Electronic Discovery & Information Governance
2014 TIPS OF THE MONTH – A Compilation

Table of Contents

Introduction ........................................................................ 1
January – Social Media E-Discovery .................................................. 3
February – Managing the Risks of Bring Your Own Device ............................. 6
March – Preserving Electronically Stored Information When Employees Depart ......... 9
April – Data Privacy Concerns When Moving Email to the Cloud ....................... 12
May – Managing the Risks and Costs Associated with Governance of “Custodial” Data .. 15
June – Implementing An Information Governance Program .............................. 19
July – Managing the Risks and Costs Associated with Enterprise Social Networks ..... 22
August – Staying Informed About State Data Breach Laws ............................. 25
September – E-Discovery in Patent Litigation ....................................... 28
October – Managing the Electronic Discovery Vendor Relationship .................... 31
November – Managing E-Discovery in State Courts .................................... 34
December – Proposed Amendments to the US Federal Rules of Civil Procedure .......... 37

Mayer Brown LLP | 1

Introduction

Mayer Brown’s Electronic Discovery & Information Governance Practice hopes you found our Tips of the Month series valuable in 2014.
We wanted to take an opportunity to recap the major E-Discovery trends of 2014 and to provide last year’s tips in a single document for easy reference. We hope that our monthly updates continue to bring you value and, as always, welcome your comments and suggestions for future Tips of the Month in 2015. We’re here to serve your interests and we sincerely thank you for your continued comments.

2014: The EDIG Year in Review

The trend in EDIG this year was convergence: convergence of electronic discovery with information governance; convergence of technology-assisted review and settled workflows; and convergence of cloud data into the electronic discovery workflow.

Electronic discovery converges with information governance. Businesses are coming to recognize that the best way to manage electronic discovery issues is to take control of the information that they create. Much of the routinely created information generated in the course of a business day isn’t of any particular business use to anyone—it’s just “stuff.” And retaining it forever costs money, without delivering any identifiable business benefit. Further, once litigation is filed, having large quantities of this material can bog down your processes and increase the difficulty and cost of managing the litigation.

TAR converges with settled workflows. In 2014, we saw growing consensus among judges that technology-assisted review is a viable component of an ediscovery strategy, in combination with human review and search-term based techniques. See generally Bridgestone Americas, Inc. v. Int. Bus. Machs. Corp., 2014 WL 4923014 (M.D. Tenn. July 22, 2014) (“In the final analysis, the use of predictive coding is a judgment call, hopefully keeping in mind the exhortation of Rule 26 that discovery be tailored by the court to be as efficient and cost-effective as possible.”); FDIC v. Bowden, 2014 WL 2548137 (S.D. Ga. June 6, 2014) (“Predictive coding has emerged as a far more accurate means of producing responsive ESI in discovery. Studies show it is far more accurate than human review or keyword searches which have their own limitations”) (quotation omitted); Progressive Cas. Ins. Co. v. Delaney, 2014 WL 2112927 (D. Nev. May 20, 2014) (noting the empirical accuracy of TAR but requiring transparency regarding TAR workflow); Federal Housing Finance Agency v. HSBC North America Holdings, 2014 WL 584300 (S.D.N.Y. Feb. 14, 2014) (endorsing use of TAR for responsiveness review).

Cloud data converges with ediscovery. We also saw data at cloud providers move to front and center of the EDIG conversation. Large-scale commercial storage-as-a-service and email-as-a-service providers are getting enough traction with businesses that there is a good chance that any given business will store at least some information responsive to a litigation requirement with a service provider as opposed to on servers that it owns. Finding elegant solutions to the problem of preserving and collecting information from a heterogeneous environment including resources outside the client’s physical control will take a couple more years—but the problem is squarely presented now.

The big, long-term story for 2015 is how the amendments to the Federal Rules that are due in December will play out. We will be tracking that story, the trends above, and other surprises and developments in the EDIG world in our Tips of the Month.

For inquiries related to this summary of 2014 Year in Review, please contact Eric Evans at eevans@mayerbrown, Ethan Hastert at firstname.lastname@example.org, Michael Lackey at email@example.com or Kim Leffert at firstname.lastname@example.org.
Learn more about Mayer Brown’s Electronic Discovery & Records Management practice or contact Eric Evans at eevans@mayerbrown, Ethan Hastert at email@example.com, Michael Lackey at firstname.lastname@example.org or Edmund Sautter at email@example.com. Please visit us at www.mayerbrown.com.

January 2014
Social Media E-Discovery

Scenario

A large corporation has been sued by former employees who allege that their supervisors harassed them and made inappropriate remarks in the workplace and on social media. During discovery, the corporation receives a document request for the supervisors’ social media postings, emails and related files. The corporation must determine how to access, review and produce the requested information and considers seeking similar social media discovery from the former employees.

Understanding the Challenges of Social Media E-Discovery

Although the concept of electronic discovery and the need to preserve emails and computer files in anticipation of litigation is familiar, the advent of social media has greatly increased the potentially relevant information that is available electronically. Similar to other forms of electronic discovery, information posted to social media sites such as Facebook, Twitter or LinkedIn can be subject to discovery. However, knowing when or how to request and/or produce social media information can be a challenge. The following basic principles can provide guidance with regard to social media discovery.

Social Media Can Be Discoverable: The discovery of social media information is governed by the same procedural rules that govern other forms of electronic discovery in litigation. Although these rules differ from jurisdiction to jurisdiction, the general limiting discovery principle is whether the information being sought is reasonably calculated to lead to the discovery of admissible evidence.
If the information being sought on a social media site will reasonably lead to the discovery of admissible evidence, it will likely be discoverable.

Social Media Sites Constantly Evolve: The social media landscape is constantly evolving. Although Facebook and Twitter are currently popular social media sites in the United States, that may not be the case one year from now as new sites are developed. In addition, existing social media sites are frequently updated to provide their users with new ways to share and receive information. As a result, the information that is commonly shared on social media today may not be the same type of information that is shared in the future. Therefore, it is important to stay apprised of the new developments in social media.

Social Media Sites Contain Different Types of Information: Social media sites also differ with regard to the information that is being shared. While sites such as Facebook, Twitter, and Instagram are primarily used to post photographs and status messages, or to hold online conversations, an employee or competitor is more likely to share confidential or proprietary company information using a site such as DropBox or Yammer. It is therefore important to understand how each social media site functions, the information likely to be shared on the site, and the various ways to access that information. This will allow a company to assess whether social media discovery may be potentially necessary in litigation.

Social Media Implicates Privacy Concerns: Social media sites are predominately used for personal reasons and social media accounts frequently contain private, nonpublic information. As a result, there is an inherent concern that broad requests for information on social media may invade an individual’s right to privacy.
Recently, some courts addressing requests for social media have required the party seeking the information to first establish that a review of publicly available social media information revealed a reasonable likelihood that the review of private social media information would lead to the discovery of admissible evidence. These courts have stressed that simply requesting all forms of social media information without limitation is improperly overbroad and that requests must be tailored to the issues in the case. Accordingly, to ensure that the social media information being sought in discovery is potentially relevant, it is advisable to first determine the universe of information that is publicly available on social media and then consider whether additional discovery is needed.

Managing Social Media E-Discovery

As more people use social media, social media discovery has become more frequent. Given that employees are often accessing and posting to social media sites using personal and company-owned devices, companies should consider the following tips for developing a social media discovery strategy.

Employee Cooperation: Unlike work email accounts and network files, most companies do not have access to their employees’ personal social media accounts. In fact, a number of states have recently enacted laws prohibiting employers from requiring current or prospective employees to provide their social media passwords. As a result, if an employee’s social media posting becomes relevant in litigation, the company will likely need the employee’s cooperation to access the account. Therefore, companies should consider seeking out such cooperation at the onset of litigation in order to facilitate the discovery process.

Preservation of Social Media: The requirement that relevant documents be preserved in anticipation of litigation also extends to relevant social media information.
Because different social media sites contain different types of information, companies should evaluate how, and to what extent, their employees are using social media and whether their use potentially implicates company business. If it is reasonably foreseeable that an employee’s social media postings may be relevant in a future litigation, the company should consider taking steps to ensure that the relevant information is properly preserved. Moreover, if the company anticipates seeking social media discovery from the opposition, it should request early in the litigation that any relevant social media information be preserved.

Review Social Media Contextually: Social media postings are often impulse driven, and they do not always contain the same contextual clues as an email or internal memo. As a result, the relevance of social media information is not always readily apparent. For example, Twitter postings are limited to a finite number of characters and users frequently use abbreviations, nicknames and code words. Consequently, simply viewing a person’s Twitter account on its own without a full understanding of the issues in a case may result in relevant information being overlooked or disregarded. Accordingly, in order to ensure that the social media information is properly evaluated, it should be reviewed at the same time as the other discovery in the case.

Conclusion

Social media discovery presents its own unique set of challenges. Although social media sites are no longer a new phenomenon, social media discovery is a relatively new issue that is still being developed. To prepare for the challenge of social media discovery, companies should consider how social media affects their business and the types of information that are shared on different social media sites.
By having an understanding of what social media is, how it is used and how it can be accessed, a company can be prepared when the issue of social media discovery arises in litigation.

For inquiries related to this Tip of the Month, please contact Anthony Diana at firstname.lastname@example.org, Kim Leffert at email@example.com or Richard Nowak at firstname.lastname@example.org.

Learn more about Mayer Brown’s Electronic Discovery & Records Management practice or contact Anthony J. Diana at email@example.com, Eric Evans at eevans@mayerbrown, Michael Lackey at firstname.lastname@example.org or Edmund Sautter at email@example.com. Please visit us at www.mayerbrown.com.

