Header graphic for print
Technology Law Source Mapping the evolving legal landscape

Category Archives: Privacy

Subscribe to Privacy RSS Feed

Privacy law in the U.S. and Europe: University of Amsterdam Summer Course explores current issues

Posted in Information Technology, Privacy, Social Media

On July 7-11, 2014, a group of 25 privacy lawyers met in a historic building overlooking the Keizersgracht, one of Amsterdam’s most beautiful canals, and spent five days learning about U.S. privacy law, European data protection law, and the complex interactions between them. The setting was the Summer Course on Privacy Law and Policy, presented by the University of Amsterdam’s Institute for Information Law (IViR), one of the largest information law research centers in the world. Course faculty included leading practitioners, regulators and academics from both sides of the Atlantic. Course participants came from an even wider geographic area that included Hungary, Greece, Poland, the Netherlands, Hong Kong, Kyrgyzstan, Switzerland, the UK, Belgium and Canada. I was lucky enough to serve as a co-organizer of, and faculty member in, the course. In this post, I describe presentation highlights and identify some cross-cutting themes that emerged during the week.

Dr. Kristina Irion, Marie Curie Fellow at IViR (and the other course organizer) started the course with “An Update on European Data Protection Law and Policy.” The Summer Course does not try to cover every aspect of privacy law. Instead, it focuses on law and policy related to the Internet, electronic communications, and online and social media. In her presentation, Irion analyzed the latest European legal and policy developments in these areas. The most important such development is the proposed General Data Protection Regulation (GDPR) — a major reform proposal that several of the faculty presenters believe will become law …


Continue Reading →

Florida ramps up data breach notification law

Posted in Data Breach Notification, Information Technology, Privacy

The Florida Information Protection Act of 2014, aimed at strengthening Florida’s data breach notification law, goes into effect tomorrow, July 1, 2014. The act contains major changes to Florida’s existing data breach notification statute and makes it one of the toughest in the nation.

Shortened notice period

For example, notice to consumers must be given within 30 days of the discovery of the breach or belief that a breach occurred, unless delayed at the request of law enforcement for investigative purposes or for other good cause shown. Previously, the law allowed 45 days for such notice. Fines may be imposed on private entities for failure to comply with the notice provisions ($1,000 per day for the first 30 days following a violation of the notification requirements; $50,000 for each subsequent 30-day period thereafter; and, if the violation continues for more than 180 days, an amount not to exceed $500,000). The notice requirement applies to personal information contained in any computerized data system and is triggered when unencrypted personal information may have been acquired by an unauthorized person.…


Continue Reading →

LinkedIn class suit proceeds because endorsement (spam) emails might cause users reputational harm

Posted in Information Technology, Privacy, Social Media

Have you ever received an email from LinkedIn with the invitation: “I’d like to add you to my professional network.”? If you did not respond, did you receive a reminder email a week later? And another one a few weeks after that? If you did, or if you were one of the LinkedIn users who (inadvertently) sent out one of these “endorsement emails,” then Perkins v. LinkedIn (N.D. Ca. June 14, 2014) is a class action lawsuit against LinkedIn you might want to keep an eye on.

The crux of the complaint, which has been brought by nine individual plaintiffs as a class suit, is that LinkedIn violated several state and federal laws by harvesting email addresses from the contact lists of email accounts associated with the class plaintiffs’ LinkedIn accounts and used the contacts to spam their users’ contacts with LinkedIn ads. The class complaint alleged five causes of action:

  1. violation of California’s common law right of publicity;
  2. violation of California’s Unfair Competition Law (“UCL”);
  3. violation of the Stored Communications Act (“SCA”);
  4. violation of the Wiretap Act; and
  5. violation of California’s Comprehensive Data Access and Fraud Act (“CCDAFC”).

