In my search for ESI-centric information that would pique my readers’ interest, I came across an interesting article/blog about digital privacy written by Thorin Klosowski, in which he details seven (i.e., one per day) simple ways to secure your digital life.*  Because I found the plan easy to implement and steeped in wisdom, I decided to share Klowoski’s recommendations.  While today’s blog summarizes those ideas, I have provided below a link to Klowoski’s article because, when you sign up to read the full article, you will receive a daily email (one per day for seven days) with easy to follow instructions on how to implement each of the below seven suggestions.  There is no time like the present to implement these steps and secure your digital life.

  1. Install a Password Manager. A password manager is software that generates and then securely stores strong passwords for the websites you use. So for example, the manager will allow you to create and store Gx4$!kcF but not icecream!  Additionally, when you use a password manager, you will be notified to change a password if a website you access is compromised.  There are plenty of managers to choose from – some are free, others charge a fee – but it is important to find one that works on smartphones and in all major browsers.  If you opt not to do anything else, Klowoski recommends you install a password manager.  It is a simple way to have a significant impact on your e-security.
  2. Check Your Phone’s Privacy Settings. Smartphone applications often run in the background of your phone.  In doing so, they gather private data about you.  For example, they collect your location, your contact lists, your browsing history.  You can easily audit these permissions so that certain applications do not gain access to data that you prefer they not have access to (e.g., why does OpenTable or Words with Friends need access to your location?).
  3. Protect Your Browsing.  Companies can track everything we do on the internet.  Seriously.  They can (and do) track the advertisements we see, our physical location, our browsing habits, the buttons we click, etc.  All of this data gets collected for the purpose of targeted advertisement campaigns.  Ever wonder why after perusing the internet for a certain pair of sneakers that advertisements for that very sneaker appears in your Instagram and Facebook accounts?  The good news is there are various steps we can take to minimize companies’ ability to track us, without compromising your ability to use the internet.  And, all that is required is downloading browser extensions to your computer or phone.
  4. Protect Your Laptop. You’ve lost your laptop! Panic may likely set in because of the voluminous personal information on the laptop that will be available to the person who finds the lost computer.  Now what?  In an effort to prevent such a nightmare,  Klowoski recommends we all encrypt our hard drives. It is incredibly simple and can save you hours of worry and headache. What encryption allows is that no one can access the laptop without a password.  And, at the same time, nothing about the daily use of your laptop will change. Windows and MacBooks can both be encrypted relatively easily.  Critically important, however, is to keep the encryption password somewhere safe. Because while encrypting a laptop keeps a bad actor out, you can also lock yourself out.
  5. Anti-Virus Software is Key.  Antivirus software, while sometimes criticized as clunky and disruptive, is highly advisable. For example, if you share your computer with others, download software or visit websites that may not be secure, the recommendation is to install and maintain on your computer antivirus software.  And, if you are super-conscientious, consider additional protection (recommendation is Malwarebytes), which performs real-time scans of downloads and works in the background for additional protection.
  6. Stay Current.  Enabling automatic updates on a computer, smartphone and any other “smart” device ensures the device is current with security updates.  While some people ignore updates because the update can cause temporary issues (e.g., my internet got slower) the security improvements are really important.
  7. Double Down.  Set up dual-factor authentication for any accounts that are important.  What dual-factor authentication means is that any account requires two separate data entries: a password and a special one-time code that is typically sent by text messages to your phone.  Once set up, it becomes significantly more difficult for anyone to access your account because even if they learn/hack/guess your password, they cannot receive the special one-time numerical code unless they also have physical access to your phone.  There are many dual-authentication apps available to choose from.  And, despite claims that dual-authentication delays access to important accounts, it is really a seamless and secure process that should be implemented.

* Secure Your Digital Life in 7 (Easy) Days

Have questions?  Please contact me at kcole@farrellfritz.com.

 

As mentioned in my last blog post, there are data breach notification laws on the books in 48 states, including New York.  On July 25, Governor Cuomo signed into law Senate Bill 5575, the “Stop Hacks and Improve Electronic Data Security Act” (the SHIELD Act), which had passed the Legislature on June 17, 2019.

