Ephemeral messaging applications are considered solutions for data protection and privacy concerns (Blink, And I’m Gone: E-Discovery Challenges and Considerations With Ephemeral Messaging).  However, courts are wary of ephemeral messaging applications given they can empower a litigant to avoid discovery obligations.  A recent decision from the District Court for the District of Arizona details the consequences of improperly using ephemeral messaging applications (Fed. Trade Comm’n v Noland, 2021 WL 3857413 [D. Ariz. Aug. 30, 2021]).

Background

The Federal Trade Commission (the “FTC”) was conducting an investigation into the operations of Success By Health (“SBH”) and its principals James Noland (“Noland”), Thomas Sacca (“Sacca”), and Scott Harris (“Harris”).  On May 16, 2019, Noland learned, through the inadvertent disclosure of a bank subpoena, of the FTC’s investigation.  Soon thereafter, Noland, Sacca, Harris and SBH’s employees began using – at Noland’s direction – two messaging applications for the purpose of discussing important SBH business.  The first application, Signal, is a mobile messaging application with automated deletion functionality; and the second application, ProtonMail, is an encrypted email service provider.

On May 29, 2019, after learning that its investigation had been disclosed, the FTC instructed SBH, Noland, Sacca and Harris to “suspend any ordinary destruction of documents, communications and records.”  At the conclusion of the investigation, on January 8, 2020, the FTC filed a lawsuit against SBH, Noland, Sacca and Harris (collectively “Defendants”), alleging Defendants operated an illegal pyramid scheme and made false statements to consumers.  Soon thereafter, the FTC obtained a temporary restraining order (“TRO”) and the appointment of a receiver to operate SBH.  Pursuant to the TRO, Defendants were required to transfer to the receiver control of all methods for handling communications.  Defendants, however, failed to disclose the existence of Signal or ProtonMail. It was not until October 2020 that the FTC learned Defendants had used Signal and ProtonMail as means to communicate.

The FTC promptly filed a motion for sanctions pursuant to FRCP 37(e)(2), arguing Defendants intentionally spoliated documents when they migrated SBH’s communication platform to Signal and ProtonMail, and did so only after the duty to preserve arose.  In opposition, Defendants argued the decision was caused by security concerns presented by a former employee and his fellow saboteurs.

Analysis

As highlighted by the Court, FRCP 37(e) was “completely rewritten in 2015 to provide[] a nationally uniform standard for when courts can give an adverse inference instruction… to remedy the loss of ESI.”  Specifically, a party seeking sanctions under FRCP 37(e)(2) must first show “(1) the ESI should have been preserved in the anticipation or conduct of litigation; (2) the ESI is lost because a party failed to take reasonable steps to preserve it; and (3) the ESI cannot be restored or replaced through additional discovery” (Noland, 2021 WL 3857413, at *6).  If each of these elements is satisfied, courts then determine whether the nonmovant “acted with the intent to deprive another party of the information’s use in the litigation” (id.).

Here, the Court concluded that the FTC easily carried its burden in showing that “Defendants acted with the intent to deprive the FTC of the information contained in the Signal and ProtonMail messages.”  According to the Court, “the most decisive factor” in reaching this conclusion was the timing of Defendants’ migration to Signal and ProtonMail.  Further, the Court rejected Defendants’ argument that the use of these applications was in response to security concerns, as Defendants failed to provide any evidence that SBH was being hacked, or threatened.  As a result of Defendants’ systematic efforts to destroy relevant communications through Signal and ProtonMail, the Court granted the FTC’s motion for sanctions and granted the FTC an adverse inference instruction that the deleted Signal and ProtonMail communications were relevant to the litigation and supportive of the FTC’s position.

Conclusion

While ephemeral messaging technologies may be ideal security solutions, companies must avoid implementing such technologies if a duty to preserve has been triggered or is ongoing.  Therefore, when advising a client about messaging applications, it is critical to be conversant with the client’s data retention policies and active litigation holds, if any.

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.

