ESI often contains confidential data, such as trade secrets, financial information, and personal data, and attorneys need to be aware of their obligations to protect this information and prevent unauthorized disclosure.
In the June 8, 2023 edition of The Legal Intelligencer, Kelly A. Lavelle wrote “Safeguarding Data Privacy in the E-Discovery Process.“
The issue of data privacy is a growing concern as the generation and storage of electronically stored information (ESI) continues to increase. The challenges of handling digital evidence will only increase as companies expand their use of artificial intelligence (AI). In litigation, sensitive information is often involved, making data security a top priority for corporations and law firms during e-discovery. E-discovery also plays a role in internal investigations, regulatory compliance audits, shareholder disputes, and trademark infringement claims, further highlighting the importance of data protection and privacy throughout the e-discovery process.
The e-discovery process, which involves collecting, copying, and transferring data outside of an organization, raises significant concerns of data protection at every stage. ESI often contains confidential data, such as trade secrets, financial information, and personal data, and attorneys need to be aware of their obligations to protect this information and prevent unauthorized disclosure. Hacking, malware attacks, and internal security breaches can compromise ESI, leading to unauthorized access and misuse of sensitive information. Additionally, the use of ESI raises privacy concerns for individuals whose data is being collected and used in legal proceedings. Attorneys must be mindful of their client’s privacy rights and take steps to protect them.
Although ESI raises valid concerns regarding data privacy, the e-discovery process can provide significant advantages in terms of data protection and privacy. There are several steps attorneys can take to reduce e-discovery risks. First, attorneys should be well-versed in relevant privacy laws and regulations to protect their client’s privacy rights. Data privacy laws have become more abundant and complex in recent years. This year alone, five states will implement new privacy laws, representing a comprehensive approach to privacy protection across the United States. Data privacy laws such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in the European Union are already in place and impose strict requirements on the collection and disclosure of personal data. Compliance with these laws is crucial, as they can significantly affect how ESI is managed during litigation. It is critical to know where custodians are located and where data originates from to determine if any data privacy laws will affect the typical process of preservation and collection. Attorneys must be aware of their obligations and potential liability under data privacy laws.
Second, effective protocols should be established at all stages of the e-discovery process, including collection, processing, review, and production, to facilitate the retrieval and analysis of relevant data while safeguarding individuals’ privacy rights. The ESI protocol can serve as a tool to ensure the preservation and security of data privacy. Its purpose is to simplify the e-discovery process and promote efficient information exchange while ensuring data privacy and mitigating the risks of data breaches. To achieve this, attorneys need to establish the scope of discovery in a proportional and reasonable manner and balance legal discovery obligations with privacy considerations. There are several ways the ESI protocol can be utilized to safeguard data privacy during the collection, review, and production of ESI.
The ESI protocol should establish the data to be collected and how it should be processed. The primary objective is to minimize the duplication of documents and reduce the overall amount of data collected. This aligns with the requirements set forth by current and new data privacy laws which emphasize the importance of data minimization. In response to increasing regulations, companies are now required to minimize the volume of data they store and retain. However, businesses involved in litigation or reasonably anticipating litigation, tend to retain and preserve data due to concerns about being sanctioned for unintentional data deletion or a lack of knowing what issues might arise as the case progresses. Ensuring that the legal basis for collecting the ESI is clearly defined and collecting only the minimum amount of ESI necessary is the best practice. From an e-discovery perspective, data minimization is a valuable tool for reducing the costs and burdens associated with litigation.
Documenting the collection process and keeping track of how data is collected, reviewed, and preserved is essential to maintain the integrity of the evidence. Maintaining a proper chain of custody is crucial in the e-discovery process to protect data privacy. A well-defined chain of custody process helps protect data by documenting its origins and handling within the organization. It also helps identify potential tampering or unauthorized access and provides accountability. Encryption and secure transfers should be utilized to ensure the privacy and integrity of ESI during the e-discovery process.
The ESI protocol should provide guidelines for the identification and redaction of privileged data and personally identifiable information (PII). The use of AI technology in e-discovery platforms can help identify and redact confidential data while ensuring compliance with privacy laws. Privilege logs play significant roles in safeguarding data privacy during the e-discovery process. Privilege logs facilitate the balance between privacy rights and discovery obligations, allowing parties to shield sensitive or confidential information while meeting their duty to disclose relevant evidence. They establish a clear record of withheld documents or information, demonstrating efforts to protect sensitive data and comply with legal obligations.
To ensure that adequate security measures are in place, attorneys should negotiate a comprehensive protective order. Protective orders can act as an important control on how data will be transferred and accessed. The protective order should include several key provisions regarding who will have access to the ESI, implementing “clawback provisions” to prevent inadvertent disclosure of privileged documents, and establishing protocols for handling confidential and highly sensitive materials. The protective order should also establish a clear retention policy. It is essential to have provisions in the protective order for data destruction, sanitization, and confirmation of data deletion at the end of litigation. Regularly checking with clients about data removal, implementing user access controls, and timely data deletion or removal are important steps to protect data privacy. The involvement of an e-discovery vendor can help with the removal and destruction of opposing parties and third-party productions while segregating client data.
Recent court cases highlight the increasing consideration of data privacy concerns in the digital age, emphasizing the need for proper data protection measures. Addressing data privacy concerns associated with ESI is essential. By following guidelines outlined in ESI protocols and protective orders, attorneys can navigate the complexities of the discovery process while mitigating privacy risks.
Kelly A. Lavelle is an associate at Kang Haggerty. She focuses on e-discovery and information management, from preservation and collection to review and production of large volumes of electronically stored information. Contact her at klavelle@kanghaggerty.com.
Reprinted with permission from the June 8, 2023 edition of “The Legal Intelligencer” © 2022 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-257-3382 or reprints@alm.com.