08/19/2010 meeting - litigation holds and security breaches

76
The Virtual Trip Wire Litigation Holds & the Duty to Preserve Data in Security Breaches Tomas Castrejon, General Dynamics Josh Gilliland, Esq., D4 LLC Stephanie Sparks, Esq., Hoge Fenton Jones & Appel

Upload: acfesj

Post on 29-Nov-2014


TRANSCRIPT

Page 1: 08/19/2010 Meeting - Litigation Holds and Security Breaches

The Virtual Trip Wire: Litigation Holds & the Duty to Preserve Data in Security Breaches

Tomas Castrejon, General Dynamics

Josh Gilliland, Esq., D4 LLC

Stephanie Sparks, Esq., Hoge Fenton Jones & Appel

Page 2: 08/19/2010 Meeting - Litigation Holds and Security Breaches

From the Bench

“By now, it should be abundantly clear that the duty to preserve means what it says and that a failure to preserve records – paper or electronic – and to search in the right places for those records, will inevitably result in the spoliation of evidence.”

The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)

Page 3: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Why this Matters

• In complex commercial litigation today, virtually all discovery involves electronic discovery to some extent.

• It also is well known that absent affirmative steps to preserve it, at least some electronically stored information (“ESI”) is likely to be lost during the course of litigation through routine business practices or otherwise.

Vice Chancellor Parsons, Court of Chancery of Delaware, Beard Research, Inc. v. Kates, 2009 Del. Ch. LEXIS 94, 21-22 (Del. Ch. May 29, 2009).

Page 4: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Agenda

• Security Breach

• Personal Identifiable Information

• Case Example

• Litigation Hold Definition

• Preservation Letters Defined

• Triggering Event: The Preservation Obligation

• Duty to Preserve

• Spoliation

• Hypothetical

• Litigation Hold Best Practices

• Question & Answers

Page 5: 08/19/2010 Meeting - Litigation Holds and Security Breaches

© 2010 Hoge Fenton Jones & Appel

Personal Information Generally

• Individual’s first name or first initial and last name in combination with any one or more of the following:

– Social security number

– Driver’s license or identification number

– Account number, credit or debit card number, in combination with any required security code, access code or password

– Medical information

– Health insurance information

Page 6: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Data Breach

• 285 million records were compromised in 2008

• A typical lost or stolen laptop cost the business an average of $50,000, 90% of which was for data breach response

• Range of loss per individual: $1,213 – $975,527

Source: Open Security Foundation, datalossdb.org

Page 7: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Data Breach

Source: Open Security Foundation, datalossdb.org

Page 8: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Data Breach

Source: Open Security Foundation, datalossdb.org

Page 9: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Patchwork of Federal Laws

• Gramm-Leach-Bliley Act (GLBA regulated by FTC)

• Federal Credit Reporting Act (FCRA regulated by FTC)

• Fair & Accurate Credit Transactions Act and Red Flags Rules (FACTA regulated by FTC)

• Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (regulated by HHS)

• The Children’s Online Privacy Protection Act

• The Communications Decency Act

• Foreign Intelligence Surveillance Act (FISA)

• Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)

• Federal Identity Theft and Assumption Deterrence Act

Page 10: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Patchwork of 46 State Data Security Breach Notification Laws

• 45 States and the District of Columbia

• 7 States added laws within last two years: Alaska, District of Columbia, Iowa, Missouri, South Carolina, Virginia, West Virginia

• State Agency Notification Requirement: Massachusetts, New Hampshire, New Jersey, New York, Maryland

Page 11: 08/19/2010 Meeting - Litigation Holds and Security Breaches

California Was the First

In California . . .

• Financial Information Privacy Act (Fin. Code § 4052): GLBA Counterpart

- Financial Institutions

- Nonpublic personal information

• Consumer Credit Reporting Agencies Act (Civ. Code §§ 1785.1 et seq.): FCRA Counterpart

• Information Practices Act of 1977 (Civ. Code §§ 1798 et seq.)

• Data Breach Notification Law (Civ. Code § 1798.82)

Page 12: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Massachusetts Is the Most Stringent

• Data Security Regulations, 201 Code Mass. Regs (CMR) 17.00, effective March 1, 2010

• Businesses must have:

- Written information security program

- Heightened security procedures, including encryption

- Vendor contract provisions re compliance are mandatory

* contracts signed prior to 3/1/10 = 2 yr grace period

* contracts signed after 3/1/10 = no grace period

- Must take “reasonable steps to select and retain third-party providers that are capable of maintaining appropriate security measures”

Page 13: 08/19/2010 Meeting - Litigation Holds and Security Breaches

State Data Security Breach Notification Laws Generally

Notice Requirements:

• Data custodian to (i) data owner

• Data owner to (ii) affected resident and (iii) possibly State Attorney General

• Timing: (i) “immediately following discovery of the breach” (ii) “most expedient time possible and without unreasonable delay”

Page 14: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Litigation Holds

Page 15: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Definition of a Litigation Hold

• A litigation hold is a directive to your client and others to preserve ESI or other information pertaining to the litigation.

Michael R. Arkfeld, Arkfeld’s Best Practices Guide for Litigation Readiness and Hold, §3.2(A), page 62 (2008-2009 Ed.), citing, Zubulake v. UBS Warburg LLC 220 F.R.D. 212, 218 (S.D.N.Y.2003).

Page 16: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Preservation Letter Checklist

• Basic investigative work should uncover appropriate points to include in a litigation hold letter.

• Common sense should guide the actual points to include in a preservation letter.

• Not a discovery request.

Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)

Page 17: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Preservation Checklist

• A party can disregard the request to preserve, but once the request has formally been made and evidence disappears, a preservation letter may place the discovering party in a superior position to seek sanctions or other relief.

Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)

Page 18: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Preservation Letter Checklist

• At a minimum, a letter should begin with a general statement that the discovering party expects the party to preserve digital evidence that in all probability will be relevant to the issues in a case, or may lead to the discovery of such evidence.

Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)

Page 19: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Preservation Letter Checklist

• The preservation letter should include a request that the other party suspend its regular document retention policy pending discovery.

• The preservation letter should identify all of the possible locations where such evidence might conceivably reside.

Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)

Page 20: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Preservation Letters

• The letter should inform the opposing party that a mere file backup of the hard drive is not adequate preservation.

• The party must be instructed to image hard drive in bit-stream copies, where all areas, used and unused, of the hard drive are copied.

• If a file is deleted before a backup is made, the deleted file will not be copied unless it is a bit-stream copy.

• The letter should also request that deleted files that are reasonably recoverable be immediately undeleted.

Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
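
The difference between a file backup and a bit-stream copy described on this slide, as an added illustration (not from the presentation or the cited case). The "volume" is a constructed toy layout, not a real filesystem: sector 0 holds a JSON directory and each later sector holds one file; all names and contents are constructed samples.

```python
import hashlib
import json

SECTOR = 512    # toy sector size (assumption for this example)
SECTORS = 8     # sector 0 = directory, sectors 1..7 = file data


def _write_directory(vol, directory):
    raw = json.dumps(directory).encode()
    if len(raw) > SECTOR:
        raise ValueError("directory too large for the toy volume")
    vol[0:SECTOR] = raw.ljust(SECTOR, b"\x00")


def read_directory(vol):
    """Parse the directory stored in sector 0 of a volume or image."""
    return json.loads(bytes(vol[:SECTOR]).rstrip(b"\x00").decode())


def make_volume(files):
    """Lay out each file in its own data sector and record it in the directory."""
    vol = bytearray(SECTOR * SECTORS)
    directory = {}
    for sector, (name, data) in enumerate(files.items(), start=1):
        if sector >= SECTORS or len(data) > SECTOR:
            raise ValueError("file does not fit the toy volume")
        vol[sector * SECTOR: sector * SECTOR + len(data)] = data
        directory[name] = {"sector": sector, "size": len(data)}
    _write_directory(vol, directory)
    return vol


def delete_file(vol, name):
    """Ordinary delete: the directory entry goes, the data sector is left as-is."""
    directory = read_directory(vol)
    del directory[name]
    _write_directory(vol, directory)


def logical_backup(vol):
    """File-level backup: copies only the files the directory still lists."""
    out = {}
    for name, entry in read_directory(vol).items():
        start = entry["sector"] * SECTOR
        out[name] = bytes(vol[start:start + entry["size"]])
    return out


def bitstream_image(vol):
    """Bit-stream copy: every sector, used or unused, plus a SHA-256 of the image."""
    image = bytes(vol)
    return image, hashlib.sha256(image).hexdigest()


def verify_image(image, digest):
    """Re-hash the image; any altered byte changes the digest."""
    return hashlib.sha256(image).hexdigest() == digest


def unallocated_hits(image, keyword):
    """Sectors not referenced by any directory entry that contain `keyword`."""
    used = {e["sector"] for e in read_directory(image).values()}
    hits = []
    for sector in range(1, len(image) // SECTOR):
        chunk = image[sector * SECTOR:(sector + 1) * SECTOR]
        if sector not in used and keyword in chunk:
            hits.append(sector)
    return hits


def demo():
    vol = make_volume({
        "memo.txt": b"Quarterly memo (constructed sample)",
        "customers.csv": b"name,account\nJ. Doe,CONSTRUCTED-0001\n",
    })
    delete_file(vol, "customers.csv")   # deleted before any copy is made
    backup = logical_backup(vol)
    image, digest = bitstream_image(vol)
    return backup, image, digest, unallocated_hits(image, b"CONSTRUCTED-0001")


if __name__ == "__main__":
    backup, image, digest, hits = demo()
    print("files in logical backup:", sorted(backup))
    print("image sha256:", digest)
    print("deleted data found in unallocated sectors:", hits)
```

The logical backup contains only `memo.txt`, while the image still holds the deleted file's bytes in an unallocated sector and carries a digest that later verification can be checked against.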

Page 21: 08/19/2010 Meeting - Litigation Holds and Security Breaches

A Very Bad Litigation Hold Letter

• Hank has asked me to send this out to everyone.

• All emails re Napster at this point are related to the litigation and should contain the “a/c” (attorney communications) symbol in the subject line and [email protected] should be ccd. We should not be sending e-mails on this subject anyway. Items from outsiders such as resumes do not require this.

• Hank Barry

UMG Recordings, Inc. v. Hummer Winblad Venture Partners (In re Napster, Inc. Copyright Litig.), 462 F. Supp. 2d 1060, 1064 (N.D. Cal. 2006).

Page 22: 08/19/2010 Meeting - Litigation Holds and Security Breaches

A Very Bad Litigation Hold Letter, Part 2

Please also be aware of our e-mail policy. As we have all been required to surrender Napster e-mails, this should reinforce compliance with our long standing policies.

1. we do not retain e-mails, it is your responsibility to delete your handled e-mails immediately

2. we do not us e-mail to chat about matters related to public companies or matters such as the above

3. we do not retain written copies of e-mails in our files

UMG Recordings, Inc. v. Hummer Winblad Venture Partners (In re Napster, Inc. Copyright Litig.), 462 F. Supp. 2d 1060, 1064 (N.D. Cal. 2006).

Page 23: 08/19/2010 Meeting - Litigation Holds and Security Breaches

A Very Bad Litigation Hold Letter, Part 3

4. our document retention policy is that we do not retain documents on any public or acquired company and retain limited information on private companies. all retained information is stored in central files, pls do not retain other docs in your own files unnecessarily

5. we do not retain files separate from our central files which are periodically checked for compliance to policies

Please also review the above policies with any summer associates.

UMG Recordings, Inc. v. Hummer Winblad Venture Partners (In re Napster, Inc. Copyright Litig.), 462 F. Supp. 2d 1060, 1064 (N.D. Cal. 2006).

Page 24: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Triggering Event for the Duty to Preserve

– “Reasonably Anticipated”

– Pending, imminent, reasonably foreseeable.

– A complaint has been filed

– Discovery requests have been served

Michael Arkfeld, Best Practices Guide for Litigation Readiness and Hold, §3.2(B) Preservation Obligation

Page 25: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Document Destruction Policies

No spoliation where documents destroyed as part of a routine housecleaning operation with no notice to enact a litigation hold.

Cook Assocs. v. PCS Sales (USA), Inc., 271 F. Supp. 2d 1343, 1357 (D. Utah 2003)

Page 26: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Duty to Preserve Includes the Following:

• Relevant in the action;

• Reasonably calculated to lead to the discovery of admissible evidence;

• Reasonably likely to be requested during discovery, and/or

• Subject of a pending discovery request.

Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 216 (S.D.N.Y.2003); Wm. T. Thompson Co. v. General Nutrition Corp., 593 F. Supp. 1443, 1555 (C.D.Cal.1984)

Page 27: 08/19/2010 Meeting - Litigation Holds and Security Breaches

What the Duty to Preserve Doesn’t Include

Page 28: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Relevant Documents to Preserve

• [A]ny documents or tangible things [(as defined by Fed. R. Civ. P. 34(a))] made by individuals "likely to have discoverable information that the disclosing party may use to support its claims or defenses."

Goodman v. Praxair Servs., 2009 U.S. Dist. LEXIS 58263 (D. Md. July 7, 2009)

Page 29: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Relevant Documents to Preserve, 2

• Documents prepared for those individuals, to the extent those documents can be readily identified (e.g., from the "to" field in e-mails).

• Information that is relevant to the claims or defenses of any party, or which is "relevant to the subject matter involved in the action." Thus, the duty to preserve extends to those employees likely to have relevant information--the "key players" in the case.

Goodman v. Praxair Servs., 2009 U.S. Dist. LEXIS 58263 (D. Md. July 7, 2009)

Page 30: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Spoliation

Page 31: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Sanction Flavors

• Sanctions can be imposed for negligent, gross negligent, willful and bad faith conduct.

• Bad Faith - “[w]here a party destroys evidence in bad faith, that bad faith alone is sufficient circumstantial evidence from which a reasonable fact finder could conclude that the missing evidence was unfavorable to that party,” and thus the jury may be instructed that the lost evidence was adverse to the spoliating party.

• Negligence or gross negligence: a judge may impose an adverse inference instruction or “less severe sanctions-such as fines and cost-shifting,” even without a showing that particular materials were lost.

Pension Committee, at *18.

Page 32: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Demonstrating Spoliation

Moving Party Must Show:

1) That its adversary had control of the evidence and a duty to preserve it at the time it was lost or destroyed;

2) That the adversary had a "culpable state of mind" when the evidence was lost or destroyed; and

3) That the lost or destroyed evidence was "relevant" to the moving party's claims such that a reasonable trier of fact could find that it would support a claim.

Arista Records LLC v. Usenet.com, Inc., 2009 U.S. Dist. LEXIS 5185 (S.D.N.Y. Jan. 26, 2009)

Page 33: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Possible Sanctions

• Adverse evidence jury instruction;

• Excluding greater or lesser parts of the destroying party's evidence;

• Dismissing a party's claims in whole or in part; or

• Granting default judgment against a party in whole or in part.

Toth v. Parish, 2009 U.S. Dist. LEXIS 16116, 7-8 (W.D. La. Mar. 2, 2009)

Page 34: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Determining Sanctions

• Factors in determining the appropriate sanctions for wrongful destruction of evidence include:

• "1) the degree of fault of the party who altered or destroyed the evidence;

• 2) the degree of prejudice suffered by the opposing party; and

• 3) whether there is a lesser sanction that will avoid substantial unfairness to the opposing party and if the fault is serious, will serve to deter such conduct by others in the future."

Toth v. Parish, 2009 U.S. Dist. LEXIS 16116 (W.D. La. Mar. 2, 2009)

Page 35: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Speculation is Not Spoliation

• Defendants asserted that Plaintiff's "concern" amounted to nothing more than mere speculation.

• Plaintiff did not produce any evidence that suggested Defendants have not complied or do not intend to comply with their duty to preserve evidence.

• Preservation order was not warranted.

Gregg v. Local 305 IBEW, 2008 U.S. Dist. LEXIS 99075 (N.D. Ind. Dec. 8, 2008)

Page 36: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Willful Conduct

• Defendant was put on notice of a lawsuit because of unlicensed software usage.

• Instead of enacting a litigation hold, the Defendant ordered the “software deleted immediately.”

KCH Servs. v. Vanaire, Inc., 2009 U.S. Dist. LEXIS 62993 (W.D. Ky. July 21, 2009).

Page 37: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Willful Conduct, 2

• The Defendant’s actions deprived the Plaintiff of any opportunity to inspect relevant evidence once the lawsuit began.

• The Court ordered the spoliation sanction of an adverse inference instruction, instead of a default judgment, for the Defendant’s obstructionism.

KCH Servs. v. Vanaire, Inc., 2009 U.S. Dist. LEXIS 62993 (W.D. Ky. July 21, 2009).

Page 38: 08/19/2010 Meeting - Litigation Holds and Security Breaches

A Picture is worth a 1,000 words…

• Defendants attempted to purchase $4.2 million painting.

• Divorce and lawsuit for breach of contract.

• Excel file with unknown origin.

• Friend of Defendant’s kid reinstalled computer operating system.

Green v. McClendon, 2009 U.S. Dist. LEXIS 71860 (S.D.N.Y. Aug. 13, 2009).

Page 39: 08/19/2010 Meeting - Litigation Holds and Security Breaches

…but sanctions are priceless.

• Lawyer and Defendant both failed in their duty to preserve.

• Plaintiff entitled to additional discovery and costs.

Green v. McClendon, 2009 U.S. Dist. LEXIS 71860 (S.D.N.Y. Aug. 13, 2009).

Page 40: 08/19/2010 Meeting - Litigation Holds and Security Breaches

California e-Discovery & Litigation Hold Failures

• Defendant failed to produce email messages & PST’s.

• Defendants did not enact a litigation hold.

• During the middle of trial, it was learned that the manufacturer still had not complied with discovery orders and directives.

Doppes v. Bentley Motors, Inc., 174 Cal. App. 4th 967, 969 (Cal. App. 4th Dist. 2009)

Page 41: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Sanctions

Case remanded:

(1) Strike Defendants’ answer and enter a default and default judgment against them on the fraud cause of action;

(2) Made an express finding in the judgment that Defendants intentionally violated the Song-Beverly Consumer Warranty Act;

(3) Entered an order granting the post-trial motion for attorney fees in the total amount of $ 402,187;

(4) Reconsider the post-judgment motion for attorney fees in accordance with this opinion; and

(5) Ordered further proceedings not inconsistent with the opinion, including a default prove-up on the fraud cause of action, imposition of civil penalties under Civil Code section 1794, and consideration of other relief sought in the complaint.

Doppes v. Bentley Motors, Inc., 174 Cal. App. 4th 967, 1003 (Cal. App. 4th Dist. 2009)

Page 42: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Resetting the Gold Standard

• Pension Committee

• 89 page opinion

• Securities Litigation

• Judge Scheindlin

Page 43: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Gross Negligence

The failure to issue a written litigation hold when litigation is reasonably anticipated is gross negligence.

The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)

Page 44: 08/19/2010 Meeting - Litigation Holds and Security Breaches

What Happened?

• Plaintiffs’ counsel's emails and memoranda “did not meet the standard of a litigation hold” because plaintiff's counsel failed to direct employees to preserve all relevant records and failed to create a mechanism for collecting records.

• Memo required employees to determine what was relevant and to respond without supervision by counsel.

• Memo did not instruct employees to suspend the destruction of potentially relevant records.

• Plaintiffs did not issue a formal written litigation hold until 2007 – nearly four years after the triggering event.

The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)

Page 45: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Production Gaps

• Defendants found gaps in document production from 13 plaintiffs

• Requested declarations describing the preservation efforts

• Found that “almost all of the declarations were false and misleading and/or executed by a declarant without personal knowledge of its contents.”

Pension Committee, Amended Order, at *32-33

Page 46: 08/19/2010 Meeting - Litigation Holds and Security Breaches

The Hammer Falls: Gross Negligence

• Six plaintiffs found grossly negligent

– Failure to issue a written litigation hold prior to 2007;

– Deleting ESI after the trigger event;

– Failing to request documents from key players;

– Delegating search efforts without any supervision from management;

– Destroying backup tapes relating to key players where other ESI was not readily available; and/or

– Submitting misleading or inaccurate declarations.

Pension Committee, Amended Order, at *42-43

Page 47: 08/19/2010 Meeting - Litigation Holds and Security Breaches

“Merely” Negligent

• 7 found merely negligent

– “failure to institute a written litigation hold” was “not yet generally required” in early 2004 in Federal court in Florida.

Pension Committee, Amended Order, at *64.

Page 48: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Lessons Learned

Page 49: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Lesson Learned: Self-Collection

• Counsel must give direction and supervision to custodians on preservation.

– One custodian said he had “no experience conducting searches, received no instruction on how to do so, had no supervision during the collection, and no contact with Counsel during the search.”

• Employees must not search their own files, since they become the sole decision maker as to the relevance of the search terms used.

Pension Committee, Amended Order, at *62, 66.

Page 50: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Lessons Learned: Finding Gross Negligence

“[T]he following failures support a finding of gross negligence, when the duty to preserve has attached:

[1] to issue a written litigation hold;

[2] to identify all of the key players and to ensure that their electronic and paper records are preserved;

[3] to cease the deletion of email or to preserve the records of former employees that are in a party's possession, custody, or control; and

[4] to preserve backup tapes when they are the sole source of relevant information or when they relate to key players, if the relevant information maintained by those players is not obtainable from readily accessible sources.”

The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)

Page 51: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Rimkus: Litigation Holds…Texas Style!

• Intellectual property case.

• Group of employees left and filed suit against their former employer to release them from their non-compete agreements.

• In countersuit, Rimkus Consulting claimed the former employees violated their non-competes and additionally made off with “trade secrets and proprietary information.”

Rimkus Consulting Group, Inc. v. Cammarata, 2010 U.S. Dist. No. 07-cv-00405 (SDTX Feb. 19, 2010)

Page 52: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Rimkus Result

• Concluded willful destruction of evidence, although a significant amount of the incriminating evidence was recovered by the plaintiff.

• Court was unwilling to issue an adverse inference instruction.

• Would allow the jury to determine the implications of the defendants’ misconduct based on the facts.

Rimkus Consulting Group, Inc. v. Cammarata, 2010 U.S. Dist. No. 07-cv-00405 (SDTX Feb. 19, 2010)

Page 53: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Culpability Insight

“Permissive” adverse inference sanction that instructed the jury to decide if the defendants intentionally deleted emails… and whether to infer that the lost information would have been unfavorable to the defendants.

Page 54: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Data Breach Adventures

Page 55: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Digital Forensics

• Core: data collection, preservation, documentation and court room presentation

– Defensible processes

– Use methods that yield most accurate results (Gates Rubber Co. v. Bando American, Inc., 798 F.Supp. 1499, 1511 (D.Colo.1992)).

• Differences between forensic collection versus backup

• Be proactive: have plan before you need the data

Page 56: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Places to hide

Page 57: 08/19/2010 Meeting - Litigation Holds and Security Breaches
Page 58: 08/19/2010 Meeting - Litigation Holds and Security Breaches
Page 59: 08/19/2010 Meeting - Litigation Holds and Security Breaches
Page 60: 08/19/2010 Meeting - Litigation Holds and Security Breaches
Page 61: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Forensic View of Empty Recycle Bin

The files in the Recycle Bin were wiped…

Page 62: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Wiping Sample

Page 63: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Deleted Files (Free Space)

Page 64: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Hidden Data in MS Word

Page 65: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Analyzing hidden data sample from Letter Template.doc

Document Name: hidden data sample from Letter Template.doc
Path: C:\Documents and Settings\tcastrejon\My Documents\MetaData Deck
Document Format: Word Document

Built-in document properties: Built-in Properties Containing Metadata: 2
Title: Deloitte Letter.dot
Comments: Word Template v2004.1 08/22/2004

Document Statistics: Document Statistics Containing Metadata: 6
Creation Date: 7/18/2006 11:16:00 PM
Last Save Time: 7/18/2006 11:29:00 PM
Time Last Printed: 5/1/2002 4:04:00 PM
Last Saved By: John Doe
Revision Number: 5
Total Edit Time (Minutes): 13 Minutes

Custom document properties: No Custom Document Properties

Last 10 authors: NOT PROCESSED

Document Metadata Sample

Page 66: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Outlook Metadata

Page 67: 08/19/2010 Meeting - Litigation Holds and Security Breaches

EXIF Metadata

Page 68: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Disk;;USB_DISK_2.0;077515B0166B&0;USB DISK 2.0 USB Device;06/03/09 07:54:59AM;04/04/09 09:29:41PM;7&1e544ac1&0

Disk;;USB_DISK_2.0;077516B01804&0;USB DISK 2.0 USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&11a53745&0

Disk;;USB_DISK_20X;074712910134&0;USB DISK 20X USB Device;06/17/09 04:40:12PM;04/04/09 09:29:41PM;7&1c48d21e&0

Disk;Apple;iPod;000A2700146E70D2&0;Apple iPod USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&d9cbdb&0

Disk;I-Stick2;IntelligentStick;FCA4B93FF2BFE451&0;I-Stick2 IntelligentStick USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&699ed73&0

\DosDevices\E:;;0;\??\STORAGE#RemovableMedia#7&1c48d21e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};074712910134&0

USB Devices

Page 69: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Link File Name | Created | Written | Accessed | Volume Label | Media Type | Serial # | Path

14aren.lnk | 02/11/09 03:03:05PM | 02/11/09 03:03:06PM | 03/05/10 12:00:00AM | NEW VOLUME | Removable | 14 F7 C2 E4 | E:\file_Rename\14aren

Customer_lists.pdf.lnk | 03/05/10 06:51:58PM | 04/15/09 06:16:26PM | 03/05/10 12:00:00AM | NEW VOLUME | Removable | 14 F7 C2 E4 | E:\secret_documents\Customer_lists.pdf

secret_documents.lnk | 03/05/10 06:51:57PM | 03/05/10 06:51:58PM | 03/05/10 12:00:00AM | NEW VOLUME | Removable | 14 F7 C2 E4 | E:\secret_documents

Company_research_new_design.doc.lnk | 03/05/10 06:51:57PM | 06/02/05 09:39:22PM | 03/05/10 12:00:00AM | NEW VOLUME | Removable | 14 F7 C2 E4 | E:\secret_documents\Company_research_new_design.doc

Links Recently Accessed via Removable Media
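
How the USB device export and the link-file listing on the two slides above can be tied together, as an added example (not from the presentation). It assumes the last field of each device row is the device's ParentIdPrefix and that the `\DosDevices\` row is a mounted-device entry embedding that prefix; the export has no header row, so all field names in the code are assumptions.

```python
import re

# Rows copied from the "USB Devices" slide. Field names used below are
# assumptions; the two timestamp columns are unlabelled on the slide.
DEVICE_ROWS = """
Disk;;USB_DISK_2.0;077515B0166B&0;USB DISK 2.0 USB Device;06/03/09 07:54:59AM;04/04/09 09:29:41PM;7&1e544ac1&0
Disk;;USB_DISK_2.0;077516B01804&0;USB DISK 2.0 USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&11a53745&0
Disk;;USB_DISK_20X;074712910134&0;USB DISK 20X USB Device;06/17/09 04:40:12PM;04/04/09 09:29:41PM;7&1c48d21e&0
Disk;Apple;iPod;000A2700146E70D2&0;Apple iPod USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&d9cbdb&0
Disk;I-Stick2;IntelligentStick;FCA4B93FF2BFE451&0;I-Stick2 IntelligentStick USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&699ed73&0
""".strip().splitlines()

MOUNT_ROWS = [
    r"\DosDevices\E:;;0;\??\STORAGE#RemovableMedia#7&1c48d21e&0&RM#"
    r"{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};074712910134&0",
]

# (link file, volume serial, target path) from the link-file slide.
LNK_ROWS = [
    ("14aren.lnk", "14 F7 C2 E4", r"E:\file_Rename\14aren"),
    ("Customer_lists.pdf.lnk", "14 F7 C2 E4", r"E:\secret_documents\Customer_lists.pdf"),
    ("secret_documents.lnk", "14 F7 C2 E4", r"E:\secret_documents"),
    ("Company_research_new_design.doc.lnk", "14 F7 C2 E4",
     r"E:\secret_documents\Company_research_new_design.doc"),
]

PREFIX_RE = re.compile(r"STORAGE#RemovableMedia#(?P<prefix>[^#]+?)&RM#", re.I)
DOS_PREFIX = "\\DosDevices\\"


def parse_devices(rows):
    """Index device rows by their last field (assumed ParentIdPrefix)."""
    devices = {}
    for row in rows:
        f = row.split(";")
        if len(f) != 8:
            continue  # skip anything that is not a full device row
        devices[f[7]] = {"vendor": f[1], "product": f[2], "serial": f[3],
                         "name": f[4], "timestamps": (f[5], f[6])}
    return devices


def parse_mounts(rows):
    """Map drive letters to the ParentIdPrefix embedded in the device path."""
    mounts = {}
    for row in rows:
        f = row.split(";")
        match = PREFIX_RE.search(f[3]) if len(f) >= 4 else None
        if match and f[0].startswith(DOS_PREFIX):
            mounts[f[0][len(DOS_PREFIX):]] = match.group("prefix")
    return mounts


def resolve_drive(letter, devices, mounts):
    """Return the device record behind a drive letter, or None if unknown."""
    return devices.get(mounts.get(letter))


def links_on_drive(letter, links):
    """Link rows whose target path sits on the given drive letter."""
    root = letter.upper() + "\\"
    return [row for row in links if row[2].upper().startswith(root)]


def correlate(letter):
    """Tie a drive letter to a USB device and to the link files that used it."""
    device = resolve_drive(letter, parse_devices(DEVICE_ROWS), parse_mounts(MOUNT_ROWS))
    links = links_on_drive(letter, LNK_ROWS)
    return {"drive": letter, "device": device,
            "links": [name for name, _, _ in links],
            "volume_serials": sorted({serial for _, serial, _ in links})}


if __name__ == "__main__":
    print(correlate("E:"))
```

The drive-letter mapping only records the device that last held that letter, and the volume serial in the link files identifies the filesystem volume rather than the USB hardware, so the link between the two listings rests on the drive letter and should be corroborated by timestamps.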

Page 70: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Encryption & PW Protection

Page 71: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Live Memory

• Encryption keys and passwords

• Email fragments

• Document fragments

• Malware

Page 72: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Legal Considerations

• Acceptable use policy

• Subpoena

• 4th Amendment

• Cross border data transfer and privacy considerations

– EU Safe Harbor

– Local laws and regulations

Page 73: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Complex world of laws and regulations present challenges for records and information management

Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new email spam and privacy regulations

Numerous State Laws: Breach Notification, 41 States from CA to NY

European Union: EU Data Protection Directive and Member States Data Protection Laws, Safe Harbor

South Africa: Electronic Communications and Transactions Act

US: SOX, HIPAA, COPPA, FRCP, 21 CFR 11, ISO 15489, ANSI/AIIM TR48‐2004, PCI Data Security

Hong Kong: Personal Data Privacy Ordinance

Canada Federal/Provincial: PIPEDA, FOIPPA, PIPA

Chile: Law for the Protection of Private Life

South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection

India: Law pending, currently under discussion

New Zealand: Privacy Act

Argentina: Personal Data Protection Law, Confidentiality of Information Law

Philippines: Data Privacy Law proposed by ITECC

Taiwan: Computer-Processed Personal Data Protection Law

Japan: Personal Information Protection Act

Regulatory Considerations

Page 74: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Trends

• Data will continue to expand to mobile side of your enterprise

• Cloud computing

Page 75: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Cloud Computing

• Evidence Collection in the Cloud

• Security in the Cloud

• E-Discovery in the Cloud

Page 76: 08/19/2010 Meeting - Litigation Holds and Security Breaches

Thank You

Tomas Castrejon
General Dynamics Advanced Information Systems
Network Defense and Digital Forensics
408.220.3113
[email protected]

Josh Gilliland, Esq.
D4 LLC
650-576-3298
[email protected]
www.bowtielaw.com
Twitter @bowtielaw

Stephanie Sparks, Esq.
Hoge Fenton Jones & Appel
408.947.2431
[email protected]
www.hogefenton.com