Current Issues in Technology Part II
This course is designed to expand on various issues under the umbrella of technology law. In every aspect of a lawyer’s career, technology plays a role. Technology is so important to today’s lawyer that state bars are starting to add a technology element to required CLEs. This course provides a summary of e-discovery issues should litigation ensue and addresses attorney duties in regard to data security.
Jillian Kuehl - Hello, welcome to Quimbee CLE. My name is Jillian and I'm a program attorney here at Quimbee. Today, I am joined by Larry Kunin, who will be speaking with us about current issues in technology law that lawyers are facing today. Larry is a partner at Morris, Manning and Martin, and serves as chair of the firm's technology and intellectual property live litigation practice. His practice focuses in commercial, technology and intellectual property, litigation and consultation, and Larry's clients have ranged from publicly traded companies to startups and individuals. We are so excited to have you here with us today. Welcome Larry.
Larry Kunin - My pleasure.
Jillian Kuehl - All right, so why don't we just start off today, Larry, if you wanna just give us an overview of kind of what we'll be talking about.
Larry Kunin - Sure, we're gonna be talking about two high level technology topics today that are critical for attorneys' current practice. And this is especially in the area of either litigation or data security. The first sub-topic we're gonna cover are eDiscovery issues, electronic discovery issues along with attorney ethical duties that go along with that. And then the second part will have to do with data security. We hear, you know, every day about data breaches occurring in our world, and about how in the attorney's practice, there are actually ethical rules that make attorneys' obligations related to data security even higher than that of the public. And we're gonna be talking about what are those rules and the reasons why an attorney needs to pay attention to their own data security.
Jillian Kuehl - Okay, great. So let's just start off with that first section you mentioned eDiscovery. So Larry, why is eDiscovery so important?
Larry Kunin - That simply our world has changed from a paper world to an electronic world. So when we get into litigation specifically, litigation is all about evidence. Evidence in all forms is now stored electronically. It could be everything from an electronic photograph of a car accident to communications in a corporate deal. It could be telephone recordings, text messages, you name it. And now it's even complicated by the fact that we exist in the cloud. We have social media. People communicate on social media. People say things on social media that are important. Those are stored on the cloud. And sometimes people are not aware that when they talk on social media, they're actually creating a record that could be evidence in a lawsuit. Just as one simple example. When I take a deposition of somebody, I usually prepare by actually going to their social media, if they have one that's public and see what their biases might be or what they might be saying possibly even about the case, but more importantly, because that information's usually anecdotal, it's finding the evidence, who said what to whom in an email. And so when we get into lawsuits, unlike the old days where we were going into file cabinets and pulling out letters and reviewing those letters, everything is now electronic and that's good and bad because it creates an easier way to search through information because you could do search terms for example, or you could electronically search for a file location as opposed to going into a warehouse.
At the other side of the coin is it's very, very large and sometimes unwieldy volume. And I'm gonna give one example that I tell people. You send an innocuous email to somebody. That's just one email. And I send it from my iPhone, while that email's on my iPhone, then it goes up to the Apple server, and then from the Apple server, it gets shifted over to whoever is the internet service provider for my law firm, which then downloads the email to my law firm, into its Microsoft Exchange. I've already created four, five, maybe six copies of a single email just by sending a one sentence email to one person. Now imagine that person replies and copies two people. And then two of those people reply to that. Next thing you know a one line email has 40, 50, 60 copies to it. So it's a tremendous volume and we need to learn how to get through that volume and there are tools to do that and we'll talk about some of that today. Another reason why electronic discovery is important is because if you don't do it right, then your client and yourself potentially could be in trouble with the court and even get sanctioned by the court. Because if you fail to gather the appropriate evidence or preserve the evidence, and we'll talk a little bit about preservation later, but if you fail to do that, you are technically impeding the opposing party's ability to prove their case and so as a result the court may actually sanction you.
Jillian Kuehl - And Larry can you give us an example or a few examples of the kinds of things that can happen when attorneys are not paying attention especially regarding sanctions.
Larry Kunin - Yes and I'm gonna give you some example case law. And in this case law, I'll say it at high level is meant to scare you. And it's meant to scare you into making sure you do the right thing. But I will say that sanctions themselves are usually pretty rare. And here's why I say that. Let's say I have some emails exchange with somebody and I with intent destroy those emails. Well, there's still a recipient of those emails. And so to get sanctions, you have to show things like something was destroyed is not retrievable through a backup, or is not retrievable through another party who may have received it. You have to prove that the evidence was at least in theory relevant to your case not just the mere fact of destruction and that that value to the case is a material value. But these are cases that show the extreme of what can happen if you don't do things in the right, you know, right out of the box.
So, first one. This is a case outta Florida, it's called Coleman Holdings versus Morgan Stanley. And in this case, Morgan Stanley had failed to preserve and produce backup tapes, emails, and email attachments. The court granted an adverse inference, which is the thing you don't wanna get as far as sanctions, sanctions could be retaking a deposition that's not bad. It could be a warning from the court, that's not too bad, but an adverse inference means the jury can assume that the evidence that was destroyed was going to damage you. And the court said in this case, because of the broad failure to preserve, not only the emails, but the email attachments and the backup tapes along with it and the jury issued a $1.45 billion verdict, including $850 million of punitive damages. The punitive damages presumably going to the fact that there was an intentional destruction of evidence. The appellate court did reverse on grounds that the... There was lack of evidence of damages. So the appellate court reversed the damage award, but the appellate court did not touch the sanction order. So therefore the adverse inference still lives, but the plaintiff still had to prove damages.
