Today’s Most Challenging Litigation Cost Issues: Privacy, Privilege And Over-Preservation Related To ESI

Thursday, March 28, 2013 - 15:24

The Editor interviews Mary Mack, Enterprise Technology Counsel, ZyLAB. Our readers may wish to note that ZyLAB presented a webinar on March 21. The webinar – titled “Privacy and Data Protection in E-Discovery” – offered practical approaches to reduce risk and cost of global data privacy and cross-border discovery challenges, and it included a presentation of how technology can help. The webinar is available on ZyLAB’s website for the next few months. To access the webinar, please click here.

Access Webinar Here!


Editor: Please tell us about your background, as well as ZyLAB.

Mack: I have been working in e-discovery for over 13 years and in information management and data processing for over 30 years. I am the enterprise technology counsel at ZyLAB and work mostly with corporations to normalize what has become a standard part of doing business for your readers. I help counsel defend lawsuits, assemble information required in government investigations and protect patents and trade secrets.

ZyLAB was the first vendor to offer desktop search of electronically stored information (ESI). ZyLAB has been working with information for about 30 years and has been called upon to assist in some of the most important trials both in the U.S. and around the world.

We do everything related to the discovery of electronic evidence. For example, we helped remedy a White House email problem some years ago. ZyLAB software provided the foundation for convictions in the criminal trials held by the U.N. War Crimes Tribunal. Having been developed and tested in such challenging situations, the software can easily support the needs of U.S. civil litigants.

Editor: ZyLAB recently offered a webinar reviewing data privacy and international issues. Please describe some highlights of that program.

Mack: Ken Rashbaum from Rashbaum Associates presided. Ken is well known in the field of privacy both in the United States and internationally. He is a leading authority on HIPAA, which delineates federal protections for personal health information held by covered entities and provides patients with a broad spectrum of privacy rights. In the webinar, he discussed some changes to privacy rules especially with Obamacare implementation.

Ken also mentioned upcoming changes to the EU Data Protection rules. These changes are designed to harmonize the ways that corporations and law firms handle protected data across borders, especially in the EU. Ken is working with the ABA to gain consensus within the United States legal community on how to handle incoming international data, to sensitize U.S. courts to what is happening overseas and to alert corporations to issues they may face in the countries where they do business. Ken pointed out that it is not only personal data that falls into the definition of “protected data” but that corporations have protections as well.

Also featured in the webinar was Johannes C. Scholtes, chief strategy officer at ZyLAB. He showed attendees how some machine-assisted techniques enable users to isolate and identify protected data, and suggested practical ways to handle such data.

Editor: Tell us about the Sedona Conference® publication on social media privacy.

Mack: The Sedona Conference does not yet provide formal guidelines because social media privacy is an emergent area. It points out that the many different court cases that have come down demonstrate conflicting opinions about handling social media, both among U.S. states and also internationally. One of the emerging trends is that in sexual harassment cases or hostile workplace cases, where emotional state or state of mind is important, judges are allowing access to plaintiff’s Facebook pages in their entirety rather than only what has been made public. However, there is a bit of a backlash. Some legislation, like that in California, forbids employers to use or even access that data. Overseas, the ethic is much more privacy-aware, with greater value being placed on personal privacy. 

Editor: You mentioned some exciting developments in reducing the cost of privilege review.

Mack: Yes, in the last few weeks, two judges, Judge Waxse and Judge Maas, both enforced FRE 502(d) clawbacks, although Judge Maas titled his a Rule 502(d) Stipulation Order. Most practitioners have started using FRE 502(b) clawbacks, which requires showing a standard of care in handling privileged information for a disclosure to be deemed an inadvertent waiver. With properly drafted 502 (d) clawbacks, if it is privileged and produced, it can be returned. While these cases needed court involvement to be enforced, as time goes on, I believe there will be much less cost and drama in getting privileged documents back.

Of course, the bell does not unring. The level of diligence should not be relaxed entirely. Judge Waxse’s case is Rajala v. McGuire Woods, LLP, Civil Action No. 08-2638-CM-DJW, USDC, Kansas, Jan. 3, 2013. The model order reads in part: “The inadvertent disclosure or production of any information or document that is subject to an objection on the basis of attorney-client privilege or work-product protection, including but not limited to information or documents that may be considered Confidential Information under the Protective Order (doc. 40) entered in this case on January 4, 2010, will not be deemed to waive a party’s claim to its privileged or protected nature or estop that party or the privilege holder from designating the information or document as attorney-client privileged or subject to the work product doctrine at a later date. Any party receiving any such information or document shall return it upon request from the producing party.”

