Today I was at the Hilton in New York City for Legaltech, the largest litigation support / electronic discovery trade show in the world. I attended a Judges' Panel hosted by Driven, called,"INFORMATION GOVERNANCE IN THE AGE OF PROPORTIONALITY". The judges panel consisted of four federal judges who have issused landmark decisions on the electronic discovery process.
Hon. Andrew J. Pack, U.S. Magistrate Judge S.D.N.Y. - the judge in Da Silva Moore v. Publicis Groupe & MSL Group the first case approving the use of TAR.
Hon. James Francis, U.S. Magistrate Judge S.D.N.Y. - the judge in Rowe Entertainment, Inc. v. William Morris Agency, Inc. which introduced an eight factor test for determining when cost shifting should take place.
Hon. Elizabeth LaPorte U.S. Magistrate Judge N.D. Cal. - the judge in Datel Holdings, LTD v. Microsoft Corp. which held that the production of privileged documents as a result of a software error was inadvertent and excusable.
Hon. Frank Maas, U.S. Magistrate Judge S.D.N.Y. who announced that meta data is the 'new black' in Aguilar v. Immigration and Customs Enforcement Div. of U.S. Dept. of Homeland Sec., and stated that, “‘the more interactive the application, the more important the metadata is to understanding the application’s output.’
Phil Favro of Driven was the moderator of the panel.
The agenda for the panel was to discuss the interplay between proportionality and information governance; address what counsel and clients should do to handle clouds and mobile devices; and talk about how clients and counsel should address cybersecurity issues.
The panel considered a series of hypotheticals. In the first hypo, the panel was to assume that company XYZ sued Acme for fraud and breach of contract for 20 million in damages, and Acme counterclaimed for 10 million in damages. While both XYZ and Acme had both updated their information retention policies concerning th use of cloud networks, each had questions about the effectiveness of the other's policies.
judge Francis noted that if a company had a rational policy its responses were more likely to be considered proportional than if they were cavalier about information governance. A court would not be sympathetic if a company had hoards of information it was not aware of and then complained about the cost to produce it. The court will not make allowances for self-imposed burdens.
Judge LaPorte agreed with Judge Francis. She noted that it would be most cost effective to have information retention policies activated quickly when the need for preservation arises when litigation is reasonably anticipated. The judge remarked that the use of devices like cell phones could not be ignored and policies that did so were not likely to be considered proportional. Choosing a cheaper way to preserve data that is more or less as effective may be fine, but retention policies that were not neutral about the type of data being preserved could not be considered defensible.
The second hypothetical asked the panel to consider a scenario where Acme updated its retention policy to be more aggressive in destroying documents. Email would be deleted from the deleted items folder after 7 days, and all other email would be copied on backup tapes after 30 days. Note was made of Orbit One Commc’ns, Inc. v. Numerex Corp.in which Judge Francis described proportionality was an amorphous concept and advised to retain all relevant data until a more precise definition was created under a Rule.
Judge Maas said that proportionality should be tied to legitimate business reasons, and that it would be perfectly defensible to erase deleted email after 7 days if the industry had some reason why this was done in the course of business. He characterized corporations as pack rats that often leave damaging information around needlessly. Judge Maas declared, 'full speed ahead to corporate America' [with respect to deleting data] if you don't need it for business reasons.
Judge Peck noted that before litigation is reasonably anticipated, a company could get rid of data if it wasn't needed, but wondered if such companies exist. He discussed the changes to FRCP 37(e) specifying that if there is evidence of good faith remedial measures may be possible and dismissal or adverse inference instructions can be avoided.
Judge Francis described reasonableness as an elastic term, and said in the context of his decision in Orbit that parties needed to be a little conservative about destroying information.
