By now, most litigators should know that they have an affirmative duty to advise their clients about the duty to preserve potentially relevant documents.  Despite this, the United States District Court for the Southern District of New York recently denied an attorney defendant’s motion for summary judgment in part because the record was not clear as to whether the attorney defendant fulfilled its obligations with respect to the duty to preserve.

Industrial Quick Search, Inc., Michael Meiresonne, and Meiresonne & Associates (collectively “Plaintiffs”) sued their law firm Miller, Rosado & Alogis, LLP (“Defendants”) for malpractice.  Neil Miller and Chris Rosado, named partners of the firm, were also individually named as Defendants.  Defendants represented Plaintiffs in an underlying copyright infringement lawsuit in which default judgement was entered against Plaintiffs for misappropriating confidential information, plagiarizing copyrighted material, and for deliberately destroying potentially relevant documents. Continue Reading FAILURE TO ADEQUATELY ADVISE CLIENTS ON THEIR PRESERVATION OBLIGATIONS CAN BE CONSIDERED MALPRACTICE

Eleven years into the court order levied on the NSA to preserve backup tapes containing data about the NSA surveillance efforts, it’s come to light that the NSA failed to take adequate steps to ensure the data was not deleted.  Tapes containing data between 2001-2007 were deleted in 2009, 2011, and 2016, showing a systemic problem with proper data preservation.  For an agency that arguably “saves everything,” this news is rather comical.   The NSA’s deputy director of capabilities apologized for the failure in an October declaration, while another NSA official claimed the tapes were deleted during “housecleaning efforts aimed at making space for incoming information.”  Oddly enough, there was no explanation as to why live incoming information would have been put on backup tapes, adding to the mystery of the real cause of the tape destruction.  Thus far, there have been no discussions of sanctions and no requests on U.S. District Court Judge Jeffrey White to do so, at least yet.  The NSA isn’t in a great position, however, since in May 2014, an NSA official assured the court that the data on the tapes was safe.  The NSA now claims they are using “extraordinary” effort to try and recover the lost data.  However, anyone familiar with how tape rotation works should understand it’s quite likely that the tapes were overwritten with new data, effectively making the old data permanently unreadable.  The facts seem to point to a clear case of spoliation, and this time, it’s by one of the U.S. Government agencies that possessed data storage capabilities unsurpassed by any in the world.

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Seyfarth’s eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners are pleased to announce the release of Data Privacy & Protection in the EU-U.S.: What Companies Need to Know Now, which describes GDPR’s unique legal structure and remedies, and includes tips and strategies in light of the future passage of the GDPR.

How to Get Your Desktop Guide:

To request the Data Privacy & Protection in the EU-U.S. Desktop Guide as a pdf or hard copy, please click the button below:

GDPR Webinar Series

Throughout August and October of 2017, Seyfarth Shaw’s attorneys provided high-level discussions on risk assessment tools and remediation strategies to help companies prepare and reduce the cost of EU GDPR compliance. Each segment is one hour long and can be accessed on-demand at Seyfarth’s Carpe Datum Law Blog and The Global Privacy Watch Blog.

For updates and insight on GDPR, we invite you to click here to subscribe to Seyfarth’s Carpe Datum Law Blog and here to subscribe to Seyfarth’s The Global Privacy Watch Blog.

A trial court opinion involving allegations of spoliation of text messages on a mobile phone in the Southern District of New York has gotten attention because of the application of legal preservation standards.  Ronnie Van Zant, Inc. v. Pyle 2017 BL 3018, S.D.N.Y. 17 Civ. 3360 (RWS), 8/23/17) is an interesting read, not just because it involves odd characters, intrigue and drama surrounding one of the greatest Southern Rock bands of all time.  It also includes some instructive information about the application of the “practical ability” test for preservation, and the uphill battle for witnesses who lose credibility in testimony about what they did and did not do in a preservation effort.

Not long after the tragic plane crash that resulted in the deaths of Lynyrd Skynyrd lead singer Ronnie Van Zandt and his co-founding band member Steven Gaines,  Artimus Pyle, the former drummer, entered an agreement with the surviving heirs and other members of the band.  The agreement involved promises to never perform as “Lynyrd Skynyrd,” or to generally profit from the name of the band or the tragic deaths of Van Zant or Gaines without approval of the original parties to the agreement.  Their dramatically named “blood oath” agreement was more concretely memorialized in a Consent Order in 1988, following other litigation, which Pyle signed.

