Hacking the Millennial Clerks and Attorneys to Navigate Cyber Security and E-Discovery Issues

Co-prepared for the Kansas City Metropolitan Bar Association’s 2017 CLE by the Hour Program by Montana V. Koenig, associate at Dysart Taylor, and Hon. J. Dale Youngs, 16th Judicial Circuit Court of Missouri, Jackson County

Introduction

The e-discovery landscape, as we all know, is constantly and rapidly changing. However, it is our job as attorneys to stay informed of the “benefits and risks associated with relevant technology” according to the Model Rules of Professional Conduct. So what is most relevant now with respect to e-discovery and client confidentiality as new social media platforms are being created each year and hacking is on the rise? If you do not have a teenager around to keep you apprised of such things, who are you going to ask? This year, KCMBA created “Task Force M” to try to bridge the gap between generations of attorneys. In keeping with that theme, our presentation is about giving you an idea of what you might not know but can follow up with your “millennial” associates or clerks about with respect to the discoverability of social media and cyber security risks.

1. Generally

One of the very first requests in discovery is “communications.” We all know that Facebook, Instagram, Twitter and the like are social media sites. However, they also have “email” capabilities. Depending on the case, it might be important to understand acronyms and “emojis” while reviewing communications because they could change the meanings of the words.  A recent online article says “emoji are more than emotional punctuation. They add context . . . insert nuance . . . [and] might also be changing written English.” “Emoji – Trendy Slang or a Whole New Language,” Nick Stockton, Wired.com, online at < https://www.wired.com/2015/06/emojitrendy-slang-whole-new-language/>.

For example, can you guess what is being communicated below?

2. Relevance & Privacy

The sensitivity of the courts regarding a party’s privacy concerns varies.

a. Largent v. Reed, 2011 WL 5632688

(Pa. Com. Pl. 2011)

Facts

On one end of the spectrum is Largent v. Reed – a personal injury case from 2011 in Franklin County, Pennsylvania, wherein the defendant filed a motion to compel the Facebook login information of the plaintiff. The judge granted the motion on defendant’s “good faith belief” that the information was relevant. According to the opinion, after the plaintiff testified in her deposition that she “uses a cane to walk,” the defendant searched for the plaintiff’s social media profiles, which revealed posts about her daily gym routines. The defendant requested social media information “related to Plaintiff’s ability to work and to enjoy the ordinary pursuits of life,” but the plaintiff answered that there was no such content.

Relevance Holding

Posts about going to the gym in a “serious injury” case are relevant to a defense. “[I]t is clear that material on social networking sites is discoverable in a civil case.”

Overbroad/Burdensome Objection

The judge overruled plaintiff counsel’s objection that the request for the login information was overbroad, burdensome, and “akin to asking her to turn over all

of her . . . personal emails;” the court noted that “this is one of the least burdensome ways to conduct discovery.”

“Embarrassing” Objection

The judge overruled this objection stating, the plaintiff “points to nothing specific that leads the Court to believe that discovery would cause unreasonable embarrassment. Bald assertions of embarrassment are insufficient. . . Facebook posts are not truly private and there is little harm in disclosing that information in discovery.”

Privacy Holding

The judge held that no social media privilege or reasonable expectation of privacy exists. “No court has recognized such a privilege, and neither will we. . . . Only the uninitiated or foolish could believe that Facebook is an online lockbox of secrets.” Lastly, because the party was seeking information directly from the social media user, the Stored Communications Act, which applies only to Internet Service Providers, did not apply.

Other state courts have willingly adopted the Largent approach. There appear to be no reported Missouri or Kansas state court cases on this issue. Kansas and Missouri federal cases, however, do not go as far as Largent.

b. Rhone v. Schneider, 2016 WL 1594453

(Mo. E.D. 2016)

Facts

On the other end of the spectrum is Rhone v. Schneider, a personal injury case in Missouri federal court in 2016. The defendant’s request encompassed all postings, including photographs and videos, made by the plaintiff on “Twitter, Facebook or another social media website since the date of the accident.” After the plaintiff objected, the defendant narrowed the request to postings “related to Plaintiff’s ability to work and to enjoy the ordinary pursuits of life.”

