Legal Technology Journal

 
FRCP blues
Written by Cynthia L Jackson, Baker & McKenzie   

Data management and compliance issues are presenting huge challenges, and firms with offices in the US would do well to take note of the FRCP electronic discovery rules.

In a world where the use of electronic data is rapidly increasing, managing this data to effectively control compliance risks is important in all jurisdictions. Unfortunately, of course, compliance rules differ from country to country. The aim here is to provide an overview of how firms (and, indeed, the companies they advise) should approach this in the US.

There is little wonder that 86% of general counsel in a survey conducted last year by the Association of Corporate Counsel (ACC) listed their main concern as ‘keeping track of company activities that may have legal implications’.1 A separate survey found that 24% of companies had had e-mail subpoenaed and 15% had gone to court over lawsuits triggered by just employee email. While one would expect law firms to be particularly careful, it pays to remain alert to the risks that electronic means of communication present. According to the same survey, 10% of e-mail at work contained sexual, romantic, or pornographic content.2

Even before the electronic discovery rules of the Federal Rules of Civil Procedure (FRCP) became effective on 1 December 2006, more than one in five companies had electronic communications subpoenaed during the course of litigation or a government investigation in 2004. This figure is more than double the percentage reported in 2001.3 In fact, US firms spent $1.2bn on outside electronic discovery services in 2005. That number is estimated at $1.9bn in 2006.4 With the passage of the FRCP on electronic discovery, one could expect such statistics to be eclipsed in short order. Surprisingly, however, in a survey conducted only two months before the FRCP amendments’ effective date, only 7% of corporate counsel indicated that their companies were prepared for the amended Rules and 54% were not even aware that the amendments would take effect in December 2006.5

Companies operating in the US must also comply with an increasing number of other laws regulating electronic communications, and new legislative proposals abound.6 Much regulation concerns the protection of sensitive personal information, eg the Electronic Communications Privacy Act 1986,7 the Health Insurance Portability and Accountability Act 1996,8 the Children’s Online Privacy Protection Act 1998,9 the Gramm-Leach-Bliley Act 1999,10 the Controlling the Assault of Non-Solicited Pornography and Marketing Act 2003,11 the California Security Breach Notification Act 2002,12 the California Security of Personal Information Act 2004,13 and numerous others.14

In addition to laws regulating document destruction and retention, companies must increasingly guard against hackers and loss of valuable intellectual property through electronic means.15 The internet can expose the company’s most valuable resources to third parties. Outside parties can hack into the company’s trade secrets and confidential information, steal passwords, and redirect users to download sites. Of these attacks, 33% are reportedly generated by internal users.16 In 2004, unsolicited e-mails accounted for 73% of all inbound e-mails; this was increased to 93% by 2006.17

In a recent National Center for Supercomputing Applications (NCSA) survey, 40% of respondents said they visit social networking sites at work, thereby exposing their employer’s network to hackers.18 Sixty-eight per cent of surveyed companies reported they had electronic crime in 2004; of those companies, 43% reported unauthorised access to information, systems or networks, and 14% reported a theft of IP.19 In recently unsealed court papers, it was disclosed that a senior DuPont scientist had downloaded, over the course of less than five months, 22,000 sensitive documents, and had transferred 180 DuPont documents to a laptop computer and then to his new employer covering DuPont’s ‘major technologies and product lines as well as new and emerging technologies in the research and developmental stage,’ valued at as much as $400m.20


Who cares or needs to care?

Management of electronic data affects nearly everyone in a law firm: compliance officers, internal auditors, finance, IT managers, HR and benefits personnel, IP and licensing personnel, as well as solicitors and their legal support staff. To broaden the example, US publicly traded companies have a host of reporting, auditing, and transparency obligations as a result of Sarbanes-Oxley (SOX) and the record-keeping and accounting obligations under the Foreign Corrupt Practices Act 1977. Companies in federal court litigation, or just ‘threatened’ by such litigation, must also be poised to leap into action to preserve relevant electronically stored data. Companies in banking and finance or health industries are subject to detailed laws and regulations governing collection, use, access, and dissemination of information. Those companies that operate internationally or export hardware or software products will find themselves obligated to manage their data, including encryption, in complex and sometimes conflicting manners.

But even for those companies that are not publicly traded, faced with actual or threatened litigation, engaged in particularly regulated industries or operating in the international market, the age of electronic data imposes challenges. Studies have indicated that one-third of data thefts are committed by current employees and the overwhelming number of actionable disparagement, discrimination, and harassment allegations arise from authorised employee users.21 No company is immune. Smaller and medium-sized companies should also think ahead and implement systems now to safeguard their IP from theft, protect their employees from claims of a hostile work environment, and prepare for document destruction overrides in the event of threatened litigation.

