The law governing electronic discovery (e-discovery) is continually developing. US courts, administrative agencies and regulatory bodies often have an expansive view of discovery of electronically stored information (ESI). This view stems from the notion that broad discovery helps facilitate the quest for truth.
The Federal Rules of Civil Procedure (the Federal Rules), state procedural rules, the Federal Rules of Evidence, state evidentiary rules, regulatory agency rules, other local rules, and case law created by judicial and regulatory opinions, have created a patchwork of law governing e-discovery. Although courts and regulatory authorities are adapting evidentiary and procedural rules to the realities of e-discovery, courts, regulatory authorities and litigants have struggled to keep up with ever-changing technologies and data proliferation. The Federal Rules intentionally avoid defining the term 'electronically stored information' with precision in order to accommodate '[t]he wide variety of computer systems currently in use, and the rapidity of technological change'.2 Thus, the Rules envision the discovery of 'any type of information that is stored electronically',3 including forms of ESI not yet invented.
In the United States, the producing party typically bears the costs of producing ESI. For years, litigants struggled with increasing e-discovery costs. Explosions in data volumes coupled with expansive views of discovery resulted in e-discovery costs that threatened to overwhelm litigation. Moreover, courts took varying approaches in sanctioning parties that failed to preserve ESI – some courts granted adverse inferences that, in essence, determined the outcome of a matter when parties were deemed negligent or grossly negligent in failing to preserve ESI, while others only granted these sanctions when a party acted in bad faith to deprive the opposition of evidence. Litigants grew increasingly concerned that cases were being decided based upon the costs of discovery and threat of sanctions as opposed to the merits.
Recognising the need to rein in e-discovery costs and provide more uniformity and certainty for litigants, the Federal Rules were amended in December 2015 to explicitly make proportionality an element of the scope of discovery and to reserve outcome-determinative sanctions for those cases where a party acts in bad faith.
Generally, the scope of discovery is governed by Rule 26(b)(1), which allows a party to discover:
[A]ny nonprivileged matter that is relevant to any party's claim or defense and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties' relative access to relevant information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit.
Moreover, for years, parties were at odds with one another when it came to e-discovery. Despite the contentious nature of US litigation, courts and litigants are recognising the need for parties to work together to bring about the 'just, speedy, and inexpensive'4 determination of a matter. Thus, the Federal Rules and local rules have been amended to improve cooperation between parties through requiring meet and confers, and informal e-discovery discussions.
A party can help control its e-discovery costs as well as the entire e-discovery process through thoughtful, strategic planning, knowledge of the ESI landscape and understanding the needs of the case. Armed with this knowledge, responding parties may lessen the burdens placed upon them and might even seek to shift costs when requested data is thought to be inaccessible or seems to be duplicative of previously produced information, or when the costs associated with production are in excess of an amount thought to be reasonable and proportional.
II YEAR IN REVIEW
With the December 2015 amendments to the Federal Rules and related changes in e-discovery laws, litigation is more likely to be decided on the merits. The imposition of the harshest outcome-determinative sanctions has been dramatically reduced, with courts imposing harsh sanctions under Rule 37(e) only in those instances where there has been an intent to deprive. Increasingly, courts, regulatory authorities and parties are invoking proportionality when viewing preservation and production obligations, narrowing e-discovery to those areas of enquiry necessary to resolve a claim.
Courts continue to seek new ways to reduce the time and costs associated with e-discovery. The District of Arizona and the Northern District of Illinois are midway through the Mandatory Initial Discovery Pilot Project, which requires parties to respond to standard discovery requests before undertaking other discovery.
New rules and regulations on the horizon require parties to cooperate. Proposed Federal Rules amendments require that parties meet and confer before any 30(b)(6) deposition, which may be of particular importance when faced with the proverbial 'discovery about discovery' deposition, seeking testimony about how data was preserved, collected and produced. In addition, more and more courts are instituting local rules requiring meet and confers before e-discovery issues are raised with courts.