In a few short weeks, the global loss attributable to cybercrime is expected to surpass $6 trillion.*  Therefore, in an effort to protect financial institutions and consumers from further loss, agencies including the United States Securities and Exchange Commission (A Cybersecurity Wake Up Call: SEC Sanctions Eight Firms for Cybersecurity Deficiencies) and the United States Department of the Treasury Financial Crimes Enforcement Network (“FinCEN”), are prioritizing cybersecurity enforcement actions and offering guidance on how to detect and report suspicious ransomware attacks (Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments) (the “Advisory”), respectively.

The chilling factual predicate for the Advisory involves a marked increase in both cybercriminal activity and the sophistication of ransomware methods used by criminals who have successfully attacked critical U.S. infrastructure. In its effort to educate financial institutions about identifying cyberattacks, the Advisory offers 12 financial “red-flag indicators” including: (i) detecting IT enterprise activity (i.e., malicious cyber activity), which is connected to ransomware cyber indicators (e.g., suspicious registry or system file changes); (ii) awareness that a payment is in response to a ransomware incident; (iii) a customer’s convertible virtual currency (“CVC”) address being connected to ransomware related activity; (iv) an irregular transaction between an entity in a high risk sector  (e.g., government, financial, healthcare), and cyber insurance companies (“CIC”); (v) receipt of funds by a CIC or incident response company that sends the equivalent amount to a CVC exchange; (vi) a customer who shows limited knowledge of CVC, yet requests information or purchases CVC; (vii) a large CVC transaction sent by a customer with limited history of CVC transactions; (viii) a customer who has not registered with FinCEN as a money transmitter, but who appears to be executing offsetting transactions between various CVCs; (ix) a customer using a foreign-located CVC exchanger in a high-risk jurisdiction; (x) a customer receiving CVC from an external wallet and immediately initiating multiple trades with no apparent related purpose; (xi) a customer initiating a transfer of funds through a “mixing service” (i.e., a mechanism used to launder ransomware payments); and (xii) a customer using an encrypted network to communicate with the recipient of a CVC transaction.     

Additionally, the Advisory provides updated guidance relevant to a financial institution’s obligation to file suspicious activity reports (“SARs”).   For example, the Advisory updates an October 2020 advisory to include an obligation to identify and immediately report any suspicious transactions associated with ransomware attacks. The importance of complying promptly with this new reporting obligation cannot be overstated because, according to FinCEN, ransomware attacks are serious and evolving and “require immediate attention.”   Similarly, information sharing among financial institutions about attacks, attempted attacks, and vulnerabilities is invaluable for preventing future attacks. And, financial institutions need not worry that such information sharing would run afoul of confidentiality requirements, as Section 314(b) of the USA Patriot Act explicitly permits financial institutions, upon notice to the Department of the Treasury, to share information with one another in order to identify and report suspicious activities.

Conclusion

As the Advisory suggests, financial institutions must take an active role in detecting and reporting ransomware attacks if we are going to thwart further ransomware attacks. An advisable first step for financial institutions is to update cybersecurity policies to include these “red-flag indicators” and require personnel to file SARs immediately, especially those associated with ransomware attacks. And so, as noted by the Advisory, “[p]roactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency is … the best defense against ransomware.”

* Cybercrime to Top $6 Trillion in 2021, According to Cybersecurity Ventures

** The Advisory notes a 42 percent increase in cyber-crime compared to 2020 and observes the new and more savvy methods include (i) extortion schemes; (ii) anonymity-enhanced cryptocurrencies (e.g., Bitcoin); (iii) unregistered convertible virtual currency (“CVC”) “mixing” services (i.e., a mechanism used to launder ransomware payments); and (iv) the use of “fileless” ransomware, which embeds malicious code directly into a computer’s memory, allowing cybercriminals to circumvent antivirus and malware defenses.

*** Because financial institutions are involved with processing ransom payments to cybercriminals, the institutions themselves are becoming more vulnerable to attacks.

**** During the November 8, 2021 arrest of two cybercriminals for a series of ransomware attacks on Kaseya, a multi-national information technology software company, Deputy Attorney General Lisa Monaco stated that the FBI was able to identify the two cybercriminals because Kaseya acted “almost immediately after [it] was hit” by the ransomware attacks (Attorney General Merrick B. Garland, Deputy Attorney General Lisa O. Monaco and FBI Director Christopher Wray Deliver Remarks on Sodinokibi/REvil Ransomware Arrest).