The district court is allowing the case to proceed on the California right of publicity claim, but not on any others. Here is how the court came to that decision.…


Continue Reading →

Porter Wright announces 2014 Technology Seminar Series

Posted in Data Breach Notification, Domain Names, gTLDs, HIPAA Compliance, HITECH Act Compliance, Information Technology, Intellectual Property, Porter Wright News, Privacy

Porter Wright continues its tradition of providing cutting-edge information about how technology affects your business with the 2014 Technology Seminar Series, beginning June 18. This year’s sessions are:

Social media in litigation: a shield and a sword

June 18

The worlds of social media and litigation have collided. Social media evidence is used in employment discrimination lawsuits, in divorce and custody cases, in criminal cases – and intellectual property cases are won and lost based on the information disclosed on social media sites. Like it or not, social media is an aspect of litigation that is here to stay. Sara Jodka, Colleen Marshall and Jay Yurkiw will walk you through how social media affects the way companies prepare for and engage in litigation, including the good, the bad and the ugly. This session will provide guidance about how you can make sure that your company’s social media use will not get the company into hot water. Presenters also will share helpful insights regarding what to do about social media when litigation is filed and identify the biggest social media in litigation hazards.…


Continue Reading →

Employers can learn from recent cases involving the Federal Trade Commission

Posted in Information Technology, Privacy

Two recent decisions – one from the federal district court in New Jersey and one from a federal Administrative Law Judge – potentially will have significant impact on the Federal Trade Commission’s (FTC) enforcement of business’s data security obligations. (Read more about these cases here and here.)

FTC v. Wyndam Worldwide

In FTC v. Wyndham Worldwide Corporation, the New Jersey federal district court upheld the FTC’s authority to find that a business that has sustained a data breach has committed an “unfair trade practice” in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45(a) when its privacy controls are found to be inadequate. Over the past several years, the FTC has regulated data privacy and security under Section 5(a) by bringing actions against businesses that have sustained data breaches on the ground that the business has committed a deceptive and/or an unfair trade practice. The deceptive trade practice claim typically alleges that the business has failed to live up to its promises to consumers about how it will secure the privacy of their data. More controversially, however, the FTC also has sought to regulate data security by bringing actions against businesses alleging that they had inadequate data security protections even in the absence of any consumer promises. Until Wyndham challenged the FTC authority, these “unfair trade practice” cases brought by the FTC have settled.…


Continue Reading →

Lack of reasonable efforts to maintain secrecy of trade secrets can undermine otherwise compelling claim of misappropriation

Posted in Intellectual Property, Privacy

If you believe that a former employee may have taken your trade secrets on his way out the door and you are considering court action to rectify the situation, it is important to have compelling evidence of the misappropriation. But as we discuss in this post, even with compelling evidence of misappropriation, the plaintiff’s failure to have taken “reasonable efforts” to maintain the secrecy of trade secret information may defeat the misappropriation claim.

Let’s review the following set of facts as an example:

An employee has left your company to work for a direct competitor. At that direct competitor, he does the same job he did while working for you. At his new company, he is attempting to contact some of your customers. When he left your company, he did not return his company-issued laptop or iPad. A forensic examination of those devices reveals that after he received a letter from you demanding the return of them, he opened 20 files that you contend contain highly confidential and proprietary information. That same analysis demonstrates that he connected more than 20 flash drives to the laptop after his employment was terminated. Indeed, on the day he returned the computer to you he connected six flash drives to it. He also emailed to his new colleagues a high-level competitive analysis of your company.…


Continue Reading →

Hashtag promotions could spell #trouble with FTC Endorsement Guides

Posted in Privacy, Social Media

The Federal Trade Commission’s Division of Advertising Practices has recently finalized its investigation into Cole Haan’s “Wandering Shoe” contest wherein contestants could enter the contest by creating Pinterest boards titled “Wandering Sole” and including five shoe images from Cole Haan’s Wander Sole Pinterest Board as well as five images of contestants’ “favorite places to wander.” Contestants also were instructed to use #WanderingSole in each pin description. The contestant with the most creative entry would, under the contest rules, be awarded a $1,000 shopping spree from Cole Haan.

In its investigation closing letter, the FTC stated that it believes “that participants’ pins featuring Cole Haan products were endorsements of the Cole Haan products, and the fact that the pins were incentivized by the opportunity to win a $1,000 spree would not reasonably be expected by consumers who saw the pins.” The FTC also stated that “Cole Haan did not instruct contestants to label their pins and Pinterest boards to make it clear that they had pinned Cole Haan products as part of a contest” and that the #WanderingSole hashtag did not adequately communicate “the financial incentive—a material connection—between contestants and Cole Haan.”…


Continue Reading →

FTC strikes back against virtual Peeping Tom

Posted in Privacy

Okay, folks, we won’t beat around the bush. This is just plain creepy! On Monday, the FTC finalized its order against Aaron’s, one of the country’s largest rent-to-own (RTO) stores, charging that its franchisees were spying on its customers.1 By the way, by spying, we mean to include taking webcam pictures every two minutes that the rented computer was connected to the Internet until directed to stop.