The SHIELD Act amends New York’s data breach notification statute, General Business Law §899-aa, to update its definitions.*  The Act also creates a new §899-bb, requiring substantive data security controls by any person or business that owns or licenses computerized data, including the defined “private information” of a New York resident.** In doing this, New York has brought itself into line with a number of states concerning how they define a data breach, and, where applicable, what substantive security controls they require. The SHIELD Act’s jurisdictional reach is expansive – if you own or license computerized private information concerning New York residents, you fall within the statute’s requirements.

When is a Company/Individual Compliant with SHIELD?

The SHIELD Act requires employers in possession of New York residents’ private information to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.”  “Private information” is robustly defined to include, among other things, a driver’s license number, credit or debit card number, financial account number, biometric information, and username or e-mail address with a password that permits access to an online account.  Because “private information” includes an individual’s name and their social security number, every employer with employees in New York must comply with the SHIELD Act.

While the SHIELD Act does not mandate specific safeguards, it does provide that a business will “be deemed to be in compliance with” the SHIELD Act if it implements a “data security program” that includes certain administrative and technical safeguards enumerated in the SHIELD Act.  Those elements include, for example:

  • Designating an employee or employees to coordinate a data security program.
  • Training all employees of the business in the data security program’s practices and procedures.
  • Assessing internal and external risks and implementing procedures to reduce those risks.
  • Vetting vendors and service providers to ensure they, too, safeguard private information.
  • Properly and securely disposing of private information after it is no longer needed for business purposes.

A person or business can also demonstrate compliance with SHIELD by being a “compliant regulated entity” (i.e., it is in compliance with other regulatory schemes requiring information security, such as the Health Insurance Portability and Accountability Act Security Rule, or the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies).

When Does a Company/Individual Have to Provide a Breach Notification to a New York Resident?

In addition to requiring reasonable safeguards to protect the private information of New York residents, the SHIELD Act also amends New York’s existing security breach notification law to broaden notification obligations.  As mentioned above, “private information” is robustly defined in the SHIELD Act. And, if private information is compromised, it could trigger notification obligations.   For example, the inclusion of biometric information as “private” means that employers who rely upon biometric time clocks to record employee time will have a disclosure obligation if that information is compromised.

The SHIELD Act also expands the definition of “breach,” to include unauthorized access, rather than unauthorized acquisition.

The SHIELD Act adds an important carve-out from the breach notification requirement for inadvertent disclosures of private information that are not likely to result in misuse of information. To benefit from this exception, the employer must:

  • Document its determination that the inadvertent disclosure is not likely to result in misuse.
  • Maintain that documentation for five years.

Moreover, if the incident were to involve the private information of more than 500 New York residents, the employer would be required to submit the documentation to the state’s attorney general within ten days of that determination.

While the SHIELD Act does not permit a private right of action, enforcement by the state’s attorney general is provided for. The SHIELD Act also doubles the penalty recoverable by the attorney general per failed notification, and increases the maximum penalty from $100,000 to $250,000.

Although what exactly the SHIELD Act means for individuals and businesses remains to be seen as enforcement actions are initiated and consent decrees and judicial interpretations are provided, I suspect many residents welcome the SHIELD Act, given that New York’s reporting obligations have lagged somewhat behind other states.

* The breach notification amendments take effect on October 23, 2019.

** The data security safeguard implementation takes effect on March 21, 2020.

Have questions?  Please contact me at kcole@farrellfritz.com.