The plaintiff maintained the objection that the request sought information that was “irrelevant and not reasonably calculated to lead to the discovery of admissible evidence.” The plaintiff also responded

“subject to those objections” that the plaintiff had “none.” However, after looking into it, the defendant found that the plaintiff had a Facebook profile with “relevant, non-cumulative information;” thus, the defendant filed a motion to compel, arguing that despite the plaintiff’s objections, she “did not disclose the existence of any social media accounts,” and it was discovered that she had a public Facebook profile revealing relevant, non-cumulative information.

Holding

In its Order, the Court stated that it was “mindful of any request that would be an improper intrusion upon Plaintiff’s privacy;” however, because the defendant’s “independent examination ha[d] already uncovered relevant information; specifically, comments and photos regarding physical activity such as dancing,” the Court ordered the plaintiff to disclose “a complete list of Plaintiff’s social media accounts” for the relevant time period and to provide the defendant with a “Download Your Info” report to be submitted to Facebook. However, the Court also acknowledged that “such a broad disclosure might not be appropriate in all circumstances.” The plaintiff was not required to provide passwords or usernames, and the court found sanctions to be inappropriate at that time because there was no proof that any posts had been deleted. The Court lastly declined to make findings about relevancy but cited cases holding that social media is relevant insofar as it relates to that which plaintiff has put at issue. (i.e., Giacchetto v. Patchogue-Medford Union Free Sch. Dist., 293 F.R.D. 112, 116 (E.D.N.Y. 2013) (requiring plaintiff’s counsel to review all of plaintiff’s social media content during the relevant period and produce any content that reveals or refers to plaintiff’s mental disability and emotional state previously put at issue by plaintiff)).

Takeaways

Without the defendant’s “independent examination” of the public social media profile in Rhone, the court might not have ordered any disclosure at all.  The opinion acknowledges that parties may still have reasonable expectations of privacy with respect to social media profiles – even if public; requests may therefore improperly intrude upon a party’s privacy.

The Court did not look favorably upon the argument that the plaintiff engaged in misconduct by failing to disclose the existence of social media profiles. And the court suggested that the requests may have been properly objected to as overbroad and burdensome if the court had been given more explanation.

The opinion also suggests a party may utilize a user’s publicly available social media content to make a threshold showing that the requested information is reasonably calculated to lead to the discovery of admissible evidence.

Related Case Law

This was the holding in Doe v. Rutherford County, Tenn., Bd. of Educ., 2014 WL 4080159, at *3 (M.D. Tenn. Aug. 18, 2014) (threshold showing of relevancy met by offering screenshots of public posts). In other words, if a user makes his or her profile public, a court in Missouri would likely not order any kind of disclosure of the information. However, maybe a court would be receptive to the idea of “sampling” a party’s activity for a defined period or in camera review. See Caputi v. Topper Realty Corp., 2015 WL 893663, at *8 (E.D.N.Y. Feb. 25, 2015).

c. Held v. Ferrellgas, Inc., 2011 WL 3896513

(D. Kan. 2011)

Facts

Somewhere in the middle is Held v. Ferrellgas, Inc., which presents a tactical solution. The plaintiff’s claim in that case was that defendant Ferrellgas subjected him to a hostile environment prior to his termination. The plaintiff testified in his deposition that he “could not recall whether he posted anything on Facebook that may be relevant to this case.” The defendant submitted a set of discovery requests seeking the plaintiff’s Facebook login information.

The plaintiff objected that the request was irrelevant and asked for confidential and private information. The defendant then narrowed its request and asked the plaintiff to download and produce the account data himself. The parties attempted to resolve the dispute to no avail. The defendant then filed a motion to compel, requesting that the court order the plaintiff to download and produce the information and informing the Court that Facebook provides an “online job search engine” that the plaintiff may or may not have used as would be relevant to a defense.

Holding

The court granted the motion and agreed with the defendant that “information from Plaintiff’s Facebook page during Plaintiff’s tenure at Ferrellgas is relevant.” Further, according to the court, the defendant “is attempting to mitigate the plaintiff’s privacy concerns;” the defendant is not seeking “unfettered or unlimited access to Plaintiff’s Facebook, but rather limited access during the relevant time frame.”

