New York Law Journal
Andy G. Gandhi (A&M), Mauricio Paez (Jones Day) and Mark Kindy (A&M)
Digital transformations are fueling data growth, including passively capturing personal information. Over recent years, the complexity in responding to broad based discovery requests pose difficulties due to developing data technologies, cloud and mobile applications, cross-border data disbursement, and increased data volumes. Global legal developments that provide greater privacy protections exacerbates these difficulties. The continuous expansion of privacy laws and adoption of privacy regulations for specific industries (e.g., HIPPA) increased obligations to understand customer and employee data thoroughly throughout the data lifecycle. Failure to know when private data is received, used, stored, retained, or inadvertently transferred to a third party can pose financial and reputational liabilities beyond the merits of the litigation matter.
Corporate litigation events need to consider the inclusion of legal and technology experts who can assist parties address personal data privacy obligations well before the information is disclosed to an opposing party, including the government. Neutral Data Experts and advanced data analytic techniques can help the parties and courts understand the personal data privacy risks posed on the information contained in the underlying data production. This article explores the discovery challenges and technical solutions that can mitigate the data risk posed by the exponential growth of emerging technologies, corresponding data and the persistent obligations under privacy regulations.
Under the U.S. Federal Rules of Civil Procedure (FRCP), a litigant has the obligation to, among other things, identify, preserve, and produce information in all forms potentially responsive to the issues at hand in the litigation. This is referred to as litigation discovery. For multinational litigants, U.S. litigation discovery obligations could extend to information maintained in other countries and about their respective citizens. Often a litigant is faced with conflicting privacy obligations that can significantly complicate the litigant’s ability to comply with U.S. litigation discovery obligations. The litigant must seek appropriate legal counsel and advice that could and often does include multiple law firms depending on the countries implicated. A thorough review of the applicable legal and regulatory obligations are warranted and advised so as not to complicate further and expand the litigant’s exposure and risk beyond the issues in the specific litigation matter.
The General Data Protection Regulation (GDPR), effective as of May 25, 2018, and more recently, the California Consumer Protection Act (CCPA) effective as of Jan. 1, 2020, are recent examples of very restrictive privacy regulations. These types of regulations will have far-reaching obligations and will impact organizations beyond the jurisdiction where the litigation matter is pending. In general, these regulations can apply to organizations regardless of where they are domiciled if they trigger the extraterritorial jurisdictional provisions. In other words, organizations can be subject to these laws without having a physical presence in the jurisdiction. Generally, these jurisdictions protect their citizens’ personally identifiable information (PII) (as defined in the respective regulation) from certain types of processing and sharing, and provide their citizens the right to be notified of the disclosure, have their PII deleted, be given access to their PII, and object to the disclosure under certain circumstances. The GDPR, for example, makes it illegal to disclose PII without a legal basis, which in some cases requires individual consent or a balancing of risks to the individual’s data protection rights.
What constitutes PII under privacy regulations vary, with some jurisdictions expanding the definition beyond static data attributes (e.g., Social Security numbers) to include broader categories, such as behavioral characteristics (e.g., location data tracked on mobile device management software). Illinois, Texas, and Washington have specific biometric privacy regulations, and may require companies to obtain affirmative consent to collect biometric markers from their employees and customers, including fingerprints and facial recognition data models. Failure to comply with these laws make the collection and disclosure of the PII illegal. While these regulations contemplate protecting the use of private information (e.g., finger-print timekeeping machines for payroll), they are unclear in defining the risks to individuals when third parties use cloud-based technologies to process or store their data indefinitely as part of their solutions. In the state of Illinois, for example, there is significant pending litigation on the scope and limits of its biometric information privacy law, known as the Illinois Biometric Information Privacy Act.
There appears to be some momentum for a national comprehensive personal data privacy law in the United States, which could address some of the conflicting issues related to PII disclosures in litigation discovery. Potentially this could avoid the legal complexity and uncertainty that exists under State data breach notification obligations. Until then, in the United States we are left with managing the data privacy legal uncertainty and complexity on a State by State basis.
(Personal) Big Data
Consumer data is flourishing both in size and data category. Advancements in AI and machine learning technologies that process data for insights will pervasively create personal data iterations that are more voluminous than ever before. The types of data that will be derivatives of consumer habits will need to be understood, mapped, and secured through their respective lifecycles. From a data privacy perspective, this means the privacy compliance obligations will evolve, and the intersection of discovery obligations (e.g., preservation) with data privacy protection’s (e.g., personal data destruction) will expand.