February 2014
Managing the Risks of Bring Your Own Device

Scenario: A multi-national financial institution has decided to implement a Bring Your Own Device (or BYOD) program due to increasing demand from business personnel and a desire to reduce IT costs. The General Counsel’s Office is asked whether there are any legal, regulatory or compliance risks that the organization needs to consider when implementing a BYOD program and developing the policies and procedures governing BYOD.

What is BYOD?

BYOD refers to the policy of allowing employees to use their personal mobile devices to access their employer’s information systems and applications for business purposes. In recent years, there has been a fundamental shift in the way people understand and interact with electronic information. First, the ability of employees to access information at any time and from any location has become essential to most business operations. Second, the technology used to access that information has become a matter of personal choice; no longer are employees satisfied with acquiescing to their employer’s choice of technology (i.e., BlackBerrys).
Instead, employees expect to be able to work with the device of their choice and dislike the inconvenience of maintaining two separate mobile devices for business and personal use. And not only are employers largely powerless to stem the tide of this trend, but many employers appreciate the cost savings and flexibility that a BYOD program brings to the organization.

The Risks of BYOD

As with any technology, there are risks associated with implementing a BYOD program. There are legal risks, such as the ability to access information responsive to document requests for preservation or production. There are regulatory risks associated with information on those devices that may be subject to regulatory retention and supervision requirements. There are information security risks associated with lost or stolen devices, as well as many different devices having access to the organization’s networks. There are data privacy risks associated with the mix of personal information with business information on one device. The question for any organization is how to best mitigate and balance these risks in light of the business demand for BYOD flexibility.

BYOD represents a significant change in the way organizations manage the risks associated with information governance. Traditionally, an organization’s approach was to centralize the storage and retention of that information so that the organization had ultimate control over its distribution, management and retention. BYOD, however, undermines that basic approach. Organizations are now dealing with de-centralized data sources where the organization has little operational control over storage, management and retention. Instead, many organizations find themselves almost entirely dependent on policies and their employees’ compliance with such policies to manage the considerable risks associated with electronic data.

Consider the use of text messaging in a BYOD program.
With an organization-owned device, the organization has the option of centralizing control of its employees’ text messaging by disabling text or instant messaging capabilities on the device or capturing such messages for business purposes on the organization’s centralized infrastructure. With a BYOD program, however, an organization loses its ability to easily block or capture business-related text messages and is forced to rely more heavily on employee participation and compliance with policies to manage risk.

It is important to note that while BYOD programs are a relatively new trend, organizations have been managing similar risks by relying on employee compliance with policy for many years. Personal home computers also allow remote access to an organization’s network, and organizations rely on employees to abide by policies against downloading or creating business records on those personal home computers. Organizations also rely on employee compliance with policy in addressing the risks of business being conducted on personal email or personal social media sites. There may be heightened risks associated with BYOD programs, arising primarily from the portable nature of those devices, the frequency with which such devices are used, and the potential volume of data transmitted to or from those devices, but the risk mitigation strategies associated with BYOD programs are not new to the business enterprise.

Tips for Managing the Risks of BYOD

Because an employee’s use of his or her personal device is largely outside of the employer’s control, critical components of any BYOD program include a clear, concise policy that is developed with the input of all the relevant stakeholders, together with audit procedures that validate and ensure compliance with that policy. When developing and implementing those policies and procedures, there are a number of issues the organization may want to consider.

Involve all Relevant Stakeholders. BYOD implicates many aspects of the organization’s operations, and all of those stakeholders should have input into the policies and procedures governing BYOD. Those relevant stakeholders may include personnel from Legal, IT, Human Resources, Data Privacy, Information Security, Compliance, and the relevant Business Lines.

Authorized BYOD Users. Careful consideration should be given to which employees the organization will permit to participate in a BYOD program and whether special procedures are needed for certain types of employees participating in a BYOD program. For example, because of retention and supervision requirements, the risks may be higher for regulated employees participating in a BYOD program than for non-regulated employees. Special consideration may need to be given to whether or under what conditions to allow nonexempt employees to conduct business on their personal devices. And the organization’s need and ability to access information on an individual’s personal device may raise data protection concerns for non-US employees in certain jurisdictions. The organization should consider whether and how to adjust its policies to address high-risk employees, and whether special training, security, or audit procedures are needed.

Uses of the Device. When developing policies and procedures relating to BYOD, consider the types of applications that employees will be authorized to use for business purposes, as well as any restrictions on the use of those applications. This includes the type of information that may be exchanged or distributed using the application, the ability to ensure data security, the ability or need for the organization to capture the information exchanged through the application on its own systems, and the ability to quickly access, preserve, retrieve or delete data stored on the device itself.
Employees should be provided with clear and specific guidance on the appropriate use of authorized applications, as well as uses that are prohibited.

Ownership of the Data. Most organizations have data retention policies or electronic communication policies notifying all employees that all data on the organization’s systems belongs to the organization and is subject to monitoring or use by the organization. An organization implementing a BYOD program should clearly convey to participating employees the organization’s policy regarding ownership of data on devices that are part of a BYOD program. For example, the organization may have a policy that all business-related data on a BYOD program belongs to the organization, regardless of where on the device that data is stored.

Access to the Device. The organization’s ability to access information on an employee’s personal device as part of a BYOD program is critical to the organization’s ability to meet its legal, regulatory and compliance obligations. The organization should consider the extent and nature of such access, including whether: (i) remote access to data on the device is needed for collection or supervision, (ii) the organization may have to take possession of the physical device under certain circumstances and (iii) the organization wants the ability to remotely delete information from a lost or stolen device, or from a device belonging to a former employee.

Compliance & Audit Procedures. Given the challenges of monitoring and controlling the data on devices in a BYOD program, organizations should consider the need for specialized and enhanced training and audit procedures. Specialized training on the proper use of authorized applications may help to minimize confusion and inadvertent user error. Enhanced audit procedures, such as signed acknowledgements of the policy, periodic certifications of compliance or random testing for compliance, should also be considered.
Incorporating these steps as part of a BYOD program provides additional assurance of compliance and strengthens the defensibility of the overall program.

For inquiries related to this Tip of the Month, please contact Anthony Diana at firstname.lastname@example.org or Therese Craparo at email@example.com.

Learn more about Mayer Brown’s Electronic Discovery & Records Management practice or contact Anthony J. Diana at firstname.lastname@example.org, Eric Evans at eevans@mayerbrown, Michael Lackey at email@example.com or Edmund Sautter at firstname.lastname@example.org. Please visit us at www.mayerbrown.com.

March 2014
Preserving Electronically Stored Information When Employees Depart

Scenario: A large company has reorganized its operations and plans to terminate or reassign a number of employees. The company’s head of litigation knows that some of the affected employees are subject to a litigation hold and wants to ensure that data is not lost or misplaced as a result of employees leaving the company. There is a particular concern as the company permits employees to use their own devices for company communications and other purposes.

Planning for Employee Departures

It is unlikely that an employee in career transition (for whatever reason) is thinking about a former employer’s legal obligation to preserve electronically stored information (ESI). Likewise, the IT department is focused on managing assets (e.g., PCs, laptops, tablets, smartphones) and server space (e.g., email servers and personal drives on the network), and views an employee departure as an opportunity to reduce IT-related costs. Nevertheless, a company’s obligation to preserve ESI relating to current or anticipated litigation remains in place regardless of any employee terminations or transitions. Courts and regulators require that companies make good faith, reasonable efforts to preserve ESI of departing employees that is subject to a legal hold.
Therefore, it is important for a company to implement procedures aimed at preserving and collecting, if necessary, ESI associated with its departing and transitioning employees.

The Employee Leaves, But the Hardware Stays

While it is common for a company to reuse electronic equipment after an employee leaves the organization, doing so can result in the inadvertent destruction of ESI subject to a legal hold. IT departments managing a company’s computers, storage devices and smartphones, or similar devices, often do not learn that information stored on a departing employee’s device may be subject to a legal hold until after the equipment has been wiped clean and reissued.

One way to preserve ESI is to institute a waiting period before reintroducing previously used electronic devices back into the current workforce. The exact length of any waiting period depends on the size and culture of the company, but it should be long enough to allow the company to determine whether any departed employees were subject to an existing legal hold. The waiting period should also provide sufficient time to coordinate any necessary data preservation measures. During this waiting period, a company should not delete any of the departing employee’s emails or other ESI. Ensuring your company has enough time to determine whether it should preserve a former employee’s electronic data before reusing the electronic equipment (or deleting the data) is an excellent way to help avoid the inadvertent destruction of ESI.

If possible, the company should develop standard operating procedures around the management of ESI of departing employees, so that the business, IT, records management, compliance and legal department each has a clearly defined role in making sure that ESI that should be retained, is retained, and, equally as important, that any ESI that need not be retained is destroyed in a timely manner consistent with the organization’s document retention policies.
The Employee Leaves and Takes the Hardware

It is becoming more commonplace for companies to permit employees to use their own devices for company communications and other company purposes. The email and documents accessed on these devices may be stored on the company’s server, on the device, or both. If a company permits employees to “bring-your-own-device,” or even if employees are permitted to retain some devices (i.e., smartphones or tablets) upon termination, the company can consider developing a policy or practice ensuring that all company-related ESI is in the company’s control before the employee departs with the device.

Alert New Employees that a Litigation Hold Is In Place

Another risk can occur when a new or reassigned employee is unaware that a legal hold is in place. Therefore, it is important to promptly identify those new employees who inherit data that is subject to a legal hold. That new or reassigned employee should be informed of the company’s obligation to preserve the data in the former employee’s files and, if applicable, of any continuing obligation to preserve future information.

