08/19/2010 Meeting - Litigation Holds and Security Breaches
1. The Virtual Trip Wire
Litigation Holds & the Duty to Preserve Data in Security Breaches
Tomas Castrejon, General Dynamics
Josh Gilliland, Esq., D4 LLC
Stephanie Sparks, Esq., Hoge Fenton Jones & Appel
2. From the Bench
“By now, it should be abundantly clear that the
duty to preserve means what it says and that
a failure to preserve records – paper or
electronic – and to search in the right places
for those records, will inevitably result in the
spoliation of evidence.”
The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)
3. Why this Matters
• In complex commercial litigation today, virtually all
discovery involves electronic discovery to some extent.
• It also is well known that absent affirmative steps to
preserve it, at least some electronically stored
information (“ESI”) is likely to be lost during the course
of litigation through routine business practices or
otherwise.
Vice Chancellor Parsons, Court of Chancery of Delaware, Beard Research, Inc. v. Kates, 2009 Del. Ch. LEXIS 94, 21-22 (Del. Ch. May 29, 2009).
4. Agenda
• Security Breach
• Personal Identifiable Information
• Case Example
• Litigation Hold Definition
• Preservation Letters Defined
• Triggering Event: The Preservation Obligation
• Duty to Preserve
• Spoliation
• Hypothetical
• Litigation Hold Best Practices
• Question & Answers
6. Data Breach
• 285 million records were compromised in 2008
• A typical lost or stolen laptop cost the business an average of $50,000, 90% of which was for data breach response
• Range of loss per individual: $1,213 – $975,527
Source: Open Security Foundation, datalossdb.org
9. Patchwork of Federal Laws
• Gramm-Leach-Bliley Act (GLBA regulated by FTC)
• Federal Credit Reporting Act (FCRA regulated by FTC)
• Fair & Accurate Credit Transactions Act and Red Flags Rules
(FACTA regulated by FTC)
• Health Insurance Portability and Accountability Act (HIPAA) and the
Health Information Technology for Economic and Clinical Health Act
(HITECH Act) (regulated by HHS)
• The Children’s Online Privacy Protection Act
• The Communications Decency Act
• Foreign Intelligence Surveillance Act (FISA)
• Controlling the Assault of Non-Solicited Pornography and Marketing
Act (CAN-SPAM)
• Federal Identity Theft and Assumption Deterrence Act
10. Patchwork of 46 State Data Security Breach Notification Laws
• 45 States and the District of Columbia
• 7 States added laws within last two years: Alaska,
District of Columbia, Iowa, Missouri, South Carolina,
Virginia, West Virginia
• State Agency Notification Requirement:
Massachusetts, New Hampshire, New Jersey, New
York, Maryland
11. California Was the First
In California . . .
• Financial Information Privacy Act (Fin. Code § 4052)
GLBA Counterpart
- Financial Institutions
- Nonpublic personal information
• Consumer Credit Reporting Agencies Act (Civ. Code §§ 1785.1
et seq.)
FCRA Counterpart
• Information Practices Act of 1977 (Civ. Code §§ 1798 et seq.)
• Data Breach Notification Law (Civ. Code § 1798.82)
12. Massachusetts Is the Most Stringent
• Data Security Regulations, 201 Code Mass. Regs (CMR) 17.00,
effective March 1, 2010
• Businesses must have:
- Written information security program
- Heightened security procedures, including encryption
- Vendor contract provisions re compliance are mandatory
*contracts signed prior to 3/1/10 = 2 yr grace period
*contracts signed after 3/1/10 = no grace period
- Must take “reasonable steps to select and retain third-party providers that are capable of maintaining appropriate security measures”
13. State Data Security Breach Notification Laws Generally
Notice Requirements:
• Data custodian to (i) data owner
• Data owner to (ii) affected resident and (iii) possibly
State Attorney General
• Timing: (i) “immediately following discovery of the breach”; (ii) “most expedient time possible and without unreasonable delay”
15. Definition of a Litigation Hold
• A litigation hold is a directive to your client
and others to preserve ESI or other
information pertaining to the litigation.
Michael R. Arkfeld, Arkfeld’s Best Practices Guide for Litigation Readiness and Hold, §3.2(A), page 62 (2008-2009 Ed.), citing Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 218 (S.D.N.Y. 2003).
16. Preservation Letter Checklist
• Basic investigative work should
uncover appropriate points to
include in a litigation hold letter.
• Common sense should guide the
actual points to include in a
preservation letter.
• Not a discovery request.
Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
17. Preservation Checklist
• A party can disregard the request to preserve, but
once the request has formally been made and
evidence disappears, a preservation letter may
place the discovering party in a superior position
to seek sanctions or other relief.
Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
18. Preservation Letter Checklist
• At a minimum, a letter should begin with a general
statement that the discovering party expects the
party to preserve digital evidence that in all
probability will be relevant to the issues in a case,
or may lead to the discovery of such evidence.
Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
19. Preservation Letter Checklist
• The preservation letter should include a request that the
other party suspend its regular document retention policy
pending discovery.
• The preservation letter should identify all of the possible
locations where such evidence might conceivably reside.
Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
20. Preservation Letters
• The letter should inform the opposing party that a mere file backup of
the hard drive is not adequate preservation.
• The party must be instructed to image the hard drive as a bit-stream copy, in which all areas of the drive, used and unused, are copied.
• If a file is deleted before a backup is made, the deleted file will not be
copied unless it is a bit-stream copy.
• The letter should also request that deleted files that are reasonably
recoverable be immediately undeleted.
Stone v. Lockheed Martin Corp., 2009 U.S. Dist. LEXIS 12105 (D. Colo. Feb. 2, 2009)
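The difference between a file backup and a bit-stream image, as an added example that is not from the presentation: a toy volume (constructed here, not a real file system) in which an ordinary delete only clears the directory flag, so a logical backup drops the file while a bit-stream image keeps its bytes in unallocated space, hashed for later verification, from which they can be carved back.

```python
import hashlib
import struct

# Toy volume layout (constructed for this example; not a real file system):
#   bytes 0-3   : little-endian count of directory entries
#   directory   : up to 8 entries of (in_use, 16-byte name, data offset, data length)
#   data area   : file contents, which an ordinary delete never overwrites
ENTRY = struct.Struct("<B16sII")
DIR_START = 4
DATA_START = DIR_START + 8 * ENTRY.size


def make_volume(files):
    """Build a volume image from a {name: bytes} mapping."""
    img = bytearray(DATA_START + 4096)
    struct.pack_into("<I", img, 0, len(files))
    cursor = DATA_START
    for i, (name, data) in enumerate(files.items()):
        img[cursor:cursor + len(data)] = data
        ENTRY.pack_into(img, DIR_START + i * ENTRY.size, 1,
                        name.encode().ljust(16, b"\0"), cursor, len(data))
        cursor += len(data)
    return bytes(img)


def _entries(img):
    """Yield (offset, (in_use, raw_name, start, length)) for every directory slot."""
    count = struct.unpack_from("<I", img, 0)[0]
    for i in range(count):
        off = DIR_START + i * ENTRY.size
        yield off, ENTRY.unpack_from(img, off)


def delete_file(img, name):
    """Ordinary delete: clear the in-use flag; the data blocks stay where they were."""
    img = bytearray(img)
    for off, (used, raw, start, length) in _entries(img):
        if raw.rstrip(b"\0").decode() == name:
            ENTRY.pack_into(img, off, 0, raw, start, length)
    return bytes(img)


def file_backup(img):
    """Logical backup: copies only the files the directory still lists as in use."""
    return {raw.rstrip(b"\0").decode(): img[start:start + length]
            for _, (used, raw, start, length) in _entries(img) if used}


def bitstream_image(img):
    """Forensic image: every byte, allocated or not, plus a SHA-256 to verify the copy later."""
    copy = bytes(img)
    return copy, hashlib.sha256(copy).hexdigest()


def verify_image(copy, expected_hash):
    """Re-hash the image; a mismatch means the copy is not what was collected."""
    return hashlib.sha256(copy).hexdigest() == expected_hash


def carve(img, marker):
    """Recover a deleted file's bytes from unallocated space by its signature."""
    pos = img.find(marker)
    if pos < 0:
        return None
    end = img.find(b"\0", pos)
    return img[pos:end if end >= 0 else len(img)]
```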
21. A Very Bad Litigation Hold Letter
• Hank has asked me to send this out to everyone.
• All emails re Napster at this point are related to the litigation and
should contain the “a/c” (attorney communications) symbol in the
subject line and djohnson@fenwick.com should be ccd. We
should not be sending e-mails on this subject anyway. Items from
outsiders such as resumes do not require this.
• Hank Barry
UMG Recordings, Inc. v. Hummer Winblad Venture Partners (In re Napster, Inc. Copyright Litig.), 462 F. Supp. 2d 1060, 1064 (N.D. Cal. 2006).
22. A Very Bad Litigation Hold Letter, Part 2
Please also be aware of our e-mail policy. As we have all been required to surrender Napster e-mails, this should reinforce compliance with our long standing policies.
1. we do not retain e-mails, it is your responsibility to delete your handled e-mails immediately
2. we do not use e-mail to chat about matters related to public companies or matters such as the above
3. we do not retain written copies of e-mails in our files
UMG Recordings, Inc. v. Hummer Winblad Venture Partners (In re Napster, Inc. Copyright Litig.), 462 F. Supp. 2d 1060, 1064 (N.D. Cal. 2006).
23. A Very Bad Litigation Hold Letter, Part 3
4. our document retention policy is that we do not retain documents on any public or acquired company and retain limited information on private companies. all retained information is stored in central files, pls do not retain other docs in your own files unnecessarily
5. we do not retain files separate from our central files which are periodically checked for compliance to policies
Please also review the above policies with any summer associates.
UMG Recordings, Inc. v. Hummer Winblad Venture Partners (In re Napster, Inc. Copyright Litig.), 462 F. Supp. 2d 1060, 1064 (N.D. Cal. 2006).
24. Triggering Event for the Duty to Preserve
– “Reasonably Anticipated”
– Pending, imminent, reasonably foreseeable.
– A complaint has been filed
– Discovery requests have been served
Michael Arkfeld, Best Practices Guide for Litigation Readiness and Hold, §3.2(B) Preservation Obligation
25. Document Destruction Policies
No spoliation where documents were destroyed as part of a routine housecleaning operation with no notice to enact a litigation hold.
Cook Assocs. v. PCS Sales (USA), Inc., 271 F. Supp. 2d 1343, 1357 (D. Utah 2003)
26. Duty to Preserve Includes the Following:
• Relevant in the action;
• Reasonably calculated to lead to the discovery of admissible
evidence;
• Reasonably likely to be requested during discovery, and/or
• Subject of a pending discovery request.
Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 216 (S.D.N.Y.2003); Wm. T. Thompson Co. v. General Nutrition Corp., 593 F. Supp. 1443, 1555 (C.D.Cal.1984)
28. Relevant Documents to Preserve
• [A]ny documents or tangible things (as defined by [Fed. R. Civ. P. 34(a)]) made by individuals "likely to have discoverable information that the disclosing party may use to support its claims or defenses."
Goodman v. Praxair Servs., 2009 U.S. Dist. LEXIS 58263 (D. Md. July 7, 2009)
29. Relevant Documents to Preserve, 2
• Documents prepared for those individuals, to the extent those documents can be readily identified (e.g., from the "to" field in e-mails).
• Information that is relevant to the claims or defenses of any party,
or which is "relevant to the subject matter involved in the action."
Thus, the duty to preserve extends to those employees likely to
have relevant information--the "key players" in the case.
Goodman v. Praxair Servs., 2009 U.S. Dist. LEXIS 58263 (D. Md. July 7, 2009)
31. Sanction Flavors
• Sanctions can be imposed for negligent, grossly negligent, willful and bad-faith conduct.
• Bad Faith - “[w]here a party destroys evidence in
bad faith, that bad faith alone is sufficient
circumstantial evidence from which a reasonable
fact finder could conclude that the missing
evidence was unfavorable to that party,” and thus
the jury may be instructed that the lost evidence
was adverse to the spoliating party.
• Negligence or gross negligence: a judge may
impose an adverse inference instruction or “less
severe sanctions-such as fines and cost-shifting,”
even without a showing that particular materials
were lost.
Pension Committee, at *18.
32. Demonstrating Spoliation
Moving Party Must Show:
1) That its adversary had control of the evidence and a
duty to preserve it at the time it was lost or
destroyed;
2) That the adversary had a "culpable state of mind"
when the evidence was lost or destroyed; and
3) That the lost or destroyed evidence was "relevant" to
the moving party's claims such that a reasonable trier
of fact could find that it would support a claim.
Arista Records LLC v. Usenet.com, Inc., 2009 U.S. Dist. LEXIS 5185 (S.D.N.Y. Jan. 26, 2009)
33. Possible Sanctions
• Adverse evidence jury instruction;
• Excluding greater or lesser parts of the destroying party's
evidence;
• Dismissing a party's claims in whole or in part; or
• Granting default judgment against a party in whole or in
part.
Toth v. Parish, 2009 U.S. Dist. LEXIS 16116, 7-8 (W.D. La. Mar. 2, 2009)
34. Determining Sanctions
• Factors in determining the appropriate sanctions for wrongful destruction of evidence include:
"1) the degree of fault of the party who altered or destroyed the evidence;
2) the degree of prejudice suffered by the opposing party; and
3) whether there is a lesser sanction that will avoid substantial unfairness to the opposing party and if the fault is serious, will serve to deter such conduct by others in the future."
Toth v. Parish, 2009 U.S. Dist. LEXIS 16116 (W.D. La. Mar. 2, 2009)
35. Speculation is Not Spoliation
• Defendants asserted that Plaintiff's "concern"
amounted to nothing more than mere speculation.
• Plaintiff did not produce any evidence suggesting that Defendants had not complied, or did not intend to comply, with their duty to preserve evidence.
• Preservation order was not warranted.
Gregg v. Local 305 IBEW, 2008 U.S. Dist. LEXIS 99075 (N.D. Ind. Dec. 8, 2008)
36. Willful Conduct
• Defendant was put on notice of
a lawsuit because of unlicensed
software usage.
• Instead of enacting a litigation
hold, the Defendant ordered the
“software deleted immediately.”
KCH Servs. v. Vanaire, Inc., 2009 U.S. Dist. LEXIS 62993 (W.D. Ky. July 21, 2009).
37. Willful Conduct, 2
• The Defendant’s actions
deprived the Plaintiff any
opportunity to inspect relevant
evidence once the lawsuit
began.
• The Court ordered the spoliation
sanction of an adverse inference
instruction, instead of a default
judgment, for the Defendant’s
obstructionism.
KCH Servs. v. Vanaire, Inc., 2009 U.S. Dist. LEXIS 62993 (W.D. Ky. July 21, 2009).
38. A Picture is worth a 1,000 words…
• Defendants attempted to purchase $4.2
million painting.
• Divorce and lawsuit for breach of contract.
• Excel file with unknown origin.
• Friend of Defendant’s kid reinstalled
computer operating system.
Green v. McClendon, 2009 U.S. Dist. LEXIS 71860 (S.D.N.Y. Aug. 13, 2009).
39. …but sanctions are priceless.
• Lawyer and Defendant both failed in
their duty to preserve.
• Plaintiff entitled to additional discovery
and costs.
Green v. McClendon, 2009 U.S. Dist. LEXIS 71860 (S.D.N.Y. Aug. 13, 2009).
40. California e-Discovery & Litigation Hold Failures
• Defendant failed to produce email messages and PSTs.
• Defendants did not enact a litigation hold.
• During the middle of trial, it was learned that the
manufacturer still had not complied with discovery
orders and directives.
Doppes v. Bentley Motors, Inc., 174 Cal. App. 4th 967, 969 (Cal. App. 4th Dist. 2009)
41. Sanctions
Case remanded with directions to:
(1) Strike Defendants’ answer and enter a default and default judgment against them on the fraud cause of action;
(2) Make an express finding in the judgment that Defendants intentionally violated the Song-Beverly Consumer Warranty Act;
(3) Enter an order granting the post-trial motion for attorney fees in the total amount of $402,187;
(4) Reconsider the post-judgment motion for attorney fees in accordance with this opinion; and
(5) Order further proceedings not inconsistent with the opinion, including a default prove-up on the fraud cause of action, imposition of civil penalties under Civil Code section 1794, and consideration of other relief sought in the complaint.
Doppes v. Bentley Motors, Inc., 174 Cal. App. 4th 967, 1003 (Cal. App. 4th Dist. 2009)
42. Resetting the Gold Standard
• Pension Committee
• 89 page opinion
• Securities Litigation
• Judge Scheindlin
43. Gross Negligence
The failure to issue a written litigation
hold when litigation is reasonably
anticipated is gross negligence.
The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)
44. What Happened?
• Plaintiffs’ counsel's emails and memoranda “did not meet the standard of
a litigation hold” because plaintiff's counsel failed to direct employees to
preserve all relevant records and failed to create a mechanism for
collecting records.
• Memo required employees to determine what was relevant and to
respond without supervision by counsel.
• Memo did not instruct employees to suspend the destruction of potentially
relevant records.
• Plaintiffs did not issue a formal written litigation hold until 2007 – nearly
four years after the triggering event.
The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)
45. Production Gaps
• Defendants found gaps in document production
from 13 plaintiffs
• Requested declarations describing the preservation
efforts
• Found that “almost all of the declarations were
false and misleading and/or executed by a
declarant without personal knowledge of its
contents.”
Pension Committee, Amended Order, at *32-33
46. The Hammer Falls: Gross Negligence
• Six plaintiffs found grossly negligent
– Failure to issue a written litigation hold prior to 2007;
– Deleting ESI after the trigger event;
– Failing to request documents from key players;
– Delegating search efforts without any supervision from management;
– Destroying backup tapes relating to key players where other ESI was not
readily available; and/or
– Submitting misleading or inaccurate declarations.
Pension Committee, Amended Order, at *42-43
47. “Merely” Negligent
• 7 found merely negligent
– “failure to institute a written litigation hold” was
“not yet generally required” in early 2004 in
Federal court in Florida.
Pension Committee, Amended Order, at *64.
49. Lesson Learned: Self-Collection
• Counsel must give direction and supervision to
custodians on preservation.
– One custodian said he had “no experience
conducting searches, received no instruction on
how to do so, had no supervision during the
collection, and no contact with Counsel during the
search.”
• Employees must not search their own files, since they then become the sole decision makers as to the relevance of the search terms used.
Pension Committee, Amended Order, at *62, 66.
50. Lessons Learned: Finding Gross Negligence
“[T]he following failures support a finding of gross negligence, when the duty to
preserve has attached:
[1] to issue a written litigation hold;
[2] to identify all of the key players and to ensure that their electronic and paper records are
preserved;
[3] to cease the deletion of email or to preserve the records of former employees that are in a
party's possession, custody, or control; and
[4] to preserve backup tapes when they are the sole source of relevant information or when
they relate to key players, if the relevant information maintained by those players is not
obtainable from readily accessible sources.”
The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., Amended Order, Case No. 05-cv-9016 (SDNY Jan. 15, 2010)
51. Rimkus: Litigation Holds…Texas Style!
• Intellectual property case.
• Group of employees left and filed suit against their
former employer to release them from their non-compete
agreements.
• In countersuit, Rimkus Consulting claimed the former
employees violated their non-competes and additionally
made off with “trade secrets and proprietary information.”
Rimkus Consulting Group, Inc. v. Cammarata, 2010 U.S. Dist. No. 07-cv-00405 (SDTX Feb. 19, 2010)
52. Rimkus Result
• Concluded willful destruction of evidence, although a
significant amount of the incriminating evidence was
recovered by the plaintiff.
• Court was unwilling to issue an adverse inference
instruction.
• Would allow the jury to determine the implications of the
defendants’ misconduct based on the facts.
Rimkus Consulting Group, Inc. v. Cammarata, 2010 U.S. Dist. No. 07-cv-00405 (SDTX Feb. 19, 2010)
53. Culpability Insight
“Permissive” adverse inference sanction
that instructed the jury to decide if the
defendants intentionally deleted
emails… and whether to infer that the
lost information would have been
unfavorable to the defendants.
55. Digital Forensics
• Core: data collection, preservation,
documentation and court room presentation
– Defensible processes
– Use methods that yield the most accurate results (Gates Rubber Co. v. Bando American, Inc., 798 F.Supp. 1499, 1511 (D.Colo.1992)).
• Differences between forensic collection versus
backup
• Be proactive: have a plan before you need the data
65. Analyzing hidden data sample from Letter Template.doc
Document Name: hidden data sample from Letter Template.doc
Path: C:\Documents and Settings\tcastrejon\My Documents\MetaData Deck
Document Format: Word Document
Built-in document properties:
Built-in Properties Containing Metadata: 2
Title: Deloitte Letter.dot
Comments: Word Template v2004.1 08/22/2004
Document Statistics:
Document Statistics Containing Metadata: 6
Creation Date: 7/18/2006 11:16:00 PM
Last Save Time: 7/18/2006 11:29:00 PM
Time Last Printed: 5/1/2002 4:04:00 PM
Last Saved By: John Doe
Revision Number: 5
Total Edit Time (Minutes): 13 Minutes
Custom document properties:
No Custom Document Properties
Last 10 authors: NOT PROCESSED
Document Metadata Sample
68. USB Devices
Disk;;USB_DISK_2.0;077515B0166B&0;USB DISK 2.0 USB Device;06/03/09 07:54:59AM;04/04/09 09:29:41PM;7&1e544ac1&0
Disk;;USB_DISK_2.0;077516B01804&0;USB DISK 2.0 USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&11a53745&0
Disk;;USB_DISK_20X;074712910134&0;USB DISK 20X USB Device;06/17/09 04:40:12PM;04/04/09 09:29:41PM;7&1c48d21e&0
Disk;Apple;iPod;000A2700146E70D2&0;Apple iPod USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&d9cbdb&0
Disk;I-Stick2;IntelligentStick;FCA4B93FF2BFE451&0;I-Stick2 IntelligentStick USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&699ed73&0
\DosDevices\E:;;0;\??\STORAGE#RemovableMedia#7&1c48d21e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};074712910134&0
69. Links Recently Accessed via Removable Media
Link File Name | Created | Written | Accessed | Volume Label | Media Type | Serial # | Path
---|---|---|---|---|---|---|---
14aren.lnk | 02/11/09 03:03:05PM | 02/11/09 03:03:06PM | 03/05/10 12:00:00AM | NEW VOLUME | Removable | 14 F7 C2 E4 | E:\file_Rename\14aren
Customer_lists.pdf.lnk | 03/05/10 06:51:58PM | 04/15/09 06:16:26PM | 03/05/10 12:00:00AM | NEW VOLUME | Removable | 14 F7 C2 E4 | E:\secret_documents\Customer_lists.pdf
secret_documents.lnk | 03/05/10 06:51:57PM | 03/05/10 06:51:58PM | 03/05/10 12:00:00AM | NEW VOLUME | Removable | 14 F7 C2 E4 | E:\secret_documents
Company_research_new_design.doc.lnk | 03/05/10 06:51:57PM | 06/02/05 09:39:22PM | 03/05/10 12:00:00AM | NEW VOLUME | Removable | 14 F7 C2 E4 | E:\secret_documents\Company_research_new_design.doc
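Correlating the artifacts from the two slides above (the USB device listing, the MountedDevices entry and the LNK table), as an added example that is not from the presentation. The records are copied from the slides with backslashes restored; the column names for the device listing, the meaning of its two timestamps, and the reading of the LNK Created/Written stamps are this example's assumptions, since the slides do not label them.

```python
import re
from collections import namedtuple
from datetime import datetime

# Device records copied from the slide (constructed input for this example). The slide does not
# label the columns, so the field names below and the meaning of the two timestamps are assumptions.
USB_RECORDS = """\
Disk;;USB_DISK_2.0;077515B0166B&0;USB DISK 2.0 USB Device;06/03/09 07:54:59AM;04/04/09 09:29:41PM;7&1e544ac1&0
Disk;;USB_DISK_2.0;077516B01804&0;USB DISK 2.0 USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&11a53745&0
Disk;;USB_DISK_20X;074712910134&0;USB DISK 20X USB Device;06/17/09 04:40:12PM;04/04/09 09:29:41PM;7&1c48d21e&0
Disk;Apple;iPod;000A2700146E70D2&0;Apple iPod USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&d9cbdb&0
Disk;I-Stick2;IntelligentStick;FCA4B93FF2BFE451&0;I-Stick2 IntelligentStick USB Device;04/04/09 09:29:41PM;04/04/09 09:29:41PM;7&699ed73&0
"""
# MountedDevices entry from the slide tying drive letter E: to a device instance (backslashes restored).
MOUNTED = r"\DosDevices\E:;;0;\??\STORAGE#RemovableMedia#7&1c48d21e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b};074712910134&0"
# LNK table from the slide: name, created, written, accessed, volume label, media type, serial, target.
LNK_ROWS = [
    ("14aren.lnk", "02/11/09 03:03:05PM", "02/11/09 03:03:06PM", "03/05/10 12:00:00AM",
     "NEW VOLUME", "Removable", "14 F7 C2 E4", r"E:\file_Rename\14aren"),
    ("Customer_lists.pdf.lnk", "03/05/10 06:51:58PM", "04/15/09 06:16:26PM", "03/05/10 12:00:00AM",
     "NEW VOLUME", "Removable", "14 F7 C2 E4", r"E:\secret_documents\Customer_lists.pdf"),
    ("secret_documents.lnk", "03/05/10 06:51:57PM", "03/05/10 06:51:58PM", "03/05/10 12:00:00AM",
     "NEW VOLUME", "Removable", "14 F7 C2 E4", r"E:\secret_documents"),
    ("Company_research_new_design.doc.lnk", "03/05/10 06:51:57PM", "06/02/05 09:39:22PM",
     "03/05/10 12:00:00AM", "NEW VOLUME", "Removable", "14 F7 C2 E4",
     r"E:\secret_documents\Company_research_new_design.doc"),
]

UsbDevice = namedtuple("UsbDevice", "cls vendor product serial name ts1 ts2 parent_id")
LnkRecord = namedtuple("LnkRecord", "name created written accessed label media serial target")
TS = "%m/%d/%y %I:%M:%S%p"   # timestamp format used on the slides


def parse_usb(text):
    """Split the semicolon-delimited device listing into UsbDevice records."""
    devices = []
    for line in text.splitlines():
        fields = line.split(";")
        if len(fields) != 8:
            raise ValueError("unexpected field count: %r" % line)
        devices.append(UsbDevice(*fields))
    return devices


def drive_letter_owner(mounted_line, devices):
    """Resolve a DosDevices drive-letter entry to the device whose parent-id prefix it names."""
    letter_field, _, _, devpath, serial = mounted_line.split(";")
    letter = letter_field.rsplit("\\", 1)[-1]                      # "E:"
    prefix = re.search(r"RemovableMedia#(.+?)&RM#", devpath).group(1)
    for dev in devices:
        if dev.parent_id == prefix and dev.serial == serial:
            return letter, dev
    return letter, None


def lnk_on_drive(rows, letter):
    """Return the LNK records whose target lived on the given drive letter."""
    return [LnkRecord(*r) for r in rows if r[-1].upper().startswith(letter.upper())]


def created_after_written(records):
    """LNKs whose Created stamp postdates their Written stamp: the shortcut is newer than the
    last write it records, so these are the entries to look at first when reconstructing access."""
    return [r.name for r in records
            if datetime.strptime(r.created, TS) > datetime.strptime(r.written, TS)]
```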
72. Legal Considerations
• Acceptable use policy
• Subpoena
• 4th Amendment
• Cross border data transfer and privacy
considerations
– EU Safe Harbor
– Local laws and regulations
73. Complex world of laws and regulations present challenges for records and information management
Regulatory Considerations (shown on the slide as labels on a world map):
• US: SOX, HIPAA, COPPA, FRCP, 21 CFR 11, ISO 15489, ANSI/AIIM TR48-2004, PCI Data Security; numerous state laws, with breach notification in 41 states from CA to NY
• Canada: Federal/Provincial PIPEDA, FOIPPA, PIPA
• Chile: Law for the Protection of Private Life
• Argentina: Personal Data Protection Law, Confidentiality of Information Law
• European Union: EU Data Protection Directive and Member States Data Protection Laws, Safe Harbor
• South Africa: Electronic Communications and Transactions Act
• India: Law pending, currently under discussion
• Hong Kong: Personal Data Privacy Ordinance
• Taiwan: Computer-Processed Personal Data Protection Law
• South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
• Japan: Personal Information Protection Act
• Philippines: Data Privacy Law proposed by ITECC
• Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland; new email spam and privacy regulations
• New Zealand: Privacy Act
74. Trends
• Data will continue to expand to mobile
side of your enterprise
• Cloud computing
76. Thank You
Tomas Castrejon, General Dynamics Advanced Information Systems, Network Defense and Digital Forensics, 408.220.3113, Tomas.Castrejon@gd-ais.com
Josh Gilliland, Esq., D4 LLC, 650-576-3298, jgilliland@d4discovery.com, www.bowtielaw.com, Twitter @bowtielaw
Stephanie Sparks, Esq., Hoge Fenton Jones & Appel, 408.947.2431, sos@hogefenton.com, www.hogefenton.com