Do You Comply with the New Massachusetts Information Security Regulation?
March 11, 2010
By Bruce H. Nielson, K&L Gates Partner, Washington D.C.
What Does the Regulation Require?
Every business that “owns or licenses personal information” about a Massachusetts resident must “develop, implement, and maintain” a comprehensive written information security program (WISP). “Owns or licenses” is defined as “receives, stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment.” “Personal information” (PI) means first name (or initial) and last name combined with a Social Security number, driver’s license or state-issued ID card number, or financial account or credit or debit card number (with or without any required password, security or access code, or personal identification number).
The WISP must contain administrative, technical and physical safeguards for PI that are “appropriate to (a) the size, scope and type of business . . .; (b) the amount of resources available . . .; (c) the amount of stored data; and (d) the need for security and confidentiality” of the PI.
WISP – Required Elements
The elements required in a WISP include:
- Designating one or more employees to maintain the program
- Identifying and assessing foreseeable internal and external risks to the security, confidentiality or integrity of records containing PI
- Evaluating and improving safeguards for limiting risks, including employee training and compliance and means for detecting and preventing security failures
- Developing security policies regarding storage, access and transportation of records containing PI outside of business premises
- Imposing disciplinary measures for violations of security rules
- Preventing terminated employees from accessing records containing PI
- Imposing restrictions on physical access to records containing PI
- Regular monitoring of the operation of the WISP
- Reviewing security measures annually or whenever a material change in business practices implicates the security or integrity of records containing PI
- Documenting responsive actions taken in connection with any security breach incident and conducting post-incident reviews
- Selecting service providers capable of maintaining appropriate measures to protect PI
- Contractually requiring service providers to maintain appropriate security measures (every service provider contract entered into before March 1, 2010 is deemed to comply)
Computer System Requirements
For businesses that electronically store or transmit personal information, the WISP must also include the establishment and maintenance of a computer security system (including any wireless system) that, “at a minimum, and to the extent technically feasible,” contains:
- Secure user authentication protocols, including control of user IDs, a “reasonably secure” method of assigning and selecting passwords (or use of unique identifier technologies), control of data security passwords, restricting access to active users, and blocking access after multiple unsuccessful attempts
- Secure access control measures that restrict access to PI to only those who need such information to perform their jobs and that assign unique identifications plus passwords that are designed to maintain the security of access controls
- Encryption of all transmitted records and files that contain PI and travel across public networks
- Encryption of all PI transmitted wirelessly or stored on laptops or other portable devices
- Reasonable monitoring of systems for unauthorized use of or access to PI
- For files containing PI on a system connected to the Internet, reasonably up-to-date firewall protection and operating system security patches designed to maintain the integrity of the PI
- Reasonably up-to-date versions of system security agent software, including malware protection and patches and virus definitions
- Education and training of employees on the proper use of the computer security system and the importance of PI security
What is the Penalty for Non-Compliance?
Violators may be subject to a $5,000 civil penalty for each violation. How violations will be counted for purposes of the penalty is unclear. If violations are counted on a per-record basis, businesses with thousands of records containing PI of Massachusetts residents could potentially face fines of millions of dollars.
How Can My Business Comply?
The revised, final regulation is not quite as demanding as earlier versions, but it is still a tough regulation that may require businesses to revise existing – or create new – WISPs. The regulation is also indicative of the direction in which state and federal information security laws are heading. Because of this, even businesses not subject to the regulation may want to consider creating and implementing WISPs that comply with the standards of the Massachusetts regulation.
Plan Ahead: Proposed Amendments to Rule 26 Would Extend Work-Product Protection
March 4, 2010
One of the great things about the current rule-making process is the ability to see change on the horizon and adapt accordingly. This year, absent any unforeseen objection or delay, Rule 26 will be amended to extend the scope of the work-product doctrine to encompass draft expert reports and most communications between experts and counsel. Currently, the proposed amendment (and all proposed rule amendments, for that matter) is being considered by the Supreme Court. Pursuant to statute, the Court must transmit prescribed amendments to Congress by May 1st. Thereafter, absent legislation to reject, modify, or defer the rules, the prescribed amendments will take effect as a matter of law on December 1st.
