C4CM Webinar Mobile Device Policies - IT Law Today

Date post: 13-Apr-2018
Transcript

Robert D. Brownstone, Esq.

© 2015

THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.
THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.
THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.

'Deflategate' Lessons for eDiscovery & Mobile Device Policies

October 23, 2015
C4CM Webinar

EIM GROUP ©

Outline/Agenda

I. Introduction
• A. Definitions and Acronyms
• B. Proactive Policies Help Downstream
• C. “Smoking Guns” – Examples, including “Deflategate”

II. Proactive Policies
• A. Compliance Basics
• B. Technology Acceptable Use Policy (TAUP) – Some Key Aspects
  1. No Employee Expectation of Privacy (not EU)
  2. Broad Inspection Right
  3. “Unauthorized” Access – CFAA

Outline/ Agenda

II. Proactive Policies (c’t’d)

• C. BYOD/COPE

III. Reactive Mode – eDiscovery Law/Process

• A. Discoverability

• B. Possession, Custody OR Control

• C. Employer Outer Bounds

• D. Preservation/Spoliation

• E. Forensics

IV. Internet of Things (IoT)

V. Conclusion


I. Introduction – A. Definitions/Acronyms

BYOD = bring your own device
COPE = corporate-owned, personally enabled

Assumptions
• Want exempt (non-OT) employees connected
• Elephant in room = data breaches
  Brownstone, Data Breaches: Proactive Prevention and Reactive Remedies, AudioSolutionz (5/14/15)
• NLRA compliance
  eWorkplace Materials, at .pdf pp. 37 & 51-54

I. Intro (c’t’d) – B. Proactive Policies Help Downstream

1. Data Breaches risk/liability mitigation
2. Employees’ invasion of privacy claims
3. Incident-response without side dispute as to employee privacy:
  a. internal investigations (including employee vs. employee)
  b. eDiscovery in various contexts

I(C). Smoking (c’t’d) – Social-Media eDiscovery

Now a big body of case-law:
• Social-Media eDiscovery Biblio
• General eDiscovery Biblio
• Social-Media Ethics Bibliography
• See pp. B-19 to B-28 (.pdf pp. 76-85) at this link

Posts’ Search-ability:
• NEW! Sarah Frier, Twitter Reaches Deal to Show Tweets in Google Search Results, Bloomberg (2/4/15)

Posts’ Capture-ability (many ways):
• Some low tech, e.g. screen capture
• Some high tech, e.g. X1 Social Discovery

I(C). Smoking Guns (c’t’d)

Deflategate texts, e.g.:
• March Wells report, at pp. 102-04 (.pdf pp. 106-08)
• See also July ruling, at pp. 4 & 11-13

II. Proactive Policies – A. Compliance Basics

Kompliance KUMBAYA?!

Clear, well-thought-out language regarding which multiple constituencies have weighed in . . .

Compliance’s “3 E’s” = Establish/Educate/Enforce (Nancy Flynn, ePolicy Institute, as discussed here)

II(A). Compliance’s Three E’s (c’t’d)

ESTABLISH only those policy strictures that organization has culture and will to enforce

EDUCATE all employees (executives, managers and staff) on key aspects of major policies/protocols

ENFORCE policies:
• as consistently as possible
• based on dialogue with IT Dep’t (tech should not “wag the dog;” should align with policy goals)

II. Proactive Policies – B. TAUP Key Aspects

1. NO EMPLOYEE EXPECTATION OF PRIVACY – Why establish it? . . . .

On whole, same rules (two keys) continue to apply re: viability of “reasonable expectation” element for invasion claim theories based on:

• Constitution (federal and/or state)

• Statutes (federal and/or state)

• Common law (case law)

Seminal case: Ontario v. Quon, 560 U.S. 46 (U.S. 6/17/10); see my Top Ten Takeaways


II(B)(1). TAUP NoEEP (c’t’d) – Not re: EU workers

BUT . . . Privacy protected more in, e.g.:
• Europe (EU), incl.: France, Germany, Italy, UK
• Elsewhere: Argentina, Brazil, Canada, Israel, New Zealand, Switzerland, Ukraine, Uruguay

II(B)(1). TAUP NoEEP (c’t’d) – Not re: EU (c’t’d)

Cross-Border Data

ESI stored overseas, esp. in EU . . .

EU, “Directive 95/46/EC of the European Parliament and of the Council”
  “Processing” of “Personal Data”
  “Transfer” of “Personal Data”
• See also individual EU countries’ rules; compilations linked off my blog here

II(B)(1). TAUP NoEEP (c’t’d) – Not re: EU (c’t’d)

Revised EU Directive in progress:
• “adopted” January ’12; implemented ‘16 ?
• for home page, click here
• NEW! Safe Harbor invalidated
  • Schrems decision by CJEU (10/6/15)
  • As summarized here by F&W & there by A&O

II. Proactive Policies – B. TAUP Keys (c’t’d)

2. Broad Inspection Right

Don’t need to actually be Big-Brother/Sister
Sole discretion
For counsel and executives, client is entity
Hope policy never scrutinized, but . . . . If it is . . . will help employer in front of judge

TIP: keep track of enforcement

II. Proactive Policies – B. TAUP Keys (c’t’d)

3. Unauthorized “Access” – CFAA

What’s “authorized” access? When is it exceeded? What’s “unauthorized”?

9th-Cir. [U.S. v. Nosal, 676 F.3d 854 (4/10/12) (en banc); and LVRC Holdings v. Brekka, 581 F.3d 1127 (9/15/09)]
VS.
7th-Cir. [International Airport Centers v. Citrin, 440 F.3d 418 (3/8/06)]

See eWorkplace Materials, at .pdf pp. 34-36

II. Proactive Policies – C. BYOD/COPE

1. Basics
• Signed agreement/policy
  • Creating a Successful BYOD Policy, Symantec (2/14/13)
• Mobile Device Management (MDM), e.g., MobileIron
• Research state law re: reimbursements

2. Different Approaches:
• Big Brother/Sister
  “all . . . devices . . . . provided, supported and/or costs-reimbursed . . .”
  remote wipe right
    Rajaee v. Design Tech Homes, 2014 WL 5878477 (S.D. Tex. 11/11/14)
  broad inspection right

II(C). Proactive Policies – BYOD/COPE (c’t’d)

2. Different Approaches (c’t’d)
• BYOD only re: certain devices and/or personnel –
• COPE only (so folks need 2 phones?)
  Company-issued iPads?
• Containerization
  • Good Technology, Mobile App Containerization (11/11/14)
• Dual-identity phones?
• Other articles in footnote 142 at .pdf p. 50 here

II(C)(2). BYOD – Different Approaches (c’t’d)

USSC 4th A. opinion’s potential impacts:
• Riley v. Cal., 134 S. Ct. 2473 (2014)
  No diminishment of employer’s rights to its own devices or data stored on devices owned by employees
  Public sector employees may now argue employers need to tread more carefully in investigatory searches
    Quon v. Arch Wireless, 529 F. 3d 892 (9th Cir. 2009) – dueling opinions re: O’Connor v. Ortega (U.S. 1987)
    But see Liebeskind v. Rutgers Univ., 2014 WL 7662032 (N.J. App. 1/22/15) (unpublished opinion upholding state university’s extraction of employee’s internet browsing activity in light of broad, clear TAUP)

II(C)(2). BYOD – Different Approaches (c’t’d)

Riley’s impacts (c’t’d)

Local storage concerns if . . . seizure + warrant

Implicitly sends message to employers to be quite clear in policies (and training), including as to BYOD

Ontario v. Quon, 560 U.S. 46 (U.S. 6/17/10)

III. Reactive/eDiscovery – A. Discoverability

Discoverable? YES.
• Compelled production examples:
  • Small v. Univ. Med. Ctr. of S. Nev., 2014 WL 4079507 (D. Nev. 8/18/14) (spoliation regarding BYOD and COPE)
  • Ngai v. Old Navy, 2009 WL 2391282 (D.N.J. 7/31/09) (compelling production of text messages)
  • Martin v. Redline Serv. LLC, 2009 WL 959635 (N.D. Ill. 4/1/09) (ordering production of 188 voice message recordings and all existing recordings of telephone calls made by Defendant's employee)
  • Smith v. Café Asia, 246 F.R.D. 19 (D.D.C. 10/2/07) (compelling production of phonecam photos)

III(A). Reactive/eDisco – Discoverability (c’t’d)

TO LEARN MORE
• Andrew Scurria, 5 Tips For Tackling Smartphone E-Discovery, Law360 (8/7/14) (by subscription)
• Search on smartphone or “mobile device” here
• See MANY preservation decisions in § III(D).

III. eDisco (c’t’d) – B. Possession, Custody OR Control . . .

eDiscovery: “possession/custody/control” issue re: workers’ own devices, webmail or texts
• Small v. Univ. Med. Ctr. of S. Nev., 2014 WL 4079507 (D. Nev. 8/18/14), as discussed here
• Puerto Rico Telephone v. San Juan Cable, 2013 WL 5533711 (D.P.R. 10/7/13) (YES where presumably knew 3 officers used personal email accounts to manage company business)
• Cotton v. Costco Wholesale Corp., 2013 WL 3819974 (D. Kan. 7/24/13) (NO as to texts sent from personal phones; harassment/discrimination case)

Deflategate – what if it were a lawsuit?

III. Reactive/eDisco (c’t’d) – C. Employer Outer Bounds

1. Electronic Communications Privacy Act (ECPA) – Invasion as a Liability Issue
• Possible criminal and civil exposure:
  Undisclosed key-logging (web mail too)
    Brahmana v. Lembo, 2009 WL 1424438 (N.D. Cal. 5/20/09)
  Logging in as current employee (& reading):
    Van Alstyne v. Electronic Scriptorium, 560 F.3d 199 (4th Cir. 3/18/09) (webmail)
    Pietrylo v. Hillstone Rest. [Houston’s], 2009 WL 3128420 (D.N.J. 9/25/09) (MySpace group)

III(C)(1). Employer Outer Bounds – ECPA (c’t’d)

Logging in as current employee (c’t’d)
• Brautigam v. East Whittier Sch. Dist., Minute Order, No. BC541803 (Super. Ct. L.A. 1/5/15)
  Marisa Kendall, Blurring of Work, Personal Tech Drives Privacy Disputes, Recorder (1/30/15) [quoting me]
  $275K Settlement (3/26/15)

Logging in as former employee
• Lazette v. Kulmatycki, 2013 WL 2455937 (N.D. Ohio 6/5/13) (SCA – but not Wiretap – claim survived motion to dismiss; Gmail server was “facility” accessed via Blackberry)

Inadvertently receiving ex-employee’s texts
• Sunbelt Rentals v. Victor, 2014 WL 4274313 (N.D. Cal. 8/28/14) (iCloud synch confusion; all claims dismissed)

III(C)(1). Employer Outer Bounds – ECPA (c’t’d)

But case law all over the place, e.g.:
• Garcia v. City of Laredo, 702 F.3d 788 (5th Cir. 12/12/12) (SCA not violated by unauthorized access to data stored on employee’s personal cell phone)
• Sitton v. Print Direction, 718 S.E.2d 532 (Ga. App. 9/28/11) (state law claims failed due to TAUP’s broad investigation rights encompassing looking at webmail via BYOD laptop when employee away from desk)

III(C). Employer Outer Bounds (c’t’d)

2. Asking for Employees’ Passwords
• 21 states’ new statutes (since 2012) forbidding asking (applicant or) employee for login/password to own web, social-media or email
• But some have investigation exceptions . . .
• NCSL compilation of those laws and > 11 other states’ pending bills . . .
• NEW! SEC v. Huang, 2015 WL 5611644 (E.D. Pa. 9/23/15)
  District Court Rules That Smartphone Passcodes Are Testimonial; Protected by Fifth Amendment, Proskauer Privacy Law Blog (10/7/15)

III. Reactive/eDisco (c’t’d) – C. Employer Outer Bounds

3. (Ex-)employee’s own Attorney-Client Privilege (ACP)
• ACP vs. TAUP (NoEEP) Biblio (case law split)
• Ex: Holmes v. Petrovich, 191 Cal. App. 4th 1047 (3 Dist. 1/13/11): Communications via work email NOT confidential because employee:
  knew of company TAUP re: no personal use
  warned that company would monitor
  warned of NoEEP
• Tips:
  broad but clear policy language (wouldn’t expressly mention ACP)
  training
  investigation protocol

III. Reactive/eDisco (c’t’d) – D. Preservation/Spoliation

“Litigation-Hold” Duty
• Obstruction Crimes – fed. & states
• Attorney Ethics Rules
• Case-Law
  Preservation (Destruction-Suspension) Obligation . . .
  Reasonable anticipation of litigation

III(D). Spoliation (c’t’d) – “Reasonable Steps”

FRCP 37(e) to change 12/1/15
  this color-coded mark-up of key changes, at slides 15-19
  clean version of rules set as sent to Congress by U.S. Supreme Court (4/29/15), at pp. 24-26 (.pdf pp. 27-29)
  full report with Advisory Committee Notes (5/1/14), at pp. 306-30, et seq.
  GREAT flow chart by Eric P. Mandel
• But even under the new regime . . .

III(D). Spoliation (c’t’d) – Types of Civil Sanctions

Monetary
• Penalties
• Attorney fees and costs
• Pay-for-proof sanctions

III(D). Spoliation (c’t’d) – Civil Sanctions (c’t’d)

Litigation-Related:
• Delay of start of trial
• Exclusion of evidence
• Privilege waiver [FRCP 26(g)]
• Declaration of mistrial
• Adverse inference jury instruction(s)
• “Terminating sanction”, e.g.:
  Default judgment; or
  Dismissal

III(D). Spoliation (c’t’d) – Sanctions (c’t’d)

Jail of CEO for contempt?!
• Victor Stanley v. Creative Pipe II, 06-2662 (D. Md. 9/9/10) (“Fuvista” products; thousands of files deleted from laptop)
• BUT SEE partial reversal via orders: Linked off of Carnathan, Jail Time for Spoliation?, ABA Lit News (11/29/10)

III(D). Spoliation (c’t’d) – Mobile Device Decisions

Deletions (texts too):
• Painter v. Atwood, 2014 WL 1089694 (D. Nev. 3/18/14) (harassment/discrimination case)

Deflategate Adverse Inference [both quoting me a lot]:
• Rebekah Mintzer, 'Deflategate' Lessons for E-Discovery Device Policies, Corp. Counsel (5/18/15)
• Rebekah Mintzer, Deflation to Spoliation? Tom Brady and E-Discovery, Corp. Counsel (7/31/15)

III(D). Spoliation (c’t’d) – Mobile Device Decisions (c’t’d)

Some recent decisions:
• Cognate Bioservs. v. Smith, 2015 WL 5158732 (D. Md. 8/31/15) (finding D’s failure to preserve contents of a discarded smartphone willful but not in bad faith)
• First Mariner Bank v. Resolution Law Group, P.C., 2014 WL 1652550 (D. Md. 4/22/14) (granting default judgment based on Ds’ bad-faith spoliation of evidence stored on individual defendant's laptop and smartphone having caused significant prejudice)
• Petition of Boehringer Ingelheim Pharmaceuticals (Pradaxa), 745 F.3d 216 (7th Cir. 1/24/14) (upholding bad faith inference where text-messages auto-delete not disabled on co.-issued smartphones)

III(D). Spoliation (c’t’d) – Mobile Device Decisions (c’t’d)

Some older decisions:
• Petition of John W. Danforth Group, Inc., 2013 WL 3324017 (W.D.N.Y. 7/1/13) (denying pre-complaint order of preservation as to anticipated witness’ personal smartphone)
• Moreno v. Ostly, No. A127780, 2011 WL 598931 (Cal. App. 2/22/11) (text messages)
• Passlogix, Inc. v. 2FA Technology, LLC, 708 F. Supp. 2d 378 (S.D.N.Y. 2010) (sanctioning party for failing to preserve text messages)
• Southeastern Mech. Servs., Inc. v. Brody, 657 F. Supp. 2d 1293 (M.D. Fla. 2009) (sanctioning party for producing wiped blackberries)
• Vagenos v. LDG Fin. Servs. LLC, No. 09-cv-2672 (BMC), 2009 WL 5219021 (E.D.N.Y. Dec. 31, 2009) (entering adverse inference instruction for Ps’ failure to preserve original of key voicemail)

III(D). Spoliation (c’t’d) – Mobile Device Decisions (c’t’d)

Some older decisions (c’t’d)
• Wangson Biotechnology Group, 2008 WL 4239155 (N.D. Cal. 9/11/08) (ordering data preservation, including voicemail, “regardless of storage or retention medium or method”)
• In re Seroquel Prod. Liab. Litig., 244 F.R.D. 650, 661 (M.D. Fla. 2007) (sanctioning party for, inter alia, failing to produce any voice mails when unified voice mail system had delivered messages to employees' email inboxes)

III(D). Preservation (c’t’d) – Some Practicalities

“The Only Thing You Can Erase is Your Good Faith” – Christopher J. Cannon . . . :

People claim they can wipe their computers and cell phones
FBI has demonstrated on multiple occasions that even best (self-help) wiping may not be effective
Maybe different re: newer iPhone models?
Text messages different?

Look at your phones . . .
Bet there are a few embarrassing messages

III(D). Practicalities (c’t’d) – Erasing and “Wiping”

Messages may be only on phone OR may be stored with the carrier
  Verizon claims 10 days but some practitioners have seen longer periods
  AT&T claims 48 hours, but may have them longer

Apple messages in Cloud or SMS.db or Call-History.db
But see ECPA

Even if remote wipe (“kill signal”) works, . . . recipient of email or text may still have it (Deflategate)

III. Reactive/eDisco (c’t’d) – E. Computer Forensics (CF)

What is CF?
• Specialized techniques for Collection, Preservation, Analysis, Recovery, Authentication and Reporting of ESI
• As to:
  information not available elsewhere
  deletions, changes and alterations (timing, scope and nature)
    Kucala Enters. v. Auto Wax, 2003 WL 21230605, 56 Fed. R. Serv. 3d 487 (N.D. Ill. 5/27/03) (dismissing with prejudice based in part on 11th hour deletion of 14,000 files from computer)

III(E). CF (c’t’d) – What? (c’t’d)

Exs. of types of cases:
• Bribery
• Confidential information
• Fraud
• IP infringement and/or theft
• Sexual harassment
• Trade secrets

Smartphone/tablet forensics iffy and may be very difficult (especially with latest encryption regime)
• See Leatha & Garcia, Mobile Device Forensics: The New Frontier, Met. Corp. Counsel (1/14/14)

III(E). CF (c’t’d) – Few Tips . . .

# 1: Difference between collecting “active” files (“cloning”) vs. bit-by-bit copying

# 2: NEVER let other side get ORIGINAL device, drive or portable media

# 3: Likely not going to be able to get the whole image from the other side
  So seek court-ordered stipulation re: neutral forensics expert . . .
  Re: privacy (see Deflategate), balancing of interests
  E.g., Gateway Logistics, Inc. v. Smay, 302 P.3d 235 (Colo. 4/15/13) (remanding for application of balancing test to non-party’s smartphone)
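Tip #1 above turns on the difference between a "logical" collection of the files a device still lists as active and a bit-by-bit image of the whole device. The Python sketch below is an added example, not part of the webinar materials: it builds a constructed toy volume (the directory layout is invented for this demo and is not any real file system) with one file marked deleted, shows that a logical copy misses that file's content while a bit-for-bit image retains it, and verifies the image against the source by SHA-256, the authentication step a preservation record relies on.

```python
"""Added example (not from the webinar): logical "cloning" of active files
versus a bit-by-bit image, plus hash verification of that image.
The volume layout below is constructed for this demo and is not any real
file system."""
import hashlib
from dataclasses import dataclass

VOLUME_SIZE = 256  # constructed: tiny "device" so unallocated space exists


@dataclass(frozen=True)
class Entry:
    """Directory entry of the toy volume (constructed format)."""
    name: str
    offset: int
    length: int
    active: bool  # False = "deleted": data stays on disk, only the flag changes


def build_volume(files, deleted):
    """Lay files out back-to-back; names in `deleted` are marked inactive."""
    data = bytearray()
    entries = []
    for name, content in files:
        entries.append(Entry(name, len(data), len(content), name not in deleted))
        data += content
    data += b"\x00" * (VOLUME_SIZE - len(data))  # pad: unallocated area
    return entries, bytes(data)


def logical_copy(entries, data):
    """Cloning: collect only the files the directory still lists as active."""
    return {e.name: data[e.offset:e.offset + e.length]
            for e in entries if e.active}


def bitwise_image(data):
    """Bit-by-bit image: every byte of the device, plus its SHA-256 digest."""
    image = bytes(data)
    return image, hashlib.sha256(image).hexdigest()


def verify_image(source, image, expected_digest):
    """Authentication: source and image must both hash to the recorded digest."""
    return (hashlib.sha256(source).hexdigest() == expected_digest
            and hashlib.sha256(image).hexdigest() == expected_digest)


def residual_data(entries, image):
    """Deleted-but-not-overwritten content still readable from the image."""
    return {e.name: image[e.offset:e.offset + e.length]
            for e in entries if not e.active}


def demo():
    """Constructed sample: three files, one of them 'deleted' before collection."""
    files = [("memo.txt", b"Q3 budget memo"),
             ("texts.db", b"sms: see you at the game"),
             ("photo.jpg", b"\xff\xd8JPEGDATA\xff\xd9")]
    entries, device = build_volume(files, deleted={"texts.db"})
    active = logical_copy(entries, device)
    image, digest = bitwise_image(device)
    return {
        "active_files": sorted(active),
        "image_verified": verify_image(device, image, digest),
        "residual": residual_data(entries, image),
        "image_has_deleted_text": b"see you" in image,
        "logical_has_deleted_text": any(b"see you" in v for v in active.values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same hash check is what makes tip #2 workable in practice: the original device stays with its custodian, and what changes hands is a verified image whose digest both sides can recompute.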

IV. Internet of Things (“IoT”)

The future is now?
• $4T to $11T by 2025
  McKinsey Report (6/24/15)

How many of you have:
• Apple watch or similar device?
• Nest product?
• Car with adaptive cruise control?

How many of you have a WYOD Policy?

IV. “IoT” (c’t’d) – The Three Ghosts

Information Security – Ghost of Data Past
Individuals’ Privacy – Ghost of Data Present
Electronic Discovery – Ghost of Data Future

• Robert D. Brownstone, A “Wearables" Carol – Beware The Three Ghosts, Digital Mountain E-Newsletter (6/1/15)

See generally .pdf p. 8 (n. 3) in eWorkplace Materials

IV. “IoT” (c’t’d) – What’s Saved/Collected?

What?

Where
• collected?
• does data go?

When does vendor support stop?
• end of life?

IV. “IoT” (c’t’d) – InfoSec and Data-Privacy

Governmental Concerns
• FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks, News Release (1/27/15) (“Report Recognizes Rapid Growth of Connected Devices Offers Societal Benefits, But Also Risks That Could Undermine Consumer Confidence”)
• FTC, internet of things, FTC Staff Report (1/26/15) (“Privacy & Security in a Connected World”)
• TRENDNet, Inc., FTC Matter/File No. 122 3090 (2/7/14)

IV. “IoT” (c’t’d) – Risks of Corporate Liability to . . .

Employees
Consumers
Others suffering injury or property damage

Pending Suit:
• Cahen v. Toyota Motor, Ford Motor Co. & General Motors LLC, No. 2015 cv 01104 (N.D. Cal. 3/3/15)

V. Conclusion/Questions

Q&A

Robert D. Brownstone
• Blog (“IT Law Today”)
• Bio | Biblio (articles, press & speeches, Oh My!)
• Twitter ("@eDiscoveryGuru") | Facebook | LinkedIn | Google+
• 650.335.7912 or [email protected]

Please visit home pages for F&W’s EIM, Privacy/InfoSec & Employment Groups

THESE MATERIALS ARE MEANT TO ASSIST IN A GENERAL UNDERSTANDING OF CURRENT LAW AND PRACTICES.
THEY ARE NOT TO BE REGARDED AS LEGAL ADVICE.
THOSE WITH PARTICULAR QUESTIONS SHOULD SEEK ADVICE OF COUNSEL.