Generally, the party producing discovery bears the costs of production. But shifting the costs of production to the non-producing party is sometimes warranted.  This issue was recently tackled by a Kansas District Court in Lawson v. Spirit AeroSystems, 2020 WL 3288058 (D. Kan. June 18, 2020).

Background

Following his retirement from Spirit AeroSystems, Inc. (“Spirit”), plaintiff Larry A. Lawson (“Lawson”), the former CEO of Spirit, began consulting for non-party Arconic, Inc. (“Arconic”).  Spirit contended this consulting amounted to a breach of Lawson’s retirement agreement, which contained a non-compete provision.  As a result, Spirit discontinued Lawson’s retirement benefits and demanded he reimburse Spirit the amounts already paid to him.  Lawson brought suit, arguing that Spirit and Arconic are not in the same “business,” and thus the non-compete provision in his retirement agreement was never triggered.

Discovery in the lawsuit was focused largely on the issue of whether Spirit and Arconic are in the same “business.”  In connection with discovery of electronically stored information (“ESI”), Lawson insisted on protocols that led to overbroad results, yielding low percentages of responsive documents, and even lower percentages of relevant documents.*

The parties then conducted a technology assisted review of the more than 300,000 collected documents, which yielded a 3.3% responsiveness rate.  The responsive documents were produced.  Dissatisfied, Lawson filed a motion to compel Spirit to produce the documents reviewed by TAR beyond those already produced.  In response, Spirit sought to shift all costs and attorney’s fees associated with the production to Lawson under Federal Rule 26(c). Spirit argued that it spent months collecting, processing, hosting, and searching millions of documents from custodians selected by Lawson and using search terms selected by Lawson; a process which cost hundreds of thousands of dollars and which resulted only in a small percentage of responsive or relevant documents. In opposition, Lawson argued that cost-shifting is only available for ESI that is not reasonably accessible, pursuant to Rule 26(b)(2)(B). The court did not agree.

Good Cause & Proportionality

The Lawson court instructs that Rule 26(c) “is not limited to non-reasonably accessible discovery,” but rather was “amended in 2015 to make clear that the court may allocate discovery expenses for good cause in order to protect a party from undue burden or expense.” To establish “good cause,” the “moving party must make a particularized and specific demonstration of fact, as distinguished from stereotyped and conclusory statements,” and the court has “broad discretion” in deciding whether good cause has been established.

In Lawson, the court, in deciding to shift costs, reviewed Rule 26(b)(1)’s proportionality factors.  Specifically, “the importance of the issues at stake in the action, the amount in controversy, the parties’ relative access to relevant information, the parties’ resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit.”  Here, the court concluded:

  • the action was a private lawsuit over an executive’s severance package, not a suit with significant public policy implications;
  • although the TAR expenses were not unreasonable compared to the amount in controversy, Spirit had already borne considerable amounts in discovery expenses;
  • both parties had adequate resources to bear their fair share of discovery expenses;
  • apart from the ESI/TAR process, Spirit produced substantial discovery collected the “old-fashioned way” of targeted productions via custodian interviews and collections;
  • Lawson had equal access to that discovery; and
  • Lawson had not articulated how the documents sought via the TAR process were important to resolving the issues above and beyond the discovery Spirit already produced.

Conclusion

The Lawson court reviewed all the factors, and in the end determined that Lawson’s “continued pursuit of the ESI dataset via TAR was not proportional to the needs of the case.” While the court was careful to mention that the 2015 amendment to Rule 26 does not imply that cost-shifting should become common practice, Lawson offers considerable insight into the facts that warrant cost-shifting and the court’s discretion in awarding it.

*Lawson was also expansive in the custodial data he sought and the search terms he insisted upon.  For example, he demanded Spirit search sixty-nine (69) custodians’ ESI plus each custodian’s assistant’s ESI. Lawson also demanded using ninety (90) search terms, many of which contained “OR” connectors, bringing the effective number of search terms to more than 100. Of note, 85% of the documents yielded by these searches were irrelevant.

