In a few short weeks, the global loss attributable to cybercrime is expected to surpass $6 trillion.*  Therefore, in an effort to protect financial institutions and consumers from further loss, agencies including the United States Securities and Exchange Commission (A Cybersecurity Wake Up Call: SEC Sanctions Eight Firms for Cybersecurity Deficiencies) and the United States Department of the Treasury Financial Crimes Enforcement Network (“FinCEN”), are prioritizing cybersecurity enforcement actions and offering guidance on how to detect and report suspicious ransomware attacks (Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments) (the “Advisory”), respectively.

The chilling factual predicate for the Advisory involves a marked increase in both cybercriminal activity and the sophistication of ransomware methods used by criminals who have successfully attacked critical U.S. infrastructure. In its effort to educate financial institutions about identifying cyberattacks, the Advisory offers 12 financial “red-flag indicators” including: (i) detecting IT enterprise activity (i.e., malicious cyber activity), which is connected to ransomware cyber indicators (e.g., suspicious registry or system file changes); (ii) awareness that a payment is in response to a ransomware incident; (iii) a customer’s convertible virtual currency (“CVC”) address being connected to ransomware-related activity; (iv) an irregular transaction between an entity in a high-risk sector (e.g., government, financial, healthcare) and cyber insurance companies (“CIC”); (v) receipt of funds by a CIC or incident response company that sends the equivalent amount to a CVC exchange; (vi) a customer who shows limited knowledge of CVC, yet requests information or purchases CVC; (vii) a large CVC transaction sent by a customer with limited history of CVC transactions; (viii) a customer who has not registered with FinCEN as a money transmitter, but who appears to be executing offsetting transactions between various CVCs; (ix) a customer using a foreign-located CVC exchanger in a high-risk jurisdiction; (x) a customer receiving CVC from an external wallet and immediately initiating multiple trades with no apparent related purpose; (xi) a customer initiating a transfer of funds through a “mixing service” (i.e., a mechanism used to launder ransomware payments); and (xii) a customer using an encrypted network to communicate with the recipient of a CVC transaction.

Additionally, the Advisory provides updated guidance relevant to a financial institution’s obligation to file suspicious activity reports (“SARs”).   For example, the Advisory updates an October 2020 advisory to include an obligation to identify and immediately report any suspicious transactions associated with ransomware attacks. The importance of complying promptly with this new reporting obligation cannot be overstated because, according to FinCEN, ransomware attacks are serious and evolving and “require immediate attention.”   Similarly, information sharing among financial institutions about attacks, attempted attacks, and vulnerabilities is invaluable for preventing future attacks. And, financial institutions need not worry that such information sharing would run afoul of confidentiality requirements, as Section 314(b) of the USA Patriot Act explicitly permits financial institutions, upon notice to the Department of the Treasury, to share information with one another in order to identify and report suspicious activities.


As the Advisory suggests, financial institutions must take an active role in detecting and reporting ransomware attacks if we are going to thwart further ransomware attacks. An advisable first step for financial institutions is to update cybersecurity policies to include these “red-flag indicators” and require personnel to file SARs immediately, especially those associated with ransomware attacks. And so, as noted by the Advisory, “[p]roactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency is … the best defense against ransomware.”

* Cybercrime to Top $6 Trillion in 2021, According to Cybersecurity Ventures

** The Advisory notes a 42 percent increase in cyber-crime compared to 2020 and observes the new and more savvy methods include (i) extortion schemes; (ii) anonymity-enhanced cryptocurrencies (e.g., Bitcoin); (iii) unregistered convertible virtual currency (“CVC”) “mixing” services (i.e., a mechanism used to launder ransomware payments); and (iv) the use of “fileless” ransomware, which embeds malicious code directly into a computer’s memory, allowing cybercriminals to circumvent antivirus and malware defenses.

*** Because financial institutions are involved with processing ransom payments to cybercriminals, the institutions themselves are becoming more vulnerable to attacks.