Background

Many of Aaron’s franchisees licensed and installed PC Rental Agent, a privacy-intrusion software, on computers rented to consumers. Unbeknownst to the renters, the software allowed the franchisees to collect private, confidential and personal information about them. Ostensibly, the information was to be used to gather data to assist franchisees in collecting on past-due accounts and recovering computers after default. Nonetheless, the software allowed much more. When in “Detective Mode,” the software logged keystrokes, captured screenshots and activated a computer’s webcam. The program also allowed franchisees to track the physical location of rented computers using WiFi hotspot information.

Quite obviously, the franchisees’ use of this software, without notice to computer users, compromised the renters’ personal, financial and medical information, not to mention the untoward “invasion into the peaceful enjoyment of their homes.” The consumers were also harmed, according to the FTC, by the surreptitious capture of the private details of their lives, including images of visitors, children, family interactions, partially undressed individuals and, as the FTC delicately put it, “people engaged in intimate conduct.” As Walter Dartland, a former deputy attorney general of …


Continue Reading →

Facebook updates policy regarding remembering loved ones, which begs the question: Is legislation over digital assets necessary or inevitable?

Posted in Privacy, Social Media

A few days after we posted “Facebook’s ‘Look Back’ videos send reminder: Get digital accounts in order before death,” which provided guidance to digital account users on how to make plans for their digital accounts before death, Facebook announced a policy change regarding how it would maintain the profiles of its users who have passed away in an effort to better preserve their legacies on the site.

As we explained in the post, before the change, when a user’s account was memorialized, the profile was restricted to “friends” only. This precluded anyone who was not a “friend” of the user from seeing or commenting on the profile. With Facebook’s new change, which became effective Feb. 21, 2014, Facebook will now maintain the visibility of the user’s content as-is, which will allow people to view the memorialized profiles in the same manner consistent with the user’s privacy settings.

The reason, as Facebook explained: “We are respecting the choices a person made in life while giving their extended community of family and friends ongoing visibility to the same content they could always see.” This means that if a user’s profile was publicly visible before death, it will remain that way after death. This gives Facebook user another reason to stay on top of Facebook’s privacy settings and adjust accordingly.

Facebook also announced that it will share the Look Back video of a loved one, which it created for users as part of its 10th Anniversary, upon a proper submission …


Continue Reading →

Top 10 e-discovery developments and trends in 2013: Part 2

Posted in Electronic Discovery, Information Technology, Privacy

Following is Part 2 of my third annual list of the top 10 e-discovery developments and trends from the past year. Read Part 1.

6. “It is malpractice to not seek a 502(d) order from the court before you seek documents.” U.S. Magistrate Judge Andrew Peck began last year at Legal Tech providing his thoughts on the importance of orders entered pursuant to Federal Rule of Evidence 502(d). He said: “I’ll give you a fairly straight takeaway on 502(d). In my opinion it is malpractice to not seek a 502(d) order from the court before you seek documents. That doesn’t mean you shouldn’t carefully review your material for privileged documents before production, but why not have that insurance policy?” Other judges echoed these sentiments as the year progressed.

As if hearing federal judges say malpractice and Rule 502(d) orders in the same sentence were not enough to convince federal court litigants to use them, cases throughout the year further highlighted the importance of securing these orders. Magistrate Judge Waxse enforced a Rule 502(d) order over the objection of the party that originally requested it in Rajala v. McGuire Woods, LLP, 08-2638 (D. Kan. Jan. 3, 2013). Earlier in the case, the defendant moved for a protective order that contained a clawback provision pursuant to Rule 502(d). Magistrate Judge Waxse entered the order which included language stating that “[t]he inadvertent disclosure or production of any information or document that is subject to an objection on the basis of attorney-client …


Continue Reading →

Top 10 e-discovery developments and trends in 2013: Part 1

Posted in Electronic Discovery, Information Technology, Privacy

Here is my third annual list of the top 10 e-discovery developments and trends from the past year.

1. The growth of Bring Your Own Device (BYOD) policies and work-related text messaging is creating litigation hold challenges. A Cisco survey found that 89% of companies are currently enabling employees to use their own electronic devices for work. Gartner predicts that by 2017 a half of all employers will require employees to provide their own devices. The growing prevalence and convenience of personal devices in the workplace is leading more employees to use text messaging for work-related purposes.

