In January 2017, The Sedona Conference Working Group on International Electronic Information Management, Discovery, and Disclosure (WG6) issued the much-anticipated International Litigation Principles on Discovery, Disclosure & Data Protection in Civil Litigation (Transitional Edition). This publication updates the 2011 International Litigation Principles, which preceded the 2013 Snowden revelations and the Schrems decision invalidating the U.S.-EU Safe Harbor. It also incorporates the adoption and implementation of the EU-U.S. Privacy Shield and the approval of the EU General Data Protection Regulation (GDPR), which is set to replace the 1995 EU Data Protection Directive in May 2018. Many of these developments are consistent with the focus on “proportionality” of discovery in the 2015 amendments to the U.S. Federal Rules of Civil Procedure.

Given the complex and dynamic EU data protection landscape (the new Privacy Shield has not yet been tested, and the GDPR has not yet taken effect), WG6 has aptly designated this a “Transitional” edition. This edition provides interim best practices and practical guidance for courts, counsel and corporate clients on safely navigating the competing and conflicting obligations involved in cross-border transfers of EU personal data in the context of transnational litigation and regulatory proceedings. Following are the publication’s Six Transitional International Litigation Principles:

Continue Reading The Sedona Conference WG6 Issues “Transitional” International Litigation Principles

Natalya Northrip and Emily Dorner will be presenting on two interesting eDiscovery topics this April; presentations will focus on litigation hold maintenance and best practices, as well as recordkeeping for human resources professionals.  Presentations will take place on April 6, and April 26, respectively.  Summaries of presentation content and links to sign up are provided below!  Friends of Seyfarth can use the following promo code for 35% off: SPKR35

Effectively Drafting and Managing Litigation Holds

When an organization becomes a party to a lawsuit or when it reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a “litigation hold” to ensure the preservation of potentially relevant documents. In this webinar, you will learn what a litigation hold is, how to draft and manage a litigation hold, and the consequences of failing to satisfy your preservation obligations.  Among other things, you’ll learn about:

  • The duty to preserve
  • Scope and timing of preservation
  • Possession, custody and control of relevant information
  • Effective preservation strategies
  • How to draft litigation hold notices
  • The dangers of self-identification of relevant information
  • How to ensure proper management of legal holds
  • Sanctions for spoliation of evidence

Sign up here!

Document Retention and Destruction for HR Professionals

Every HR department will have a variety of records with varying retention requirements. Failure to keep these records for the prescribed periods of time may lead to evidence spoliation, fines, and the inability to properly respond to a governmental investigation or audit. In this webinar, you will learn how to develop an effective records program for HR that supports good information management and helps an organization manage risk. Among other things, you will learn about:

  • How to create and implement a records retention program
  • What are records retention schedules
  • Special handling for employee medical records
  • When to retain I-9 Forms, and for how long
  • Document retention in the face of pending or current litigation
  • Retention or disposition of former employee personnel files

Sign up here!

The Sedona Conference Working Group on Electronic Document Retention & Production (WG1) has released its Commentary on Proportionality in Electronic Discovery. The public comment period on the Commentary closed on January 31, 2017. This Commentary was much anticipated given the revamping of Rules 26(b)(1) and 37(e) of the Federal Rules of Civil Procedure in December 2015, which directly affected the scope of eDiscovery in federal litigation. The 2015 amendments were aimed at curbing gamesmanship and abuses in eDiscovery by elevating the importance of “proportionality” as the guiding principle governing the entire discovery process and by setting forth the framework for addressing the loss of electronically stored information (ESI) that was required to be preserved.

Under the amended Rule 26(b)(1), “parties may obtain discovery regarding any nonprivileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case….” (emphasis added). Rule 26(b)(1) also now includes the considerations that bear on proportionality, which were moved from the previous Rule 26(b)(2)(C)(iii), rearranged and expanded. The proportionality factors that courts will take into account are as follows: (1) the importance of the issues at stake; (2) the amount in controversy; (3) the parties’ relative access to relevant data; (4) the parties’ resources; (5) the importance of discovery for resolution; and (6) the burden or expense relative to benefit.