The proposed amendment to Rule 26 would “apply work-product protection to the discovery of draft reports by testifying expert witnesses, and, with three important exceptions, communications between those witnesses and retaining counsel.” The exceptions would allow for discovery of communications between the lawyer and expert regarding: “(1) compensation for the expert’s study or testimony; (2) facts or data provided by the lawyer that the expert considered in forming opinion; and (3) assumptions provided to the expert by the lawyer that the expert relied upon in forming an opinion.”
Among the reasons cited in support of the proposal was evidence of lawyers and experts taking “elaborate steps to avoid creating any discoverable record”, including, for example, the retention of two experts: “one for consultation, to do the work and develop the opinion, and one to provide the testimony…” The Judicial Conference also cited evidence showing that lawyers often devote significant time at deposition attempting to uncover evidence showing that the expert’s opinion was shaped by the retaining lawyer, rather than on the substantive strength or weakness of that opinion. On a more positive note, the Judicial Conference also provided information that the State of New Jersey was successful in implementing a rule like the one proposed and that “practitioners reported a remarkable degree of consensus in enthusiasm for and approval of the amended rule.”
Briefly addressing concerns that the proposed amendment could “prevent a party from learning and showing that the opinions of an expert witness were unduly influenced by the lawyer retaining expert’s services”, the Judicial Conference concluded that “the best means of scrutinizing the merits of an expert’s opinion is by cross-examining the expert on the substantive strength and weaknesses of the opinions and by presenting evidence bearing on those issues.”
The full Report of the Judicial Conference discussing all proposed amendments is available here.
Court Provides Detailed Analysis of Law of Spoliation, Orders Adverse Inference Instruction, Monetary Sanctions for Intentional Spoliation of ESI
March 2, 2010
Rimkus Consulting Group, Inc. v. Cammarata, 2010 WL 645253 (S.D. Tex. Feb. 19, 2010)
For intentional spoliation, the court declined to order terminating sanctions but ordered an adverse inference instruction and for defendants to pay plaintiff’s attorneys fees and costs.
In this litigation arising from accusations of misappropriation of trade secrets, violation of non-compete agreements, and related claims, plaintiff accused defendants of spoliating relevant evidence, including electronically stored information (“ESI”). The court found that defendants had indeed participated in intentional spoliation of evidence, including failing to preserve relevant ESI, manually deleting ESI, and destroying or giving away laptops containing relevant ESI, among other things. The court nonetheless declined to grant plaintiff’s request for terminating sanctions because plaintiff was unable to show a sufficiently high degree of resulting prejudice. Specifically, the court found that because defendants had produced a large volume of evidence despite their spoliation of other ESI, because plaintiff had obtained some of the deleted evidence from other sources, and because evidence revealed that some of the deleted records would have been favorable to defendants, the resulting prejudice was “far from irreparable” – the necessary showing to justify terminating sanctions: “The sanction of dismissal or default judgment is appropriate only if the spoliation or destruction of evidence resulted in “irreparable prejudice” and no lesser sanction would suffice.” [Citation omitted.]
Accordingly, the court ordered an adverse inference instruction to be given to the jury. The instruction would allow the jury to determine whether the destruction was intended to prevent the use of the destroyed evidence at trial and, if so, would allow the jury to further determine whether to infer that the content of the deleted evidence would have been unfavorable to the defendants. The court also ordered monetary sanctions and ordered defendants to pay plaintiff’s reasonable costs and attorney’ fees “required to identify and respond to the spoliation.”