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.

For some, discovery is merely a necessary evil in the litigation process.  And so, it should come as no surprise that the discovery process is often rife with gamesmanship.  A recent decision reminds practitioners, however, that discovery is meant to be cooperative, and gamesmanship – especially repetitive and intentional gamesmanship – may be met with “death penalty sanctions” (Heslin v Jones, 2021 WL 4571198 [Tex Dist, Travis County, Sept. 27, 2021]).

Background:

The facts of the underlying litigation are not relevant.  Rather, defendants’ flagrant refusal to comply with their discovery obligations is what warrants discussion.  On October 18, 2019, the Court ordered expedited discovery, including written discovery and depositions, to be conducted with respect to a particular cause of action. For two months defendants failed in “numerous respects” to comply with the Court’s order, necessitating motion practice.  On December 20, 2019, the Court held “[d]efendants in contempt for intentionally disobeying [a discovery] order” (“Order”), but reserved “all additional remedies” based on defendants’ representations that they would promptly remediate any discovery deficiencies.  Defendants, however, reneged on their promise.

In response, the Court entered a default judgment on liability as against defendants.  In issuing this severe sanction, Justice Gamble detailed defendants’ history of contumacious and intentional discovery failures and concluded that the imposition of “lesser remedies…would be inadequate in light of the history of the Defendants conduct in this court” given the reality that “judicial admonishments, monetary penalties, and non-dispositive sanctions have all been ineffective at deterring the [discovery] abuse” and “general bad faith approach to litigation” engaged in by defendants.  Therefore, because lesser sanctions had proven ineffective when previously ordered, the Court determined that anything shy of the default judgment on liability “would not adequately serve to correct the Defendants’ persistent discovery abuses” and “unwarranted disregard for the Court’s authority.”

Conclusion:

Although this case illustrates egregious discovery misconduct, it serves as an important reminder that discovery gamesmanship and win-at-all-costs tactics will not be tolerated during the discovery process.  And where, as here, the games are indicative of a bad faith approach to litigation, judges can, and will, reach into their arsenal and impose significant sanctions.

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.

The U.S. Securities and Exchange Commission (“SEC”) recently identified cyberthreats as an enforcement priority (see 2021 Examination Priorities).  Within months of the Commission’s announcement, the Commission brought three enforcement actions* which resulted in sanctions against eight investment advisory firms who failed to report cyber related attacks, failed to adopt, or failed to implement proper cybersecurity policies in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”).**

In each of the three matters, the various firms had their email accounts compromised causing customer data – including personally identifiable information – to be exposed.  A common thread tying the breaches together was that the firms’ compromised email accounts failed to comply with firm policy (i.e., did not implement multi-factor authentication despite policy requirements or recommendations to implement)*** and the firms’ respective responses to the breaches were insufficient according to the Commission.  In exchange for agreeing to cease and desist from future violations of the charged provisions, the firms paid penalties of between $200,000 and $300,000.

A mid-year report on the state of cybercrime, conducted by a cyber investigation response team, revealed that over 70% of ransomware attacks targeted organizations with over $1 billion in revenue.****  In addition, a recent survey conducted by the U.S. Small Business Administration found that “88% of small business owners felt their business was vulnerable to a cyberattack.”*****  These statistics suggest that cybercriminals more often take a “go big or go home” approach presumably to secure a maximum ransom payment through each cyberattack.  And so, it is crucial that companies focus on having and implementing cybersecurity policies, such as (a) an Incident Response Plan, which outlines instructions on how to respond to and resolve data breaches; and (b) a Cyber Liability Insurance Policy, which covers costs associated with data breaches, including lost income due to a cyberattack.  By doing so, companies can avoid the business, financial, and reputational risks posed if they fall prey to a cyberattack.

*Matter of Cetera Advisor Networks LLC et al., SEC 1940 Act Release No. 5834 [Aug. 30, 2021]; Matter of Cambridge Investment Research, Inc. et al., SEC 1940 Act Release No. 5839 [Aug. 30, 2021]; Matter of KMS Financial Services, Inc., SEC 1940 Act Release No. 5840 [Aug. 30, 2021].

