S6 | MONDAY, MARCH 16, 2015 | E-Discovery
| NYLJ.COM





Protective Orders 
systems and choose advisors with appropri- 

ate security,1 but they cannot choose their 
Age of Hacking
opponents, their opponents’ counsel, or 
In the their opponents’ discovery vendors. Tradi- 
tional protective orders do not account for 
this new threat, and, absent explicit obliga- 
tions, requesting parties have little incentive 
to defend against the threat of hacking and 
implement security measures to protect their 
opponents’ data.

To address this new threat, protective 
orders should be upgraded to require 
reasonable levels of security to protect 
an opponents’ data and more stringent 
notiication requirements if unauthorized 
access does occur, and more liberal use 
of redactions to eliminate irrelevant per- 
sonal information and irrelevant coniden- 

tial information (data that is not provided 
cannot be stolen). In the digital age, the 
bench and bar should recognize that pro- 
tective orders should be drafted not only 
to prevent misuse of sensitive information 
by parties to a litigation, but to reduce the 
risk of avoidable data breaches committed 
by nefarious third parties. From a producing 
party’s perspective, it rarely matters if an 

opposing party intentionally disclosed their 
conidential information to a third party or 
lost it to a third party because it did not take 
reasonable precautions. Protective orders 
drafted to address cyber threats are thus 
becoming valuable tools for litigants and 
counsel to use to force receiving parties to 
secure sensitive data.


Law Firms Are Attractive Hacking Targets

Hackers have already surmised that 
highly sensitive client information in the 
hands of attorneys and e-discovery ven- 
dors make an attractive target. In 2010, a 
group of hackers based in China breached 
the security of seven prominent Canadian 

law irms in an attempt to derail the acqui- 
sition of Potash Corp. of Saskatchewan by 
BHP Billiton.2 In 2013, hackers introduced a 
keylogger virus into the computer network 
of another Canadian irm, enabling them to 
abscond with funds from the irm’s trust 
account.3 These episodes have caused 
clients to scrutinize law irms’ security 
measures, realizing that hackers may view CK
STO
law irms as desirable targets for several BIG
reasons. First, the legal practice has lagged 
behind major institutional clients when also concentrated the value of the informa- discovery to satisfy their curiosity or obtain 
it comes to technology and cyber secu- BY DAVID J. KESSLER, tion being produced because, by removing information to use elsewhere. Thus, protec- 
rity.4 Second, law irms have uniquely inti- JAMI MILLS VIBBERT the irrelevant, the production contains more tive orders are traditionally drafted to protect 
mate access to client information. Clients AND ALEX ALTMAN
information that is commercially sensitive against one party using an opponent’s produc- 
entrust their secrets to law irms precisely or potentially embarrassing. Used inappro- tion outside of the litigation or intentionally 
because of the protective mantle of the Discovery is a process whereby infor- priately, the production could signiicantly disclosing the production to a third party.
attorney-client privilege. Third, when sensi- mation relevant and responsive to a injure the producing party.
In the age of cyber attacks, hacking, and 

tive information is collected and stored in litigation is distilled from larger sets Protective orders were designed to protect digital corporate espionage, however, this tra- 
a single location—either at a law irm or of data in the possession of the producing against exactly this issue. For example, in ditional view of protective orders no longer 
with a document review vendor—much of party. This responsive information becomes a federal court action, Federal Rule of Civil protects the producing party. Traditionally, 
the work of isolating and culling the most increasingly concentrated as the process Procedure 26(c) allows a court to “issue an the biggest threat to the produced data was 
important information has already been moves from preservation to collection to order to protect a party or person from annoy- intentional misuse from an opponent, not 
done for potential hackers. When docu- culling to review. Finally, after essentially boil- ance, embarrassment, oppression, or undue someone breaking into a lawyer’s ofice to 
ments are gathered by a litigant and hand- ing off the irrelevant data, the concentrated burden or expense.” Similarly, under New York steal their opponent’s documents. The risks 
ed over to a requesting party en masse, responsive information is produced to the law, N.Y. C.P.L.R. §3103(b) allows a court to have increased. As discovery has become 

the result is a highly concentrated store requesting party. The discovery process has
issue a protective order “designed to prevent predominately digital, producing parties must 
of valuable, sensitive information with unreasonable annoyance, expense, embar- now face the threat of third parties stealing 
potentially less-than-ideal protection. This rassment, disadvantage, or other prejudice.” highly sensitive information not just from 
gives hackers a ripe target for plundering DAVID J. KESSLER is a partner, JAMI MILLS VIBBERT is It is well understood that while parties are their and their advisor’s computer systems, 
everything from trade secrets to nonpublic a senior associate and ALEX ALTMAN is an associate entitled to discovery to prosecute their claims but their opponents’ data systems as well. 
personal information of third-party custom-
at Norton Rose Fulbright US in New York.
or defenses, they are not entitled to conduct
Companies can build their own data security