1. 1 Legal Research, Issues, and Practice in Cyberspace - Jurisdiction, Digital Discovery, Digital Security & Encryption Todd Krieger & Cyrus Daftary April 6 th, 2015

2. 2 Agenda  Administrative Discussion  Jurisdiction  Digital Discovery  Encryption and Information Security  Questions & Answers

3. 3 Jurisdiction  A court’s power to adjudicate a controversy.  Defined by ‘long-arm’ statute and due process clause of constitution.

4. 4 Jurisdiction - History  1945 - International Shoe vs Washington: defendant must maintain ‘minimum contacts’ with forum state – if it doesn’t offend the traditional notions of fair play and substantial justice.  Due process requires fairness and justice.  Example: Out of state salesperson who does business in California.  Gave courts some discretion.

5. 5 Jurisdiction - History (cont’d)  1980 - World Wide Volkswagen vs Woodson: Plaintiff buys car in New York and is injured in Oklahoma. The court finds conduct must be directed towards forum state not merely placing a product in the stream of commerce.

6. 6 Specific v. General Jurisdiction  General jurisdiction: (Helicopteros Nacioinales de Colombia, S.A. vs Hall) Continuous and systematic contacts with the forum state. Controversy need not arise out of the defendant's activities in the state.  Specific jurisdiction: (Burger King vs Rudzewics) Cause of action arises directly from defendant’s contact with the forum state.

7. 7 Evolution of Online Jurisdiction  Early websites were informational, online brochures.  Early on, disputes were independent of the websites.  Plaintiffs tried to use the websites to assert jurisdiction, usually with little success; they needed to show something more.  Lawyers and judges were still learning about the technology.

8. Early Conflicting Cases – Sporadic Internet Activities  Website and toll free number –(Graphic Controls Corp. vs Utah Med. Prods. Inc.) –(Inset Sys. vs Instruction Set, Inc.)  Soliciting and maintaining a website for future business with knowledge of in-state access –(Hearst Corp. vs Goldberger) –(State by Humphrey vs Granite Gate Resorts) Source: Todd D. Leitstein - A Solution for Personal Jurisdiction on the Internet, 59 La. L. Rev. 565, 1999 8

9. 9 First Rational Framework  Zippo vs Zippo.com : –Lighter Company vs Online E-mail/Content provider. –3,000 customers in PA; 7 agreements with PA based ISPs. Sliding scale of jurisdiction Sliding scale of jurisdiction Doing Business/Interactivity Jurisdiction

10. 10 Zippo Three Prong Test  (1) The defendant must have sufficient minimum contacts with the forum state.  (2) The claim asserted against the defendant must arise out of those contacts.  (3) The exercise of jurisdiction must be reasonable.  Courts in the 5 th, 9 th, and 10 th Circuits have used the Zippo sliding scale consistently, but some courts have attempted to refine the test.

11. 11 Expanding Zippo  Court in Cybersell, Inc. vs Cybersell, Inc. stated while the level of interactivity was a crucial factor for jurisdiction, interactivity alone did not provide grounds for jurisdiction, but instead required something more to establish minimum contacts. –“Something more” consisted of ‘targeting’ or intentional Internet activity expressly aimed at the forum state.  S. Morantz, Inc. vs Hang, using Zippo and targeting approach found an interactive website that did not allow for online sales and was not directed at PA residents did not provide minimum contacts with PA over a NY defendant.

12. 12 The “Effects” Test  An alternative to the Zippo sliding scale test is the effects-based approach.  Courts focus their analysis on the actual effects a website had in a particular jurisdiction and do not focus on the technology used.  The effects test originated in Calder vs Shirley Jones, in which a CA entertainer sued a FL publisher for libel.  The effects test has been applied in Blumenthal vs Drudge and Pavolich vs DVD Copy Control Assn.

13. E-mail Technology Perils – Practical Introduction  Eli’s Cases marketing employee Hillary struggles with the company VPN and e-mail.  Has e-mails forwarded to her personal Gmail account and responds through Gmail.  Sets up a home server to host and manage her personal and work e-mails. 13

14. Legal Trouble  Six months later she quits and goes to work for a competitor. –Maybe she had access to new product plans? –Any way to monitor or check her communications?  Unpaid marketing vendor sues for contract breach and during discovery asks for a copy of Hillary’s e-mails. –No way to manage discovery from personal e- mails. 14

15. 15 What is Discovery?  “Discovery” refers to the process of compelling another party to provide information, which may include documents, during the course of litigation.  Gives litigants access to information relevant to the dispute.  Discovery requests may be very broad and burdensome, especially in business litigation.  Facebook postings and other seemingly private information can be within the scope of a discovery request. –Case discussion: Gatto v United Airlines

16. 16 Digital Discovery and Data Retention  Most new information is electronic.  Companies need codified policies for retention of digital and printed information or they could be overwhelmed by a discovery request.  Define retention periods based on legal, business, and personal obligations.  Must follow policies carefully.  Third party solutions available.

17. 17 Federal Rules of Civil Procedure For Electronic Discovery Implemented 12/06  Rules put in place process for party to demand access to information that is claimed to be ‘burdensome to access and produce.’  Companies may have hundreds of unorganized legacy back-up tapes with year of e-mails and other information  New rules provide exceptions for good faith inadvertent destruction.

18. 18 New Rules Harmonize Electronic Discovery Practices  Attorneys involved in litigation must address electronic discovery at the earliest stage of discovery planning.  New rules provide a framework for courts and easier guidance to assist clients.