Ironically, the same technologies that have created the data proliferation headaches may also present a solution through well-designed and maintained electronic data management systems, tailored to meet the legal requirements posed by relevant laws and jurisdictions. Such electronic systems should include software systems with document retention and archiving features, document destruction overrides, encryption access restrictions when required, and monitoring and web-filtering capabilities when permitted. In addition to installing such a system, it is imperative that the proper legal parameters be identified and that personnel be trained in advance of a legal crisis to understand how to properly manage such data on a business-as-usual basis, so that electronic data can be quickly, properly, and easily captured and addressed when the legal need arises. Selection and implementation of electronic data management systems, creation and enforcement of policies, and ongoing personnel training and auditing to ensure that the system is in fact working before the legal crisis arises, all require the co-ordinated and thoughtful collaboration of company personnel.

Legal requirements to maintain electronic records

Absent a ‘litigation situation’, there is generally no universal duty in the US to preserve electronically stored data (or other records), although certain types of record preservation such as for tax, employment, and corporate records may be required under various federal or state laws. A ‘litigation situation’, on the other hand, will trigger information-preservation obligations, requiring a company to override its normal document destruction processes. The new amendments to the FRCP codify the need for a ‘litigation hold’ of documents the company reasonably believes are discoverable in anticipation of litigation.

The ‘litigation hold’ can be triggered long before the filing of an actual lawsuit, such as when the company receives any internal complaint to a ‘managing agent’; a preservation letter from a potential party or attorney threatening future litigation; pre-litigation correspondence; notice of an investigation by a governmental agency; subpoena or governmental request for information; or filing of an administrative charge. Once there is a ‘litigation situation’, the company has a duty under the amendments to take affirmative steps to suspend immediately all routine document destruction and to preserve all records, including electronic data and possibly metadata therein, that it knows or reasonably should know will be relevant to the action or reasonably calculated to lead to the discovery of admissible evidence.

Even before the recent amendments to the FRCP, courts have had little patience with companies that failed to preserve data when they knew or should have known of impending legal challenge. In Broccoli v Echostar Communications Corp [2005] the court held that the employer had a duty to preserve electronic documents 11 months before the plaintiff/employee’s termination. Such duty arose because the future plaintiff had made verbal and e-mail complaints to his employer alleging sexually harassing behavior. The company was ordered to pay costs and the plaintiff’s attorney fees from the time of its failure to suspend its e-mail and data destruction policy and preserve relevant documents upon the employee alleging the harassment. In a series of decisions in Zubulake v UBS Warburg LLC [2004-05], the court held that the company had a duty to preserve electronic documents four months before the plaintiff had even filed a charge of discrimination (and ten months before she filed a federal court action) because the company knew or should have known that its document destruction policy would result in relevant document destruction. In Zubulake it was held that the defendant’s network backup tapes were a likely source of relevant evidence, but that employees outside the legal department took it upon themselves to delete relevant documents that the defendant later recovered through expensive metadata recovery.

In Wiginton v CB Richard Ellis [2003] the court held that the company had been put on notice of a ‘class action’ by just a letter from the plaintiff’s counsel identifying documents and multiple alleged harassers days after the lawsuit had been filed. Specifically, the court held that the company had a duty to preserve computer hard drives, e-mail accounts, and internet records of anyone who had been accused of sexual harassment or who was involved in the case. In addition, the court permitted the plaintiff to renew a motion for sanctions for failure to retain electronic data relating to the plaintiff and ten alleged harassers if the relevant missing electronic documents were found on the backup tapes of the company. In Consolidated Aluminum Corp v Alcoa Inc [2006] the court ordered Alcoa to pay for the re-deposition of all ‘key players’ and for costs and fees of bringing the motion and investigating discovery shortfalls because Alcoa waited approximately two-and-a-half years after it had sent its own demand letter to Consolidated Aluminum before suspending its own routine document destruction policy.

In Samsung Elecs Co v Rambus Inc [2006] defendant and cross-complainant Rambus had contemplated litigation by identifying its most likely litigation target, its possible legal theories, and relevant documents for both preservation and destruction before it had initiated its ‘shred day’. Having concluded that Rambus had improperly destroyed relevant data, the court indicated that it would impose discovery sanctions. Rambus in turn voluntarily dismissed its cross-complaint before the court imposed sanctions.