Another case is ETrade versus Deutsche Bank. This is a Minnesota case. And here the defendant wrongfully destroyed three categories of evidence after they knew about potential litigation. They destroyed company hard drives, they erased six hard drives. They re-erased telephone recordings, and they did not put a hold on destruction of email, which is something that you need to do, and I'm gonna talk a little bit more about preservation, but it's smart to put a hold on email, 'cause email tends to get deleted over time based on how your system's designed. They did not turn that off. The court said there would be a sanctions of an adverse inference to get an assumption that the evidence they destroyed is bad for them. $5,000 for failing to conduct a reasonable inquiry before responding to a request for production and $5,000 for failing to conduct a reasonable inquiry into voice recordings. And I can tell you it's very common for lawyers to not talk about text messages and voicemail recordings. I don't know if the listeners of this have a system similar to what my firm has now, but I now get my voicemails by email. An email will pop up and it'll say, it's from Cisco. And it's a voicemail from someone. So I don't have to go into my phone to get it. It's actually sitting there in my email. That makes it kind of easy to preserve. Well, if you don't have that system, people forget, they actually have to get their email box, I'm sorry, their voicemail box preserved if there are relevant voicemails to the lawsuit.
The next case example, and this is probably one of the seminal cases. There was a string of decisions in a case called Zubulake in the Southern District in New York, more than a decade ago. And this was the first case that really started talking about counsel's duty to address eDiscovery issues. And I'll give you some highlight guidance from this. And by the way, the federal rules that will go over a lot of the points in the federal rules came out of the Zubulake decisions. First counsel has a duty to properly communicate with its clients to ensure sources of information is discovered. Then to identify the sources, counsel should be familiar with the client's document retention policies, that includes auto delete, as well as client retention architecture. That in effort involves communicating with IT personnel if they've got IT personnel, or at least who is responsible, if there's an outside IT service firm, whoever is responsible for communicating with them and the key players in the litigation to understand how information is stored. Basically means attorneys have to do their homework.
Then there's this case last case I'll talk about. And this is to me a very scary case, and I don't necessarily agree with it, but it's a case that's out there, also Southern District in New York which happens to be a very stringent district so if you're in the Southern District in New York, really need to pay attention to electronically stored information or ESI as we call it. In Phoenix Four, the lawyer interviewed the clients regarding the need to locate and produce electronic information. Check, that's a good thing. After deposition started, information was located on a hidden hard drive partition on a computer that was no longer in use. So when they did their search for documents, they did not find this information because the computer was turned off and it was also in a partition that wasn't used. And I don't wanna go too much into detail on architecture, but you know, people think about a C drive being your hard drive. Well, it's possible to create virtual drives that really aren't a separate physical drive, but you map to them and you call part of that hard drive, like the D drive or the E drive. And maybe a user is using that. And then if the user leaves the firm, they no longer need that mapping and so nobody sees that drive. Well, the lawyers, when they discovered this and they discovered it because there was an IT service call and the IT person was working on the servers and said, "By the way, did you know that you had a hidden drive here?"
So they immediately looked at the hidden drive. They saw that there was stuff relevant to the lawsuit. They called the opposing counsel and disclosed what they had just found and said that they would produce all of the information that they had just found and explained why they didn't find it. The court sanctioned them anyway. Now the sanctions weren't tremendous. The sanctions were that they had to pay a little bit of money and pay for the cost to retake some of the depositions to address this new information. Now think about how scary that is. How many lawyers do you think know what a hidden partition and drive mapping and all of that is. And here there were sanctions that included an order that the lawyers could not report to their malpractice carrier. Now, I don't know if that's valid and it probably was below the deductible anyway, but the point was, oh boy, the court really held these attorneys to their feet. You know, so those are case examples of how things can go bad if the lawyer does not properly counsel the client or the client destroys evidence notwithstanding the direction of the lawyer.
Jillian Kuehl - So that last case is interesting. It seems like the first few, there was a little bit of purposefulness between or behind the actions. So does intent not matter when it comes to sanctions?
Larry Kunin - Intent does matter. And intent goes to the severity of the sanctions and who gets sanctioned. It, you know, so you wouldn't see intent on most circumstances to the lawyer that wouldn't result in a lawyer being sanctioned. But if a party intentionally destroys evidence that could affect the severity of the sanctions. Now again, the court still has to go through was evidence truly destroyed? So if I destroy an email box, but there's a backup, or if I destroy an email box, but all communications were to somebody else and I can get the information from them, that's fine. Or if we're looking for a document that I know is an attachment to an email, but I can otherwise find that document. Intent alone does not get you sanctions. But if you meet all the elements, intent can increase the severity of the sanctions.
Jillian Kuehl - Okay...
Larry Kunin - I mentioned adverse inference is bad. The absolute worst is striking your pleadings.
Jillian Kuehl - Yeah. That would be the worst. That would be bad. And so what about state bars? How have state bar ethics rules sort of played in and progressed in the area of eDiscovery?
Larry Kunin - Sure. I'm gonna give two examples. And this has to do with more of the ESI electronic discovery part of this. Later on in our discussion we'll talk about ethical rules regarding data security, but after these Zubulake decisions, that there were some states that spoke up and I'm gonna give an example of two of 'em.
One is State of Florida. When cloud computing became big, which was after the Zubulake decisions, the Florida Board of Ethics issued this ethics opinion regarding cloud computing and said, "Lawyers may use cloud computing, if they take reasonable precautions to ensure the confidentiality of client information is maintained, the service provider maintains adequate security, the lawyer has adequate access to the information stored remotely, and the lawyer should research the service provider to be used." So for example, most of us get these spam emails and calls every day about some guy who has some great cloud platform. And that all sounds well and good, but you should research, what are their security protocols? If you breach the contract, can they hold your data hostage? Do you have access to it? If you're using one of the larger data providers, you probably don't have that problem. You know, if you're using an epic or, you know, a curl or something like that, you don't need to deal with it.
And then California is another one that I've pulled out California ethics opinion. This is a 2015 opinion. And it says, "Attorneys who handle litigation may not ignore the requirements and obligations of electronic discovery." "Depending on the factual circumstances, a lack of technological knowledge in handling a discovery may render an attorney ethically incompetent to handle certain litigation matters involving eDiscovery." Absent curative assistance under what's their rule 3-110(C) which is basically getting assistance. And it says, "Even where the attorney may otherwise be highly experienced." "It may also result in violations of the duty of confidentiality, notwithstanding the lack of bad faith conduct." Well, this sounds a little bit similar to that Phoenix Four case I mentioned. This is specifically calling out that you may be an experienced attorney, and if you lack technological knowledge, you may still be considered ethically incompetent. Now, some firms at larger firms have an advantage 'cause you usually have a litigation support in house. I know my firm has that and when it comes to collecting data, I usually get somebody from my lit support on the phone with the client to walk through their sources of information, where it is, how we could collect it, 'cause they're the experienced person and as long as they're doing it at my direction, 'cause I'm the one with the ethical obligation. They're more in a paralegal role then you're covered. And what it's saying is just don't fly blind. If you're an attorney and you really don't know what you're doing. Now if you're just talking about emails, we all know what emails are. It's when things get a little bit more complicated, multiple emails, change systems, you know, the client changed systems a year ago, that type of thing. So lawyers just need to think about that.
