On April 20, 2020, the Supreme Court granted cert in Van Buren v. United States, to resolve an important circuit split over the meaning of “authorized access” under the Computer Fraud and Abuse Act (CFAA). This is the Court’s first foray into analyzing the precise contours of CFAA liability. Van Buren may have far-reaching implications for any individual or business operating in the digital domain, as the scope of civil and criminal liability under the CFAA can impact just about any sort of relationship involving access to computer systems, whether it be employer-employee relationships or third-party relationships.
E-Discovery no longer dominantly involves emails and shared drive documents. With the increasing prevalence of mobile devices in the workplace and new apps being developed daily, mobile data and other non-email communications are moving to the forefront of discovery. Times have changed, and attorneys have professional and ethical obligations to keep up. To effectively and competently represent clients, attorneys must stay apprised of how to work with these ever-changing forms of data – or get help from someone knowledgeable. To do so, we have set out some suggestions below organized around common stages of the discovery lifecycle of digital evidence.
Identification. In conducting custodian interviews, ask questions to target the data types the custodian works with. Start broadly by determining if the company has a BYOD policy and asking if they allow the use of personal devices for work purposes. Confirm which messaging tools they use for business purposes, with the understanding that people tend to play down such use. For each messaging application, ask how they are used and with whom they communicate. Discuss these same topics with your client’s IT team to better understand the company’s policies and capabilities for controlling the use of personal devices, as well as employees’ actual practices.
Increasing mobile device usage for routine business – such as through text messages and mobile applications like WhatsApp – is contributing to a new developing trend in E-Discovery: broad discovery requests for businesses to collect and produce data from their employees’ mobile phones.
The proliferation of electronic communication not only makes it imperative for organizations to have mechanisms in place to capture and preserve mobile text messages, but also raises new challenges about how to protect employee privacy. As more and more employees use their personal devices for business purposes (and vice-versa – employees using company-provided devices also for personal purposes), there is an increasing desire among employees to ensure their personal data is protected, even as the company produces other data required in discovery.
Courts have recognized this is an issue, and the law is evolving to strike a balance between the discoverability of relevant information and privacy protections from overly intrusive requests for text messages. Continue Reading Court Rules Personal Privacy Interests May Impact Scope of Discovery for Text Messages
Crowell & Moring has released its Regulatory Forecast 2020: What Corporate Counsel Need to Know for the Coming Year, a report that explores the impact of regulatory changes on the technology industry and other sectors, and provides insight into thehouse counsel can expect to face in the coming year.
For 2020, the Forecast highlights the driving forces behind the increased regulatory focus, including access to the data, online platforms, and cutting-edge technologies that define competitive advantage. It explores regulatory trends in antitrust, environment and natural resources, and public affairs.
The cover story, “Antitrust in the Digital Age: How Antitrust Investigations into Big Tech Impact Companies in Every Industry,” discusses why there has been an increase in antitrust investigations and the effort to crack down on potential abuses among large technology companies.
Be sure to read the full report and follow the conversation on social media with #RegulatoryForecast.
Aiming to identify, enhance, and test supply chain vulnerabilities in the energy sector and cybersecurity response capabilities between public and private sectors, the U.S. Senate Committee on Energy & Natural Resources approved legislation that directs the Department of Energy (DoE) to create several new programs towards the development of “advanced cybersecurity applications and technologies” for the sector. The Energy Cybersecurity Act of 2019 (the Act) directs DoE to establish programs that identify supply chain vulnerabilities and expand Federal cooperation and coordination for responses to cyber threats.
If passed, the Act will require the DoE to:
In Ingham Regional Medical Center v. U.S. (Jan. 6, 2020), the Court of Federal Claims compelled production of certain government investigatory documents that the Court found were not privileged work product prepared “in anticipation of litigation.” The Medical Center sued to recover payments for outpatient healthcare services performed in connection with DoD’s TRICARE program after initial settlement discussions had failed. During discovery, the government inadvertently produced several documents that assessed the accuracy of its previous payments to the Medical Center, including documents that had been repeatedly logged as privileged. Although the government claimed that the documents were prepared in anticipation of litigation, the court held that the documents did not constitute protected work product because they were produced in furtherance of a business purpose (i.e., payment investigation) well before a genuine threat of litigation arose. The court equated the government’s function in assessing the hospital’s claims for alleged underpayments to that of an insurer who investigates a claim before making a final determination. Therefore, since the threat of litigation was too remote, the court found that the work product had been prepared for a possible negotiated business settlement between the parties, rather than for litigation. Contractors and others engaged in litigation with the government should keep “ordinary course of business” arguments in mind as a basis to challenge government privilege assertions.