With these trends, it is no wonder that there were a number of decisions last year addressing whether an employer must produce ESI (mainly text messages) from its employees’ devices (mainly cell/smart phones). One of the key issues in these cases is whether the employer has “possession, custody, or control” over the devices. To decide this issue, courts have looked at whether the employer provided the devices, whether the employees used the devices for work-related purposes, and whether the employer otherwise had any legal right to obtain ESI from the devices on demand. Other issues that have been raised are the privacy rights of the employees and the employer’s obligations if its employees refuse to turn over their devices during discovery.

In ordering the production of business-related text messages on employees’ cell/smart phones, a court rejected the argument that the failure to preserve text messages should not be sanctioned because they are …


Continue Reading →

Forensic computer examination is where the rubber hits the (off) road

Posted in Electronic Discovery, Information Technology, Privacy

Forensic computer examinations can be expensive and therefore may prompt the question during litigation – are they worth it? A recent decision from the Southern District of Ohio illustrates why the answer is “yes” in many trade secret cases. In H&H Industries, Inc. v. Miller, the court relied heavily on the results of the forensic examination of the defendant’s computers to enter a preliminary injunction that prohibited the defendant, the plaintiff’s former employee, not only from divulging or using the plaintiff’s trade secrets but also from working for his new employer.

The plaintiff, H&H Industries, retreads and repairs off-the-road (“OTR”) tires and sells used OTR tires. The defendant, Erik Miller, began working for H&H in 2006, and since 2007 had worked as a salesperson of OTR tires. Miller had access to H&H’s confidential information, including pricing information, and, as such, H&H required him to sign a confidentiality agreement. On July 26, 2013, Miller notified H&H that he was leaving the company to join one of H&H’s direct competitors, Polar Rubber Products.…


Continue Reading →

Key e-discovery cases in December

Posted in Electronic Discovery, Privacy

The end of the year brought another decision that impacts Bring Your Own Device (BYOD) policies as well as another Court of Appeals decision addressing the recoverability of e-discovery costs under 28 U.S.C. § 1920(4), which permits a court to award “the costs of making copies of any materials where the copies are necessarily obtained for use in the case.” In addition to these decisions, there were key cases in December involving document preservation letters, search terms and clawback provisions.

Bring your own device (BYOD)

In Re Pradaxa (Dabigatran Etexilate) Products Liability Litigation, MDL No. 2385 (S.D. Ill. Dec. 9, 2013). The court fined the defendants $931,500 for various e-discovery failures and ordered them to produce additional documents and ESI, including business-related text messages on their employees’ cell/smart phones. “The defendants raised the issue that some employees use their personal cell phones while on business and utilize the texting feature of those phones for business purposes yet balk at the request of litigation lawyers to examine these personal phones.” The court rejected that concern and made clear that “[t]he litigation hold and the requirement to produce relevant text messages, without question, applies to that space on employees’ cell phones dedicated to the business which is relevant to this litigation.” The court further stated that employees refusing to provide their phones to the defendant-employer would be subject to a show cause order to appear personally before the court to explain why they should not be held in contempt.…


Continue Reading →

Key e-discovery cases in November

Posted in Electronic Discovery, Information Technology, Privacy

Last month, Magistrate Judge David J. Waxse decided an issue that we likely will see more of in the age of big data. He rejected a defendant’s undue burden argument even though even though the “data warehouses” at issue contained over 100 terabytes of data and the production would take several months to develop a process to extract and pull the data in the manner requested by the plaintiffs. In addition to that case, there were key cases in November involving BYOD issues, cooperation, the form of production, and spoliation.

