The e-Discovery and Information Governance Law Review: USA
The law governing electronic discovery (e-discovery) is continually developing. US courts, administrative agencies and regulatory bodies often have an expansive view of discovery of electronically stored information (ESI). This view stems from the notion that broad discovery helps facilitate the quest for truth.
The Federal Rules of Civil Procedure (Federal Rules), state procedural rules, Federal Rules of Evidence, state evidentiary rules, regulatory agency rules, other local rules, and case law created by judicial and regulatory opinions form a patchwork of law governing e-discovery. Although courts and regulatory authorities are adapting evidentiary and procedural rules to the realities of e-discovery, courts, regulatory authorities and litigants struggle to keep up with ever-changing technologies and data proliferation. The Federal Rules intentionally avoid defining the term electronically stored information with precision in order to accommodate '[t]he wide variety of computer systems currently in use, and the rapidity of technological change'.2 Thus, the Federal Rules envision the discovery of 'any type of information that is stored electronically',3 including forms of ESI not yet invented.
In the United States, the producing party typically bears the costs of producing ESI. For years, litigants struggled with increasing e-discovery costs. Explosions in data volumes coupled with expansive views of discovery resulted in e-discovery costs that threatened to overwhelm litigation. Moreover, courts took varying approaches in sanctioning parties that failed to preserve ESI: some courts granted adverse inferences that, in essence, were outcome-determinative when parties were negligent or grossly negligent in failing to preserve ESI, while others only granted these sanctions when a party acted in bad faith. Litigants grew increasingly concerned that cases were being decided based upon e-discovery costs and threat of sanctions as opposed to the merits.
Recognising the need to rein in e-discovery costs and provide more uniformity and certainty for litigants, the 2015 Amendments to the Federal Rules explicitly make proportionality an element of the scope of discovery and reserve outcome-determinative sanctions for those cases where a party acts in bad faith.
Generally, Rule 26(b)(1) governs the scope of discovery. A party may discover:
[A]ny nonprivileged matter that is relevant to any party's claim or defense and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties' relative access to relevant information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit.
Moreover, for years parties were at odds over e-discovery. Despite the contentious nature of US litigation, courts and litigants are recognising the need for parties to cooperate to bring about the 'just, speedy, and inexpensive'4 determination of a matter. Thus, the Federal Rules and local rules have been amended to improve cooperation between parties through requiring meet and confers and informal e-discovery discussions.
A party can help control its e-discovery costs as well as the entire e-discovery process through thoughtful strategic planning, knowledge of the ESI landscape and an understanding of the needs of a case. Armed with this knowledge, responding parties may lessen their e-discovery burdens, and might even seek to shift costs when the production costs exceed a reasonable and proportional amount.
Year in review
Courts continue to seek new ways to reduce e-discovery burdens and expenses. The Mandatory Initial Discovery Pilot Project, which requires parties to respond to standard discovery requests before undertaking other discovery in the District of Arizona and Northern District of Illinois, should end in mid-2020. Thus far, participants have reported that parties are producing relevant information earlier, but the Project has not lessened e-discovery burdens.5
New rules and regulations require cooperation. Proposed amendments to the Federal Rules require that parties meet and confer before any 30(b)(6) deposition, which may be of particular importance when faced with the proverbial 'discovery about discovery' deposition seeking testimony about data preservation, collection and production. In addition, more courts are instituting local rules requiring meet and confers before e-discovery issues are raised with courts.
Courts and parties must remain cognisant of the ever-changing technology landscape. Because ESI subject to discovery encompasses information in any form, recent cases have focused on newer technologies, including cloud computing, mobile devices and communication applications. Newer technologies can create unique challenges for organisations, including issues associated with information governance, privacy, collection and production, and potential waiver of privilege or confidentiality.
Data privacy remains a major concern for organisations facing a myriad of regulations. The California Consumer Privacy Act (CCPA) went into effect in January 2020. The potential enactment of additional privacy regulations elsewhere will require continued agility in e-discovery and information governance.