Although there are data breach notification laws on the books in 48 States that require companies to inform consumers about potential breaches, companies are loathe to make such disclosures.  In fact, a data breach disclosure opens the door to litigation, invites scrutiny from investors and the consuming public, and hardly bodes well for a company’s reputation.  But, the harsh reality is that, data breaches happen, happen often, and will likely happen with greater frequency as businesses and individuals become more digital.  Consider the below statistics:

  • In 2018, the total cost of cybercrime was estimated to be $600 billion, with more than 143 million US customers impacted (that does not take into account consumers outside of the United States). *
  • In 2018, $7.9 million was the average cost to a company to respond to a data breach.**
  • One in five small and medium businesses are targeted in cyber-attacks.
  • The average number of days that an “attacker” stays undetected in a network is 146.
  • The Federal Bureau of Investigations stated that losses caused by BEC scams doubled in 2018 and reached $1.3 billion, based on victim reports received by the agency’s Internet Crime Complaint Center.

When it comes to calculating the costs of a cyber-attack, there are many considerations you must take into account: the cost of any ransom you may be expected to pay, the cost of any data that may be lost, sustained system outages, downtime, non-compliance fines, legal fees – not to mention potential lawsuits.  And, if the above figures aren’t alarming enough, it was reported recently that business email compromise (BEC) has surpassed data breaches as the main reason companies filed a cyber-claim. In 2018, 23% of all cyber insurance claims insurance-giant, AIG, received were BEC-related insurance filings.    https://www.zdnet.com/article/bec-overtakes-ransomware-and-data-breaches-in-cyber-insurance-claims/

In fact, the Federal Bureau of Investigations stated that losses caused by BEC scams doubled in 2018 and reached $1.3 billion, based on victim reports received by the agency’s Internet Crime Complaint Center.

According to various secondary sources, the rise in BEC-related cyber insurance claims is directly attributable to poor security measures victim companies had in place.  But what is a company to do?  Below are some suggestions to consider to protect your email system and your system’s security.

  • Secure a Cyber Liability Insurance Policy (which often includes access to an array of experts should an attack occur).
  • Educate your staff – train everyone on email-based attacks, phishing awareness, suspect domain addresses.  And, after training, deploy tests to assess risk. Mechanical drawing incorporated by reference to MSA states Employees who lack the knowledge or training to avoid cyber threats are in positions to unwittingly put your company at risk by something as simple as clicking on the link in one phishing email.
  • Require complex passwords – those that require a combination of numbers, symbols, and capitalized letters – that must be managed/changed regularly.
  • Encourage all employees to implement different passwords for each online account they maintain/access (i.e., work email login vs. personal email login vs. credit card login vs. online banking login vs. Amazon login).
  • Implement advanced endpoint protection (i.e., those that protect endpoints against known and unknown threats).
  • Discourage use of public Wi-Fi.
  • Password protect thumb drives and other external media.
  • Implement a robust firewall that allows for site blocking and web filtering.
  • Devise an Internet usage policy.
  • Devise a computer use policy.
  • Consider email encryption where the email contains confidential information (protected health information, payment card data, Social Security numbers, dates of birth, phone numbers, email addresses, confirmation numbers, travel reward numbers – hackers want it all).
  • Require multi-factor authentication when using remote access, website logins.
  • Consider regular backups (i.e., hourly backups of data during business hours, and at least daily backups).
  • Ensure that backup is not connected to your system so as to not compromise its integrity in the event the system is compromised.
  • Deploy network penetration testing.
  • Implement patches as soon as available, and be sure to keep software and operating systems up to date.
  • Install a program that can remotely lock and/or wipe a lost device.
  • Create an incident response plan detailing steps to follow in the event of a compromise (i.e., who to call, what to do, what to implement).
  • Perform due diligence on all third parties and vendors with whom you work.

The above suggestions are hardly exhaustive but worth considering and implementing to create multi-layered protection for your small-medium business.

* See new report

** https://www.forbes.com/sites/niallmccarthy/2018/07/13/the-average-cost-of-a-data-breach-is-highest-in-the-u-s-infographic/#362e43152f37

For a particularly interesting article about cybersecurity and cyberwar consider reading, Warzel, Charlie, “The Privacy Project.” The New York Times, 10 Sept. 2019.

Have questions?  Please contact me at kcole@farrellfritz.com.

