Litigants navigating the conflict between U.S. discovery
obligations and foreign data protection laws have a new ally, the
American Bar Association ("the ABA"). The ABA
recently passed Resolution 103, which "urges" that:
[W]here possible in the context of the proceedings before them,
U.S. federal, state, territorial, tribal and local courts consider
and respect, as appropriate, the data protection and privacy laws
of any applicable foreign sovereign, and the interests of any
person who is subject to or benefits from such laws, with regard to
data sought in discovery in civil litigation.
The full text of the resolution and accompanying report (the
"Report") can be found here. In supporting its resolution,
the ABA noted that "[l]itigants often face a Hobson's
Choice: violate foreign law and expose themselves to enforcement
proceedings that have included criminal prosecution, or choose
noncompliance with a U.S. discovery order and risk U.S. sanctions
ranging from monetary costs to adverse inference jury instructions
to default judgments." Report at p. 2. As
"U.S. law already provides a clear and workable standard for
resolving the conflict" the ABA believes that Courts should
give more consideration "to the national interests behind the
non-U.S. laws" such that the comity factors are weighed and
applied "in a manner that demonstrates respect for those laws
and the principles of international comity." Report at p.
The ABA's involvement with this issue is particularly
timely, as it has recently become apparent that new data analytic
technologies have weakened the effectiveness and reliability of
anonymization, one of the primary mechanisms available to litigants
to navigate cross border discovery conflicts. See
e.g., The Practice of Law in the Age of Big Data, Nat.
L. J., April 11, 2011.
Despite the apparent strength of this Resolution, it is worth
noting that the ABA appears to have watered down the original
intended language, restricting its statement to data that is
"sought," i.e. affirmatively requested by an opposing
litigant, as compared to the original language, which applied
broadly to data that is subject to preservation, disclosure, or
discovery." The intent of this change is unclear, as the
ABA continues to acknowledge that preservation related-activities
can, by themselves, run afoul of foreign data protection
obligations, even in the absence of actual production or
cross-border transfer. Report at p. 12. For example, the
European Data Protection Directive, defines regulated
"processing" to include mere "storage," and
further provides that data shall be kept in a form which permits
identification of data subjects for no longer than is necessary for
the purposes for which the data were collected." See Directive 95/46/EC, Articles 1 and
6. Such restrictions can be inconsistent with broad U.S.
preservation obligations, and non-compliance would seem to present
many of the same risks that are a concern when it comes to cross
border data transfer.
Regardless of any limited intent, it is hoped that the ABA's
position will be taken to heart by the judiciary, as litigants in
possession of protected data should not have to unnecessarily fear
litigating in U.S. Courts.
On Friday, November 13, Federal Trade Commission ("FTC" or the "Commission") Chief Administrative Law Judge ("ALJ") D. Michael Chappell issued an Initial Decision in In the Matter of LabMD, Inc. (FTC Docket No. 9357), dismissing the Commission's Complaint against LabMD, Inc. ("LabMD"), upon a finding that the FTC had failed to "demonstrate a likelihood that [LabMD's] computer network will be breached in the future and cause substantial computer injury."
Whether you are in-house counsel or external counsel, upon first hearing of a massive data breach affecting your client, your first reaction will likely be at least a twinge of panic. So first, take a deep breath and calm down.
Anthony Albanese, the head of the New York Department of Financial Services, issued a letter to more than 20 federal and state regulators outlining proposed cybersecurity regulations for banks and insurance companies operating in New York.
High-profile data breaches seem to hit the headlines almost every day. These breaches have proved terrifying for many companies, particularly as the attackers release embarrassing emails and other information.