Bring your own device (BYOD)

Ewald v. Royal Norwegian Embassy, No. 11-cv-2116 (D. Minn. Nov. 20, 2013). In my summary of key October cases, I discussed how the magistrate judge in this case denied the plaintiff’s motion to compel discovery, including a request for forensic images of certain laptops, phones, memory cards and tablets. The district court judge largely affirmed the magistrate judge’s order but reversed the order as it related to the discovery of text messages and voice messages contained on two work-provided mobile phones. The court held that the plaintiff was entitled to receive responsive text messages and voice messages contained on the mobile phone the defendant-employer provided to her and another employee. Accordingly, the court ordered the parties to meet and confer and agree on a protocol to conduct a search for responsive text messages and voice messages contained on their work-provided mobile phones used between Nov. 1, 2008 and Nov. 1, 2011. Interestingly, the …


Continue Reading →

LabMD joins Wyndham in challenging FTC’s data privacy authority

Posted in HIPAA Compliance, HITECH Act Compliance, Information Technology, Privacy

Section 5 of the Federal Trade Commission Act — the Act that established the FTC in the first place — makes it unlawful to engage in “unfair methods of competition … and unfair or deceptive acts or practices…” Though the words seem simple enough, its application in today’s world is anything but simple, particularly when you talk about data privacy. Two companies — Wyndham Worldwide Corp. and LabMD Inc. — are publicly, and independently, challenging the FTC’s authority over their data security policies (and subsequent lapses). This post is a quick update about LabMD’s challenge.

In August 2013, the FTC filed an administrative complaint against LabMD, alleging that it lacked appropriate data security and unreasonably exposed the health and personal data of its consumers. LabMD conducts clinical laboratory tests on patients and reports its finding to patients’ health care providers. In performing the needed tests, LabMD typically obtains personal information, including names, addresses, dates of birth, SSNs, bank account or credit card information, laboratory tests, test codes and results, diagnoses, clinical histories, and health insurance company names and policy numbers. LabMD possesses such data for approximately 1 million consumers.

The FTC charged that LabMD “failed to provide reasonable and appropriate security for personal information on its computer networks.” Among other things, the complaint states that LabMD failed to:…


Continue Reading →

A Trans-Atlantic exploration of emerging privacy law and policy issues

Posted in Information Technology, Privacy, Social Media

This past summer, the University of Amsterdam launched a new, week-long Privacy Law and Policy Summer Course related to the Internet, electronic communications, and online and social media. Course faculty included European and U.S. academics, European regulators and the head of the global privacy law practice at an international law firm, among others. Course participants consisted of 25 legal practitioners and post-graduate researchers from the Netherlands, Spain, Italy, Slovakia, the United States, Japan, Brazil, Kenya and other countries. I was lucky enough to serve as a co-organizer and faculty member for the course.

Taken together, the nine mini-seminars that constituted the backbone of the course provide a snapshot of developments in privacy law and policy in Europe and in the United States, and how they relate to one another. This should be of interest to U.S. lawyers and others who work in the areas of privacy law, compliance and management. What follows is a brief description of some key takeaways from the week, and an attempt to pull them together into a broader perspective.

Doing business over the Internet

Daniel Cooper, head of the Global Privacy Practice at Covington & Burling, discussed emerging legal and policy challenges facing European companies that seek to do business over the Internet. Cooper’s comprehensive presentation stressed that companies face a wide array of matters, including privacy issues related to online behavioral advertising and business use of social media, facial recognition technology, mobile apps, and big data. The 1995 Data Protection Directive pre-dates these technological …


Continue Reading →

Defensible deletion: No spoliation where defendant destroyed emails and documents pursuant to its records retention policies

Posted in Electronic Discovery, Privacy

When I present on e-discovery, I often use EDRM’s Electronic Discovery Reference Model to explain how decisions made about the creation, storage and deletion of electronically stored information (ESI) can affect how e-discovery is conducted in a lawsuit. The EDRM model illustrates how a company’s records and information management policies can impact the volume of ESI that may be relevant in a case, and how this volume can impact the overall cost of e-discovery.

Records retention policies that are carefully thought out and followed by a company can lower the volume of ESI that needs to be preserved, collected and reviewed during litigation, and also can reduce the risk of keeping records that the company no longer needs and carry inherent risks, such as documents with personally identifiable information. If a company is not making decisions about records retention at the organizational level, then it is leaving it up to individual employees to make ad hoc decisions about what is kept and deleted, and is likely increasing its long-term legal risks and costs.

Defensible deletion

An essential part of an effective records retention policy is the defensible deletion of data. Defensible deletion refers to the process of disposing of information that is no longer needed for business or legal reasons within the framework of an overall information governance strategy.…


Continue Reading →

Privacy on the go: California’s recommendations for the mobile ecosystem

Posted in Information Technology, Privacy

Privacy policies are often lengthy, difficult to read and even more complicated to understand. Facebook’s data use policy, for instance, fills 16 pages and contains more than 9,000 words. The idea of reading through an entire privacy policy on the small screen of a mobile device exemplifies the need for a different, more user-friendly approach. In addition, mobile devices pose unique privacy challenges such as GPS tracking, text messages and call logs.