**Thank you to first year associate, Jaclyn Ruggirello in the Firm’s Uniondale office, for her research assistance related to today’s blog.

Have questions?  Please contact me at kcole@farrellfritz.com.

When employee misconduct is alleged, companies must respond swiftly.  Indeed, “insider threats” can cause significant damage to a company.  These threats come in many different forms, including:

  • Accounting fraud;
  • Theft of assets;
  • Unauthorized access to or manipulation of data; and
  • Threats, sexual harassment or other inappropriate forms of behavior or communication.

And so, when a threat is perceived or reported, an internal investigation – which aims to assess the validity of the alleged misconduct within the organization – may be necessary.  Although such investigations necessarily involve different steps and goals as the facts require, the typical elements of an investigation include collection and examination of written or recorded evidence, interviews with suspects and witnesses, and computer and network forensics.

McDonald’s Corp. v Stephen J. Easterbrook, (Index No. 2020-0658, [Del. Ch. Aug. 12, 2020] [Complaint]) reminds us that collecting and reviewing electronically stored information (“ESI”) is a critical step in a thorough investigation.

Factual Background:

In October 2019, it was alleged that then-CEO of McDonald’s Corporation (“McDonald’s”) Stephen J. Easterbrook (“Easterbrook”) engaged in sexual conduct with a company employee in violation of McDonald’s standards of business conduct policy.  In response to these allegations, McDonald’s hired outside independent counsel to perform an internal investigation.  The investigation included interviews of Easterbrook and the company employee, and a review of all images, videos, and text messages stored on Easterbrook’s company-issued cellphone.  The investigation, however, failed to include any collection or review of Easterbrook’s company email.

Because none of the evidence counsel reviewed contradicted Easterbrook’s allegation that the relationship at issue was consensual, McDonald’s and Easterbrook entered into a separation agreement, wherein Easterbrook was terminated “without cause” and pursuant to which he received severance compensation and benefits under his existing compensatory arrangement.

Less than a year later, in July 2020, however, McDonald’s received a complaint from a different company employee that Easterbrook had engaged in sexual conduct with her, in violation of McDonald’s standards of business conduct policy.  This complaint resulted in a second internal investigation, which included the collection and review of Easterbrook’s now-dormant McDonald’s email account.  It was during this July 2020 investigation that McDonald’s discovered several photographs and emails relevant to both the 2019 and 2020 complaints that had been deleted from Easterbrook’s company cellphone.  Unbeknownst to Easterbrook, although he deleted these emails and photographs from his company cellphone, a copy of the emails and photographs remained accessible on McDonald’s servers.  These emails and photographs provided indisputable evidence that Easterbrook repeatedly violated McDonald’s standards of business conduct policy.

Clearly, had McDonald’s been aware of Easterbrook’s misconduct in 2019 as documented by email communications, it would not have entered the separation agreement with Easterbrook.  And so, McDonald’s was forced to commence an action against Easterbrook, alleging that he breached his fiduciary duty by violating McDonald’s standards of business conduct policy and fraudulently inducing McDonald’s to enter into the separation agreement.

Conclusion:

This lawsuit reminds us that in today’s age of e-everything, an internal investigation of any alleged misconduct must include collecting and reviewing ESI.  While efficiency and cost necessarily inform decisions, collecting and reviewing ESI (even if deemed a costly endeavor) must remain a priority in internal investigations.  Here, review of emails could have prevented subsequent litigation.


*Thank you to first year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.

Rule 26(b)(5) of the Federal Rules of Civil Procedure provides that, when a party withholds information otherwise discoverable by claiming the information is privileged or subject to protection as trial-preparation material, the party must:

(i) expressly make the claim; and

(ii) describe the nature of the documents, communications, or tangible things not produced or disclosed—and do so in a manner that, without revealing information itself privileged or protected, will enable other parties to assess the claim. 

(id.) (emphasis added).

