By Jim Gill
U.S.-based companies are finding that their multinational operations are increasingly subject to employee privacy regulations. Perhaps nowhere is this problem more acute than in cross-border litigation, where these companies must comply with the Federal Rules of Civil Procedure (FRCP) during discovery in spite of potential exposure to civil and criminal liability in foreign jurisdictions.
Whether it’s the Data Protection Directive in Europe, the APEC Privacy Framework in Asia or a constellation of privacy regulations in South America, the challenge of obtaining foreign electronically stored information (ESI) for use in U.S.-based legal actions has never been greater. (If you are unsure of how privacy policies vary from country to country, privacypolicies.com provides a great resource that breaks down privacy laws country by country in a clear and concise manner.)
Attorney U.S. Privacy Laws and E-Discovery: Navigating a Brave New World: “There historically have not been that many laws on the books to protect individuals' privacy. That all is in a fundamental shift. We are seeing both at the federal and the state level not just the adoption of new laws but the interpretation of existing laws, statutes and provisions to provide for greater privacy over individuals' information.”
Traditionally, information stored on a company server has been, under most conditions, the sole property of the company, but now information can exist in multiple locations in servers spanning continents simultaneously. Orin Kerr describes how this affects the way a warrant can be carried out in his excellent Washington Post article: “Data can be anywhere and nowhere. For example, a U.S. provider could take an e-mail and divide it into five pieces. Each individual 'piece' would be meaningless zeros and ones; the e-mail would exist in readable form only when all five pieces were combined together. Imagine the U.S. provider stores the five pieces on five different servers: one in the U.S., one in France, one in Russia, one in Madagascar, and on a ship in international waters. And the provider's network automatically moves the pieces around in unpredictable ways so the different pieces of data are in different locations at different times. If Microsoft is right that the location of the data is what matters, then what privacy protection would apply for such an e-mail?”
To add more complexity, Rosenthal states there are now approximately 25 federal laws and regulations that assert privacy either over employee or customer information. These include overarching federal laws, such as the Fourth Amendment to the Constitution, as well as industry-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) that governs patient privacy.
For e-discovery issues in particular, one federal law that has become especially pertinent is the Stored Communications Act (SCA), 18 U.S.C. §§ 2701-12. The SCA applies specifically to electronically stored information (ESI) stored by third parties, such as cell phone companies and social media sites (e.g., Facebook and MySpace). In addition to these federal mandates, all but four states have passed their own legislation addressing data privacy issues.
More and more, organizations are faced with the difficult task of producing responsive ESI to opposing counsel while making sure not to run afoul of the various laws and regulations that prohibit the dissemination of certain employee and customer information. This presents a catch-22 for corporate legal teams, according to Rosenthal and Sorensen, since private data is still subject to discovery under the relevancy standards set forth by the Federal Rules of Civil Procedure (FRCP). They advocate a number of proactive measures organizations should take to limit exposure to risk, including:
- Data Assessment: As the saying goes, if you can't measure it, you can't manage it. Companies should conduct a full assessment to identify what private information they possess, where it is stored and how it is generated and used within the company. Understanding the breadth and location of private information is the first step to developing comprehensive policies and procedures on how that information can be used in legal actions.
- Review Privacy Policies: It is essential that companies establish and communicate clear policies when it comes to how personal information will be used. These policies must account for circumstances where an e-discovery request encompasses private information and include procedural safeguards, such as confidentiality agreements and protective orders. Moreover, companies must also understand the data privacy policies of their vendors. Many organizations now store at least some of their ESI in the cloud. Before entering into a storage agreement, companies should make sure they fully understand what protections the vendor provides and whether the vendor reserves the right to access/use the ESI.
- Employ Technology: While technology has created many of the problems legal teams experience when it comes to e-discovery and data privacy issues, it can also help these teams more efficiently and defensibly manage them when required. A few examples include:
  - Early Case Assessment: As soon as an e-discovery request is made, organizations have the ability to analyze data sources in place, prior to collection, allowing for a quick evaluation of whether private information exists within a particular matter, thus establishing cost controls and scope limitations early in the discovery process.
  - Automated Audit Trails and Chain-of-Custody Logs: Legal teams can easily document the measures taken to prevent the disclosure of private information, significantly bolstering defensibility and creating a thorough paper trail should issues arise.
  - Data Mapping: By proactively inventorying and tracking key data sources, legal teams can quickly identify the location of private or protected information when litigation arises.
To learn more about how data privacy laws are impacting e-discovery practices, download Exterro's White Paper: Putting Cross-Border Privacy Compliance into Practice.