All posts tagged privacy

Crossing Borders: Where Discovery and Privacy Collide

international ediscovery

Litigation teams face new challenges when an ediscovery project crosses borders – from multilingual data and unique cultural norms to unfamiliar laws, regulations and data privacy practices. In addition, the international data protection landscape is changing and U.S. businesses with global operations need to be prepared. Companies need to think carefully about the risks of transferring data across borders.

To help practitioners navigate these challenges, Kroll Ontrack synthesized information on more than seventeen countries to create a succinct, new guidebook, A Practical Guide to Cross-Border Ediscovery: Insights for U.S. Lawyers.

This guide includes practical insights into how organizations all over the world are managing a wide range of business challenges using ediscovery technology, including:

  • Case studies on cross-border litigation and FCPA investigations;
  • An “At a Glance” visual map that shows the legal system, applicable rules and ediscovery practices for key countries in the Americas, EMEA and APAC regions;
  • Short summaries from experts on the ediscovery landscape in key countries; and
  • A timeline of EU Data Privacy and Protection milestones.

Litigation, compliance demands and investigations are part of the regular course of business for U.S. lawyers. With global considerations and cross-border implications, law firms and companies now rely on mobile ediscovery technologies, in-country data centers and local expertise to empower the processing and transferring of data in a compliant and cost-effective manner. This guide is just one way that Kroll Ontrack is here to help attorneys and their counsel thrive and adapt in a changing ediscovery world. Read the new cross-border guide today.

Discovery Implications of the EU Data Protection Regulation


A recent article by my Kroll Ontrack colleagues from across the pond, Lawrence Ryz and Tracey Stretton, details the new EU Data Protection Regulation, which aims to solidify and unify the European Union’s data protection laws. As the Regulation takes effect, American companies with operations or customers in the EU will soon find themselves having to comply witl_ryz2015h a new set of laws.

U.S. Discovery and EU Privacy Collide

In US litigation, the fundamental principle of broad discovery conflicts with the wide-ranging privacy framework of the European Union. US civil litigation under the Federal Rules of Civil Procedure (FRCP) is premised on the idea that expansive pre-trial discovery cuts to the heart of a dispute because it allows judges to focus on the legal issues with a well-developed record. European law is founded on the idea that citizens have a broad right to privacy, with little government intervention. The strengthened Regulation prohibits the transfer of any personal data processed in the European Union to a country whose privacy laws are considered inadequate by the EU’s determination such as the United States, which poses a significant conflict with US discovery obligations.

EU Gains Sword to go with its Shield

The extraterritoriality of the new Regulation is particularly worrisome for discovery in the United States. While the European Union has strengthened its shield against data collectors with the Regulation, it has also equipped itself with a shiny new sword. When the fundamental principles of American discovery and European privacy collide in a US court judges must choose between adhering to the traditional discovery rules of the FRCP and respecting an EU litigant’s legitimate right to privacy. Furthermore, with the addition of pending changes to the EU-US Privacy Shield agreement (a replacement for the Safe Harbor data transfer agreement which was invalidated by the European Court of Justice last October), the landscape of international data privacy and data transfer laws grows more complex by the day.

Impact on Ediscovery Providers

The current Directive only applies to data controllers, but the Regulation introduces a number of detailed obligations and restrictions on data processors and is therefore likely to have a significant impact on ediscovery providers and those that engage them. In the future, penalties can be imposed on data processors that do not comply with their new responsibilities and, if they act outside of the instructions received from data controllers, they could be held to be joint controllers subject to higher standards of accountability. The new obligations include the following:

  • Maintain documentation about the processing operations under their responsibility
  • Implement appropriate security measures
  • Carry out data protection impact assessments
  • Obtain prior authorization or undertake prior consultation
  • Comply with the international data transfer requirements
  • Cooperate with a supervisory authority

For more on the new EU Data Protection Regulation and its impact, be sure to read the full article, EU Data Protection Gains a Sword to go with its Shield.

The Deep Web: Into the Deep End of the Dark Side of the Web

Deep Web. Hidden Web. Invisible Web.

These are names for the underbelly of the Internet that most of us know nothing about. If you’re in that camp, below you will find a few deep Web facts that every legal professional should consider as the lines between security, privacy, data breach, fraud, computer forensics and ediscovery blur.