Over 20 years after the 1988 Consent Order, the drama that spawned the litigation began in a story that sounds like it came from a Netflix mini-series.  A film director named Jared Cohn, who worked under contract for an independent record label-turned movie producer, Cleopatra Records, Inc. (“Cleopatra”) reached out to Pyle about making a movie centered around the band and Pyle’s life in it.  Cohn was hired by the founder and co-owner of Cleopatra Records, Brian Perera, who is another interesting character in his own right. Pyle met and consulted with Perera on multiple occasions about ideas for a film generally depicting his life and the plane crash, which Pyle survived.  In their first conversations, Pyle did not mention the 1988 Consent Order, but the Order eventually was delivered to Cleopatra.  The copy of the Order was also eventually followed by a “cease and desist” letter and other correspondence from the Plaintiffs’ counsel.  All the while, Cleopatra’s movie production work continued. Continue Reading Spoliation and Southern Rock

Seyfarth eDiscovery Partner Richard Lutkus, along with William Lederer from Relativity and Patrick Zeller of Gilead Sciences, Inc., will host a panel discussion titled “Brave New Words: Cloud Data Collection, Processing, and Hosting” at this year’s RelativityFest on October 24, 2017.

This session will provide attendees with information about new data collection methods with tools like Heureka and Harvester, along with considerations for working with RelativityOne, data privacy, and security. Additionally, best practices surrounding the General Data Privacy Regulation (GDPR), international data transfer with EU entities, secure management of hosting (wiping cloud data) and SSD wiping technologies will be discussed.

RelativityFest is an annual conference designed to educate and connect the e-discovery community. The three-day festival in Chicago will feature panel discussions, hands-on labs, and breakout sessions to discuss best practices. For more information, or to register to attend, please visit https://relativityfest.com/.

Seyfarth eDiscovery attorneys Jason Priebe and Natalya Northrip will present “A Practical Roadmap for EU Data Protection and Cross-Border Discovery” at this year’s RelativityFest on October 24, 2017.

This presentation will provide attendees with practical tips for leveraging the new Sedona International Principles to help in your compliance with stringent GDPR requirements, and in seeking immediate help under the EU-U.S. Privacy Shield.

RelativityFest is an annual conference designed to educate and connect the eDiscovery community. The three-day festival will feature panel discussions, hands-on labs, and breakout sessions to discuss best practices for eDiscovery, Information Governance, and Data Privacy. For more information, or to register to attend, please visit https://relativityfest.com/.

When you bring to mind someone “hacking” a computer one of the images that likely comes up is a screen of complex code designed to crack through your security technology.  Whereas there is a technological element to every security incident, the issue usually starts with a simple mistake made by one person.   Hackers understand that it is far easier to trick a person into providing a password, executing malicious software, or entering information into a fake website, than cracking an encrypted network — and hackers prey on the fact that you think “nobody is targeting me.”

Below are some guidelines to help keep you and your technology safe on the network.

General Best Practices

Let’s start with some general guidelines on things you should never do with regards to your computer or your online accounts.

First, never share your personal information with any individual or website unless you are certain you know with whom you are dealing.  Hackers often will call their target (you) pretending to be a service desk technician or someone you would trust.  The hacker than asks you to provide personal information such as passwords, login ids, computer names, etc.; which all can be used to compromise your accounts.  The best thing to do in this case, unless you are expecting someone from your IT department to call you, is to politely end the conversation and call the service desk back on a number provided to you by your company.  Note, this type of attack also applies to websites. Technology exists for hackers to quickly set up “spoofed” websites, or websites designed to look and act the same as legitimate sites with which you are familiar.  In effect this is the same approach as pretending to be a legitimate IT employee; however, here the hacker entices you to enter information (username and password) into a bogus site in an attempt to steal the information.  Be wary of links to sites that are sent to you through untrusted sources or email.  If you encounter a site that doesn’t quite look right or isn’t responding the way you expect it to, don’t use the site.  Try to access the site through a familiar link.

