WIXLIB

Inaccessible data – FRCP 26(b)(2)(B) Advisory Committee Notes: “A party’s identificationof sources of [ESI] as not reasonably accessibledoes not relieve the party of its common-law orstatutory duties to preserve evidence. Whether aresponding party is required to preserveunsearched sources of potentially responsiveinformation that it believes are not reasonablyaccessible depends on the circumstances of eachcase. It is often useful for the parties to discuss thisissue early in discovery.”30

Calixto v. Watson Bowman Acme Corp., 2009 WL3823390 (S.D.Fla. 2009) Defendant argued backup tapes were inaccessible becauseof undue burden or cost Vendor estimate for restoring and searching: 40,000 allexpense to review for relevance and privilege Found inaccessible No “good cause” found because material likely duplicativegiven time frame and evidence of defendant’s preservation But one backup tape from earlier time period found notinaccessible because cost of restoring and reviewing onetape not burdensome, and evidence of no duplication ofmaterial31

Starbuck’s v. ADT Security Services, 2009 WL 4730798(W.D. Wash.) Used a Zantaz e-mail archive system for certain timeperiod –Plasmon System 500 double sides DVDs accessed by a robot arm Very slow and laborious to retrieve – but still in use ADT argued that archive was inaccessible Court held archive not inaccessible Court did not find time or expense estimates credible Because still in use – held must be accessible Cannot relieve party of duty to produce those documentsmerely because has chosen a means to preserve whichmakes ultimate production of documents expensive32

Inaccessible DataLet’sCloudThe Issue Burden is on data owner to show inaccessibility Agreement should be specific about costs for litigationsupport Not inaccessible just because ESI hard/expensive to get Must understand what cloud provider has and how it works tosupport argument of inaccessibility Arguments that data is redundant Support specific arguments regarding expense33

Collection34

Collection of ESI Collect by custodian Full collection Self collection Collect by search terms Sweep and keep systems File shares Non-custodial sources Databases Cloud sources Preservation of metadata and filestructure35

CollectionLet’sCloudThe Issue Ability to collect completely as important under federal case law Understand where data is stored Need to be able to identify custodian material and track what iscollected Speed of collection Collection in bulk or custodian-by-custodian/document-by-document Format - does cloud storage change metadata What metadata is provided Will provider be able to prove nothing was deleted - audit36

Authentication37

Procedure of Authentication Authenticity under 104(b) Judge makes preliminary determination Based on admissible evidence Sufficient evidence to support a jury finding of relevance Court need not find that the evidence is necessarily what theproponent claims, but only that there is sufficient evidencethat the jury ultimately might do so38

Authentication Evidence rules on authentication apply to ESI in thesame way as other evidence Rules are the same for paper and ESI Three methods of authentication refer to computerbased evidence in advisory notes (federal) 901(b)(7) (public records and reports) 901(b)(8) (ancient documents or data compilations) 901(b)(9) (processes or systems)39

Rule 901. Requirement of Authentication orIdentification (a) General provision.—The requirement ofauthentication or identification as a conditionprecedent to admissibility is satisfied by evidencesufficient to support a finding that the matter inquestion is what its proponent claims. (b) Illustrations.—By way of illustration only, and notby way of limitation, the following are examples ofauthentication or identification conforming with therequirements of this rule:40

Available Methods to Authenticate ESI, cont’d. Rule 902: Self-Authentication: “Extrinsic evidence ofauthenticity as a condition precedent to admissibility isnot required with respect to the following:” Does not require the sponsoring testimony of anywitness Opposing party may still challenge authenticity Provisions most commonly used for ESI: 902(d): Official publications (e.g., Census Bureau) 902(g): Trade inscriptions (e.g. business e-mails)41

Internet Website Postings/Social Media 901(b)(1): Witness with personal knowledge901(b)(3): Expert testimony901(b)(4): Distinctive characteristics901(b)(7): Public records901(b)(9): System or process capable of producinga reliable result 902(5): Official publications 902(11): Business Records42