But what exactly is a sufficient description such that opposing counsel will be able to assess the validity of a claim of privilege?  And, when is an in camera review to determine the validity of a privilege claim appropriate?  Although the sufficiency of a description is necessarily subjective, and in camera review discretionary, a recent decision from the Northern District of Illinois is a worthwhile read for anyone confronting these thorny subjects.*

Background

Washtenaw County Employees’ Retirement System v. Walgreen Co., 2020 WL 3977944 (N.D. Ill. July 14, 2020) is a securities fraud class action lawsuit involving allegations that Walgreens and its former Chief Executive and Chief Financial officers violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934.  During discovery, lead plaintiff moved for an in camera inspection of 75 documents listed among 5,700 identified on defendants’ log as privileged.  Plaintiffs argued that the Court’s review of the documents was necessary because it would guide the parties’ approach to other privileged claims.  Defendants, however, asserted an in camera review was not necessary as Plaintiffs failed to establish a “well-founded basis for challenging the logs’ privilege descriptions,” which were the result of thousands of attorney hours.

In reaching its decision not to review in camera the documents at issue, the Court devoted significant effort to the history of the attorney-client privilege and the obligation to log privileged communications withheld from production.  The Court then observed that the sufficiency of a log description is a delicate balance.  Indeed, it is difficult to describe “the basis for the privilege with sufficient detail yet without disclosing what the legal advice was.  Preserving the privilege requires recognizing that there are limits to the specificity that courts ought to require in a privilege log.”  The Court went on to hold that entries on a log that use the word privilege without any description of what the communication was about are “unacceptable.”  However, descriptions that describe, at least, the subject matter to which the legal advice was directed “come closer to being sufficient, and in many cases will be sufficient.”  In sum, a privilege log “need only provide a form of penultimate proof, by way of a short summary statement that conveys at least a basis for the Court to believe that the content of the communication is privileged.”

The Court further observed that while it is within its discretion to engage in an in camera review, this, too, is fraught with challenges.  For example, courts deciding issues concerning privilege log descriptions “can reach two correct yet contrary conclusions based on identical fact patterns.”  (Walgreens, 2020 WL 3977944 at *3 (citing Surgery Ctr. at 900 N. Michigan Ave., LLC v Am. Physicians Assurance Corp., 317 F.R.D. 620, 629 (N.D. Ill. 2017))).

Analysis

Here, the Court was tasked specifically with determining whether to perform an in camera review of six categories of communications: (i) those between non-attorney employees; (ii) those copying in-house counsel; (iii) those disseminated “widely” within the company and through distribution lists; (iv) those “reflecting,” “circulating” or “discussing” legal advice; (v) those Plaintiffs claim are simply not privileged; and (vi) attachments that were withheld.

The Court declined to exercise its discretion to review in camera the 75 documents at issue, but examined the categories of log entries included in the motion.  In assessing the privilege log descriptions for the first five categories, the Court determined that the Defendants’ privilege log entries sufficiently established that the documents and communications concerned legal advice or legal issues relevant to the matter and were properly logged.  With respect to the “withheld attachments” category, the Court found that Defendants failed to include in the log a separate description providing the legal basis for withholding the attachments.  And so, because attachments need to have their own privilege bases in order for them to be properly withheld under a claim of privilege, the Court directed the parties to meet and confer to determine an approach that supplies Plaintiffs with the information necessary about the withheld attachments.

Conclusion

The attorney-client privilege is a deeply rooted doctrine that protects privileged communications from disclosure.  And, the importance of creating a privilege log with sufficient particularity such that opposing counsel can assess the validity of the asserted privilege cannot be overstated.  This case is an important reminder that inadequate, vague or generic privilege log descriptions can put the privilege in peril and practitioners must take an organized and methodical approach in formatting specific descriptions for withholding privileged documents.  By doing so, one may avoid defending against a motion to compel for in camera review.

*It is important to consult the local rules of the Court in which you are appearing.  For example, in the Southern and Eastern Districts of New York, Local Civil Rule 26.2, Assertion of Claim of Privilege, is applicable.