**** During the November 8, 2021 arrest of two cybercriminals for a series of ransomware attacks on Kaseya, a multi-national information technology software company, Deputy Attorney General Lisa Monaco stated that the FBI was able to identify the two cybercriminals because Kaseya acted “almost immediately after [it] was hit” by the ransomware attacks (Attorney General Merrick B. Garland, Deputy Attorney General Lisa O. Monaco and FBI Director Christopher Wray Deliver Remarks on Sodinokibi/REvil Ransomware Arrest).

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.

Have questions?  Please contact me at



For some, discovery is merely a necessary evil in the litigation process.  And so, it should come as no surprise that the discovery process is often rife with gamesmanship.  A recent decision reminds practitioners, however, that discovery is meant to be cooperative, and gamesmanship – especially repetitive and intentional gamesmanship – may be met with “death penalty sanctions” (Heslin v Jones, 2021 WL 4571198 [Tex Dist, Travis County, Sept. 27, 2021]).


The facts of the underlying litigation are not relevant.  Rather, defendants’ flagrant refusal to comply with their discovery obligations is what warrants discussion.  On October 18, 2019, the Court ordered expedited discovery, including written discovery and depositions, to be conducted with respect to a particular cause of action. For two months defendants failed in “numerous respects” to comply with the Court’s order, necessitating motion practice.  On December 20, 2019, the Court held “[d]efendants in contempt for intentionally disobeying [a discovery] order” (“Order”), but reserved “all additional remedies” based on defendants’ representations that they would promptly remediate any discovery deficiencies.  Defendants, however, reneged on their promise.

In response, the Court entered a default judgment on liability as against defendants.  In issuing this severe sanction, Justice Gamble detailed defendants’ history of contumacious and intentional discovery failures and concluded that the imposition of “lesser remedies…would be inadequate in light of the history of the Defendants conduct in this court” given the reality that “judicial admonishments, monetary penalties, and non-dispositive sanctions have all been ineffective at deterring the [discovery] abuse” and “general bad faith approach to litigation” engaged in by defendants.  Therefore, because lesser sanctions had proven ineffective when previously ordered, the Court determined that anything shy of the default judgment on liability “would not adequately serve to correct the Defendants’ persistent discovery abuses” and “unwarranted disregard for the Court’s authority.”


Although this case illustrates egregious discovery misconduct, it serves as an important reminder that discovery gamesmanship and win-at-all-costs tactics will not be tolerated during the discovery process.  And where, as here, the games are indicative of a bad faith approach to litigation, judges can, and will, reach into their arsenal and impose significant sanctions.

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.


The U.S. Securities and Exchange Commission (“SEC”) recently identified cyberthreats as an enforcement priority (see 2021 Examination Priorities).  Within months of the Commission’s announcement, the Commission brought three enforcement actions* which resulted in sanctions against eight investment advisory firms that failed to report cyber-related attacks, failed to adopt, or failed to implement proper cybersecurity policies in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”).**

In each of the three matters, the various firms had their email accounts compromised, causing customer data – including personally identifiable information – to be exposed.  A common thread tying the breaches together was that the firms’ compromised email accounts failed to comply with firm policy (i.e., did not implement multi-factor authentication despite policy requirements or recommendations to implement)*** and the firms’ respective responses to the breaches were insufficient according to the Commission.  In exchange for agreeing to cease and desist from future violations of the charged provisions, the firms paid penalties of between $200,000 and $300,000.

A mid-year report on the state of cybercrime, conducted by a cyber investigation response team, revealed that over 70% of ransomware attacks targeted organizations with over $1 billion in revenue.****  In addition, a recent survey conducted by the U.S. Small Business Administration found that “88% of small business owners felt their business was vulnerable to a cyberattack.”*****  These statistics suggest that cybercriminals more often take a “go big or go home” approach presumably to secure a maximum ransom payment through each cyberattack.  And so, it is crucial that companies focus on having and implementing cybersecurity policies, such as (a) an Incident Response Plan, which outlines instructions on how to respond to and resolve data breaches; and (b) a Cyber Liability Insurance Policy, which covers costs associated with data breaches, including lost income due to a cyberattack.  By doing so, companies can avoid the business, financial, and reputational risks posed if they fall prey to a cyberattack.