Takeaways

The request for Facebook profile information was reasonably calculated to lead to the discovery of admissible evidence because it was limited in time. An independent investigation of the profile was not required for disclosure.

The opinion suggests that a party may make a threshold showing of relevancy by informing the court of, as it relates to the case, certain Facebook services that were available and may or may not have been utilized by a party and/or automatic features that Facebook provides depending on a user’s private interaction with the platform (i.e., the marketing feature, friendship history, suggested “friend requests,” suggested places of employment, and automatic tagging). The court acknowledged privacy concerns with respect to public profiles and looked favorably upon the defendant’s attempt to mitigate those concerns.

What if a party has deleted posts or deactivated his or her profile after litigation has begun?

3. Preservation

First of all, technology has increased the chances of spoliation and the number of spoliation accusations. How should you protect yourself from a spoliation accusation? You should first, conduct a client interview to determine where potentially relevant

information may be stored and ask questions concerning the following: (1) older phones and tablets; (2) social media; (3) chat applications (Snapchat, WeChat, GroupMe, Skype, gaming platforms); 4) storage (Dropbox, Evernote, Google Drive); automatic sync (iCloud, iTunes, Outlook). You should also ask about acronyms, code words, abbreviations, and emoji to help evaluate potential witnesses and the strength of your client’s case.

Most importantly, counsel should specifically instruct clients not to destroy or alter social media content where it may be relevant to an anticipated or ongoing litigation.

a. Allied Concrete Co. v. Lester, 285 Va. 295 (2013)

In Allied, the attorney instructed his paralegal to tell the client to “clean up” his Facebook page. In response to a discovery request, the client stated “I do not have a Facebook page on the date this is signed.” Allied filed a motion to compel. The attorney then instructed his paralegal to obtain the information requested in the motion from the client, and the client subsequently reactivated his Facebook page. The paralegal printed out copies of the pages. The client later testified in his deposition that he never deactivated his Facebook account. Allied then hired experts to determine how many pictures had been deleted; 16 photos were ultimately produced. The “trial court sanctioned Murray in the amount of $542,000 and Lester in the amount of $180,000 to cover Allied Concrete’s attorney’s fees and costs in addressing and defending against the misconduct.” This was affirmed on appeal.

b. Elements for Social Media Spoliation

The elements are as follows: (1) the content was in the alleged spoliator’s control; (2) the alleged spoliator had an obligation to preserve the content (or could reasonably foresee that the content would be discoverable); (3) the content was destroyed or significantly altered with a culpable state of mind (some courts require only negligence); and (4) the content was relevant to claims or defenses. Painter v. Atwood, 2014 WL 1089694 (D. Nev. 2014) (sanctions imposed on plaintiff, who intentionally deleted posts relevant to sexual harassment claims after retaining counsel).

c. Remedies for Spoliation

Substantial fines. Allied Concrete Co. v. Lester, 285 Va. 295 (2013) ($180,000 against plaintiff; $542,000 against plaintiff’s counsel).

An adverse inference jury instruction that the altered social media content was harmful to the spoliating party’s case. See Painter v. Atwood, 2014 WL 1089694, at *8 (D. Nev. Mar. 18, 2014) (adverse inference instruction was appropriate where the plaintiff deactivated his Facebook account, resulting in the loss of all associated data during ongoing litigation).

Evidence preclusion. See Torres v. Lexington Ins. Co., 237 F.R.D. 533, 534 (D.P.R. 2006) (the plaintiff was precluded from introducing evidence of ongoing mental anguish where she deleted social media accounts depicting an active social life).

Dismissal of claims or a judgment in favor of the prejudiced party. See Painter, 2014 WL 1089694, at *7-8 (acknowledging that dismissal may be a remedy for social media spoliation but declining to impose that “harsh” remedy).

Fines or attorneys’ fees and costs. Katiroll Co. v. Kati Roll & Platters, Inc., 2011 WL 3583408, at *4 (D.N.J. Aug. 3, 2011).

4. Application to Other Social Media Platforms and Areas of the Law

These e-discovery holdings can be applied to other social media platforms as well. This includes Snapchat. Most assume that Snapchat “evidence” completely disappears; however, forensics examiners can recover Snapchat photos directly from the user’s phone.

