Is the popular Dropbox file sharing application a huge eDiscovery risk?


First, let me say the Dropbox file sharing program is one of the greatest applications I’ve run across in a long time, and to date it has approximately 25 million users world-wide. What is Dropbox? Dropbox is a cloud storage application which synchronizes files between computers and other electronic devices like iPhones. Installing Dropbox creates a special folder on your computer. Anything that you put in this folder is automatically synchronized with any other computers or iPhones on which you’ve installed the service. The files you drop in for synchronization are also located on a remote server, which means you can download files even when all of your other devices are turned off or offline. It’s easy to understand why instant synchronization across all your computers and iPhones is inherently fantastic. You drop a file into your Dropbox folder on, say, your work computer and it’s almost instantly on all your other computers (with an internet connection) and iPhones, be it at home, work, on the road or on vacation. What’s greater than that?

You need to be aware of a couple of potential problem areas if you are going to install Dropbox. First, when you delete a file in your Dropbox folder on your computer, it is not really deleted from the Dropbox cloud. It is classified as “Deleted” and will disappear from your desktop folder, but in the Dropbox cloud it still exists and can be “Undeleted”.

Dropbox saves a history of all deleted and earlier versions of files for 30 days for all Dropbox accounts by default. If you have the Pack-Rat add-on, Dropbox saves those files for as long as you have the Pack-Rat add-on. With Pack-Rat, you never have to worry about losing an old version of a file. You can permanently delete files inside of the 30 days but that must be done in your web account.

Another capability to be aware of is the “Events” tab in the web account.

The Events window shows you all of the recent(?) activity that has taken place in your account. This includes a wide variety of data such as the addition and deletion of files, moving files, adding and removing folders, sharing files and folders, linking computers to your account and more. At this point I’m not sure how long this history is available in a given account but in my account, the history is showing info back to when I created the account 6 months ago.

All of these great capabilities point to two areas of concern that organizations need to be aware of. First, could intellectual property theft get any easier? A worst-case scenario would be the following: an employee decides to leave the company and wants to take some IP he or she has been working on for the last 7 months. The employee can simply drag the electronic files to the Dropbox folder on their company-supplied computer and later that night access them from their computer at home or, even worse, give their new employer the password to their Dropbox account, and within seconds all that IP is sitting on the new employer’s desktop. It can happen in a matter of seconds. Would the current employer even be able to tell if that IP was copied?

An even more interesting concern arises around eDiscovery risk. Would the fact that a custodian has or had at one time a Dropbox account, make all of their non-business supplied computers and iPhones a target of eDiscovery if they were a party to litigation in their organization?

An opposing counsel’s questioning might go something like this:

Opposing counsel: “Bill, do you now or did you during the time period in question have a Dropbox account?”

Bill: “Possibly…I’ve had one for some time”

Opposing counsel: “While you’ve had the Dropbox account, have you ever copied work related documents or emails to your Dropbox account for whatever reason?”

Bill: “Yes I have”

Opposing counsel: “Could you have copied files that are relevant to the current case?”

Bill: “Maybe…I don’t remember”

Opposing counsel: “You don’t remember…is that the truth?”

Bill: “Is that the truth? …YOU CAN’T HANDLE THE TRUTH!! (Jack Nicholson flashback)”

Opposing counsel: “Judge, I would like to include every computer and iPhone Bill has access to in the eDiscovery request as well as Bill’s Dropbox account to view any deleted files as well as his “Events” history.”

Bill: “You’ve got to be kidding…Judge?”

Judge: “Do I look like I’m kidding? …Makes sense, approved”

Is the preceding example a possibility? Sure it is. So how would your organization defend against this type of eDiscovery risk?

In my experience, if you inform employees (in writing) that by using the Dropbox application on their work computers, personal computers and company-supplied iPhones they open themselves up to having their personal home computers, or any computer that had the Dropbox application installed, potentially accessed and reviewed by attorneys, most employees will refrain from installing it on their work-related computers. It would also be a good insurance policy to create a computer use policy which includes a directive against installing the Dropbox application on work-owned assets.

Again, let me stress that I think the Dropbox application is fantastic and has great uses for everyday life but employees and organizations need to be aware of the risks associated with it in litigation.