Many US organisations rely on the Privacy Shield to comply with the European Union's General Data Protection Regulation (GDPR). As a result, the Federal Trade Commission (FTC) has escalated its review of Privacy Shield participants, enforcing the framework by issuing record-breaking penalties, bringing claims against companies that signed up for the framework but did not complete the process, and taking action against companies that allowed certifications to lapse but misrepresented their continued participation. The FTC has affirmed its commitment to 'continue to do its part to ensure that the Privacy Shield remains a robust mechanism for protecting privacy and enabling transatlantic data flows'.6
While the laws governing e-discovery and information governance continue to evolve, there are still issues that must be resolved.
i State rules versus the Federal Rules
Although the 2015 Federal Rules amendments address proportionality and sanction concerns, not all states have updated their respective rules. Therefore, parties may still face uncertainty as to discovery in state court litigation.
ii Redactions for irrelevant information
Some courts allow parties to redact non-responsive information, while others reject this practice.7 Courts denying redactions cite the lack of authority for them and the need for a party to see information in context, while courts allowing redactions often find compelling reasons for them, such as protecting unique business information, and believe requesting parties are not entitled to irrelevant information.
iii Quick peeks
Courts appear to disagree on the scope and meaning of Federal Rule of Evidence 502 and its interplay with Rule 26. When faced with burden and proportionality arguments, some courts are requiring parties to provide a 'quick peek' under Rule 502(d), allowing the opposing party to view all documents without the producing party risking privilege waiver.8
iv Extraterritorial discovery
Cross-border discovery remains a moving target. The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) has made clear that Stored Communications Act Section 2703 warrants apply to data held outside the United States. The CLOUD Act requires a company with US contacts to preserve and disclose the contents of a stored communication 'regardless of whether such communication, record or other information is located within or outside of the United States'.9 However, the CLOUD Act does contain comity provisions that may limit the government's ability to access data stored abroad. The Act allows service providers to move to quash when the subscriber 'is not a United States person and does not reside in the United States; and . . . the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government', but does not provide subscribers with a similar right.10
Lower courts remain divided on the production of documents located outside the United States. Some courts are trying to remove data subject to foreign data regulations from the discovery process as much as possible.11 Others are applying proportionality concepts in determining whether foreign data is really relevant or can be narrowed in some manner,12 and still others are ordering extraterritorial discovery under other rules, such as 28 USC Section 1782.13
Control and preservation
i The duty to preserve
Generally, the duty to preserve arises whenever there is a reasonable anticipation of litigation. Reasonable anticipation of litigation includes not only traditional litigation, but also any proceedings before administrative agencies or other regulatory bodies.
ii The scope of preservation
The general scope of discovery – which encompasses anything relevant and proportional to the needs of a case – governs the scope of preservation. Thus, whenever the duty to preserve arises, a party must take affirmative steps to identify and preserve unique, potentially relevant and proportional ESI in its possession, custody or control.
Preservation extends beyond the ESI within a party's physical possession to that over which the party has the 'legal right' to obtain the ESI upon demand. This legal right may be found when there are contractual provisions granting a right of access to ESI or when there is a principal–agent relationship that provides the principal with ownership of data in the agent's possession, such as the relationship between an employer and an employee, a client and an attorney, or a corporation and an officer or director. Furthermore, some jurisdictions expand the concept by finding that ESI is under a party's control when that party has the practical ability to obtain the ESI from a non-party, such as when a party could likely ask for documents and obtain them from the non-party. Thus, parties may need to look to third parties for potential document preservation, including cloud storage providers, computer system administrators, payroll vendors, and individual employees or agents storing data on personal phones or home computers.
iii Limitations on the duty to preserve
Although very broad, preservation is not limitless. Parties are not required to preserve every piece of ESI. Preservation efforts should be proportional to the needs of a case 'considering the importance of the issues at stake in the action, the amount in controversy, the parties' relative access to relevant information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit'.14 ESI of marginal utility or relevance is more likely to be found disproportional for purposes of preservation.
