrates the high burden litigants may face to overcome the presumption of public access to judicial records, particularly where records do not contain obvious trade secrets or proprietary information.

The latest report in the In re Opioid litigations is a sharp reminder not to fall short in your disclosure obligations

When it rains it pours. The ongoing saga of disclosure disputes in the many In re Opioid litigations started a new chapter with the release of a Report (referenced below) by former Justice Maltese, acting as Referee in a New York state court Opioid case.

The Report, which sketches out a series of discovery mishaps and omissions stretching across multiple courts and cases, as well as some apparent sharp dealing by defense counsel, is a strong reminder to be thorough and exercise independent judgment in fulfilling discovery obligations. In mega-litigations such as the In re Opioid matters in particular, even the smallest discovery disputes may be weaponized. Plaintiffs are actively looking for opportunities to attack defendants for discovery irregularities, and often seek extreme sanctions when they do. Outside counsel for defendants are not out of the line of fire. Here, because the defendant resolved the underlying case before the Report was released, Justice Maltese’s hammer largely fell on defense counsel for counsel’s, client’s and discovery vendor’s mistakes leading to the belated production of relevant interview notes, and what the court viewed as related gamesmanship.

The Report (at 18-19) briefly discusses the aggrieving conduct, finding that


Finding that a lower court had underestimated the harm resulting from the government’s seizure and ongoing possession of privileged material, the Fifth Circuit ruled recently that a “taint team” process was insufficient to protect the rights of the party holding the privilege.  The appellate court’s ruling is part of a trend in which courts have expressed skepticism that the use of “taint teams” by the government is an adequate safeguard against undermining the sacrosanct attorney-client privilege.

As part of a criminal investigation spawned by civil False Claims Act qui tam actions, the government executed search warrants at the offices of Harbor Healthcare System and seized “a wealth of information protected by the attorney-client privilege” including communications between the company’s Director of Compliance and its outside counsel.  Harbor subsequently filed a motion for return of property as provided for in Federal Rule of Criminal Procedure 41(g).  The District Court ultimately granted a government motion to dismiss that proceeding, finding that a “filter team” and screening process were adequate to protect Harbor’s privileged information.


As the use of collaboration and cloud storage platforms expands, litigants and courts are facing increased challenges in keeping up with e-discovery requirements created with different technologies in mind. One example involves the discovery obligations associated with files referenced in email only by hyperlink. Should a litigant be required to find and produce that referenced document as if it were an attachment? What if that is very hard to do? What if the file has moved or changed in the interim? The Southern District of New York recently addressed these issues and held that – for a host of practical and technical reasons – such hyperlinked documents should not “necessarily” invoke obligations to collect and produce the referenced document.