*Matter of Cetera Advisor Networks LLC et al., SEC 1940 Act Release No. 5834 [Aug. 30, 2021]; Matter of Cambridge Investment Research, Inc. et al., SEC 1940 Act Release No. 5839 [Aug. 30, 2021]; Matter of KMS Financial Services, Inc., SEC 1940 Act Release No. 5840 [Aug. 30, 2021].

**The Safeguards Rule requires registered broker-dealers and investment companies to adopt written policies and procedures reasonably designed to “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial hardship or inconvenience to any customer.”

***See The Invaluable Benefits of Multi-Factor Authentication

****See First Half of 2021 Sees Triple Digit Rise in Cybercrime

*****See Stay Safe From Cybersecurity Threats

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.


When confronted with an issue of first impression – how to authenticate text messages – the Colorado Court of Appeals chose not to reinvent the wheel.  Rather, it wisely borrowed from the Federal Rule of Evidence (“FRE”) 901.

Factual Background

In People v Heisler, the defendant and victim had been romantically involved.  They remained in touch after they broke up but eventually, the victim began dating another person and requested Heisler stop texting her.

Heisler ignored the victim’s request and continued – with increasing frequency – to text and write letters to the victim, who did not respond or reciprocate.  Approximately nine months later, uninvited and unannounced, Heisler traveled from his home in Florida to the victim’s doorstep in Colorado. The victim called the police and Heisler was charged with felony stalking and harassment.

At trial, the court admitted into evidence Heisler’s text messages to the victim. Ultimately, Heisler was found guilty of harassment but acquitted of the stalking charge. Heisler appealed, arguing the court’s decision to admit his text messages was error as the text messages were not properly authenticated under CRE 901(a).*

The Two-Step Process

In upholding the trial court’s decision to admit into evidence the text messages, the appellate court noted the burden to authenticate evidence is low, and requires a prima facie showing only. Then, after considering a two-leveled approach used to authenticate emails and social media posts,** the appellate court propounded the following two-step process to authenticate text messages:

Step 1: A witness with personal knowledge must testify that printouts of the text messages accurately reflect the content of the text messages; and

Step 2: A witness with personal knowledge must provide testimony establishing the identity of the purported sender of the text message.

Seems simple, right?  Not really.  How, for example, do you establish the “identity of the purported sender?” Fortunately, the appellate court identified four methods and held the proponent must establish at least two of the four methods:

(a) the phone number was assigned to or associated with the purported sender;

(b) the substance of the text message(s) was recognizable as being from the purported sender;

(c) the purported sender responded to an exchange in such a way as to indicate circumstantially that he or she was in fact the author of the communication; and/or

(d) any other corroborative evidence under the circumstances.

In Heisler, the victim satisfied Step 1 when she testified she recognized the pictures of the text messages and that they were a fair and accurate depiction of the texts she personally received.  The victim satisfied Step 2(a) when she testified she recognized the phone number as belonging to Heisler because that was the number she used to communicate with him.  Finally, the victim satisfied Step 2(b) when she testified she recognized the content of the text messages as being from Heisler.

Interestingly, Heisler did not object that the text messages were not his or that the printouts were not accurate. Rather, Heisler objected to the text messages because the victim had deleted her responses to his messages.

The appellate court was unpersuaded, stating that the prosecution established the printouts accurately reflected the content of the messages the victim received and that Heisler authored the text messages. The court further reasoned that the text messages were admitted as evidence of texts the victim received from Heisler, not as evidence of a conversation between the two. Thus, the text messages were properly authenticated.