California, a state with consumer protection laws that are among the strongest in the country, has had explicit legislation governing online privacy since 2004 when the California Online Privacy Protection Act1 (“CalOPPA”) was enacted. CalOPPA § 22575(a) forces all operators of websites or online services to post their privacy policies in a conspicuous manner assuming they target individuals residing in California.

The California Attorney General, Kamala Harris, concluded in 2012 that, with regard to mobile devices and the apps they employ, the “conspicuous” display of privacy notices required an app-specific version and that a mere link to the company’s website was insufficient to meet the posting requirements referenced above. Harris sent notices to mobile developers Oct. 30, 2012, warning that they were not in compliance with California privacy law if their apps did not contain a conspicuously posted privacy notice. Shortly thereafter, California filed suit against Delta Airlines Inc., alleging the airline’s “Fly Delta” app lacked the requisite privacy notice despite collecting extensive personally identifiable information (PII) of its customers.…


Continue Reading →

Facebook eases requirements for sweeps and contest promotions

Posted in Privacy, Social Media

For many years, we have been advising our clients that, in addition to the laws addressing sweepstakes and contest promotions, they must also be aware of the Facebook’s promotion guidelines if they wished to link their sweepstakes promotion to the company Facebook presence. While that remains true, Facebook has now made it much easier for companies to run promotions through Facebook. Prior to Facebook changing the terms of their guidelines on Aug. 27, promotions were not allowed to be run directly through Facebook or Facebook’s functionality. Instead, running a contest or sweepstakes promotion required companies to use a third-party (or in-house created) application run on Facebook’s platform. Facebook posted an announcement of the changes which also explained some of the remaining limitations (such as prohibitions in the new guidelines against encouraging inaccurate tagging for purposes of a promotion). The amended guidelines also include certain other requirements with respect to clarifications that Facebook is not a sponsor of and does not endorse the promotion and a release of Facebook from all liability.

Whether a company would be wise to take advantage of this new freedom depends in part on a number of factors — including the nature and complexity of the promotion, the notoriety of the particular company and anticipated participation. It may prove extremely difficult to reasonably and fairly sort through thousands of entries without running them through some kind of application in order to verify, count, review or otherwise manage the entries. Further, running the promotion directly through Facebook …


Continue Reading →

Subpoenas seeking identifying information and login data associated with email addresses did not violate First Amendment or privacy rights

Posted in Electronic Discovery, Information Technology, Privacy, Social Media

A federal court in California has held that subpoenas served on Google and Yahoo! seeking the subscriber and usage information associated with 68 email addresses did not infringe on the subscribers’ First Amendment rights or their right to privacy. Chevron Corp v. Donziger, No. 12-mc-80237 (N.D. Cal. Aug. 22, 2013). The subpoenas also did not violate the Stored Communications Act (SCA). According to the court, the subscribers “vastly overestimate[d] the amount of legal protection accorded to the subscriber and usage information associated with their email addresses.” Chevron, slip op. at 32.

The court reasoned that:

Although the [subscribers] may believe that using their email addresses will protect their identities, that belief is simply not reflected by the reality of the world we live in. Email addresses are labels we voluntarily present to the outside world, through which we allow the world to contact us, and in that way identify us.

Id. at 14.

The court’s decision is a reminder of how much information is being collected and stored electronically about a subscriber each time that person establishes and logs into an internet account — whether that account is webmail, a social media site or a customer profile — and how that information may become discoverable and accessed years later during litigation. It also shows how valuable metadata can be not only to internet marketers and service providers but also to litigants.…


Continue Reading →

Implementing cloud strategies

Posted in Data Breach Notification, Information Technology, Privacy

As companies struggle with how to develop cloud strategies that are both cost effective and protect sensitive consumer and corporate data, the National Institute of Standards and Technology (NIST) can provide hands-on information to the private sector to help implement a reasonable cloud computing solution. Though NIST provides guidelines to the U.S. Government, the private sector can learn, too. Recently, NIST has stressed that the three major challenge areas for adoption of cloud computing are security, portability and interoperability.

