On August 14, 2020, California Attorney General Xavier Becerra released final implementing regulations for the California Consumer Privacy Act (CCPA). The CCPA became enforceable on July 1, 2020, and Becerra’s office submitted a final proposed draft of the regulations to the California Office of Administrative Law (OAL) on June 1, 2020. The Proposed Regulations have gone through several revisions since the publication of the initial draft in October of 2019. The OAL approved the final version along with an updated Addendum to the Final Statement of Reasons. The final implementing regulations take effect immediately. All businesses subject to the CCPA must now comply with both the statute and the regulations.

The final implementing regulations are similar to the draft proposed in June. However, the AG’s office has made several changes it characterizes as “non-substantive” and withdrawn certain proposed provisions “for additional consideration.” The “non-substantive” changes are intended to improve consistency in language (e.g., ensuring “consumer” is used throughout the regulations, or reorganizing definitions in alphabetical order) and are described in detail in the Addendum to the Final Statement of Reasons.

Some of the withdrawn provisions may affect CCPA compliance. These changes are discussed here.

As none of us can forget, the COVID-19 pandemic forced companies to close their brick-and-mortar offices with little time to adequately prepare their employees for a remote work environment. All of a sudden, in-person meetings were replaced with virtual conferences via Microsoft Teams, Zoom, and Amazon Chime – each leaving a new data trail. Many IT and Legal Departments were similarly unprepared for the impact of an all-remote workforce on the creation, collection and preservation of business-related documents. IT departments were overwhelmed by employees defaulting to the use of unauthorized personal devices and cloud-based applications like Dropbox and Google Docs to complete assigned tasks, create, share, and store data, without IT vetting or coordination. Personal communications platforms such as iMessage, Facebook Messenger, and WhatsApp with untracked or no standardized retention policies replaced or supplemented enterprise instant message and chat functions, complicating the identification, preservation and collection of data.

A remote work environment has become the new normal for many companies. This abrupt change in the way companies conduct business requires commensurate changes in E-Discovery processes. To help meet this challenge, we discuss three key steps to mitigate potential preservation and spoliation risks occasioned by the shift to remote work environments.

  • Collaboration between IT and Legal Departments regarding technology/platform usage policies and protocols for document preservation, retention policies and litigation hold notices.
  • Communication with employees regarding approved, and prohibited, locations and platforms to communicate, create, save, and share company-specific information and documentation.
  • Compliance monitoring for remote employees regarding retention and preservation of data and legal holds.

Implementing the “Three Cs” will aid companies in avoiding discovery hurdles in the future.

1. Collaboration between IT and Legal Departments

IT and Legal Departments must collaborate to understand and contain insurgent preservation risks from remote working. Companies cannot preserve what is outside of their control and vision. First, they should restructure document retention policies and litigation hold notice language to address the creation and storage of data in a remote environment. These should specifically address where and how documents should be preserved from an employee’s home office.  The next step is to identify and provide standards regarding the use of company approved technology for the creation, sharing and storage of data remotely. Without guidance, employees tend to default to the most familiar or accessible technology – which may not meet company requirements.  Companies should also review their policies regarding employee use of personal devices and apps that are not centrally managed. For some companies, a BYOD approach is a requirement of doing business, necessitating flexible management consistent with legal obligations.  For example, companies may provide employees instructions regarding retention settings or the collection of information for business or legal requirements for non-company systems, as well as training on appropriate use.  On the other hand, in certain highly regulated industries, the use of communications streams, collaboration mechanisms or repositories that are not onboarded presents an intolerable risk even in the work-at-home environment.  Strong policies and technical controls – e.g., restricting access to company devices or remote desktops – may be appropriate in those situations.  Many companies, however, must walk the line between these two extremes.  Consultation on the front end with counsel versed in these issues may save significant trouble down the line.

2. Communication with employees regarding the preservation of data

In addition to collaboration between the IT and Legal Departments, companies must routinely train and communicate with their remote employees about the rules, risks and precautions associated with working remotely. Maintaining the confidentiality of business data as well as properly preserving information when required are major concerns.  Untrained or unmotivated employees may discard information which should be preserved, or inadvertently risk the security of information by saving it to a personal communication device or other software platform rather than to a secure, company approved location.

