Tagged: Compliance

Unintentional Consequences? The District Court of Maryland Holds Evidence Failed Rule 37(e)’s “Intent to Deprive” Requirement

A recent opinion from the District Court of Maryland highlights the challenges litigants face proving intent to deprive under Rule 37(e)(2) when seeking sanctions for spoliation of electronically stored information (ESI). In Gov’t Emps. Health Ass’n v. Actelion Pharm. LTD., et al., Magistrate Judge Mark Coulson set forth the requirements to prove entitlement to remedial measures or sanctions under Rule 37(e)(1) and (2) and then applied these requirements to decide the ESI spoliation claims before the court. This blog has written extensively on what is required to trigger Rule 37(e) and resulting sanctions.

In June 2017, defendant Actelion (“defendant”) was purchased by Johnson & Johnson (“J&J”). Following the acquisition, Actelion migrated its data to J&J, which managed the data of both companies. On November 19, 2018, the plaintiff filed this antitrust litigation against Actelion alleging the plaintiff was forced to pay higher prices for one of Actelion’s drugs because of the unavailability of a cheaper generic version caused by the defendant’s blocking of competition. Soon after, J&J issued a legal hold to preserve relevant information for the antitrust litigation. The defendant’s custodians included in the legal hold were determined by the defendant’s then in-house counsel (“Thompson”). Absent from the legal hold were five former defendant employees (“at-issue custodians”) with documents relevant to the antitrust litigation....

The Risks of “Failed” Spoliation Efforts: The Southern District of New York Finds Severe Sanctions Available Under Rule 37(b)(2) and Inherent Authority for “Incompetent Spoliators”

We have previously blogged on the controversy regarding whether a court may still sanction a party for spoliation of ESI pursuant to its inherent authority following the amendments to Rule 37(e). But what happens when the attempted spoliation ultimately fails because the discovery is located and produced, often after much unnecessary effort and expense by the requesting party? Abbott Laboratories v. Adelphia Supply USA involved just such a situation. The court’s decision reinforced that even when spoliation efforts are ultimately unsuccessful, and therefore Rule 37(e) does not apply because information is not “lost,” sanctions remain available under Rule 37(b)(2) and the court’s inherent authority to address litigant misconduct, including outright fraud on the court. This decision confirms that where improperly withheld documents are ultimately produced, courts can “nevertheless exercise inherent authority to remedy spoliation under the circumstances presented.” CAT3, LLC v. Black Lineage, Inc., No. 14 Civ. 5511, 2016 WL 154116 (S.D.N.Y. Jan. 12, 2016).

Plaintiffs Abbott Laboratories, Abbott Diabetes Care Inc., and Abbott Diabetes Care Sales Corp. (collectively “Plaintiffs”) filed a motion for case-ending sanctions against Defendants H&H Wholesale Services, Inc. (“H&H”), Howard Goldman, and Lori Goldman (collectively the “H&H Defendants”) based on electronic discovery-related violations of Federal Rule of Civil Procedure 37. The court referred Plaintiffs’ motion to the Honorable Magistrate Judge Lois...

Internal Investigations and Compliance in a Post-Pandemic Environment: Risks and Opportunities

The COVID-19 pandemic has presented not only novel challenges, but also opportunities for companies hoping to enhance or regain productivity while preventing wrongdoing and maintaining robust compliance functions. As workplaces reopen, historical challenges will persist and new risks will emerge. To be best positioned during this transition phase and beyond, companies should embrace the opportunity to evaluate their existing compliance processes and make the adjustments now that are necessary to adapt to a risk landscape that will likely never again be the same.

Empower Legal, Compliance, and Investigative Resources

Responsible companies will not be receptive to attempts to excuse misconduct due to the pandemic, nor will regulators. After all, there will be no “pandemic defense” to wrongdoing, and hindsight tends to be unforgiving, particularly through the lens of regulators looking at current events months or years from now. And as businesses emerge from state stay-at-home orders, an increased focus on productivity threatens to exacerbate the already heightened risk environment. It is critical that compliance, legal, and internal and external investigative resources be empowered to mitigate these risks effectively. Some immediate mitigation actions to be considered include:

- Conducting mandatory training on the enhanced risk environment and compliance best practices.
- Assessing existing policies and procedures, including those specific to internal investigations, and revamping them as needed to address...

