If e-discovery wasn't already difficult enough, U.S. data privacy laws are adding yet another challenge for corporate legal teams. Attorneys David Sorensen and John Rosenthal discussed the topic on a recent Exterro webcast U.S. Privacy Laws and E-Discovery: Navigating a Brave New World. “There historically have not been that many laws on the books to protect individuals' privacy," said Rosenthal during the presentation. “That all is in a fundamental shift. We are seeing both at the federal and the state level not just the adoption of new laws but the interpretation of existing laws, statutes and provisions to provide for greater privacy over individuals' information."
This represents a major paradigm shift for corporations. Traditionally, information stored on a company server has been, under most conditions, the sole property of the company. The situation has become far more nebulous in the digital age. According to Rosenthal, there are now approximately 25 federal laws and regulations that assert privacy either over employee or customer information. These include overarching federal laws, such as the 4th amendment of the constitution, as well as industry specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) that governs patient privacy.
For e-discovery issues in particular, one federal law that has become especially pertinent is the Stored Communications Act (SCA) U.S.C. 18 §§ USC 2701-12. The SCA applies specifically to electronically stored information (ESI) stored by third parties, such as cell phone companies and social media sites (e.g. Facebook and MySpace). In addition to these federal mandates, all but four states have passed their own legislation addressing data privacy issues.
More and more, organizations are faced with the difficult task of being able to produce responsive ESI to opposing counsel, while making sure not to run afoul with the various laws and regulations that prohibit the dissemination of certain employee and customer information. This presents a catch-22 for corporate legal teams, according to Rosenthal and Sorensen, since private data is still subject to discovery under the relevancy standards set forth by the Federal Rules of Civil Procedure (FRCP). They advocate a number of proactive measures organizations should take to limit exposure to risk, including:
- Data Assessment: As the saying goes, if you can't measure it, you can't manage it. Companies should conduct a full assessment to identify what private information they possess, where it is stored and how it is generated and used within the company. Understanding the breadth and location of private information is the first step to developing comprehensive policies and procedures on how that information can be used in legal actions.
- Review Privacy Policies: It is essential that companies establish and communicate clear policies when it comes to how personal information will be used. These policies must account for circumstances where an e-discovery request encompasses private information and include procedural safeguards, such as confidentiality agreements and protective orders. Moreover, companies must also understand the data privacy policies of their vendors. Many organizations now store at least some of their ESI in the cloud. Before entering into a storage agreement, companies should make sure they fully understand what protections the vendor provides and whether the vendor reserves the right to access/use the ESI.
- Employ Technology: While technology has created many of the problems legal teams experience when it comes to e-discovery and data privacy issues, it can also help these teams more efficiently and defensibly manage them when required. A few examples include:
- Data Mapping: By proactively inventorying and tracking key data sources, legal teams can quickly identify the location of private or protected information when litigation arises.
- Early case assessment: As soon as an e-discovery request is made, organizations have the ability to analyze data sources in-place, prior to collection, allowing for a quick evaluation of whether private information exists within a particular matter, thus establishing cost controls and scope limitations early in the discovery process.
- Automated Audit trails and Chain-of-Custody Logs: Legal teams can easily document the measures that taken to prevent the disclosure of private information, significantly bolstering defensibility and creating a thorough paper trail should issues arise.
To learn more about how data privacy laws are impacting e-discovery practices, watch a full replay of the webcast “U.S. Privacy Laws and E-Discovery: Navigating a Brave New World" here.