Keep Litigation Hold Lists Current

A company’s personnel will not likely remain static for the duration of a lawsuit or an investigation. Thus, companies should periodically review their litigation hold lists to determine whether any departed employees remain among the listed document custodians and, if so, whether any new employees who took possession of the departed employee’s data should be added to the list. Companies that do not maintain lists of employees subject to a legal hold should consider implementing a process to retain this information in a convenient and accessible manner.

Investigate ESI Issues through Exit Interviews

It is prudent to institute a practice where all departing employees are asked, prior to leaving, whether their data is subject to a legal hold.
Not only does this provide an opportunity to confirm where the data resides, but it also prompts the company to be alert to preserving a departing employee’s information while transitioning employees out of the company. If the departing employees’ responses are documented, this helps to create a record of the company’s good faith efforts at preserving ESI.

In certain circumstances, a legal hold may extend to information stored on an employee’s personal email, home computer or other personal device. For this reason, companies should also ask whether the departing employee ever used personal email or personal storage devices (such as thumb drives) to store company ESI that is subject to a legal hold. With this knowledge, companies are better equipped to determine whether additional steps may be needed to preserve such data to ensure compliance with an existing legal hold.

Collecting ESI in Advance of Terminations or Transitions

Employee terminations can put any company in a temporary state of flux. However, a company’s ongoing duty to comply with legal holds remains unaffected. Consider taking proactive steps during this period to ensure that ESI is not accidentally lost along the way. These steps could include:

• Backing up the electronic data of employees subject to a legal hold in advance of any downsizing event;
• Collecting responsive ESI from departing employees; and
• Promptly revoking any former employee’s ability to access company email or electronic devices immediately upon termination in order to prevent the accidental (or intentional) deletion of ESI by employees whose interests may no longer be aligned with the company’s.

Dealing proactively with departing employees’ ESI is good records governance regardless of any legal holds; however, the stakes are raised considerably when the ESI is subject to such a hold.
When ESI subject to a legal hold goes missing, courts can respond by issuing sanctions, and regulators can respond by refocusing their investigation on the company’s compliance with subpoenas. Departing employees can compromise a company’s ability to comply with its obligation to preserve responsive data. Therefore, companies should consider taking steps to ensure that changes in the makeup of the workforce do not impact the company’s ability to satisfy its obligation to preserve ESI.

For inquiries related to this Tip of the Month, please contact Anthony J. Diana at email@example.com or Kim Leffert at firstname.lastname@example.org.

Learn more about Mayer Brown’s Electronic Discovery & Records Management practice or contact Anthony J. Diana at email@example.com, Eric Evans at eevans@mayerbrown, Michael Lackey at firstname.lastname@example.org or Edmund Sautter at email@example.com. Please visit us at www.mayerbrown.com.

April 2014
Data Privacy Concerns When Moving Email to the Cloud

Scenario: In an effort to reduce costs and leverage the latest advances in technology, the chief information officer of a multinational company decided to use a cloud computing vendor to host the company’s email. After identifying a handful of vendors that appeared to meet the company’s needs, the CIO asked each vendor to submit bids and proposed service agreements. Aware of the strict data privacy laws that applied to the company’s European offices, the CIO brought the contracts to the company’s general counsel for review.

Cloud Computing and SaaS Solutions

Cloud computing is the use of computing resources, including both hardware and software, that are made available over the Internet by a subscription-based service provider. Software as a service (SaaS) is one type of cloud computing service that provides companies with remote access to software being hosted by a third party.
Companies often adopt SaaS solutions for email because doing so allows employees to access corporate email from any device connected to the Internet. In addition to providing increased mobility and accessibility, cloud-based email may reduce the costs associated with acquiring and maintaining email servers.

To stay current with the latest technology, minimize their own hardware, development and support costs, and attract the widest customer base possible, vendors providing cloud-based email services often offer a standardized product with little or no customization. Given the nature of off-the-shelf SaaS solutions—a single product being offered to a large number of customers—vendor services are often provided to many customers simultaneously. Because highly negotiated contracts would make implementation and support impracticable, SaaS contracts also tend to be standardized. This does not, however, mean that companies seeking to use cloud-based email should give up on negotiating the contractual terms, especially those that may require modification to comply with data privacy laws. On the contrary, they should expect to negotiate the terms, particularly with respect to provisions assuring compliance with data privacy laws.

Cloud Computing and EU Data Privacy Laws

While moving email to a cloud provider presents a number of data privacy risks for all companies, it presents a more complicated challenge for companies with operations in both the United States and the European Union, especially if the potential cloud provider’s facilities are located in the United States.
The EU has implemented a comprehensive regulatory framework that, among other things, sets forth the circumstances under which personal data (encompassing a broad range of information, including name, age, gender, marital status, nationality, citizenship, veteran status, personal or business contact information—including email addresses—and identification numbers) may be lawfully transferred to parties residing in foreign jurisdictions. In the context of cloud computing, the EU maintains that these laws are triggered when either the company or the cloud provider is located within the EU. Other laws that could potentially affect email in the cloud are the so-called blocking statutes, instituted by a number of EU member nations, which prohibit the transfer of data requested in the course of foreign legal proceedings.

Location of Data

Companies assessing the risks of migrating their email to the cloud need to know which laws will be triggered. To make that assessment, they must know where the data will be hosted. The answer, however, is not always clear. Depending on how a vendor has configured its network, a client’s email could be separated and stored on multiple servers in various locations. When evaluating potential cloud providers, it is crucial that vendors disclose where a company’s data will be hosted.

Use of Subcontractors

A SaaS solution consists of various components that may be beyond the control of the company using the solution, such as the hardware, the operating system and the network infrastructure. However, the vendor might not be the entity that operates each of these elements. Instead, the SaaS provider may subcontract with a third party to provide one or more of them. Additionally, there are a number of services required to provide cloud solutions, including hosting, processing, transmission and security, which also may be subcontracted to third parties.
Not only does the use of subcontractors make it harder to determine where the data is hosted; if not handled properly, it may also run afoul of EU data privacy laws.

Tips for Managing Risk

To properly assess the data privacy risks associated with using cloud-based email, a company with data hosted in the EU needs to know who will be handling the data and where the data will be hosted. Once the company has this information, it will be in a better position to request certain contractual terms designed to ensure compliance with EU data privacy laws. When negotiating a contract for cloud-based email, consider the following:

Region-specific servers: The company should require that email for EU-based operations reside on a server in the EU. Similarly, the company should require that a server be based in the United States to host all US email. Keeping all US email within the United States will make it easier for the company to comply with any applicable state or federal data privacy laws and prevent possibly subjecting that email to the blocking statutes of EU member nations.

Identify subcontractors: The company should ask the cloud services provider for both the identity and location of any subcontractors that will be working with the company’s email. EU data privacy laws require cloud providers to disclose the identity of any subcontractors that will be used to provide services in connection with a SaaS contract.

Subcontractor agreements: Cloud providers must provide the company with assurances that all subcontractors will comply with EU data privacy laws, which can be accomplished through an agreement between the cloud provider and each subcontractor reflecting the data privacy safeguards appearing in the contract between the cloud provider and the company. Additionally, the company should have recourse for any breach caused by a subcontractor.
This can be accomplished through either (1) a provision contained in the agreement between the cloud provider and the company stating that the cloud provider remains liable for any work done by a subcontractor in connection with the agreement or (2) a provision in each contract between the cloud provider and a subcontractor that names the company as a third-party beneficiary.

Cross-border data transfers: The European Commission has adopted model contractual clauses designed to provide adequate safeguards in the context of cross-border data transfers. If a cloud provider cannot guarantee that email will be hosted within the borders of EU member countries or if the cloud provider uses subcontractors located outside of the EU, then such model clauses should be included in the SaaS contract.

For inquiries related to this Tip of the Month, please contact Eric Evans at firstname.lastname@example.org or Michael D. Battaglia at email@example.com.

May 2014

Managing the Risks and Costs Associated with Governance of “Custodial” Data

Scenario: A large organization is selling one of its business units. Questions arise about how to define the scope of data associated with employees in the business unit being sold that may need to be transferred to the new owner and whether to implement a process for remediating “custodial” data associated with those same soon-to-be-departing employees. As part of this process, the organization is attempting to compile records identifying all current and former employees associated with the business unit, including any “custodial” data associated with those employees and any employees on legal hold.
The organization does not have an identity management system that would help track data associated with those employees. The General Counsel’s Office is working with Compliance and IT to determine how to compile the necessary information.

“Custodial” Data and Identity Management

As the technology landscape changes, so does an organization’s perspective of who is responsible for managing specific data sources within the organization. With the increased use of collaborative technologies for information exchange, more data may be considered shared data, rather than data that is exclusively associated with one person. However, most organizations today still tend to view data as “custodial” (i.e., data associated primarily or exclusively with one individual employee), or “non-custodial” (i.e., data that is shared by and accessible to multiple employees within an organization).

In any organization, there are numerous sources of information associated primarily with one individual employee that may be pertinent to data management and retention. And those data points may change over time. For example:

• Employees are constantly joining, leaving, or changing positions within an organization.
• Custodial data is often transferred among incoming and outgoing employees as needed for business purposes.
• Employees frequently have the same or similar names, or have name changes (and corresponding email alias changes) throughout their careers.
• Employees may be subject to varying retention requirements for regulatory or business reasons.
• Employees are often subject to multiple legal holds, often at the same time.
• Employees are often issued multiple devices (e.g., mobile, desktop and other) throughout their careers, or their network data may be moved over time, depending on the IT needs of the organization.
• Employees may be authorized to access different systems or sources of information, or may be assigned different passwords for accessing certain types of data.

All of this information about an individual employee may be associated with “identity management”: the management and control of information about individual employees, including authentication, authorization, regulation and privileges within the organization. Yet this information is rarely consolidated or centralized in one location (if it is managed at all). Where some systems of record do exist, the disparate systems containing the information seldom communicate or link to one another, and they often do not retain information about individual employees in a consistent or systematic way. Further, each aspect of identity management may be the responsibility of different departments or individuals within an organization, leading to inconsistent or ad hoc procedures for managing this information.