Courts and parties must remain efficient in addressing the ever-changing landscape of e-discovery and technology itself. Because ESI subject to discovery encompasses information in any form, recent cases in the past few years have focused on newer technologies, including cloud computing, mobile devices and communication applications. Aside from general information governance and privacy concerns, as well as issues with trying to collect and produce this information, use of newer technologies, such as cloud file shares, can expose a party to the risk of waiving privilege.
While the laws governing e-discovery continue to evolve, there are still issues that must be resolved.
i State rules versus the Federal Rules
Although the Federal Rules were amended in 2015 to try to address proportionality and sanctions concerns, not all states have accordingly updated their respective rules. Therefore, parties may still face uncertainty with respect to discovery in state court litigation.
ii Redactions for irrelevant information
Some courts allow parties to redact non-responsive information, while others reject this practice.5 Courts denying redactions cite the lack of authority for them and the need for a party to see information in context, while courts allowing redactions often find compelling reasons for them, such as protecting unique business information, and believe that requesting parties are not entitled to irrelevant information.
iii Quick peeks
Courts appear to disagree on the scope and meaning of Federal Rule of Evidence 502 and its interplay with Rule 26. When faced with burden and proportionality arguments, some courts are requiring parties to provide a 'quick peek' under Rule 502(d), allowing the opposing party to view all documents without the producing party risking privilege waiver.6
iv Extraterritorial discovery
Cross-border discovery remains a moving target. In March 2018, Congress passed, and President Trump signed, the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act). The CLOUD Act has made clear that Stored Communications Act Section 2703 warrants apply to data held outside the United States. The CLOUD Act requires a company with US contacts to preserve and disclose the contents of a stored communication 'regardless of whether such communication, record or other information is located within or outside of the United States'.7 However, the CLOUD Act does contain comity provisions that may limit the US government's ability to access data stored abroad, including where the target customer is not a US person and does not reside in the US or where disclosure of the data would violate foreign law. Owing to the CLOUD Act's passage and issuance of a new subpoena thereunder, the highly publicised United States Supreme Court case United States v. Microsoft, dealing with issuance of a warrant seeking data stored overseas in Ireland, was dismissed as moot in a per curiam opinion.
Lower courts remain divided on the production of documents located outside the United States. Some courts are trying to remove data subject to foreign data regulations from the discovery process as much as possible.8 Others are applying proportionality concepts in determining whether foreign data is really relevant or can be narrowed in some manner,9 and still others are ordering extraterritorial discovery under other rules, such as 28 USC Section 1782.10
III CONTROL AND PRESERVATION
i The duty to preserve ESI
Generally, the duty to preserve arises whenever there is a reasonable anticipation of litigation. Reasonable anticipation of litigation includes not only traditional litigation filed by one party against another, but also any proceedings before administrative agencies or other regulatory bodies.
ii The scope of preservation
The general scope of discovery – which encompasses anything relevant and proportional to the needs of the case – governs the scope of preservation. Thus, whenever the duty to preserve arises, a party must take affirmative steps to identify and preserve unique, potentially relevant and proportional ESI in the party's possession, custody or control.
Preservation extends beyond the ESI within a party's physical possession to that over which the party has the 'legal right' to obtain the ESI upon demand. This legal right may be found when there are contractual provisions granting a right of access to ESI or when there is a principal–agent relationship that provides the principal with ownership of data in the agent's possession, such as the relationship between an employer and an employee, a client and an attorney, or a corporation and an officer or director. Furthermore, some jurisdictions expand the concept by finding that ESI is under a party's control when the party has the practical ability to obtain the ESI from a non-party, such as when a party could likely ask for the documents and obtain them from the non-party. Thus, parties may need to look to third parties for potential document preservation, including cloud storage providers, administrators of computer systems, payroll vendors, and individual employees or agents storing data on personal phones or home computers.
iii Limitations on the duty to preserve
Though very broad, preservation is not limitless. Parties are not required to preserve every piece of ESI. Preservation efforts should be proportional to the needs of the case 'considering the importance of the issues at stake in the action, the amount in controversy, the parties' relative access to relevant information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit'.11 ESI that has marginal utility or relevance is more likely to be found disproportional for purposes of preservation.