9 Deep Web Facts

  1. Underneath the World Wide Web lies a whole other Internet where sites are hidden unless you know how to use them and exactly what to look for.
  2. This underside of the web is known as the deep Web, and it contains many, many layers of content. (See an infographic explaining the layers of the deep Web.)
  3. Ninety-nine percent of all the data on the Internet is stored in the deep Web.
  4. The deep Web is a place on the Internet where search engines have not indexed the information.
  5. The deep Web is “invisible” to the mainstream public – especially sites behind private networks, archived sites or standalone pages that connect to nothing at all.
  6. The vast majority of the deep Web holds pages with valuable information – databases, internal corporate websites, government documents, academic journals, etc.
  7. Some parts of the deep Web are associated with illegal or black market transactions – drugs, fake identifications, stolen credit card numbers, counterfeit cash and weapons.
  8. The anonymous nature of the deep Web makes it a breeding ground for unconventional conduct, such as: geeky or esoteric forums, information sharing in censored or turbulent political environments and leakages of confidential documents by whistleblowers or intellectual property (IP) thieves.
  9. The deep Web holds future potential as a place to securely communicate, especially for individuals deeply concerned about privacy or security.

What do the Impacts of the Deep Web mean for Lawyers?

One of my Kroll Ontrack colleagues, Michele Lange, recently sat down with Inside Counsel to explain the deep Web and when it can be a valuable source of evidence in litigation. To learn more about the deep Web, read Michele’s full Inside Counsel interview, “The source that ESI lawyers need to stop overlooking.”

Social Media in the Workplace – You Be the Judge

Social Media in the Workplace – You Be the Judge

It seems there is simply no avoiding it – social media is everywhere. From PCs to smartphones, for the young and the old, social media pervades every aspect of modern communication. As of June 2010, Americans spent 22.7% of their time online using social networking sites and blogs, representing a 43% increase from June 2009. The growing ubiquity of social media means that it is becoming increasingly prevalent in circumstances where it may not necessarily be welcome, such as the workplace.

In 2009, 53% of employee respondents to a Deloitte survey believed their social media activity was none of their employers’ business, and 61% reported that they would not alter their social media behavior even if their employers were monitoring it. Employers everywhere are grappling with the fuzzy ethical, legal and security issues presented by social media as they try to effectively manage this growing phenomenon. Permitting social media use under the guidelines of a well-written employee policy seems to be the best solution, but does it necessarily obviate the potential risks, and perhaps more importantly, is it worth it?

“Liking” Social Media in the Workplace?

Permitting the use of social media in the workplace undoubtedly has its benefits. As of 2009, 56% of business executives believed that using social networking sites helped their employees achieve a better work-life balance. This will become increasingly true as social media continues to make bold strides toward overtaking e-mail as the predominant form of communication. Evidence shows that a large portion of social media’s growth in online time has already come at the expense of e-mail, which took a whopping 28% decline from 2009 to 2010. According to a recent Gartner publication, social media is predicted to replace e-mail as the predominant form of communication by as early as 2014.

In light of social media’s growing importance, companies are striving to permit and control its use, which at least in theory seems plausible. Because social media is still relatively new, case law directly on point is scarce. However, given social media’s similarity to (and predicted succession of) e-mail, the principles applied in cases discussing e-mail in the employment context can likely be extrapolated to the treatment of social media in coming years. Well-written employee usage policies have gone a long way toward providing employers authorization to monitor e-mail activity as well as insulation from potential liability for abuse. Some policies have even been enough to extinguish claims of privilege – both attorney-client and marital – made over employer computer systems. In Alamar Ranch, LLC v. County of Boise, the court found that the company placed all employees on notice that e-mails would become the employer’s property, and determined that privilege was therefore waived with respect to the e-mails sent using the client’s work account. In a recent case out of the Southern District of New York, the court similarly found that marital privilege did not extend to communications made over the employer’s systems because the defendant was aware of the policy that expressly banned personal use and reserved the rights of routine e-mail monitoring and third party access to employee e-mails.

Extending these principles to social media, it seems probable that employers can effectively reserve the right to monitor social media activity and extinguish any expectation of privacy through well-written employee use policies – as all responsible employers wishing to permit social media use should. But while most employers concerned about social media liability tend to end the analysis here, perhaps it is where they should begin.

