Jurisdiction, Digital Discovery, Digital
Security & Encryption
Todd Krieger & Cyrus Daftary
April 6 th , 2015
Encryption and Information
Questions & Answers
A court’s power to adjudicate a controversy.
Defined by ‘ long-arm ’ statute and due process clause of constitution.
1945 - International Shoe vs Washington: defendant must maintain ‘ minimum contacts ’ with forum state – if it doesn’t offend the traditional notions of fair play and substantial justice.
Due process requires fairness and justice.
Example: Out of state salesperson who does business in California.
Gave courts some discretion.
1980 - World Wide Volkswagen vs Woodson:
Plaintiff buys car in New York and is injured in Oklahoma. The court finds conduct must be directed towards forum state not merely placing a product in the stream of commerce.
(Helicopteros Nacioinales de
Colombia, S.A. vs Hall)
Continuous and systematic contacts with the forum state. Controversy need not arise out of the defendant's activities in the state.
(Burger King vs Rudzewics)
Cause of action arises directly from defendant’s contact with the forum state.
Early websites were informational, online brochures.
Early on, disputes were independent of the websites.
Plaintiffs tried to use the websites to assert jurisdiction, usually with little success; they needed to show something more.
Lawyers and judges were still learning about the technology.
Website and toll free number
– (Graphic Controls Corp. vs Utah Med. Prods. Inc.)
– (Inset Sys. vs Instruction Set, Inc.)
Soliciting and maintaining a website for future business with knowledge of in-state access
– (Hearst Corp. vs Goldberger)
– (State by Humphrey vs Granite Gate Resorts)
Source: Todd D. Leitstein - A Solution for Personal Jurisdiction on the Internet, 59 La. L. Rev. 565, 1999
Zippo vs Zippo.com :
– Lighter Company vs Online E-mail/Content provider.
– 3,000 customers in PA; 7 agreements with PA based ISPs.
Sliding scale of jurisdiction
(1) The defendant must have sufficient minimum contacts with the forum state.
(2) The claim asserted against the defendant must arise out of those contacts.
(3) The exercise of jurisdiction must be reasonable.
Courts in the 5 th , 9 th , and 10 th Circuits have used the Zippo sliding scale consistently, but some courts have attempted to refine the test.
Court in Cybersell, Inc. vs Cybersell, Inc . stated while the level of interactivity was a crucial factor for jurisdiction, interactivity alone did not provide grounds for jurisdiction, but instead required something more to establish minimum contacts.
– “ Something more ” consisted of ‘ targeting ’ or intentional Internet activity expressly aimed at the forum state.
S. Morantz, Inc. vs Hang , using Zippo and targeting approach found an interactive website that did not allow for online sales and was not directed at PA residents did not provide minimum contacts with PA over a NY defendant.
An alternative to the Zippo sliding scale test is the effects-based approach.
Courts focus their analysis on the actual effects a website had in a particular jurisdiction and do not focus on the technology used.
The effects test originated in Calder vs Shirley
Jones, in which a CA entertainer sued a FL publisher for libel.
The effects test has been applied in Blumenthal vs Drudge and Pavolich vs DVD Copy Control
Eli’s Cases marketing employee Hillary struggles with the company VPN and e-mail.
Has e-mails forwarded to her personal
Gmail account and responds through Gmail.
Sets up a home server to host and manage her personal and work e-mails.
Six months later she quits and goes to work for a competitor.
– Maybe she had access to new product plans?
– Any way to monitor or check her communications?
Unpaid marketing vendor sues for contract breach and during discovery asks for a copy of Hillary’s e-mails.
– No way to manage discovery from personal emails.
What is Discovery?
“Discovery” refers to the process of compelling another party to provide information, which may include documents, during the course of litigation.
Gives litigants access to information relevant to the dispute.
Discovery requests may be very broad and burdensome, especially in business litigation.
Facebook postings and other seemingly private information can be within the scope of a discovery request.
– Case discussion: Gatto v United
Most new information is electronic.
Companies need codified policies for retention of digital and printed information or they could be overwhelmed by a discovery request.
Define retention periods based on legal, business, and personal obligations.
Must follow policies carefully.
Third party solutions available.
Federal Rules of Civil Procedure For
Electronic Discovery Implemented
Rules put in place process for party to demand access to information that is claimed to be ‘burdensome to access and produce.’