Unfortunately, proportionality can be an amorphous standard that can be difficult to apply, which means that parties faced with costly preservation efforts should seek to negotiate preservation obligations with opposing parties. If agreement cannot be reached, parties may be forced to seek court intervention, at which time they must be prepared to explain the specific burden or cost associated with preserving material along with why the information is of little benefit.
iv Penalties for failure to preserve ESI
If a party fails to preserve ESI in anticipation of litigation, Rule 37(e) governs the sanctions available. The Rule 'forecloses reliance on inherent authority or state law to determine when certain measures should be used'.12 Under this Rule, sanctions will only apply if a party had a duty to preserve information and failed to take reasonable steps to preserve; the information was lost because the party failed to take reasonable steps; the information could not be restored or replaced through additional discovery; and the loss of the information was prejudicial.
Assuming all criteria for sanctions have been met, any sanction granted must be no greater than necessary to cure the prejudice created from the loss. The determination of an appropriate sanction is left to the sound discretion of the judge and should be assessed on a case-by-case basis. Sanctions for failure to preserve may vary, and can include an award of attorney's fees, cost shifting, evidentiary restrictions, issue preclusion, striking claims and defences, special jury instructions, and default judgment or dismissal. However, Rule 37(e) imposes a uniform standard for the use of more severe sanctions, such as adverse inferences, dismissal or default judgment, limiting the most severe sanctions to only those instances when a party intentionally destroyed information with an intent to deprive another party from using the information in the litigation. Courts may not circumvent this standard by granting a 'lesser' sanction that would have the same effect as the harsher sanctions permitted only when there has been an intent to deprive, such as granting evidentiary restrictions that preclude a party from offering any evidence or striking an entire pleading so that the party no longer has claims or defences.
IV REQUESTS AND SCOPE
i Rule 26(f) – meet and confer
Rule 26(f) requires that parties meet and confer to discuss issues related to preserving discoverable ESI as well as to develop a discovery plan that will govern collection and production of ESI. This meet and confer provides litigants with an opportunity to control the discovery process and rein in discovery costs.
Among other items, the required discovery plan must include:
- the subjects on which discovery may be needed, when discovery should be completed, and whether discovery should be conducted in phases or be limited to or focused on particular issues;
- any issues about disclosure, discovery or preservation of ESI, including the form or forms in which it should be produced;
- any issues about claims of privilege or protection, including whether to ask for an order under Federal Rule of Evidence 502 to protect against waiver of privilege by production; and
- what changes should be made in the limitations on discovery imposed by the Federal Rules or local rules as well as what other limitations should be imposed.
Parties should be prepared to discuss the topics about which discovery will be sought; custodians from whom discovery will be sought; non-custodial sources of data from which discovery will be sought; inaccessible data; the preservation process and any limitation on preservation; the relevant time frame for ESI; methods for searching for relevant ESI; the format in which ESI should be produced; protection of confidential information or trade secrets; issues related to data located outside the United States; 502 privilege protections; and any proposed staging or limiting of discovery.
ii Making Rule 34 requests for production
Using the discovery plan as a framework, a litigant may request that the opposing party produce ESI within its possession, custody or control that is relevant to any party's claims or defences and proportional to the needs of the case, not just those that it may use to support its own claims or defences.
Requesting parties are obligated to seek ESI that is relevant and proportional to the needs of the case. Requests for ESI must be reasonably specific, as requests for 'any and all' emails or other ESI are typically disfavoured by courts and deemed disproportional to the needs of the case.
If the discovery plan has not adopted a production format for ESI, the discovery requests should also specify the form or forms in which different types of ESI should be produced.
iii Responding to Rule 34 requests for production
When responding to discovery requests, a party must either object to the requests or produce any responsive, non-privileged ESI within its possession, custody or control that has been requested. In determining whether to object, responding parties will need to assess whether the request seeks relevant and proportional information within its possession, custody or control in the format agreed to by the parties. If not, responding parties should object.
Objections and responses to requests should be specific, state whether the responding party is withholding any responsive documents on the basis of an objection, indicate whether the responding party is producing copies of documents or ESI, or instead is permitting inspection of the documents or ESI, and state whether the production or inspection will be made by the time specified in the request or at another reasonable time specified by the producing party. 'Boilerplate objections' or lists of very general objections made at the beginning of the responses are not allowed and are considered meaningless.
