


NYLJ.COM |
E-Discovery | MONDAY, MARCH 16, 2015 | S7






ers or patients to embarrassing personal details of a company’s employees.

The Traditional View Is Insufficient

Traditional protective orders serve an important function. In 1984, the U.S. Supreme Court recognized the need for protective orders aimed at preventing the disclosure of sensitive information by the requesting party: “There is an opportunity ... for litigants to obtain—incidentally or purposefully—information that not only is irrelevant but if publicly released could be damaging to reputation and privacy.”5 Entering into a protective order also eases the burden of a producing party’s review on the margin and allows the producing party potentially to be broader in its production because its data is secure from intentional misconduct by the requesting party.

But traditional protective orders do not properly incentivize litigants to protect their opponents’ data from theft. It is typical for a protective order to simply define what “Confidential Information” is and order that an opponent cannot (1) use the “Confidential Information” except to prosecute his claims or defenses; and (2) disclose that “Confidential Information” to anyone outside a defined mix of people (usually the parties, their lawyers and experts, the discovery vendors, and the court). While there may be bells and whistles (which can be exceedingly complex) about how to designate the information, how those designations will be challenged, how documents will be filed with the court or used in depositions, and what should happen if a violation occurs, the primary duty of one party to the other is not to intentionally misuse the data. Even protective orders that provide for a two-tiered confidentiality designation, requiring that “Highly Confidential” documents be for attorneys’ eyes only, only protect the producing party from intentional disclosure by the requesting counsel to their client. No duty of care is required in how the parties handle and secure the data.

Accidental disclosure to a malevolent nonparty in the commission of a cyber attack, however, can be far more harmful than intentional disclosure by an opponent. A nonparty competitor, for example, could engage in cyber espionage and reap a treasure trove of trade secrets. Cyber terrorists can virtually hold an entire company hostage; one need look no further than the recent Sony breach to see how hackers can steal valuable intellectual property, expose private conversations of dozens of individuals, uncover executive pay, and completely disrupt a company’s business and systems.6 Potentially worse than that, hackers can reveal personal information given to a company by its customers—Social Security numbers, credit card numbers, and passwords.7 Even “well-meaning” hacktivists can usurp sensitive personal information of a company’s employees for the purpose of doxing or other forms of harassment. The stores of information produced in discovery contain exactly these types of sensitive information and are being produced to a party who currently has no incentive to be concerned about the exposure of such information.

Upgrading Protective Orders

Given the very real threat of corporate espionage and hacking, producing parties should demand that their opponents use and secure their data in a reasonable manner. The power of discovery gives requesting parties, their counsel, and their vendors access to a producing party’s information in a way no other vehicle does. In pursuit of the truth, we have created a system that allows broad and deep access to an opponent’s information before the merits of the dispute are often seriously tested. To paraphrase Spiderman, with that great power comes great responsibility.

Hackers have already surmised that highly sensitive client information in the hands of attorneys and e-discovery vendors makes an attractive target.

To properly incentivize opposing parties to take care of each other’s sensitive information, data protective orders should address two prongs: (1) what security measures the requesting party must have in place to protect the data and (2) what the requesting party must do in response to a breach of its security. Clients will thus gain some measure of assurance that opposing parties and counsel will handle their sensitive data securely and appropriately and will address data breaches promptly.

Tailoring a Security Obligation. There are a variety of ways to draft protective orders to address security measures from the broad to the specific, though how these issues should be addressed will depend on the nature of the litigation and of the information relevant to the dispute.8 For example:

• “A party shall exercise the same care with regard to the storage, custody, or use of such Protected Information as they would apply to their own material of the same or comparable sensitivity.” Between organizations of similar sophistication and size, this would be more useful than against an individual who has little to no security over his own data.
• Establish that parties must act “reasonably” or use “industry standard practices” or “best efforts.” While easy to write, these standards are not bright lines and may be difficult to enforce.
• Create a list of specific precautions or measures that an opponent needs to use or apply, including physical security (keycards or biometric verification) and electronic security (two-factor authentication, encryption, passwords, limited or no remote access).
• Require that information not be unnecessarily copied or stored on potentially more vulnerable hardware like removable media (USB drives), mobile devices, or laptops.
• In the most sensitive circumstances, a producing party may wish to allow review of documents only on an isolated terminal at the producing party’s premises or digital discovery room.

Parties should tailor specific security measures to the specific circumstances in the case and parties in particularly complex litigation may wish to consider establishing different security measures for different categories of documents (matching the cost of security and inconvenience to the value of the data at issue).

