The Curious Case of EMI v. Comerica: A Bellwether on the Issue of "Reasonable Security"?
Security breaches in the online banking world continue to yield interesting lawsuits (you can read about three others in this post). The latest online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”) provides some new wrinkles that could further illuminate the boundaries of “reasonable security” under the law. Brian Krebs has a good article summarizing the case. In addition, bankinfosecurity.com has a recent article on this matter (in which yours truly was quoted). In this post we take a look at the EMI Lawsuit, consider some legal questions that the case raises, and analyze how it might impact the question of what constitutes “reasonable security” under the law.
The Allegations
On a general level the EMI Lawsuit involves a basic fact pattern that is similar to several online banking security breach cases: criminals were able to obtain the login credentials of a bank’s business customer and wire transfer large sums of money from the customer’s account (in the EMI lawsuit approximately $560,000 was allegedly wired). Like other online banking cases, the bank in this case (Comerica) did not reimburse EMI for the unauthorized wire transfers, and this lawsuit was eventually filed.
However, the EMI Lawsuit differs in two substantial ways from the online banking cases InfoLawGroup previously reported on. First, unlike the other online banking breach suits, in the EMI Lawsuit Comerica had implemented (and EMI was using) 2-factor authentication. In particular, Comerica had implemented a token-based 2-factor system. It appears that Comerica online banking customers were provided with a physical token that displayed a one-time number which changed at regular time intervals. To use online banking, Comerica customers had to enter their username and password as well as the number currently showing on their token. Without all three pieces of information, logging into Comerica's online banking was not possible.
Second, in the other lawsuits it was not known (or at least unclear from the complaint) how the criminals obtained the banking customer's online banking credentials. In the EMI Lawsuit, however, the bad guys allegedly obtained EMI's login credentials through a "phishing attack." EMI alleges that one of its employees was tricked into giving those login credentials to the criminals via a spoofed email that purported to be from Comerica. This fake email was allegedly similar to those sent by Comerica to EMI in the past. Apparently the EMI employee provided not only the username and password, but also the number then showing on the token, giving the criminals all three pieces needed to log in. The complaint alleges that the thieves were able to conduct about 97 money transfers over a period of approximately 6 ½ hours.
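To make concrete why a changing token number does not by itself defeat this kind of attack, the following is an added Python sketch, not code from the complaint or from Comerica's actual system. It assumes a time-based token of the RFC 6238 style with a 60-second step, a verifier that tolerates one step of clock drift in either direction, and a constructed seed, username and password; the spoofed page simply captures the three factors and the attacker submits them to the real bank a few seconds later.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per token interval (assumed; the page only says "regular intervals")


def token_code(secret: bytes, now: float, step: int = STEP, digits: int = 6) -> str:
    """Time-based one-time code: HMAC-SHA1 over the current time counter, truncated
    to `digits` decimal digits (the RFC 6238 / RFC 4226 construction)."""
    counter = int(now // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class BankLogin:
    """Minimal three-factor login check: username, password and current token code."""

    def __init__(self, users: dict):
        # users maps username -> (password, token_secret); constructed test data
        self.users = users

    def verify(self, username: str, password: str, code: str, now: float, window: int = 1) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        stored_password, secret = record
        if not hmac.compare_digest(stored_password.encode(), password.encode()):
            return False
        # Accept the current step plus `window` steps either side to absorb clock drift.
        for drift in range(-window, window + 1):
            if hmac.compare_digest(token_code(secret, now + drift * STEP), code):
                return True
        return False


def phish_and_relay(bank: BankLogin, captured: tuple, relay_delay: float) -> bool:
    """The spoofed page captured (username, password, code, time_submitted); the attacker
    presents the same three factors to the real bank `relay_delay` seconds later."""
    username, password, code, submitted_at = captured
    return bank.verify(username, password, code, now=submitted_at + relay_delay)


def demo() -> dict:
    secret = b"constructed-token-seed"          # assumption: the token's seed
    bank = BankLogin({"emi-clerk": ("Winter2009!", secret)})
    t0 = 1_230_000_000                           # constructed timestamp of the victim's submission
    code = token_code(secret, t0)
    captured = ("emi-clerk", "Winter2009!", code, t0)
    return {
        "legit": bank.verify("emi-clerk", "Winter2009!", code, now=t0),
        "relayed_10s": phish_and_relay(bank, captured, relay_delay=10),     # inside the window
        "replayed_10min": phish_and_relay(bank, captured, relay_delay=600),  # ten steps later
    }


if __name__ == "__main__":
    print(demo())
```

With a one-minute step and the customary one-step tolerance, a phisher who relays the captured code within roughly two minutes is indistinguishable from the customer; only a code that has aged out is rejected. The token proves possession at the moment the code was typed, not that the person typing it was on the bank's real site, which is why the analysis below turns on what else, beyond the token, a bank should have had in place.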
Analysis
This case raises several interesting legal issues. In fact, this case could ultimately illuminate how courts view the scope of a “reasonable security” duty.
Existence and Scope of a “Reasonable Security” Duty.
One of the issues that will be key in this case is whether the bank has a legal duty to prevent these types of phishing attacks. The Shames-Yeakel case recognized a general duty to protect a customer's online banking accounts. In that case, however, it is unclear how the bad guys obtained the banking customer's online credentials. This case is a little different because phishers were able to trick the customer into volunteering its online banking credentials. Assuming a general duty exists, the question is whether that duty extends to preventing, or reducing the risk of, its customers being duped by social engineering attacks like phishing.
On that issue, in the EMI Lawsuit (like many of the other online banking lawsuits) the plaintiffs allege that Comerica failed to comply with the "commercially reasonable" security procedure requirement under Michigan's version of UCC 4A-202 (MCLA 440.4702(2)), which provides in relevant part:
(2) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted.
Subsection (3) explains how “commercial reasonableness” is to be determined under MCLA 440.4702(2):
(3) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated.
Significantly, the existence of a duty and whether Comerica's security procedures were commercially reasonable under MCLA 440.4702(2) are questions of law, and will be decided by the Court, not a jury. Also of note, some of the plaintiffs' allegations track the factors laid out in MCLA 440.4702(3), including the allegation that EMI had performed only two wire transfers in the two years prior to the attack. From a legal standpoint, assuming this case does not settle, the fact that this is a question of law means we could see actual briefing and a court decision on the issue of reasonable security.
One of the factors that courts look to in order to determine whether a duty exists and its scope is foreseeability -- was this attack and/or the resulting harm foreseeable by the bank? In fact, EMI alleges that the secure token technology was one that was already known to fail. On this issue, in general, we know that phishing attacks have been around for a while. We also know that banks and other organizations have developed approaches to try to prevent these types of attacks. Finally, security professionals tell me that use of phishing to foil two-factor authentication is also a risk that has been discussed in the past. In fact, a similar phishing attempt spoofing a Citibank online banking portal was reported back in 2006. As such, we will likely see significant arguments from both sides on this issue.
“Reasonableness,” Industry Standards and Tug Boats
This case is interesting because Comerica was actually using 2-factor authentication. In the Shames-Yeakel matter, the court ruled that the failure of the bank to use two-factor authentication as suggested by FFIEC guidance created a question of fact appropriate for a jury. Thus, unlike Shames-Yeakel and other online banking cases, at least with respect to authentication, it appears that Comerica was meeting what some would call the "industry standard.”
However, at this point in time it is possible that a court could rule that 2-factor authentication only serves as a floor, and that industry standards for online banking security have evolved further. In other words, to the extent this "man in the middle" type of attack was known and there are methods for addressing it (especially in the phishing context), the "industry standard" for online banking may be 2-factor authentication PLUS other security measures. Again, the plaintiffs allege several other measures they believe should have been in place, including verifying the computer sending the wire transfer instructions, security testing, and fraud monitoring programs. The key issue here will be determining what other similar banks are doing to address this risk.
Moreover, even if 2-factor authentication is considered the "industry standard," under the law an entire industry may not be implementing reasonable security. The rationale for this was explained by Judge Learned Hand in the famous (for first year law students at least) T.J. Hooper case. In T.J. Hooper, the plaintiffs were shipping two barges full of cargo when the vessels encountered a storm. The barges were towed by two tugboats owned by the defendants. Unfortunately the tugs were unable to pull the barges safely out of the storm and the cargo they carried was lost. The plaintiffs asserted that the defendants were negligent because their tugboats were not equipped with effective radio sets capable of receiving warning of the storm. The defendants argued that they did not owe the plaintiffs a duty to carry such a radio because such radios were a new technology and it was not common practice in the tugboat industry to carry them. Judge Learned Hand disagreed:
Indeed in most cases reasonable prudence is in fact common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices. . . . Courts must in the end say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission.
What is the import of this? Under the law of negligence, a defendant can avoid liability even if a plaintiff suffered harm, as long as the defendant did not breach its duty of care. In this context, if the bank's security measures were "reasonable" under the law it would not be liable. I think the fact that the bank used 2-factor authentication and can point to the FFIEC guidance will help its cause in this respect. Nonetheless, it is possible the court will rule either that industry standards have evolved further or that the entire online banking industry was "lagging" behind in its reliance on 2-factor authentication. From a legal perspective it will be very interesting to watch the court's analysis on the issue of reasonableness as it relates to industry standards (and hopefully it will provide more guidance for lawyers and banks going forward).
What about EMI’s fault?
There is a concept in the law called contributory negligence (or comparative negligence). You can read more about it here. Essentially this concept recognizes that a plaintiff (the bank customer in this case) may also have been negligent and may have contributed to the harm it allegedly suffered. In some states, if the plaintiff was more than 50% responsible, it would be barred from any recovery. Other states, including Michigan (where the EMI Lawsuit was filed), employ a "modified comparative negligence" approach. Using this approach, if the plaintiff was 60% negligent and the bank 40%, the bank would be responsible for only 40% of the plaintiff's loss. I think there is likely a good argument to be made that EMI should bear some of the responsibility for the unauthorized use of its online banking accounts. In fact, if you read Comerica's answer to EMI's complaint you will see that Comerica appears to be taking that position:
16. Denied that the alleged website “appeared to be a Comerica website” to any reasonably alert person who was responsible for safeguarding EMI’s financial records and digital credentials.
26. Denied that any perpetrators infiltrated EMI's bank accounts. Valid credentials assigned to an EMI employee were used to authenticate a logon for purposes of online banking transactions. If some unknown criminals used those credentials, rather than the EMI employee to whom they had been entrusted, this was caused solely by the actions of that EMI employee.
Whether EMI bears some responsibility will be a very fact-intensive inquiry that will include an analysis of the spoofed email, Comerica's previous practices concerning requests for login credentials, and the actions and decision-making process of the employee who provided the credentials to the criminals.
Conclusion
In general, I believe that these online banking cases have more legs than other types of security breach lawsuits because the plaintiffs have suffered actual damages/harm. Evidence of this is the Shames-Yeakel case, which proceeded past a motion for summary judgment. Contrast this with the numerous security breach cases brought by consumers that have been dismissed relatively early in litigation. In those cases, the plaintiffs whose information was stolen have argued that they suffered harm because they had to pay for credit monitoring. Courts have more or less consistently rejected this argument. For online banking cases, plaintiffs don’t have that problem. In this case the plaintiff is out hundreds of thousands of dollars, so damages are clear.
So if a plaintiff can get past the motion to dismiss phase on the issue of damages, do the defendants have an opportunity to get summary judgment (rather than risk having to present their case to a judge and jury, something every company likes to avoid if possible)? The problem for banks is that the issue of whether a bank's security measures were "reasonable" is likely a "question of fact." Courts are typically not willing to grant summary judgment where questions of fact exist for a jury to decide.
That said, this case is a little different from those in my other blog post because of the phishing issue and because the issue of commercial reasonableness is a question of law under MCLA 440.4702(2). Whether a duty exists under the law is also typically a question of law that courts (as opposed to juries) decide. I think there will be a battle at both the pleading and summary judgment phases, with the bank arguing that it has no duty under the law to prevent its customers from being duped and that its practices were commercially reasonable under MCLA 440.4702(2). If Comerica does not win these arguments then this case could go to a jury, which poses legal risk.
Massachusetts's Highest Court Delivers BJ Wholesalers (and other Retailers) a Data Breach Liability Gift
While the proverbial jury is still out concerning retailers' sales success this 2009 holiday season, Massachusetts's highest court (the Supreme Judicial Court, or "Supreme Court" as referenced herein) delivered retailers a significant holiday gift in the form of an opinion slamming the door on some financial institutions seeking to recover reissuance costs arising out of a retailer's payment card data breach. The Cumis Insurance Society, Inc. v. B.J.'s Wholesale Club, Inc. decision ("Supreme Court Decision") analyzed and ruled upon most of the mainstream legal theories issuing banks have used to attempt to recover card reissuance costs, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation, and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter 93A, section 11). We have previously commented on multiple decisions involving retailer payment card breaches similar to the BJ's Wholesale breach and PCI liability in general, including a 3rd Circuit federal appellate decision that allowed issuing banks to proceed forward with a third party beneficiary breach of contract theory. This blog post dives into and analyzes the Supreme Court Decision, and looks at it in context against similar decisions. Overall, in terms of issuing banks recovering for payment card breaches, the game does not appear to be litigation in the courts, but rather the backroom contracts and recovery processes contained in the card brand operating regulations that most retailers agree to comply with.
Relevant Facts
The Supreme Court Decision arises out of a payment card breach of BJ's Wholesale Club, Inc. ("BJs") involving approximately 9.2 million payment cards and millions of dollars in fraud. The plaintiffs in this case are credit unions and their insurer who incurred costs to reissue the payment cards that were impacted by the breach (as well as costs for fraudulent charges that arose out of the breach). The plaintiffs allege that thieves were able to compromise BJs' systems because BJs and its acquiring bank (Fifth Third Bank) breached two sets of contractual obligations. With respect to BJs, the plaintiffs alleged that BJs breached its contract with Fifth Third, which prohibited the storage of magnetic stripe data after authorization of card transactions. In turn, the plaintiffs alleged that Fifth Third breached its Membership Agreement with Visa and Mastercard, which required Fifth Third to ensure that merchants like BJs did not store magnetic stripe data post-authorization.
Alleged Claims and the Supreme Court’s Decision
The plaintiffs alleged several causes of action against BJs and Fifth Third, including breach of contract under a third party beneficiary theory, fraud, negligence, negligent misrepresentation, and breach of unfair/deceptive practices laws (in this case M.G.L. Chapter 93A, section 11). The lower court had granted the defendants' motion to dismiss all of the plaintiffs' causes of action, and the Supreme Court was asked to review the lower court's decision. Ultimately, as described below, the Supreme Court agreed with the lower court's decision and upheld it.
Breach of Contract – 3rd Party Beneficiary Theory
The plaintiffs alleged that they were the intended third party beneficiaries of two separate contracts. First, the Merchant Agreement between BJs and Fifth Third prohibited the storage of magnetic stripe data, and the plaintiffs alleged they were the beneficiaries of, and should be able to enforce, that agreement against BJs. Second, the plaintiffs also alleged that they were the intended third party beneficiaries of the Membership Agreement between Fifth Third and Visa/Mastercard. Pursuant to the Membership Agreement, Fifth Third agreed to ensure that its merchants did not store magnetic stripe data.
Unfortunately for the plaintiffs, the Merchant Agreement contained the following language:
This Agreement is for the benefit of, and may be enforced only by [Fifth Third] and [BJ's] and their respective successors and permitted transferees and assignees, and is not for the benefit of, and may not be enforced by, any third party.
Despite this language, the plaintiffs maintained that the prohibition against storing magnetic stripe data was intended to benefit them. Citing a lower court judge who had indicated that any benefits to the plaintiffs in the Merchant Agreement were incidental, and relying on the specific intent referenced in the disclaimer, the Supreme Court upheld the dismissal of the breach of contract claim based on BJs Merchant Agreement.
With respect to the Membership Agreements between Fifth Third and the card brands, the Supreme Court held that the plaintiffs' third party beneficiary allegations were conclusory in nature and not supported by any facts establishing Visa's or Mastercard's intent to have them as beneficiaries able to enforce the Membership Agreement. While Visa's and Mastercard's operating regulations did not have a specific third party beneficiary disclaimer, both Visa and Mastercard reserved the right to interpret and enforce such regulations. The Supreme Court viewed this as indicating an intent to prohibit enforcement of the Membership Agreement by others like the plaintiffs (the Supreme Court viewed that as consistent with the TJX decision). Interestingly, this case involved the same facts as another BJ's Wholesale Club case in federal court that allowed the plaintiff banks to proceed with a third party beneficiary claim. In the federal case, Visa and Mastercard representatives actually testified at deposition that the operating regulations around magnetic stripe data were intended to protect the participants in the system, including issuers. However, the Supreme Court found that the plaintiffs failed to submit that deposition testimony into the court record, so that testimony apparently was not considered by the Supreme Court.
Negligence – Economic Loss Doctrine
The Supreme Court did not address whether BJs or Fifth Third, for purposes of a negligence theory, had a duty to employ reasonable security with respect to cardholder data. Rather, the Supreme Court relied on the economic loss doctrine to dismiss the plaintiffs' negligence claim. Under the economic loss doctrine, plaintiffs cannot recover using a theory of negligence unless physical harm or harm to property exists (as opposed to pure "economic loss"). The plaintiffs argued that tangible harm did exist because the physical credit cards had to be reissued after the BJs breach. On this issue, the Supreme Court again followed the BJ's Wholesale decision rendered in federal district court (see the 3rd Circuit appellate decision upholding that rationale), which held that reissuance costs are economic in nature even if related to a physical card. In this case the cards themselves were not harmed, since consumers could still use them after the breach. Rather, the Supreme Court found that the plaintiffs chose to cancel the cards for the purpose of avoiding future economic loss.
Fraud and Negligent Misrepresentation
The Supreme Court also rejected the plaintiffs' fraud and negligent misrepresentation claims. The basis for these claims was again tied to the defendants' contractual promises to comply with the card brands' operating regulations. In disposing of the fraud claim, the Supreme Court noted that the plaintiffs admitted neither BJs nor Fifth Third made any direct representations to the plaintiffs about whether they were storing magnetic stripe data. Moreover, despite alleging that they would have changed their behavior had they known about the risk of magnetic stripe exposure, the reality was that the plaintiffs continued to participate in the Visa and Mastercard systems. There was no evidence that the plaintiffs would have acted any differently had they been aware that BJs was storing magnetic stripe data.
With respect to the negligent misrepresentation claim, the Supreme Court cited case law indicating that failure to perform a contract does not equate to a negligent misrepresentation claim. Moreover, statements of opinion, or of conditions expected to exist in the future, cannot support a negligent misrepresentation claim. In this case, dismissal was warranted because there was no evidence that BJs never intended to comply with its Merchant Agreement at the time it entered into it.
In addition, the Supreme Court held that even if entering into an agreement constituted a representation of compliance with the magnetic stripe disposal requirements, there was no evidence that plaintiffs’ alleged reliance on that representation was justifiable. The Supreme Court essentially held that no reasonable person would rely on the regulations prohibiting the storage of magnetic stripe data. The court pointed to evidence indicating that the participants in the payment card system expected that the operating regulations would be breached because Visa and Mastercard instituted a system of fines and penalties for non-compliance. In addition, the plaintiffs’ purchase of insurance to cover credit card fraud was listed as evidence that plaintiffs anticipated this type of fraudulent activity. Finally, the plaintiffs had received numerous alerts from Visa and Mastercard concerning payment card breaches and fraud involving compromised magnetic stripe data (I find this reasoning very convoluted, at best. The existence of rules to deter certain behavior seems to create some certainty that such behavior should not be happening).
M.G.L. Chapter 93A, section 11
Since the plaintiffs' M.G.L. Chapter 93A, section 11, equitable indemnification, and subrogation claims were all based on the dismissed fraud and negligent misrepresentation claims, they were also dismissed. Interestingly, unlike the First Circuit appellate court's decision in the TJX matter, the Supreme Court did not consider whether the plaintiffs had a viable cause of action based on the "unfairness" prong of the Massachusetts law (e.g. whether BJs' information security was so poor that it constituted an "unfair practice").
Conclusion
This case is yet another in the increasingly long series of cases that allow retailer defendants to escape liability arising out of data breach litigation at the motion to dismiss phase. What lessons does it hold for the various payment card stakeholders?
On the merchant side, for any agreement where the merchant is making promises about data security or PCI compliance, make sure there is a strong disclaimer of third party beneficiaries. This will cut issuing banks off on that theory fairly early. Also on the merchant side, be careful of what you say about security and compliance with card brand rules and operating regulations. To the extent a merchant makes representations concerning security (especially direct representations), they may be opening themselves up to misrepresentation claims. The consequences could be serious since negligent misrepresentation and fraud claims are not barred by the economic loss doctrine (and at least one court has provided those theories some legs).
From the issuing banks' point of view, the question becomes whether litigation is worth it in this context. This is especially true now that both Visa and Mastercard (I believe; their regulations are not all public) have explicit recovery mechanisms within their systems that can allow an issuing bank to recover without going to court. Visa and Mastercard have both tightened up their contracts and operating regulations to disclaim third party beneficiary theories (although if an issuing bank is to pursue such a theory, make sure to get the deposition testimony from the Visa and Mastercard officials referenced in the 3rd Circuit's BJ's Wholesale case). One area for issuing banks to take a harder look at is state unfair/deceptive trade practice acts. As mentioned above, at least one high court has indicated that inherently poor security may amount to an unfair practice. This line of thinking also happens to be consistent with several high profile FTC actions, including of course one involving BJ's Wholesale Club.
The Merchants Strike Back?
With the recent news of several restaurants teaming up to sue point-of-sale system provider Radiant Systems (a copy of the complaint can be found here) for failing to comply with the PCI Standard, it appears that some merchants may be in a mood to strike back in the aftermath of a payment card security breach. This lawsuit comes in the wake of a couple of lawsuits against payment card security assessor Savvis for allegedly failing to properly validate a processor's Visa CISP compliance (admittedly, in that case it is the merchant bank suing the assessor, but a similar cause of action could exist for a merchant if its assessor makes a mistake in verifying PCI compliance). While two instances certainly don't indicate a trend, they do indicate a potential route that merchants may consider to deflect liability arising out of a payment card security breach.
It is possible that we will see more lawsuits by merchants against service providers, payment processors, and application/point-of-sale system providers in the coming months and years. Part of the reason is that the PCI regulatory system imposes a form of “strict liability” on merchants that suffer a security breach. Fines, penalties and the availability of recovery processes are contingent (in part) on whether or not a merchant was PCI-compliant at the time of the breach (see e.g. Visa’s ADCR). Thus, when a Qualified Incident Response Assessor ("QIRA") comes in after a credit card breach to do an audit one of its main tasks (if not its primary goal) is to ascertain whether the merchant was PCI-compliant.
Lost in the shuffle sometimes, however, is the issue of "causation." The question that is not being asked is whether PCI compliance would have prevented the breach, or whether the lack of PCI compliance was the cause of the breach. In other words, would PCI compliance have made a difference? In some cases the answer is obvious. For example, if a merchant is holding onto sensitive authentication data, clearly PCI compliance (which prohibits storing such data after a transaction is authorized) would have precluded that particular payment card breach. In other situations, however, the answer might not be as clear cut.
Moreover, even where a merchant is found not PCI compliant, the question still remains whether any other party was fully or partially responsible for the breach itself. Was the merchant’s payment application the source of the breach? Was the merchant working with a service provider, gateway or processor that could have been the source of a virus or attack by a hacker? Unfortunately, with their focus on PCI compliance, a QIRA may not have cause to investigate further into these possibilities (and a separate forensic assessment by an independent forensic firm may be necessary). In fact, I have seen an audit report where the auditor literally indicated that it could not determine how malware got onto a merchant’s system or whether cardholder data ever left (and in the report decided to speculate that it may have been porn or file sharing sites).
Beyond the entities involved in storing, processing or transmitting payment cards, merchants may also begin to target companies assisting their efforts to achieve and validate compliance with PCI. Consultants that help merchants become PCI compliant or remediate PCI violations may be targets if they make a mistake. Moreover, as Savvis shows, qualified security assessors that make mistakes in their validation of PCI compliance are also potential defendants.
Despite sometimes having a variety potential targets to recover from, merchants still face obstacles to actual recovery post-security breach. The biggest obstacles are the contracts that merchants enter into with the entities mentioned above. In most cases these contracts contain terms that effectively limit the liability of these entities and make it very difficult to recover under any theory of recovery.
So is there an answer for merchants to these contract clauses? Thinking ahead might make all the difference in this case. When entering into a contract with any of the various entities described above, at the Request for Proposal phase, merchants should make indemnification and other favorable contract terms (e.g. no limit of liability/disclaimer of consequential damages for security breaches) part of the bidding process. Merchants' prospective service providers, assessors, and application providers should be forced to compete on the issue of taking responsibility when they are fully or partially at fault for a security breach or an inaccurate/improper PCI validation. Proper levels of cyber insurance should be in place to allow merchants to recover if there is a breach. If merchants don't take these steps early on and in a disciplined fashion, they may find themselves holding the bag even in situations where others may have contributed to their security breach.
Legal Implications of Cloud Computing -- Part Four (E-Discovery and Digital Evidence)
Back by popular demand, this is Part Four in our ongoing series, Legal Implications of Cloud Computing. This installment will focus on digital evidence and e-discovery, and follows up on Part One (the Basics), Part Two (Privacy), and Part Three (Relationships). After all, what better topic than the cloud to tackle on the day after Thanksgiving, recovering from tryptophan and wine? As with many other areas previously discussed in this series, the cloud does not necessarily change the legal analysis, it just highlights the need to think through and anticipate the many areas of legal concern that could/are likely to arise when using the cloud. As a litigator, when I think about the challenges posed by the cloud, the one that seems most intuitive is e-discovery/digital evidence. It is always difficult to fully appreciate and digest the scope and volume of information that may be called for in litigation or in an investigation. The presence of corporate data in the cloud multiplies those considerations.
Some, but by no means all, of the digital evidence issues that should be considered in negotiating cloud arrangements and contracts (whether you are putting data in the cloud or designing and marketing a cloud offering), are as follows:
- preservation/retention/disposal;
- control/access/collection;
- metadata;
- admissibility; and, cutting across all of the foregoing
- cost.
As I will discuss below, like other forms of electronically stored information (ESI), one of the best ways for addressing data in the cloud in the discovery and evidentiary context is to plan ahead and discuss treatment of cloud data (a) in records retention policies well in advance of litigation; and (b) at the Rule 26 conference once litigation has commenced. And, if you read to the end, I will comment on the paucity of case law referencing the cloud (and describe the few references that have appeared in federal and state case law to date).
1. Preservation/Retention/Disposal
Organizations often have records retention policies and procedures in place to promote accessibility of information, protect sensitive information, and reduce the costs associated with storage of data that no longer serves any business or legal purpose. Those policies and procedures often call for the routine elimination of electronic information when it has outlived its business purpose and is no longer required to be retained for any legal reason. Numerous statutes and regulations, federal and state, including but not limited to tax, securities, SOX, and employment regulations, mandate that different categories of documents be maintained for certain periods of time. Making matters more complicated, numerous additional regulations require that information that is no longer needed for a business or legal purpose be destroyed such that it cannot be read or reconstructed (see, e.g., the FACTA data disposal rule).
Organizational records retention policies and procedures also address the need to suspend routine disposal and recycling of information in the event of a litigation hold requiring the ongoing preservation of certain categories of data that may be relevant to current or future litigation. These litigation holds are put in place pursuant to an organization's duty (not created by, but conveniently restated in, Zubulake IV, Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2003)) to preserve relevant evidence if they are sued or reasonably anticipate litigation or an investigation. “The obligation to preserve evidence arises when the party has notice that the evidence is relevant to litigation or when a party should have known that the evidence may be relevant to future litigation.” Zubulake IV, 220 F.R.D. at 216.
Needless to say, data preservation, retention, and disposal obligations extend to data in the cloud. Data in the cloud is just one more category of discoverable ESI. One of the unique attributes of the cloud is the ability to quickly and inexpensively replicate data for backup and disaster recovery purposes. Cloud users may not even realize how many copies of their data exist in a cloud environment (or where, but we discussed that in Part Two).
Cloud users should incorporate such cloud data into records retention policies, data maps, litigation holds, and disposal procedures. Further, in the event of a litigation hold, a cloud user may need to take special steps to ensure that data in the cloud, which may be continuously replicated and/or overwritten, is preserved in a forensically sound manner. If data is already subject to a litigation hold, potential users of the cloud should evaluate whether such data should be placed in the cloud in the first instance.
2. Control/Access/Collection
Under Rule 34 of the Federal Rules of Civil Procedure, a party may serve on any other party a request within the scope of Rule 26(b): (1) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party's possession, custody, or control. Who has control of data in the cloud? Well, the data owner. Ordinarily, that will be the organization that is putting data in the cloud, not the cloud provider. However, both users and providers of cloud services should carefully review and negotiate the terms of service level agreements to specify who technically owns the data in the cloud.
Service level agreements should also address how the cloud user and cloud provider will cooperate in responding to party or non-party discovery requests. The agreement should address the following questions, among others: In the event of a Rule 34 request to the cloud user, how will the cloud user access the data in the cloud? Rule 34(b)(2)(A) provides 30 days to respond in writing to a document request. How quickly will the cloud user be able to access the data in order to review it for discovery purposes? In the event of a subpoena to a non-party cloud provider, how will the cloud provider respond? Will the cloud provider notify the cloud user, and how quickly? Will the cloud provider seek a protective order to prevent and/or limit the disclosure of the cloud user's data? Is the cloud provider even legally required to turn over the data under the Stored Communications Act or other statutes?
This blog post does not address itself to the even more complex considerations that arise if the EU Data Protection Directive applies to the cloud data that is the subject of the document request (e.g., if the data involves EU residents and is being transferred between the EU and the US, and who knows what other jurisdictions, while swirling around in the cloud). The mere processing of such information could very well violate the Directive and member country laws. That is the subject of past and future posts.
3. Metadata
Of course, litigants may also discover metadata. The default rule, in the absence of a stipulation or court order, is that a party must produce ESI in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms. Rule 34(b)(2)(E)(2). Almost inevitably, ESI in the form in which it is ordinarily maintained will contain metadata.
Cloud users responding to Rule 34 requests need to determine in what form they will produce ESI in the cloud. They also need to consider, in advance, the potential need for special protections and objections with respect to that cloud metadata -- it may be too late to consider such objections once the cloud data review is underway. Further, cloud providers (and users alike) need to consider the possibility that certain metadata will only reside with the cloud provider and how that affects the parties' discovery obligations (especially if the cloud provider might be considered the data owner for purposes of that metadata).
4. Admissibility
The flipside of the explosion of case law and commentary addressing e-discovery over the past several years, particularly since the amendments to the Federal Rules in late 2006, is the stunning lack of case law addressing admissibility of ESI. One of my favorite decisions, for that very reason, is United States Magistrate Judge Paul W. Grimm's treatment of these issues in Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534 (D. Md. 2007). Lorraine was an unlikely candidate to spawn a 100-page opinion on authentication of electronic evidence -- it involved a yacht struck by lightning. However, Judge Grimm, clearly disappointed by the parties' failure to authenticate even basic e-mails (they were simply attached to the parties’ motions as exhibits), took the opportunity to provide much needed guidance.
I am unaware of any case law specifically addressing admissibility of ESI in the cloud. (More on that lack of case law regarding the cloud generally below.) In the interim, Judge Grimm's guidelines, going back to basics, are well worth a read. Like any other litigant purporting to introduce ESI as evidence, a litigant introducing cloud data must be able to demonstrate that the ESI is relevant and authentic, that it is not precluded by the hearsay rule (or fits within one of its exceptions) or the best evidence rule, and that its probative value is not substantially outweighed by the danger of unfair prejudice. As noted by the court in Lorraine,
Whether ESI is admissible into evidence is determined by a collection of evidence rules that present themselves like a series of hurdles to be cleared by the proponent of the evidence. Failure to clear any of these evidentiary hurdles means that the evidence will not be admissible. Whenever ESI is offered as evidence, either at trial or in summary judgment, the following evidence rules must be considered: (1) is the ESI relevant as determined by Rule 401 (does it have any tendency to make some fact that is of consequence to the litigation more or less probable than it otherwise would be); (2) if relevant under 401, is it authentic as required by Rule 901(a) (can the proponent show that the ESI is what it purports to be); (3) if the ESI is offered for its substantive truth, is it hearsay as defined by Rule 801, and if so, is it covered by an applicable exception (Rules 803, 804 and 807); (4) is the form of the ESI that is being offered as evidence an original or duplicate under the original writing rule, or if not, is there admissible secondary evidence to prove the content of the ESI (Rules 1001-1008); and (5) is the probative value of the ESI substantially outweighed by the danger of unfair prejudice or one of the other factors identified by Rule 403, such that it should be excluded despite its relevance.
Litigants may find a number of these evidentiary hurdles particularly challenging when it comes to cloud data, especially authenticity and hearsay. The proponent of even an email, blog post, IM, tweet, or other communication that resides only in the cloud may need to secure declarations, deposition testimony, or even live testimony of the author(s), the recipient(s), the data custodian, and/or the cloud provider itself. The same analysis must be considered for each and every such communication.
5. Cost
The costs associated with any e-discovery can be substantial. In the absence of well-drafted agreements between cloud users and providers, the presence of data in the cloud can only exacerbate those e-discovery costs. The parties to a cloud services agreement must determine which party will cover the costs associated with preserving, accessing, collecting, reviewing, and establishing admissibility of data in the cloud. Parties considering use of the cloud for certain kinds of data should evaluate whether the cost savings associated with using the cloud for that particular purpose outweigh the costs associated with processing data for discovery purposes if and when that becomes necessary.
Some Final Thoughts -- Current Lack of Case Law on the "Cloud"
I sometimes get questions about existing case law regarding the cloud. There is very little case law that actually uses the terminology.
Up until late July of this year, a search of Westlaw for "cloud computing" in all federal and state cases produced only one hit, Rearden LLC v. Rearden Commerce, Inc., 597 F. Supp. 2d 1006 (N.D. Cal. Jan. 27, 2009). That case did not actually involve the substance of cloud computing. It was a trademark infringement matter. As one of the arguments in support of their position that defendant's "Personal Assistant" software directly competed with plaintiffs' incubation and/or movie production services, plaintiffs maintained that both parties used "Cloud Computing" (the court's opinion used the term in quotes and initial caps). The court, referring to a party declaration, described "Cloud Computing" as "a term used to describe a software-as-a-service (SAAS) platform for the online delivery of products and services." (Compare the court's description to the NIST definition of cloud computing discussed in Part One.) It rejected plaintiffs' argument that defendant's primary business was "Cloud Computing," finding that "Cloud Computing" was merely the platform, not the end product: "plaintiffs erroneously conflate[d] a platform by which defendant launches its end service to consumers (i.e., software) with the end product itself (i.e., a web-based marketplace). Indeed, plaintiffs state that it is the technology developed on the SAAS platform that will likely compete with other SAAS/ Cloud Computing companies. Plaintiffs do not discuss the product itself, but merely the underlying platform used to create it." Rearden LLC, 597 F. Supp. 2d at 1021.
There are two more recent decisions that now come up in the same Westlaw search for "cloud computing": an unpublished procedural ruling in International Business Machines Corp. v. Johnson, 2009 WL 2356430 (S.D.N.Y. July 30, 2009), and an Oregon state court opinion in a criminal matter, State v. Bellar, 231 Or.App. 80, 217 P.3d 1094 (Sept. 30, 2009).
Johnson only mentions cloud computing in passing. The court rejected IBM's second attempt to obtain a preliminary injunction that would stop a former Vice President of Corporate Development from working in any role at his new employer, Dell, that would involve mergers and acquisitions, "as well as any role that would require him to advise Dell on its strategies related to such matters as enterprise services, servers, storage, so-called ‘Cloud’ computing and business analytics." The court rejected the second preliminary injunction request on procedural grounds.
The most recent opinion mentioning cloud computing, Bellar, involved an appeal regarding a motion to suppress in a prosecution for 40 counts of encouraging child sexual abuse in the second degree. The dissent discussed the defendant's privacy rights with respect to information in the cloud:
Nor are a person's privacy rights in electronically stored personal information lost because that data is retained in a medium owned by another. Again, in a practical sense, our social norms are evolving away from the storage of personal data on computer hard drives to retention of that information in the “cloud,” on servers owned by internet service providers. That information can then be generated and accessed by hand-carried personal computing devices. I suspect that most citizens would regard that data as no less confidential or private because it was stored on a server owned by someone else.
In 2010, we will undoubtedly start to see judges using cloud terminology and analyzing the consequences of the rapid spread of different kinds of data (trade secrets, privileged information, PII) in the cloud, both in pretrial discovery, at trial, and with respect to the merits of cases involving such information. In the meantime, as always, technology races ahead of the law.