Jillian Kuehl - And you know, you mentioned you're at a larger firm, you would be able to call your lit support team. What about someone who's maybe a solo or out on their own, you know, what would you suggest they do for this type of situation?
Larry Kunin - That there is no shortage of outside vendors that can help you and people think they're expensive, but not necessarily so. If you're just helping them identify or they're helping you identify sources of information and gathering that information, it is not nearly as expensive as what people think. Usually the cases are a lot more. I will say that back when Zubulake came out, there was a lot of discussion about, "Whoa, wait a minute. If I have to do everything that's in the Zubulake case, that's gonna cost me between my time and my expert's time it's gonna cost 50, $100,000 and I've got a $30,000 lawsuit, that doesn't make any sense." While Shira Scheindlin, who is the judge there, I've seen speak at a few things. She goes, "Now obviously at the end of the day, there is a level of practicality, that you're not gonna spend more money than the case is worth." You know, they don't actually say that in these rules, but that's built into everything when it comes to what's your level of diligence? Well, if your level of diligence exceeds the value of the lawsuit, it's probably not worth that level of diligence. I say that with great caution, but I also do say that as time passes, more and more lawyers are becoming more familiar with, you know, what is a text message and what is an email and where are you storing your email? Chances are the small outfits, not representing Nike and IBM. They're representing smaller businesses or individuals that probably don't have this massive spider of information. And they're probably just using a single source of the cloud. So, you know, in a way this sounds scary. It's really not scary. It just means, think about it.
Jillian Kuehl - Fair enough. So now that we've touched on a couple of state rules, what about the federal rules? How does this...
Larry Kunin - Okay so... So the federal rules were modified maybe about a decade or more ago to build in the concept of electronic discovery. Frankly, when I first read them, I didn't think they added anything because if you have an obligation to search for relevant information and produce relevant information and that relevant information happens to be in ESI, Electronically Stored Information, then it's produceable and something you gotta talk about. But the federal rules did, however, was it brought it to the forefront and made it express and blatantly obvious that you gotta look at this stuff.
And then state courts were fairly slow to follow. Not every state courts has ESI rules. They're in process. State courts are ahead of the game with regard to rules. They're somewhat patterned after the federal rules. So I'm not gonna go over state specific rules, but I'm gonna cover the federal rules, 'cause it pretty much gives you the idea of what you need to do. So first of all, if you're familiar with federal practice rule 16 is the rule that says that the court can issue a scheduling order and those of us that have practiced in federal court know that virtually every time the court issues a scheduling order. Well, two provisions got added when they amended the rules to put in the ESI. They put in a part five that says one of the things in the scheduling order is provisions for disclosure of discovery of electronically stored information. And they also addressed number six, a new one, any agreement the parties reach for asserting claims of privilege or of protection as trial preparation material after production. The purpose of that is when we are producing electronic information, it is very easy for the inadvertent production of privileged information. And so what the court is saying is, "You guys should talk about that because the purpose of this whole thing is not for somebody to get a gotcha and get it inadvertently produced information."
So you should talk about how do you deal with protecting privilege when you're producing ESI, because stuff is going to get through. So talk about it and I'll come back to that in a few minutes. Rule 26 is your discovery plan. That's actually what you do before the court issues the rule 16 order and added to that rule was a statement that you need to talk about issues related to preserving discoverable information. And that means that you have to have done your homework before that so that you know where discoverable information is and what you're doing to preserve it. They also added this provision. Any issue that you should discuss any issues regarding disclosure discovery, including the form or forms in which it should be produced. In the old days, the way we produced things was we ran it through a copy machine and here's your boxes of paper. Well, now we could produce in native format, meaning a native word file, Excel file, photo file. We could produce them in PDF format, you know, Adobe Acrobat. We could produce them in what's known as TIF format, which is what a lot of document repositories like to use. And there's a lot of technicality to that. So if the parties can reach agreement to those forms in advance it avoids disputes later. And then it repeats what was stated in rule 16 about talking about how you protect privilege.
Alright, I wanna talk about I mentioned preserving evidence, I wanna stop on this. The duty to preserve evidence starts as soon as you are aware of actual or potential litigation. So actual litigation's easy, you get a complaint. All right, I'm ensued, that's easy. What about the potential litigation? Well, if I'm a defendant and I get a demand letter in advance of a lawsuit, that puts me on notice of potential litigation, the duty to preserve arises. If you're a plaintiff, the minute as a lawyer your client says, "I think I wanna sue these people, or I want you to send a demand letter," the duty to preserve arises, even though I haven't actually filed a lawsuit yet, maybe haven't even drafted one. That's when the duty to preserve arises. And here are some common mistakes when the duty to preserve arises and this is by no means an exhaustive list. One is text messages. People forget about text messages and most phones including iPhones are automatically set to delete text messages after a fixed period of time. On iPhones it's usually a year, but you've gotta turn those off. You just go right into your settings and you turn off the auto delete and make sure you save them.
Another is there are these temporary communication platforms like Slack, where you communicate with someone, it might be a support ticket or something like that and then the message disappears shortly thereafter. You gotta turn off the feature that automatically deletes those if those Slack messages are relevant. If they're not relevant, you don't have to worry about it. And then probably two things that I think are the most common. One is you have your document hold, everything's hunky dory, nothing's being deleted and an employee, a relevant employee leaves the company and someone in IT goes into autopilot, grabs their laptop and reformats it and reissues it to another new employee. You just destroyed everything that was on the laptop. If an employee who has relevant evidence leaves the company, their laptop needs to be grabbed and put into a safe or turned over to the lawyer, and that's just something nobody did with intent. It's just a mistake. The other mistake that happens is where somebody gets a demand and before they call their lawyer to find out what to do, they immediately delete what might be the offending thing such as, "We think that you copied some of our copyrighted material and you did so with unauthorized access to our system," and you go "Oh Oh," so you go into your system, you delete the material. You just delete the evidence. And so that you can't do. Once you get a direction not to delete, don't delete. Those are again just the common mistakes but there's a lot more out there.