Although relatively straightforward in its facts (at least those surrounding defendants’ spoliation), the court’s lengthy analysis of “the framework for analyzing spoliation allegations” (the title of section II of the court’s opinion) provides an insightful discussion of spoliation much like that found in the recent opinion from the Honorable Judge Shira Scheindlin in Pension Comm. of Univ. of Montreal Pension Plan v. Bank of Am. Secs., LLC, 2010 WL 184312 (S.D.N.Y. Jan. 15, 2010) and, in fact, specifically remarks upon the analysis of that opinion throughout. Unlike Judge Scheindlin’s opinion in Pension, though, the facts of this case involve intentional spoliation. Accordingly, this case provides a unique perspective that makes it well worth the time to read it.
A copy of the full opinion is available here.
[Note: this opinion also addresses a motion for summary judgment and includes analysis of claim and issue preclusion.]
Court Sanctions Plaintiff for Accessing Password-Protected Documents and Other Violations, Reduces Sanction based on Behavior of Plaintiff’s Counsel and Defendant
February 19, 2010
Lawson v. Sun Microsystems, Inc., 2009 WL 5842136 (S.D. Ind. Oct. 16, 2009); Lawson v. Sun Microsystems, Inc., 2010 WL 503054 (S.D. Ind. Feb. 8, 2010)
Where plaintiff accessed privileged, password-protected documents in defendant’s production, “carelessly” produced poor and incomplete copies of relevant taped conversations, and intentionally lied regarding taped conversations in deposition, the magistrate judge declined to recommend dismissal but recommended monetary sanctions instead. The amount of sanctions recommended was reduced by 25% upon the magistrate judge’s finding that plaintiff’s counsel mitigated plaintiff’s violations by ignoring plaintiff’s emails regarding the password-protected documents. The magistrate judge also found plaintiff’s “improprieties” mitigated “by the part [the defendant] and its counsel played in creating this perfect storm of a disaster” and reduced the sanction an additional 25%. While the magistrate judge recommended plaintiff’s counsel be ordered to pay monetary sanctions equal to a 25% reduction in plaintiff’s maximum sanction, the district court declined to adopt that recommendation. The recommendation was otherwise adopted.
In the course of discovery, defendant produced to plaintiff a hard drive containing large volumes of electronically stored information, some of which was privileged and password-protected. Prior to this production, the parties entered into a protective order and an agreement that plaintiff would provide defendant with fourteen days notice before using any information on the hard drive and that defendant would have seven days to object. It was apparently upon these agreements that defendant relied when producing privileged materials as well as a prior arrangement in which plaintiff had been allowed to return his company issued computer with privileged material encrypted to maintain its protection. Plaintiff's counsel denied the existance of any agreement regarding password-protected documents.
In the transmittal letter accompanying the hard drive, defendant indicated the password-protected documents were privileged. Later, there was disagreement as to whether this letter was provided to plaintiff by his attorneys.
Plaintiff accessed the password-protected documents. Thereafter, he sent an email to counsel disclosing his access with the subject line “Password protected files – Unlocked!” Although disputed amongst the parties, the magistrate judge determined that plaintiff’s attorneys did not open the email and remained unaware of plaintiff’s access. It was also determined that counsel did not see a later email in which the “unlocked documents” were mentioned. Counsel later withdrew.
Upon learning of plaintiff’s activities, defendant moved for sanctions. In addition to the password-protected documents, the magistrate judge was asked to consider defendant’s allegations that plaintiff intentionally produced an incomplete and low quality copy of a recorded conversation, failed to reveal the existence of other relevant tape recordings, and lied about those recordings in deposition.
Sifting through the contradictory assertions from all interested parties (plaintiff, former counsel, and defendant), the court found the following:
- plaintiff’s attorneys did not read the email from plaintiff indicating he had accessed password-protected materials;
- plaintiff did not speak with his attorneys prior to accessing the password-protected documents;
- plaintiff intentionally accessed and viewed password-protected documents meant to remain confidential and privileged;
- plaintiff’s attorneys had no knowledge of plaintiff’s activities;
- plaintiff acted carelessly in responding to discovery when he produced an incomplete and poorly reproduced copy of a relevant taped conversation;
- plaintiff’s failure to disclose the existence of other taped conversation was “careless and sloppy” but not intentional;
- plaintiff intentionally lied about taped conversations at deposition.