Some objections are unique to ESI requests. For example, a party should object if the other side seeks direct access and inspection of the party's computer systems. Direct access to a party's electronic systems is typically not permitted without a finding of some sort of discovery misconduct or the presence of unique factual circumstances that might necessitate access, such as when theft or misappropriation of trade secret data has been alleged. A party should also object when the opposing party seeks inaccessible ESI, such as data that requires restoration or forensic recovery. Whenever lodging an inaccessibility objection, the party must identify the data that is not being searched and produced. Similarly, another unique ESI objection is an objection to the format of production requested. If a responding party objects to the requested form of production, the responding party must state the form in which it intends to produce ESI. This form must be either the form in which the ESI is ordinarily maintained or a reasonably usable form.
More general objections that apply to all discovery can take on further importance when ESI is implicated. A responding party should object to any request that is disproportional to the needs of the case when the information sought is of marginal utility to resolving the issues. When lodging a proportionality objection, the responding party must be prepared both to quantify the costs associated with collecting and producing the ESI and to demonstrate the ESI's lack of usefulness to the litigation. Another common objection is that requests are overly broad, such as when they seek 'all' of a type of data, or are not reasonably limited in time frame or the number of sources to be searched. Given the proliferation and redundancy of data, a responding party should object to a request seeking ESI that is cumulative or duplicative of ESI already produced, or that might be obtained from another more convenient source.
iv Rule 45 subpoenas
ESI may also be sought by subpoena from a third party, though like discovery from parties, the breadth and scope of discovery from non-parties is limited by the relevance and proportionality requirements of Rule 26. Courts often find that third parties should be afforded more proportionality protections. Parties issuing subpoenas are required to take steps to minimise the burden on third parties and protect third parties from undue expense.
As with parties responding to discovery requests, a third party responding to a subpoena has a duty to preserve relevant data and may object to requests seeking data that is disproportionate to the needs of the case or that is not reasonably accessible. The party responding to a subpoena has the burden of demonstrating any burden associated with the subpoena and why the subpoena should be modified or quashed.
V REVIEW AND PRODUCTION
i ESI production timing
Parties are required to make initial disclosures within 14 days of the parties' Rule 26(f) conference. The initial disclosures must describe or provide copies of ESI that the disclosing party 'may use to support its claims or defenses'.13
Parties are further required to respond to Rule 34 requests for production within 30 days of being served or within 30 days of the Rule 26(f) conference, if served beforehand. In practice, parties will provide their written objections to requests and written responses within 30 days. However, the actual production of documents may come much later. The Federal Rules require that production be completed 'no later than the time for inspection specified in the request or another reasonable time specified in the response'.14 Given the time often necessary to collect and review ESI, responding parties may negotiate timelines for production with opposing parties. Alternatively, absent an ability to agree, responding parties may specify a time to begin making productions and may continue to make supplemental 'rolling' productions of documents until review is completed.
ii Review tools
There are many tools litigants may use to analyse data to determine what must be produced, including objective filtering (such as filtering by date), term and phrase searching, domain analysis, message threading, near-duplicate identification, concept clustering and visualisation tools. In addition, many US litigants employ technology-assisted review (TAR), which refers to machine-assisted classifying technologies, to facilitate review and analysis.
The rationale for using any analytic tool, and particularly TAR, is to reduce the cost of review by assisting individuals in identifying the documents most likely to be responsive while helping individuals separate out and avoid reviewing non-responsive documents.
US courts are increasingly encouraging the use of TAR to promote the aims of Rule 1 – a just, speedy and inexpensive determination of the action. Yet, courts have been reluctant to require the use of TAR thus far, deeming the producing party to be in the best position to determine how to search for, review and produce responsive ESI.