Other Methods of Establishing Authenticity Examples listed in Rules 901 and 902 are illustrativeonly, not exhaustive Court may hold that documents produced by a partyin discovery are presumed to be authentic, shifting theburden to the producing party to show that theevidence they produced was not authentic Court may take judicial notice under Rule 201 ofcertain foundational facts needed to authenticate anelectronic record43

Other Approaches to Authenticity Request opponent to admit the genuineness of theevidence through CR 36 Requests for Admission Make request at pretrial conference that opponentagree to stipulate “regarding the authenticity ofdocuments” Disclose electronic evidence in ER 904 pretrialdisclosures of documents; if opponent does notobject within 14 days, any authenticity objectionsare waived44

Deal with Authentication Early Party’s own records At time of collection, production When identifying/interviewing witnesses Subpoenas Limited access and leverage on witnessesSend form declarationsUse records depositionsGet stipulations45

Use and AdmissibilityLet’sCloudThe Issue Will you have the information to satisfy theauthentication under 901 and 902 Key is security and access controls Is there visibility into this for provider Who at provider will execute a declaration requiredunder authentication rules Contract should provide for this support46

Jurisdiction47

Where is your data? Location of data may control conditions ofdisclosure EU & Other data protection laws could affect youruse and transfer of data48

Can cloud computing affect personal jurisdiction?Perhaps.Forward Foods LLC v. Next Proteins, Inc, 873 N.Y.S.2d 511(N.Y. Sup. Ct. 2008) In furtherance of sale of business, defendant set up“virtual data room” which made important documentsavailable to interested parties Plaintiff utilized data room to view documents beforefinalizing purchase Purchased business underperformed, Plaintiff filed suit Defendant moved to dismiss for lack of personaljurisdiction49

Forward Foods LLC v. Next Proteins, Inc.Here, Defendants’ contacts with New York amount to a visit byJason Stephens, Director of Health and Fitness sales channel, avirtual data room where Defendants uploaded documents forEmigrant to review in New York, and several emails containingadditional documents sent to Emigrant in New York. It isundisputed that the meeting between Jason Stephens and Emigrantin New York did concern the sale of Defendants’ business to Plaintiffand that Defendants followed up on the meeting with additionalemails to New York. Plaintiffs correctly argue that Defendantsmaintained sufficient contacts with the state of New York andhave clearly transacted business within the state such thatpersonal jurisdiction over Defendants under CPLR § 302(a)(1)would be appropriate.* Case dismissed for forum non conveniens50

Third-PartySubpoenas51

The Stored Communications Act: 18 U.S.C. § 2701 et seq. Regulates disclosure of content and non-content information by twotypes of providers: Electronic Communication Service (ECS) Remote Computing Service (RCS) Regulations differ depending on provider type Generally content will not be disclosed absent consent (who can giveconsent depends on provider) Other more rarely used exceptions may also apply Civil subpoena is not an exception requiring disclosure: See e.g., SpecialMarkets Ins. Consultants, Inc. v. Lynch, No. 11 C 9181, 2012 WL 1565348(N.D. Ill. May 2, 2012) Non-content information, however, may be disclosed pursuant to asubpoena52

Seeking Content? Compel Consent (or Use Rule 34):Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008) Defendants alleged SCA prohibited any disclosure of content of text messagesabsent consent, which Defendant sought to withhold Court ruled that City could be compelled to provide necessary consent fordisclosure:“In any event, even if Defendants are correct in their contention that SkyTelcannot produce any communications in this case without the “lawful consent”called for under § 2702(b)(3), the Court finds that the Defendant City has boththe ability and the obligation to secure any such consent that the SCA mayrequire.” Courts analysis relied heavily on question of “control” pursuant to Rule 34 –Defendants had control of the content such that they could consent to disclosure Court counseled that a Rule 34 request directly to a party was a more“straightforward path” and avoided many sticky questions under the SCA53