The Importance of Managing Custodial Data

The implications of a decentralized and ad hoc approach to managing custodial data may be profound, especially given today’s heightened sensitivities toward data security and data management. Appropriate identity management can help an organization improve security, simplify compliance with legal and regulatory obligations, and enhance business opportunities.

Effectively secure data. An organization that knows where data is, how sensitive that data is and who has access to the data may be better able to implement policies, procedures and safeguards to ensure that the data is appropriately protected and to manage and detect security risks.

Comply with legal and regulatory obligations.
An organization that can easily and accurately identify key employees (including employees subject to specific regulatory requirements), locate the data sources to which they have access, collect data from those sources, and apply appropriate levels of protection to data sent outside of the organization may be better able to ensure that it is meeting its legal requirements and is prepared for regulatory inquiries or litigation.

Ensure efficient business operations. An organization that can provide efficient access to business data, is able to effectively mine the available data, and can get rid of that data when it is no longer needed may be better able to realize cost-effective data management while still supporting its business units and leveraging the available information for business purposes.

Tips for Managing the Costs and Risks of Custodial Data

For the reasons articulated above, centralized and integrated identity management is likely to become a critical component of the business operations of most large organizations. Thus, it may be wise to begin to assess the challenges associated with custodial data and identity management.

Know Your Custodial Data: To understand how an organization is (or should be) managing its custodial data sources, the organization must first have an understanding of what data sources within the organization are considered custodial. This may be significant to understanding who has control over, access to or responsibility for the data, where the data is located and how the data is treated within the organization. For example, understanding what data is solely associated with an employee who is leaving the organization is critical to ensuring that the information is appropriately retained, destroyed or transferred as needed for business, legal or regulatory purposes.
Understand How Your Organization Manages Custodial Data Today: Often the risks associated with the failure to manage custodial data sources are not apparent until an event triggers the need for the information (e.g., the need to transfer data to an entity purchasing a business unit, the need to implement legal holds, the need to respond to regulator inquiries about employees with prescribed retention periods, etc.). While it may be impracticable for an organization to truly track, on an ongoing basis, the location and nature of all custodial data, it is prudent to at least understand how the organization currently is managing and recording information about its employees’ data—before the need arises to access and compile this information.

Develop Policies and Procedures Regarding Custodial Data Sources: Organizations should consider developing policies and procedures centered on management of custodial data—including who is responsible for establishing, managing and tracking information about employees and their data sources. This may include controls around assignment of employee IDs, how retention periods or access authorizations are assigned, implementation of retention settings, the handling of data sources associated with departing employees, implementing legal holds, etc.

Establish a Unique Identifier for Each Employee: A unique identifier for each employee (e.g., employee ID) is a basic requirement of identity management. These identifiers should be truly unique and should not be re-used regardless of employment status or name changes. Many organizations do assign employee IDs, or other unique identifiers, for gaining access to network systems, but may not continue to use these unique identifiers to track an employee’s associated data throughout the data’s lifecycle.
Even without a consolidated system for identity management, simply integrating the use of employee IDs across various functions, including IT, asset management, records retention, human resources and legal, can help improve efficiency and accuracy in identifying and isolating custodial data.

Identify High-Risk Employees and High-Risk Data Sources: Implementing a comprehensive program for identifying all data associated with each employee can be daunting. Consider focusing efforts on high-risk employees within your organization who are subject to specific retention requirements, or who frequently handle highly sensitive data. Instituting controls around high-risk designations and ensuring that relevant stakeholders within the organization have a systematic and efficient way to identify high-risk employees will enable the organization to take the necessary steps to mitigate any risk: IT and Information Security will know when to implement special security, access or retention settings; Audit will know to assess whether appropriate controls are in place; Legal and Compliance will be better able to respond to regulatory inquiries or know to use special handling when collecting and processing the data of those employees.

Consider Identity Management Software: There is software that may help an organization systematize and centralize its identity management. Such software can assist with streamlining asset management, monitoring changes in employment or identity, providing an audit trail of assets and information associated with each employee, or linking different sources of information about employees. An organization should carefully weigh the costs and benefits of employing such software for its business.

Consider Document Management for Key Information: Custodial data tends to be less centralized and more difficult to manage than non-custodial data.
As such, it may be more efficient for an organization to have key business information stored in non-custodial data sources. But employees need to have convenient and realistic options for where and how to store their custodial data. An organization should clearly define where and how key business information must be stored, and should take steps to train employees on the appropriate storage of that information.

For inquiries related to this Tip of the Month, please contact Anthony J. Diana at email@example.com or Therese Craparo at firstname.lastname@example.org.

June 2014

Implementing An Information Governance Program

Scenario

The IT department of a retail company implements email account volume limits in an attempt to control growing data proliferation. In response, employees in the data analytics department begin using off-system cloud storage options to store their data. The cloud storage company announces that there has been a data breach exposing data stored in their cloud to hackers. Some of the company’s stored information was included in the breach, including names, addresses and credit card information of customers. The massive breach severely damages the company’s reputation among customers and shareholders and requires considerable resources to resolve.

The Problem: Data and Information Silos that Focus on Departmental, rather than Enterprise, Goals

Many organizations utilize multiple (four or more) records management systems. Departments like IT, HR, and Legal often have different record keeping policies and procedures based on department goals rather than organization-wide goals.
This siloed approach can lead to higher costs and risks, security breaches, inefficiency and decreased compliance. Common examples of this silo approach include:

• Individual business departments making independent decisions about information technology tools, resulting in technology duplication and extra costs;
• An IT department imposing email account volume limits, leading users to save files on local drives or media, creating data security risks and difficulties in preserving emails for litigation;
• Personnel conducting business on their own laptops and smart phones without sufficient policies and controls to keep data secure and properly retain records;
• Records departments instituting a comprehensive data and email retention program, without regard to technological limitations or costs.

The Solution: Information Governance Policies and Procedures to Enforce Record Management, Privacy Standards, and Storage Optimization

“Information governance” (IG) is a set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information at an enterprise level. IG supports an organization’s current and future regulatory, legal, risk, environmental and operational requirements. It encompasses more than traditional records management by incorporating privacy attributes, electronic discovery requirements, storage optimization and metadata management.

Although data generation and retention have expanded in recent years, few organizations have developed IG policies and procedures to keep up with it. With storage costs consuming nearly 20 percent of a typical IT budget, and enterprise data continuing to grow, the lack of a company-wide policy and commitment to IG may expose companies to unnecessary risks of data leaks, security breaches, litigation costs, loss of intellectual property and reputation damage.
Organizations can minimize these risks and costs and may gain business advantages by implementing an enterprise-wide IG program. An IG program’s primary goal is typically to create and maintain processes and procedures that enable a coordinated, overall approach to decisions about information. When disagreements arise between stakeholders, the program should provide a decision-making method to resolve conflict. A focus on transparency, efficiency, integrity, accountability and compliance is key to enabling the program to function effectively and withstand such conflicts.

Best Practices for IG Programs

Below are some suggested best practices for organizations considering implementing or maintaining an IG program:

Independence from other departments: Consider making the IG program and decision maker independent from any one department to encourage decision-making that prioritizes the entire organization’s needs. Where possible, the decision maker should be provided with the requisite resources and authority to attempt to obtain organization-wide buy-in and compliance.

Stakeholder input: While the independence of the decision-making body and program is important, the interests of all stakeholders should be represented, including IT, legal, compliance, risk, audit, records and information management, operations and critical business units. An initial step in designing an effective IG program is to collect information from all key stakeholders about their current practices regarding records and information management, privacy and data security, and litigation preservation. Next, the organization should consider reconciling any differing practices with a goal to implement, if possible, one legally compliant, comprehensive program. Finally, a program that is regularly monitored can respond more quickly as the organization’s objectives and its stakeholders’ needs evolve.
Structure, direction, resources and accountability: If possible, an IG program should have structure, direction, resources and accountability. This can include direction provided to users through policies, contracts, protocols and training. Many organizations already have multiple policies governing information management, including computer use, information security, legal hold and electronic discovery. Consider reviewing such policies to eliminate conflicts and inconsistencies. Sufficient resources for an IG program can include appropriate personnel, technology and budget to support the program. Finally, accountability measures can include support from senior leadership, program objectives and regular compliance audits to evaluate if program expectations are met.

Using new technologies: Organizations can consider optimizing their IG programs through the use of emerging technologies. These technologies can make it easier to access information for e-discovery, compliance and open records laws, and increase business intelligence. For example, machine learning tools like predictive analytics can enable machines to learn what information may be relevant to an organization. Tools that auto-categorize content can help implement an IG policy by taking the burden (and risk of error) off the end user. These tools can eliminate the need for an end user to manually identify records, and can provide automatic identification, classification, retrieval, archival and disposal capabilities for electronic business records. These emerging technologies may also function as an early warning system to predict and prevent wrongful or negligent conduct that might lead to data breach or loss. Each new technology has its merits and risks and should be considered individually for each organization.
Periodically reviewing and updating the IG program: Organizations and environments change, so the IG program should be revised to reflect these changes as soon as administratively possible. An organization should consider periodically reviewing and updating the program, analyzing whether its rules and risk controls remain appropriate as the organization faces changed circumstances and challenges.

Conclusion

Information Governance is more than records management, as it attempts to provide a coordinated, interdisciplinary approach to managing the information needs of an organization. Where possible, Information Governance should involve a top-down, overarching framework, informed by the information needs of a company’s stakeholders, with a target of helping the organization to make decisions about information for the good of the overall organization and consistent with its strategic goals.