The consequences of failing to override information destruction systems and institute a litigation hold immediately are staggering. In Zubulake the court not only ordered the defendant to pay discovery costs, but also, even more critically, it issued an ‘adverse inference instruction’ to the jury. Specifically, the court ruled that the jury could infer that the destroyed documents would have assisted the plaintiffs in their discrimination claim because documents were not retained after the date of the Equal Employment Opportunity Commission (EEOC) charge, filed ten months before any lawsuit. The jury in turn slapped the defendant with a $29m verdict. In United States v Philip Morris [2004] the court sanctioned Philip Morris $2.75m based upon $250,000 multiplied by the 11 managers who failed to comply with the company’s record-retention policies. In addition, the court precluded all 11 managers who failed to comply with the retention policy from testifying at trial regarding defences to the claims. In Krumwiede v Brighton Associates LLC [2006] the court entered default judgment when the plaintiff/cross-defendant failed to put a litigation hold on a laptop and continued to delete, alter, modify, and access files before turning the laptop over to a forensic examiner because the metadata had been altered through continued use even though it had not been entirely deleted. In the case of Dempsey v Pfizer [1991] the Texas court dismissed a $42m claim as a sanction for document destruction.22

In addition to monetary sanctions and adverse inference instructions painfully demonstrated by the cases above, courts have also imposed tort liability for spoliation of evidence and criminal sanctions. Frank Quattrone, a former hi-tech investment banker at Credit Suisse First Boston, was permanently barred from the securities industry and fined $30,000 by the National Association of Securities Dealers. Previously, he was convicted of obstruction of justice and sentenced to 18 months’ jail for sending an e-mail to others in his group about ‘cleaning up their files’ during an SEC investigation.

As the cases above demonstrate, the FRCP codify what many federal courts and some state courts have been ordering for several years.23 But the amendment of the FRCP also impacts on litigants in at least two other fundamental ways:

  1. it expressly addresses electronic discovery and mandates parties and their attorneys to investigate, preserve, produce, and respond regarding electronic data, leaving no further lingering question whether electronic data is implicated; and
  2. it mandates adverse parties to expressly discuss and cooperate with each other about electronic data from the outset and throughout the litigation.

Parties will be required to ‘meet and confer’ generally within the first few months of litigation about the preservation of discoverable information, the form in which electronic information will be produced (eg PDF, TIFF, ‘native’ format, paper, etc), whether a party asserts the data is ‘inaccessible’, and how they anticipate dealing with ‘unduly costly or burdensome’ data retrieval and the handling of inadvertent production of attorney-client, trade secret, or other privileged or protected information that might be buried in produced electronic or paper documents under Rules 16(b) and 26. Unless a party has implemented and understands its document retention policies and practices before a lawsuit is filed, it could be at a distinct disadvantage at the mandatory ‘meet and confer’ conference to those parties that have planned ahead and therefore know what proposals are most beneficial to them.

The amended Rules also expressly address the role of electronic data when parties are required to answer written questions (interrogatories) or physically produce documents. For instance, FRCP 33(d) allows the answering party to specify that the responsive information is in ‘business records, including electronically stored information’ if:

  • the answers can be ascertained from such records;
  • the burden of ascertaining the information is essentially the same for both parties; and
  • the records are specified.

Amended FRCP 34 now expressly allows for a party to specify the desired form of production of electronic information (paper or electronic), although absent agreement or a court order, the amended rules presume that electronically stored data will be produced in the form in which it is ‘ordinarily maintained’ or in a reasonably usable form.

One can anticipate that the form of electronic production will be a hotbed of dispute today and for many years going forward. Some have argued that the ‘manner in which it is ordinarily maintained’ will require ‘native file’ production. Others object because ‘native form’ will not allow privileged or protected information to be easily removed or to control-number the produced documents. Some courts and parties have taken the position that documents must be produced with all their metadata.24


Increasingly, however, courts and others take the position that the presumption should be against production of metadata.25 In fact, the American Bar Association issued a formal opinion in 2006 (06-442) that puts the burden upon the lawyer sending potential protected metadata to ‘scrub’ the metadata or send a different version of the document without metadata to avoid the likelihood of inadvertent production of privileged or otherwise protected metadata. The State Bars of Florida and Maryland have imposed similar obligations on counsel to ‘scrub’ protected metadata before production. However the courts and the State Bars ultimately sort out the debate of metadata, one thing is clear: companies and their lawyers must understand how their electronic information is stored and what metadata, if any, is included, before production, and are well advised to be prepared to address such issues well before the federal court mandatory ‘meet and confer’ conference.