CCPA Amendments Expand Private Right of Action and AG’s Enforcement Power

On February 22, 2019, another proposed amendment to the California Consumer Privacy Act (CCPA) was published. If enacted, this amendment will increase businesses’ potential exposure under the CCPA by, among other things, expanding the scope of private rights of action under the Act and eliminating a cure period prior to a civil enforcement action by the California Attorney General. The CCPA, originally enacted in June 2018 and first amended in September 2018, sets forth an entirely new privacy and security regime for many entities doing business in California. It imposes extensive requirements on the collection, use, and storage of consumer personal information, and applies to many businesses located both in and outside of the state. The deadline for all businesses to comply with the CCPA’s requirements is January 1, 2020, and the California Attorney General may bring an enforcement action six months after the passage of implementing regulations, or July 1, 2020, whichever comes first. The clock is ticking …

The CCPA applies to any for-profit entity that (i) does business in California, (ii) collects “personal information” and/or determines the purposes and means of processing “personal information,” and (iii) satisfies at least one of the following threshold criteria:

- Has annual gross revenues of $25,000,000;
- Annually buys, receives, sells or shares “personal information” of 50,000 or...

Final Cybersecurity Framework Released in Furtherance of President Obama’s Executive Order

On Wednesday, February 12, the White House released the National Institute of Standards and Technology’s (NIST) Final Cybersecurity Framework: a set of industry best practices and standards to help owners and operators of critical infrastructure develop better cybersecurity programs. It is accompanied by a Roadmap which discusses NIST’s next steps with the Framework and identifies key areas of development, alignment, and collaboration. The Framework stems from President Obama’s February 2013 Executive Order on cybersecurity, previously covered on October 1, 2013. The overall core of the Framework is essentially unchanged from earlier drafts, also previously discussed on October 28, 2013.

In Today’s World, Companies Face Large Exposure from a Wide Variety of Possible Data Breaches

As the world becomes more interconnected, data breaches and cyber-attacks are increasingly becoming an unfortunate reality for many organizations. The stakes are high: a data security breach can disrupt a company’s operations, damage the business’s reputation, cause its stock price to fall, lead to the loss of business, and attract government investigations, agency action, and class action lawsuits. Complicating matters is the fact that a patchwork of state and federal laws can apply to the same data security breach incident.

Preliminary Cybersecurity Framework Released in Furtherance of President Obama’s Executive Order

The National Institute of Standards and Technology (NIST) has just released its Preliminary Cybersecurity Framework: a set of best practices to help owners and operators of critical infrastructure reduce cybersecurity risks. This voluntary framework provides both private and public-sector organizations with a common language for understanding and managing cybersecurity risks internally and externally. The framework stems from President Obama’s February 2013 Executive Order on cybersecurity, previously covered by this blog. The Final Framework is due to be released in February 2014, following a 45-day public comment period on the Preliminary Framework.

Update of Proposed Rule Changes: A Universal Federal Sanctions Standard for the Failure to Preserve ESI Could be a Reality

The United States Courts’ Advisory Committee on Civil Rules (“the Committee”) has proposed various amendments to the Federal Rules of Civil Procedure that, if adopted, will profoundly affect the range and scope of sanctions a court may impose for failures to preserve electronically stored information (“ESI”). F.R.C.P. 37(e), which currently addresses sanctions in those instances, is one of several rules slated for amendment.

An International Standard for E-Discovery?

The International Organization for Standardization (“ISO”) is forming a new e-discovery committee tasked with the development of standards for e-discovery processes and procedures. The international standard “would provide guidance on measures, spanning from initial creation of [electronically stored information] through its final disposition which an organization can undertake to mitigate risk and expense should electronic discovery become an issue” according to a draft committee charter.

Netflix Case Illustrates Potential Social Media Pitfalls Facing Public Companies

As we reported in the Gibbons E-Discovery Law Alert in May 2012, “Reg FD” could present a potential pitfall for those that post material non-public information via social media platforms. In early December 2012, that “pitfall” became a reality for Netflix Inc. CEO Reed Hastings. In July 2012, Hastings published on his public Facebook page a 43-word post concerning viewership statistics, including that Netflix subscribers had watched one billion hours of video the previous month.