Placing a “Computer Illiterate” in charge of eDiscovery is not a winning strategy for the defense


A case that had been decided for the plaintiff years earlier was reopened due to eDiscovery process questions. In the case of Green v. Blitz U.S.A., No. 2:07-CV-372 (TJW), 2011 WL 806011 (E.D. Tex. Mar. 1, 2011), the original attorney for the plaintiff was a plaintiff’s attorney on another case against the same defendant. During discovery for this other trial, the plaintiff’s attorney found out that evidence that should have been turned over for the previous plaintiff’s trial had not been. Because of this fact, the original lawsuit was reopened. In this second trial it was revealed that the defendant had placed a single person in charge of electronic discovery for several ongoing cases. The problem with this was that the person put in charge of eDiscovery was less than experienced. In fact, it was revealed that the employee “solely responsible for searching for and collecting ESI relevant to litigation between 2004 and 2007 issued no litigation hold, conducted no electronic word searches for emails, and made no effort to speak with defendant’s IT department regarding how to search for electronic documents.” In fact, the employee himself stated that he was “about as computer illiterate as they get.”

Making matters worse, some of the information discovered after the close of plaintiff’s case would have easily been identified with a simple word search, as the target words were in the subject line of one of the undisclosed emails specifically discussed by the court. Also of note, as to the specific email discussed by the court, was the fact that the employee tasked with discovery was a recipient of the email and still failed to disclose it in discovery. Despite failing to produce relevant material, the defendant made the certification that “full and complete disclosure ha[d] been made in accordance with the Federal Rules of Civil Procedure and the Court’s orders.”

The court also discussed defendant’s failure to issue a litigation hold to its employees and its failure to cease rotation of its backup tapes, two other actions expected when litigation is reasonably anticipated. Accordingly, the court concluded that “it will never be known how much prejudice against the plaintiff was actually caused by the defendant’s failure to preserve documents” and found that sanctions were warranted.

Given the context and type of documents not disclosed, the court found that defendant’s conduct was a willful violation of the Court’s Discovery Order and that plaintiff had been prejudiced as a result. In other words, the original award would have been much higher if the ESI was found and turned over.

I don’t know if the defendant’s counsel choosing a totally inexperienced person to run the eDiscovery process was just stupid or was part of a strategy to ensure responsive ESI was not found. I think, minus proof of the second, we will have to go with the first explanation.

That being said, litigation hold and eDiscovery are serious business and should never be taken lightly. Having control of your organization’s ESI is an important responsibility expected by the courts.

Case summary from eDiscoverylaw.com

Adequately Securing ESI


The law firm of Gibson Dunn has just published their mid-year Electronic Discovery and Information Law Update and pointed out some interesting trends. The report can be viewed here.

From the Gibson Dunn report:

Of the 103 opinions Gibson Dunn analyzed, litigants sought sanctions in 30% (or 31)–compared to 42% in all of 2009–and received sanctions in 68% of those cases (or 21)–compared to 70% in all of 2009.

Courts have continued to impose monetary sanctions on outside counsel for failing to adequately supervise a client’s collection and preservation of electronically stored information (“ESI”). In re A&M Florida Properties, the court sanctioned both the client and its outside attorney, noting that although neither had acted in bad faith, sanctions were appropriate because outside counsel “simply did not understand the technical depths to which electronic discovery can sometimes go.”

Similarly, in Wilson v. Thorn Energy, LLC, No. 08 Civ. 9009 (FM), 2010 WL 1712236 (S.D.N.Y. Mar. 15, 2010) (Maas, Mag. J.), the court imposed an adverse inference sanction for gross negligence where the defendants had lost all data relevant to a large transaction when a USB drive was erased.  Id. at *3.  The Wilson decision declined to apply the protections of Federal Rule of Civil Procedure 37(e), which provides a “safe harbor” “for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system,” as the erasure occurred outside of any routine document management procedures.  Id.

Based on these findings, sanctions for eDiscovery failures are still rising and the courts are holding outside counsel responsible for the discovery practices of their clients.

The Wilson v. Thorn Energy case is interesting for the fact that the responsive data in question was stored entirely on a “USB Thumb drive” with no backup. This brings up the question: what is an acceptable procedure for securing responsive or potentially responsive ESI? Is dumping it to a legal department share drive enough? How about storing it solely on a backup tape? How about putting it on an attorney’s laptop hard disk? The main question that I will address in the next blog post is: what do you need to do to ensure the ESI will be available later on?