Jillian Kuehl - Larry, do you have, I guess, tips for attorneys or people sort of at this stage, like what do you have a checklist? You know, is there something that they can like think about and look at so that they're not making these mistakes?
Larry Kunin - Yes, there is. And you can actually see some of these in the federal rules if you read through the comments and you know, why don't we talk about some of these things and then we'll back up a little bit and talk about a couple of the rules and how they align with that. So, before your conference, these are things that you should consider. And when I say to your conference, I'm talking about your rule 26 planning conference with opposing counsel. So before that conference, I need to learn where my client's information is stored. Are there emails in the cloud? Are they local? Have they changed systems? If they changed systems, do we have an archive of the old system? Did people communicate by text message, et cetera. Two, identify the individuals who are most familiar with the client's computer system and can educate the lawyers regarding these issues. Three, identify who are what we call the document custodians. Who are the people who have information relevant to this dispute? So if it's, you know, let's say it's a software implementation project. I have a company that develops software. The people who have relevant information are most likely gonna be the project manager and the project manager's team on my side. And then maybe a contract manager who manages the contract and maybe the sales people who sold the contract, but it wouldn't be everybody in the company who never touched them. So identify who has relevant knowledge and this includes importantly includes former employees who might have worked on the project and aren't there anymore. And maybe we can capture their email box, even though they've already left.
Think about how you would search for those documents. And again this is where litigation support personnel or IT personnel could help you. What search terms would I look for? You know, if somebody's got, you know, a terabyte of emails, nobody wants to go through a terabyte of emails. The easy way is to search electronically for information. I'm gonna pause on that. When this concept first came up over a decade ago, there was a knee jerk reaction to the old way of doing business which is how we would take boxes and go through page after page after page reading documents. And people would say, "We don't like electronic searches because there's a chance that you're gonna miss something through the electronic search." While studies showed very clearly that the error rate on manual search was about 30%, and the error rate on your search terms, depending on how finite you get to your search terms is only an average of 10% or less. And again it depends how finite you get on your search terms. You can even search for what they call fuzzy searching, where you don't have to spell the word exactly. You could search for terms within another term. You could search for terms that are right next to each other. These are not difficult things.
Anyone who knows about database management can help you. And so normally it's not a big risk to do search terms. And in fact, there is technology out there, if your case is worth it, called Technology Enhanced Review, TER, and this is where you take requests for production, and you put those into the software and then search and you keep searching with an algorithm to try to get to an error rate, that's like under a certain percent that the parties agree to. And then once you get that, then boom you're running through your database and you're done. And of course it should always be without prejudice. Like if somebody says, "Well, I didn't see X document that I know exists." Well, then we could do a targeted search for that. And then also when you're preparing for the conference think about what form you would like your documents when you get them from the other side. Or what's easier for you to provide to the other side. And then you get into the conference itself, and here's your conference checklist.
We gotta talk about the mandatory disclosures, which is in the federal rules. Been there forever. We have to identify your witnesses, your documents. You have to identify a calculation of your damages. And if insurance will cover the claim. Well, in those discover... You do that in the conference talk about it. You talk about the form of document production, the production logistics. What do you do about information that's not reasonably accessible? This usually has to do with information that was properly deleted through a preservation policy, or because you switch systems and you're no longer using a legacy system. Talk about your word search capability. Talk about because of privilege inadvertent disclosure and how you claw back information. You might wanna talk about cost sharing issues and cost shifting issues that usually ends up as a dispute.
But let's say somebody wants me to search something that I don't think is relevant and not worth the cost I may turn that around and say, "If you really want it, you pay for it." Usually that requires court intervention. People normally don't agree to pay, but it happens. Protective orders are important, more and more litigation involves the production of confidential information. And you could put a clawback clause in your protective order that also says that if you get inadvertently produced info, you have to give it back. You could talk about deduplication. This is an outstanding function of a lot of document management databases. Remember I said, you send one email and it creates multiple copies and then it's two people respond and two people respond to that. Next thing you know, one email turns into 50 emails. Deduplication is an electronic process that compares all these emails and eliminates all the duplicates. So it significantly reduces your production without reducing a single document. It just reduces the copies and documents. And then you might wanna talk about organization of the production. So that's your checklist. And then, you know, there are some rules that kind of talk about that and lead you to that checklist. And would you like me to go through some of those?
Jillian Kuehl - I absolutely would love that.
Larry Kunin - Okay, so, when we were talking about rule 26, which is where you have your conference. Rule 26 also gives some hints about how you protect privilege. And so under rule 26 , if information is produced in discovery that is subject to a claim of privilege or protection as trial prep material, the party making the claim may notify any party that received the information of the claim and the basis for it. After being notified, a party must return sequester or destroy the information. After a receiving party may promptly present the information to a court under seal if they disagree with the fact that it's privileged and they want the court to decide it. If the receiving party disclosed the information before being notified, the disclosing party must take steps to retrieve it. And then the producing party must preserve the information until the claim is resolved. All right, there's an easy way to override all of this. So that goes into that element of talk about, go ahead and talk about how you're gonna protect privilege. Well, you could put that procedure right in the protective order. I could tell you that Florida... And it only applies to state courts, but in Florida, they've got an ethical rule that says if I as a lawyer, get inadvertently produced material, I can't wait for the other side to raise it. I have an affirmative obligation to raise it and tell the other side, "I think you gave me something privileged."