The Department of Defense (DoD) has released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), Appendices A-F, and an Overview Briefing. While Version 1.0 largely mirrors the draft Version 0.7, the final version includes notable revisions. Please click here to see the full client alert.
Crowell & Moring has released Litigation Forecast 2020: What Corporate Counsel Need to Know for the Coming Year. The eighth-annual Forecast provides forward-looking insights from leading Crowell & Moring lawyers to help legal departments anticipate and respond to challenges that might arise in the year ahead.
For 2020, the Forecast focuses on how the digital revolution is giving rise to new litigation risks, and it explores trends in employment non-competes, the future of stare decisis, the role of smartphones in investigations and litigation, and more.
The cover story, “A Tangled Web: How the Internet of Things and AI Expose Companies to Increased Tort, Privacy, and Cybersecurity Litigation,” explores how the digital revolution is transforming not only high-tech companies, but also traditional industries with products, business models, and workforces that are being affected by increased connectivity, artificial intelligence, and the ability to gather and use tremendous amounts of data.
Be sure to follow the conversation on Twitter with #LitigationForecast.
On January 13, 2020, U.S. District Court Judge Castel of the Southern District of New York in SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (PKC) granted the motion of the U.S. Securities and Exchange Commission (“SEC”) to compel Telegram Group Inc., a technology company best known for its secure messaging app, to produce overseas bank records (Dkt. 67). The SEC had sought these records “fully unredacted” on an expedited basis in support of its claim that Telegram engaged in an unregistered securities offering (Dkt. 52). Telegram objected to any production, asserting that the records were of questionable relevance, that they contained banking and personal information protected by a host of foreign laws, and that it would be unduly burdensome to “to cull through these records and redact the personal information of non-U.S. persons and entities subject to foreign data privacy law protections.” (Dkt. 55). In a short decision, the Court ordered Telegram to produce the records on a tight timeline, holding that “[o]nly redactions necessitated by foreign privacy laws shall be permitted, and a log stating the basis for any redaction shall be produced at the same time the redacted documents are produced.”
There are a few key takeaways from this decision. First, the Court recognized foreign data privacy laws as legitimate grounds for withholding otherwise discoverable information. Defendant was not given a blank check to redact; rather, the Court required Telegram to log the basis for any privacy assertions, and one can expect the SEC will closely question Telegram on the redactions. At the same time, the Court clearly did not agree with the SEC’s characterization of data privacy laws as “blocking statutes” to be ignored, and was not swayed by its complaints that Telegram had not shown that such laws require deference. This is consistent with an observed general heightened sensitivity to data privacy and data security interests in the U.S. and abroad.
Judge Castel’s approach represents a change from U.S. courts’ prior dismissive treatment of similar disclosure objections. Courts traditionally would apply a multi-factor comity analysis that generally prioritized U.S. discovery interests over those of conflicting foreign laws and ultimately required unredacted production. See, e.g., Laydon v. Mizuho Bank, Ltd., 183 F. Supp.3d 409 (S.D.N.Y. 2016) (requiring unredacted production of data protected by the then EU privacy regulation, the 1995 EU Directive 95/46/EC, based on comity analysis set out in Société Nationale Industrielle Aerospatiale v. U.S. Dist. Court for S. Dist. of Iowa, 482 U.S. 522, 544 n.29 (1987) (hereinafter “Aerospatiale”)). Certainly, the SEC pushed for the customary approach, but Judge Castel appears implicitly to have to have resolved in short form (or skipped over) the Aerospatiale comity analysis and accepted the legitimacy of foreign restrictions on disclosure in U.S. proceedings.
On January 1, 2020, California’s landmark privacy law, the California Consumer Privacy Act (CCPA), took effect. The CCPA imposes various obligations on covered businesses and provides extensive rights to consumers with respect to controlling the collection and use of their personal information. While some companies have largely completed their CCPA compliance efforts, many others are still digesting the CCPA and draft proposed regulations, and taking steps to meet the CCPA’s myriad compliance obligations.
Confusion persists about how businesses can comply with certain provisions of the CCPA. In October 2019, the California Attorney General issued proposed regulations that provide guidance on a number of key areas, but the regulations are not yet final. If adopted, violations of the proposed regulations will be treated the same as violations of the CCPA itself, with the same penalties. We have summarized the proposed regulations in previous alerts:
- Proposed CCPA Regulations from California Attorney General Just Issued: Part I – An Analysis of Required Consumer Notice
- Proposed CCPA Regulations from California Attorney General: Part II – An Analysis of Handling Consumer Requests under the CCPA
- Proposed CCPA Regulations from California Attorney General: Part III – An Analysis of the Requirement to Verify Consumer Requests and Parental Consents
- Proposed CCPA Regulations from California Attorney General: Part IV – Service Providers & Financial Incentives
Comments on the proposed regulations can be viewed here.