Unfortunately, proportionality can be an amorphous standard that can be difficult to apply, meaning that parties faced with costly preservation efforts should seek to negotiate preservation obligations with opposing parties. If agreement cannot be reached, parties may be forced to seek court intervention, at which time they must be prepared to explain the specific burden or cost associated with preserving material along with why the information is of little benefit.
iv Penalties for failure to preserve ESI
If a party fails to preserve ESI in anticipation of litigation, Rule 37(e) governs the sanctions available. The Rule 'forecloses reliance on inherent authority or state law to determine when certain measures should be used'.15 Under this Rule, sanctions will only apply if:
- a party had a duty to preserve information and failed to take reasonable steps to preserve;
- the information was lost because the party failed to take reasonable steps;
- the information could not be restored or replaced through additional discovery; and
- the loss of the information was prejudicial.
Assuming the above criteria for sanctions are met, any sanction granted must be no greater than necessary to cure the prejudice created from the loss. Judges retain discretion to determine an appropriate sanction, which should be assessed on a case-by-case basis. Sanctions for failure to preserve may vary, and can include an award of attorneys' fees, cost shifting, evidentiary restrictions, issue preclusion, striking claims and defences, special jury instructions, and default judgment or dismissal. However, Rule 37(e) imposes a uniform standard for imposing severe sanctions, such as adverse inferences, dismissal or default judgment, limiting the most severe sanctions to only those instances when a party intentionally destroyed information with the intent to deprive another party from using the information in the litigation. Courts may not circumvent this standard by granting a lesser sanction that has the same effect as the harsher sanctions permitted only when there has been an intent to deprive, such as granting evidentiary restrictions that preclude a party from offering any evidence or striking an entire pleading so that the party no longer has claims or defences.
Requests and scope
i Rule 26(f): meet and confer
Rule 26(f) requires that parties meet and confer to discuss issues related to preserving discoverable ESI and to develop a discovery plan governing the collection and production of ESI. This meet and confer provides litigants with an opportunity to control the discovery process and lessen discovery costs.
Among other items, the required discovery plan must include:
- the subjects on which discovery may be needed, when discovery should be completed, and whether discovery should be conducted in phases or be limited to or focused on particular issues;
- any issues about disclosure, discovery or preservation of ESI, including the form or forms in which it should be produced;
- any issues about claims of privilege or protection, including whether to ask for an order under Federal Rule of Evidence 502 to protect against waiver of privilege by production; and
- what changes should be made in the limitations on discovery imposed by the Federal Rules or local rules, as well as what other limitations should be imposed.
Parties should be prepared to discuss:
- the topics about which discovery will be sought;
- custodians and non-custodial sources from which discovery will be sought;
- inaccessible data;
- the preservation process and any limitation on preservation;
- the relevant time frame for ESI;
- methods for searching for relevant ESI;
- the format in which ESI should be produced;
- the protection of confidential information or trade secrets;
- issues related to data located outside the United States;
- 502 privilege protections; and
- any proposed staging or limiting of discovery.
ii Making Rule 34 requests for production
Using the discovery plan as a framework, a litigant may request that the opposing party produce ESI within its possession, custody or control that is relevant to any party's claims or defences and proportional to the needs of the case, not just those that it may use to support its own claims or defences.
Requests for ESI must be reasonably specific, as requests for 'any and all' emails or other ESI are typically disfavoured by courts and deemed disproportional to the needs of a case.
If a discovery plan has not adopted an ESI production format, the discovery requests should also specify the form or forms of production for different types of ESI.
iii Responding to Rule 34 requests for production
When responding to discovery requests, a party must either object to the requests, or produce responsive, non-privileged ESI within its possession, custody or control. In determining whether to object, responding parties should assess whether a request seeks relevant and proportional information within its possession, custody or control in the format agreed to by the parties. If not, the responding parties should object.
Objections and responses to requests should:
- be specific;
- state whether the responding party is withholding any responsive documents on the basis of an objection;
- indicate whether the responding party is producing copies of documents or ESI, or instead is permitting inspection of documents or ESI; and
- state whether production or inspection will be made by the time specified in the request or at another reasonable time specified by the producing party.
'Boilerplate objections' or lists of very general objections made at the beginning of responses are not allowed and are considered meaningless.