If employers want to permit social media use, then they must reserve the right to monitor it. However, does that right to monitor implicate any concomitant duties they may be less willing to take on?

Employer Liability for Employee Abuse?

One of the most distinguishing characteristics of social media is that users tend to be more forthcoming and candid than on traditional forms of media. This can, and has in fact already, led to many situations where employees inadvertently disclose confidential information or make inappropriate remarks. If an employer has reserved the right to monitor social media use, then to what extent are they responsible for inappropriate activity? Take for example, Amira-Jabbar v. Travel Services, where an employee argued that her employer was responsible for discriminatory comments made by coworkers on Facebook because it permitted access to the site during company time. The court ultimately determined the employer was not liable based on their prompt reaction to completely block access to the social networking site from its systems, but no indication was given that it could not have otherwise been responsible had it acted differently.

Discovery Obligations?

Another concern should be whether allowing employee access to social networking sites extends the employer’s duty to preserve and produce electronically stored information into this realm. One can only imagine the litany of ethical and legal issues such a situation could spawn. The scope of discovery is notoriously broad, permitting an opposing party to request any non-privileged, relevant information, or information reasonably calculated to lead to the discovery of admissible evidence. At face value at least, it appears reasonable that an opponent could seek discovery from social networking sites. However, relatively few companies currently archive social media. Could the failure to preserve this evidence lead to spoliation charges?

Perhaps more challenging, to what extent does the reservation to monitor social media activity grant an employer the right to access an employee’s personal account? As technology continues to evolve, “the line separating business from personal activities can easily blur” the Supreme Court of New Jersey aptly noted in the opening of its opinion in Stengart v. Loving Care Agency, Inc. The case addressed the question of whether an employee use policy granted an employer the right to access e-mail communications conducted via an employee’s personal account but over an employer-issued laptop. The court ultimately ruled that the employer was not entitled to privileged e-mail communications made between a former employee and her attorney through her personal Yahoo! account. However, the trial court originally found that the employee use policy effectively converted the communications into company property, and had it not been for the underlying privilege issues upon which the Appellate Division and Supreme Court relied on in reversing the decision, the original ruling may well have stood. This is especially true in light of the view held by some courts that sharing personal information is “the very nature and purpose of these social networking sites,” so any hope for “privacy is no longer grounded in reasonable expectations, but rather some theoretical protocol better known as wishful thinking.” Nonetheless, while some employees may be comfortable with their employer monitoring their social media activity, most would certainly be unwilling to concede ownership – and surprised to learn of the possibility.

You Be the Judge

While the issues presented here are only theoretical, they point up the uncertainty surrounding social media. As an employer, should you allow social media use? As an employee, should you exercise that permission? For both, is it even worth the risk?

Tell us what you think.

Case Law: Offenback v. L.M. Bowman, Inc

Case Law

Court Chides Plaintiff for Not Reviewing Own Facebook Account for Responsive Information

Offenback v. L.M. Bowman, Inc., 2011 WL 2491371 (M.D. Pa. June 22, 2011). In this personal injury case, the defendants requested an in camera review of the plaintiff’s Facebook and MySpace accounts, arguing the plaintiff’s claims of physical and psychological impairment made relevant any evidence that documented the plaintiff’s social life, physical capabilities and emotional state of mind. To the extent that such information was relevant under Fed.R.Civ.P. 26, the plaintiff agreed that limited public information on his Facebook account was discoverable and provided the password to the court (the plaintiff claimed he could no longer access his MySpace account). Upon review, the court agreed to the relevance of a limited amount of photographs and postings that reflected the plaintiff continued to ride motorcycles, went hunting and rode a mule, and ordered production of this information. In a closing footnote, the court stated it was confused as to why intervention was necessary since the parties agreed that at least some of the information was relevant. The court further noted the plaintiff should have reviewed his own Facebook account for potentially responsive information, only soliciting the court’s assistance if a dispute remained.


The discoverability of social media continues to be a popular topic throughout the industry. Now we want to know – what is your company or firm doing to address social media? Have you encountered the need to preserve, review and produce this evidence?

Case Law: Muniz v. United Parcel Service, Inc.