The Honorable Shira Scheindlin once opined against allowing custodians of ESI to collect their data, stating “[s]earching for an answer on Google (or Westlaw or Lexis) is very different from searching for all responsive documents in the FOIA or e-discovery context…” and “most custodians cannot be ‘trusted’” to effectuate a legally sufficient collection.  National Day Laborer Org. Network v US Immigration and Customs Enf. Agency, (10 Civ. 3488 [SAS] [SDNY 2012]) (See The Perils of Self-Collection).  Recently, another federal Court also cautioned counsel about the dangers of self-collecting, albeit this caution was predicated upon the substantial risks attorneys may face when clients self-collect data. Equal Employment Opportunity Commission v. M1 5100 Corp., 2020 WL 3581372 (S.D. Fla. July 2, 2020).  These two cases, coupled with counsel’s obligation to be technologically competent,* serve as good reminders of what not to allow.

Background

In M1 5100 Corp., Plaintiff filed a motion to compel “better discovery responses.”  In connection with that motion, Plaintiff sought the opportunity to inspect how Defendant’s electronically stored information (“ESI”) was searched, collected and produced based upon (1) a mere 22 page production; and (2) defense counsel’s concession that he did not manage or oversee his clients’ collection efforts.  Critically, the individuals responsible for collecting the potentially relevant data were two self-interested employees of the Defendant, who operated without any supervision by, or involvement of, Defendant’s counsel.

In reaching its decision to grant, in part, Plaintiff’s motion, the Court devoted significant effort to the importance and effect, under Federal Rule of Civil Procedure 26(g), of an attorney’s signature on a discovery response.  Specifically:

A party’s discovery obligations also include the duty to use reasonable efforts to locate and produce ESI responsive to the opposing party’s requests and within the scope of discovery.  To enforce these responsibilities, the attorney’s signature on a discovery response certifies that the lawyer has made a reasonable effort to assure that the client has provided all the information…responsive to the discovery demand and has made reasonable inquiry into the factual basis of his response.

Id.

According to the Court, because counsel cloaked Defendant and its employees with unfettered discretion in determining (i) custodians, (ii) search terms, (iii) ESI sources, and (iv) what documents to collect, counsel failed to exercise the requisite supervision.  The Court further identified as “very problematic” counsel “sign[ing] off on the completeness and correctness of his client’s discovery responses” when, in actuality, the attorney exercised neither supervision nor involvement in the process.  According to the Court, such discovery practices are rife with concerns including incomplete discovery productions and the destruction of responsive information.

In spite of these discovery failures, the Court acknowledged that “[i]nspection of an opposing party’s computer system under [FRCP] Rule 34 and state equivalents is the exception and not the rule for discovery of ESI.”  Therefore, and in part due to the parties being ahead of the discovery deadlines, the Court gave Defendant’s counsel an opportunity to comply with its discovery obligations and directed “Defendant’s attorneys [to] counsel and supervise Defendant and Defendant’s employees during the discovery search, collection, and production process and become knowledgeable of that process.”  In conclusion, the Court advised that it “intend[ed] to closely supervise the discovery process” to ensure counsel complies with all discovery obligations.

Conclusion

This case is a good reminder to counsel that we cannot simply delegate discovery to clients.  Rather, we must actively participate in and supervise all aspects of discovery.  Moreover, counsel who delegates discovery as here likely cannot comply with his/her obligations to participate meaningfully in a 26(f) conference, which should be embraced as an opportunity to reach agreement and engage in a cooperative discovery process that will promote proportionality.**


*See previous blog post series discussing counsel’s obligation to be technologically competent below:

A Lawyer’s Obligation to be Technologically Competent – Part I

A Lawyer’s Obligation to be Technologically Competent – Part 2

A Lawyer’s Obligation to be Technologically Competent – Part 3

A Lawyer’s Obligation to be Technologically Competent – Part 4

**See previous blog post discussing FRCP 26(f) below:

Rule 26 and How It Applies to Electronically Stored Information

***Thank you to first year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.

In New York, it is widely recognized that the duty to preserve documents arises once a party “reasonably anticipates litigation” (see Voom HD Holdings LLC v EchoStar Satellite, 93 AD3d 33, 41-42 [1st Dept 2012]).  And so, timely issuing a litigation hold notice is critical for preserving information relevant or potentially relevant to an actual or threatened litigation.