 

 

Technology has revolutionized, among other things, the way people conduct business, store information and communicate with others.  And, despite the many efficiencies and benefits of technology, a downside of this “revolution” is the creation of countless files that may later be subject to review and potential production during litigation /investigation proceedings.  Indeed, even relatively small cases routinely involve the collection of tens and hundreds of thousands of documents and files.  This in turn makes for a costly, and potentially complicated discovery process.  And so, it is critically important to identify early in the litigation life-cycle, defensible ways to cull this data and isolate relevant material without sacrificing accuracy.

Although many attorneys have different approaches to electronic discovery, I believe certain steps should be taken in every litigation involving ESI (which, let’s face it, is every litigation in today’s E-age).  In my opinion, among the most effective tools for reducing e-data is early case assessment efforts to analyze the data collected.  More specifically, after the data collection is complete, one should review a file extension report with an eye toward eliminating file types that are not relevant.  Another report that can provide actionable insight for counsel is a search term report.  Indeed, this report can illustrate what search “hits” are likely to yield documents responsive to the litigation/investigation and which terms are more likely “misses.”  Revising search terms (often multiple times) based upon this report is highly recommended and a sound way to cull data.

Another step that should be implemented to minimize the data universe is deduplication (either within or across custodian).  What this means is that identical duplicates of documents (or near duplicates should you opt for same) will be eliminated from the data set.  If you opt to deduplicate within a custodian, then any identical duplicate in an individual’s data will be eliminated and only one copy of the document available for review and production.  If you opt to de-duplicate across custodians, then, for example, only one copy of the email that appeared in three different custodians’ email, will be available for review and production.  However, in the latter situation, it will be disclosed through the meta-data that the document existed in the other two custodians’ mailboxes.

A final tool to implement in any review is email threading.  Threading allows for only the most inclusive versions of email documents to be included in the review whereby reducing the attorney hours required to review documents.  For example, the attorney will review only the most inclusive email chain of ten, rather than each of the ten chains leading up to the most inclusive version.

There are ample other opportunities to introduce additional efficiencies into the review (clustering, bulk-coding, etc., to name a few), but it is advisable to work with an attorney or vendor to develop a defensible methodology and workflow to achieve the most efficient and effective discovery outcome for the client.

Have questions?  Please contact me at kcole@farrellfritz.com.

In recent years, there has been a dramatic increase in e-discovery vendors.  While having more vendor options to choose from may seem like a good thing, the surge in vendors can make it difficult to differentiate among them, and to compare the relative strengths and weaknesses of each. It is therefore critical that law firms and legal departments who seek to leverage efficiently data for purposes of litigation understand that selecting an e-discovery vendor is more than an isolated transaction and must be approached with some key considerations in mind.  Below are a few topics that are worth considering when choosing among vendors.

  1. Is data security a priority for the vendor?  Data security is an issue.  Think Marriott, Equifax, Anthem, Yahoo, EmblemHealth, Target … Therefore, before retaining a vendor, it is important to be confident that the vendor has robust security measures in place to ensure data access is controlled.  A lack of proper security measures exposes the firm/legal department client’s data to security vulnerabilities.  In addition to assessing what security credentials the vendor has (i.e., SOC 2 Type II) you should inquire of the vendor’s employee training and preventative efforts like intrusion detection, data encryption, cloud security controls and penetration testing.
  2. Is innovation a priority for the vendor?  Technology is constantly evolving and so, too, are the data sources that may be relevant for a litigation.  For the purpose of illustration, consider text messages. Five years ago there were rarely text messages as a data source involved in litigation. Today, much business is performed via text message.  And so, it is critical that the vendor you retain is always innovating and regularly developing new capabilities to address the growing amounts of, and varying sources of, data.  At a minimum, you want a vendor whose solution(s) seamlessly integrates with modern data sources so that things like text messages are easy to collect, review and produce.
  3. Are efficiency and automation priorities for the vendor?  There is nothing more frustrating than a review platform that is slow or clunky.  When the task at hand is to review 50,000 emails, the time it takes to process the data (including to de-dupe, deNIST, OCR) is a relevant consideration.  All of the small delays along the way can easily add up to big delays, big costs, and big concerns.  Therefore, it is important to understand the vendor’s infrastructure.  For example, what sort of processes are in place such that the time from data ingestion to production is expedient?  Similarly, it is worth speaking with existing clients of the vendor to understand any issues encountered with the platform.  For example, how is the speed of document to document load time?  What artificial intelligence is available to leverage (i.e., predicting coding, clustering).  The solution should be efficient, user-friendly and easy to use.