I actually have an example of this happening recently, where we were given in production. It was an attorney-client memo from a law firm to our opposing party. And so I flagged it, I called opposing counsel. I sent it back to them and I said, "For some reason I've got this document that is sent by your client's other attorneys to them on a subject." That didn't seem to be relevant to our lawsuit. And he thanked me and said he would look into it. Well it turns out that his client voluntarily gave my client that document as part of their discussions to get into a deal. So it was a properly disclosed document. The privilege was waived and we were entitled to it. But that's an example of the process you go through to make sure everybody is acting ethically and safe. Another thing you can do to protect privilege. And I'm gonna repeat a really important line that a federal judge in New York once told me. It was at a conference we were on the panel together. But there's a rule of evidence. It's 408... I'm sorry, 504, which addresses privilege. 504 is a fairly new provision that got put in. And it says that the court can issue an order that says the inadvertent production of privileged information does not waive the privilege.
Basically that's it, period. And if the court enters that order, it also applies to any state court that may get that same discoverable material. And this federal judge says to the audience, "That rule is sitting right there to protect you. If you do not ask for a 502 order, you have committed malpractice, any questions?" Now, it doesn't mean you're gonna get a 50D order. It doesn't mean the other side's gonna agree to the 50D order. It doesn't mean the judge is not gonna give you a 50D order, but his point was know it's there and ask for it because that overrides everything we've talked about here. There is no waiver. Then with regard to rule 34 is the scope of a request for production. And it specifically put in... the fairly new rules put in the ability to test or sample or get any electronically stored information and getting compilations stored in any medium from which they can be obtained. And then in the procedure, you can actually say, what form you wanna get it in. And as long as you get it in that form, that's good. The other side has an opportunity to object to that form and then you have to talk about it. If you fail to say what form you're in, and I can tell you the vast majority of request productions I see don't say the form. Then the recipient party can choose the form. Now that still goes into the conference section about talking about the form upfront. 'Cause if you reach that agreement, you don't have to worry about this procedure. This is the default procedure. And then--
Jillian Kuehl - What are some different types of forms?
Larry Kunin - Well, that again would be, you're gonna produce it in paper, native, you know, PDF. Usually people wanna Bates label things. Let me talk a little bit more about the pitfalls, the pros and cons of those forms. The disadvantage of producing a native Word file or Excel file, is, one, they can be modified. Now they'll be caught if they modify them because you're gonna have the original and you're gonna see where there's a modification, but it takes some effort to notice that. Two, you can't put a Bates number on it because to put a Bates number on it is altering the document. So what they normally do is the file will have a unique file name in your document management system. Also, if the information is confidential, you can't go in the document and mark it confidential, 'cause that's not the original marking of the document. So again, the file name might be document 1250-confidential. So you could do that. And so that's a disadvantage of native format. Whereas if you go with PDF you just Bates label it, it's not part of the original document, you could put a confidential mark on it. A TIFF, T-I-F-F is very similar to a PDF. They can both be searchable. T-I-F-F is a lot smaller file.
And generally it's like one massive file that's produced with what's called a load file and the load file tells the system where to divide the documents, getting a little legally technical here, not legally technical, computer technical, but the litigation support who puts this together will know what they're doing. Trust me, the lawyer's not putting together that database. The con of a PDF and where you would want a native is spreadsheets especially. You know, spreadsheets have cell formulas behind them. Spreadsheets get massively long and wide. They don't print very friendly unless it's a small spreadsheet. And so sometimes it's just better to produce spreadsheets in native format. And so these are the kind of things you need to think about. And sometimes you have to do it on the fly. You know, some spreadsheets may be small and you just wanna do it by PDF or TIFF. And then you're gonna have one or two spreadsheets that are just so massive. You gotta pick up a phone, call the other side and say, "Look, I'm gonna produce this one in native format, but I need your agreement it's confidential, we'll put that name in the file."
So, and the other interesting thing about native is native will carry with it metadata. Metadata are your things about the document. You know, when was it modified? Who created it? You know, when was it created? There were interpretation problems with those. I'm not gonna go into all of that, but this is why things should remain untouched until IT actually grabs it. You know, but it depends sometimes metadata, I think metadata is frankly overused, but every now and then it's important. It's important to know that a contract in 2015 was actually not created until 2018. You know, that would be interesting.
Jillian Kuehl - Yeah, that's a good one.
Larry Kunin - But that could also happen if I take a native file and I move it, it's gonna take on a create date of the place where I moved it to. So there are explanations as to why create date would be after. A modified date is a different story. Modified date is a modified date. So we'd have to go into a presentation that's a lot more detailed to get into that.
Jillian Kuehl - So sorry, I diverted you back to, you know, back to the rules. I think we were just finishing up with 34 in procedure.
Larry Kunin - Yep. Yeah, and I'm not gonna go over the other rules in particular but there... A lot of these rules are also duplicated in third party discovery as well and specifically rule 45, which is the subpoena power with third party. The rules also enable the ability or I shouldn't say enable, 'cause I think you are always allowed to but make it express that you could request electronically stored information from a third party as well. So, you know, the recognition is we live in an electronic world and it's here to stay and cloud computing's gonna continue to get larger.
Jillian Kuehl - Okay, so let's move into, you know, our second part of our presentation today, really going into attorney duties regarding data security and data breach. So what is a data breach?
Larry Kunin - All right, data breach, you know, most people think of a data breach as somebody hacked into the system and you know, stole information, stole your information and it is, online hacking basically. And we hear that word hacking all the time, but it's an awful lot more than that. And it's things that affect not only our clients, but also affect lawyers as well. So online hacking is one form. It's the one that makes the news most often, but it also can be interception of data transmission. So somebody finds out the protocols under which you are transmitting information and they kind of like a wire tapping intercept that information. It could be lost or stolen equipment. This means I leave my laptop in my car, somebody smashes the window, they take the laptop, and on that laptop is a list of all my employees' social security numbers, and bank accounts for depositing their checks. That's a data breach.
