The Department of Justice and the Federal Trade Commission on April 10 issued Antitrust Policy Statement on Sharing of Cybersecurity Information, a joint policy statement that provides critical infrastructure industries the clarity they need to share cybersecurity information among themselves to combat cyber threats without violating the antitrust laws those agencies enforce. The agencies note that “properly designed cyber threat information sharing is not likely to raise antitrust concerns and can help secure the nation’s networks of information and resources.” The benefits of sharing this highly technical information are significant: sharing increases the security, availability, integrity, and efficiency of information systems, which in turn, leads to a more secure and productive nation. The agencies make clear that they “do not believe that antitrust is—or should be—a roadblock to legitimate cybersecurity information sharing.” This policy statement is meant to provide more certainty to the concerns private companies have raised as the threats to our nation’s infrastructure and information systems increase in number and sophistication. Continue Reading
In the latest and most important federal court decision on data security enforcement, District of New Jersey Judge Esther Salas broadly upheld the Federal Trade Commission’s authority to police data security under the “unfairness” prong of Federal Trade Commission Act Section 5. The decision, which rejected Wyndham Worldwide’s claims that the FTC lacked such authority, comes at a time when the FTC has received increasing criticism that its continued reliance on case-by-case adjudication (rather than rulemaking) to apprise companies of their data security responsibilities provides insufficient guidance regarding which data security standards apply. Indeed, the FTC’s increased enforcement trend coincides with efforts by the National Institute for Standards and Technology to establish more consistent voluntary standards regarding data security through its release of the cybersecurity framework as well as requests from the FTC to Congress for even more authority to police data breaches. Continue Reading
With cyber heists plundering $1 trillion in global intellectual property (per President Obama) and driving “the greatest transfer of wealth in human history” (per NSA Director Alexander), corporations face bet-the-company threats when cyber attacks and data breaches empty their intellectual property vaults, torpedo their mergers and business deals, and crush their stock prices. In our recent article, “Pillaging the Digital Treasure Troves: The Technology, Economics, and Law of Cyber Espionage,” published in the ABA’s The SciTech Lawyer (Winter 2014), we explore the methods employed by cyber spies to steal corporate IP and trade secrets, discuss the economic impact of cyber theft at the individual corporate level (i.e., the business case for cybersecurity), and the looming litigation, regulatory, and enforcement risks to corporations suffering technology and IP losses as a result of cyber thefts.
The New York Supreme Court’s Commercial Division has proposed sweeping changes to privilege logs that could bring simplicity and efficiency to what has long been viewed as a tedious, frustrating, and needlessly costly practice. The proposal, published for comment on April 3, 2014, would require litigants in the Commercial Division to “agree, where possible, to employ a categorical approach to privilege designations” rather than a “document-by-document log.” Under the current requirements, New York’s Civil Practice Law and Rules mandates that a party withholding documents on the basis of privilege produce a privilege log which: “(i) contains a separate entry for each document being withheld; (ii) provides ‘pedigree’ information for each such document; and (iii) sets forth the specific privileges or immunities that insulate the document from production.” As anyone involved in electronic discovery in complex litigation matters knows, this can translate to a large team of attorneys devoting hundreds of hours to recording detailed information about tens of thousands of documents, one document at a time. As recognized in the Commercial Division proposal, “the segregation, review, redaction, and document by-document logging of privileged communications is both time-consuming and costly,” and this cost is rarely justified by the “potential benefits a privilege challenge may have on the outcome of the litigation.” Continue Reading
In a much-anticipated decision, the U.S. District Court for the District of New Jersey upheld the FTC’s authority to regulate data security practices by denying Wyndham Worldwide Corporation’s motion to dismiss challenging the FTC’s authority to pursue unfair and deceptive trade practices claims arising from a cyber breach. The complaint against Wyndham asserts that Wyndham’s data security policies constituted unfair and/or deceptive trade practices, prohibited by Section 5(a) of the FTC Act, codified here. This is only the second challenge to the FTC’s data security regulatory authority under Section 5 in federal court. In the first, FTC v. Accusearch, the 10th Circuit supported the FTC’s authority under Section 5 of the FTC Act. Continue Reading