Legal professionals should do their homework before retaining an e-discovery vendor as no two vendors are the same.  While there are many areas to explore before retention, the issues of security, innovation and efficiency are critical among them.  Asking thoughtful and difficult questions during the vetting process gives legal professionals a greater likelihood for a seamless engagement.

Have questions?  Please contact me at kcole@farrellfritz.com.

 

The issue of production format when dealing with ESI is often the subject of discussion and disagreement.  If possible, the parties to the litigation should agree at the outset to the production format.   In fact, a conversation about production format, metadata and redactions (among other things) should occur at the preliminary conference and/or the Rule 26 conference. However, this “meet and confer” process often gets short-changed or skipped entirely, leaving the producing parties to respond to unexpected and often costly production demands.  Irrespective of whether the parties agree upon a production format, it is important to understand the more common formats and their respective benefits/shortcomings.

1. Native File Production

A native production consists of electronically stored information in the format in which it is maintained ordinarily by the producing party.  The benefits of native file production include savings of money and time compared to other formats, which require conversion of the ESI into images and associated load files.  However, some files cannot be produced in native file format because they require conversion in order to allow them to be reviewable (i.e., certain email formats and databases).  Additional drawbacks of a native production include the inability to brand individual pages (i.e., with a bates stamp or confidential legend) or to apply redactions.  Perhaps the most concerning aspect of a native production, however, is the producing party’s inability to control the metadata produced because the document is “live.”  Consider for example an Excel document.  The metadata produced with it would necessarily include any hidden text, track changes, and comments.  An additional concern with native files is the challenges attendant to applying redactions.

3. TIFF Production

TIFF is an acronym for tagged image format file. It is a common graphic file format and the extension related to this format is .tif.  In a TIFF production, all documents are converted from their native format to black and white, single-page .tif files.  It is as if a “picture” of the ESI is taken such that is appears to the end user in the same way one would view it on screen or if printed.  For each record, document level text, an image (.opt) load file, and a metadata (.dat) load file is provided.  By producing the image with the accompanying extracted text and metadata in load files the image is viewable and searchable in a review tool.** Although converting native files to .tif involves a cost, the advantages of an image production include the ability to number, redact and mark documents as confidential, as well as the ability to control the metadata fields that are produced. Imaged files also carry less risk of accidental alteration because they are not capable of being edited.  However, the costs attributable to, and the time involved in, converting the ESI to images may be viewed as a negative.

3. Text/Searchable PDF Production

A searchable PDF is effectively the same as a .tif production.  However, rather than simply exporting the converted images to a review tool, the images are converted to PDFs and then OCR’d* to incorporate searchability.  Often one requests PDFs if they plan on reviewing the production outside of a review tool.  However, even an OCR’d PDF can suffer from incomplete and imprecise search functionality.  And so, PDF productions are less desirable than a .tif.

4. Paper Production

Paper documents are physical documents copied from other physical documents or printed from ESI.  Paper production is often the least expensive and shares many of the same advantages of .tif and .pdf productions.  For example, papers can be easily bates stamped, redacted and branded.  However, a paper production can be laborious and inefficient when you are on the receiving end.  For example, paper cannot be searched or indexed electronically. Rather, one is left to sort through, and manually organize, bankers’ boxes of documents.  And because paper has no metadata associated with it, reducing ESI to a paper format with no searchable text or metadata may not meet the requirement of producing ESI in a reasonably usable form as many of the discovery rules require.