**The Safeguards Rule requires registered broker-dealers and investment companies to adopt written policies and procedures reasonably designed to “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial hardship or inconvenience to any customer.”

***See The Invaluable Benefits of Multi-Factor Authentication

****See First Half of 2021 Sees Triple Digit Rise in Cybercrime

*****See Stay Safe From Cybersecurity Threats

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.

When confronted with an issue of first impression – how to authenticate text messages – the Colorado Court of Appeals chose not to reinvent the wheel.  Rather, it wisely borrowed from Federal Rule of Evidence (“FRE”) 901.

Factual Background

In People v Heisler, the defendant and victim had been romantically involved.  They remained in touch after they broke up but eventually, the victim began dating another person and requested Heisler stop texting her.

Heisler ignored the victim’s request and continued – with increasing frequency – to text and write letters to the victim, who did not respond or reciprocate.  Approximately nine months later, uninvited and unannounced, Heisler traveled from his home in Florida to the victim’s doorstep in Colorado. The victim called the police and Heisler was charged with felony stalking and harassment.

At trial, the court admitted into evidence Heisler’s text messages to the victim. Ultimately, Heisler was found guilty of harassment but acquitted of the stalking charge. Heisler appealed, arguing the court’s decision to admit his text messages was error as the text messages were not properly authenticated under CRE 901(a).*

The Two-Step Process

In upholding the trial court’s decision to admit into evidence the text messages, the appellate court noted the burden to authenticate evidence is low, and requires a prima facie showing only. Then, after considering a two-leveled approach used to authenticate emails and social media posts,** the appellate court propounded the following two-step process to authenticate text messages:

Step 1: A witness with personal knowledge must testify that printouts of the text messages accurately reflect the content of the text messages; and

Step 2: A witness with personal knowledge must provide testimony establishing the identity of the purported sender of the text message.

Seems simple, right?  Not really.  How, for example, do you establish the “identity of the purported sender?” Fortunately, the appellate court identified four methods and held the proponent must establish at least two of the four methods:

(a) the phone number was assigned to or associated with the purported sender;

(b) the substance of the text message(s) was recognizable as being from the purported sender;

(c) the purported sender responded to an exchange in such a way as to indicate circumstantially that he or she was in fact the author of the communication; and/or

(d) any other corroborative evidence under the circumstances.

In Heisler, the victim satisfied Step 1 when she testified she recognized the pictures of the text messages and that they were a fair and accurate depiction of the texts she personally received.  The victim satisfied Step 2(a) when she testified she recognized the phone number as belonging to Heisler because that was the number she used to communicate with him.  Finally, the victim satisfied Step 2(b) when she testified she recognized the content of the text messages as being from Heisler.

Interestingly, Heisler did not object that the text messages were not his or that the printouts were not accurate. Rather, Heisler objected to the text messages because the victim had deleted her responses to his messages.

The appellate court was unpersuaded, stating that the prosecution established the printouts accurately reflected the content of the messages the victim received and that Heisler authored the text messages. The court further reasoned that the text messages were admitted as evidence of texts the victim received from Heisler, not as evidence of a conversation between the two. Thus, the text messages were properly authenticated.

Conclusion

Text messages, like any other evidence, must be authenticated to be properly admitted into evidence.  Now, practitioners in Colorado state court, like those in the federal courts and countless other state courts, can rest soundly knowing that the process of authenticating text messages involves a fairly straightforward two-step process.

* CRE 901(a) requires that the evidence be sufficiently authenticated by the proponent and authentication “is satisfied by evidence sufficient to support a finding that the [evidence] in question is what its proponent claims [it to be].”  FRE 901(a) states the same.

** Under CRE 901, an e-mail and a social media post may be authenticated (1) through the testimony of a witness with personal knowledge that the e-mail is what it is claimed to be or (2) “through consideration of distinctive characteristics shown by an examination of [the] contents and substance” of the e-mail under the circumstances of the case (see People v Bernard, People v Glover).

Thank you to second year associate, Jaclyn Ruggirello in the Firm’s Uniondale office, for her research assistance related to today’s blog.