But, what happens to that litigation hold notice during discovery?  Is it a document that one produces?  Is it privileged?  Ordinarily, hold notices are protected from disclosure by the attorney-client privilege and the attorney work product doctrine.  However, a recent New York case illustrates that when there are allegations of spoliation, the privilege a litigation hold normally enjoys may be undermined.

In Radiation Oncology Services of Central New York, P.C., v Our Lady of Lourdes Memorial Hospital, Inc., 2020 WL 3246747 (Sup Ct, Cortland County 2020), involving a contentious contract dispute, the parties engaged in nearly five years of discovery, including countless discovery disputes.  In one instance, Plaintiffs identified two emails that Defendants produced in hardcopy but failed to produce electronically. These emails were sent after Plaintiffs informed Defendants that they intended to pursue litigation; and thus, after a litigation hold should have been issued.  Believing Defendants spoliated evidence, Plaintiffs filed a motion to compel the production of Defendants’ litigation hold, including all related electronically stored information (“ESI”).  In response, Defendants contended there was no spoliation of evidence in either instance because they were able to produce the hard copies of the emails.

The Court was not persuaded by Defendants’ paper production of the emails.  Rather, the Court found that “printing paper copies of the emails and permanently deleting the associated ESI potentially deprived the emails of significant evidentiary value.”  Moreover, the Court held that Defendants failed to prove, as a matter of law, that their litigation hold should be protected from disclosure.  Specifically, (i) Defendants did not dispute their duty to preserve the emails at the time they were destroyed; (ii) Defendants failed to show there was no culpable conduct involved in the deletion of the emails; and (iii) the emails were potentially related to claims in the matter.  And so, the Court granted Plaintiffs’ motion to compel.*

This decision reminds us of a few lessons.  First, preserving paper copies of ESI that has been deleted will not necessarily defeat a claim of spoliation.  Second, within one’s hold notice it is advisable to include a provision outlining the consequences of failing to preserve documents related to the matter, and language stating that the obligation to preserve includes documents in existence and yet to be created.


*The Court permitted further submissions on the issue of whether Defendants’ conduct warranted sanctions.

**Thank you to first year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.


Aldinger v. Alden State Bank is a good reminder of counsel’s obligation to be cooperative in the discovery process.

Aldinger, an employment discrimination case pending in the United States District Court for the Western District of New York, involved a series of discovery disputes including Plaintiff’s motion to compel Defendant to respond to her First Request for the Production of Documents and First Set of Interrogatories (Docket 21).  A second similar motion was filed four months later (Docket 31), which the Court eventually granted, directing Defendant to fully respond to Plaintiff’s interrogatories and requests for production (“Order”) (Docket 32).  Thereafter, Defendant sought to depose Plaintiff and sent her several letters requesting dates for a deposition.

Plaintiff, however, unsatisfied with Defendant’s disclosure pursuant to the Court’s Order, refused to schedule depositions until Defendant fully complied with its discovery obligations.  Frustrated with Plaintiff’s refusal, Defendant moved for an order compelling Plaintiff’s deposition.  And, Plaintiff cross-moved to compel Defendant to comply with the Court’s prior Order.

The Motions to Compel:

In deciding the two motions to compel, the Court reminded counsel of their obligation to engage one another in good faith and to act cooperatively during discovery.  First, the Court directed the parties to agree within thirty days on a date certain for Plaintiff’s deposition and concluded that even if Plaintiff was correct in alleging Defendant failed to comply with the Order, Plaintiff “cannot unilaterally refuse to fulfill its discovery obligations as retaliation for another party’s discovery violations.” (quoting John Wiley & Sons, Inc. v. Book Dog Books, LLC, 298 F.R.D. 145, 148 [S.D.N.Y. 2014]).