For inquiries related to this Tip of the Month, please contact Anthony J. Diana at firstname.lastname@example.org, Kim A. Leffert at email@example.com or Dominique-Chantale Alepin at firstname.lastname@example.org.

July 2014

Managing the Risks and Costs Associated with Enterprise Social Networks

Scenario

An international company has decided to launch an enterprise social network to facilitate a more collaborative work environment. The Chief Data Officer is tasked with forming and leading a committee to assess any risks associated with the implementation of the new technology, to encourage employee participation and to develop policies and procedures for the governance of the enterprise social network.
Uses of Enterprise Social Networks

The way that people communicate is constantly evolving. The current trend favors collaborative communication via social media or social networks. Recognizing this trend, businesses see potential value in employing social networking technology within their organizations. These internal social networks are often referred to as “enterprise social networks” (ESNs). ESNs refer to internally deployed software designed to promote collaboration, communication and knowledge-sharing among employees in a group setting. Examples of such software include Jive, Yammer and Chatter. According to Deloitte, the adoption of these enterprise social networks has been on the rise; in early 2013, Deloitte predicted that more than 90 percent of Fortune 500 companies would partially or fully implement an ESN by the end of 2013.

But how companies use their ESNs can vary widely. Some organizations are limiting the use of ESNs to community building or promoting a common corporate culture by, for example, coordinating charitable activities or encouraging communication among affinity groups. Some organizations are using ESNs to centralize communications about corporate activities such as human resources, benefits, policies or strategic initiatives. And some organizations are using ESNs to improve workplace productivity through collaboration around projects, clients or products.

Dumping Grounds of Information and Hotbeds of Legal Risk

A company’s intended use of its ESN will dictate not only implementation and deployment of the software, but also the policies and procedures governing the network. The biggest risks associated with ESNs lie in ESNs that are not governed—that is, networks that are allowed to develop organically or as directed by individual employees as opposed to corporate management. Such ESNs inevitably become dumping grounds for corporate information and hotbeds of legal risk.
The idea that improperly managed data can lead to legal risk is hardly revolutionary. But the dynamic and interactive nature of ESNs, their expansive reach and their non-traditional format combine to complicate the company’s ability to ensure that data stored in such networks can be retained, organized, retrieved and disposed of by the company as needed to meet the company’s business, legal and regulatory needs.

Retention. ESNs, with their non-traditional format and diversity, create a conundrum for records management. Ungoverned use of ESNs may make categories or types of information stored within the social network difficult to identify, locate or isolate. And questions frequently arise as to whether the company can assign a standard retention period for the entire ESN, or whether the company must find ways to assign retention periods on a subject or content basis.

Litigations/Investigations. ESNs do not fit neatly into the traditional e-discovery concepts or technologies used for preservation and collection of electronic communications. On the one hand, ESNs contain the type of employee communications traditionally associated with “custodial” data, which are typically preserved, at least in part, by issuing legal hold notices. On the other hand, ESNs are not like traditional custodial data, are not controlled by the custodian and are more akin to dynamic structured databases. The changing nature of the ESN content, the potential difficulties in identifying relevant data within the ESN and the ESN’s unique technology all combine to increase the risk that relevant data may not be properly preserved or collected.

Employment. ESNs also raise unique employment concerns. Inappropriate posts that may violate the company’s acceptable use policies are magnified given the extensive reach and interactive nature of such networks.
At the same time, companies need to be careful that any monitoring of the ESN does not infringe on their employees’ privacy rights (whether based on state, federal or foreign laws) or result in employment action based on posts that may amount to protected activity.

Intellectual Property/Confidential Information. The expansive reach of ESNs can also raise unexpected intellectual property issues. Employees may unwittingly post subscription articles to an ESN without realizing that such actions may violate the company’s licensing arrangements for those publications. Or employees may post confidential or privileged information to an ESN that does not have restricted access, inadvertently exposing that information to employees who are not authorized to view that information.

Tips for Managing Enterprise Social Networks

To avoid the corporate dumping ground and to effectively manage the risks of an ESN, it is critical that the company clearly define (i) the purpose for the ESN; (ii) the audience for the ESN; (iii) the rules and guidelines governing the ESN; and (iv) the roles and responsibilities for managing the ESN. These issues should be thoroughly assessed and considered by the company before the enterprise social network goes live.

Define the Purpose. As noted above, there are various uses for an ESN. Those uses impact the risks associated with the network and inform the types of policies and controls that are appropriate to manage the risks. Take the time to consider the intended purpose of the ESN—and any particular sections or sites within the ESN—so that all relevant stakeholders understand, and agree on, the appropriate use of the ESN.

Consider the Audience. Careful consideration should be given to the intended audience for any ESN. Evaluate whether the ESN is intended for use by all company employees, or whether access to certain sites within the ESN must be restricted for confidentiality, business or legal reasons.
For regulated employees or employees subject to special retention requirements, consider what the company’s retention obligations are, and whether those obligations include sites that the regulated employee viewed or posts that the employee made. Additionally, use of, or access to, the ESN by non-U.S. employees may raise data protection concerns in certain jurisdictions, so such access should be carefully vetted before launching the ESN.

Tailor Policies and Training Programs. A company’s general electronic communications or acceptable use policies may be insufficient to address the nuances of ESNs. While those policies can and should incorporate ESN use, additional policies and training tailored to the ESN and its authorized uses should be developed and clearly communicated to employees. For example, if establishing social or community-building ESNs, there should be clear directives not to engage in business activities on the site, and clear notice provided concerning any monitoring activities as well as the consequences for violating the company’s policies. For clear business activities, policies should be developed on whether and how a document would become a record, subject to normal record retention and storage requirements, whether the network will be moderated or collaborative and whether it is designed to replace other authorized forms of communications. Finally, policies and procedures regarding legal hold obligations, regulatory retention requirements and acceptable use that are specific to ESNs are critical to manage the legal and regulatory risks, regardless of the defined purpose.

Delineate Roles and Responsibilities. It is important to clearly establish roles and responsibilities for the ESN. While many groups within the company will have some role in the operation of the ESN, from IT to business lines, someone within the company must be accountable for ensuring that the content of the ESN is properly managed by the company.
This includes responsibility for ensuring, inter alia, that (i) new sites are approved by the company; (ii) appropriate measures are in place with respect to security and access to the ESN; (iii) policies and procedures are in place and updated on a regular basis; (iv) regular training is conducted for employees on the appropriate use of the ESN; and (v) inactive sites are shut down on a timely basis.

For inquiries related to this Tip of the Month, please contact Anthony J. Diana at firstname.lastname@example.org or Therese Craparo at email@example.com. Learn more about Mayer Brown’s Electronic Discovery & Records Management practice or contact Anthony J. Diana at firstname.lastname@example.org, Eric Evans at eevans@mayerbrown, Michael Lackey at email@example.com or Edmund Sautter at firstname.lastname@example.org. Please visit us at www.mayerbrown.com.

August 2014
Staying Informed About State Data Breach Laws

Scenario

A growing consumer products company is expanding its sales from brick and mortar stores to the Internet. The general counsel, who is charged with overseeing information governance at the company, is interested in keeping abreast of state data breach laws as the company grows and expands into new markets.

State Data Breach Laws

Several US states have recently passed or proposed new or amended data breach notification laws. As a result, there are now 47 states that have laws requiring businesses to notify individuals when data security breaches compromise their personal information. Enacted and proposed changes range from a broader definition of “personal information” to expanding the notification requirement to include all affected individuals rather than just affected state residents. The following is a summary of recently enacted breach notification laws, as well as other proposed laws being considered.

Kentucky: Protection for Student Data in the Cloud

Kentucky’s new breach notification law became effective on July 15, 2014.
It differs from other state breach notification laws in that it also provides protection for student data that is stored in the cloud. Cloud computing service providers should be aware of the new requirements, as they must certify in their agreements with educational institutions that they will comply with these provisions. Student data means any information “in any medium or format” that concerns a student and is created or provided by the student in the course of their use of the cloud computing services or “by an agent or employee of the educational institution.” Student data includes names, email addresses and messages, phone numbers, photos and other unique identifiers relating to the student. The law prohibits cloud computing service providers from processing student data “for any purpose other than providing, improving, developing or maintaining the integrity” of their computing services, unless the parents give express permission. Cloud computing service providers also may not process student data for advertising purposes, nor sell, disclose or otherwise process student data for any commercial purpose.

Florida: Expanded Definition of Personal Information

Florida recently amended its data breach notification law, which became effective on July 1, 2014. The Florida Information Protection Act of 2014 replaces Florida’s current breach notification statute and imposes several new requirements on covered entities. The amended law expands the law’s definition of personal information to also include usernames and email addresses in combination with passwords or security questions and answers that permit access to an online account (similar to California’s recently amended law, discussed below), health insurance policy numbers and medical history. The definition of a breach has also been expanded from an “unlawful and unauthorized acquisition” of personal information to a broader “unauthorized acquisition” of such information.
The amended law requires businesses to notify affected individuals within 30 days of a breach (unless good cause is shown, in which case a business may receive an additional 15 days to provide notice). This is one of the shortest individual notification deadlines among state data breach notification laws. Businesses must also notify the Florida Attorney General within 30 days if a breach affects 500 or more individuals and provide copies of forensic reports and “policies regarding breaches” to the Florida Attorney General upon request. Additionally, if a business is required to notify more than 1,000 individuals at a single time as a result of a breach, it must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. Florida’s amended law also now requires businesses to use “reasonable measures” to protect and securely dispose of personal information.