Accidental disclosure is a data breach. It's not a major problem, but it could be. And here's an example, we've all done this. And if you haven't done this, I don't believe you. You start typing out somebody's name and in your email and then auto complete takes over and completes the name, and then you hit send and as you hit send you go, "Oh oh, that was the wrong John," or the wrong John emails you back and goes, "I don't think this was meant for me." Well, what if I'm really sending it to the wrong person? You know what if it's somebody who sent me some spam message or something like that so their name got into my mailbox and I auto completed and I sent them my employee list, you know, or a medical claim, which is covered by HIPAA. So that can happen. I could tell you that and I'm sure this is what everyone will say on here is when you have an autocomplete it's usually not a big deal. You know the person you sent it to it is an inadvertent. They'll tell you I've destroyed it or you asked them to destroy it, but you'd have to pay attention to who you sent it to.
Storage media could be, you know, again, walking around with a hard drive or flash drives, you know, we've all seen people walk around with little teeny flash drives. They plug it in, they're in Starbucks and then they leave it on the counter. That's very easy to do. Dispose the equipment. There is an actual Florida ethical opinion that calls out the fact that copy machines and fax machines have hard drives in them. And how they're actually copying is it's not the camera going over it's taking a snapshot and it's going straight onto another piece of paper. There's actually a hard drive in there. And what it's doing is it's scanning into the hard drive. And then the hard drive is queuing this stuff up and then making the copies. So you've got copies of attorney client privilege documents there. And when you replace your copy machine, you're getting rid of attorney client information to be recycled out there. This also includes, and this happened to me. You know, I'm like a lot of people I replace my computer every few years and what I tend to do, 'cause you know, a computer that's three, four years old has no value. They accumulated in my basement. And one day my wife said, "Hey, there's a school, you know, down the road, that's looking for donations of computer equipment. I'm gonna bring your computer equipment down there." And I went, "Stop. Do you know how many attorney client communications I have on those laptop, I mean on those computers?" So I took my screwdriver, took me all of 15 minutes, pop open the cases and pull out the hard drives. You can get a new hard drive for, you know, 50, $75, maybe even less, you know, especially for school use. And I popped out the hard drives and I said, "Now you can give these to the school, just tell 'em they gotta buy hard drives." And then I took.
Jillian Kuehl - Did you smash it? How do you destroy it?
Larry Kunin - No, I brought, we... at least in my firm we use services that do destruction of computer equipment and other equipment. And so I brought 'em in, I gave 'em to IT and IT had them properly recycled, which means completely destroyed. It involves a fancy magnet is what I think it is, but it's not a smashing of a hammer.
Jillian Kuehl - Okay.
Larry Kunin - And then they send back a certification that it's been destroyed. So we'll also do this with evidence and things like that but it's something we have to think about. And then unsecured papers is also a data breach. People don't think about that, but there was a story about somebody was working on a deal. It was a confidential deal. They were doing what typically is done is you go draft after draft and you're sitting there with your pen and you're writing this up and then you fix it up and you retype it. And you know, throw all the stuff in a bin. And they had so many pages, they filled up the bin that was out to be picked up by the garbage and all of these confidential documents were stacked up.
Jillian Kuehl - Oh my God.
Larry Kunin - That's a data breach. Okay so,
Jillian Kuehl - Yeah.
Larry Kunin - There are... That's where people get in trouble and then we all know about phishing. I didn't call that out specifically here, but phishing with a P-H, phishing is where you get an email that looks real. And if you open up a link or respond to it and then they send you a file to look at and you open up the file, next thing you know, they're in your system, that's a data breach that's preventable. It's preventable through training. And then some of these result in what's called ransomware, which is becoming the new thing du jour, which is they're not really interested in getting your information, they're interested in shutting down your system and then they charge you a lot of money to set it back up of which the FBI and others recommend you don't ever pay those because all of those keep coming back at you and you just gotta grin and bear it and try to rebuild your system best you can and hopefully you have backups and stuff like that to do it. But there's a lot to talk about in ransomware. I might talk about it in a sprinkly manner, you know, a little bit later today. So all of those kinds of data breaches, you know, can subject you to different kinds of liability. This applies to everybody.
So I don't wanna go into too much detail, but your personal information is subject to state laws that protect you. There's some federal laws that protect you. Your payment card information is subject to payment card industry standards, which is not law, but everybody who accepts credit cards has to sign contracts that says that they will comply with that. And then if information has health information, that's covered by HIPAA, which then brings in federal laws. If it violates a state, you might have to give notification depending on the state law and every state now except one has a data breach statute. And then again PCI your contracts with your providers could result in you getting like really big fines, just for letting payment card information get out. Now to cover this is a high level. Encrypted data is normally not subject to any of these laws. So, if your data is encrypted, then you're pretty much protected. If it's not encrypted, you better get it encrypted or at least make sure it's really stored strong because it's unencrypted data that gets people in trouble. So the real purpose of this time that we have is why should lawyers care? Well, everybody has a duty to protect personal information in your possession and everybody has an obligation to protect health information. Lawyers have ethical duties that sit on top of all of that. And people don't think about that, but lawyers are businesses just like everybody else. And almost all of our business is holding information for other people and we create attorney client privilege documents. I mean, we certainly wouldn't wanna have a data breach that announces that Apple's about to acquire Microsoft. I don't ever see that happening, but can you imagine how earth-shattering that is and what kind of inside information that would be? And so something that we lawyers have to protect, and there are estimates out there by experts that say up to about 80% of the largest law firms have been breached in some way, fashion or another, most of 'em don't even know it. Most of it innocuous, but it happens.
The number one way and I said I might touch up back on phishing. These are these emails you get "Dear counsel, can you help me?" Well, first of all, if you ever see an email says, dear counsel, you probably need to unless you get rid of it. They will try to get you to at least respond, inquire, and some of 'em are really, really good. And my firm sends out, I know a lot of other companies do this, we send out fake phishing emails to our employees. Partly to test them and partly as training, because if they fall for it, then they get a phone call and this is what you fell for. And, you know, we never get 100% compliance, but you know, high 90s is pretty damn good and that's what we get. And so, you know, it might be a FedEx email, it looks like it's a FedEx email. I've seen an email that tried to spoof my own email. And here's how it did it. My email is L-H-K. Well, if you do that in lowercase, a lowercase L looks like an uppercase I. And I've actually had people read back to me my email and say, "So your email is I-H-K or I-KUNIN." And I'm like, "No, actually that's a lowercase L you're looking at." So I always try to spell my name with a capital L if I can. Well, I saw somebody send something and I... It was to me and it said in the body, the information I needed to put in there and it converted the L to an I.