With respect to Cloud computing and mobile devices, Judge Maas observed that even before the advent of cloud computing CIOs would say they didn't know where data was, and didn't have funds to find out. Today the problem is much worse. Companies need to get their arms around what is out there in their enterprise and to what extent it is preserved, and what their rights of access are. If one has very limited rights, a company may want to use another cloud provider – not having access is not always a valid excuse. He brought up the decision in Brown v.Tellermate where salesforce.com faced a series of calamities from its misrepresentation of its ability to access data and on what its software could do. If a party is using resources like Dropbox they have to come into court able to accurately represent what they can and cannot do. Maas also noted that judges are not allowed to use Dropbox.
Judge Peck said that while there may be good business reasons to select cloud services, some thought must be given to how to conduct ediscovery with them before getting them. He recalled a case involving a Fortune 500 company, contemplating a move for email services to a cloud provider. They had concerns about security and the ability to get selective data from mailboxes for legal cases, and determined that the use of cloud services would not save money. He noted that saying services like Dropbox were not particularly secure was putting it mildly. He wondered about a problem arising in a company with a 'Bring Your Own Cloud' policy where an employee refused to cough up data needed for a case. Does a company have to threaten to fire employee to comply with its obligations? How will this situation look to the court? Will they think there is a rogue employee or will they think the company is winking at such refusals?
The panel also considered issues arising from electronic discovery from mobile devices. Judge Francis thought that there would be resistance by employees when there is a need to examine a personal device for litigation. Very amusingly he told a story about how his wife just took a new job and was offered the option to use her own device for work. Judge Francis urged his wife to use a company supplied device. His wife ignored him and is using her own smartphone at work.
Judge LaPorte note that when the government issued devices, they tell recipients that they have the right to get your password. Even when under BYOD policies, users make an effort to segregate personal from business ESI as much as possible, they sometimes make mistakes. Judges will be sensitive to the use of devices with private medical information or information concerning children. Companies can't merely trust that custodians are disclosing all relevant information, they must verify this. The key is to not repeatedly lie to the judge that you can't do something that you in fact can do. That is the No. 1 sin, and most likely to be punished. She emphasized, "It's the cover up stupid."
Judge Francis said companies had to weigh business Interests against legal concerns. They needed to decide whether to attract millennials with BYOD or if doing this is more trouble than it's worth. BYOD Policies need to be memorialized to tell employees what the line is. If employees choose to bring their own devices, they may incur risks as well.
In response to a hypothetical considering if company XYZ's BYOC (Bring Your Own Cloud) now led to concerns about not having the manpower or funds to enforce its policies, Judge Peck said he was not sure whether it was worse to have policy you can't enforce or to have no policy at all. Even if an employee manual discusses the issue and it is signed by employees, if the business knew rules were broken, its actions will not be looked upon kindly the by the court.
Judge Maas repeated the point that it was better to have no policy than one you don't audit and enforce.
The panel also considered a hypothetical about cybersecurity, in which there were cross motions for sanctions under FRCP 37(e) for a massive breach to a network. XYZ employees smuggled info to a hacker group named, 'Incognito'. XYZ seeks to stay discovery and continue the trial date, but
Acme opposes for failure to monitor the employees' actions.
Judge Maas said he would view these facts one way if GM was the party with the compromised network, and another way if it was a company with 50 to 100 employees. He mentioned that a big corporation facing a cybersecurity problem when arguing before a judge who had been hacked because of poor government policies, would not be sympathized with if he complained that the necessary protective measures were too expensive. Protection against intrusions must be done in real time and not six months later.
Judge Peck called outside counsel and vendors the weakest link in terms of data security. One issue which he has fortunately not seen come up would be a situation where plaintiffs' counsel is a two person office with no data security defenses, and defense counsel would be reluctant to give over data unless the plaintiff's counsel got ISO certification.
Judge LaPorte noted that all judges on the panel had been hacked. She joked that the best defense was to be boring.
Favro questioned a prosecutor who happened to be in the audience about proportionality in the elimination of documents. In her response, she noted that the first custodians a company selects were not always the most relevant. When she talks with corporate personnel she concludes that they have no time to investigate and so must make arbitrary choices.
Judge Peck noted how the changes to FRCP allow early document requests under FRCP Rule 34. One can't attest at the meet and confer that you will produce something at some time. You must have specific objections to document requests