Second, in resolving Plaintiff’s cross-motion to compel, the Court was guided by the principles set forth in Federal Rule of Civil Procedure 26(b)(1) regarding relevance and one’s obligation to produce not only documents in their physical possession, but also documents the party has the “right, authority, or practical ability to obtain,…including from…former outside counsel” (quoting Woodward v Holtzman, 16 cv 1023A(F), 2018 WL 5112406, at *8 [WDNY October 18, 2018]).  The Court further concluded that if any documents requested by Plaintiff do not exist, then Defendant is required to make “a direct, individualized response” stating that to be the case.

Having granted both motions, the Court refused to grant either party’s request for attorneys’ fees.  Although the Court observed that Rule 37 obligated the Court to require a party who failed to provide information in discovery to “pay the reasonable expenses, including attorney’s fees, caused by the failure…” the Court concluded “[b]oth attorneys in this case have failed to be cooperative in the discovery process.”  The Court went on to conclude it was their collective “absence of good faith and collegial understanding of one another’s discovery needs” that has greatly increased “the duration and expense of this litigation.”  In conclusion, the Court “warned” the parties that the “next discovery dispute will be resolved in a court hearing at which both parties and their attorneys will be present.”

Conclusion:

This decision serves as a good reminder that courts expect parties and counsel to proceed cooperatively and professionally during discovery, with an emphasis on good faith and efficiency.  As attorneys, we should strive to be known as one who resolves discovery issues rather than one who creates unnecessary discovery issues.


In the span of a few short months, the number of phishing attacks targeting smartphones as the entry point to enterprise networks has risen by more than a third.  Indeed, one cybersecurity company found a 37% increase in mobile phishing attacks worldwide between November 2019 and early 2020.*

As previous blog posts have observed,** phishing emails have long been an issue for desktop/laptop users.  Typically, these attacks – to the extent they target desktop/laptop email applications – can be avoided because they often come with observable indicia that something may not be right.  For example, the email purportedly from “Katy Cole” originates from an email address that is noticeably not one belonging to Katy Cole, or the URL is palpably suspicious.

Now, however, people are increasingly using their mobile devices to respond to emails, where the tell-tale signs of a phishing scam are harder to spot due, in part, to smaller screens. That smaller screen, coupled with a growing trend of cybercriminals replicating login pages so as to resemble one’s organization (especially with so many businesses relying on cloud platforms like Office 365), is cause for concern.  If, under such circumstances, a user enters their username and password into a phishing page, the device user effectively gives the attacker potential access to their corporate accounts.  And so, as we all multitask, work remotely, and rely more upon our mobile devices, we must be mindful of these risks when accessing content from our mobile devices.


*https://www.lookout.com/phishing-spotlight-report-lp

**See previous blog posts discussing phishing below:

Phishing Risks Associated with Social Media

What do Lady Gaga, LeBron James and the Texas Courts Have in Common?

Industry Forecast for Data Breaches 2020: What All Smartphone Users Should Know

The Department of Homeland Security Reminds us of the Importance of Cybersecurity

Some Cyber-Musts for Maximizing Security

Smart speakers – like Google Home and Amazon Echo – have changed the way our homes/offices function.  Indeed, these voice-activated speakers execute simple commands provided by voice or smartphone application.  With nothing more than a question, one can direct the smart speaker to, among other things, play music and podcasts, provide a weather forecast, or set an alarm.

The technology is straightforward.  For example, Google Assistant—the voice-activated software associated with the Google Home—“listens” for a hotword.* When the smart speaker hears the hotword, the device switches to “active listening” mode, records and analyzes the provided audio, and executes the command provided.  While the audio is used to effectuate the user’s commands, the recorded data is also used to (1) target personalized advertising to end-users, and (2) improve the voice recognition capabilities of the device.

