LITIGATION SUPPORT TIP OF THE NIGHT

Today, in Babcock Power v. Kapsalis, 2018 U.S. Dist. LEXIS 1973 (W.D. Ky.), the United States District Court for the Western District of Kentucky, approved, in part, a motion to amend a scheduling order, so additional expert discovery could be conducted. The plaintiff in this case moved for additional expert discovery on the basis of finding six previously undisclosed documents on a server after the review of a post-discovery production of hash values ordered by a magistrate judge. The plaintiff wanted to conduct depositions about production of the hash value data. The court granted the motion to conduct additional discovery from the electronic discovery vendor, but not from a subsequent third party purchaser of the server. Discovery is to be permitted when additional document that "hash values identified were transferred onto Express' server, how they were transferred, whether other files were transferred at the same time, where they were transferred to and whether they have been opened ." (Id. at 12-13).

The court approved a motion by the plaintiff for additional discovery of actual data. The defendant only produced Bates numbers, hash values, and file names of 760 files identified by the plaintiffs. A prior order by a magistrate judge required the production of all of the hash values on a server including, "LNK files, jump lists, and registry hives", at the time the server was analyzed by an electronic discovery vendor. (Id. at 4) The court ordered the production of the rest of the data specified in the magistrate's order under Federal Rule of Civil Procedure 26(a)(2)(B)(ii), which requires, "the facts or data considered by" an expert witness. The court would not however order the production of a copy of the server itself.

Make note of the American Bar Association's Formal Opinion 477, published this past May. The summary states that:

A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.

The opinion does not recommend specific technical cyber security measures that should be taken, but requires attorneys to take reasonable steps specific to different factual circumstances. A lawyers should follow these guidelines:

1. Understand if a particular case presents a high threat for cyber intrusion. "[H]ighly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft."

2. Understand how data is transferred and stored. "Each access point, and each device, should be evaluated for security compliance."

3. Take Reasonable Security Measures. Such as, "using secure internet access methods to communicate, access and store client information (such as through secure Wi-Fi, the use of a Virtual Private Network, or another secure internet portal), using unique complex passwords, changed periodically, implementing firewalls and anti-Malware/AntiSpyware/Antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software." An attorney is specifically charged with understanding that deleted files can be recovered.

4. Protect Electronic Communications - "If client information is of sufficient sensitivity, a lawyer should encrypt the transmission and determine how to do so to sufficiently protect it, and consider the use of password protection for any attachments."

5. Label electronic media as confidential.

6. Lawyers and their nonlawyer assistants should receive formal cyber security training.

7. Do due diligence on vendors hired to assist with electronic communications including checking their security policies and protocols.

Judge Paul Grimm of the District of Maryland, is widely known in the e-discovery world for his influential decisions, in Victor Stanley v. Creative Pipe, 250 F.R.D. 251 (D. Md. 2008) where he ruled that a privilege claim on inadvertently produced privileged documents was waived because a party could not explain the method of its review for privileged material, and in Lorraine v. Markel, 241 F.R.D. 534, 563 (D. Md. 2007) in which he provided guidelines for the admission of electronic evidence.

Judge Grimm collaborated with Dan Capra and Gregory Joseph on a 2016 West Academic publication, Best Practices for Authenticating Digital Evidence, which is available online here. It discusses how to authenticate emails, text messages, social media postings, web pages, and other social media direct messages.

Emails are deemed authenticated because their actual production is the statement of party opponent, but authentication can also accomplished with the testimony of the author or a records custodian; the jury's comparison of an email with other authenticated emails; or other circumstantial evidence. A key point that Grimm makes is that, "Authentication has also been found when an adversary produces in discovery a third party’s email received by the producing party in the ordinary course of business, and the email is offered against the adversary."

Text messages can be authenticated in the same manner as email messages, but also by establishing that they are the product of a system which records them accurately. Grimm cites to a decision by the United States District Court for the Eastern District of Michigan that texts where authenticated by a showing that, "they are automatically saved on SkyTel’s server with no capacity for editing."

Government and newspaper websites are self-authenticating, and web pages generated in the ordinary course of business of a company may quality as self-authenticating business records.

Social media posts are usually authenticated when it can be proven that, "the pages and accounts can be tracked through internet protocol addresses associated with the person who purportedly made the post."

Chatroom conversations, or social media direct messages are difficult to authenticate because users often communicate with aliases. Testimony may be necessary from participants in the conversations as to the identity of a person using an account, and the accurateness of a transcript of the communications.