The magistrate judge held that Rule 37 and “the inherent power of the court” provided authority for sanctions and that sanctions were appropriate. Plaintiff’s inappropriate behavior was “mitigated” however, by his own behavior, as well as that of his attorneys and the defendant. Specifically, for example, the magistrate judge credited plaintiff with his decision to volunteer certain information at deposition and his apparent lack of effort to hide his access to the privileged documents (as evidenced by his email to counsel). The magistrate judge also found plaintiff’s behavior mitigated by that of his attorneys because counsels’ failure to read or respond to plaintiff’s email “contributed to the situation” and because “[Plaintiff] cannot be blamed for the lack of attention paid to him by his attorneys.” Finally, the magistrate judge found that defendant’s behavior mitigated that of the plaintiff where defendant and defense counsel contributed to the “perfect storm of a disaster” by failing to remove the privilege documents from production in the first place, among other things.
Accordingly, having determined the maximum appropriate sanction to be $54,500, the magistrate judge recommended plaintiff’s sanction be discounted by 25% to account for the contributory behavior of his counsel and recommended counsel be ordered to pay an amount equal to the reduction. Similarly, the magistrate judge further reduced plaintiff’s sanction by another 25% to account for defendant and defendant's counsel's contributions to the problem.
Upon the district court’s consideration of these recommendations, counsels’ objections to the recommended sanction were sustained and the order of sanctions modified to reflect that counsel should not be sanctioned.
A copy of the magistrate judge’s Report and Recommendation is available here.
A copy of the district court’s opinion is available here.
Court Finds Non-Party’s Claims of Privilege Waived, Rejects Assertions of Undue Burden, Grants Defendant’s Motions to Compel
February 12, 2010
Seger v. Ernest-Spencer, Inc., 2010 WL 378113 (D. Neb. Jan. 26, 2010)
In this personal injury case, the court found a non-party had waived its claims of privilege as to already-produced documents and granted defendant’s motion to compel their production upon finding that disclosure was “knowing and intentional” as evidenced by the non-party’s failure to establish reasonable precautions to prevent disclosure and its failure to timely assert a claim of privilege, among other things. Rejecting claims of undue burden, the court also granted defendant’s motion to compel the non-party’s production of emails after reducing defendant’s proposed search terms to eliminate those deemed irrelevant or overly broad.
Upon receipt of a subpoena for documents, non-party Valmont Industries, Inc (“Valmont”) retained counsel to review documents and identify those that were privileged. Relying on counsel’s determinations, Valmont then produced responsive discovery to the defendant. Six months later, Valmont produced its privilege log. Upon receipt of that log, defendant notified Valmont that certain documents identified as privileged had already been produced. Valmont responded by declaring the documents privileged and seeking the return of at least one particularly sensitive document. Valmont received no response to its attempts to negotiate (via correspondence) the return of the documents but did not seek judicial intervention. Defendant eventually sought to compel production of the disputed documents.
The court took the “middle of the road approach” to its determination of waiver and identified the appropriate five-step analysis:
These considerations are (1) the reasonableness of the precautions taken to prevent inadvertent disclosure in view of the extent of document production, (2) the number of inadvertent disclosures, (3) the extent of the disclosures, (4) the promptness of measures taken to rectify the disclosure, and (5) whether the overriding interest of justice would be served by relieving the party of its error.
Taking each consideration in turn, the court found that Valmont’s claims of privilege had been waived and granted defendant’s motion to compel:
Reliance on a law firm to advise a client about privilege is an insufficient basis to find inadvertent disclosure. Many documents in this case were disclosed in error according to Valmont. This factor, despite the large volume of documents, weighs in favor of waiver. Valmont argues prompt measures were taken to remedy the inadvertence once current counsel became aware of the disclosures. However, no initial claim of privilege for any document was made prior to June, 2009, the disclosed documents had been circulated by the defendants for approximately six months prior to any claim of privilege, and Valmont never sought court assistance to protect the documents. Valmont shows no overriding interest of justice would be served by relieving it of the errors. In fact, Valmont sought to enforce the privilege with regard to only two documents in negotiations with the defendants. Accordingly, the court finds the evidence shows Valmont's disclosure of documents for which privilege was later claimed was knowing and intentional. Therefore, Burns & McDonnell's motion to compel is granted.