Given these competing uses, it should come as no surprise that privacy concerns may be implicated by the use of smart speakers.  Recently, certain privacy concerns received attention in a class action lawsuit filed in California.** At issue in that lawsuit was the smart speakers’ recording and storing of users’ private conversations without the knowledge or consent of the specific user, potentially violating privacy rights and expectations.***

Smart speakers, while fun and convenient, are not without risk.  Users should consider the following:

Devices with Cameras – Certain smart speakers include cameras that can be used to video-conference or chat with friends and family.  Just as the device can listen without one’s knowledge or consent, with a camera, it may secure visual recordings as well.  And so, to avoid unintended data collection, it may be a good practice to deactivate the camera when not in use.

Vulnerability to Hackers – Like any other computer/smart device, smart speakers and their software are susceptible to hackers.  Deactivating the camera and microphone when not in use is good practice to minimize vulnerability to hackers.  For those who desire additional safeguards, consider covering the camera or unplugging the device when not in use.  Although these protective measures take away from the convenience of the technology, it may be a precaution worth considering.

Personal Information – Some smart speakers and voice activated software can be used to pay bills, transfer money, check balances, etc.  However, this functionality requires users to provide the smart speaker access to their confidential banking information.  Due to the various privacy issues mentioned above and discussed in the California class action, using the speakers for banking and similar tasks introduces an additional layer of potential risk because now, your financial information (not just your kitchen conversations) may be accessible to hackers who infiltrate the software on the device.

Many of us welcome new technology to make our daily lives more convenient.  In seeking this convenience, however, we must also be mindful of the attendant privacy risks.  And so, before you enter your kitchen and ask, “Hey Google, what time is it?” understand people may be watching and listening.

* The “hotwords” or “wake words” that call Google Assistant to attention are commonly “Okay Google” or “Hey Google.” And, for the Amazon Echo, the wake word is usually, “Alexa.”

** In In re Google Assistant Privacy Litigation, the class, consisting of purchasers of any Google Assistant-enabled device, brought various privacy violation claims under both federal and California state law.

*** For a full recitation of the facts at issue in the lawsuit, consult In re Google Assistant Privacy Litigation.  Briefly stated, however, the class brought suit because the various smart speakers were recording and storing audio when they “heard” what they thought was (but actually was not) a “hotword” or “wake word.”  And so, unintended activations, known as “false accepts,” were resulting in recordings and transcripts that the end-user never intended to be recorded.  And, rather than delete the recordings and transcripts generated by “false accept” activations, Google used them for its own purposes, as if they were authorized recordings.  Additionally, plaintiffs alleged that many of the recordings obtained by Google contained conversations of children who could not consent to being recorded.  Amazon has been the subject of similar lawsuits concerning its Amazon Echo device (see https://nypost.com/2019/06/13/amazon-sued-for-recording-childrens-voices-via-alexa/).

Have questions?  Please contact me at kcole@farrellfritz.com.

Thank you to Kyle Gruder, a commercial litigation associate in the Firm’s Water Mill office, for his research assistance related to today’s blog.

 

Give up?  Each recently made headlines in connection with ransomware — a form of malware that encrypts a victim’s electronic files.  The attacker then demands a ransom – typically payable in bitcoin – from the victim to restore access to the data upon payment.*

In fact, in the span of one week, the Texas Office of Court Administration announced that the online Court network had fallen victim to ransomware, which caused the Court website and case management system to be disabled temporarily,** and a prominent New York law firm, Grubman Shire Meiselas & Sacks, was also the victim of a ransomware attack.  The cybercriminals who attacked Grubman Shire claim they stole highly confidential information of the firm’s high-profile clients; they also threatened to release that information unless paid $42 million in ransom.***

These cyberattacks come at an inopportune time, as courts and law firms have become increasingly reliant on virtual and electronic means of conducting business during the current pandemic.  Although no evidence suggests these attacks were the result of the recent increase in remote work, the attacks serve as a good reminder that we all must remain vigilant and implement as many defensive steps as possible to prevent ransomware infection.