Text messages, like any other evidence, must be authenticated to be properly admitted into evidence.  Now, practitioners in Colorado state court, like those in the federal courts and countless other state courts, can rest soundly knowing that the process of authenticating text messages involves a fairly straightforward two-step process.

* CRE 901(a) requires that the evidence be sufficiently authenticated by the proponent and authentication “is satisfied by evidence sufficient to support a finding that the [evidence] in question is what its proponent claims [it to be].”  FRE 901(a) states the same.

** Under CRE 901, an e-mail and a social media post may be authenticated (1) through the testimony of a witness with personal knowledge that the e-mail is what it is claimed to be or (2) “through consideration of distinctive characteristics shown by an examination of [the] contents and substance” of the e-mail under the circumstances of the case (see People v Bernard, People v Glover).

Thank you to second year associate, Jaclyn Ruggirello in the Firm’s Uniondale office, for her research assistance related to today’s blog.


It is estimated that more than 100 million people are wearing an Apple Watch* and another approximately 31 million people are using the Fitbit.** It is further predicted that sales and use of these devices will continue to grow. And so, as people increasingly look for wearables that both “make technology more personal” and include a “cool factor”*** we are reminded that wearables are a repository of information (The Document Demand That Seeks Electronically Stored Information) that could be discoverable in a litigation depending on the relevance of the data.  The Bartis case, pending in the Eastern District of Missouri, is an interesting decision on point. (Bartis v. Biomet, Inc., 2021 WL 2092785 [E.D. Mo. May 24, 2021]).

In Bartis, multiple plaintiffs alleged they sustained personal injuries, including permanent mobility issues, as a result of the implantation of an artificial hip manufactured by Biomet, Inc. (“Biomet”).  During discovery, plaintiff Guan Hollins (“Hollins”) advised, in response to an interrogatory, that he continuously wore a Fitbit to track his number of steps, heart rate, and sleep.  As a result, defendants demanded Hollins produce “all data from the Fitbit and any other wearable device or other fitness tracker.”  Hollins objected, claiming such data was “unreliable” because he began wearing the Fitbit after revision surgery removing the Biomet artificial hip.

Defendants filed a motion to compel the production of Hollins’ Fitbit data, arguing the data was relevant to Hollins’ alleged permanent, physical injuries resulting from implantation of Biomet’s defective artificial hip.  In opposition, Hollins claimed the request was a “fishing expedition” and reiterated his objection that the data was unreliable.

The Court ordered Hollins to produce the demanded data.  Noting, specifically, that Hollins had provided inconsistent responses as to whether he experienced difficulty or pain walking/jogging due to the alleged defective hip implant, the Court found Biomet’s demand for Fitbit data was hardly a fishing expedition where, as here, the data was relevant and could reveal whether Hollins was walking or jogging substantial distances.  Further, the Court rejected Hollins’ argument that the Fitbit data was unreliable, stating that this argument went to the admissibility and weight of the data.

Although Judge Ross aptly observed there was “surprisingly little precedent” involving wearable devices, there can be no doubt that these wearable devices – and the data they store – are here to stay.  Therefore, the next time you issue a litigation hold or craft a document demand, you should consider the various wearable devices that may be repositories for potentially relevant information.

*There are more than 100 million people wearing an Apple Watch, says analyst

**Fitbit Revenue and Usage Statistics (2021)

***There are more than 100 million people wearing an Apple Watch, says analyst


A prior post (Keyword Searching – What is it? And How Do I Do It (Well)?) offered some tips for crafting effective search terms for use in the e-discovery process. Although those tips still hold true, today’s blog offers ways to utilize an ESI protocol to promote a more seamless electronic search process.*

An ESI protocol is intended to allow parties to agree on, among other things, how data will be accessed and produced in connection with a litigation. As part of the protocol, parties should negotiate the process for crafting search terms, identifying the universe of data to be searched, and validating search term results. Critical to the negotiation process is understanding that the goal is to discover data that will support the party’s arguments at summary judgment or trial.