While many litigants have embraced TAR, technologies are constantly evolving, with new review technologies on the horizon. Artificial intelligence (AI) technologies are being developed to assist in analysing data for US litigation. Ultimately, no matter what technology is chosen, a litigant must be able to explain any technology used, old or new, and how that technology produced defensible results.
iii Protecting privileged ESI in e-discovery
Parties need only produce non-privileged, responsive ESI to another party. As such, privileged documents, including those protected by attorney–client privilege and work-product immunity, need not be produced. Technological tools may be employed to assist attorneys in locating privileged documents requiring protection from disclosure.
Whenever ESI is withheld because of an applicable privilege, the party must 'describe the nature of the documents, communications, or tangible things not produced or disclosed – and do so in a manner that, without revealing information itself privileged or protected, will enable the other parties to assess the claim'.15 This Rule has led to parties creating logs of privileged documents being withheld. The contents of these logs may be the subject of local rules and can also be the subject of an agreement between the parties.
Yet, even when technological tools are employed and documents have been logged, the vast quantity of ESI poses significant challenges when trying to protect privileged information from being disclosed. For years, courts embarked on varied analyses to determine whether the disclosure of privileged ESI through mistaken production constituted a privilege waiver. Now, parties may avoid these varied analyses altogether by seeking an order under Federal Rule of Evidence 502(d) to protect against the waiver of attorney–client privilege or work-product immunity by the mere production of ESI. This order can protect a party from incurring protracted arguments over whether a privilege has been waived under the default Federal Rule of Evidence 502(b) standard, including arguments over whether the disclosure was inadvertent, whether the holder of the privilege took reasonable steps to prevent disclosure and whether the holder of the privilege took reasonable steps to rectify the disclosure.
iv Challenging an opponent's production
If a party believes an opponent's production is incomplete, the party should raise the issue with the opponent. Should the parties be unable to resolve the issue, the requesting party may file a motion to compel production under Rule 37(a). Failure to meet and confer before filing the motion to compel will preclude the moving party from seeking costs for making the motion.
Other mechanisms for challenging a production can be found in Rule 37. If the court has entered a discovery order and the opponent fails to comply, the requesting party should file a motion under Rule 37(b). A requesting party might file a motion under Rule 37(c) if its opponent fails to supplement responses and provide information requested in discovery. Under Rule 37(d), a requesting party may seek sanctions if its opponent wholly fails to serve its answers, objections or written responses to a request for production.
VI PRIVACY ISSUES
A business within the United States is generally required to preserve, collect and produce data within the organisation's possession, custody or control. Unlike in other jurisdictions throughout the world, where an employee or data subject about whom information relates has privacy rights to the data, US employees and individuals have far more limited rights. Businesses that are considered the owners of data within their possession will be required to produce this information to opposing parties and the courts.
Various federal and state privacy laws and rules create a patchwork of regulations that govern the management of certain consumer and employee information. This legal patchwork may limit or prevent a company from disclosing protected personal information to third parties, including in discovery. However, the definition of what must be protected and when it must be protected is still far narrower than in other jurisdictions.
One of the more common examples of information that must be protected is personally identifiable health information that the healthcare industry must protect under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Yet, such information may still be required to be produced in certain circumstances. HIPAA includes a provision for the entry of a qualified protective order that allows a party to produce records that contain protected personal health information as long as the records are produced in accordance with the entered qualified protective order.
Another example of information that must be protected is personally identifiable financial information that financial institutions must protect under the Gramm-Leach-Bliley Act of 1999. However, this Act contains a carve-out provision for a financial institution to comply with subpoenas or 'respond to judicial process'.16 Still, many parties will agree that this information may be redacted from produced documents when the information is irrelevant to the claims or defences in the matter.
A best practice when producing HIPAA or Gramm-Leach-Bliley protected information is to produce the data in encrypted form to protect against any potential unauthorised disclosure of information. The same can be said for other information that may be protected under various state laws, such as social security numbers, driver's licence numbers and financial account information.
While the United States has not enacted sweeping privacy laws like the European Union's General Data Protection Regulation (GDPR), more jurisdictions within the United States are beginning to assess the need for further data privacy protections. California enacted sweeping consumer data protections under the California Consumer Privacy Act of 2018. This Act provides for a right to know what data is being collected and shared, the right to request deletion of information, and the right to opt out of the sale of personal information to third parties. The city of Chicago is also considering the enactment of a Personal Data Collection and Protection Ordinance.