It is estimated that more than 100 million people are wearing an Apple Watch* and another approximately 31 million people are using the Fitbit.** It is further predicted that sales and use of these devices will continue to grow. And so, as people increasingly look for wearables that both “make technology more personal” and include a “cool factor”*** we are reminded that wearables are a repository of information (The Document Demand That Seeks Electronically Stored Information) that could be discoverable in a litigation depending on the relevance of the data.  The Bartis case, pending in the Eastern District of Missouri, is an interesting decision on point (Bartis v. Biomet, Inc., 2021 WL 2092785 [E.D. Mo. May 24, 2021]).

In Bartis, multiple plaintiffs alleged they sustained personal injuries, including permanent mobility issues, as a result of the implantation of an artificial hip manufactured by Biomet, Inc. (“Biomet”).  During discovery, plaintiff Guan Hollins (“Hollins”) advised, in response to an interrogatory, that he continuously wore a Fitbit to track his number of steps, heart rate, and sleep.  As a result, defendants demanded Hollins produce “all data from the Fitbit and any other wearable device or other fitness tracker.”  Hollins objected, claiming such data was “unreliable” because he began wearing the Fitbit after revision surgery removing the Biomet artificial hip.

Defendants filed a motion to compel the production of Hollins’ Fitbit data, arguing the data was relevant to Hollins’ alleged permanent, physical injuries resulting from implantation of Biomet’s defective artificial hip.  In opposition, Hollins claimed the request was a “fishing expedition” and reiterated his objection that the data was unreliable.

The Court ordered Hollins to produce the demanded data.  Noting, specifically, that Hollins had provided inconsistent responses as to whether he experienced difficulty or pain walking/jogging due to the alleged defective hip implant, the Court found Biomet’s demand for Fitbit data was hardly a fishing expedition where, as here, the data was relevant and could reveal whether Hollins was walking or jogging substantial distances.  Further, the Court rejected Hollins’ argument that the Fitbit data was unreliable, stating that this argument went to the admissibility and weight of the data.

Although Judge Ross aptly observed there was “surprisingly little precedent” involving wearable devices, there can be no doubt that these wearable devices – and the data they store – are here to stay.  Therefore, the next time you issue a litigation hold or craft a document demand, you should consider the various wearable devices that may be repositories for potentially relevant information.

*There are more than 100 million people wearing an Apple Watch, says analyst

**Fitbit Revenue and Usage Statistics (2021)

***There are more than 100 million people wearing an Apple Watch, says analyst

A prior post (Keyword Searching – What is it? And How Do I Do It (Well)?) offered some tips for crafting effective search terms for use in the e-discovery process. Although those tips still hold true, today’s blog offers ways to utilize an ESI protocol to promote a more seamless electronic search process.*

An ESI protocol is intended to allow parties to agree on, among other things, how data will be accessed and produced in connection with a litigation. As part of the protocol, parties should negotiate the process for crafting search terms, identifying the universe of data to be searched, and validating search term results. Critical to the negotiation process is understanding that the goal is to discover data that will support the party’s arguments at summary judgment or trial.

Tip 1: Let the party with the data determine the best search terms.

It is common practice for the requesting party to propose search terms. However, this often means that the attorney, with more limited facts than the party in possession of the data, is left to guess at search terms that are likely to identify potentially responsive data. And so, it may be valuable to incorporate into one’s ESI protocol a mechanism that allows the responding party to propose initial search terms based on each document request. After all, it is the responding party who has access to the data and the custodians and who, therefore, may be best situated to understand which search terms to use.  Because the process is an iterative one, the parties can meet and confer to discuss refinement and iterations as necessary (see Tip 3).

Tip 2: Tailor your search terms to the type of system and data being searched. 

When formulating an ESI protocol, it is important to identify the data to be searched. For example, are the search terms being run across a party’s entire network? Only e-mail servers? Text messages?

Knowing the data to be searched will also help inform a party’s search terms. For example, communication styles differ between formal work emails and informal messaging applications like Skype for Business. And so, search terms should be tailored to reflect these distinctions.

Tip 3: Detail how the iterative process will work.  