Companies may consider virtual training sessions as a standard offering and when particular actions are needed. They can also make available electronic copies of updated usage, preservation and document retention policies for relevant employees, consistent with maintaining privilege and confidentiality. The training and policies should identify approved locations and technology platforms to use to create, store and share business data, along with explicit instructions regarding where documents should not be saved (i.e., personal drives or communication devices) and a mechanism for enforcement to show this is not just a paperwork exercise. It is also important to provide guidance regarding physical records printed at home for a business purpose (hint: minimize printing; keep it in a secure location; and shred anything not required for preservation as soon as the business need expires). Employees must be reminded of their duty to secure and preserve business data when litigation is or should be reasonably anticipated.

3. Compliance with document retention and preservation obligations to avoid spoliation

Monitoring compliance with document retention policies and legal holds is a pivotal requirement in managing a remote workforce.  Internal policies and procedures should be updated to inform employees that relevant business data, whether generated at home or in the office, may be discoverable and should be properly preserved when in the scope of a legal hold or discovery request. Companies should conduct routine compliance checks with employees to ensure awareness of data preservation obligations and the expectations of the company.

Companies should consider routinely (every three to six months, for example) reminding employees who are recipients of litigation hold notices of their preservation obligations. Such reminders may also be sent when case developments make it appropriate.  In some situations, the change in working environment is so pronounced that a company may find it appropriate to send an updated notice expressly addressing the preservation of material generated remotely, including on personal devices and platforms.

In conclusion, the widespread shift to remote work environments is a changed circumstance that IT and Legal Departments should address in providing defensible policies and procedures to secure and preserve company data. Companies should ensure collaboration between the IT and Legal Departments, communicate regularly with remote employees regarding the preservation of data, and monitor compliance with document preservation and retention policies. Implementing the “Three Cs” will better position companies to get ahead of potential preservation issues and mitigate discovery hurdles going forward.


As employees are increasingly working from home during the COVID-19 pandemic, many communications that would typically occur face-to-face are now taking place over chat systems, such as Skype, Bloomberg Messaging, and Slack. Chats are often more informal and unfiltered than other forms of written communication such as email, and often do not provide context for the conversation. And with that comes legal risk.

This is because chats may qualify as business documents subject to discovery in litigation—especially when those chats discuss business topics. See, e.g., LBBW Luxemburg S.A. v. Wells Fargo Sec. LLC, Case No. 12-CV-7311, 2016 WL 1660498, at *8 (S.D.N.Y. Mar. 29, 2016) (ordering production of Bloomberg instant messages); JUUL Labs, Inc. v. 4X PODS, Civ. No. 18-15444, 2020 WL 747405, at *14-15 (D.N.J. Feb. 13, 2020) (ordering quarterly reporting during the pendency of a lawsuit based on internal Skype messages indicating defendants would take steps to avoid payment of any judgment that was ultimately entered); West Publ’g Corp. v. LegalEase Solutions, LLC, Case No. 18-cv-1445, 2019 WL 8014512, at *8 (D. Minn. Nov. 22, 2019) (ordering non-party’s production of Slack messages).

Companies are therefore left with the difficult question:  how can you best protect against the risks of online chats, while balancing the business need for them?  The answer may lie in the concept of proportionality.


On April 20, 2020, the Supreme Court granted cert in Van Buren v. United States, to resolve an important circuit split over the meaning of “authorized access” under the Computer Fraud and Abuse Act (CFAA). This is the Court’s first foray into analyzing the precise contours of CFAA liability. Van Buren may have far-reaching implications for any individual or business operating in the digital domain, as the scope of civil and criminal liability under the CFAA can impact just about any sort of relationship involving access to computer systems, whether it be employer-employee relationships or third-party relationships.