It should also be noted that document productions often include a combination of the above formats.  For example, the lion’s share of a production may be .tif files, however, any Excel file in the production may be produced in native so that is it is more usable.  Similarly, databases may be produced in a native file format with any item needing redaction converted to an image.  Given the variables and the associated benefits and drawbacks, one should engage in a meaningful conversation with their adversary at the preliminary conference /Rule 26(f) conference to devise a production plan and chart a course that lays out what is being requested and the production expectations.

*OCR stands for Optical Character Recognition.  It is the process of converting images of printed pages into electronic text.  It is typically done so that a file is text-searchable.

**Reference to a “review tool” is meant to describe the database/repository where ESI documents are located for purposes of review and production.  These “tools” are necessary because it is impractical and inefficient to open on one’s computer each file in their many different source applications . It is therefore necessary to load the ESI into an application that allows it to be reviewed, searched and analyzed. Some companies that are frequently involved in litigation choose to purchase such applications for their own use, but many use applications hosted on their law firm’s or an e-discovery vendor’s systems. Review tools usually require the ESI to be processed before loading.

Have questions?  Please contact me at kcole@farrellfritz.com.

I am often asked by clients and subscribers to the blog, What is E-discovery?  And so, this week’s post is intended to respond to that question.

E-discovery is the abbreviated term for electronic discovery and refers to the process in which electronic data (as compared to paper or object information) is sought, located, secured, reviewed and produced for use as evidence in a civil or criminal lawsuit. Although the “E-discovery” nomenclature is far more common, one may also see this concept referred to as EDD, electronic discovery. It is important to understand that all types of electronic data can serve as evidence including, for example, text, images, calendar files, databases, spreadsheets, audio files, animation, Web sites, e-mails, voicemails and computer programs.  It is important to understand E-discovery and the various sources of data so that we, as attorneys, can efficiently process the information and construct legal arguments and defenses using this data and documents.  The explosion in the amount of data being generated and how this impacts the legal process is something no one is immune from.  Indeed, E-discovery is here to stay.  It is a process that Fortune 500 companies, “Ma and Pa” shops, and individual parties to lawsuits will be required to participate in.   And so, litigators and clients must better understand data, how it is stored, how it can be searched, how it can be reviewed, and how technology can be applied to the process to promote cost effective ways to conduct document discovery and wade through the large volumes of data. It is my hope that this blog – historical posts and those to come – will help provide subscribers with the information necessary to achieve this goal.

Have questions?  Please contact me at kcole@farrellfritz.com.

Whether we like it or not, a reality of today’s world is that often important business is conducted by text messages. And so, when it is time to issue a litigation hold notice, you must include an instruction to preserve text messages as well as the devices from which they are sent/received (i.e., smartphones).  Your failure to do so can be a costly mistake as learned by defendants in the Paisley Park case — a litigation involving the Estate of the late musical artist known as Prince — in the district of Minnesota.

In Paisley Park Enters. v. Boxill, No. 0:17-cv-01212, (D. Minn., 3/5/19) (copy here: Prince_Discovery_Order), Magistrate Judge Tony N. Leung reminded us of the obligation to preserve electronically stored information (“ESI”) that is relevant to the lawsuit, including text messages.* 

Simply stated, Plaintiffs claimed they were deprived of relevant discovery; defendants argued they did what was required by the law (i.e., preserve emails and computer data).  Defendants claimed ignorance that they had any obligation to preserve their text messages.

In reaching the merits of the spoliation motion filed by Plaintiffs, the Court concluded that Defendants’ failure was intentional and sanctions appropriate.  In reaching this conclusion the Court made a number of salient observations.

First, the Court observed that the executives – as principals of the corporate defendant – were they types of individuals likely to have relevant information.