An adversary may contend you have but a single bite at the search term apple.  But, no matter how deliberate the initial bite is, revisions are almost always necessary. And so, to afford your client the greatest protection against an adversary who refuses to permit revisions, be sure to delineate an iterative process in your ESI protocol. This process may include iterative sampling, measurement of results, and validation that the technology worked as expected.

Tip 4: Keep the final product in mind.

Throughout the often tedious process of crafting search terms, be sure not to lose sight of the ultimate goal—how will I use the data at summary judgment or trial? Take into consideration how the data will physically look, fit together to form cohesive evidence, and best support your arguments. Thinking about how discovered data will be presented to a judge or jury should inform your decisions when crafting search terms and your ESI protocol.

*For clarity, today’s blog discusses search terms in connection with processing and reviewing data, not identifying data for preservation.

Thank you to second year associate, Jaclyn Ruggirello in the Firm’s Uniondale office, for her research assistance related to today’s blog.

The need to input a username and password when logging into a computer is a “single factor” authentication. But, from a security perspective, that single factor authentication only goes so far. Consider, for example, the ramifications if a hacker steals or guesses your username and password. What information could be compromised?

For law firms, cybercrime and data breaches have become a major concern because of the confidential and sensitive information lawyers have access to and often store on their computers.* Recently, the New York City Law Department, a 1,000 lawyer agency responsible for representing the City of New York and guarding the personal information for thousands of city employees, was snakebit by a cyber-attack. The cause of the cyber-attack was a stolen email password from a Law Department employee. The aftermath, however, has been devastating in many respects.  First, attorneys for the Law Department have been unable to access files.  This in turn has necessitated requests for adjournments and compromised counsel’s ability to zealously represent its clients. Second, the security lapse revealed the Law Department was alarmingly disorganized in its handling of confidential information, such as clients’ medical records. Third, as a result of the hack, the Law Department’s Chief Information Technology Officer was reassigned and replaced.

Regrettably, the incident may have been avoidable.  Indeed, the Law Department was sluggish in maintaining its network’s systems and failed to comply with a 2019 directive from New York City’s Cyber Command Division to implement multi-factor authentication on all systems. Specifically, multi-factor authentication requires a user to enter multiple credentials to verify their identity within a system. Multiple factors may include confirmation of (a) something known to the user (password); (b) something a user possesses (phone or code); or (c) other personal identifiers (biometrics or voice recognition).  The benefit of implementing multi-factor authentication is rudimentary in nature, as increasing the number of layers of security will decrease the likelihood of cyberattacks.  For example, had the Law Department implemented multi-factor authentication prior to the breach, the cyber-criminal would have needed the employee’s password and cell phone to access the network.  Further, multi-factor authentication can protect a law firm’s network from more sophisticated cyberattacks such as phishing.**

In sum, with many law firms still working remotely, improving the security of a firm’s network may feel like a moving target.  Nevertheless, as the title of this blog post suggests, implementing multi-factor authentication will not only help law firms protect clients’ interests, but also save them the embarrassment of spending a significant amount of money and time to resolve a preventable disruption.

*An October 2020 American Bar Association report found 29% of law firms reported a security breach, with 36% reporting past malware infections to their systems (https://www.americanbar.org/groups/law_practice/publications/techreport/2020/cybersecurity/).

** See Rise of Mobile Phishing Scams; Phishing Risks Associated with Social Media

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.

We have heard it many times before – document review in today’s e-ubiquitous world is expensive.  But imagine a client’s surprise when it learns an already expensive litigation task was plagued by associate over-billing.

According to a recent complaint filed with the Illinois Attorney Registration and Disciplinary Commission (“IADRC”) (see In the Matter of Stephanie Alexandra Gerstetter), an associate litigation attorney at Reed Smith, LLP, Stephanie Gerstetter (“Gerstetter”), was assisting a more senior associate with two separate document review projects.  Specifically, Gerstetter was tasked with using the software program Relativity to analyze and code for production digitally stored documents.  Unbeknownst to Gerstetter, Relativity was tracking and logging the time she spent reviewing documents.