More importantly, our duties as attorneys also apply to all social media.

a. Duty to Preserve & Litigation Holds

If litigation is anticipated, any potentially relevant social media content should be preserved. See Howell v. Buckeye Ranch, Inc., 2012 WL 5265170, at *1-2 (S.D. Ohio 2012).

As with other potentially relevant ESI, social media content should not be overlooked in preservation or collection efforts. Caputi v. Topper Realty Corp., 2015 WL 893663, at *8 (E.D.N.Y. 2015) (directing plaintiff “to preserve all of her Facebook activity for the duration of [the] litigation”); Hawkins v. Coll. of Charleston, 2013 WL 6050324, at *3 (D.S.C. 2013); Reid v. Ingerman Smith, 2012 WL 6720752, at *1 (E.D.N.Y. 2012) (“there is no dispute that social media information may be a source of relevant information that is discoverable”).

b. Duty to Resolve Discovery Disputes

Without Intervention of Court

Litigants should consider hiring an e-discovery expert with appropriate expertise to report on the full range of content and metadata associated with the social media. See The Sedona Conference, Primer on Social Media, at 37-39 (Oct. 2012), available at thesedonaconference.org.

5. Conclusion

a. Steps

Client interviews – what social media platforms do you use? Does your phone automatically sync with iTunes or iCloud? With whom do you primarily communicate and by what method? Do you often use acronyms or code words? Advise of the duty to preserve!

Conduct an “independent investigation” of social media. Save posts. Do not send a friend request or “follow” an account or otherwise use deception to gain access. Model Rules of Professional Conduct 4.1.

Be as specific as possible in your request; ask Plaintiff to list all social media accounts; do not request Facebook login information

If opposing counsel objects to a request, provide a “Download Your Info” form with instructions.

If opposing counsel maintains objection and/or if you suspect posts have been deleted or profile has been deactivated, depose the party on his or her social media habits.

File motion to compel incorporating, where applicable, arguments based on cost-saving, compromise, and Facebook’s operation and automatic functions.

b. Bridging the Gap

Millennial attorneys can help draft the instructions for downloading Facebook profiles; if your client is the one producing, they can walk the client through the steps.  Millennials can ask questions about deleting posts and deactivating profiles in depositions:

• How much time does it take for a Facebook page to reactivate after it has been deactivated? How do you know that? Have you ever deactivated your Facebook before?
• Do you change the privacy settings on certain posts so family members cannot see? Why?

Millennials can help explain to the Court how Facebook operates, what it automatically records, what services a party may or may not have utilized, and how it is one of the most inexpensive ways of conducting discovery. See EEOC v. Original Honeybaked Ham Co. of Ga., 2012 WL 5430974, at *1 (D. Colo. Nov. 7, 2012) (likening certain social media content to an “Everything About Me” folder that is voluntarily shared with others).

PART II

CONFIDENTIALITY V. CYBER SECURITY/HACKING

1. Law Firm Liability for Hacking “Vulnerabilities”

a. Shore v. Johnson & Bell, 2017 WL 714123

(N.D. Ill. Feb. 22, 2017)

Facts

This was a 2015 class action lawsuit against a Chicago-based law firm known as “Johnson & Bell.” It was the first lawsuit filed against a law firm for failing to secure client data when an actual data breach had yet to occur. The class consisted of many of Johnson & Bell’s clients, with the exception of insurance clients and clients operating in the healthcare industry since those clients’ data security measures were already heavily regulated. The complaint alleged “injury” in the form of cyber security “vulnerability” in three areas of the firm’s web-based operations. No actual attack or hacking had occurred at the time of filing; thus, the lawsuit was essentially based entirely on hypotheticals.

Allegations in the Complaint

The three “vulnerabilities” named in the Complaint included: (1) the firm’s web server, which was an application to remotely login and record time; (2) the firm’s Virtual Private Network (VPN), which was a server used to remotely access the company’s information in an encrypted and secured manner; and (3) the firm’s email encryption service, which created an encrypted tunnel between the web server and browser to protect information.