Tip 1: Let the party with the data determine the best search terms.

It is common practice for the requesting party to propose search terms. However, this often means that the attorney, with more limited facts than the party in possession of the data, is left to guess at search terms that are likely to identify potentially responsive data. And so, it may be valuable to incorporate into one’s ESI protocol a mechanism that allows the responding party to propose initial search terms based on each document request. After all, it is the responding party who has access to the data and the custodians and who, therefore, may be best situated to understand which search terms to use.  Because the process is an iterative one, the parties can meet and confer to discuss refinement and iterations as necessary (see Tip 3).

Tip 2: Tailor your search terms to the type of system and data being searched. 

When formulating an ESI protocol, it is important to identify the data to be searched. For example, are the search terms being run across a party’s entire network? Only e-mail servers? Text messages?

Knowing the data to be searched will also help inform a party’s search terms. For example, communication styles differ between formal work emails and informal messaging applications like Skype for Business. And so, search terms should be tailored to reflect these distinctions.

Tip 3: Detail how the iterative process will work.  

An adversary may contend you have but a single bite at the search term apple.  But, no matter how deliberate the initial bite is, revisions are almost always necessary. And so, to afford your client the greatest protection against an adversary who refuses to permit revisions, be sure to delineate an iterative process in your ESI protocol. This process may include iterative sampling, measurement of results, and validation that the technology worked as expected.

Tip 4: Keep the final product in mind.

Throughout the often tedious process of crafting search terms, be sure not to lose sight of the ultimate goal—how will I use the data at summary judgment or trial? Take into consideration how the data will physically look, fit together to form cohesive evidence, and best support your arguments. Thinking about how discovered data will be presented to a judge or jury should inform your decisions when crafting search terms and your ESI protocol.

*For clarity, today’s blog discusses search terms in connection with processing and reviewing data, not identifying data for preservation.

Thank you to second year associate, Jaclyn Ruggirello in the Firm’s Uniondale office, for her research assistance related to today’s blog.


The need to input a username and password when logging into a computer is a “single factor” authentication. But, from a security perspective, that single factor authentication only goes so far. Consider, for example, the ramifications if a hacker steals or guesses your username and password. What information could be compromised?

For law firms, cybercrime and data breaches have become a major concern because of the confidential and sensitive information lawyers have access to and often store on their computers.* Recently, the New York City Law Department, a 1,000-lawyer agency responsible for representing the City of New York and guarding the personal information for thousands of city employees, was snakebit by a cyber-attack. The cause of the cyber-attack was a stolen email password from a Law Department employee. The aftermath, however, has been devastating in many respects.  First, attorneys for the Law Department have been unable to access files.  This in turn has necessitated requests for adjournments and compromised counsel’s ability to zealously represent its clients. Second, the security lapse revealed the Law Department was alarmingly disorganized in its handling of confidential information, such as clients’ medical records. Third, as a result of the hack, the Law Department’s Chief Information Technology Officer was reassigned and replaced.

Regrettably, the incident may have been avoidable.  Indeed, the Law Department was sluggish in maintaining its network’s systems and failed to comply with a 2019 directive from New York City’s Cyber Command Division to implement multi-factor authentication on all systems. Specifically, multi-factor authentication requires a user to enter multiple credentials to verify their identity within a system. Multiple factors may include confirmation of (a) something known to the user (password); (b) something a user possesses (phone or code); or (c) other personal identifiers (biometrics or voice recognition).  The benefit of implementing multi-factor authentication is rudimentary in nature, as increasing the number of layers of security will decrease the likelihood of cyberattacks.  For example, had the Law Department implemented multi-factor authentication prior to the breach, the cyber-criminal would have needed the employee’s password and cell phone to access the network.  Further, multi-factor authentication can protect a law firm’s network from more sophisticated cyberattacks such as phishing.**

In sum, with many law firms still working remotely, improving the security of a firm’s network may feel like a moving target.  Nevertheless, as the title of this blog post suggests, implementing multi-factor authentication will not only help law firms protect clients’ interests, but also save them the embarrassment of spending a significant amount of money and time to resolve a preventable disruption.

