08/19/2010 meeting - litigation holds and security breaches
The Virtual Trip Wire: Litigation Holds & the Duty to Preserve Data in Security Breaches
Tomas Castrejon, General Dynamics
Josh Gilliland, Esq., D4 LLC
Stephanie Sparks, Esq., Hoge Fenton Jones & Appel
From the Bench
“By now, it should be abundantly clear that the duty to preserve means what it says and that a failure to preserve records – paper or electronic – and to search in the right places for those records, will inevitably result in the spoliation of evidence.”
The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)
Why this Matters
• In complex commercial litigation today, virtually all discovery involves electronic discovery to some extent.
• It also is well known that absent affirmative steps to preserve it, at least some electronically stored information (“ESI”) is likely to be lost during the course of litigation through routine business practices or otherwise.
Vice Chancellor Parsons, Court of Chancery of Delaware, Beard Research, Inc. v. Kates, 2009 Del. Ch. LEXIS 94, 21-22 (Del. Ch. May 29, 2009).
Agenda
• Security Breach
• Personal Identifiable Information
• Case Example
• Litigation Hold Definition
• Preservation Letters Defined
• Triggering Event: The Preservation Obligation
• Duty to Preserve
• Spoliation
• Hypothetical
• Litigation Hold Best Practices
• Question & Answers
© 2010 Hoge Fenton Jones & Appel
Personal Information Generally
• Individual’s first name or first initial and last name in combination with any one or more of the following:
– Social security number
– Driver’s license or identification number
– Account number, credit or debit card number, in combination with any required security code, access code or password
– Medical information
– Health insurance information
Data Breach
• 285 million records were compromised in 2008
• A typical lost or stolen laptop cost the business an average of $50,000, 90% of which was for data breach response
• Range of loss per individual: $1,213 – $975,527
Source: Open Security Foundation, datalossdb.org
Data Breach (two chart slides; source: Open Security Foundation, datalossdb.org)
Patchwork of Federal Laws
• Gramm-Leach-Bliley Act (GLBA, regulated by FTC)
• Federal Credit Reporting Act (FCRA, regulated by FTC)
• Fair & Accurate Credit Transactions Act and Red Flags Rules (FACTA, regulated by FTC)
• Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act) (regulated by HHS)
• The Children’s Online Privacy Protection Act
• The Communications Decency Act
• Foreign Intelligence Surveillance Act (FISA)
• Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
• Federal Identity Theft and Assumption Deterrence Act
Patchwork of 46 State Data Security Breach Notification Laws
• 45 States and the District of Columbia
• 7 States added laws within the last two years: Alaska, District of Columbia, Iowa, Missouri, South Carolina, Virginia, West Virginia
• State Agency Notification Requirement: Massachusetts, New Hampshire, New Jersey, New York, Maryland
California Was the First
In California . . .
• Financial Information Privacy Act (Fin. Code § 4052), the GLBA counterpart
– Financial institutions
– Nonpublic personal information
• Consumer Credit Reporting Agencies Act (Civ. Code §§ 1785.1 et seq.), the FCRA counterpart
• Information Practices Act of 1977 (Civ. Code §§ 1798 et seq.)
• Data Breach Notification Law (Civ. Code § 1798.82)
Massachusetts Is the Most Stringent
• Data Security Regulations, 201 Code Mass. Regs (CMR) 17.00, effective March 1, 2010
• Businesses must have:
– Written information security program
– Heightened security procedures, including encryption
– Vendor contract provisions re compliance are mandatory
* contracts signed prior to 3/1/10 = 2 yr grace period
* contracts signed after 3/1/10 = no grace period
– Must take “reasonable steps to select and retain third-party providers that are capable of maintaining appropriate security measures”
State Data Security Breach Notification Laws Generally
Notice Requirements:
• Data custodian to (i) data owner
• Data owner to (ii) affected resident and (iii) possibly State Attorney General
• Timing: (i) “immediately following discovery of the breach”; (ii) “most expedient time possible and without unreasonable delay”
Litigation Holds
Definition of a Litigation Hold
• A litigation hold is a directive to your client and others to preserve ESI or other information pertaining to the litigation.
Michael R. Arkfeld, Arkfeld’s Best Practices Guide for Litigation Readiness and Hold, §3.2(A), page 62 (2008-2009 Ed.), citing, Zubulake v. UBS Warburg LLC 220 F.R.D. 212, 218 (S.D.N.Y.2003).
Preservation Letter Checklist
• Basic investigative work should uncover appropriate points to include in a litigation hold letter.
• Common sense should guide the actual points to include in a preservation letter.
• Not a discovery request.
Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
Preservation Checklist
• A party can disregard the request to preserve, but once the request has formally been made and evidence disappears, a preservation letter may place the discovering party in a superior position to seek sanctions or other relief.
Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
Preservation Letter Checklist
• At a minimum, a letter should begin with a general statement that the discovering party expects the party to preserve digital evidence that in all probability will be relevant to the issues in a case, or may lead to the discovery of such evidence.
Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
Preservation Letter Checklist
• The preservation letter should include a request that the other party suspend its regular document retention policy pending discovery.
• The preservation letter should identify all of the possible locations where such evidence might conceivably reside.
Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
Preservation Letters
• The letter should inform the opposing party that a mere file backup of the hard drive is not adequate preservation.
• The party must be instructed to image the hard drive as a bit-stream copy, in which all areas of the hard drive, used and unused, are copied.
• If a file is deleted before a backup is made, the deleted file will not be copied unless it is a bit-stream copy.
• The letter should also request that deleted files that are reasonably recoverable be immediately undeleted.
Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
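The difference between a file-level backup and a bit-stream image, which the Stone checklist above turns on, is easiest to see on a toy disk. The following Python is an added example written for this page, not code from the presenters or from any court record: it builds a constructed miniature filesystem (a directory of name/start/length entries in front of fixed-size data blocks), writes a sensitive file, deletes it the way real filesystems do (only the directory entry goes), and then compares what a logical backup captures against what a hashed bit-stream image still holds. The disk geometry, file names and contents are all constructed for the demonstration.

```python
import hashlib

# Toy disk geometry (constructed for this example; real filesystems differ in
# layout but share the property demonstrated here).
BLOCK = 64        # bytes per block
NBLOCKS = 32      # blocks on the disk
DIR_BLOCKS = 2    # blocks 0-1 hold the directory: one "name:start:length" line per file


def format_disk():
    """A blank disk: every block zeroed, empty directory."""
    return bytearray(BLOCK * NBLOCKS)


def read_dir(disk):
    raw = bytes(disk[:BLOCK * DIR_BLOCKS]).rstrip(b"\0").decode()
    entries = {}
    for line in raw.splitlines():
        name, start, length = line.split(":")
        entries[name] = (int(start), int(length))
    return entries


def write_dir(disk, entries):
    raw = "\n".join(f"{n}:{s}:{l}" for n, (s, l) in entries.items()).encode()
    if len(raw) > BLOCK * DIR_BLOCKS:
        raise OSError("directory full")
    disk[:BLOCK * DIR_BLOCKS] = raw.ljust(BLOCK * DIR_BLOCKS, b"\0")


def allocated_blocks(entries):
    used = set()
    for start, length in entries.values():
        used.update(range(start, start + -(-length // BLOCK)))
    return used


def write_file(disk, name, data):
    entries = read_dir(disk)
    used = allocated_blocks(entries)
    need = -(-len(data) // BLOCK)
    for start in range(DIR_BLOCKS, NBLOCKS - need + 1):   # first-fit contiguous run
        if not used.intersection(range(start, start + need)):
            break
    else:
        raise OSError("disk full")
    disk[start * BLOCK:start * BLOCK + len(data)] = data
    entries[name] = (start, len(data))
    write_dir(disk, entries)


def delete_file(disk, name):
    """Deletion the way most filesystems do it: the directory entry goes,
    the data blocks are merely marked free and keep their contents."""
    entries = read_dir(disk)
    del entries[name]
    write_dir(disk, entries)


def file_backup(disk):
    """A logical (file-level) backup copies only what the directory still lists."""
    return {name: bytes(disk[s * BLOCK:s * BLOCK + n])
            for name, (s, n) in read_dir(disk).items()}


def bitstream_image(disk):
    """A bit-stream image copies every byte, used and unused, and is hashed so
    the copy can later be verified against the original."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()


def carve(image, signature):
    """Recover deleted records from unallocated space by signature (toy carving):
    concatenate the free blocks and cut each hit at the next NUL byte."""
    used = allocated_blocks(read_dir(bytearray(image)))
    free = b"".join(image[b * BLOCK:(b + 1) * BLOCK]
                    for b in range(DIR_BLOCKS, NBLOCKS) if b not in used)
    hits, pos = [], free.find(signature)
    while pos != -1:
        end = free.find(b"\0", pos)
        end = len(free) if end == -1 else end
        hits.append(free[pos:end])
        pos = free.find(signature, end)
    return hits


def demo():
    """Delete a sensitive file before any copy is taken, then compare the two
    preservation methods. File names and contents are constructed."""
    disk = format_disk()
    write_file(disk, "memo.txt", b"Quarterly planning notes")
    write_file(disk, "customers.csv", b"CONFIDENTIAL: customer list, constructed sample")
    delete_file(disk, "customers.csv")

    backup = file_backup(disk)               # taken after the deletion
    image, digest = bitstream_image(disk)    # taken after the deletion, too
    return {
        "backup_files": sorted(backup),
        "backup_contains_secret": any(b"CONFIDENTIAL" in v for v in backup.values()),
        "carved_from_image": carve(image, b"CONFIDENTIAL"),
        "image_hash_verified": hashlib.sha256(image).hexdigest() == digest,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The logical backup lists only memo.txt and contains no trace of the deleted customer file; the bit-stream image still carries its bytes in unallocated space, and the recorded SHA-256 lets the image be verified later. The same holds on real media, which is why a preservation letter asks for imaging rather than a file copy, and why the hash should be recorded at acquisition time.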
A Very Bad Litigation Hold Letter
• Hank has asked me to send this out to everyone.
• All emails re Napster at this point are related to the litigation and should contain the “a/c” (attorney communications) symbol in the subject line and [email protected] should be ccd. We should not be sending e-mails on this subject anyway. Items from outsiders such as resumes do not require this.
• Hank Barry
UMG Recordings, Inc. v. Hummer Winblad Venture Partners (In re Napster, Inc. Copyright Litig.), 462 F. Supp. 2d 1060, 1064 (N.D. Cal. 2006).
A Very Bad Litigation Hold Letter, Part 2
1. we do not retain e-mails, it is your responsibility to delete your handled e-mails immediately
2. we do not use e-mail to chat about matters related to public companies or matters such as the above
3. we do not retain written copies of e-mails in our files
UMG Recordings, Inc. v. Hummer Winblad Venture Partners (In re Napster, Inc. Copyright Litig.), 462 F. Supp. 2d 1060, 1064 (N.D. Cal. 2006).
Please also be aware of our e-mail policy. As we have all been required to surrender Napster e-mails, this should reinforce compliance with our long standing policies.
A Very Bad Litigation Hold Letter, Part 3
4. our document retention policy is that we do not retain documents on any public or acquired company and retain limited information on private companies. all retained information is stored in central files, pls do not retain other docs in your own files unnecessarily
5. we do not retain files separate from our central files which are periodically checked for compliance to policies
Please also review the above policies with any summer associates.
UMG Recordings, Inc. v. Hummer Winblad Venture Partners (In re Napster, Inc. Copyright Litig.), 462 F. Supp. 2d 1060, 1064 (N.D. Cal. 2006).
Triggering Event for the Duty to Preserve
– “Reasonably Anticipated”
– Pending, imminent, reasonably foreseeable.
– A complaint has been filed
– Discovery requests have been served
Michael Arkfeld, Best Practices Guide for Litigation Readiness and Hold, §3.2(B) Preservation Obligation
Document Destruction Policies
No spoliation where documents destroyed as part of a routine housecleaning operation with no notice to enact a litigation hold.
Cook Assocs. v. PCS Sales (USA), Inc., 271 F. Supp. 2d 1343, 1357 (D. Utah 2003)
Duty to Preserve Includes the Following:
• Relevant in the action;
• Reasonably calculated to lead to the discovery of admissible evidence;
• Reasonably likely to be requested during discovery, and/or
• Subject of a pending discovery request.
Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 216 (S.D.N.Y.2003); Wm. T. Thompson Co. v. General Nutrition Corp., 593 F. Supp. 1443, 1555 (C.D.Cal.1984)
What the Duty to Preserve Doesn’t Include
Relevant Documents to Preserve
• [A]ny documents or tangible things (as defined by [Fed. R. Civ. P. 34(a)]) made by individuals "likely to have discoverable information that the disclosing party may use to support its claims or defenses."
Goodman v. Praxair Servs., 2009 U.S. Dist. LEXIS 58263 (D. Md. July 7, 2009)
Relevant Documents to Preserve, 2
• Documents prepared for those individuals, to the extent those documents can be readily identified (e.g., from the "to" field in e-mails).
• Information that is relevant to the claims or defenses of any party, or which is "relevant to the subject matter involved in the action." Thus, the duty to preserve extends to those employees likely to have relevant information--the "key players" in the case.
Goodman v. Praxair Servs., 2009 U.S. Dist. LEXIS 58263 (D. Md. July 7, 2009)
Spoliation
Sanction Flavors
• Sanctions can be imposed for negligent, gross negligent, willful and bad faith conduct.
• Bad Faith - “[w]here a party destroys evidence in bad faith, that bad faith alone is sufficient circumstantial evidence from which a reasonable fact finder could conclude that the missing evidence was unfavorable to that party,” and thus the jury may be instructed that the lost evidence was adverse to the spoliating party.
• Negligence or gross negligence: a judge may impose an adverse inference instruction or “less severe sanctions-such as fines and cost-shifting,” even without a showing that particular materials were lost.
Pension Committee, at *18.
Demonstrating Spoliation
Moving Party Must Show:
1) That its adversary had control of the evidence and a duty to preserve it at the time it was lost or destroyed;
2) That the adversary had a "culpable state of mind" when the evidence was lost or destroyed; and
3) That the lost or destroyed evidence was "relevant" to the moving party's claims such that a reasonable trier of fact could find that it would support a claim.
Arista Records LLC v. Usenet.com, Inc., 2009 U.S. Dist. LEXIS 5185 (S.D.N.Y. Jan. 26, 2009)
Possible Sanctions
• Adverse evidence jury instruction;
• Excluding greater or lesser parts of the destroying party's evidence;
• Dismissing a party's claims in whole or in part; or
• Granting default judgment against a party in whole or in part.
Toth v. Parish, 2009 U.S. Dist. LEXIS 16116, 7-8 (W.D. La. Mar. 2, 2009)
Determining Sanctions
• Factors in determining the appropriate sanctions for wrongful destruction of evidence include:
• "1) the degree of fault of the party who altered or destroyed the evidence;
• 2) the degree of prejudice suffered by the opposing party; and
• 3) whether there is a lesser sanction that will avoid substantial unfairness to the opposing party and if the fault is serious, will serve to defer such conduct by others in the future."
Toth v. Parish, 2009 U.S. Dist. LEXIS 16116 (W.D. La. Mar. 2, 2009)
Speculation is Not Spoliation
• Defendants asserted that Plaintiff's "concern" amounted to nothing more than mere speculation.
• Plaintiff did not produce any evidence suggesting that Defendants had not complied, or did not intend to comply, with their duty to preserve evidence.
• Preservation order was not warranted.
Gregg v. Local 305 IBEW, 2008 U.S. Dist. LEXIS 99075 (N.D. Ind. Dec. 8, 2008)
Willful Conduct
• Defendant was put on notice of a lawsuit because of unlicensed software usage.
• Instead of enacting a litigation hold, the Defendant ordered the “software deleted immediately.”
KCH Servs. v. Vanaire, Inc., 2009 U.S. Dist. LEXIS 62993 (W.D. Ky. July 21, 2009).
Willful Conduct, 2
• The Defendant’s actions deprived the Plaintiff of any opportunity to inspect relevant evidence once the lawsuit began.
• The Court ordered the spoliation sanction of an adverse inference instruction, instead of a default judgment, for the Defendant’s obstructionism.
KCH Servs. v. Vanaire, Inc., 2009 U.S. Dist. LEXIS 62993 (W.D. Ky. July 21, 2009).
A Picture is Worth 1,000 Words…
• Defendants attempted to purchase $4.2 million painting.
• Divorce and lawsuit for breach of contract.
• Excel file with unknown origin.
• Friend of Defendant’s kid reinstalled computer operating system.
Green v. McClendon, 2009 U.S. Dist. LEXIS 71860 (S.D.N.Y. Aug. 13, 2009).
…but sanctions are priceless.
• Lawyer and Defendant both failed in their duty to preserve.
• Plaintiff entitled to additional discovery and costs.
Green v. McClendon, 2009 U.S. Dist. LEXIS 71860 (S.D.N.Y. Aug. 13, 2009).
California e-Discovery & Litigation Hold Failures
• Defendant failed to produce email messages & PST’s.
• Defendants did not enact a litigation hold.
• During the middle of trial, it was learned that the manufacturer still had not complied with discovery orders and directives.
Doppes v. Bentley Motors, Inc., 174 Cal. App. 4th 967, 969 (Cal. App. 4th Dist. 2009)
Sanctions
Case remanded:
(1) Strike Defendants’ answer and enter a default and default judgment against them on the fraud cause of action;
(2) Made an express finding in the judgment that Defendants intentionally violated the Song-Beverly Consumer Warranty Act;
(3) Entered an order granting the post-trial motion for attorney fees in the total amount of $ 402,187;
(4) Reconsider the post-judgment motion for attorney fees in accordance with this opinion; and
(5) Ordered further proceedings not inconsistent with the opinion, including a default prove-up on the fraud cause of action, imposition of civil penalties under Civil Code section 1794, and consideration of other relief sought in the complaint.
Doppes v. Bentley Motors, Inc., 174 Cal. App. 4th 967, 1003 (Cal. App. 4th Dist. 2009)
Resetting the Gold Standard
• Pension Committee
• 89 page opinion
• Securities Litigation
• Judge Scheindlin
Gross Negligence
The failure to issue a written litigation hold when litigation is reasonably anticipated is gross negligence.
The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)
What Happened?
• Plaintiffs’ counsel's emails and memoranda “did not meet the standard of a litigation hold” because plaintiff's counsel failed to direct employees to preserve all relevant records and failed to create a mechanism for collecting records.
• Memo required employees to determine what was relevant and to respond without supervision by counsel.
• Memo did not instruct employees to suspend the destruction of potentially relevant records.
• Plaintiffs did not issue a formal written litigation hold until 2007 – nearly four years after the triggering event.
The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)
Production Gaps
• Defendants found gaps in document production from 13 plaintiffs
• Requested declarations describing the preservation efforts
• Found that “almost all of the declarations were false and misleading and/or executed by a declarant without personal knowledge of its contents.”
Pension Committee, Amended Order, at *32-33
The Hammer Falls: Gross Negligence
• Six plaintiffs found grossly negligent
– Failure to issue a written litigation hold prior to 2007;
– Deleting ESI after the trigger event;
– Failing to request documents from key players;
– Delegating search efforts without any supervision from management;
– Destroying backup tapes relating to key players where other ESI was not readily available; and/or
– Submitting misleading or inaccurate declarations.
Pension Committee, Amended Order, at *42-43
“Merely” Negligent
• 7 found merely negligent
– “failure to institute a written litigation hold” was “not yet generally required” in early 2004 in Federal court in Florida.
Pension Committee, Amended Order, at *64.
Lessons Learned
Lesson Learned: Self-Collection
• Counsel must give direction and supervision to custodians on preservation.
– One custodian said he had “no experience conducting searches, received no instruction on how to do so, had no supervision during the collection, and no contact with Counsel during the search.”
• Employee must not search their own files since they become the sole decision maker as to the relevance of the search terms used.
Pension Committee, Amended Order, at *62, 66.
Lessons Learned: Finding Gross Negligence
“[T]he following failures support a finding of gross negligence, when the duty to preserve has attached:
[1] to issue a written litigation hold;
[2] to identify all of the key players and to ensure that their electronic and paper records are preserved;
[3] to cease the deletion of email or to preserve the records of former employees that are in a party's possession, custody, or control; and
[4] to preserve backup tapes when they are the sole source of relevant information or when they relate to key players, if the relevant information maintained by those players is not obtainable from readily accessible sources.”
The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)
Rimkus: Litigation Holds…Texas Style!
• Intellectual property case.
• Group of employees left and filed suit against their former employer to release them from their non-compete agreements.
• In countersuit, Rimkus Consulting claimed the former employees violated their non-competes and additionally made off with “trade secrets and proprietary information.”
Rimkus Consulting Group, Inc. v. Cammarata, 2010 U.S. Dist. No. 07-cv-00405 (SDTX Feb. 19, 2010)
Rimkus Result
• Concluded willful destruction of evidence, although a significant amount of the incriminating evidence was recovered by the plaintiff.
• Court was unwilling to issue an adverse inference instruction.
• Would allow the jury to determine the implications of the defendants’ misconduct based on the facts.
Rimkus Consulting Group, Inc. v. Cammarata, 2010 U.S. Dist. No. 07-cv-00405 (SDTX Feb. 19, 2010)
Culpability Insight
“Permissive” adverse inference sanction that instructed the jury to decide if the defendants intentionally deleted emails… and whether to infer that the lost information would have been unfavorable to the defendants.
Data Breach Adventures
Digital Forensics
• Core: data collection, preservation, documentation and court room presentation
– Defensible processes
– Use methods that yield the most accurate results (Gates Rubber Co. v. Bando American, Inc., 798 F.Supp. 1499, 1511 (D.Colo.1992))
• Differences between forensic collection versus backup
• Be proactive: have plan before you need the data
Places to hide
Forensic View of Empty Recycle Bin
The files in the Recycle Bin were wiped…
Wiping Sample
Deleted Files (Free Space)
Hidden Data in MS Word
Analyzing hidden data sample from Letter Template.doc
Document Name: hidden data sample from Letter Template.doc
Path: C:\Documents and Settings\tcastrejon\My Documents\MetaData Deck
Document Format: Word Document
Built-in document properties: Built-in Properties Containing Metadata: 2
Title: Deloitte Letter.dot
Comments: Word Template v2004.1 08/22/2004
Document Statistics: Document Statistics Containing Metadata: 6
Creation Date: 7/18/2006 11:16:00 PM
Last Save Time: 7/18/2006 11:29:00 PM
Time Last Printed: 5/1/2002 4:04:00 PM
Last Saved By: John Doe
Revision Number: 5
Total Edit Time (Minutes): 13 Minutes
Custom document properties: No Custom Document Properties
Last 10 authors: NOT PROCESSED
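The report above was produced by a commercial metadata tool against a binary .doc file. The same properties (title, comments, last saved by, revision, created, modified, last printed, total edit time, template) are carried by the current .docx format in two small XML parts inside the zip container, which can be read with the Python standard library. The example below is added for this page and is not the presenters' tool: it constructs a minimal .docx in memory whose properties mirror the slide's values, extracts them, and flags the one inconsistency visible in the report (a "last printed" date four years before the creation date), which is the signature of properties inherited from the template the document was created from. The .docx layout and the namespace URIs are the standard OOXML ones; the sample document and its values are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Standard OOXML namespaces for the two property parts of a .docx.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed property parts, mirroring the values in the slide's report.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Deloitte Letter.dot</dc:title>
 <dc:description>Word Template v2004.1 08/22/2004</dc:description>
 <cp:lastModifiedBy>John Doe</cp:lastModifiedBy>
 <cp:revision>5</cp:revision>
 <cp:lastPrinted>2002-05-01T16:04:00Z</cp:lastPrinted>
 <dcterms:created xsi:type="dcterms:W3CDTF">2006-07-18T23:16:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2006-07-18T23:29:00Z</dcterms:modified>
</cp:coreProperties>""" % NS

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="%(ep)s">
 <Template>Deloitte Letter.dot</Template>
 <TotalTime>13</TotalTime>
</Properties>""" % NS

# Element -> report field. Word's "Comments" is stored as dc:description.
CORE_FIELDS = {"dc:title": "title", "dc:description": "comments", "dc:creator": "author",
               "cp:lastModifiedBy": "last_saved_by", "cp:revision": "revision",
               "cp:lastPrinted": "last_printed", "dcterms:created": "created",
               "dcterms:modified": "last_saved"}
APP_FIELDS = {"ep:Template": "template", "ep:TotalTime": "total_edit_minutes",
              "ep:Company": "company"}


def build_sample_docx():
    """Minimal constructed .docx: a real one has more parts, but the document
    properties live in these two."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
    return buf.getvalue()


def _read_part(z, name, fields):
    if name not in z.namelist():
        return {}
    root = ET.fromstring(z.read(name))
    found = {}
    for tag, key in fields.items():
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[key] = el.text.strip()
    return found


def extract_metadata(docx_bytes):
    """Return the document properties present in the file, keyed like the report."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        meta = _read_part(z, "docProps/core.xml", CORE_FIELDS)
        meta.update(_read_part(z, "docProps/app.xml", APP_FIELDS))
    return meta


def parse_w3cdtf(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def template_inherited(meta):
    """Heuristic: a 'last printed' time earlier than 'created' cannot describe
    this document and was inherited from the template it was made from."""
    if "last_printed" in meta and "created" in meta:
        return parse_w3cdtf(meta["last_printed"]) < parse_w3cdtf(meta["created"])
    return False


if __name__ == "__main__":
    meta = extract_metadata(build_sample_docx())
    for key, value in meta.items():
        print(f"{key}: {value}")
    print("properties inherited from template:", template_inherited(meta))
```

Run against a real .docx, the extractor shows what an opposing party will see in a produced file: who last saved it, how many revisions it went through, and which template it came from. The inheritance check is a heuristic only; it catches the obvious case of a printed date predating creation and says nothing about properties that happen to be plausible.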
Document Metadata Sample
Outlook Metadata
EXIF Metadata
Disk;;USB_DISK_2.0;077515B0166B&0;USB DISK 2.0 USB Device;06/03/09 07:54:59AM;04/04/09 09:29:41PM;7&1e544ac1&0
Disk;;USB_DISK_2.0;077516B01804&0;USB DISK 2.0 USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&11a53745&0
Disk;;USB_DISK_20X;074712910134&0;USB DISK 20X USB Device;06/17/09 04:40:12PM;04/04/09 09:29:41PM;7&1c48d21e&0
Disk;Apple;iPod;000A2700146E70D2&0;Apple iPod USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&d9cbdb&0
Disk;I-Stick2;IntelligentStick;FCA4B93FF2BFE451&0;I-Stick2 IntelligentStick USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&699ed73&0
\DosDevices\E:;;0;\??\STORAGE#RemovableMedia#7&1c48d21e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};074712910134&0
USB Devices
Link File Name                       Created              Written              Accessed             Volume Label  Media Type  Serial #     Path
14aren.lnk                           02/11/09 03:03:05PM  02/11/09 03:03:06PM  03/05/10 12:00:00AM  NEW VOLUME    Removable   14 F7 C2 E4  E:\file_Rename\14aren
Customer_lists.pdf.lnk               03/05/10 06:51:58PM  04/15/09 06:16:26PM  03/05/10 12:00:00AM  NEW VOLUME    Removable   14 F7 C2 E4  E:\secret_documents\Customer_lists.pdf
secret_documents.lnk                 03/05/10 06:51:57PM  03/05/10 06:51:58PM  03/05/10 12:00:00AM  NEW VOLUME    Removable   14 F7 C2 E4  E:\secret_documents
Company_research_new_design.doc.lnk  03/05/10 06:51:57PM  06/02/05 09:39:22PM  03/05/10 12:00:00AM  NEW VOLUME    Removable   14 F7 C2 E4  E:\secret_documents\Company_research_new_design.doc
Links Recently Accessed via Removable Media
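The two artifacts on the preceding slides answer one question an examiner has in a data breach: which physical device held the files that these shortcuts point at? The USB device list carries each device's serial number and parent-id prefix, the \DosDevices\E: entry ties a drive letter to one of those prefixes, and each .lnk record carries the target path with its drive letter. The Python below is an added example for this page, not the presenters' tool: it parses the export lines exactly as printed on the "USB Devices" slide, re-enters the shortcut table from the "Links Recently Accessed via Removable Media" slide as constructed records, and joins them by drive letter. The slide does not label the export's columns, so their meaning (class, vendor, product, serial, friendly name, two registry timestamps, parent-id prefix) is an assumption made here.

```python
import re
from datetime import datetime

# Export lines as printed on the slide. Column meaning is an assumption (see
# lead-in); the slide itself does not label the columns.
USB_EXPORT = r"""
Disk;;USB_DISK_2.0;077515B0166B&0;USB DISK 2.0 USB Device;06/03/09 07:54:59AM;04/04/09 09:29:41PM;7&1e544ac1&0
Disk;;USB_DISK_2.0;077516B01804&0;USB DISK 2.0 USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&11a53745&0
Disk;;USB_DISK_20X;074712910134&0;USB DISK 20X USB Device;06/17/09 04:40:12PM;04/04/09 09:29:41PM;7&1c48d21e&0
Disk;Apple;iPod;000A2700146E70D2&0;Apple iPod USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&d9cbdb&0
Disk;I-Stick2;IntelligentStick;FCA4B93FF2BFE451&0;I-Stick2 IntelligentStick USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&699ed73&0
\DosDevices\E:;;0;\??\STORAGE#RemovableMedia#7&1c48d21e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};074712910134&0
"""

# Shortcut (.lnk) records as listed on the slide, re-entered as constructed tuples:
# link name, created, written, accessed, volume label, media type, volume serial, target.
LNK_RECORDS = [
    ("14aren.lnk", "02/11/09 03:03:05PM", "02/11/09 03:03:06PM", "03/05/10 12:00:00AM",
     "NEW VOLUME", "Removable", "14 F7 C2 E4", r"E:\file_Rename\14aren"),
    ("Customer_lists.pdf.lnk", "03/05/10 06:51:58PM", "04/15/09 06:16:26PM", "03/05/10 12:00:00AM",
     "NEW VOLUME", "Removable", "14 F7 C2 E4", r"E:\secret_documents\Customer_lists.pdf"),
    ("secret_documents.lnk", "03/05/10 06:51:57PM", "03/05/10 06:51:58PM", "03/05/10 12:00:00AM",
     "NEW VOLUME", "Removable", "14 F7 C2 E4", r"E:\secret_documents"),
    ("Company_research_new_design.doc.lnk", "03/05/10 06:51:57PM", "06/02/05 09:39:22PM",
     "03/05/10 12:00:00AM", "NEW VOLUME", "Removable", "14 F7 C2 E4",
     r"E:\secret_documents\Company_research_new_design.doc"),
]

TS_FMT = "%m/%d/%y %I:%M:%S%p"


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def parse_usb_export(text):
    """Split the export into device records and drive-letter mappings."""
    devices, drive_map = [], {}
    for line in text.strip().splitlines():
        fields = line.split(";")
        if fields[0].startswith("\\DosDevices\\"):
            letter = fields[0].rsplit("\\", 1)[1]                  # "E:"
            m = re.search(r"RemovableMedia#(.+?)&RM#", fields[3])  # parent-id prefix
            drive_map[letter] = {"parent": m.group(1) if m else None,
                                 "serial": fields[4].split("&")[0]}
        else:
            cls, vendor, product, serial, name, ts_a, ts_b, parent = fields
            devices.append({"class": cls, "vendor": vendor, "product": product,
                            "serial": serial.split("&")[0], "name": name,
                            "last_write": parse_ts(ts_a), "installed": parse_ts(ts_b),
                            "parent": parent})
    return devices, drive_map


def device_for_drive(letter, devices, drive_map):
    """Resolve a drive letter to the physical device via parent-id prefix and serial."""
    mapping = drive_map.get(letter)
    if not mapping:
        return None
    for dev in devices:
        if dev["parent"] == mapping["parent"] and dev["serial"] == mapping["serial"]:
            return dev
    return None


def correlate_links(records, devices, drive_map):
    """Attach each shortcut that points at removable media to the device that
    held that drive letter, ordered by when the shortcut was created."""
    rows = []
    for name, created, written, accessed, label, media, vol_serial, target in records:
        dev = device_for_drive(target[:2], devices, drive_map)
        if dev is None:
            continue
        rows.append({"link": name, "target": target, "device": dev["name"],
                     "device_serial": dev["serial"],
                     "volume_serial": vol_serial.replace(" ", ""),
                     "link_created": parse_ts(created), "target_written": parse_ts(written)})
    return sorted(rows, key=lambda r: r["link_created"])


if __name__ == "__main__":
    devices, drive_map = parse_usb_export(USB_EXPORT)
    for row in correlate_links(LNK_RECORDS, devices, drive_map):
        print(f'{row["link_created"]:%Y-%m-%d %H:%M:%S}  {row["target"]:55s} '
              f'{row["device"]} (S/N {row["device_serial"]})')
```

On the slide's data the E: mapping resolves to the USB DISK 20X device with serial 074712910134, and three of the four shortcuts point under E:\secret_documents. Treat the join as a lead rather than a conclusion: Windows reuses drive letters, so the \DosDevices entry only records the most recent device that held E:, while the volume serial embedded in each .lnk (14F7C2E4 here) is the firmer identifier of the specific volume and should be matched against the device's own volume serial where an image of it is available.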
Encryption & PW Protection
Live Memory
• Encryption keys and passwords
• Email fragments
• Document fragments
• Malware
Legal Considerations
• Acceptable use policy
• Subpoena
• 4th Amendment
• Cross border data transfer and privacy considerations
– EU Safe Harbor
– Local laws and regulations
The complex world of laws and regulations presents challenges for records and information management
Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new email spam and privacy regulations
Numerous State Laws: Breach Notification, 41 States from CA to NY
European Union: EU Data Protection Directive and Member States Data Protection Laws, Safe Harbor
South Africa: Electronic Communications and Transactions Act
US: SOX, HIPAA, COPPA, FRCP, 21 CFR 11, ISO 15489, ANSI/AIIM TR48‐2004, PCI Data Security
Hong Kong: Personal Data Privacy Ordinance
Canada (Federal/Provincial): PIPEDA, FOIPPA, PIPA
Chile: Law for the Protection of Private Life
South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
India: Law pending, currently under discussion
New Zealand: Privacy Act
Argentina: Personal Data Protection Law, Confidentiality of Information Law
Philippines: Data Privacy Law proposed by ITECC
Taiwan: Computer-Processed Personal Data Protection Law
Japan: Personal Information Protection Act
Regulatory Considerations
Trends
• Data will continue to expand to mobile side of your enterprise
• Cloud computing
Cloud Computing
• Evidence Collection in the Cloud
• Security in the Cloud
• E-Discovery in the Cloud
Thank You
Tomas Castrejon
General Dynamics Advanced Information Systems
Network Defense and Digital Forensics
408.220.3113
Josh Gilliland, Esq.
D4 LLC
650-576-3298
www.bowtielaw.com
Twitter @bowtielaw
Stephanie Sparks, Esq.
Hoge Fenton Jones & Appel
408.947.2431
www.hogefenton.com