The Complaint alleged four causes of action: (1) breach of implied contract; (2) negligence; (3) unjust enrichment; and (4) breach of fiduciary duty. The class claimed “injuries” in the nature of diminished value of services and risk of hacking in the future. The damages were to be measured by the portion of fees each client paid to the firm hypothetically covering the cost of securing client information.

Motion to Dismiss

Johnson & Bell filed a motion to dismiss, arguing that the potential vulnerability was not actionable. Otherwise, according to Johnson & Bell, “every lawyer who carries a briefcase, takes notes in court or in a deposition … could be subject to being named in a class action lawsuit, because in each instance a client’s confidential information was ‘exposed’ or ‘vulnerable.’”

Disposition

The plaintiffs ultimately voluntarily dismissed the class action complaint in order to pursue arbitration under a provision of their retainer agreement with the firm. Since Shore, similar cases have been filed against other businesses; however, they have been voluntarily or involuntarily dismissed due to “standing issues” if no hacking has yet occurred. This was the case in Spokeo v. Robins.

2. Concrete and Particularized Injury Still Required for Standing

a. Spokeo v. Robins, 136 S. Ct. 1540 (May 16, 2016)

In Spokeo v. Robins, the U.S. Supreme Court reaffirmed that standing requires both a concrete and particularized injury. 136 S. Ct. 1540 (May 16, 2016). This is unless there is a “de facto injury” as was the case in In re Horizon Healthcare Servs., wherein a consumer reporting agency violated the Fair Credit Reporting Act (FCRA) by disseminating private information without authorization. The Court held that this was “the very injury that the FCRA is intended to prevent . . . This is a de facto injury that satisfies the concreteness requirement for Article III standing.” In re Horizon Healthcare Servs. Inc. Data Breach Litigation, 2017 WL 242554 (3rd Cir. Jan. 20, 2017).

b. Other Possible “De Facto” Injuries

Other possible de facto injuries might conceivably be found in Missouri’s Wiretapping & Computer Tampering Statutes or the federal Electronic Communications Privacy Act, which prohibit unauthorized use of electronic information. Both Kansas and Missouri also recognize invasion of privacy as a cause of action for “unreasonable intrusion[s] upon the seclusion of another.”

3. Other Considerations

No matter the circumstances, Shore v. Johnson & Bell will likely lead to similar claims against other law firms in various states. Those law firms will likely suffer reputational damage as a result. Realistically, law firms are ideal targets. Small firms might not have strong security in place. All firms have access to bank accounts and thousands of clients’ personal information.

A hacker’s motivation can be monetary, political, social, or personal. Disgruntled clients or opposing parties who are technologically savvy may be motivated by a firm’s handling of a particular case.

Common types of hacking include phishing, ransomware, DDoS, and what is referred to as “Man in the Middle.” Phishing is the attempt to obtain sensitive information by disguising as a trustworthy entity. Ransomware is when data is encrypted and the hacker demands ransom payments to release the data. A Distributed DoS attack is when multiple systems flood the bandwidth of a targeted system with traffic. A “man in the middle” attack happens when a hacker intercepts messages between two people and injects new ones – thereby controlling the entire conversation.

Recent high-profile hacks include the “panama papers” breach of a law firm, and the Target breach where 40 million credit card numbers were stolen. 117 million LinkedIn accounts have been hacked. “Hacking tools” belonging to the National Security Agency were stolen and sold to other hackers. 500 million Yahoo accounts have been stolen. 25 gigabytes of user data has been stolen from the extramarital affair website, AshleyMadison.com.

4. Prevention – Bridging the Gap

Needless to say, this is likely to be a valid claim against law firms and other businesses in the future. Everyone should take the necessary steps to protect client confidential information, including but not limited to, protecting your laptop with a password, encrypting your information, implementing security policies, having employees sign a Terms of Use statement, and training and raising awareness in the workplace regarding risks and best practices. Going one step further, a firm can apply for “ISO 27001 Certification.” This is third-party validation that a firm’s data security guidelines, policies and procedures meet international standards for best practices. Sound like too much work? Just ask your millennial for help!

Contact Montana V. Koenig at mkoenig@dysarttaylor.com or 816-931-2700.

< BACK TO NEWS & EVENTS