Case Law

Court Quashes Subpoena Seeking Information from Social Networking Sites Related to Fee Request

Muniz v. United Parcel Service, Inc., 2011 WL 311374 (N.D. Cal. Jan. 28, 2011). In this gender discrimination litigation, the plaintiff moved to quash the defendants’ subpoena seeking additional documentation related to the plaintiff’s previous motion for attorneys’ fees. Among the documentation sought by the defendants were postings by the attorney on listservs and social media networks (including LinkedIn and Facebook). To demonstrate the relevancy of the demand, the defendants submitted postings from the attorney’s Facebook page and listservs. Denying the defendants’ request, the court found the subpoena was not appropriately geared toward revealing information relevant to the fee dispute and ordered the postings submitted by the defendants to be removed from the record.


Although this particular opinion does not address direct ediscovery issues, it does present a growing challenge faced by lawyers and corporations alike – the increasing impact of social media in the courtroom. Social networking sites continue to grow in popularity and use for both personal and business reasons, which is clearly demonstrated by the fact that Americans spend 22.7 percent of their time using these sites (in addition to blogs) as of June 2010, which represents a 43 percent increase from June 2009.[1]

Muniz raises a novel issue posed by social networking sites, wherein opposing counsel seeks justification for fees sought by referencing the attorney’s thoughts, opinions and statements made on various social media outlets. Although the court denied the request in this case, courts in various jurisdictions are increasing being pulled into the virtual world as the content on these sites become integral to disputes. In the civil context, the primary driving issue has been the distinction between private versus public content. For example, in Romano v. Steelcase, the New York State Supreme Court granted the defendant’s request to access the plaintiff’s current and historical Facebook and MySpace pages after finding the content contained within the public portions of those sites to be relevant. A popular quote from that case carries an advisory tone for those hoping to rely on privacy settings within the social networking sphere: “privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking.”

Likewise, in Equal Employment Opportunity Commission v. Simply Storage Management, LLC, the Southern District of Indiana granted the production request that sought profiles (including postings, pictures, blogs, messages, personal information, list of friends or causes) from Facebook and the MySpace accounts. The court denied the party’s privacy claim, finding “Facebook is not used as a means by which account holders carry on monologues with themselves.” The court also determined that content on these sites will not be shielded from discovery simply because it is listed as private.

Although the body of case law in this area is sparse, the fact remains that social networking sites are indeed discoverable. Corporations and practitioners should undertake efforts to manage social media effectively, and determine how this new found evidence gold mine impacts discovery strategies, including the preservation, collection and production stages of the e-discovery process. Proactive measures, including education and consulting with an expert service provider, will go a long way to ensuring you are ready to address this challenging issue when it inevitable arises.

[1] The Neilson Company, “What Americans Do Online: Social Media and Games Dominate Activity”, available at Last accessed March 18, 2011.

Case Law: United States v. Warshak

Case Law

Court Upholds Government’s Search and Seizure Despite Acknowledging Right to Privacy in E-Mail Communications

United States v. Warshak, 2010 WL 5071766 (C.A.6 (Ohio) Dec. 14, 2010). In this criminal case, the defendants appealed their numerous convictions for fraud claiming the government violated the Fourth Amendment prohibition against unreasonable search and seizures by obtaining private e-mails without a warrant. The defendants also argued that the government turned over immense quantities of discovery in a disorganized and unsearchable format, that the government violated its Brady obligations by producing “gargantuan ‘haystacks’ of discovery” and that the district court erroneously denied a 90-day continuance to allow the defendants to finish sifting through the “mountains of discovery.” Addressing the Fourth Amendment concerns, the court first found the defendant plainly manifested an expectation that his e-mails would remain private given the sensitive and “sometimes damning substance” of the e-mails, viewing it as highly unlikely the defendant expected the e-mails to be made public as people “seldom unfurl their dirty laundry in plain view.”  Next, the court determined that it would defy common sense to treat e-mails differently than more traditional forms of communication and found that neither the possibility nor the right of access by the Internet Service Provider (ISP) is decisive to the issue of privacy expectations. Based on these conclusions, the court held the government may not compel an ISP to turn over e-mails without obtaining a warrant first. However, the court ultimately found the government relied in good faith on the Stored Communications Act in obtaining the e-mails and determined the exclusionary rule does not apply. Turning to the “prodigious” volume of discovery that consisted of millions of pages, the court disagreed with the defendants’ arguments, noting in particular that Fed.R.Crim.P. 16 is silent on what form discovery must take.