The court next addressed defendant’s motion to compel production of emails in response to its subpoena. Valmont claimed the requests were overly broad and that responding would be unduly burdensome. As to the first disputed request, the court rejected Valmont’s assertions upon its determination that the burden was “overstated.” For example, the initial estimate of six to nine hours “per user” included “several hours for manual activities because [the Director of Information Technology Architecture for Valmont] does not trust the margin of error in the software (estimating two to three hours as opposed to one to several minutes) and organizing the CD after copying the information (estimating one to two hours as opposed to minutes)”. The estimate also included “processing time by the computer for which the technician need not be involved.” As to the second disputed request in which defendant sought production of all emails containing any one of 24 specified terms, the court held that defendant “failed to meet its burden of showing the searches are relevant and not overly broad” and reduced the number of search terms to 11. The motion to compel was otherwise granted.
Regarding costs and defendant’s prior offer to pay for the retention of an independent consultant to cull the requested data as a means of decreasing the burden to Valmont, the court left the details to the parties but noted its willingness to resolve any issues upon appropriate motion.
A full copy of the opinion is available here.
Defendant “Fails to Show that it is Settled Law that the Party Requesting Discovery Must Bear the Cost of Production,” Court Denies Motion for A Protective Order
February 11, 2010
MBIA Ins. Corp. v. Countrywide Home Loans, Inc., 2010 WL 519753 (N.Y. Sup. Ct. Jan. 14, 2010)
Upon defendant’s motion for a protective order to require plaintiff to bear the cost of defendant’s production of electronically stored information (“ESI”), the court declined to follow the purportedly “well settled rule” in New York that the party seeking discovery should bear the cost and denied defendant’s motion. (See T.A. Ahern Contractors Corp. v. Dormitory Auth. of State of N.Y., 875 N.Y.S.2d 862 (N.Y. Sup. Ct. 2009) declining to overturn the “well settled” rule in New York that the party seeking discovery bears the cost.)
In the course of discovery, plaintiff requested that defendant produce relevant ESI. The parties disagreed as to who should bear the cost of such production; each felt the other should be responsible.
To settle the dispute, the court undertook an analysis of several New York cases in which allocation of cost had been addressed and which had resulted in competing findings regarding who should properly bear discovery costs. In one recent case, Clarendon Natl. Ins. Co. v. Atlantic Risk Mgt., Inc., 59 A.D.3d 284 (N.Y. App. Div. 2009), the court indicated that “it saw ‘no reason to deviate from the general rule that, during the course of the action, each party should bear the expenses it incurs in responding to discovery requests.’” In another case, Waltzer v. Tradescape & Co., LLC, 31 A.D.3d 302 (N.Y. App. Div. 2006), despite affirming the rule that under the CPLR, the party seeking discovery should bear the cost, the court declined to place the cost of production with the requesting party “and instead, distinguished its facts on the basis that (1) it did not deal with deleted electronically stored material and (2) the information sought was readily available.” In that case, the court also stated that the “cost of an examination by the [producing party] to see if [material] should not be produced due to privilege or relevancy grounds should be borne by [the producing party].” Declining plaintiff’s request to view Clarendon as an “anomaly”, the court in the present case stated:
Far from being an anomaly, it is consistent with Waltzer in that application of the relevant rule in both resulted in cost allocation determinations only when the electronically-stored information to be produced was not readily available. While producing readily-available electronically- stored information (Clarendon --all of an insurance company's claims files; Waltzer--data stored on 2 compact discs) will not warrant cost-allocation, the retrieval of archived or deleted electronic information has been held to require such additional effort as to warrant cost allocation (Samide, 5 AD3d at 466; Delta Fin. Corp., 13 Misc.3d at 614; Etzion, 7 Misc.3d at 944- 45). Furthermore, under CPLR 3103(a), the lodestar in granting a protective order granting allocation of discovery costs is the prevention of "unreasonable annoyance, expense, embarrassment, disadvantage, or other prejudice to any person or the courts." Hewing to this principle and the applicable case law, it is eminently reasonable to refrain from allocating discovery costs at this juncture.