Second, whether or not you have a Bring-Your-Own-Device (“BYOD”) program at work chances are you will at some point be using a mobile device to conduct to conduct business.  Don’t feel that your mobile phone is invulnerable to being compromised. (Every networked device — Apple, Microsoft, Android, Linux, etc. — can be compromised)  Mobile hacking is one of the fastest growing areas for exploiting individuals and companies.  This is largely because people do not typically have security programs — such as anti-virus software — on their mobile device.  Additionally, people often connect their mobile devices to public networks, like those available at coffee shops, hotels, etc. — these networks are not secure.  Your best defense against having your mobile device hacked is to install a decent security app and be sure to turn off the Wi-Fi, Bluetooth, and Hotspot settings when they are not in use.   Also, try to only install apps from companies you recognize.  Further, mobile banking and purchasing apps make life easy, but if you don’t have security software — or if you are conducting a larger transaction — you may want to do it on your computer.

Next, If your computer’s security software pops up a security warning, pay attention to it.   Often times we are in a hurry and tend to click through these types of warnings, but that is a mistake.  The warning is there for a purpose whether it is a flag indicating that a website is potentially dangerous or a notice that your computer has detected malware.  When you see a warning it is best to stop what you are doing, close down any open websites, and call your help desk.  You may also want to scan the computer with your security software.  However, be careful of “security warnings” that pop-up from websites.  If the warning does not look like the warnings you are used to, and does not indicate the name of your security software, it may be a malicious attempt to compromise your computer.

Finally, don’t plug USB drives into your computer unless you know where it comes from and where it has been.  Rouge USB drives are a method by which hackers get malicious programs onto your computer.  The drive may contain an enticing file that when clicked, loads a virus onto your computer, or in some cases the drive may load the malware simply by being plugged into your USB port.  So, if you find a USB lying around it is best to turn it into IT, or throw it away. Continue Reading Cyber Security Best Practices

Is your organization ready for the new EU General Data Protection Regulation?

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare and reduce the cost of EU GDPR compliance.

What Are the Specific GDPR Provisions Effective May 25, 2018 and What Organizations Need to Prepare Now for Compliance
Webinar
September 20, 2017
12:00 p.m. – 1:00 p.m. Central Time
Presenters
Jason Priebe, Partner, Seyfarth Shaw LLP
Natalya Northrip, Counsel, Seyfarth Shaw LLP
Scott Carlson, Partner, Seyfarth Shaw LLP

What GDPR Requirements Will Be Associated With the Most Significant Sanctions?
Webinar
October 5, 2017
12:00 p.m. – 1:00 p.m. Central Time
Presenters
John P. Tomaszewski, Senior Counsel, Seyfarth Shaw LLP
Jason Priebe, Partner, Seyfarth Shaw LLP
M. James Daley, Senior Counsel, Seyfarth Shaw LLP

Is Your Organization Preparing for May 25, 2018 GDPR compliance?
Webinar
October 19, 2017
12:00 p.m. – 1:00 p.m. Central Time
Presenters
M. James Daley, Senior Counsel, Seyfarth Shaw LLP
Kathleen McConnell, Senior Counsel, Seyfarth Shaw LLP
John P. Tomaszewski, Senior Counsel, Seyfarth Shaw LLP

Register here.

The use of open file sharing platforms in business continues to increase in 2017; Dropbox alone has over 200,000 active business accounts. Unfortunately, the convenience of these platforms and the increase in use by businesses attracts the attention of hackers a well.  File sharing platforms and accounts have a high “hack value” — the overall value of the accounts on the dark web — due to the relative ease with which account can be obtained and the sensitivity of the information stored on these platforms. The risk associated with the use of file share platforms is twofold.  First, company supported file share is attractive to attackers because it is guaranteed to contain sensitive information.  Second, file share platforms available to employees outside of the company — e.g. the employee Google Drive account — may be used to store company information, but likely do not use the same security standards as those enforced by the company. Attacks on file share platforms are also very real.  In August of 2016 Dropbox forced users to reset their passwords based on a breach — 60 million account credentials compromised — that had been discovered but was executed four years earlier in 2012.

Thus, it is important that businesses educate their employees on the risks of sharing information on these platforms and apply strict administrative and technical safeguards mitigate the risk of attack.

Common File Share Attack Approach

The most common approach attackers use to compromise file share platforms is phishing. Phishing is a technique by which the attackers sends out a legitimate looking (albeit fake) email which entices the employee to click on a link and provide information — such as login credentials — which goes directly to the attacker. Alternatively, the phishing attack may convince the employee to download an infected file to the same ends.  Once the attacker has compromised the file share, he or she can either steal information directly, escalate privileges to access more information, obtain additional account credentials, or sell the information on the dark web.  Access to the file share can also be used to perform a Denial of Service (“DoS”) attack by downloading or uploading large volumes of data thus congesting the network and preventing legitimate use.