The amended Rule 37(e) provides guidance on the scope of the preservation effort that the court expects from litigants. Specifically, the amendments to Rule 37(e) affect the judicial analysis of sanctions for the loss of ESI (1) that “should have been preserved” in the anticipation or conduct of litigation, (2) that was lost because a party failed to take “reasonable steps” to preserve it, and (3) that cannot be restored or replaced through additional discovery. Upon making this threshold finding, the court must conduct a further analysis whose goal is to differentiate an intent to deprive from mere negligence, and order sanctions in proportion to the level of culpability. Under the amended Rule 37(e), courts focus on a party’s intent to deprive its opponent of the use of the lost ESI and on the resulting prejudice to the opponent. Where the court finds an intent to deprive, it may order harsher sanctions, including an adverse inference instruction, default judgment or dismissal. Where that intent is lacking, only measures no greater than necessary to cure the prejudice are appropriate.

Parties engaged in or preparing for litigation should consider how these amendments impact their overall litigation strategy, as well as their eDiscovery process. While the concepts of proportionality and good-faith discovery conduct are anything but new, the 2015 amendments provide the parties and courts with a more robust and defined framework for their application.

To help federal litigants and courts apply the new amendments in designing the eDiscovery process and resolving eDiscovery disputes, the Commentary on Proportionality offers Six Principles for consideration. The following are the key takeaways.

Continue Reading Key Takeaways from the Sedona Conference Commentary on Proportionality in Electronic Discovery

Earlier this month, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty of $3,217,000.00 against Children’s Medical Center of Dallas (Children’s), a pediatric hospital that is part of Children’s Health, the seventh largest pediatric health care provider in the nation. OCR based this penalty on its finding that Children’s failed to comply with the HIPAA Security Rule over many years and that Children’s impermissibly disclosed unsecured electronic protected health information (ePHI) when it suffered two data breaches that were reportable to OCR.

The Breaches

  • On January 18, 2010, Children’s reported to OCR the loss of an unencrypted, non-password protected BlackBerry device at an airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals.
  • On July 5, 2013, Children’s reported to OCR the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. The device contained the ePHI of approximately 2,462 individuals.

Because Children’s devices were unencrypted, Children’s was obligated to report their loss, along with the unsecured ePHI they contained, to HHS. Had the devices been encrypted in a manner consistent with HHS guidance (which points to NIST encryption standards) and had the decryption key not been compromised along with the device, Children’s could have taken advantage of the “safe harbor” rule, pursuant to which covered entities and business associates are not required to report a breach of information that is not “unsecured.” Password protection alone, as on the lost BlackBerry, does not qualify: the data on the device remains readable to anyone who bypasses the lock or reads the storage directly.

The Investigation

  • OCR’s investigation revealed that, in violation of HIPAA Rules, Children’s (1) failed to implement risk management plans, contrary to prior external recommendations to do so, and (2) knowingly and over the course of several years, failed to encrypt, or alternatively protect, all of its laptops, work stations, mobile devices, and removable storage media.
    • OCR’s investigation established that Children’s knew about the risk of maintaining unencrypted ePHI on its devices as far back as 2007.
    • Despite this knowledge, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

The Takeaways

Continue Reading Key Takeaways from OCR’s Latest HIPAA Fine: Hospital to Pay $3.2 Million for Its Cybersecurity Violations

In an interesting decision regarding the spoliation of evidence via a mobile device, Magistrate Judge Terry F. Moorer determined that the newly amended Federal Rule 37(e) – enacted on December 1, 2015 – did not apply to the spoliation case, as the case was filed prior to the rule’s enactment.  (Morrison v. Charles J. Veale, M.D., P.C., 2017 BL 21478, M.D. Ala., No. 3:14-cv-1020-TFM, 1/25/17).

Karla Morrison, a former employee of the medical practice Charles J. Veale, M.D., P.C. sued her employer in October of 2014 alleging that the practice violated the Fair Labor Standards Act.  Following the close of discovery in August of 2016, the defendant filed a motion for sanctions for spoliation of evidence alleging that Morrison logged into her office email account after her termination and deleted emails from the account.  The defendant bolstered this argument by alleging that Morrison added 2-step verification to her log-in process in April 2015 – almost 6 months after her termination.  Morrison admitted to accessing her office email days after her termination to “close out” items, but denied any further use of the account.

For those unfamiliar, 2-step verification is an additional security measure that confirms a user’s identity through two components: typically a password, followed by a one-time code generated on or sent to a personal device such as a phone. When in place, it adds a second layer of protection to an account, so that a stolen or guessed password alone is no longer enough to log in.