Does control and consent analysis apply to non-parties? Yes.Thomas v. Deloitte Consulting LP, 2004 WL 1372954 (N.D. Tex.June 14, 2004) Defendant sought production of bank records from non-parties Court ordered production of documents or authorization for bank todisclose:Rule 45(a) requires a person served with a subpoena to produceall responsive, non-privileged documents in his “possession,custody or control.” FED. R. CIV. P. 45(a)(1)(C). This rule isbroadly construed to encompass both actual and constructivepossession. . . . CHS and FPI make no argument that they do nothave a legal right to obtain bank statements and checks from Bankof America and Regions Bank. The court will require that they doso or, alternatively, execute authorizations to enable defendant toobtain these documents directly from the banks.54

Criminal Investigations are Different:Twitter v. Harris, 2011NY080152 (N.Y. Crim. Ct. 2012) NY Court ordered production of content and non-contentinformation from Twitter Held account owner did not have standing to quash Twittersubpoena No proprietary interest No privacy interest Production was ordered pursuant to 18 U.S.C. § 2703(d)(court order): court order is available to “governmentalentities” under this provision Despite objection, Twitter finally produced the materials afterbeing threatened with contempt and sanctions55

Seeking Non-Content Information? Serve a Subpoena:Achte/Neunte Boll Kino Beteiligungs GMBH & Co. v. Does1-4577, 736 F. Supp. 2d 212 (D.D.C. 2010) Court granted leave to serve Rule 45 subpoenas on ISPsseeking to obtain “information sufficient to identify eachDefendant, including name, current (and permanent)addresses, telephone numbers, email addresses andMedia Access Control addresses” District Court denied subsequent Motion to Quashbrought by non-parties whose information would beproduced56

Beluga Shipping GMBH & CO. KS “Beluga Fantastic” v. SuzlonEnergy, Ltd., 2010 WL 3749279 (N.D. Cal. Sept. 23, 2010) Foreign party sought to compel emails and records related to accountsof foreign cross-defendantsGoogle, based on inability to comply, sought to intervene Court held contents of emails could not be disclosed withoutsubscriber’s consent and granted motion to intervene, but orderedproduction of documents reflecting: when the accounts were created,the names of the account holders as provided to Google, the countriesfrom which the specific email accounts were created Google instructed to “preserve the snapshot of the emails in thespecific Gmail accounts set forth above” pending further showing ofconsent by account holders57

www.ediscoverylaw.com58

2012Cloud Computing E-Discovery ChallengesImplications for Cloud Computing ContractsOctober 24, 2012Tanya L. Forsheit, Esq., CIPP/USFounding Partner, InfoLawGroup 10.706.4121

SEGALIS PLLCE-Discovery Implications for Cloud Computing Contracts Contractual Considerations ntegrity/AuthenticationReturn and Secure DisposalSubpoenas, Control and Access Extended/Multi-Level Relationships Right to Conduct Forensic Exam Cross-Border Data Transfers Sample Provisions60

SEGALIS PLLCSearchability/Availability/Forensics “Searchability” and availability of data in cloud Forensic assessment (identifying, collecting andpreserving data) in cloud context Metadata61

SEGALIS PLLCPreservation, Authentication and Data IntegrityFor purposes of meeting evidence preservationrequirements, and discovery obligations in litigation andgovernment investigations, it may be important for a cloudservices contract to require that a cloud provider preserveinformation and provide the customer with access to theinformation in the form in which it is maintained in theordinary course of business, sometimes on short notice.62

SEGALIS PLLCPreservation, Authentication and Data Integrity (cont.) Duplication/Replication Issues. You may have many extracopies of data in many additional locations. This could increasethe scope of company preservation obligations (especially ifinformation is not disposed of pursuant to routine recordsretention schedule). Data Authentication and Integrity. If multiple copies are made(without your knowledge), it may be difficult to ascertain whichis the “original” (also consider timing issues/server settings).63