Finding “[Defendant] fail[ed] to show that it is settled law that the party requesting discovery must bear the cost of its production or that cost allocation here is warranted”, defendant’s motion for a protective order was denied.
A full copy of the opinion is available here.
Ontario’s New Rules of Civil Procedure Address Electronic Discovery
February 10, 2010
As of January 1, 2010, Ontario’s new Rules of Civil Procedure became effective, including significant changes to the rules of discovery. Among the changes/additions is Rule 29.1.03(4) Principles re Electronic Discovery, which states that “In preparing the discovery plan,” as is required by Rule 29.1.03 (1), “the parties shall consult and have regard to the document titled ‘The Sedona Canada Principles Addressing Electronic Discovery’ developed and available from The Sedona Conference.” In its explanation of the provisions of the newly effective Rules of Civil Procedure, the Ministry of the Attorney General specifically identified several of the Sedona Principles to be considered:
• Discovery steps should be proportionate. Parties should consider the nature of litigation; relevance of electronic evidence; importance to adjudication; and the cost and delay that may be imposed to deal with electronic documents.
• Parties should meet and confer as soon as possible regarding identification, preservation, collection and production of electronic documents.
• Parties should be prepared to disclose all relevant electronic documents.
• Parties should agree as early as possible on the format in which electronic information will be produced.
As evidenced in the Sedona Principles highlighted by the Ministry of the Attorney General, the newly effective rules also establish the importance of proportionality in discovery and therefore identify several mandatory considerations for the court when “making a determination as to whether a party or other person must answer a question or produce a document.” Pursuant to Rule 29.2.03, those considerations are whether:
(a) the time required for the party or other person to answer the question or produce the document would be unreasonable;
(b) the expense associated with answering the question or producing the document would be unjustified;
(c) requiring the party or other person to answer the question or produce the document would cause him or her undue prejudice;
(d) requiring the party or other person to answer the question or produce the document would unduly interfere with the orderly progress of the action; and
(e) the information or the document is readily available to the party requesting it from another source. O. Reg. 438/08, s.25.
The rule also requires consideration of “the overall volume of documents”: “[I]n determining whether to order a party or other person to produce one or more documents, the court shall consider whether such an order would result in an excessive volume of documents required to be produced by the party or other person. O. Reg. 438/08, s. 25.”
The newly effective rules contain many other important revisions, including changes to the scope of discovery, the duration of oral exams, and the expert evidence rules, among others.
To read the Ministry of the Attorney General’s discussion of all changes to the Ontario Rules of Civil Procedure, click here.
To be taken directly to the Ontario Rules of Civil Procedure, click here.
Court Compels Production of Foreign Data and Re-Production of “Already-Produced” Electronic Discovery in a Reasonably Usable Form
February 3, 2010
Accessdata Corp. v. ALSTE Tech. GMBH, 2010 WL 3184777 (D. Utah Jan. 21, 2010)
In this breach of contract case, the court granted plaintiff’s motion to compel and ordered defendant (a German company) to produce responsive third-party, personal data, despite objections that such production would violate German law. The court also granted plaintiff’s motion to compel the re-production of previously produced electronic discovery where defendant’s initial production did not conform to the requirements of Fed. R. Civ. P. 34.
Plaintiff, an American company, sought to compel defendant’s production of documents, including information related to customer complaints and defendant’s technical support of non-customers. Defendant objected to the interrogatories and requests for production on the grounds that they were overly broad, unduly burdensome, and seeking irrelevant information and because “disclosure of information relating to third parties’ identities would violate German law.”