Iowa: Expanded Scope that Includes Paper Documents

SF 2259, which was signed into law in April 2014, modifies Iowa’s breach notification law in two significant ways. First, the legislation expands the definition of “breach of security” to include the unauthorized acquisition of personal information maintained in any medium—including on paper—that was transferred to that medium from computerized form. Second, the law requires covered businesses to notify the Iowa Attorney General’s office if a security breach affects more than 500 Iowa residents. This written notice must be given within five business days after notifying consumers of the breach. The amended law took effect on July 1, 2014.

Minnesota: Proposed Law Expands Scope of Notification and Would Make Businesses Liable for Other Data-Breach-Related Costs

Minnesota is proposing legislation that would considerably expand the scope of its current breach notification law.
Minnesota’s current law requires notification of security breaches to state residents when their unencrypted personal information has been compromised. The proposed legislation would expand notification requirements to any individual whose unencrypted personal information was compromised by a covered entity’s security breach. Entities conducting business in Minnesota would potentially be required to notify individuals across the country of breaches. Additionally, these notifications would need to occur within 48 hours of discovery or notification of a security breach. The Minnesota bill, if passed, would also make businesses responsible for other costs related to data breaches. After giving notice to individuals, businesses would need to provide one year of credit monitoring services at no charge to those affected by the breach. Retailers or wholesalers of consumer goods and services would be required to provide each individual a $100 gift card for future use, valid for at least one year. Finally, businesses would need to reimburse individuals who incur any charges or fees as a result of the breach.

California: Proposed Law Increases Encryption Standard and Requires Businesses to Provide Theft Prevention and Mitigation Services

California recently amended its data breach notification statute to expand the definition of personal information to include online account information, such as an email address and password. California is now considering amending its data breach statute further, with the Consumer Data Breach Protection Act (AB 1710). The current California law does not require businesses to notify individuals affected by security breaches if the data is encrypted (using any encryption method).
However, if AB 1710 is passed in its current form, it will require businesses to notify California residents of any data breach unless the data is encrypted “in conformance with the Advanced Encryption Standard of the National Institute of Standards and Technology, Federal Information Processing Standards Publication 197, as amended from time to time.” This higher encryption standard, along with the requirement that businesses provide theft prevention and mitigation services to affected persons after a breach, aims to address increased retailer breaches in a manner similar to Minnesota’s proposed approach. AB 1710 would also prohibit the sale, advertisement for sale or offer to sell any individual’s Social Security number. In addition, the proposed law would require retailers and other businesses to notify consumers of a breach at the same time they notify data owners. AB 1710 previously had provisions that would have made businesses liable for breach notification and card replacement costs, but these provisions have since been removed.

New Mexico: Proposed Law Includes Payment Card Breach Notification Requirements

New Mexico, one of three states that currently do not have breach notification laws, has proposed legislation that would require businesses to notify New Mexico residents of security breaches involving their unencrypted personal information within 45 days after discovering a breach. In cases where a breach would require notice to more than 1,000 residents, businesses would also need to notify the New Mexico Attorney General and consumer reporting agencies. The proposed law also contains payment card breach notification requirements. Credit or debit card issuers would need to notify all merchants to which credit or debit card numbers were transmitted, if there was a breach of payment card information.
Conclusion

Because data breach notification laws are constantly changing, businesses should consider the statutes of all states in which they do business or of whose residents they have personal information. Businesses without incident response plans should consider developing one, and businesses with such plans should consider annually reviewing and updating their plans and testing aspects of such plans by running simulation events. These plans can help reduce breach investigation and response times, which is essential given the tight notification time frames now required by some states. In addition, businesses should consider encrypting all personal information wherever possible or practical, not just the information currently required by data breach notification laws, since these laws are constantly being updated to include more elements of personal information within their scope. To comply with new state requirements, businesses should also consider implementing a data destruction program to securely destroy data that is no longer needed.

For inquiries related to this Tip of the Month, please contact Rebecca Eisner at email@example.com, Lei Shen at firstname.lastname@example.org or Kim Leffert at email@example.com.

September 2014
E-Discovery in Patent Litigation

Scenario

The general counsel of a technology company has received a complaint alleging patent infringement by the company’s highest-grossing product.
The potential amount of damages is not yet calculated, and the general counsel wants to minimize the costs of preserving, collecting, reviewing and producing electronically stored information (ESI) as part of the investigation and discovery process.

Factors Impacting eDiscovery Costs in Patent Litigation

The number of patent lawsuits filed nationwide is increasing yearly. The complexity of the substantive issues with regard to the patents and technologies involved, as well as the related damages issues, is ever increasing. Patent litigation is particularly high-cost litigation. This is in part due to extensive costs associated with the discovery process and, in particular, the time and effort involved in searching, reviewing and producing large quantities of electronically stored information. Patent litigation costs are driven by the complexity of the technology at issue, the prevalence of prior art, the number of claims asserted, whether the companies are competitors, the products at issue, damages exposure, the assigned judge’s standing orders, and the extent to which the parties cooperate in discovery.

Two Proposed Approaches to Patent Reform

1. The Federal Circuit Model Order Limiting E-Discovery in Patent Cases

In September 2011, Chief Judge Rader and the Federal Circuit Advisory Council released the Model Order Limiting E-Discovery in Patent Cases.
The model order included the following key provisions intended to promote just, speedy and inexpensive determination of eDiscovery in patent cases:
• Cost shifting for disproportionate ESI production requests;
• Parties must propound specific e-mail production requests served only after an exchange of “initial disclosures and basic documentation about the patents, the prior art, the accused instrumentalities, and the relevant finances”;
• Parties are limited to five e-mail custodians and five search terms per custodian;
• Inadvertent production of electronic documents later claimed to be privileged or protected does not constitute waiver; and
• Metadata other than sent/received dates and distribution lists need not be produced.

2. The Sedona Conference – Commentary on Patent Litigation Best Practices

In August 2014, the Sedona Conference issued its Commentary on Patent Litigation Best Practices. This commentary included four principles with respect to discovery:
• Cooperation: Cooperation with the opposing party is consistent with zealous representation;
• Focus on proportionality: Based on proposed amendments to Federal Rule 26(b)(1) emphasizing the concept of proportionality as central to the scope of discovery, proportionality should be central to the resolution of all discovery disputes. For example, where the monetary amount or impact of a potential injunction is less, then the level of discovery should be proportionately tailored;
• Early development and disclosure of legal contentions: Parties should develop and disclose legal contentions earlier in the litigation to facilitate meaningful negotiations with a focus on early deadlines for contentions regarding infringement and validity; and
• Increased court intervention: Courts should convey their expectations as to discovery conduct and should actively intervene to remedy discovery misconduct including the imposition of sanctions and fee shifting.
There is an ongoing tension between the Sedona Conference’s approach focusing on cooperation between the parties and the Model Order’s approach which places strict limits on discovery so that costs can be limited. The Federal Circuit ceased providing the Model Order on its website in late 2013 on the basis that the court neither sponsored nor endorsed the order and has generally pulled back on encouraging courts to endorse this approach. However, despite this removal and the release of the Sedona Conference commentary, the Model Order continues to influence district courts. The District of Oregon adopted the Model Order wholesale in June 2013 while other District Courts, including the Northern District of California and Federal Courts in Texas, New York and Delaware, have adopted the Model Order with limited modifications.

Best Practices for eDiscovery in Patent Litigation

The key features of both suggested methodologies for patent reform can be effective tools for limiting expensive and unnecessary eDiscovery. Even if you are litigating outside of the jurisdictions that have adopted a model order for eDiscovery in patent cases, you should consider employing a custom Rule 26(f) discovery plan applying some or all of the following themes:
• Awareness: Be aware of the applicable ESI constraints in the district where the case is being litigated – numerous courts have adopted some form of the Model Order and at least 14 are participating in the Patent Pilot Program and are likely to have patent-specific rules for eDiscovery.
• Cooperation: Cooperate with opposing counsel in a good faith effort to agree on the terms governing eDiscovery in each action. Courts are increasingly intolerant of leveraging ESI and using it as a litigation tactic. Abusive practices in discovery of ESI can lead to higher costs and exposure to sanctions.
Agreeing to terms can also decrease initial discovery costs.
• Role of Judges: Consider the increasing role of judges in constraining the scope of ESI requests. For example, request that the judge issue an order on ESI issues as opposed to merely reaching agreement between the parties.
• Proportionality: Both the Sedona Principles and the Model Order incorporate the idea of proportionality of discovery requests. The proposed amendments to the Federal Rules also include adoption of this concept. Incorporating considerations of proportionality into your eDiscovery plan will appeal to judges and ideally decrease costly litigation over the scope of requests.
• Preservation: While the Model Order and Sedona Principles both suggest limitations on eDiscovery, neither impacts a party’s preservation obligations. Failure to meet these obligations can result in sanctions.

Conclusion

While neither of these conflicting approaches to limiting the costs of eDiscovery has eclipsed the other or been universally adopted, it is clear that the topic of increasing costs of eDiscovery is a focus of attorneys, legislators, clients and the courts. Practitioners and the various district courts have begun to implement measures intended to promote efficiency in eDiscovery in patent litigation. While Congress has yet to act in this space, applying these principles to litigation in the interim will be appealing to judges and can substantially decrease litigation costs.

For inquiries related to this Tip of the Month, please contact Eric B. Evans at email@example.com or Jennifer T. Lorch at firstname.lastname@example.org.
October 2014
Managing the Electronic Discovery Vendor Relationship

Scenario

A large international company is in the midst of antitrust litigation. After carefully selecting the electronic discovery vendor that will handle the processing, hosting, review and production of the responsive documents, the company’s counsel needs to manage the vendor relationship throughout the case to ensure success.

Does the Vendor Relationship Really Need Managing?