Some objections are unique to ESI requests. For example, a party should object to requests for direct access and inspection of its computer systems. Direct access to a party's electronic systems is typically not permitted without a finding of discovery misconduct or the presence of unique factual circumstances that might necessitate access, such as alleged theft or misappropriation of trade secret data. A party should also object to requests seeking inaccessible ESI, such as data that requires restoration or forensic recovery. Whenever lodging an inaccessibility objection, the party must identify the data that is not being searched and produced. Similarly, another unique ESI objection is an objection to the requested production format. If a responding party objects to the requested production format, the responding party must state the form in which it intends to produce ESI. This form must be either the form in which the ESI is ordinarily maintained or a reasonably usable form.
Objections applicable to all discovery can take on further importance when ESI is implicated. A responding party should object to any request that is disproportional to the needs of a case when the information sought is of marginal utility to resolving the issues. When lodging a proportionality objection, the responding party must be prepared both to quantify the costs associated with collecting and producing the ESI and to demonstrate the ESI's lack of usefulness to a litigation. Another common objection is that requests are overly broad, such as when they seek all of a type of data, or are not reasonably limited in time frame or the number of sources to be searched. Given the proliferation and redundancy of data, a responding party should object to a request seeking ESI that is cumulative or duplicative of ESI already produced, or that might be obtained from another more convenient source.
iv Rule 45 subpoenas
Parties may use subpoenas to seek ESI from third parties, although like discovery from parties, the breadth and scope of discovery from non-parties is limited by Rule 26's relevance and proportionality requirements. Courts often afford third parties more proportionality protections, and parties issuing subpoenas are required to take steps to avoid imposing undue burden or expense on third parties.
Like responding parties, third parties responding to subpoenas have a duty to preserve relevant data and may object to requests seeking data that is not reasonably accessible or that is disproportionate to the needs of the case, in which case third parties have the burden of demonstrating any burden associated with a subpoena.
Review and production
i ESI production timing
Parties are required to make initial disclosures within 14 days of the Rule 26(f) conference. The initial disclosures must describe or provide copies of ESI that the disclosing party 'may use to support its claims or defenses'.16
Parties are further required to respond to Rule 34 requests for production within 30 days of being served or within 30 days of the Rule 26(f) conference, if served beforehand. In practice, parties will provide their written objections and responses to requests within 30 days. However, the actual production of documents may come much later. The Federal Rules require that production be completed 'no later than the time for inspection specified in the request or another reasonable time specified in the response'.17 Given the time often necessary to collect and review ESI, responding parties may negotiate timelines for production with opposing parties. Alternatively, absent an agreement, responding parties may specify a time to begin making productions and may continue to make supplemental 'rolling' productions until review is completed.
ii Review tools
Litigants may use many tools to analyse data to determine what must be produced, including objective filtering (such as filtering by date), term and phrase searching, domain analysis, message threading, near-duplicate identification, concept clustering and visualisation tools. In addition, many US litigants employ technology-assisted review (TAR), which refers to machine-assisted classifying technologies, to facilitate review and analysis.
The rationale for using any analytic tool, and particularly TAR, is to reduce the cost of review by assisting individuals in identifying the documents most likely to be responsive while helping individuals separate out and avoid reviewing non-responsive documents.
US courts are increasingly encouraging the use of TAR to promote the aims of Rule 1 – a just, speedy and inexpensive determination of an action. However, courts have been reluctant to require the use of TAR, deeming the producing party to be in the best position to determine how to search for, review and produce responsive ESI.
While many litigants embrace TAR, technologies are constantly evolving, with new review technologies on the horizon. Artificial intelligence (AI) technologies are being developed to assist in analysing data for US litigation. Ultimately, no matter what technology is chosen, a litigant must be able to explain any technology used, old or new, and how that technology produced defensible results.
iii Protecting privileged ESI in e-discovery
Parties need only produce non-privileged, responsive ESI to another party. Therefore, privileged documents, including those protected by attorney–client privilege and work-product immunity, need not be produced. Parties may employ technological tools to assist attorneys in locating privileged documents requiring protection from disclosure.
Whenever privileged ESI is withheld, the withholding party must 'describe the nature of the documents, communications, or tangible things not produced or disclosed – and do so in a manner that, without revealing information itself privileged or protected, will enable the other parties to assess the claim'.18 This Rule has led to parties creating logs of privileged documents being withheld. The contents of these logs may be the subject of local rules and can also be the subject of an agreement between the parties.