This lengthy opinion contains several critical holdings and is certainly worth a thorough read. In particular, it is interesting that this decision holds the SCA to be unconstitutional to the extent it permits disclosure of e-mails without the use of a search warrant. In addition, although the court held the officers relied on the SCA in good faith, moving forward, law enforcement officials can no longer rely on those provisions in good faith moving forward as the SCA was deemed unconstitutional with respect to the warrant requirement. This serves as a significant caution and warning to law enforcement officers in the Sixth Circuit and elsewhere (despite the fact that the holding is only mandatory with respect to officers in the Sixth Circuit seeking to compel disclosure under the SCA)

2010: A Year in Review


Minneapolis, MN – Dec. 7, 2010 Kroll Ontrack, the leading provider of information management, data recovery, and legal technologies products and services, today announced its analysis of the reported electronic discovery opinions and five notable discovery themes in 2010. Among the dominant topics reoccurring in the 2010 judicial opinions were the pervasive struggle companies and practitioners continue to have with proper preservation techniques, the continued growth in intolerance by the judiciary for discovery failures and the renewed call for cooperation amongst counsel.

From Jan. 1, 2010 to Oct. 31, 2010, Kroll Ontrack summarized 84 of the most significant ediscovery cases. The number of discovery-related opinions continues to increase exponentially. These 84 opinions represent the trends demonstrated in jurisdictions across the nation. The breakdown of the major issues involved in these cases is as follows:

  • 39 percent of cases addressed sanctions
    • 49 percent of sanctions involved preservation and spoliation issues
    • 27 percent of sanctions involved production disputes
    • 24 percent of sanctions involved withholding discovery and other abuses
  • 18 percent of cases addressed various production considerations
  • 17 percent of cases addressed various procedural issues (such as searching protocol and cooperation)
  • 11 percent of cases addressed privilege considerations and waivers
  • 8 percent of cases addressed computer forensics protocols and experts
  • 2 percent of cases addressed cost considerations
  • 2 percent of cases addressed preservation and spoliation issues (but not sanctions)
  • 2 percent of cases addressed discoverability and admissibility issues

Almost every case that discussed preservation and spoliation issues also included a conversation regarding sanctions. This is not surprising given that 24 percent of respondents to the Fourth Annual ESI Trends Report published by Kroll Ontrack ranked preservation and collection difficulties as their number one concern.

Similar to both 2008 and 2009, the dominant pain point for courts and counsel was sanctions. Of the 33 sanctions cases summarized, 23 opinions (70 percent) awarded sanctions, while only 10 opinions (30 percent) denied sanctions.

“Information management and discovery protocols and processes are far from clear for most organizations. The lack of defined rules leaves organizations relying on case law, which can be contradictory depending on the jurisdiction,” said Michele Lange, director of discovery, Kroll Ontrack. “Consequently, organizations should not underestimate the value of conducting proactive measures with a discovery expert – from creating and communicating clear policies to testing those policies – so they are in the best possible position when required to respond to a request for ESI from a government agency or opposing party in a lawsuit, regulatory matter or investigation.”

Five notable cases themes from 2010 included:

Pension Comm. of the Univ. of Montreal Pension Plan v. Banc of Am. Sec., LLC, 2010 WL 184312 (S.D.N.Y. Jan. 15, 2010). Seven plaintiffs who eventually issued written holds were found to have acted negligently, while the six plaintiffs who failed to issue any written litigation hold were found grossly negligent and subject to a permissive adverse inference sanction. The court found all thirteen plaintiffs worthy of monetary sanctions since they “conducted discovery in an ignorant and indifferent fashion,” and awarded the defendants reasonable attorneys’ fees and costs associated with the motion.