*An October 2020 American Bar Association report found 29% of law firms reported a security breach, with 36% reporting past malware infections to their systems.

** See Rise of Mobile Phishing Scams; Phishing Risks Associated with Social Media

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.




We have heard it many times before – document review in today’s e-ubiquitous world is expensive.  But imagine a client’s surprise when it learns an already expensive litigation task was plagued by associate over-billing.

According to a recent complaint filed with the Illinois Attorney Registration and Disciplinary Commission (“IADRC”) (see In the Matter of Stephanie Alexandra Gerstetter), an associate litigation attorney at Reed Smith, LLP, Stephanie Gerstetter (“Gerstetter”), was assisting a more senior associate with two separate document review projects.  Specifically, Gerstetter was tasked with using the software program Relativity to analyze and code for production digitally stored documents.  Unbeknownst to Gerstetter, Relativity was tracking and logging the time she spent reviewing documents.

In June 2020, Reed Smith performed an internal inquiry into Gerstetter’s billing practices, and learned Gerstetter billed materially more time to the two document review projects than Relativity indicated she invested in conducting the review.  Specifically, the complaint alleges that for a document review in August 2019, Gerstetter billed 29.2 hours despite logging only 23.5 hours in Relativity; and for a second project in March 2020 Gerstetter “recorded billing entries on 49 separate days totaling 197.7 hours of purported time that she claimed to have spent reviewing and coding documents” but “only worked 33 separate days totaling 113.1 hours.”*  As a result of Gerstetter’s overbilling, Reed Smith billed its client for approximately $42,000 of legal services Gerstetter never performed.**


While the need for accurate time keeping cannot be overstated, this case is an interesting reminder of that obligation.  Moreover, in a world where attorney compensation and success are often judged by productivity and the billable hour, it is critically important that firms, too, comply with their responsibility to monitor attorney billing practices to avoid ethical pitfalls and malpractice issues, obligations attendant to time keeping and billing entries.

*The complaint asserts one claim against Gerstetter for “Creation of False Billing Entries, Charging and Collecting Unreasonable Fees” and cites violations of Rules 1.5(a) (Fees) and 8.4(c) (Misconduct) of the Illinois Rules of Professional Conduct.

**Reed Smith offered a refund or a credit to its client.


Bursztein v Best Buy Stores, L.P., (2021 WL 1961645 [SD NY 2021]) involves a personal injury lawsuit arising from plaintiff Perla Bursztein’s slip and fall accident in a New York City Best Buy store.

During discovery, Bursztein requested: (i) video surveillance footage of the accident; (ii) maintenance and repair records for the location of the accident; and (iii) Best Buy’s customer safety policy. In response, Best Buy produced two documents, interposed boilerplate specific objections to Plaintiff’s requests and claimed it did not maintain surveillance footage of the accident and other critical records.

However, this claim was at odds with deposition testimony provided by Spencer Stanfield (“Stanfield”), the general manager of the store where the accident occurred, who testified repair and maintenance requests were logged on a Facilities’ Request System and surveillance footage of the incident had been preserved by him. And so, Plaintiff served post-deposition demands seeking the surveillance footage and the relevant entries on the Facilities’ Request System.  Best Buy, however, responded with the same boilerplate objections as previously interposed and further stated it no longer had possession of the requested materials.

Fatigued by Best Buy’s discovery games, Plaintiff filed a Rule 37 motion seeking sanctions against defendants for failure to comply with discovery obligations and spoliation of evidence. In opposition, Best Buy submitted an affidavit from Stanfield, claiming he misunderstood at deposition the question concerning the video footage.

