By Eduard Goodman
Consider this scenario: Litigation against your company produces a discovery request for an executive's smartphone records. But the executive accessed his work email, voicemail, texts and cloud-based services such as Salesforce all from his personal smartphone.
How do you comply when the request raises questions about the executive's privacy rights?
The litigation process is rife with these types of privacy dilemmas. The proliferate use of smartphones and Internet-based or cloud services has had a significant impact on our culture--and, by extension, on our business litigation environment.
Companies are increasingly managing discovery that involves electronic evidence, information that's stored on devices and in the cloud. But in many cases the law, which struggles to keep up with emerging technology, provides no clear remedy.
The iPhone age
For a little perspective, let's review two key developments that have influenced our sense of privacy: the advent of the smartphone and state of data breach notification laws.
The first smartphone--Nokia's Communicator--came out in 1996. But the introduction of the iPhone in 2007 revolutionized the industry. Since then, we've evolved into an always-connected society. More than one billion people worldwide carry these mini-computers that let us play interactive games, send email, post to social networks, take pictures, record videos, pay bills and track our location around the globe.
It's the biggest thing since the Internet--and it isn't considered in the Federal Rules of Civil Procedure's rules of discovery. The last round of substantive changes made to the discovery rules took place in 2006--a year and a half before the iPhone emerged. For attorneys in traditional practices, that's pretty recent. But for lawyers who specialize in data security, technology and privacy, that may as well have been the dark ages.
Another development that has shaped our understanding and expectation to privacy is the advent of state data breach notification laws. In 2003, California became the first state to pass data breach notification requirements.
SB1386, as it became known, required companies to notify consumers when their personal information--Social Security numbers and financial account numbers--were exposed in a security breach. Other states followed, and now this requirement is law in 46 states, Washington D.C., Puerto Rico, Guam, the U.S. Virgin Islands and for entities covered under the federal law for HIPAA.
Smartphones at Work
Now take these advances and extend them to the workplace. In recent years, the concept of BYOD--or Bring Your Own Device--has become a familiar practice in corporate America. Businesses let employees use their personal smartphones, tablets and more to access company information and applications. I prefer to call it Bring Your Own Disaster because while this practice may increase productivity and be convenient, it poses security risks.
Companies that consider a BYOD policy also must be able to answer some key questions such as:
What kinds of pertinent company data may an employee have on his/her smartphone?
What happens to company smartphone data when an employee leaves the company?
Do you back up the data on his/her device and how do you properly document it without impacting his private banking apps, e-mail, browsing history, texts, etc.?
Do you require former employees to delete all company content from their personal phone and how do you document that?
Is the smartphone back-up data that you stored part of your document retention and destruction program, and how long should you retain this information?
Have you obtained written consent to access private information on the smartphone in the course of back ups and the like?
In the end, the threshold question is whether any company policies account for these considerations related to employee smartphone use. You at least know the answer to that question along with most businesses and again, it isn't good.
Risks in the Cloud
To be sure, smartphones raise serious privacy issues. When we talk about cloud computing--services delivered over a network like the Internet--we're dealing with a privacy black hole. From a litigation standpoint, we know something is there but no one can actually see it.
Back in 2006 when the discovery rules were amended, the cloud was hardly the buzzword that it is today. Most people were exposed to the cloud through Web-based mail such as Google's Gmail. But it wasn't until 2007--also after the discovery rules update--that Gmail synched to Google Docs as a true cloud-based resource. Now, the cloud has many definitions but essentially it's the concept of paying someone else to store and manage your business's information at a reasonable price.
So what happens when you get served with a litigation hold and all of your documents are remotely stored and hosted in the cloud? How do you account for preservation of cloud-based documents, and how do you manage and document data retention and disposal? Can you even verify if the data is truly deleted and when? Then, there are questions surrounding collection of data as well as control and access during the discovery process. How do you ensure that the discovery process doesn't stray into the data of unrelated, third parties? And in the end, what is all this discovery going to cost?
Again though, there is a threshold question that really needs to be addressed first. The real elephant in the room is the question of whether or not cloud service agreements with your providers cover these topics. And again the problem is that you are probably not going to like the answer since most cloud service providers are nonspecific about how they deal with discovery requests.
Most agreements are non-negotiable boilerplate agreements without the ability to add your own terms. So unless you happen to be a large company with a certain level of bargaining position, your agreements are probably as silent about cloud-related discovery processes as are the FRCP's discovery rules.
Preparing for the inevitable threat of litigation and thereby discovery in 2013 is a revised exercise in preparation compared with 2006. Preparation and specific privacy-related issues must be considered based on your specific business practices and industry type.
For example, those in medical services need to look closely to the solutions they choose for moving from paper records to Electronic Health Records (EHRs), as well as the language in the various agreements they sign, especially with respect to cloud-based storage of these EHRs. Experienced counsel needs to be chosen to ensure that HIPAA privacy rules area not at odds with discovery requests.
Of course, these considerations are different for a company that processes automobile insurance claims in the field from smartphones using a cloud-based document storage database for instance.
Businesses need to spend time looking at the new ways in which they generate data both in the cloud and via smartphones and tablet technologies that could be subject to discovery. In addition, they need to recognize that certain types of information now are due certain protections. For instance, private data should be provided under discovery requests in a secure and encrypted manner to the other side to prevent accidental disclosure and a data breach during the litigation process itself.
Company processes need to make sure that the access to this data in the context of litigation takes privacy rights into consideration. This should be done by obtaining prior consent from employees and ensuring that service providers have considered these issues when it comes to locating the actual servers that house this information in jurisdictions with laws consistent with the U.S. approach to privacy, versus say, the European Union's more stringent approach.
Unfortunately, the law will always be playing catch up to technology since it is merely a delayed reflection of trends within society at large. This means that general, flexible policy-based approaches are the best way to cope with the disconnect between theoretical legal rules of procedure and the reality of practice. One can only hope that upcoming rule changes begin to consider the changing technology and data protection landscape, providing better guidance to all of us in the process.
EDUARD GOODMAN is chief privacy officer at IDentity Theft 911. He can be reached at firstname.lastname@example.org
April 12, 2013
Copyright 2013© LRP Publications