Even though you may have selected the best eDiscovery vendor for your case, that is just the first step. Actively managing the relationship with the vendor is important to ensuring a positive outcome at an acceptable cost. At the onset of every case, the vendor will try to set expectations of costs, timelines and deliverables. But, although litigants may attempt to anticipate the case needs during this preliminary assessment, the course of a litigation is unpredictable and surprises are likely. Issues arise throughout the matter that must be addressed. Establishing a few key processes and procedures with an eDiscovery vendor allows a company to identify and respond to the substantial costs and risks associated with the unpredictable issues that can arise during discovery.

Prepare Defensible Documentation

Documentation of the steps taken in electronic discovery is an important component of managing the vendor relationship. Counsel is advised to communicate the discovery plans with the eDiscovery team, and someone on that team should be designated to track the tasks, processes and decisions. Frequent communications and defensible documentation can be essential to a successful engagement with an eDiscovery vendor. These materials may include:
• Comprehensive training materials for the attorney review team stating the issues of the case, claims and defenses and the mechanics of the document review tool.
• Documentation of the data processing protocol listing the use of filters, such as date ranges and search terms.
• A detailed, written description of the use of advanced analytical tools, such as near-duplicate identification, concept clustering and predictive coding.

While this information is covered by the attorney-client and attorney work product privileges, it should be prepared with the understanding that, under extreme circumstances, it may need to be disclosed in defense of the party’s discovery decisions and conduct. Also, this documentation makes it easier to manage the discovery process, making systemic mistakes and resulting cost overruns less likely.

Managing Expectations, Roles and Responsibilities

Managing the expectations, roles and responsibilities of in-house personnel, outside counsel and the vendor can facilitate success in complying with electronic discovery obligations. It can also be invaluable in controlling costs. Steps to take can include:
• Creating or updating a Services Agreement or Statement of Work with the vendors and outside counsel so that each can gain a broad understanding of the other’s roles and responsibilities—in particular, these documents should identify deliverables and performance guarantees.
• Communicating realistic expectations for meeting discovery obligations.
• Establishing a pre-defined escalation plan that includes a master team list with contact details that allows you to reach the key decision-makers on the team on a 24-7 basis, as necessary.

An increasingly important area for managing vendor relationships concerns indemnification and insurance coverage. Vendors should understand how possible coverage limitations may impact the delivery of services.

A key portion of the management and planning process is outside counsel’s definition of the scope of collection through negotiation and litigation with the adverse party.
Staging and otherwise limiting the scope of discovery may narrow the scope of the eDiscovery process substantially, making it easier to manage and less likely to result in large costs.

Managing the Workflow by Staging the Discovery Process

Managing the workflow by splitting it into distinct stages may also help contain discovery costs and ensure that the individuals responsible for handling discovery are not trying to accomplish too much at once. Steps to take can include:
• Consciously defining stages for processing the data and setting up the attorney review workflow. Identifying distinct populations of documents may make wholesale processing of all client data unnecessary and may give reviewers the benefit of human- or machine-generated analysis. By loading data in a designated order and applying early case assessment (ECA) techniques, a party may be better able to control and manage discovery services.
• Holding a kick-off meeting with all parties to review the goals of the case, timelines and strategy and to establish an electronic discovery processing workflow. Be sure to consider the end-to-end process from litigation hold and collections all the way to productions and possible trial.
• Scheduling conference calls on discovery planning and establishing clear lines of communication between the client, vendors and law firms.
• Establishing a standing meeting time. Too much time is wasted trying to bring the team together for discussions on a hot issue. Take the question of when can we meet out of the equation.
• Circulating supporting documentation in advance and finalizing “to do” items during the calls.
• Establishing a primary point of contact with the vendor and clear guidance from the case team.

Consider a Managed Services Partnership with a Vendor

An eDiscovery managed services partnership can enable a litigant to offload discovery management operations and systems to a dedicated eDiscovery vendor, who then assumes an ongoing responsibility for hosting and supporting that organization’s data through multiple years and matters. The advantages of this partnership can include:
• A predictable, fixed subscription-based price, which can offer considerable cost efficiency over buying such services on a project-by-project basis.
• A single overarching Master Services Agreement that precludes the need to negotiate case-by-case contracts.
• Access to a dedicated support team provided by the vendor, which gains experience handling the client organization’s discovery needs over the life of the contract.
• The cost and burden of maintaining the discovery management software and storage space is wholly or largely borne by the vendor.

The managed services provider market has greatly matured over the last few years. Providers now exist that can maintain successful partnerships with several corporations and/or law firms.

Managing Services Provides Necessary Protections for All

It is important that clients, outside counsel and vendors discuss confidentiality and privilege issues as part of the increasingly complex relationships that arise with the delivery of electronic discovery services. While it is the client who holds the reins on maintaining privilege, providers of legal and technical services must be careful to maintain these vital, legal protections. These protections require lawyers to actively participate in the process because many of the decisions made throughout the eDiscovery process constitute legal advice that may not be provided by non-lawyers.
Consider, too, whether service providers will be called upon to provide expert testimony or to prepare an affidavit on some aspect of discovery. Discuss with providers which employees might be capable of testifying to defend the process, or can be relied upon for support when challenging the other side’s discovery. Importantly, while managing performance, consider auditing the vendor’s data security and safeguards negotiated as part of the master services agreement. Although a formal audit is sometimes needed, generally, a thorough review of the evolving documentation surrounding the engagement ensures that procedures are being followed. Remember that it is far easier and cost-effective to maintain proper documentation from the start than to re-create it when the need arises.

For inquiries related to this Tip of the Month, please contact Patrick Garbe at firstname.lastname@example.org or Chris Hansen at email@example.com from Mayer Brown's Electronic Discovery Services Department, which supports the Firm’s case teams and its clients in handling the demands of collecting and managing electronic discovery, or Kim Leffert at firstname.lastname@example.org.

November 2014
Managing E-Discovery in State Courts

Scenario

A large American manufacturer is facing multiple lawsuits in state courts throughout the country. The plaintiffs issue broad discovery requests seeking, among other things, electronically stored information (ESI) from multiple custodians, databases and even backup tapes. The company, knowing that failure to comply with discovery rules can have disastrous consequences, is concerned with the prospect of complying with the e-discovery rules in each of these state courts.
E-Discovery Regimes in State Courts

In 2006, the Federal Rules of Civil Procedure were amended to provide a uniform set of rules across the federal courts to govern the preservation, collection and production of ESI. The Federal Rules are updated frequently and most companies that regularly litigate complex disputes are familiar with them. At the state level, however, counsel must navigate an often unfamiliar and disparate legal landscape. Some states, such as California, Delaware and Illinois, largely mirror the approach taken by the 2006 Federal Rules. However, even in these states there can be important nuances and idiosyncrasies. Other states, such as Connecticut and Wisconsin, have modeled their rules on the Uniform Rules Relating to Discovery of Electronically Stored Information. And many other states are doing something else entirely. New York, for instance, has adopted very few specific rules concerning ESI and has dealt with the issue almost entirely within the rubric of its pre-existing rules, allowing judges to develop an ESI doctrine in a common law fashion.

Disparity Among State E-Discovery Rules

States often take differing approaches to the same e-discovery issues, such as the form in which ESI must be produced. In Illinois, for example, a recent rule change deleted the provision that allowed for ESI to be produced in “printed form.” The new rule requires that, unless the request specifies some other form, ESI must be produced in the form in which it is kept in the ordinary course of business. California has a similar rule. New York, by contrast, has no such presumptive rules and merely requires the parties to discuss the issue at the preliminary conference. The availability of sanctions for failures to preserve or produce ESI is another significant area in which states often differ. In many states, such as Illinois and New York, the availability of sanctions is almost entirely determined by case law.
California has adopted specific provisions dealing with sanctions for ESI issues that mirror the “safe harbor” of Federal Rule 37(e). The Delaware Complex Commercial Litigation Division’s safe harbor rule provides that, so long as you comply with the court’s e-discovery orders, destruction of ESI pursuant to routine procedures cannot be sanctioned. With regard to cost shifting, many states, such as Delaware, Illinois and New York, roughly follow the traditional “American Rule” where the producing party is presumed to bear the costs of production. Other states, however, have deviated significantly from this rule in the context of certain types of ESI requests. Texas, for instance, requires the requestor to pay costs for any extraordinary steps that the producing party has to take in order to retrieve or produce the requested ESI. Similarly, California requires the requesting party to pay for recovery of information from backup tapes or other data compilations that need to be translated into a “usable form” before being produced.

Navigating State Court E-Discovery

Organizations faced with frequent litigation in state courts should consider developing e-discovery strategies that take into account the specific rules in the jurisdictions in which they litigate the most. Organizations that routinely find themselves litigating in many different state courts should also consider developing e-discovery strategies that reflect the disparate nature of the various states’ rules. To assist in that effort, some practical guidelines can be used to navigate state court litigation regardless of where the case is filed:
• Understand the nuances of the e-discovery rules in particular state courts. There is no uniform body of rules governing e-discovery at the state level. Some states lack rules specifically addressing e-discovery and those states that have adopted such rules may not track the Federal Rules of Civil Procedure.
Counsel should, therefore, become familiar with the statutes, rules and case law that govern the collection, review and production of ESI in the state courts in which they litigate most often.
• Be aware of preservation requirements. In many states, courts can impose devastating sanctions for failures to preserve and produce ESI. Failure to be aware of a state’s preservation rules, particularly when and under what circumstances the duty to preserve arises, can lead to early missteps from which a party cannot easily recover. Many states follow the federal rule, under which the duty to preserve can arise well before a lawsuit is filed. In other states, like Illinois, there is generally no pre-litigation duty to preserve evidence.
• Facilitate discussions between outside counsel and the company’s information technology personnel regarding the company’s technological systems. To ensure that outside counsel is prepared to negotiate reasonable e-discovery protocols that reflect the organization’s capabilities—as well as to defend that plan in court—in-house counsel should take steps to ensure that outside counsel becomes familiar with the company’s electronic information systems, including legacy and disaster recovery systems. In-house counsel may want to consider designating an employee who is thoroughly knowledgeable about these systems to educate outside counsel (and the court), if necessary.
• Develop an e-discovery plan in anticipation of a meet-and-confer with opposing counsel and a preliminary conference with the court. Being prepared to address e-discovery issues early in the litigation can avoid later motion practice and complications. Counsel should work together to develop an e-discovery strategy as soon as the complaint is served—or even before if the organization reasonably anticipates litigation—and prior to contacting opposing counsel.
Craft a list of questions regarding e-discovery to ask opposing counsel at the meet-and-confer session and prepare answers to these questions in the event the court asks similar questions at the preliminary conference.