E-Discovery no longer dominantly involves emails and shared drive documents. With the increasing prevalence of mobile devices in the workplace and new apps being developed daily, mobile data and other non-email communications are moving to the forefront of discovery. Times have changed, and attorneys have professional and ethical obligations to keep up. To effectively and competently represent clients, attorneys must stay apprised of how to work with these ever-changing forms of data – or get help from someone knowledgeable. To do so, we have set out some suggestions below organized around common stages of the discovery lifecycle of digital evidence.

Identification. In conducting custodian interviews, ask questions to target the data types the custodian works with. Start broadly by determining if the company has a BYOD policy and asking if they allow the use of personal devices for work purposes. Confirm which messaging tools they use for business purposes, with the understanding that people tend to play down such use. For each messaging application, ask how they are used and with whom they communicate. Discuss these same topics with your client’s IT team to better understand  the company’s policies and capabilities for controlling the use of personal devices, as well as employees’ actual practices.


Increasing mobile device usage for routine business – such as through text messages and mobile applications like WhatsApp – is contributing to a new developing trend in E-Discovery: broad discovery requests for businesses to collect and produce data from their employees’ mobile phones.

The proliferation of electronic communication not only makes it imperative for organizations to have mechanisms in place to capture and preserve mobile text messages, but also raises new challenges about how to protect employee privacy.  As more and more employees use their personal devices for business purposes (and vice-versa – employees using company-provided devices also for personal purposes), there is an increasing desire among employees to ensure their personal data is protected, even as the company produces other data required in discovery.

Courts have recognized this is an issue, and the law is evolving to strike a balance between the discoverability of relevant information and privacy protections from overly intrusive requests for text messages.

Crowell & Moring has released its Regulatory Forecast 2020: What Corporate Counsel Need to Know for the Coming Year, a report that explores the impact of regulatory changes on the technology industry and other sectors, and provides insight into thehouse counsel can expect to face in the coming year.

For 2020, the Forecast highlights the driving forces behind the increased regulatory focus, including access to the data, online platforms, and cutting-edge technologies that define competitive advantage. It explores regulatory trends in antitrust, environment and natural resources, and public affairs.

The cover story, “Antitrust in the Digital Age: How Antitrust Investigations into Big Tech Impact Companies in Every Industry,” discusses why there has been an increase in antitrust investigations and the effort to crack down on potential abuses among large technology companies.

Be sure to read the full report and follow the conversation on social media with #RegulatoryForecast.

Aiming to identify, enhance, and test supply chain vulnerabilities in the energy sector and cybersecurity response capabilities between public and private sectors, the U.S. Senate Committee on Energy & Natural Resources approved legislation that directs the Department of Energy (DoE) to create several new programs towards the development of “advanced cybersecurity applications and technologies” for the sector.[1]  The Energy Cybersecurity Act of 2019 (the Act) directs DoE to establish programs that identify supply chain vulnerabilities and expand Federal cooperation and coordination for responses to cyber threats.

If passed, the Act will require the DoE to:


In Ingham Regional Medical Center v. U.S. (Jan. 6, 2020), the Court of Federal Claims compelled production of certain government investigatory documents that the Court found were not privileged work product prepared “in anticipation of litigation.” The Medical Center sued to recover payments for outpatient healthcare services performed in connection with DoD’s TRICARE program after initial settlement discussions had failed. During discovery, the government inadvertently produced several documents that assessed the accuracy of its previous payments to the Medical Center, including documents that had been repeatedly logged as privileged. Although the government claimed that the documents were prepared in anticipation of litigation, the court held that the documents did not constitute protected work product because they were produced in furtherance of a business purpose (i.e., payment investigation) well before a genuine threat of litigation arose. The court equated the government’s function in assessing the hospital’s claims for alleged underpayments to that of an insurer who investigates a claim before making a final determination. Therefore, since the threat of litigation was too remote, the court found that the work product had been prepared for a possible negotiated business settlement between the parties, rather than for litigation. Contractors and others engaged in litigation with the government should keep “ordinary course of business” arguments in mind as a basis to challenge government privilege assertions.

The Department of Defense (DoD) has released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), Appendices A-F, and an Overview Briefing. While Version 1.0 largely mirrors the draft Version 0.7, the final version includes notable revisions.