Jillian Kuehl - Wow.
Larry Kunin - And I was like, "That's very clever." Well, I've had a couple other people fall for phishing emails because they also got emails that looked like it had an I, and it was actually a capital, I mean a lowercase L. You know so those are very clever. So testing your employees is the best way to prevent it. But I would say most ransomware and most hacking initiates with a... That somebody fell for and opened up an attachment. And to be clear...
Jillian Kuehl - We just did a phishing too here at Quimbee, we just did one, we had a LinkedIn. It looked so real. These emails, it's amazing.
Larry Kunin - Yeah, yeah. You just really gotta do a double take if you don't know who it is you're getting it from. And even if you do, it might be something a little odd, you know, somebody all they have to do is like go to your Facebook page, see somebody you're friends with, go do a LinkedIn on them, and then create a profile and then send you an email that looks like that person's emailing you.
Jillian Kuehl - It's crazy.
Larry Kunin - It's that easy. And you can't get any kind of malware by opening the email itself, that's just HTML file.
Jillian Kuehl - Okay.
Larry Kunin - You have to click on a link or open up an attachment to do it. So that's what you gotta be careful of. So, let's go over some of the rules and might not cover all of these, but the rules that would apply to what, why a lawyer must be competent about data security. All right, this is Georgia Rule 1.1. It's basically the same 1.1 as in almost every state, which is competence, "A lawyer shall provide competent representation. Competence requires legal knowledge, skill, thoroughness, and preparation, reasonably necessary for the representation." And that in combination with 1.6, again most states have a rule 1.6 or a version of it. "Confidentiality of information. A lawyer shall maintain in confidence all information gained in the relationship, including information which the client has requested to be held inviolate, or the disclosure of which would be embarrassing or likely be detrimental to the client unless the client gives informed consent." And then, "The duty of confidentiality survives after the client lawyer relationship is terminated." Well, read in combination, there have been comments that this basically means your competence and your holding attorney client information also includes data security to make sure that it's not just you who's affirmatively disclosing it but you're not allowing it to be disclosed. Rule 5.3, again, similar if not the same as most other states, "Our responsibilities regarding non-lawyer assistants."
Now this includes the litigation support that I mentioned working without outside vendors, working with paralegals. At the end of the day, the lawyer is the one on the hook for the ethics, not the person who is working for the lawyer, 'cause they're not a member of the bar. And that rule says that with respect to non-lawyer retained by the lawyer, the partner and a lawyer who individually or together with other lawyers, possess managerial authority in the law firm shall make reasonable efforts to ensure the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with professional obligations of the lawyer. A lawyer having supervisory authority over non-lawyer shall make reasonable efforts to ensure that a person's conduct is compatible with the professional obligations of the lawyer. So again, the lawyer is responsible for these people. So the lawyer needs to make sure, "Oh, I didn't just hire a lit support person, now I'm safe it's on them." No, make sure you at least interview them. They understand what they're doing. They're... You know, it seems like they're given the right questions to somebody, they got the right certifications, that type of thing. You just can't punt to a non-lawyer and say, "I'm now covered." Let's talk about ethical opinions. These are various states and this kind of gives you an idea of where the states are going. I had mentioned the Florida Ethics Opinion at 10-2 if people are interested, but that's the one that says, "If you use printers, copiers, scanners, fax machines, you must make sure that confidentiality is maintained and that the device is sanitized before disposition." Florida Ethics Opinion 12-3 which we also touched on earlier. "Cloud computing is okay as long as you take reasonable precautions that includes adequate security."
New York their Opinion 842. "Due diligence for cloud computing ensures that online data storage provider has an enforceable obligation to preserve confidentiality and security." I can tell you that it wasn't a lawyer thing, but I've had a number of clients who've gotten into contract disputes with online providers and the online provider cuts off their access when the license is over. It would've helped if there was language that said they are not permitted to cut off access without first delivering all data in their possession. Well, could you imagine if a lawyer was using online storage and this is especially true for data in discovery. And all of a sudden you couldn't get to it and you had a court deadline that would be a problem. Alabama has spoken up. They say a lawyer must take reasonable steps to ensure data is protected.
Arizona said something similar, lawyer must take reasonable precautions to protect confidentiality. Iowa says a lawyer must take due diligence steps to ensure adequate access to information, restrictions, encryption, password protection, and dictates what happens to data upon default or termination of an online provider. Nevada spoke to a third party agreement regarding confidentiality. Of course, if you're gonna hire a vendor, make sure that you've got very strong confidentiality language in that including a statement that they are serving the lawyer and therefore there is not a waiver of the attorney client privilege. Pausing there, when you hire a third party, always try to retain them through the lawyer for that reason as opposed to through the client. If it's retained through the client, it's probably still privileged. It's just easier to show if the lawyer is the one that contracted with the third party provider. Pennsylvania said, "Materials must remain confidential and the lawyer has to maintain reasonable safeguards to prevent breach and data loss." As we know you can't prevent every breach, but as long as you've taken appropriate steps and appropriate protocols, then hopefully you're okay and then it's up to the plaintiff's attorneys to argue that you haven't. So those are pretty strong statements about the lawyer's obligations.
Jillian Kuehl - Absolutely and so what are some steps you can follow? What do you do if something like this happens?
Larry Kunin - Okay. So when you have a data breach, like the company should already have in place an Incident Response Plan or an IRP as we call it. In addition that Incident Response Plan should include its identification. Who is the lawyer they're gonna call when they have a data breach problem? So that they don't have to start calling around and saying, "Anybody got a lawyer that could recommend?" You already know who you're gonna call. And anyone who touches electronic information, definitely law firms should have cyber coverage. E&O coverage, insurance coverage does not save you anymore, except for limited circumstances where it's truly a human error that caused something. You need cyber coverage that kicks in specifically when there is a data breach or a threat of data breach or a suspected data breach. And so when you are suspicious that there's an incident, it happens many different ways. Sometimes the bells and whistles go off in your security system, identifying that somebody's logging in from an unknown IP address. It could be that email that says, "I have access to your system. Here's a sampling of your data. I'm gonna shut down the rest of your system, unless you pay me." It could be an email that says, "Hey, did you notice your system's not working anymore? You know, I shut it down." But whenever is that first indication, the very first call should be to your lawyer. And the reason... And this includes law firms not calling themselves. The law firm should have a data security lawyer, that's independent. The reason or well I should say this, let me stop. Some law firms do have a general counsel. So you can form your own internal attorney client privilege by involving your general counsel. When you contact a lawyer, you form an attorney client relationship regarding the data breach. And this is important because the investigative steps that are about to begin can then be protected by the attorney-client privilege.