Similarly, future privacy regulation across the world will need to balance individual privacy rights (e.g., consent, purpose limitations, and retention/disposal requirements) with reasonable policies promoting amicable and expedient resolution of disputes, and digital transformations that are critical to a successful digital economic strategy.
Crossroads of Organization vs. Individual Data Compliance
As noted above, legal, regulatory and compliance obligations often will conflict with one another. Litigation compliance or government inquiries that require companies to produce information related to both employees and customers require stringent legal and technical procedures to adequately collect and process data for relevancy. This inherently poses challenges in relation to what obligations a company has to the individual under the relevant data privacy law; in this case a disclosure that potentially violates their data privacy rights under local law. Peripheral data, such as customer locations geo-mapping of IP addresses, text and chat message data, behavioral data, and other persistent identifiers are aggregated by organizations for legitimate business reasons, but sometimes inadvertently and unintentionally. The risks once PII leaves a company through the natural course of discovery are significantly intensified, as the company no longer can commit to what and where consumer data is going. For example, a third party that takes possession of the personal data to support the litigant may not have the rigorous security protocols that the organization committed to when it first collected the personal information. While some current privacy regulations address liability for privacy violations by processors or third-party recipients of personal data, some do not. The litigants will need to address indemnification of privacy claims and liabilities on their own. Thus, it has become a commonsense data governance practice to proactively implement protections for the collection, storage, and disclosure of PII, including obtaining reasonable indemnification protections where possible. Along with these implementations, individual company policies and procedures can be established to lessen the data and compliance risk burden on the company.
Data Compliance and Discovery Risk Mitigation
Significant corporate spend due to cyber threats is empowering Chief Information Security Officers, Chief Data Officers and Chief Privacy Officers. However, the common theme in corporations today is still a disparate approach to data management, security, and production during discovery events. Frequent enterprise data mapping exercises should be performed by organizations to identify locations, content, formats, and the lifespan of all data they possess. Often referred to as Knowing Your Data (KYD), these exercises should leverage advancements in data governance, pseudo-anonymization, and differential privacy technologies, to help segregate and protect all PII resident across the enterprise. Many software technologies now “track” individual pieces of unstructured and structured data across an organization for purposes of records management, discovery compliance, and defensible data destruction procedures. These same technologies can also be applied to help identify privacy data or to better understand the exposure of private data risk across organizations. Compliance and legal personnel need to define consistent organization taxonomies using these technologies, while the IT and Security professionals assist in classifying and securing the data to effectuate compliant privacy policies and practices.
Similarly, when developing a discovery response strategy, the legal, compliance, and technology teams should cohesively leverage the knowledge gained of the data in the organization through the data mapping and classification efforts. This discovery strategy can eliminate the risk posed by the release of irrelevant data to external parties, assist in significant discovery cost reduction, and/or mitigate against privacy compliance risks.
Beyond this internal data governance approach, discovery events commonly require independent data arbitrators, who are domain experts and data scientists, to help take possession of, categorize and define defensible production protocols and protection measures. For example, during a litigation a Neutral Data Expert can be engaged jointly by disputing parties to develop pseudo-anonymization parameters of potentially relevant data required for production, or sampling methodologies to identify relevancy in masked PII data sets. There have been significant advancements in differential privacy techniques that can also apply to the identification of relevant information before production. (“Differential privacy (DP) is a strong, mathematical definition of privacy in the context of statistical and machine learning analysis.” An Nguyen (2019) “Understanding Differential Privacy From Intuitions behind a Theory to a Private AI Application”). Legal privacy and cybersecurity professionals can ensure risk-based compliance in meeting discovery obligations, while also helping companies meet their data protection compliance obligations.
The creation, consumption, and reliance on data is persistent and exponential in growth. As the data universe continues to increase in parallel with identifiable data categories, so will the associated risks with using that data in competing regulations and legal discovery requirements. The use of technologies and legal and technology experts to trace, identify and map customer data as part of the compliance and the legal program will not only assist in meeting regulatory obligations, it will also significantly reduce the costs of privacy and legal compliance in the data processing, review, and production during discovery events.
Reprinted with permission from the “January 31, 2020” edition of the “New York Law Journal”© 2020 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. ALMReprints.com – 877-257-3382 - firstname.lastname@example.org.
New York Law Journal