Eleven years into the court order levied on the NSA to preserve backup tapes containing data about the NSA’s surveillance efforts, it has come to light that the NSA failed to take adequate steps to ensure the data was not deleted. Tapes containing data from 2001 to 2007 were deleted in 2009, 2011, and 2016, showing a systemic problem with proper data preservation. For an agency that arguably “saves everything,” this news is rather comical. The NSA’s deputy director of capabilities apologized for the failure in an October declaration, while another NSA official claimed the tapes were deleted during “housecleaning efforts aimed at making space for incoming information.” Oddly enough, there was no explanation as to why live incoming information would have been put on backup tapes, adding to the mystery of the real cause of the tape destruction. Thus far, there have been no discussions of sanctions and no requests that U.S. District Court Judge Jeffrey White impose them, at least not yet. The NSA isn’t in a great position, however, since in May 2014 an NSA official assured the court that the data on the tapes was safe. The NSA now claims it is using “extraordinary” effort to try to recover the lost data. However, anyone familiar with how tape rotation works should understand that it’s quite likely the tapes were overwritten with new data, effectively making the old data permanently unreadable. The facts seem to point to a clear case of spoliation, and this time, it’s by one of the U.S. Government agencies that possessed data storage capabilities unsurpassed by any in the world.
Seyfarth eDiscovery attorneys Jason Priebe and Natalya Northrip will present “A Practical Roadmap for EU Data Protection and Cross-Border Discovery” at this year’s RelativityFest on October 24, 2017.
This presentation will provide attendees with practical tips for leveraging the new Sedona International Principles to help in your compliance with stringent GDPR requirements, and in seeking immediate help under the EU-U.S. Privacy Shield.
RelativityFest is an annual conference designed to educate and connect the eDiscovery community. The three-day festival will feature panel discussions, hands-on labs, and breakout sessions to discuss best practices for eDiscovery, Information Governance, and Data Privacy. For more information, or to register to attend, please visit https://relativityfest.com/.
Natalya Northrip and Emily Dorner will be presenting on two interesting eDiscovery topics this April. The presentations will focus on litigation hold maintenance and best practices, and on recordkeeping for human resources professionals, and will take place on April 6 and April 26, respectively. Summaries of presentation content and links to sign up are provided below! Friends of Seyfarth can use the following promo code for 35% off: SPKR35
Effectively Drafting and Managing Litigation Holds
When an organization becomes a party to a lawsuit or when it reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a “litigation hold” to ensure the preservation of potentially relevant documents. In this webinar, you will learn what a litigation hold is, how to draft and manage a litigation hold, and the consequences of failing to satisfy your preservation obligations. Among other things, you’ll learn about:
- The duty to preserve
- Scope and timing of preservation
- Possession, custody and control of relevant information
- Effective preservation strategies
- How to draft litigation hold notices
- The dangers of self-identification of relevant information
- How to ensure proper management of legal holds
- Sanctions for spoliation of evidence
Document Retention and Destruction for HR Professionals
Every HR department will have a variety of records with varying retention requirements. Failure to keep these records for the prescribed periods of time may lead to evidence spoliation, fines, and the inability to properly respond to a governmental investigation or audit. In this webinar, you will learn how to develop an effective records program for HR that supports good information management and helps an organization manage risk. Among other things, you will learn about:
- How to create and implement a records retention program
- What are records retention schedules
- Special handling for employee medical records
- When to retain I-9 Forms, and for how long
- Document retention in the face of pending or current litigation
- Retention or disposition of former employee personnel files
Recently, the U.S. Court of Appeals for the Second Circuit sided with Microsoft Corporation and global privacy advocates in the case of In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, No. 14-2985, 2006 WL 3770056 (July 14, 2016), by holding that the issuance of a warrant to obtain private emails stored on a Microsoft server in Dublin, Ireland, constituted an impermissible extraterritorial application of the Stored Communications Act, 18 U.S. Code §§ 2701 et seq. (“SCA”).
The Microsoft decision coincides with a rise in international tension over the data privacy interests of foreign customers of U.S. electronic communications providers. This tension was heightened by the Snowden revelations in 2013, which sparked EU concerns about “unfettered” U.S. government surveillance, and reached a crescendo last October, when the Court of Justice of the EU invalidated the fifteen-year-old U.S.-EU Safe Harbor as not providing an “adequate” level of data protection. Thereafter, the U.S. and EU Commission rushed to develop a new EU-U.S. Privacy Shield Framework to replace Safe Harbor.
As some commentators have noted, the Second Circuit’s ruling may incidentally help EU/U.S. data transfer mechanisms, including model contract clauses and the Privacy Shield program, to survive this scrutiny. See Kenneth Withers, M. James Daley, and Taylor Hoffman, In Re Microsoft: U.S. Law Enforcement Not Entitled to Email Stored in Ireland (Aug. 28, 2016). While the Second Circuit’s ruling temporarily defused an explosive issue in EU/U.S. data protection relations, it left unresolved a number of practical issues regarding cross-border government investigations under the outdated SCA.
On August 1, 2016, the United States Department of Commerce launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield Website. More than 115 U.S. companies have already self-certified. The Privacy Shield was designed to provide U.S. and European companies with a mechanism to comply with EU data protection requirements for cross-border transfers of personal data in the wake of the invalidation of the previously-used U.S.-EU Safe Harbor Framework.
As with the prior Safe Harbor Framework, U.S. companies that self-certify under the Privacy Shield are identified on the Department of Commerce’s website as “active” participants in the program. To avail itself of the benefits of the Privacy Shield, a company must self-certify annually that it agrees to adhere to additional new Privacy Shield requirements, which expand the protection previously provided by Safe Harbor with respect to long-standing EU data protection principles of notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access, recourse, enforcement and liability. Organizations that self-certify under the new Privacy Shield will need to revise their policies and practices to ensure compliance with the new framework.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) will come into effect requiring companies that process personally identifiable information of EU residents to comply with a significant number of enhanced data-protection requirements. One of these requirements is an individual’s “right to explanation” of an algorithmic decision made about him or her by a machine.