LITIGATION SUPPORT TIP OF THE NIGHT

Two months ago, Magistrate Judge Laurel Beeler issued a decision in , Henson v. Turn, Inc., No. 15-cv-01497-JSW (LB) 2018 U.S. Dist. LEXIS 181037, (N.D. Cal. Oct. 22, 2018), a data privacy class action. The Plaintiffs in this suit allege that Turn, Inc. placed 'zombie cookies' on their devices which could not be blocked or deleted. Judge Beeler's order denied the Defendant's requests for production of the plaintiffs' mobile devices for forensic imaging; the full browsing history on the devices; and all cookies stored and deleted on the devices. She instead adopted the Plaintiffs' counter proposal that they only produce web browsing history and cookies for websites associated with Turn, and just the date fields for all other cookies.

Turn places cookies, or tracking beacons, on smartphones to gather information about a user's web browsing and app use. The Court noted studies showing that most Americans are uncomfortable with the amount of information that companies collect about them. Turn used a Verizon function that created a unique header (X-UIDH) for each of its customers that could be read in HTTP request made to sites run by Turn. Turn 'respawned' zombie cookies on smartphones that contained all of the values from old cookies which had X-UIDHs which matched those in a HTTP request.

Judge Beeler ruled that the request for a complete forensic image of the smartphones was not relevant and proportional to the needs of the case under Fed. R. Civ. P. 26(b)(1). A complete forensic image would include text messages, photos, and other data irrelevant to claims or defenses. Notably the decision states that, "While questions of proportionality often arise in the context of disputes about the expense of discovery, proportionality is not limited to such financial considerations. Courts and commentators have recognized that privacy interests can be a consideration in evaluating proportionality, particularly in the context of a request to inspect personal electronic devices." Henson, 2018 U.S. Dist. LEXIS 181037, at *15. Judge Beeler emphasized that the Defendant was asking for access to the forensic images, despite the fact that the Plaintiffs had imaged their own devices and were producing information from those images.

A request for the full browsing history on the Plaintiffs' devices was also ruled to not be relevant and proportional to the needs of the case, and raise similar privacy concerns. The Court decided that Turn could decide whether or not the Plaintiffs regularly deleted cookies from their smartphones by making reference to the date fields of the cookies and browsing histories, and the full content of each was not needed. There is an obvious contradiction between the basis of the Plaintiffs' suit and the nature of the ESI request:

"There is an Orwellian irony to the proposition that in order to get relief for a company's alleged surreptitious monitoring of users' mobile device and web activity, a person has to allow the company unfettered access to inspect his mobile device or his web browsing history. Allowing this discovery would further invade the plaintiffs' privacy interests and may deter current and future plaintiffs from pursuing similar relief." Id. at *27.

Earlier this year, Magistrate Judge Nancy Koppe issued a decision, Hinostroza v. Denny's, Inc., No. 2:17-cv-02561-RFB-NJK (D. Nev. June 29, 2018), granting in part and denying in part the Defendant's motion to compel. The case was notable because the motion included a request to produce data from a FitBit device worn by the Plaintiff.

The case concerned a slip and fall accident that occurred at a Denny's restaurant. The Motion to Compel included requests for medical records, property damage reports, and insurance policies and claims, or releases to obtain such information. Hinostroza objected on the basis that the request was irrelevant, overboard, and unduly burdensome. She was involved in a car accident in 2015. Noting the standard for discovery under Fed. R. Civ. P. 26(b), the Court ruled that these records should be produced and ordered the Plaintiff to sign the necessary releases. Judge Koppe ordered the production of text messages, emails, and telephone records requested by Denny's which were sent to individuals about her injuries shortly after the incident at the restaurant. The order also directed the production of Hinostroza's employment records.

Denny's requested data from a FitBit tracker worn by Hinostroza. Data was requested for five years prior to the incident at the restaurant through the present. The data could show how active Hinostroza was before and after the slip and fall. The Plaintiff objected on the basis that the data was not in her possession, custody, or control. The Court ruled that an objection to the request as overboard and unduly burdensome was waived because it was not made in the initial response to the request for production. The order required the Plaintiff to describe the search she performed for the requested data so it could determine if a reasonable inquiry was made.

Social media data, from the same time period, was also requested and Hinostroza objected on the grounds that it was irrelevant, overboard, unduly burdensome, and a violation of her right to privacy. Judge Koppe's decision states that, "information from social media is relevant to claims of emotional distress because social media activity, to an extent, is reflective of an individual's contemporaneous emotions and mental state." Id. at 10. Social media postings from a long data range are needed because a fleeting moment would not illustrate a party's physical and mental well being. "[S]ocial media discovery must allow the requesting party a sufficient sample size from which a potential pattern of content could reveal an emotional or mental state or physical capability that undermines a party’s claim." Id. The decision directs Hinostroza's attorney to review and produce relevant postings from 2015 to the present.

Last week, Judge Thomas B. Smith issued a decision in Clark v. FDS Bank, 6:17-cv-692-Orl-41TBS, 2018 U.S. Dist. LEXIS 190518 (M.D. Fla. Nov. 7, 2018), granting the Plaintiff's motion to compel the production of phone data. This is a class action suit brought for the violation of the Telephone Consumer Protection Act for using an automated telephone system to call cell phones in an effort to collect on credit card debt.

The Defendants contended that while they can download data on the phone numbers called, the number of calls made to those numbers, and the date, time and duration of the calls, they can only produce other information requested by the Plaintiff (where the numbers were obtained; whether the call produced a live answer, prerecorded message, or wrong number notification; whether the recipient asked not to call again; and information on when payments were made) by a manual search of records. 76 minutes were required to collect information for 28 accounts. It took one assistant 135 minutes to redact personal information from 17 accounts, and a paralegal 120 minutes to redact personal information from another 11 accounts. The total cost of the review was estimated to be between $1.5 - $1.8 million.

The Plaintiff had Jeffrey A. Hansen, a data analyst from Hansen Legal Technologies file a declaration attesting to his familiarity with the auto dialing system used by Defendants, and that it should take less than an hour to export the data requested by the Plaintiff. Attached to Hansen's declaration was a declaration by a certified computer forensic examiner (filed in another case) stating that often even IT professionals responsible for systems holding records of phone calls are unaware that the records can be searched and exported without special programming and in a short period of time. "Suppose a dialer database has 100 million records to search for text mentioning the words 'wrong number'. Such a search may take several hours on a particular unindexed system that is designed for day-to-day business use and not optimized for such a free-text search. But that same search can take just seconds on an optimized system like I operate for forensic analysis, once the data is loaded onto that system. . . I will be able to efficiently develop an objective algorithm to identify records containing DNC requests and wrong number calls." Id. at *11-12, quoting Doc. 122-2 at 91, 97-98.

The Court ordered the parties to hold a Rule 26(f) conference in 21 days in order to arrange for Hansen to search the Defendants' business records. The Court required the parties to sign a confidentiality agreement and directed, "the use of anonymizers to conceal account holders' identities and other personal information." Id. at *13-14. It left open to the parties to decide whether Hansen should work with mirror images of the data or use another methodology to search the data.

If the parties cannot come to an agreement in 35 days, the Court will dictate the procedure to be followed at an evidentiary hearing.