Moreover, data breaches have been the subject of much scrutiny in Congress, the courts and elsewhere. Numerous class actions have been filed in recent years owing to consumer data breaches. Parties should have plans in place for responding to data breaches implicating personal information.
Even when US privacy laws are not implicated in a matter, owing to increases in data globalisation, companies operating in the global economy are routinely finding that data stored outside the United States is relevant in US legal proceedings. However, obtaining data located outside the United States for US discovery purposes can be problematic. Many countries have laws that protect privacy rights – including in corporate data – and that act as a barrier to US discovery. Data protection laws found throughout much of the rest of the world that limit cross-border transfers of ESI, including in the Asia-Pacific region, the Americas, Europe and the Middle East, do not exist in the United States. As such, many US courts have been resistant to claims that data privacy prevents the disclosure of information in litigation or apply their own understanding of data privacy regulations.17
VII OUTLOOK AND CONCLUSIONS
Upcoming changes in e-discovery law will be focused on bringing about the just, speedy and inexpensive determination of matters in accordance with Rule 1. Courts and litigants will continue to look for ways to speed up the e-discovery process while reducing costs. Future e-discovery technologies and AI tools will be aimed at achieving this goal.
Data privacy will continue to be a focus. The intersection between broad-based US discovery and foreign data privacy regulations, such as the GDPR, will continue to play out in courts. Data breaches and privacy concerns could also result in the passage of more stringent regulations governing privacy in various jurisdictions. Even Congressmen from both parties have expressed interest in passing data privacy legislation in 2019.
1 Jennifer Mott Williams is an associate at Morgan, Lewis & Bockius LLP.
2 Fed. R. Civ. P. 34 advisory committee's note (2006).
4 Fed. R. Civ. P. 1.
5 Compare IDC Financial Publications, Inc. v. Bonddesk Group, LLC, No. 15-cv-1085-pp, 2017 WL 4863202 (E.D. Wis. Oct. 26, 2017), with In re Takata Airbag Products Liability Litigation, 14-24009-CV-MORENO, 2016 WL 1460143 (S.D. Fla. Feb. 24, 2016).
6 See, e.g., Fairholme Funds, Inc. v. United States, 134 Fed. Cl. 680 (Fed. Cl. 2017). Others have rejected this reasoning, noting that the scope of discovery is governed by Rule 26(b), which explicitly excludes privileged information. See Winfield v. City of N.Y., 15-cv-05236, 2018 WL 2148435 (S.D.N.Y. May 10, 2018).
7 CLOUD Act Section 103(a)(1).
8 See Ex. B. to N.Y. Commercial Division Part 53 Practice Rule (providing that data subject to the EU General Data Protection Regulation or other foreign laws restricting the processing or transfer of data to the United States need not be searched and produced).
9 See In re Bard IVC Filters Products Liability Litigation, 317 F.R.D. 562 (D. Ariz. 2016); and In re Davol, Inc./C.R. Bard, Inc. Polypropylene Hernia Mesh Products Liability Litigation, 2019 WL 341909 (S.D. Ohio Jan. 28, 2019).
10 See In re Accent Delight International Ltd., 16-MC-125, 2018 WL 2849724 (S.D.N.Y. June 11, 2018), appeal filed (rejecting claim that Section 1782 only permits discovery of information located in the United States in ordering production of information from offices of a foreign affiliate because Section 1782 allows a court to order any person who 'resides or is found' in the district to produce documents).
11 Fed. R. Civ. P. 26(b)(1).
12 Fed. R. Civ. P. 37 advisory committee's note (2015).
13 Fed. R. Civ. P. 26(a)(1)(A)(ii).
14 Fed. R. Civ. P. 34.
15 Fed. R. Civ. P. 26(b)(5).
16 15 U.S.C. Section 6802(e)(8).
17 See Finjan, Inc. v. Zscaler, Inc., 2019 WL 618554 (Feb. 14, 2019) (concluding that the GDPR did not preclude discovery).