Addressing the production of third-party, personal data and defendant’s claim that such production “would be a huge breach of fundamental privacy laws in Germany,” the court found that defendant “failed to demonstrate the verity of this assertion” by failing to cite a particular provision of German law that would prohibit such disclosure. Moreover, the court cited to a section of the German Data Protection Act (GDPA) that seemed to allow for such a transfer of third party information upon meeting certain conditions, including receipt of consent of the third party. Further, the court reasoned that even if the GDPA prohibited such disclosure, the United States Supreme Court has held that “[i]t is well settled that such [blocking] statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” Turning to defendant’s assertion that plaintiff should be required to comply with the rules set forth in the Hague Convention for Taking Evidence Abroad with respect to private customer information, the court acknowledged that “[p]arties might properly be required to resort to Hague Convention procedures ‘in suits involving foreign states, either as parties or as sovereigns with a coordinate interesting the litigation’ or if ‘the additional cost of transportation of documents…to or from foreign locations…increase[s] the danger that discovery [is] sought for [an] improper purpose,” but reasoned that “neither circumstance is present [here] where the costs of transmitting information and electronic documents ought to be relatively minimal.”
After addressing several other discovery requests, the court then turned to plaintiff’s request for the re-production of certain electronic discovery in native format. Plaintiff claimed that defendant failed to produce electronic discovery “in a form or forms in which they are ordinarily maintained or in a reasonably usable format” as is required by Fed. R. Civ. P. 34. Defendant argued that its production of scanned documents converted to PDF format was sufficient. The court disagreed, noting its confidence that “most (if not all) of the documents already produced would have been ordinarily maintained in an electronic format.” The court further noted the rule’s Advisory Committee Notes, which state that “[i]f the responding party ordinarily maintained the information it is producing in a way that makes it searchable by electronic means, the information should not be produced in a form that removes or significantly degrades this feature.” Accordingly, the court ordered defendant to re-produce the already-produced electronic discovery “in its native format or, at least, in an electronically-generated PDF format.”
A copy of the full opinion is available here.
Personal Emails Retained by Public School’s Email System Not Subject to Michigan’s Freedom of Information Act
January 29, 2010
Howell Educ. Assoc. MEA/NEA v. Howell Board of Educ., 2010 WL 290515 (Mich. Ct. App. Jan. 26, 2010)
In this “reverse” Freedom of Information Act (FOIA) case, the trial court held that personal emails generated by and stored on a public school’s email system were public records subject to FOIA. Upon plaintiffs’ appeal, the appellate court reversed the trial court and held that such emails were not public records and thus not subject to FOIA. Moreover, the appellate court concluded that violation of an acceptable use policy barring personal use of an email system – “at least one that does not expressly provide that emails are subject to FOIA” – does not render personal emails subject to FOIA.
Intervenor/Counter-plaintiff Chetly Zarko submitted a series of FOIA requests seeking production of emails sent to and from three specific teachers beginning in January 2007 and emails between those teachers and an employee of the Michigan Education Association. The teachers were all members of and officials for Howell Education Association MEA/NEA (“HEA”). HEA objected to the release of “union communications” between the teachers arguing the emails were not “public records” as defined under FOIA. To settle the issue, plaintiffs sought declaratory judgment that the emails were not subject to FOIA, among other issues. The trial court held the emails were subject to FOIA. Plaintiffs appealed.
Michigan FOIA requires the disclosure of public records upon proper request. A “public record” is defined as “a writing prepared, owned, used, in the possession of, or retained by a public body in the performance of an official function, from the time it is created.” [Emphasis added.] Defendants argued that the retention of electronic data was “an official function where it is required for the operation of an educational institution” and cited Michigan precedent in which the court held that the magnetic tape which was the school’s record of student names, addresses, etc. was retained in performance of an official function because the university could not have functioned without such a list of its students.
