Legal Research, Issues, and Practice in Cyberspace - Jurisdiction, Digital Discovery, Digital Security & Encryption

Todd Krieger & Cyrus Daftary

April 6th, 2015

Agenda

Administrative Discussion

Jurisdiction

Digital Discovery

Encryption and Information Security

Questions & Answers

Jurisdiction

A court’s power to adjudicate a controversy.

Defined by ‘long-arm’ statute and due process clause of constitution.

Jurisdiction - History

1945 - International Shoe vs Washington: defendant must maintain ‘minimum contacts’ with forum state – if it doesn’t offend the traditional notions of fair play and substantial justice.

Due process requires fairness and justice.

Example: Out of state salesperson who does business in California.

Gave courts some discretion.

Jurisdiction - History (cont’d)

1980 - World Wide Volkswagen vs Woodson: Plaintiff buys car in New York and is injured in Oklahoma. The court finds conduct must be directed towards forum state not merely placing a product in the stream of commerce.

Specific v. General Jurisdiction

General jurisdiction: (Helicopteros Nacionales de Colombia, S.A. vs Hall) Continuous and systematic contacts with the forum state. Controversy need not arise out of the defendant's activities in the state.

Specific jurisdiction: (Burger King vs Rudzewicz) Cause of action arises directly from defendant’s contact with the forum state.

Evolution of Online Jurisdiction

Early websites were informational, online brochures.

Early on, disputes were independent of the websites.

Plaintiffs tried to use the websites to assert jurisdiction, usually with little success; they needed to show something more.

Lawyers and judges were still learning about the technology.

Early Conflicting Cases – Sporadic Internet Activities

Website and toll free number
– (Graphic Controls Corp. vs Utah Med. Prods. Inc.)
– (Inset Sys. vs Instruction Set, Inc.)

Soliciting and maintaining a website for future business with knowledge of in-state access
– (Hearst Corp. vs Goldberger)
– (State by Humphrey vs Granite Gate Resorts)

Source: Todd D. Leitstein - A Solution for Personal Jurisdiction on the Internet, 59 La. L. Rev. 565, 1999

First Rational Framework

Zippo vs Zippo.com:
– Lighter Company vs Online E-mail/Content provider.
– 3,000 customers in PA; 7 agreements with PA based ISPs.

Sliding scale of jurisdiction

[Figure: sliding scale, labels "Doing Business/Interactivity" and "Jurisdiction"]

Zippo Three Prong Test

(1) The defendant must have sufficient minimum contacts with the forum state.

(2) The claim asserted against the defendant must arise out of those contacts.

(3) The exercise of jurisdiction must be reasonable.

Courts in the 5th, 9th, and 10th Circuits have used the Zippo sliding scale consistently, but some courts have attempted to refine the test.

Expanding Zippo

The court in Cybersell, Inc. vs Cybersell, Inc. stated that while the level of interactivity was a crucial factor for jurisdiction, interactivity alone did not provide grounds for jurisdiction; something more was required to establish minimum contacts.
– “Something more” consisted of ‘targeting’ or intentional Internet activity expressly aimed at the forum state.

The court in S. Morantz, Inc. vs Hang, using Zippo and the targeting approach, found that an interactive website that did not allow for online sales and was not directed at PA residents did not provide minimum contacts with PA over a NY defendant.

The “Effects” Test

An alternative to the Zippo sliding scale test is the effects-based approach.

Courts focus their analysis on the actual effects a website had in a particular jurisdiction and do not focus on the technology used.

The effects test originated in Calder vs Shirley Jones, in which a CA entertainer sued a FL publisher for libel.

The effects test has been applied in Blumenthal vs Drudge and Pavlovich vs DVD Copy Control Assn.

E-mail Technology Perils – Practical Introduction

Eli’s Cases marketing employee Hillary struggles with the company VPN and e-mail.

Has e-mails forwarded to her personal Gmail account and responds through Gmail.

Sets up a home server to host and manage her personal and work e-mails.

Legal Trouble

Six months later she quits and goes to work for a competitor.
– Maybe she had access to new product plans?
– Any way to monitor or check her communications?

Unpaid marketing vendor sues for contract breach and during discovery asks for a copy of Hillary’s e-mails.
– No way to manage discovery from personal e-mails.

What is Discovery?

“Discovery” refers to the process of compelling another party to provide information, which may include documents, during the course of litigation.

Gives litigants access to information relevant to the dispute.

Discovery requests may be very broad and burdensome, especially in business litigation.

Facebook postings and other seemingly private information can be within the scope of a discovery request.
– Case discussion: Gatto v United Airlines

Digital Discovery and Data Retention

Most new information is electronic.

Companies need codified policies for retention of digital and printed information or they could be overwhelmed by a discovery request.

Define retention periods based on legal, business, and personal obligations.

Must follow policies carefully.

Third party solutions available.

Federal Rules of Civil Procedure For Electronic Discovery Implemented 12/06

Rules put in place process for party to demand access to information that is claimed to be ‘burdensome to access and produce.’

Companies may have hundreds of unorganized legacy back-up tapes with years of e-mails and other information.

New rules provide exceptions for good faith inadvertent destruction.

New Rules Harmonize Electronic Discovery Practices

Attorneys involved in litigation must address electronic discovery at the earliest stage of discovery planning.

