A business within the United States is generally required to preserve, collect and produce data within the organisation's possession, custody or control. Unlike in other jurisdictions throughout the world, where an employee or data subject to whom the information relates has privacy rights in the data, US employees and individuals have far more limited rights. Businesses that are considered the owners of data within their possession will be required to produce this information to opposing parties and the courts.
Various federal and state privacy laws and rules create a patchwork of regulations that govern the management of certain consumer and employee information. This legal patchwork may limit or prevent a company from disclosing protected personal information to third parties, including in discovery. However, the definition of what must be protected and when it must be protected is still far narrower than in other jurisdictions.
One of the more common examples of information that must be protected is personally identifiable health information that the healthcare industry must protect under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Yet, such information may still be required to be produced in certain circumstances. HIPAA includes a provision for the entry of a qualified protective order that allows a party to produce records that contain protected personal health information as long as the records are produced in accordance with the entered qualified protective order.
Another example of information that must be protected is personally identifiable financial information that financial institutions must protect under the Gramm-Leach-Bliley Act of 1999. However, this Act contains a carve-out provision for a financial institution to comply with subpoenas or 'respond to judicial process'. Still, many parties will agree that this information may be redacted from produced documents when the information is irrelevant to the claims or defences in the matter.
A best practice when producing HIPAA or Gramm-Leach-Bliley protected information is to produce the data in encrypted form to protect against any potential unauthorised disclosure of information. The same can be said for other information that may be protected under various state laws, such as social security numbers, driver's licence numbers and financial account information.
While the United States has not enacted sweeping privacy laws like the European Union's General Data Protection Regulation (GDPR), more jurisdictions within the United States are beginning to assess the need for further data privacy protections. California enacted sweeping consumer data protections under the California Consumer Privacy Act of 2018. This Act provides for a right to know what data is being collected and shared, the right to request deletion of information, and the right to opt out of the sale of personal information to third parties. The city of Chicago is also considering the enactment of a Personal Data Collection and Protection Ordinance.
Moreover, data breaches have been the subject of much scrutiny in Congress, the courts and elsewhere. Numerous class actions have been filed in recent years owing to consumer data breaches. Parties should have plans in place for responding to data breaches implicating personal information.
Even when US privacy laws are not implicated in a matter, owing to increases in data globalisation, companies operating in the global economy are routinely finding that data stored outside the United States is relevant in US legal proceedings. However, obtaining data located outside the United States for US discovery purposes can be problematic. Many countries have laws that protect privacy rights – including in corporate data – and that act as a barrier to US discovery. Data protection laws found throughout much of the rest of the world that limit cross-border transfers of electronically stored information (ESI), including in the Asia-Pacific region, the Americas, Europe and the Middle East, do not exist in the United States. As such, many US courts have been resistant to claims that data privacy prevents the disclosure of information in litigation, or have applied their own understanding of foreign data privacy regulations.