In June 2020, Reed Smith performed an internal inquiry into Gerstetter’s billing practices, and learned Gerstetter billed materially more time to the two document review projects than Relativity indicated she invested in conducting the review.  Specifically, the complaint alleges that for a document review in August 2019, Gerstetter billed 29.2 hours despite logging only 23.5 hours in Relativity; and for a second project in March 2020 Gerstetter “recorded billing entries on 49 separate days totaling 197.7 hours of purported time that she claimed to have spent reviewing and coding documents” but “only worked 33 separate days totaling 113.1 hours.”*  As a result of Gerstetter’s overbilling, Reed Smith billed its client for approximately $42,000 of legal services Gerstetter never performed.**

Conclusion

The need for accurate timekeeping cannot be overstated, and this case is an interesting reminder of that obligation.  Moreover, in a world where attorney compensation and success are often judged by productivity and the billable hour, it is critically important that firms, too, comply with their responsibility to monitor attorney billing practices, and with the obligations attendant to timekeeping and billing entries, to avoid ethical pitfalls and malpractice issues.

*The complaint asserts one claim against Gerstetter for “Creation of False Billing Entries, Charging and Collecting Unreasonable Fees” and cites violations of Rules 1.5(a) (Fees) and 8.4(c) (Misconduct) of the Illinois Rules of Professional Conduct.

**Reed Smith offered a refund or a credit to its client.

Bursztein v Best Buy Stores, L.P. (2021 WL 1961645 [SD NY 2021]) involves a personal injury lawsuit arising from plaintiff Perla Bursztein’s slip and fall accident in a New York City Best Buy store.

During discovery, Bursztein requested: (i) video surveillance footage of the accident; (ii) maintenance and repair records for the location of the accident; and (iii) Best Buy’s customer safety policy. In response, Best Buy produced two documents, interposed boilerplate specific objections to Plaintiff’s requests and claimed it did not maintain surveillance footage of the accident and other critical records.

However, this claim was at odds with deposition testimony provided by Spencer Stanfield (“Stanfield”), the general manager of the store where the accident occurred, who testified repair and maintenance requests were logged on a Facilities’ Request System and surveillance footage of the incident had been preserved by him. And so, Plaintiff served post-deposition demands seeking the surveillance footage and the relevant entries on the Facilities’ Request System.  Best Buy, however, responded with the same boilerplate objections as previously interposed and further stated it no longer had possession of the requested materials.

Fatigued by Best Buy’s discovery games, Plaintiff filed a Rule 37 motion seeking sanctions against defendants for failure to comply with discovery obligations and spoliation of evidence. In opposition, Best Buy submitted an affidavit from Stanfield, claiming he misunderstood at deposition the question concerning the video footage.

Finding Rule 37(e) the “sole source” to address the loss of relevant ESI, the Court observed sanctions are appropriate when (a) there was anticipated or actual litigation triggering the duty to preserve ESI; (b) the relevant ESI should have been preserved at the time the litigation was anticipated or ongoing; (c) the ESI was lost because a party failed to take reasonable steps to preserve it; and (d) the lost ESI cannot be replaced through other discovery.

Ultimately, the Court granted Plaintiff’s motion and held she was entitled to the fees and costs associated with the motion and “permitted to present evidence at an eventual trial regarding the spoliation of liability-related ESI.”  In concluding sanctions were appropriate, the Court noted that Best Buy: “thwarted and disrupted discovery throughout the life of this case” by using dilatory and obstructive tactics; “repeatedly flouted their discovery obligations, failed to promptly communicate with opposing counsel, and repeatedly lodged baseless boilerplate objections to Plaintiff’s discovery requests;” and engaged in nothing short of a “paradigm of discovery abuse.”  Further, given the conflict between Stanfield’s deposition testimony and his affidavit, the Court concluded that video surveillance of the incident likely existed at one point and that Best Buy failed to preserve relevant ESI.

This decision serves as an important reminder that preservation obligations and discovery obligations must be taken seriously.  Indeed, as more and more decisions are demonstrating, there is no room for boilerplate objections, discovery games, or negligent/willful failures to preserve potentially relevant ESI.

Thank you to second year associate, James Maguire in the Firm’s Uniondale office, for his research assistance related to today’s blog.