Next, the Court observed that the text messages of the individual defendants were likely to contain relevant information because, as demonstrated by text messages secured by Rule 45 subpoena, the executives often discussed the very matters in the lawsuit by text message.  The Court therefore concluded that under the Federal Rules the parties were required to take reasonable steps to preserve ESI, including text messages (which are included in the standard, expansive term “documents”).**

Despite this obligation to take reasonable steps to preserve relevant information, the Court observed the defendants failed entirely to take any reasonable steps.  Indeed, the defendants failed to take any number of simple, basic steps including:

  • the executives did not suspend the auto-delete functionality on their respective phones —  a failure that the Court observed “takes, at most, only a few minutes” to implement;
  • the executives did not put in place a litigation hold to ensure that they preserved text messages; and
  • the executives failed to take any number of  “relatively simple options to ensure that their text messages were backed up to cloud storage” – processes that would have cost “little, particularly in comparison to the importance of the issues at stake and the amount in controversy here.”

The Court concluded that defendants’ failure to follow these simple steps alone was sufficient to show defendants acted unreasonably.   However, if the defendants’ absence of reasonable efforts was not enough, the evidence submitted demonstrated the defendants each wiped and intentionally destroyed their phones after the lawsuit was commenced (and, in the instance of one executive, he wiped a second phone and discarded it after the Court ordered the parties to preserve all relevant electronic information and after receipt of a letter advising of the need to produce text messages).

And so, having concluded both that the defendants failed to take reasonable steps to preserve relevant information and intended to destroy relevant ESI, the Court analyzed the prejudice caused to plaintiff.  Specifically, was the destroyed ESI able to be replaced from any other source Fed. R. Civ. P. 37(e).

Defendants argued there was no prejudice because plaintiffs were able to secure from third-parties some text messages sent to or received by the executive defendants.  The Court dismissed this argument and observed  these were “scattershot texts and [e-mails],” rather than “a complete record of defendants’ written communications from defendants.”  According to the Court, Plaintiffs were, for example, unable to recover text messages that the two individual defendants sent only to each other.  The Court therefore concluded the missing text messages could not be replaced or restored by other sources making it “impossible to determine precisely what the destroyed documents contained or how severely the unavailability of these documents might have prejudiced [Plaintiffs’] ability to prove the claims set forth in [their] Complaint.” Telectron, Inc. v. Overhead Door Corp., 116 F.R.D. 107, 110 (S.D. Fl. 1987).  Therefore, the Court concluded sanctions were appropriate under Rule 37(e)(1).

Because the Court concluded that the executive defendants acted with the intent to deprive Plaintiffs of evidence, the Court ordered sanctions, pursuant to each of Rules 37(b)(2)(C), 37(e)(1), and 37(e)(2) and directed the executive defendants to pay reasonable expenses, including attorney’s fees and costs, that Plaintiffs incurred as a result of the defendants’ misconduct.  The Court further directed the defendants pay into the Court a fine of $10,000.

While this case is an egregious example of discovery violations, the message to internalize is to include text messages (and other forms of messaging) in your hold notice.

*For those of you interested in the specifics of the lawsuit, the case involved the Estate of the late Prince Rogers Nelson (“Prince”) and the Estate’s interest in various songs created by Prince, including certain ones not released to the public.

**In rendering his decision to impose sanctions, Judge Leung provided a useful summary of the relevant law:

The Federal Rules of Civil Procedure require that parties take reasonable steps to preserve ESI that is relevant to litigation. Fed. R. Civ. P. 37(e). The Court may sanction a party for failure to do so, provided that the lost ESI cannot be restored or replaced through additional discovery. Id. Rule 37(e) makes two types of sanctions available to the Court. Under Rule 37(e)(1), if the adverse party has suffered prejudice from the spoliation of evidence, the Court may order whatever sanctions are necessary to cure the prejudice. But under Rule 37(e)(2), if the Court finds that the party “acted with the intent to deprive another party of the information’s use in the litigation,” the Court may order more severe sanctions, including a presumption that the lost information was unfavorable to the party or an instruction to the jury that it “may or must presume the information was unfavorable to the party.” The Court may also sanction a party for failing to obey a discovery order. Fed. R. Civ. P. 37(b). Sanctions available under Rule 37(b) include an order directing that certain designated facts be taken as established for purposes of the action, payment of reasonable expenses, and civil contempt of court.

Have questions?  Please contact me at kcole@farrellfritz.com.