Despite Google’s perceived safety, two major phishing attacks have been reported on Google accounts in the last two years. In late 2016, over a million google accounts were compromised by a malware attack known as Gooligan, designed to steal credentials allowing access to the victims Google services. Gooligan infected an estimated 13,000 devices per day during its lifecycle.  Again in early 2017, Google accounts were targeted with a message requesting the user to download a file.  When the user selected the link to download the file a face service that looked like a legitimate google service would request access to the users Gmail account.

Mitigating Risk

Businesses can mitigate the risk of file share attacks by implementing strict policies and sanctions regarding their use.  For example, all non-business file share sites can be blocked on the company’s network. Strict policies and monitoring should be in place to gain access to file share sites and employee accounts with such access should be closely monitored. Businesses should also implement test “phishing campaigns” — sending out company controlled phishing emails — to educate employees on what these email look like and how to avoid them.  Phishing tests also help businesses understand their risks by monitoring the number of employees who click on the bogus links. Whereas businesses have less control over employees loading data on to personal file share accounts, strict sanctions should be in place regarding this activity and employees should be aware of these sanctions.

Court Denies Plaintiff’s Motion to Compel

In Mirmina v. Genpact LLC, 2017 BL 260425, D. Conn., Civil No. 3:16CV00614 (AWT), the Court denied Plaintiff’s motion to compel additional responsive electronic communications despite the fact that an individual directly involved in the underlying claims of the suit “self-identified” potentially responsive emails.  The Court based its decision a number of important  factors:

  • Defendant Genpact’s in-house counsel produced an affidavit outlining the process used to preserve and search potentially responsive emails;
  • Genpact’s in-house counsel supervised the preservation and search process;
  • Plaintiff Mirmina was unable to identify any authority stating that self-identification was improper;
  • Mirmina was also unable to identify any emails that Genpact had not produced and was merely speculating that Genpact’s email production was deficient.

Case Background

Scott Mirmina, a former Genpact recruitment manager, sued his previous employer, a professional services firm, alleging age, race, and gender discrimination.

In May of 2017, Plaintiff Mirmina filed a Motion to Compel additional responses to specific discovery requests.  This motion was denied in June 2017, except for materials described in Genpact’s initial disclosures that had not yet been produced.

In July of 2017, Mirmina filed another Motion to Compel asking the court to force Genpact to produce additional responsive emails.  Mirmina stated that he was “concerned” that Genpact had withheld responsive emails and that Genpact’s search for responsive emails was inadequate because an employee directly involved with the underlying issues in the litigation had self-identified potentially responsive emails.

The Court denied Mirmina’s Motion to Compel after Genpact’s counsel described the process used to identify responsive emails.  Specifically, Genpact’s in-house counsel averred that they:

  • issued a timely and detailed litigation hold to potential ESI custodians;
  • provided instructions to the custodians on how to search for potentially responsive emails;
  • provided custodians with specific search parameters to identify potentially responsive emails;
  • explained importance of thoroughly searching for potentially responsive emails; and
  • provided guidance to custodians when they had questions about the search process.

The Court also determined that Mirmina’s allegations that responsive emails had not been produced was based on mere speculation.  The court held that this speculation was insufficient to require Genpact to conduct additional searches for potentially responsive emails.

Practical Takeaways

Self-identification of potentially responsive documents by custodians is not usually recommended.  There are obvious risks involved, including custodians not wanting to produce documents that could be damaging for themselves or their employer.  Further, there are risks involved in having custodians determine what may or may not be responsive to document requests. However, the Court’s decision in this matter describes a scenario in which self -identification of emails may be defensible.

The Court indicated that the primary driver for denying Mirmina’s Motion to Compel was the affidavit provided by Genpact’s in-house counsel detailing Defendant’s document identification and preservation process.  The most important practical takeaway from the Court’s ruling was that self-identification can be defensible, so long as a rigorous process is followed and documented.  This process includes drafting a timely and detailed litigation hold notice, providing instruction to custodians on how to identify potentially relevant documents, and answering questions that custodians may have throughout the process.

Finally, the Court made clear that purely “speculating” that an opposing party’s production is deficient is not enough to compel additional searches or document productions.  In order to compel an additional search for communications, a moving party must provide evidence to support its claim of a deficient production.