However, even when technological tools are employed and documents are logged, the vast quantity of ESI poses significant challenges when trying to protect privileged information from disclosure. For years, courts embarked on varied analyses to determine whether the disclosure of privileged ESI through mistaken production constituted a privilege waiver. Now, parties may avoid these varied analyses altogether by seeking an order under Federal Rule of Evidence 502(d) to protect against the waiver of attorney–client privilege or work-product immunity by the mere production of ESI. This order can protect a party from incurring protracted arguments over whether a privilege has been waived under Federal Rule of Evidence 502(b), including arguments over whether the disclosure was inadvertent, whether the privilege holder took reasonable steps to prevent disclosure and whether the privilege holder took reasonable steps to rectify the disclosure.
iv Challenging an opponent's production
If a party believes an opponent's production is incomplete, that party should raise the issue with its opponent. Should the parties be unable to resolve the issue, the requesting party may file a motion to compel production under Rule 37(a). Failure to meet and confer before filing the motion to compel will preclude the moving party from seeking costs for making the motion.
Rule 37 provides other mechanisms for challenging a production. If a court has entered a discovery order and the opponent fails to comply, the requesting party should file a motion under Rule 37(b). A requesting party might file a motion under Rule 37(c) if its opponent fails to supplement responses and provide information requested in discovery. Under Rule 37(d), a requesting party may seek sanctions if its opponent wholly fails to serve its answers, objections or written responses to a discovery request.
A business within the United States is generally required to preserve, collect and produce data within the organisation's possession, custody or control. Unlike in other jurisdictions throughout the world, where an employee or data subject about whom information relates has privacy rights to the data, US employees and individuals have far more limited rights. Organisations, considered the owners of data within their possession, will be required to produce this data to opposing parties and the courts.
Various federal and state privacy laws and rules create a patchwork of regulations that govern the management of certain ESI. This legal patchwork may limit or prevent a company from disclosing protected personal information to third parties, including in discovery. However, the definition of what must be protected and when it must be protected is usually far narrower than in other jurisdictions.
One common example of information that must be protected is personally identifiable health information that the healthcare industry must protect under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, such information may still be required to be produced in certain circumstances. HIPAA includes a provision for the entry of a qualified protective order that allows a party to produce records that contain protected personal health information as long as the records are produced in accordance with the entered qualified protective order.
Another example of information that must be protected is personally identifiable financial information that financial institutions must protect under the Gramm-Leach-Bliley Act of 1999. However, this Act contains a carve-out provision for a financial institution to comply with subpoenas or respond to judicial process.19 Still, many parties will agree to the redaction of this information when the information is irrelevant to the claims or defences in a matter.
Various state laws may protect other information, including social security numbers, driver's licence numbers and financial account information.
A best practice when producing protected information is to produce the data in encrypted form to protect against any potential unauthorised disclosure of information.
While the United States has not enacted sweeping privacy laws like the GDPR, more jurisdictions within the United States are beginning to assess the need for further data privacy protections. The CCPA, which came into effect this year, provides for a right to know what data is being collected and shared, the right to request deletion of information and the right to opt out of the sale of personal information to third parties. Litigation claims have already been filed under the CCPA. Other states, including New York and Washington, are considering similar data privacy laws.
The absence of such laws can leave individuals without rights to assert claims for the disclosure of personal information.20 To address the lack of uniformity, the Uniform Law Commission has begun drafting a proposed uniform law: the Collection and Use of Personally Identifiable Data Act.
Data breaches have been the subject of much scrutiny by Congress, state agencies and the courts. Numerous data breach class actions have been filed in recent years. Parties should have plans in place for responding to data breaches implicating personal information.
Even when US privacy laws are not implicated, because of data globalisation, companies operating in the global economy are routinely finding that data stored outside the United States is relevant in US legal proceedings. However, obtaining data located outside the United States for US discovery purposes can be problematic. Many countries have laws protecting privacy rights – including in corporate data – that act as a barrier to US discovery. Data protection laws limiting cross-border transfers of ESI found throughout much of the rest of the world, including in the Asia-Pacific region, the Americas, Europe and the Middle East, do not exist in the United States. As such, many US courts resist claims that data privacy prevents the disclosure of information in litigation or apply their own understanding of data privacy regulations.21 Parties objecting to discovery based on foreign data privacy laws must be prepared to show the court that foreign laws bar production.22
Outlook and conclusions
Upcoming changes in e-discovery law will be focused on bringing about the just, speedy and inexpensive determination of matters in accordance with Rule 1. Courts and litigants will continue to look for ways to speed up the e-discovery process while reducing costs. Future e-discovery technologies and AI tools will be aimed at achieving this goal.