With this new legal tool, technology-assisted review, predictive coding and sampling, the total cost of electronic discovery should plummet.

Editor: What is new in international privacy?

Mack: The EU is now on the tail-end of harmonizing data protection laws. What we face now in e-discovery and e-commerce in the international business world is a hodgepodge of local rules for each country, whether in the EU or the Far East or South America. Each country has its own standards of privacy. It is much like the effort here in the U.S. to amend the Rules of Civil Procedure with respect to electronic information so that basic uniform rules apply in all federal courts, and as much as possible within the states.

It has been very difficult for companies to move data for legal purposes across borders and in a timely manner. The EU is now trying to clarify the rules with respect to data protection, but in doing so it has opened up a whole can of worms and a world of opportunity. Under the EU draft, there are permissions to get and standards to achieve with respect to things such as apps, cookies and cloud computing. Silicon Valley has been lobbying quite a bit on this issue because apps and cloud are international, just as the Internet is international.

Also, the EU is working with APEC (Asian Pacific Economic Cooperation) on privacy rules. Therefore, it is doubly important that there be U.S. involvement during this inflection time.

Multinationals are currently using something called Binding Corporate Rules, which allow the certain transfers of data across borders. However, questions have been raised with respect to whether the Binding Corporate Rules are sufficient. There are moves to make the Binding Corporate Rules more difficult to use and, on the other hand, to make them easier to use and more institutionalized.

The Safe Harbor provides self-certified status for cross-border transfers. It requires that a company certify to the Department of Commerce that it meets certain standards for data handling and that it agrees to a possible audit. Then the company’s name is listed on the DOC’s website as being certified.

As you might imagine, self-certification doesn’t assure compliance. As a result, the Department of Commerce is working very closely with the Working Party of the EU to make sure that U.S. companies are able to compete and serve their EU customers. If the multinationals are impacted in the ability to use the Binding Corporate Rules or the Safe Harbor, more e-discovery processing and review would need to be done in-country. ZyLAB has a European headquarters in the Netherlands, and our software can work independently in-country if it needs to be deployed in a particular country and meet particular security and privacy standards.

It probably indicates a need to partner with an organization like ours or others in the business if you have a court telling you that you must move data cross border into another country. It gets even more complicated when you don’t have a judge ordering you to do it and are moving data cross border simply for internal business reasons. The threat of the Safe Harbor and Binding Corporate Rules being called into question is just the tip of the iceberg for U.S. business. If the Safe Harbor is taken away, or if there is a more stringent qualification or audit process, the global information flow will need more corporate resources, not only for compliance purposes but also to keep the business running. There is talk of putting considerable teeth into punishing violations. The proposed penalties should be “effective, proportionate and dissuasive,” and the information commissioner has called for criminal penalties (jail) in addition to much larger fines.

Editor: What is going on in Alberta, Canada?

Mack: The province of Alberta’s SEC is considering proposed rules in order to provide guidance to companies faced with e-discovery requests. Elaine Balestra, evidence support specialist at Alberta Securities Commission, drafted an entire set of rules and put them out for comment. While not a committee effort, she was able to put together quite an interesting group of rules, drawing from the work of others and her own insights. Most intriguing about the draft rules is the care they demonstrate about the soaring cost of preservation. There is great uncertainty about what you need to preserve – and for how long – in both the U.S. and Canada. The reasonable anticipation of litigation standard and the broad discovery laws here have resulted in companies bearing the soaring cost of over-preservation. To be able to reduce the cost of over-preservation is the goal of corporations. What practitioners are now trying to do is to get some proportionality in the preservation, not just in the production.

Until recently, the community standard was, preserve broadly and produce narrowly. The proposed rules in the Alberta draft trigger the legal hold (the preservation) at the receipt of the production order. Magistrate Judge Paul Grimm (now Federal District Judge Grimm) provided a twelve-page chart of legal hold, spoliation and penalties landscape by circuit in Victor Stanley, Inc. v. Creative Pipe, Inc., "Victor Stanley II", 269 F.R.D. 497 (D. Md. Sept. 9, 2010). The need for a twelve-page chart demonstrates that legal hold decisions are not uniform across circuits, let alone state lines or national borders, so what is a national or multinational company to do?

Due to the existing uncertainties and heavy penalty for spoliation, many have concluded that the only safe course is to save everything. Others are piloting “data disposition” projects as they move to the cloud.  Let’s hope that Alberta paves the way to more certainty.

Please email the interviewee at with questions about this interview.