In June, NIST released draft Special Publication (SP 500-299) as part of its ongoing obligation to develop technical and security standards for federal agencies as they adopt cloud computing solutions. This draft has been undergoing further comment and review. While these standards will establish protocol for procurement of cloud services by the federal government, they are likely to impact the use of cloud services and contractual terms in the private sector.

Cloud computing — the big picture

Companies adopting cloud solutions may struggle with setting a framework for their analysis of how to adopt a cloud solution. Exactly what is the cloud? According to the NIST definition:…


Continue Reading →

Sanctions for spoliation of evidence

Posted in Electronic Discovery, Information Technology, Privacy

This article was published originally at InsideCounsel.com. The article is the final installment of a six-part series focusing on evidence spoliation. Read more here, here and here.

Spoliation of evidence occurs when an individual or entity violates its duty to preserve relevant evidence. A finding of spoliation will often result in the imposition of sanctions and can significantly impact a litigation. Understanding how courts determine the appropriate spoliation sanction to impose is essential when this issue arises.

Courts have two sources of authority for sanctioning spoliation of evidence. Under the rules of civil procedure, courts have broad discretion to impose a variety of sanctions against a party that fails to produce evidence in violation of the civil rules. The primary limitation on this authority is that the discovery rules apply only to acts of spoliation that occur during the pendency of a lawsuit or following a court order. Courts also rely upon their inherent power to control the administration of justice to sanction pre-litigation spoliation. This authority allows courts to preserve their independence and integrity, since the destruction of evidence inhibits a court’s ability to hear evidence and accurately determine the facts.…


Continue Reading →

Court denies employer’s access to social media posts in FLSA collective action and sends warning: If you want access to social media, come with both barrels loaded … leave the water gun at home

Posted in Electronic Discovery, Information Technology, Privacy, Social Media

A federal court has denied a defendant-employer’s request that plaintiffs sift through and turn over all their social media posts made during their work hours in an FLSA collective action in which the plaintiffs claim their employer failed to give them meal breaks. How did that happen? I thought you’d never ask.

By way of background, Jewell v. Aaron’s Inc., is a nationwide,1,700+ FLSA collective action pending in the Northern District of Georgia. In the suit (Complaint accessible here), the class plaintiffs (current and former employees of Aaron’s) claim they were not paid for their 30-minute meal periods. As you might imagine, with that many plaintiffs discovery has been difficult. So with that, the parties got creative. They were able to work together to narrow the issues and determined that of the 1,700+ class members, discovery would only be served and responded to by 87 of the opt-in plaintiffs (the “Discovery Plaintiffs”). I won’t go into all the details about that discovery (you may read the Defendant’s Memorandum in Support of Motion for Court Approval of Discovery Request to a Small Number of Randomly-Selected Opt-In Plaintiffs here), because I want to focus on the social media portion of the discovery dispute.

Specifically, in one request for production, Aaron’s asked the Discovery Plaintiffs to produce:

“All documents, statements, or any activity available that you posted on any internet Web site or Web page, including, but not limited to Facebook, MySpace, LinkedIn, Twitter, or a blog from 2009 to the …


Continue Reading →

New Jersey Supreme Court holds police must obtain warrants for cell-phone tracking data

Posted in Information Technology, Privacy

Today’s cell phones enable people to stay connected to work, family and friends in ways that would have sounded like science fiction to past generations. But even some of the savviest of cell-phone users are unaware of the ways in which their devices may be used against them. To police and prosecutors, a cell-phone, which registers its location with the nearest cell phone tower every seven seconds, is like an individual tracking device. And, as the landscape of cell-phone towers becomes denser, the radius served by each tower becomes smaller, allowing police to track cell-phone users with greater and greater precision. In some areas served by “micro cell sites,” police are able to track cell-phone users within buildings, and even within individual floors and rooms within buildings.

Not surprisingly, law enforcement across the country have made increasing use of cell-phone tracking data to nab criminal suspects as well as to compile evidence in the cases against them — showing exactly where they were when the crime in question was committed. A recent study by the American Civil Liberties Union found that police use of cell-phone tracking data is so widespread that wireless companies now provide police departments with a menu of “surveillance fees” for tracking data and other types of information. Police typically are able to obtain such tracking data without a warrant, but this is where the New Jersey Supreme Court, in State v. Earls, drew the line.…


Continue Reading →