Finding Rule 37(e) the “sole source” to address the loss of relevant ESI, the Court observed sanctions are appropriate when (a) there was anticipated or actual litigation triggering the duty to preserve ESI; (b) the relevant ESI should have been preserved at the time the litigation was anticipated or ongoing; (c) the ESI must have been lost because a party failed to take reasonable steps to preserve it; and (d) the lost ESI cannot be replaced through other discovery.

Ultimately, the Court granted Plaintiff’s motion and held she was entitled to the fees and costs associated with the motion and “permitted to present evidence at an eventual trial regarding the spoliation of liability-related ESI.”  In concluding sanctions were appropriate, the Court noted that Best Buy: “thwarted and disrupted discovery throughout the life of this case” by using dilatory and obstructive tactics; “repeatedly flouted their discovery obligations, failed to promptly communicate with opposing counsel, and repeatedly lodged baseless boilerplate objections to Plaintiff’s discovery requests;” and engaged in nothing short of a “paradigm of discovery abuse.”  Further, given the conflict between Stanfield’s deposition testimony and his affidavit, the Court concluded that video surveillance of the incident likely existed at one point and that Best Buy failed to preserve relevant ESI.

This decision serves as an important reminder that preservation obligations and discovery obligations must be taken seriously.  Indeed, as more and more decisions are demonstrating, there is no room for boilerplate objections, discovery games, or negligent/willful failures to preserve potentially relevant ESI.

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.


Riddle me this:  Is a document that resides on your network and which you embed in an email via a hyperlink the functional equivalent of an attachment to that email?

Magistrate Judge Katherine H. Parker, in a recent decision out of the Southern District of New York (Nichols v. Noom, Inc., No. 20-CV-3677 (LGS) (KHP) (S.D.N.Y. Mar. 11, 2021)), holds hyperlinked documents are not attachments.


The Nichols case is a class action lawsuit involving allegations of a “deceptive and illegal automatic renewal scheme” for Noom’s weight-loss service.  As part of the discovery process, the parties agreed to an ESI protocol that authorized Noom to use Google Vault as the mechanism for collecting documents and emails from its Google Drive and Google Mail accounts.

In reviewing documents, plaintiffs realized Noom employees used hyperlinks to reference internal documents rather than downloading a copy of that document and attaching it to their email.  According to Plaintiffs, this practice precluded them from understanding the family association among produced documents (i.e., the production lacked metadata associating the hyperlinked documents with the transmittal email).  And so, notwithstanding the ESI protocol in place, plaintiffs requested the Court direct Noom to re-collect the potentially responsive data using a different vendor so that “hyperlinked documents [were] pulled as part of the document ‘family.’”

In opposition, Noom claimed “hyperlinks are not attachments.”  Noom further argued it was producing all of the linked documents and a re-collection, which carried a $180,000 cost, would be disproportional.

Hyperlinked Documents Are Not Attachments

The Court ruled in Noom’s favor and held that hyperlinked documents are not the same as attachments.  Specifically, the Court opined that an attachment, unlike a hyperlinked document, is “a necessary part of” the email.  In support of this conclusion, the Court cited various illustrative examples of when a hyperlink would not be relevant (e.g., a phone number, another part of the document). The Court went on to conclude that because hyperlinked documents are not the equivalent of an attachment, family associations among emails and hyperlinks are not critical.  The Court further found that the existing procedure – which involved the production of all hyperlinked documents with plaintiffs reserving the right to request any hyperlinked documents they could not locate in the production – was sufficient.

This decision is interesting.  Many businesses – like Noom – link to internal documents rather than downloading and attaching that document to the email communication at issue.  And so, there is an argument that a hyperlinked document is the functional equivalent of an attachment and is, therefore, a necessary part of the communication.  If you accept that premise, then one would presumably want to understand the relationship between the transmittal email and the hyperlinked document.  Given the increasing use of hyperlinks, it is only a matter of time until other Courts weigh in on this issue.