Data privacy will continue to be a focus. The intersection between broad-based US discovery and foreign data privacy regulations, such as the GDPR, will continue to play out in the courts. Data breaches and privacy concerns could also result in the passage of more stringent regulations governing privacy in various jurisdictions. Even members of Congress from both major parties have proposed data privacy bills.
1 Jennifer Mott Williams is of counsel at Morgan, Lewis & Bockius LLP.
2 Fed. R. Civ. P. 34 advisory committee's note (2006).
4 Fed. R. Civ. P. 1.
5 Report on the Mandatory Initial Discovery Pilot, available at https://www.fjc.gov/sites/default/files/materials/49/Mandatory%20Initial%20Discovery%20Pilot%20Report.pdf.
6 See Prepared Remarks of Chairman Joseph Simons, Privacy Shield annual review (Sept. 12, 2019).
7 Compare IDC Financial Publications, Inc v. Bonddesk Group, LLC, No. 15-cv-1085-pp, 2017 WL 4863202 (E.D. Wis. Oct. 26, 2017), with Dixon v. Bank of America, NA, 2019 WL 4805964 (S.D. Fla. Oct. 1, 2019).
8 See, e.g., Fairholme Funds, In. v. United States, 134 Fed. Cl. 680 (Fed. Cl. 2017). Others have rejected this reasoning, noting that the scope of discovery is governed by Rule 26(b), which explicitly excludes privileged information. See Winfield v. City of NY, 15-cv-05236, 2018 WL 2148435 (S.D.N.Y. May 10, 2018).
9 CLOUD Act Section 103(a)(1).
10 See In re Search of Records, Information, and Data Associated with 14 Email Addresses Controlled by Google, LLC, -- F. Supp. 3d --, 2020 WL 556205 (D. Minn. Feb. 4, 2020) (denying the subscriber motion to quash finding the subscriber lacked standing to bring a motion).
11 See Ex. B. to N.Y. Commercial Division Part 53 Practice Rule (providing that data subject to the EU General Data Protection Regulation or other foreign laws restricting the processing or transfer of data to the United States need not be searched and produced).
12 See In re Bard IVC Filters Products Liability Litigation, 317 F.R.D. 562 (D. Ariz. 2016); and In re Davol, Inc/CR Bard, Inc Polypropylene Hernia Mesh Products Liability Litigation, 2019 WL 341909 (S.D. Ohio Jan. 28, 2019).
13 See In re Accent Delight International Ltd, 16-MC-125, 2018 WL 2849724 (S.D.N.Y. June 11, 2018), affirmed 791 Fed. Appx. 247 (2d Cir. 2019) (rejecting a claim that Section 1782 only permits discovery of information located in the United States in ordering the production of information from offices of a foreign affiliate because Section 1782 allows a court to order any person who 'resides or is found' in the district to produce documents).
14 Fed. R. Civ. P. 26(b)(1).
15 Fed. R. Civ. P. 37 advisory committee's note (2015).
16 Fed. R. Civ. P. 26(a)(1)(A)(ii).
17 Fed. R. Civ. P. 34.
18 Fed. R. Civ. P. 26(b)(5).
19 15 U.S.C. Section 6802(e)(8).
20 See Department of Labor v. McConnell, 828 S.E.2d 352 (Ga. 2019) (the party failed to state a claim under Georgia law when a state department inadvertently disclosed personal information).
21 See Finjan, Inc v. Zscaler, Inc, 2019 WL 618554 (Feb. 14, 2019) (concluding that the GDPR did not preclude discovery).
22 See In re Mercedes-Benz Emissions Litigation, 2020 WL 487228 (D.N.J. Jan. 30, 2020) (the court weighed national interests in broad discovery versus the GDPR in requiring the production of data subject to the GDPR).