Of course, like many traditional protective orders, data protective orders should address how an opponent’s data will be appropriately returned or deleted once the litigation is resolved.

In the Event of a Breach

A protective order alone will not prevent a data breach; hacking can and will happen, even with rigorous security measures in place. Moreover, opponents may inadvertently leave data in the open. For example, an expert could leave his laptop at LaGuardia or a lawyer her briefcase in a cab. If the laptop or the briefcase contained an opponent’s data, there may be a breach.

Therefore, a data protective order should also detail what a party must do in the event of a data breach. The simplest, and likely most common, requirement should be that the breached party disclose the existence and extent of the breach to the producing party immediately—usually within 24 to 48 hours. The data protective order could also compel the requesting party to investigate and remediate the effects of a breach and provide reports to the court and the producing party. It may be advisable to require that parties agree to cooperate with the producing party (and maybe even law enforcement) in the event of a breach. Depending on the nature of the data at issue, the data protective order could go further, requiring, for example, that the breached party engage in specific, enhanced security measures above and beyond the pre-breach measures stipulated.

Greater Use of Redactions

It is axiomatic in data security that less data in fewer places is less vulnerable. In cases of very sensitive information, the most powerful security measure remains nondisclosure. A hacker cannot steal data that does not exist. It is therefore wise for a producing party to carefully review the documents it produces and, where justified, resist disclosure entirely of nonrelevant, sensitive documents. Producing parties may also wish to establish a rigorous redaction protocol of redacting information that is not relevant to the case, even when such information is contained in otherwise relevant documents.9 Of course, redaction on a large scale can be expensive and a producing party may opt to forgo such efforts for the sake of cost-effectiveness depending on the nature of the information and the security measures required of the requesting party. The fact remains, however, that the most reliable security measure available to producing parties is to limit the number of locations in which sensitive information resides by preventing the production of sensitive information.

Conclusion

As discovery in U.S. litigation has become predominately digital, the bench and bar must acknowledge the tremendous risks that cyber threats pose to a producing party’s sensitive information. If requesting parties are going to seek sensitive, private, and potentially embarrassing information from their opponents, they must be required to reasonably protect this information from hacking and corporate espionage. While this will likely require investments in better process and technology, as well as people who know how to manage both, it is necessary to prevent discovery from becoming an unwitting tool of hackers.

1. Clients are increasingly demanding that their counsel secure their data from cyber attacks. See Jennifer Smith and Emily Glazer, “Banks Demand that Law Firms Harden Cyberattack Defenses,” Wall St. J., Oct. 26, 2014, http://www.wsj.com/articles/banks-demand-that-law-firms-harden-cyberattack-defenses-1414354709.
2. See Michael A. Riley and Sophia Pearson, “China-Based Hackers Target Law Firms to Get Secret Deal Data,” Bloomberg Bus., Jan. 31, 2012, http://www.bloomberg.com/news/articles/2012-01-31/china-based-hackers-target-law-firms.
3. See Martha Neil, “Hacker Steals ‘Large 6-Figure’ Sum from Law Firm Trust Account Using Trojan Banker Virus,” ABA J., Jan. 7, 2013.
4. The security situation at many firms is improving, in large part due to larger clients who insist that counsel take specific security measures. Many financial institutions, for example, require that all email between the firm and the institution be encrypted. See Smith and Glazer, supra note 1.
5. Seattle Times v. Rhinehart, 467 U.S. 20, 35 (1984).
6. See Rachel Emma Silverman and Ben Fritz, “Data Breach Sets Off Upheaval at Sony Pictures,” Wall St. J., Dec. 4, 2014, http://www.wsj.com/articles/data-breach-sets-off-upheaval-at-sony-pictures-1417657799.
7. See, e.g., Elizabeth A. Harris, “Data Breach Hurts Profit at Target,” N.Y. Times, Feb. 26, 2014, http://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html?_r=0; Anna Wilde Mathews and Danny Yadron, “Health Insurer Anthem Hit by Hackers,” Wall St. J., Feb. 4, 2015, http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720.
8. Parties engaging in cross-border discovery may also find a measure of protection by insisting that security measures and breach responses comport with data protection regimes such as the E.U. Data Protection Directive 95/46/EC or the individual data privacy laws for the countries from which data will be processed.
9. For a discussion on using redaction to protect personal or sensitive information, see The Sedona Conference, “International Principles on Discovery, Disclosure & Data Protection: Best Practices, Recommendations & Principles for Addressing the Preservation of Discovery of Protected Data in U.S. Litigation” (December 2011).