Rimkus Consulting Group, Inc. v. Cammarata, 2010 WL 645253 (S.D.Tex. Feb. 19, 2010). Court noted that “spoliation of evidence – particularly of electronically stored information – has assumed a level of importance in litigation that raises grave concerns” and “distract[s] from the merits of a case, add[s] costs to discovery, and delay[s] resolution.” Imposed a permissive adverse inference instruction and awarded the plaintiff attorneys’ fees and costs. Distinguished Pension Committee, finding the differences between circuits in relation to culpability of parties limited the applicability of the approach taken in that case and identified an additional distinction in regard to the burden of proof in relation to relevance and prejudice of spoliated evidence.

Victor Stanley, Inc. v. Creative Pipe, Inc., 2010 WL 3703696 (D. Md. Sept. 9, 2010). Court remarked the eight discrete preservation failures of the defendant “collectively constitute the single most egregious example of spoliation [that he has] encountered in any case . . . in nearly fourteen years on the bench.” Discussed preservation standards and spoliation laws among the Circuits, including in Pension Committee and Rimkus Consulting Group and issued a default judgment for one claim and held that the defendant president pervasively and willfully violated court orders in civil contempt of court, ordering him to be imprisoned for up to two years, or until he paid the attorneys’ fees and costs – estimated to be a “significant amount.”

Camesi v. Univ. of Pittsburgh Med. Ctr., 2010 WL 2104639 (W.D.Pa. May 24, 2010). Court ordered the parties to meet and confer and issued the defendants a “wake-up call” to “tighten up their discovery practices.” Court emphatically directed opposing counsel to act reasonably and in good-faith, working through “disagreements amicably whenever possible” as the court “has neither the time nor the resources to resolve every discovery agreement that surfaces in this or any other case.”

Privacy in the Workplace
City of Ontario, California v. Quon, 2010 WL 2400087 (U.S. June 17, 2010). United States Supreme Court declined to issue a “broad holding concerning employees’ privacy expectations vis-á-vis employer provided technological equipment.” However, the court found the employee should have understood or anticipated that it might be necessary for the City to audit the pager messages and deemed the employer’s search of the employee’s text messages reasonable.

Mt. Hawley Ins. Co. v. Felman Prod., Inc., 2010 WL 1990555 (S.D.W.Va. May 18, 2010). Despite citing numerous steps the plaintiff undertook to prevent disclosure and the existence of a clawback agreement, the court found the plaintiff failed to perform critical quality control sampling and concluded the plaintiff did not take reasonable steps to prevent disclosure. As such, the efforts did not satisfy Fed.R.Evid. 502(b) and privilege was waived. In making its decision, the court also noted the e-mail was “a bell which cannot be unrung,” which influenced the defendants’ discovery requests and deposition questions. 

Discoverability of Additional Mediums
Romano v. Steelcase Inc., 907 N.Y.S.2d 650 (Sept. 21, 2010). Court found public portions of the plaintiff’s social networking sites contained content that was material and necessary to the litigation, and discerned a reasonable likelihood that the same would hold true as to the private portions. Noting commentary that “privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking,” and that sharing personal information with others “is the very nature and purpose” of social networking sites the court ordered the plaintiff to provide necessary authorization for access to private Facebook and MySpace accounts.

Case Law: Romano v. Steelcase Inc.

Case Law

Privacy in Social Networking Sites Grounded in ‘Wishful Thinking’

Romano v. Steelcase Inc., 907 N.Y.S.2d 650 (Sept. 21, 2010). In this personal injury action, the defendants sought access to the plaintiff’s current and historical Facebook and MySpace accounts, including all deleted pages and related information, which may have contained information inconsistent with claims the made concerning the extent and nature of the plaintiff’s injuries. The court found that the public portions of the plaintiff’s social networking sites contained content material and necessary to the litigation, and discerned a reasonable likelihood that the same would hold true as to the private portions. Despite the plaintiff’s objections on privacy grounds, the court cited privacy disclaimers in the MySpace and Facebook policies and held that production of the plaintiff’s social network account entries would not violate her privacy rights. The court also found the defendant’s need for the information outweighed any privacy concerns, and determined that preventing access would directly contravene the strong public policy in favor of open disclosure and condone attempts “to hide relevant information behind self-regulated privacy settings.” Noting that “privacy is no longer grounded in reasonable expectations, but rather in some theoretical protocol better known as wishful thinking,” and that sharing personal information with others “is the very nature and purpose” of social networking sites, the court ordered the plaintiff to provide necessary authorization for access.