The State Bar of California may soon deem an otherwise highly skilled attorney to be “incompetent” in the practice of law if he or she does not know the basic steps to take with respect to electronic discovery and does nothing to fill that gap in knowledge. On February 28, 2014, California’s State Bar Standing Committee on Professional Responsibility and Conduct tentatively approved a Proposed Formal Interim Opinion for a 90-day public comment distribution, which analyzes a hypothetical fact pattern of an attorney who makes egregious mistakes in e-discovery. Continue Reading
On March 27, 2014, the EU Court of Justice (CJEU) ruled in the UPC Telekabel Wien-case that national courts may impose website blocking orders to internet access providers (IAPs) requiring them to prevent their subscribers from accessing a website containing copyright infringing material, without specifying the concrete blocking measures to be taken. The Court also emphasized that the measures taken by the IAPs must strike a fair balance between all fundamental rights involved. The IAPs may find themselves in the unenviable position of having to determine the adequacy and proportionality of the blocking measures to be taken. This risks leading to additional litigation regarding the measures taken to implement website blocking orders. Continue Reading
Emails often provide key evidence in conspiracy-related investigations and subsequent litigation. More recently, social media and text messages have provided additional evidence for such matters. In response, most companies have enacted policies to educate their employees about using these communication mediums. However, recent antitrust investigations and federal lawsuits in the financial services industry are utilizing electronic communications made via Bloomberg Terminal as key evidence. The reported Bloomberg chat evidence in these cases makes clear that companies should reassess whether their internal compliance policies and training need to be updated to mitigate the risk that Bloomberg Terminal evidence – and not just emails and social media content – could create legal liability for the company. Continue Reading
I recently published an article for InsideCounsel addressing ways companies can reduce risk and costs in litigation. I advocate appropriate self-help.
Unfortunately, the courts, regulators, and legislators have not fully kept up with the extraordinary pace of technological developments, the proliferation of ESI, and the growing use of social media, cloud computing, and other ESI-related measures that can drive up costs and increase risk in litigation. As I note in the article, companies primarily used to fear the single “smoking gun” document that might turn up in discovery. Now, the sheer volume of documents collected, reviewed, and produced in discovery can impose crippling costs and burden on even the largest companies, even in meritless cases – and of course, the more documents created and produced, the greater the risk that a “smoking gun” document turns up in discovery.
There are a variety of steps companies can take to reduce litigation expense and exposure. This includes dramatically reducing the volume of ESI maintained by the company, adopting litigation readiness plans that identify sources of ESI within the company and that assign responsibility for specific discovery-related tasks, and using available technological tools, such as technology-assisted review (or predictive coding). You can read the brief article here.
A colleague and I recently published an article in BNA’s Digital Discovery & e-Evidence® discussing the recent sanctions against Quinn Emanuel Urquhart & Sullivan LLP, in Apple, Inc. v. Samsung Electronics Co. Ltd, et. al., 5:11-cv-01846 (N.D. Cal. Jan. 29, 2014). Our article, “Protecting Confidential Information: Lessons from the Apple v. Samsung Firestorm,” tells a cautionary tale, in which a court found that one law firm’s failure to implement certain quality control measures transformed a single associate’s omitted redaction into grounds for costly motion practice and sanctions against both the law firm and its client.
As Quinn Emanuel and Samsung learned the hard way, serious consequences await those who are found to have mishandled confidential information received from other parties in the course of litigation. Avoiding these consequences begins with implementing appropriate quality control measures, including multi-tiered reviews of highly sensitive documents. But it also requires vigilance by in-house counsel, who circulate potentially confidential information internally at their own peril. Continue reading here.