Be aware of cost allocation rules. Cost allocation rules will inform not only discovery strategy but also motion practice and ultimately settlement discussions. Where a state offers no clear rules on cost-shifting and instead applies a judicially created multi-factor test, counsel may want to seek a stipulation on cost allocation that the court can “so-order” at a preliminary conference to ensure clarity on this all-important issue. If a cost allocation dispute cannot be resolved among the parties, counsel should seek court intervention before any ESI costs have been incurred.

For inquiries related to this Tip of the Month, please contact Ethan Hastert at firstname.lastname@example.org or Corwin Carr at email@example.com from Mayer Brown's Electronic Discovery Services Department, which supports the Firm’s case teams and its clients in handling the demands of collecting and managing electronic discovery, or Kim Leffert at firstname.lastname@example.org. Learn more about Mayer Brown’s Electronic Discovery & Records Management practice or contact Anthony J. Diana at email@example.com, Eric Evans at eevans@mayerbrown, Michael Lackey at firstname.lastname@example.org or Edmund Sautter at email@example.com. Please visit us at www.mayerbrown.com.

December 2014
Proposed Amendments to the US Federal Rules of Civil Procedure

Scenario

On September 16, 2014, the Judicial Conference of the United States approved several proposed amendments to the Federal Rules of Civil Procedure. The revised rules, now pending before the Supreme Court and to be transmitted to Congress, will take effect on December 1, 2015, absent some Congressional action.
The general counsel of a financial services company has inquired whether the proposed amendments to the Federal Rules of Civil Procedure will result in a reduction in discovery costs.

Cooperation

In its current form, Rule 1 states that the Federal Rules of Civil Procedure “should be construed and administered to secure the just, speedy, and inexpensive determination of every action and proceeding.” While the rule encourages the efficient administration of all matters in federal court, it is seldom invoked by either the court or the parties to rein in behavior that may cause delay or increase cost. As amended, the proposed rule specifically calls upon the parties and the court to cooperate to ensure that the rules are employed in a manner that promotes efficiency.

Driving the Pace

Unnecessary delays, lack of planning or non-cooperation at the outset of a case can result in inefficiency and expense. The proposed amendments to Rules 4, 16, 26 and 34 try to address these problems by shortening timelines and requiring parties to identify and discuss discovery issues early in the course of litigation.

Proposed Rule 4(m) reduces the time permitted to serve a defendant with a summons and complaint from 120 days to 90 days. If service has not occurred within the prescribed period, then the court must either dismiss the action without prejudice or order that service be completed by a date certain.

To further reduce delay at the outset of a case, proposed Rule 16(b)(2) would require courts to issue a scheduling order 90 days after any defendant is served, or 60 days after any defendant makes an appearance, whichever is earlier. Issuance of the scheduling order may be delayed, however, if the court finds good cause. In comparison, the current rule requires a scheduling order to be issued by the earlier of 120 days after service or 90 days after an appearance.

An amendment to Rule 16(b)(1), aimed at encouraging productive discussions during the scheduling phase, removes the current reference to conferences being conducted by “telephone, mail, or other means.” A note from the Advisory Committee on Federal Rules of Civil Procedure (the “Committee”) explains the deletion of this language, particularly discussions by mail, by stating that “[a] scheduling conference is more effective if the court and the parties engage in direct simultaneous communication.”

Proposed changes to Rule 26(f)(3) add “preservation” and “privilege” as topics to discuss at the Rule 16 conference. The proposed amendment requires parties to discuss whether they will seek an order under Federal Rule of Evidence 502, a valuable but underutilized rule that allows courts to prevent waiver of privilege. A coordinating proposed amendment to Rule 16(b) explicitly allows scheduling orders to include terms related to preservation and Rule 502 orders.

To further facilitate discussions during the Rule 26(f) conference, a proposed amendment to Rule 26(d)(2) permits the parties to serve document requests under Rule 34 before the conference, but no earlier than 21 days after service of the summons and complaint. This change to the current rule, which prohibits any discovery requests before the Rule 26(f) conference, allows the parties to address issues presented by the document requests at the Rule 26(f) conference. The early Rule 34 requests will be considered served at the first Rule 26(f) conference.

Finally, a proposed revision to Rule 16(b) allows a scheduling order to include terms requiring the parties to confer with the court before bringing any discovery-related motions.
Proportionality

Discovery under current Rule 26(b)(1) is extraordinarily broad: parties may obtain information “regarding any non-privileged matter that is relevant to any party’s claim or defense,” including any information that “appears reasonably calculated to lead to the discovery of admissible evidence.” With the increasing volume of data created and maintained by companies, significant time and money can be spent responding to discovery requests. When the parties have similar discovery exposure, they each have an incentive to narrow discovery without court intervention. Such self-regulation does not exist, however, when the parties’ discovery obligations are asymmetrical. Current Rule 26(b)(2)(C) requires the court to limit discovery when it finds that the “burden or expense of the proposed discovery outweighs its likely benefit,” but discovery limitations are rarely raised by the court on its own and, when objections to scope are raised by a producing party, courts can be reluctant to impose restrictions.

The Committee has proposed a few significant changes to combat the problems associated with asymmetric discovery. First, proposed Rule 26(b)(1) deletes the phrase that discovery may include information that is “reasonably calculated to lead to the discovery of admissible evidence.” Second, amended Rule 26(b)(1) limits discovery to that which is “proportional to the needs of the case.” Third, proposed Rule 26(b)(2)(C) will require court intervention if “the proposed discovery is outside the scope permitted by Rule 26(b)(1).”

Cost Allocation

Current Rule 26(c)(1) authorizes protective orders to preclude unduly burdensome or expensive discovery. Although not stated in the rule, courts may issue protective orders that allocate some of the cost to the requesting party. Because the current rule is silent on cost allocation, parties sometimes dispute the court’s authority to shift costs. Proposed Rule 26(c)(1) states that the protective order may include “specifying terms, including time and place or the allocation of expenses, for the disclosure of discovery.” As the Committee explained, “[e]xplicit recognition [of cost shifting] will forestall the temptation some parties may feel to contest this authority.” The Committee was careful to note, however, that this proposed change does not alter the standard practice of having the responding party bear the cost of responding to discovery requests.

Responses and Objections to Document Requests

Parties responding to Rule 34 production requests typically list a litany of objections and often fail to specify whether any of the stated objections will be relied on as grounds to withhold any of the documents sought by the requesting party. Amended Rule 34 requires responding parties to state the specific grounds on which the party is objecting and whether any documents are being withheld on the basis of a given objection. The Committee intends this change to facilitate meaningful meet-and-confer discussions between the parties.

Failure to Preserve

The ability of courts to sanction a party for the spoliation of evidence is limited under the Federal Rules. Rule 37(e) permits such sanctions, but only when a party fails to provide electronically stored information in violation of a court order. Because Rule 37(e) applies to such a narrow set of circumstances, courts have turned to their inherent authority or state laws to sanction parties for their failure to preserve evidence, resulting in disparate standards for what constitutes a party’s duty to preserve and wide-ranging sanctions for violations of that duty. Without clear guidance on what sanctions may be imposed for the spoliation of evidence, companies often over-preserve data to avoid the risk of severe penalties. To provide clarity and consistency on sanctions for failure to preserve, Rule 37(e) was completely rewritten.
The proposed rule sets forth what sanctions a court may impose if electronically stored information is lost because of a party’s failure “to take reasonable steps to preserve it” and the lost information cannot be “restored or replaced through additional discovery.” Under the proposed amended rule, sanctions are not permitted if evidence is lost despite a party’s reasonable efforts to preserve it. Further, even if a party failed to try to preserve information, sanctions are not automatic. Under proposed Rule 37(e)(1), a court may order “curative measures,” but only upon a finding that another party was prejudiced by the loss of the information. More severe sanctions, such as an adverse inference or the entry of default judgment, are permitted under proposed Rule 37(e)(2), but only when the court finds that a party “acted with the intent to deprive another party of the information’s use in the litigation.”

Conclusion

The proposed amendments to the Federal Rules encourage early and enhanced case management and cooperation, which should provide an opportunity for counsel who are familiar with a client’s electronic systems and well-versed in the real-world issues of discovery to obtain substantial savings in time and money. Negotiation points can include the scope of discovery, the use of certain agreed technologies, the clawback of privileged material and the preservation of (or agreement not to preserve) certain documents. The proposed amendments relating to proportionality and sanctions may result in a reduction in the costs associated with overly broad discovery and over-preservation of data.

For inquiries related to this Tip of the Month, please contact Michael D. Battaglia at firstname.lastname@example.org or Kim A. Leffert at email@example.com. Learn more about Mayer Brown’s Electronic Discovery & Records Management practice or contact Anthony J. Diana at firstname.lastname@example.org, Eric Evans at eevans@mayerbrown, Michael Lackey at email@example.com or Edmund Sautter at firstname.lastname@example.org. Please visit us at www.mayerbrown.com.