Continue Reading Interesting Sanctions Analysis Applies “Old” Bad Faith Standard Post-December 2015 Amendments

Last month, The Sedona Conference released the public comment version of The Sedona Conference Data Privacy Primer, a comprehensive catalog of U.S. data privacy issues, legislation, and resources, designed to provide “immediate and practical benefit” to organizations and practitioners dealing with privacy issues. The Primer is a work product of The Sedona Conference Working Group Eleven on Data Security and Privacy Liability (WG11). The Primer is open for public comment until April 16, 2017.

A quick read through the Primer makes clear that this publication will become a practical reference book for any attorney seeking to understand basic privacy issues in the United States. At over 100 pages, the Primer is organized much like a treatise, with chapters devoted to the basic data privacy concepts, federal and state government privacy protection, general consumer protection, protection of health and financial information, and workplace and student privacy.

With the United States having a multitude of national, local, and industry-specific privacy statutes and regulations, it can be a challenge to identify all the issues and applicable laws that might bear on a particular legal situation. The Primer conveniently gathers everything in one place and includes discussion of the protections provided by all major federal laws, including the Federal Trade Commission (FTC) Act, Children’s Online Privacy Protection Act (COPPA), Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), Telemarketing and Consumer Fraud and Abuse Prevention Act (Telemarketing Act), Communications Act of 1934, Telephone Consumer Protection Act of 1991, Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), the Gramm–Leach–Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Right to Financial Privacy Act of 1978 (RFPA), Family Educational Rights and Privacy Act (FERPA), and Protection of Pupil Rights Amendment, as well as a variety of state laws, proposed legislation, and best practices for approaching various data privacy issues.

Employers will find helpful the discussion of Workplace Privacy, in which the Primer touches upon use of company equipment and email, bring your own device (BYOD) policies, and social media privacy issues. Educational institutions will benefit from the discussion of Student Privacy, which covers FERPA, COPPA, consent requirements and exceptions, right of access, parental rights, and proposed legislation.

The Primer also includes “Side Bar” discussions for each section with practice pointers and best practices related to each area that could help increase compliance with privacy laws and mitigate risk. Most importantly, the Primer points out the interplay among different laws as they might bear on a particular situation, thereby minimizing the risk that some relevant considerations might be overlooked when an organization decides how to discharge its privacy obligations.

On September 19, 2016, Ross Compton told police that when he noticed a fire in his Middletown, Ohio, home, he hastily packed suitcases, broke a window with his cane, and pushed his bags out the window, at which point he carried them to his car. After describing the scene to a 911 dispatcher, Compton added that he had an artificial heart. However, authorities began to question Compton’s story when they found gasoline on Compton’s clothes and discovered that the fire that destroyed his home appeared to have started in multiple areas at once.

As part of their investigation, authorities subpoenaed the data stored on Compton’s pacemaker, which would provide a historical record of Compton’s heart rate, cardiac rhythms, and pacemaker activity before, during, and after the fire. After reviewing this data, a cardiologist stated that it was “highly improbable” that Compton carried out the physically demanding activities described in his account. Authorities said that the pacemaker data represented some of the “key pieces of evidence” that resulted in charging Compton with aggravated arson and insurance fraud.

This case provides an excellent example of identifying non-traditional electronically stored information that can provide critical evidence unavailable from any other sources. During an investigation, it is important to identify what sources of electronically stored information exist and then to reasonably narrow that listing down to sources that may have unique, potentially responsive information. Although authorities may have independently pursued Compton’s pacemaker data, it may very well have been Compton’s own comments regarding the existence of his pacemaker that led them to request the data in the first place.

Further information can be found here:

http://www.wlwt.com/article/middletown-mans-electronic-heart-monitor-leads-to-his-arrest/8647942

President Trump is expected soon to sign an Executive Order on Strengthening U.S. Cyber Security and Capabilities. Reports about a “leaked draft” of the Executive Order on Cybersecurity surfaced on the Internet a few days ago, along with predictions that the Order will be signed on January 31. The Order has yet to be signed, and the publicized draft may undergo some changes. The available draft orders three reviews:

  • Review of Cyber Vulnerabilities, which asks, within 60 days of the date of the Order, for a report of initial recommendations for the enhanced protection of the most critical civilian Federal Government, public, and private sector infrastructure.
  • Review of Cyber Adversaries, which asks, within 60 days of the date of the Order, for a first report on the identities, capabilities, and vulnerabilities of the principal U.S. cyber adversaries.
  • U.S. Cyber Capabilities Review, which asks for identification of an initial set of capabilities needing improvement to adequately protect U.S. critical infrastructure, based on the results of the other two Reviews.  As part of this review, the Secretary of Defense and Secretary of Homeland Security are directed to gather and review information from the Department of Education “regarding computer science, mathematics, and cyber security education from primary through higher education to understand the full scope of U.S. efforts to educate and train the workforce of the future.”  The Secretary of Defense is also directed to make recommendations “in order to best position the U.S. educational system to maintain its competitive advantage into the future.”