Rejecting the comparison, the court noted that defendants in the present case could “function without the personal emails” and that “given their very definition they have nothing to do with the operation of schools.” The court further rejected defendants’ argument that retention was sufficient to subject the emails to FOIA where the school district did not assert that the back-up system was purposely designed to retain and store personal emails or that such emails had an official function:
It appears that the system is intended to retain and store emails relating to official function, but that it is simply easier technologically to capture all the emails on the system rather than have some mechanism to distinguish them. We do not think that because the technological net used to capture public record emails also automatically captures other emails we must conclude that the other emails are public records. To rule as defendants request would essentially render all personal emails sent by governmental employees while at work subject to public release upon request. We conclude that this was not the intent of the Legislature when it passed FOIA.
The court went on to cite a federal case in which the court determined that the electronic calendar for the chairman of the SEC was not an “agency record” despite containing both business and personal information and being stored on the agency’s computer system. In that case, SEC employees were permitted limited personal use of their office equipment. The court in the present case found the personal emails at issue analogous to the chairman’s electronic calendar.
Recognizing the lack of permission for personal use in the present case as evidenced by defendants’ Acceptable Use Policy, the court nonetheless rejected defendants’ argument that the policy put users on notice that their personal emails were subject to FOIA:
Although the use policy certainly gives notice to the users that school officials may look at their email, and that the documents could be released pursuant to a subpoena, it in no way indicates that users' emails may be viewed by any member of the public who simply asks for them.
The court further rejected the argument that violation of the policy rendered the otherwise personal emails public records.
The court next decided that the emails at issue, i.e., emails involving “internal union communications” were personal emails and thus not subject to disclosure.
A copy of the full opinion is available here.
Court Finds Data “Not Reasonably Accessible,” Denies Motion to Compel
January 28, 2010
Rodriguez-Torres v. Gov. Dev. Bank of Puerto Rico, 2010 WL 174156 (D.P.R. Jan. 20, 2010)
In this employment discrimination case, the court found the electronically stored information (“ESI”) requested by the plaintiffs “not reasonably accessible because of the undue burden and cost” and that plaintiffs had failed to show good cause to compel production of the ESI and denied plaintiffs’ motion to compel.
Plaintiffs filed a motion to compel defendants’ production of “all email communications and calendar entries describing, relating or referring to plaintiff Vicky Rodriquez, both inbound and outbound from defendant GDB’s messaging system servers” for the years 2007, 2008, and 2009. Moreover, plaintiffs sought to compel such production “in native format with its original metadata…” Defendants objected and indicated that plaintiffs’ request was likely to produce “hundreds if not thousands of documents which will include irrelevant, confidential, and potentially privileged information.”
Prior to ruling, the court ordered additional briefing on the issue. The parties' submissions included a report from a consulting service indicating an approximate cost of $35,000 to retrieve the requested ESI. Defendants also indicated the need to perform a privilege and confidentiality review of the ESI prior to production. Accordingly, the court found the requested ESI “not reasonably accessible” reasoning that the proposed cost was “too high of a cost for the production of the requested ESI in this type of action.” Moreover, the court indicated its concern over the increased cost that would result from the need to review the documents prior to production stating, “the volume of such information along with the form in which the information is stored makes privilege determinations more difficult and, correspondingly, more expensive and time consuming.”
The court continued its analysis, however, noting that “under FRCP 26(b)(2)(B), the party requesting the information that is not reasonably accessible can still acquire the information if the requesting party shows good cause.” Attempting to show good cause, the plaintiffs indicated they expected to find “communications showing discriminatory animus such as derogatory and demeaning references, exclusion from meetings, communications and work activities, and general disregard for plaintiff Rodriguez’s abilities.” Their “only basis” for this belief was “three articles which suggest that e-mail encourages senders to write unguarded, unwise, and often inappropriate comments.”
The court found no good cause to compel the production and stated “the court determines that Plaintiffs’ request is merely a fishing expedition to find out if there is any evidence that supports their claim. Discovery is not meant to serve as a fishing expedition. As such the court concludes this is not good cause.”
A full copy of the opinion is available here.