This was tested in the Target case years ago, where class action plaintiffs tried to get investigation documents. And the judge said, "No." Because they called the lawyer and the lawyer dictated what they were gonna do in the investigation. And therefore it's a privileged work product investigation. So call your lawyer.
The very next call almost immediately should be to your carrier. Get the carrier on notice. You don't wanna be accused of any delay that in any way implicates your coverage. Now that carrier may appoint their own lawyer. They might go to panel counsel and that's okay. And then your original lawyer may either just oversee things or you know, depending on the confidence in the insurance carrier's lawyer go with that lawyer. And you should immediately contact a forensic firm to start investigation. Again, your cyber carrier if they act fast enough may require you to hire a forensic firm of their choosing. But if they delay, you need to start looking into this. And that includes with your own internal IT staff if possible. Then you contact criminal authorities and you can even file... Not that a lot will come out of it immediately, but there's a thing called an IC3, which means Internet Crime Complaint Center. So I and three Cs. It's on the FBI website. And all you need to do is just Google FBI IC3, and you'll get right to the page where you fill out the name of the company and what happened. Usually the client does that on their own. Of course, if they want the lawyer's assistance, that's fine too. But just fill that out. And then the investigation should follow this particular order. First of all the cause of the breach, the cure of the breach, then identify what was the data affected and then the persons affected. And the reason you want to do that kind of order is finding out what got compromised is actually not as important as stopping the compromise. Let's put the lock, let's find out what happened and lock it down and get it fixed and then we're gonna figure out who might have been affected and what data might be out there. I am finding more and more, 'cause I get data breach calls all the time, I'm finding more and more that the data breach ends up not being something major.
Jillian Kuehl - Well, that's positive.
Larry Kunin - That's only a good news, but you have to still go through the process. And then from a lawyer's perspective, you know, who wants to make the call that by the way, you know that project where we're gonna acquire Apple? Well, turns out somebody actually got in and downloaded all of our documents there. I don't wanna make that call.
Jillian Kuehl - No.
Larry Kunin - You know but it could be out there. And even in litigation, I should say even in litigation, especially in litigation, I may have my client's documents because I'm in a lawsuit and the lawsuit might be about whether, you know, something to do with employee benefits. And so I get the employee benefits file and I put them in a document repository and somebody gets in there and now they get HIPAA information from my clients. Not my clients, they got them from me. That's not good. So, you know, so these are all the again the steps. And like I said, encryption is really important. And when you transmit documents to an opposing counsel, I'm gonna produce, you know, a thousand documents I've already processed them. I've selected what's relevant, they're Bates labeled. We use an encrypted file transfer protocol, where we get the specific email addresses of the people who are authorized to get it. And then it gets encrypted and sent up through the file transfer. And then as long as their email address then lasts... I mean, matches. Then they can download it and access it. And if somebody else in their firm wants to get it, we've actually gotta get their email address too.
Jillian Kuehl - Got it.
Larry Kunin - You know, they can't now just go, Well, you know, they send it around that's part of encryption. So it's almost like a two factor authentication.
Jillian Kuehl - Sure.
Larry Kunin - You know, which is another thing we do in my firm and a lot of firms do. Everyone knows you can get your work email in one of these,
Jillian Kuehl - Yep.
Larry Kunin - You know, my iPhone. I cannot get my work email unless I do two things. One, I have to register my phone with my IT department. I have to download an app that enables me to hook in. And then there is a secondary app that it then gets registered to called Duo. And once that--
Jillian Kuehl - Okay, yeah.
Larry Kunin - Once that's set up, then I can get my email. Now, if I lose my iPhone, I can call my IT and they just deactivate it and nobody can use my iPhone to get to it. And then if my phone's just laying around and I don't know it's missing, and somebody hacks into my email, or let's say, I'm not by my computer, someone hacks into my email and they try to log into the email, I get through Duo ding, ding "Somebody's logging into your system, is it okay?" Well, if I'm sitting in Starbucks and my computer's nowhere near me, I'm gonna go, "No," they're not gonna be to--
Jillian Kuehl - Not okay.
Larry Kunin - Yeah, so all those things, the more you can do the better and, you know, and if I'm ever asked, you know, "Well, what can I do to ensure that I'm absolutely solid?" You know, you can't, you can't. There's no way to be a hundred percent. We use the phrase, data breaches are not a matter of if, it's a matter of when. It's just a matter of how much did I lock it down and minimize the odds of it happening and what they could get a hold of.
Jillian Kuehl - Excellent. Larry, this was wonderful. Super informative, I really appreciate it. I'm sure our audience did, I learned a ton. So hopefully a lot of people will be able to take these and sort of implement some of these best practices and tips. If you want, I'll turn it over to you now just to sort of give the audience your contact information if they have any questions, things like that.
Larry Kunin - All right, great. Well, well, thanks everyone for listening. So again, I'm Larry Kunin and I work for the law firm, Morris, Manning and Martin in Atlanta. My specialty is litigation or any kind of dispute litigation. I'd say a large number of my clients are technology based clients. But the type of work I do is not limited to that. In fact, you know, things like license agreements are another form of contract. And I also counsel clients with regard to updating their agreements and matching things that are changes in the law. My practice is national. I'm in federal courts and state courts all across the country. And if anyone wants to reach me, my number is 404-504-7798. And my email address is [email protected]. And as you heard earlier, the first L is an L not a capital I. Thank you everyone.
Jillian Kuehl - Thank you, Larry. And thank you all for watching, bye.