In an increasingly globalized economy, the practice of law has expanded across borders as companies’ employees, actions and influence continue to spread across multiple jurisdictions. The differing privacy laws in place across different countries, industries and even between states have far-reaching implications for law practitioners within the electronic discovery sphere. The growth in big data and cloud storage has only compounded these challenges for e-discovery professionals.
In the first of three articles, we will explore the privacy challenges that exist within the United States for collecting, reviewing and processing data that may be potentially relevant to a lawsuit or investigation. Future articles will focus on different jurisdictional requirements in European Union and non-EU countries.
Requirements in the United, but Different, States
In-house counsel are often painfully familiar with the challenges of differing privacy laws in international jurisdictions. However, different states and localities in the United States often have their own regulations around privacy matters. This is particularly true when it comes to jurisdictions that license and limit which forensic examiners can handle evidence involved in lawsuits and investigations.
Many states require a private investigator license for any work that might involve handling digital information intended to be used as evidence in a litigation or investigation. To complicate the issue, there is no national standard that these licenses adhere to, and most states don’t recognize licenses issued by other states. While some states require licensing for those who perform analysis, others require it for collection and analysis. Along with state laws, some localities regulate who can serve as digital forensic experts.
Some of the states with the strictest licensing requirements that limit discovery-related tasks to private investigators include Michigan, Texas, South Carolina and Georgia. For example, in Michigan, a member of a forensic team preserving data is required by state law to have a PI license.
In 2008, the American Bar Association passed a resolution calling on jurisdictions across the country to do away with the requirement of PI licenses for those involved with “computer or digital forensic services or in the acquisition, review, or analysis of digital or computer-based information, whether for purposes of obtaining or furnishing information for evidentiary or other purposes, or for providing expert testimony before a court.” The resolution also called for the creation of professional certification or competency requirements. So far, those calls have gone unheeded.
For many organizations today, it’s not always evident which state’s laws govern a company’s electronically stored information. The ever-increasing use of cloud, or off-site, data storage means that a company located in one state may actually have its data stored in an entirely different jurisdiction. This could mean that the discovery of an institution residing in one state may be subject to PI and other legislation from another state or locality. It would also significantly impact cost and timing during the preservation and collection phases since further travel and different licensing may be required to gather relevant data.
Along with different state and local laws, many in-house counsel are employed by companies that operate in highly regulated industries, which can be governed by specific privacy standards. Often, these companies have access to large volumes of personal or sensitive information that may be potentially responsive. These can include healthcare entities governed by The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which may prevent personal information pertaining to individuals — such as medical history documents — from leaving a company’s facilities without high levels of protection in the form of encryption, etc. Companies that operate in the financial services sector also have regulatory requirements governing how and with whom they can share data.
What this means
In order to comply with all the relevant U.S. laws, in-house counsel first need to know where potentially relevant data actually resides and what laws govern its preservation, collection, processing and review. The earlier the legal team can determine this, the quicker the discovery process can start.
Depending on which laws apply, data may have to be collected in a targeted approach and possibly even processed and reviewed on-site in order to satisfy these regulations. In some instances, it may be worth conducting these processes remotely, which can help cut travel costs and navigate around differing states’ legislation.
Organizations, their law firms and third-party legal providers may need to leverage local private investigator resources under their guidance, workflows and equipment in order to work with examiners on-site. This will not only increase expenses, but it can drain valuable time and attention away from early case assessment approaches.
While some foreign countries have notoriously stringent privacy laws regarding the electronic discovery, the United States is not exempt from domestic privacy issues. In-house counsel must therefore be prepared to comply with the laws of the state next door, as well as a jurisdiction halfway across the globe.