New rules provide a framework for courts and easier guidance to assist clients.

Some Specific Requirements:

Rule 26(a)(1)(B) changes ‘data compilations’ to ‘electronically stored information’.
– (similar amendments to other rules)

Rule 16(b) amended to require that scheduling order may include electronically stored information.

Rule 26(f) requires parties to confer and discuss issues related to electronic information.

Rule 26(b)(2)(B) addresses the burden for data that is not readily accessible. Party receiving request must establish unreasonableness of request.

Rule 37(f) accommodates the accidental loss or destruction during a routine operation of electronic information if the party took reasonable steps for preservation.
– Keep in mind other changes as well.
– http://www.ims-expertservices.com/newsletters/nov/eddrules-111406.htm

Courts Have Defined Expectations of Digital Discovery

“Now that the key issues have been addressed and national standards are developing, parties and their counsel are fully on notice of their responsibility to preserve and produce electronically stored information.”
– Judge Shira Scheindlin, Zubulake v. Warburg
– Final jury verdict: $29 million.

Complying with digital discovery requests may be very expensive, time consuming and implicating.

High Profile Cases Have Led to Big Verdicts

Coleman v. Morgan Stanley: $1.45 Billion jury verdict for overwriting e-mails, failing to timely process backup tapes, failure to produce relevant e-mails and attachments.

U.S. v. Philip Morris, 327 F. Supp. 2d 21: $2.75 Million in sanctions for failure to follow order to preserve e-mails and other e-discovery violations.

In Re Information Management Services, Inc. Derivative Litigation

Case discussion: Digital discovery + employee e-mail privacy + attorney client privilege (oh my).

Meta-data May Be Critical

Metadata = ‘data about data’

Metadata must remain intact:
– History (date of creation and modification)
– Tracking (who created the document and where does it reside)
– Comments and annotation.

Metadata may leave an implicating trail.
– Previously deleted text
– Comments
– Identity of those who worked on document
– Dates and times of work.
– Changes in date in Windows may not be the same in the underlying DOS.

Electronic Discovery Can be Very Expensive

Average may be $1-3 million

Litigants need efficient data search and management strategies
– Law firms bill for searches on an hourly basis

Data may not be in a common or searchable format

Data Security is a Relatively New Area of Liability

Company computers may house sensitive consumer data and trade secrets.

Failure to adequately protect consumer data has led to high profile settlements with the FTC:
– Choicepoint: $15 million
– TJX
– BJs Wholesale Club
– Hannafords - 4 million credit card numbers compromised
– Target

Failure to adequately protect trade secrets can also create a corporate disaster.

Sensitive Digital Data May Reside in Surprising Places

http://www.cbsnews.com/8301-18563_162-6412439.html

http://business.ftc.gov/documents/bus43-copier-data-security

Nevada SB 267 Was Passed in Response

Section 4 of this bill requires a business entity or a data collector to ensure that any personal information which is stored on the data storage device of a copier, facsimile machine or multifunction device in the possession of the business entity or data collector is securely encrypted or destroyed by certain approved methods before the business entity or data collector relinquishes ownership, physical control or custody of the copier, facsimile machine or multifunction device to another person.

http://openstates.org/nv/bills/76/SB267/documents/NVD00008333/

Companies are Obligated to Protect Sensitive Data and Report Breaches

Most states require notification of residents if personal data is compromised and many other states are not far behind.
– Massachusetts 93H
– http://www.mass.gov/ocabr/business/identity-theft/requirements-for-security-breach-notifications.html

Hundreds of data breaches have been reported.

Reporting has led to bad publicity and fines.

Marriott reported the loss of 200,000 names in missing backup tapes.

Some reporting requirements are exempted if the data was encrypted.

Breach Response Plans

How does an entity respond to a breach?
– Security for prevention and protection
– Intrusion detection
– Analysis of access
– Response to breach
– Resolution of incident

What is Encryption?

https://www.youtube.com/watch?v=vCDe14NxSY0

ID Theft Has Impacted Millions of Americans

U.S. consumers lost billions to identity theft in 2014

ID Theft consumes time and money.

Consumers are more careful with their personal information.
– Vulnerable to phishing attacks
– As safe as the company where they used their credit card.

IRS Criminal Investigation Targets Identity Theft Refund Fraud
FS-2013-4, February 2015
The IRS has seen a significant increase in refund fraud that involves identity thieves who file false claims for refunds by stealing and using someone's Social Security number.
http://www.irs.gov/uac/Newsroom/IRS-Criminal-Investigation-Targets-Identity-Theft-Refund-Fraud-2014

Phishing Attacks Can Be Cleverly Disguised

Data Thieves Actively Target Websites and Corporate Networks

May use e-mail viruses to crack networks

Target specific applications to get sensitive data
– Once the perimeter security is cracked, the entire network may be available.

Hijack remote computers to anonymously attack sites.

Reasonable Measures To Protect Sensitive Information

Policies
– http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf

Encryption

Intrusion detection

Firewalls

Password protection

Anti-virus programs

Physical security of laptops and portable media.

Some Other Protective Measures

Manage local administrative access
– Removing local access limits bypassing security mechanisms

Lock introduction of unauthorized applications

Automatic logging of administrative actions
– Review logs!

Implement role based control

Virus protection and other software control

Security audits.

Questions & Answers