19. 19 Some Specific Requirements:  Rule 26(a)(1)(B) changes ‘data compilations’ to ‘electronically stored information’. –(similar amendments to other rules)  Rule 16(b) amended to require that scheduling order may include electronically stored information.  Rule 26(f) requires parties to confer and discuss issues related to electronic information.  Rule 26(b)(2)(B) addresses the burden for data that is not readily accessible. Party receiving request must establish unreasonableness of request.  Rule 37(f) accommodates the accidental loss or destruction during a routine operation of electronic information if the party took reasonable steps for preservation. –Keep in mind other changes as well. –http://www.ims-expertservices.com/newsletters/nov/eddrules-111406.htm

20. 20 Courts Have Defined Expectations of Digital Discovery  “Now that the key issues have been addressed and national standards are developing, parties and their counsel are fully on notice of their responsibility to preserve and produce electronically stored information.” –Judge Shura Scheindlin, Zubulake v. Warburg –Final jury verdict: $29 million.  Complying with digital discovery requests may be very expensive, time consuming and implicating.

21. 21 High Profile Cases Have Led to Big Verdicts  Coleman v. Morgan Stanley: $1.45 Billion jury verdict for overwriting e-mails, failing to timely process backup tapes, failure to produce relevant e-mails and attachments.  U.S. v. Philip Morris, 327 F. Supp. 2d 21: $2.75 Million in sanctions for failure to follow order to preserve e-mails and other e-discovery violations.

22. In Re Information Management Services, Inc. Derivative Litigation  Case discussion:  Digital discovery + employee e-mail privacy + attorney client privilege (oh my). 22

23. 23 Meta-data May Be Critical  Metadata = ‘data about data’  Metadata must remain intact: –History (date of creation and modification) –Tracking (who created the document and where does it reside) –Comments and annotation. Metadata may leave an implicating trail. –Previously deleted text –Comments –Identity of those who worked on document –Dates and times of work. –Changes in date in Windows may not be the same in the underlying DOS.

24. Electronic Discovery Can be Very Expensive  Average may be $1-3 million  Litigants need efficient data search and management strategies –Law firms bill for searches on an hourly basis  Data may not be in a common or searchable format 24

25. Data Security is a Relatively New Area of Liability  Company computers may house sensitive consumer data and trade secrets.  Failure to adequately protect consumer data has led to high profile settlements with the FTC: –Choicepoint: $15 million –TJX –BJs Wholesale Club –Hannafords - 4 million credit card numbers compromised –Target  Failure to adequately protect trade secrets can also create a corporate disaster. 25

26. Sensitive Digital Data May Reside in Surprising Places  http://www.cbsnews.com/8301-18563_162- 6412439.html http://www.cbsnews.com/8301-18563_162- 6412439.html http://www.cbsnews.com/8301-18563_162- 6412439.html  http://business.ftc.gov/documents/bus43- copier-data-security 26

27. Nevada SB 267 Was Passed in Response Section 4 of this bill requires a business entity or a data collector to ensure that any personal information which is stored on the data storage device of a copier, facsimile machine or multifunction device in the possession of the business entity or data collector is securely encrypted or destroyed by certain approved methods before the business entity or data collector relinquishes ownership, physical control or custody of the copier, facsimile machine or multifunction device to another person. http://openstates.org/nv/bills/76/SB267/documents/NVD00008333/ 27

28. Companies are Obligated to Protect Sensitive Data and Report Breaches  Most states require notification of residents if personal data is compromised and many other states are not far behind. –Massachusetts 93H –http://www.mass.gov/ocabr/business/identity-theft/requirements-for-security- breach-notifications.html  Hundreds of data breaches have been reported  Reporting has led to bad publicity and fines.  Marriott reported the loss of 200,000 names in missing backup tapes.  Some reporting requirements are exempted if the data was encrypted. 28

29. Breach Response Plans  How does an entity respond to a breach? –Security for prevention and protection –Intrusion detection –Analysis of access –Response to breach –Resolution of incident 29

30. What is Encryption?  https://www.youtube.com/watch?v=vCDe14 NxSY0 30

31. ID Theft Has Impacted Millions of Americans  U.S. consumers lost billions to identity theft in 2014  ID Theft consumes time and money.  Consumers are more careful with their personal information. –Vulnerable to phishing attacks –As safe as the company where they used their credit card. IRS Criminal Investigation Targets Identity Theft Refund Fraud FS-2013-4, February 2015 The IRS has seen a significant increase in refund fraud that involves identity thieves who file false claims for refunds by stealing and using someone's Social Security number. http://www.irs.gov/uac/Newsroom/IRS-Criminal-Investigation-Targets-Identity-Theft-Refund-Fraud-2014 31

32. Phishing Attacks Can Be Cleverly Disguised 32

33. Data Thieves Actively Target Websites and Corporate Networks  May use e-mail viruses to crack networks  Target specific applications to get sensitive data –Once the perimeter security is cracked, the entire network may be available.  Hijack remote computers to anonymously attack sites. 33

34. Reasonable Measures To Protect Sensitive Information  Policies –http://www.mass.gov/ocabr/docs/idtheft/compliance-checklist.pdf  Encryption  Intrusion detection  Firewalls  Password protection  Anti-virus programs  Physical security of laptops and portable media. 34

35. Some Other Protective Measures  Manage local administrative access –Removing local access limits bypassing security mechanisms  Lock introduction of unauthorized applications  Automatic logging of administrative actions –Review logs!  Implement role based control  Virus protection and other software control  Security audits. 35

36. 36 Questions & Answers