Page 6 - EDiscovery
P. 6
S6 | MONDAY, MARCH 16, 2015 | E-Discovery
| NYLJ.COM
Protective Orders
systems and choose advisors with appropri-
ate security,1 but they cannot choose their
Age of Hacking
opponents, their opponents’ counsel, or
In the their opponents’ discovery vendors. Tradi-
tional protective orders do not account for
this new threat, and, absent explicit obliga-
tions, requesting parties have little incentive
to defend against the threat of hacking and
implement security measures to protect their
opponents’ data.
To address this new threat, protective
orders should be upgraded to require
reasonable levels of security to protect
an opponents’ data and more stringent
notiication requirements if unauthorized
access does occur, and more liberal use
of redactions to eliminate irrelevant per-
sonal information and irrelevant coniden-
tial information (data that is not provided
cannot be stolen). In the digital age, the
bench and bar should recognize that pro-
tective orders should be drafted not only
to prevent misuse of sensitive information
by parties to a litigation, but to reduce the
risk of avoidable data breaches committed
by nefarious third parties. From a producing
party’s perspective, it rarely matters if an
opposing party intentionally disclosed their
conidential information to a third party or
lost it to a third party because it did not take
reasonable precautions. Protective orders
drafted to address cyber threats are thus
becoming valuable tools for litigants and
counsel to use to force receiving parties to
secure sensitive data.
Law Firms Are Attractive Hacking Targets
Hackers have already surmised that
highly sensitive client information in the
hands of attorneys and e-discovery ven-
dors make an attractive target. In 2010, a
group of hackers based in China breached
the security of seven prominent Canadian
law irms in an attempt to derail the acqui-
sition of Potash Corp. of Saskatchewan by
BHP Billiton.2 In 2013, hackers introduced a
keylogger virus into the computer network
of another Canadian irm, enabling them to
abscond with funds from the irm’s trust
account.3 These episodes have caused
clients to scrutinize law irms’ security
measures, realizing that hackers may view CK
STO
law irms as desirable targets for several BIG
reasons. First, the legal practice has lagged
behind major institutional clients when also concentrated the value of the informa- discovery to satisfy their curiosity or obtain
it comes to technology and cyber secu- BY DAVID J. KESSLER, tion being produced because, by removing information to use elsewhere. Thus, protec-
rity.4 Second, law irms have uniquely inti- JAMI MILLS VIBBERT the irrelevant, the production contains more tive orders are traditionally drafted to protect
mate access to client information. Clients AND ALEX ALTMAN
information that is commercially sensitive against one party using an opponent’s produc-
entrust their secrets to law irms precisely or potentially embarrassing. Used inappro- tion outside of the litigation or intentionally
because of the protective mantle of the Discovery is a process whereby infor- priately, the production could signiicantly disclosing the production to a third party.
attorney-client privilege. Third, when sensi- mation relevant and responsive to a injure the producing party.
In the age of cyber attacks, hacking, and
tive information is collected and stored in litigation is distilled from larger sets Protective orders were designed to protect digital corporate espionage, however, this tra-
a single location—either at a law irm or of data in the possession of the producing against exactly this issue. For example, in ditional view of protective orders no longer
with a document review vendor—much of party. This responsive information becomes a federal court action, Federal Rule of Civil protects the producing party. Traditionally,
the work of isolating and culling the most increasingly concentrated as the process Procedure 26(c) allows a court to “issue an the biggest threat to the produced data was
important information has already been moves from preservation to collection to order to protect a party or person from annoy- intentional misuse from an opponent, not
done for potential hackers. When docu- culling to review. Finally, after essentially boil- ance, embarrassment, oppression, or undue someone breaking into a lawyer’s ofice to
ments are gathered by a litigant and hand- ing off the irrelevant data, the concentrated burden or expense.” Similarly, under New York steal their opponent’s documents. The risks
ed over to a requesting party en masse, responsive information is produced to the law, N.Y. C.P.L.R. §3103(b) allows a court to have increased. As discovery has become
the result is a highly concentrated store requesting party. The discovery process has
issue a protective order “designed to prevent predominately digital, producing parties must
of valuable, sensitive information with unreasonable annoyance, expense, embar- now face the threat of third parties stealing
potentially less-than-ideal protection. This rassment, disadvantage, or other prejudice.” highly sensitive information not just from
gives hackers a ripe target for plundering DAVID J. KESSLER is a partner, JAMI MILLS VIBBERT is It is well understood that while parties are their and their advisor’s computer systems,
everything from trade secrets to nonpublic a senior associate and ALEX ALTMAN is an associate entitled to discovery to prosecute their claims but their opponents’ data systems as well.
personal information of third-party custom-
at Norton Rose Fulbright US in New York.
or defenses, they are not entitled to conduct
Companies can build their own data security