Companies may have hundreds of unorganized legacy back-up tapes with year of e-mails and other information
New rules provide exceptions for good faith inadvertent destruction.
New Rules Harmonize Electronic
Attorneys involved in litigation must address electronic discovery at the earliest stage of discovery planning.
New rules provide a framework for courts and easier guidance to assist clients.
Some Specific Requirements:
Rule 26(a)(1)(B) changes ‘ data compilations ’ to
‘ electronically stored information ’.
– (similar amendments to other rules)
Rule 16(b) amended to require that scheduling order may include electronically stored information.
Rule 26(f) requires parties to confer and discuss issues related to electronic information.
Rule 26(b)(2)(B) addresses the burden for data that is not readily accessible. Party receiving request must establish unreasonableness of request.
Rule 37(f) accommodates the accidental loss or destruction during a routine operation of electronic information if the party took reasonable steps for preservation.
– Keep in mind other changes as well.
Courts Have Defined Expectations of
“Now that the key issues have been addressed and national standards are developing, parties and their counsel are fully on notice of their responsibility to preserve and produce electronically stored information.”
– Judge Shura Scheindlin, Zubulake v. Warburg
– Final jury verdict: $29 million.
Complying with digital discovery requests may be very expensive, time consuming and implicating.
Coleman v. Morgan Stanley: $1.45 Billion jury verdict for overwriting e-mails, failing to timely process backup tapes, failure to produce relevant e-mails and attachments.
U.S. v. Philip Morris , 327 F. Supp. 2d 21: $2.75
Million in sanctions for failure to follow order to preserve e-mails and other e-discovery violations.
In Re Information Management Services,
Inc. Derivative Litigation
Digital discovery + employee e-mail privacy
+ attorney client privilege (oh my).
Metadata = ‘data about data’
Metadata must remain intact:
– History (date of creation and modification)
– Tracking (who created the document and where does it reside)
– Comments and annotation.
Metadata may leave an implicating trail.
– Previously deleted text
– Identity of those who worked on document
– Dates and times of work.
– Changes in date in Windows may not be the same in the underlying DOS.
Average may be $1-3 million
Litigants need efficient data search and management strategies
– Law firms bill for searches on an hourly basis
Data may not be in a common or searchable format
Company computers may house sensitive consumer data and trade secrets.
Failure to adequately protect consumer data has led to high profile settlements with the FTC:
– Choicepoint: $15 million
– BJs Wholesale Club
– Hannafords - 4 million credit card numbers compromised
Failure to adequately protect trade secrets can also create a corporate disaster.
Section 4 of this bill requires a business entity or a data collector to ensure that any personal information which is stored on the data storage device of a copier, facsimile machine or multifunction device in the possession of the business entity or data collector is securely encrypted or destroyed by certain approved methods before the business entity or data collector relinquishes ownership, physical control or custody of the copier, facsimile machine or multifunction device to another person. http://openstates.org/nv/bills/76/SB267/documents/NVD00008333/
Most states require notification of residents if personal data is compromised and many other states are not far behind.
– Massachusetts 93H
Hundreds of data breaches have been reported
Reporting has led to bad publicity and fines.
Marriott reported the loss of 200,000 names in missing backup tapes.
Some reporting requirements are exempted if the data was encrypted.
How does an entity respond to a breach?
– Security for prevention and protection
– Intrusion detection
– Analysis of access
– Response to breach
– Resolution of incident
U.S. consumers lost billions to identity theft in 2014
ID Theft consumes time and money.
Consumers are more careful with their personal information.
– Vulnerable to phishing attacks
– As safe as the company where they used their credit card.
IRS Criminal Investigation Targets Identity Theft Refund Fraud
FS-2013-4, February 2015
The IRS has seen a significant increase in refund fraud that involves identity thieves who file false claims for refunds by stealing and using someone's Social Security number.
May use e-mail viruses to crack networks
Target specific applications to get sensitive data
– Once the perimeter security is cracked, the entire network may be available.
Hijack remote computers to anonymously attack sites.
Physical security of laptops and portable media.
Manage local administrative access
– Removing local access limits bypassing security mechanisms
Lock introduction of unauthorized applications
Automatic logging of administrative actions
– Review logs!
Implement role based control
Virus protection and other software control