SEGALIS PLLCReturn/DisposalLike other outsourcing agreements, cloudcontracts should provide for return and/orsecure disposal of the information inaccordance with the customer’s directions.64

SEGALIS PLLCAccess-Extended/Multi-Level Relationships Extended Cloud Relationships- Cloud providers useother cloud providers Ensure ability to access data when several levelsremoved Where is the data actually being stored, processedand transmitted? Has the “direct” cloud provider secured rights toensure that it can preserve/gather data?65

SEGALIS PLLCCross-Border Data Transfers What happens when the data resides in another country?Conflicting EU Privacy Laws and Blocking StatutesContracts Insufficient to AddressNeed Safe Harbor/Standard Contractual Clauses/BCRsStill may not be able to process data for US discovery66

SEGALIS PLLCSAMPLE PROVISIONS67

SEGALIS PLLCPreservation, Return, and Secure Disposal of Information“Service Provider shall preserve any information provided byCustomer to Service Provider, including but not limited to anymetadata, in accordance with Customer’s instructions andrequests, including without limitation any retention schedulesand/or litigation hold orders provided by Customer to ServiceProvider, independent of where the information is stored(specifically, and without limitation, even where suchinformation resides with or is held, processed or stored by aservice provider, sub-contractor, vendor, or other third party).”68

SEGALIS PLLCPreservation/Integrity, Return and Secure Disposal of Information (cont.)“Service Provider shall take reasonable steps toensure proper destruction (such that information isrendered unusable and unreadable) and return ofinformation to Customer in a format requested byCustomer and at Service Provider’s expense when itis no longer needed to perform services pursuant tothe Agreement or [x] days following termination ofthe Agreement. Service Provider shall providewritten certification that all such information hasbeen returned and deleted.”69

SEGALIS PLLCSubpoenas, Control and Access“Service Provider shall cooperate with Customer in responding to any party, nonparty, or government request for information, including but not limited tometadata, provided by Customer to Service Provider. In the event that suchrequests are served on Customer, Service Provider shall provide Customer withaccess to such information in the format in which it is maintained in the ordinarycourse of business (or, on Customer’s request, with copies) within [x] hours ofreceipt of any request by Customer for such access or copies. In the event thatsuch a request (in the form of a subpoena, order or otherwise) is provided to orserved on Service Provider, Service Provider shall notify Customer in writing byelectronic mail to [INSERT EMAIL ADDRESS] immediately and in no event morethan [x] hours after receiving the request, subpoena or order. Such notificationmust include a copy of the request, subpoena or court order.”70

SEGALIS PLLCSubpoenas, Control and Access (cont.) “Service Provider also shall immediately inform in writing thethird party who caused the request, subpoena or order toissue or be provided or served on Service Provider thatsome or all the material covered by the request, subpoenaor order is the subject of a nondisclosure agreement.” “Service Provider shall cooperate with Customer in seekingany protection from disclosure for such information thatCustomer shall deem appropriate.”71

SEGALIS PLLCAuthentication“In the event that Customer is required to authenticate any ofthe information, including without limitation metadata, providedby Customer to Service Provider, Service Provider shallcooperate with Customer in providing any requestedassistance with such authentication, including withoutlimitation testifying (by affidavit, declaration, deposition, incourt, or otherwise) as a custodian of records to authenticatethe information, establish chain of custody, and/or provide anyother requested information.”72

SEGALIS PLLCWant More? Please feel free to contact:Tanya L. Forsheittforsheit@infolawgroup.com(310) 706-412173

2012Cloud Computing E-Discovery ChallengesImplications for Cloud Computing ContractsOctober 24, 2012Tanya L. Forsheit, Esq., CIPP/USFounding Partner, InfoLawGroup LLPwww.infolawgrou

What is Cloud Computing? "The very definition of cloud computing remains controversial. Consulting firm Accenture has crafted a useful, concise definition: the dynamic provisioning of IT capabilities (hardware, software, or services) from third parties over a network." "Cloud computing is a computing model, not a technology."