Continue Reading President Trump to Issue Executive Order on Cybersecurity

Beginning on April 12, 2017, U.S. organizations that are subject to the investigatory and enforcement powers of the FTC or the Department of Transportation will be able to self-certify to the newly adopted Swiss–U.S. Privacy Shield Framework (“Swiss Privacy Shield”). The Swiss Privacy Shield will allow transfers of Swiss personal data to the United States in compliance with Swiss data protection requirements. The Swiss Privacy Shield will replace the U.S.–Swiss Safe Harbor Framework and will impose similar data protection requirements established last summer for cross-border transfers of personal data from the EU under the EU–U.S. Privacy Shield (“Privacy Shield”).

With the adoption of the Swiss Privacy Shield, transfers of personal data from Switzerland under the Swiss Safe Harbor Framework will no longer be permitted. Organizations currently registered with the Swiss Safe Harbor would need to certify under the Swiss Privacy Shield or implement alternative methods for complying with Swiss data transfer restrictions, such as Standard Contractual Clauses and Binding Corporate Rules. To join the Swiss Privacy Shield, organizations would need to ensure that their privacy policies, notices, statements, and procedures are in compliance with the new framework. The Department of Commerce provides sample language that can be used in an organization’s privacy policy to signify its participation in the Swiss Privacy Shield.

Organizations with active Privacy Shield certifications will be able to add the Swiss Privacy Shield registration to their existing Privacy Shield accounts, at a separate annual fee. Similarly to the Privacy Shield, the fee for participation in the Swiss Privacy Shield will be tiered based on the organization’s annual revenue. The exact fee structure will be made available sometime before April 12.

Notably, organizations with dual registrations would need to recertify under both the Privacy Shield and the Swiss Privacy Shield one year from the date the first of their two certifications was finalized. That means, for instance, that an organization that registered for the Privacy Shield on September 1, 2016, and then registers for the Swiss Privacy Shield on May 1, 2017, would need to complete its annual recertification under both frameworks by September 1, 2017.

While the requirements of the two frameworks are nearly identical, there are a few differences:

Continue Reading The Swiss Privacy Shield Opens for Business on April 12

The EU Article 29 Data Protection Working Party (WP 29) is continuing its work in preparation for the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which will take effect in May 2018. Last month, the WP29 released three sets of guidelines for controllers and processors of personal data, including guidelines on the right to data portability, on data protection officers, and on the lead supervisory authority. Key takeaways from these three guidelines can be found on our blog.

This month, WP29 announced that it adopted its “2017 GDPR Action Plan.” The Plan identifies two areas of focus: (1) follow-up on 2016 topics, and (2) new 2017 priorities. The follow-up work will include finalizing guidelines on certification, on processing likely to result in a high risk and Data Protection Impact Assessments, and on administrative fines, as well as the setting up of the European Data Protection Board (EDPB) and the preparation of the “one-stop-shop” and EDPB consistency mechanism.

This year, WP29 plans to prepare and release guidelines on the topics of consent, profiling, and transparency. The WP29 will also work on the update of already existing opinions on data transfers to third countries and data breach notifications. This year, companies that rely on transfers of personal data from the EU may have the following three opportunities to engage with the WP29 and EU Data Protection Authorities (DPAs):

  • On April 5-6, 2017, the WP29 will hold a Fablab meeting, where interested stakeholders will have an opportunity to present their views and comments on the identified 2017 priorities.
  • On May 18-19, 2017, the WP29 will organize an interactive workshop where non-EU counterparts will be invited to exchange views on the GDPR and its implementation by the WP29.
  • The press release also states that relevant public consultations “may be” launched at a national level by local DPAs.

The WP29 plans to review its 2017 plan periodically and prepare a new plan for 2018 to finish the preparation work. We will be commenting on the forthcoming GDPR guidelines as they are released by the WP29.