Below are some helpful ways to protect yourself and your employer from cyberattacks:

  • Keep your operating system patched and up to date to ensure you have fewer vulnerabilities to exploit.
  • Exercise caution when opening emails, even if you believe they are from a known source.  And, if you receive an email that seems unusual or is from an unfamiliar sender, consider deleting it, or reporting it to your information technology department.  Under no circumstances should you click any links or open any attachments in the email.
  • Install antivirus software, which detects malicious programs like ransomware, and whitelisting software, which prevents unauthorized applications from executing.
  • And, back up your files frequently!  While this will not prevent a malware attack, it can minimize the damage that results from an attack.

In addition to the tips above, prior posts provide more detailed information:

Have questions?  Please contact me at kcole@farrellfritz.com.

*There are a number of ways in which ransomware can access a computer.  One of the more common delivery systems is phishing spam – an email or attachment that masquerades as a file the email recipient should trust.

**See https://www.washingtonpost.com/national/texas-high-courts-hit-by-ransomware-attack-refuse-to-pay/2020/05/12/f4d35fa4-948f-11ea-87a3-22d324235636_story.html.

***The firm, which specializes in entertainment and media law, represents many high profile celebrities, including Lady Gaga, Madonna, and LeBron James.

As we continue to conduct business virtually, non-traditional means of document execution are becoming increasingly popular. It is critical, however, to understand the laws and requirements associated with these non-traditional means so that a document that is electronically signed or remotely notarized enjoys the same legal validity and effect as if signed or attested to in person.

In New York, electronic signature laws have long been in place.  The current realities of remote business, however, have required more frequent electronic execution of documents.  Because electronic execution requirements vary among states and differ from their federal counterpart, it is important to consult the laws of the jurisdictions that may govern the document, especially when the parties sign the same document in different jurisdictions.

The operative law in New York is the Electronic Signatures and Records Act (“ESRA”), which permits electronic signatures on various legal documents, with limited exceptions.  The federal counterpart to ESRA is the Electronic Signatures in Global and National Commerce Act (“ESIGN”).  Generally speaking, provided that the signer(s) demonstrate a proper intent and no other defect exists, the electronic signature gives the document the same legal validity and effect as if it were signed by hand.

Less common among states are laws allowing for the remote and electronic notarization of documents.*  Prior to the COVID-19 pandemic, only a handful of states permitted remote notarization of documents.  Many states, including New York, required the signer and notary to be physically present together when the document was signed, as well as the notary’s hand-written signature on the document.  This changed when New York Governor Andrew Cuomo issued Executive Order Number 202.7 (“E.O. 202.7”).  Recently extended through June 6, 2020, E.O. 202.7 temporarily permits the remote notarization of documents subject to various conditions set forth therein.  For example, the virtual meeting must allow for direct interaction between the signer and the notary, the signer must be physically present within the State of New York, and the notary must notarize the original signed document within thirty days of its execution.  Notably, E.O. 202.7 does not permit a notary to electronically sign a document (see Footnote *).  Rather, after the signatory transmits an electronic copy of the executed document to the notary, the notary must sign that copy by hand and transmit a notarized copy back to the signatory.  Like the laws governing electronic signatures, the temporary measures allowing for remote notarization also vary by state.  And so, it is critical to understand the laws of your jurisdiction before remotely notarizing a document.

As we move forward into reopening and the new realities attendant thereto, it will be important to remain aware of the laws associated with these remote/electronic methods, including whether E.O. 202.7 is further extended.

Have questions?  Please contact me at kcole@farrellfritz.com.**

*Do not confuse remote notarization with electronic notarization.  Remote notarization involves notarizing a document when the signatory and notary are not physically present in the same location.  Electronic notarization is the use of a notary’s electronic, rather than hand-written, signature on the document.

**Thank you to Kyle Gruder, a commercial litigation associate in the Firm’s Water Mill office, for his research assistance related to today’s blog.