Amended Rule 37 also allows for a limited safe harbour from discovery sanctions for failure to produce electronically stored data, if such data is lost as a result of routine operation of an electronic information system and the operation is in good faith. As noted above, however, a court is unlikely to find such good faith if a party fails to impose a timely ‘litigation hold’. The retention issues go beyond the mainframe to include backup tapes, hard drives, laptops and other electronic depositories. Such matters are not nearly as clear as they might seem at first blush. Does your company use PDAs such as BlackBerrys? Are any e-mails stored only on them and not the company’s servers? Do employees print and retain hard copies of documents even though they are periodically purged electronically, and do you know where these copies are kept? Do any employees access bulletin boards, IM programs or personal e-mail at work, of which your company’s electronically managed system might have retained a copy? Does the company keep track of how often it destroys or overwrites electronic data, and can those systems be halted as to specific types of data based on search terms (such as the potential plaintiff’s name, job title, or product purchased)?

Does your company have clearly communicated policies regarding which e-mails are saved in personal folders in company computers, and are those policies routinely followed by employees? Does the company know what metadata is on its computers? An effective electronic data management system needs to address each of these issues well in advance of litigation to ensure that once the ‘litigation situation’ presents itself, a company can immediately identify and preserve all relevant data in whatever form it takes.26 The electronic data affected by the litigation hold should include not only documents that were created by the person on whom the potential litigation apparently would focus, but also any documents to or about such person, and in the case of possible disparate treatment discrimination or class action claims, any persons in similar circumstances.

Hostility-free work environment

In the US it has become almost a given that proper filters and employee monitoring are best practice in preventing hostile work environment claims. As Eugene Volokh, professor of law at UCLA, has stated: ‘The suggestion that filters are needed to avoid liability appears to have become conventional wisdom.’27 This opinion is in line with that of Wendy R Leibowitz, who commented earlier: ‘Many of the e-mail harassment cases could have been prevented if filters had been used because the e-mail would not have been sent.’28

As the statistics suggest, and even the most cursory review of hostile work environment cases demonstrates, e-mail systems have been the source of innumerable discrimination and harassment complaints:

  • EEOC v Freddie Mac [1997] – claim filed and pending for at least three years regarding derogatory electronic messages about ‘ebonics’ circulated in the workplace; the employer had a duty to ‘take prompt and effective remedial action to eradicate’.
  • Olivant v Dept of Environmental Protection [1999] – distribution of sexist ‘humour’ over e-mail systems constitutes sexual harassment.
  • Trout v City of Akron [1998] – $260,000 judgment against the city based on co-workers viewing pornographic materials on their computers.

In contrast, in Delfino v Agilent [2006] the court found no company liability for an employee’s use of the employer’s computer system to send threatening messages over the internet because the company took prompt action when it learned of the misconduct. In addition, federal law regulates child pornography, treating it as ‘contraband’, making it illegal to handle, possess, distribute, etc such material under 18 USC 2251 et al, so a company is under a legal obligation to report any known use of such material to the FBI immediately or it risks its own violation of child pornography laws.

To defend and protect against abuses, companies in the US are increasingly using screening devices or filters. A US employer’s failure to monitor electronic communications from and into its equipment can result in significant liability.

Accordingly, US employers should inform US employees that computers are the employer’s property, that they exist for business purposes, that communications are subject to monitoring at any time, and that employees should have no expectation of privacy in the use of a job-related personal computer.29 Furthermore, courts are becoming increasingly fond of filtering as the least restrictive means of protecting persons from offensive internet content. For example, on 22 March 2007 a district court in Pennsylvania struck down the Child Online Protection Act30 as unconstitutional in part because filters were a less restrictive means of preventing children from accessing offensive content on the internet than the ways Congress required in the statute.31 The court found that filters ‘generally block about 95% of sexually explicit material’. They are also ‘fully customizable and may be set for different ages and for different categories of speech or may be disabled altogether…’

In the face of increased regulation and litigation, and the costs of avoidable error, companies are using workplace policies, in addition to technology, to manage productivity, protect resources, and motivate employee compliance. Reportedly, 80% or more of US companies inform workers that they monitor content, keystrokes and time spent at the keyboard; 76% monitor employees’ website activity; 65% block connections to inappropriate websites; 82% make clear that the company stores and reviews computer files; 86% alert employees to email monitoring; and 89% notify employees that their web usage is being tracked.32 In 2005 reportedly 84% of US companies had established policies governing personal e-mail use, 81% had policies governing internet use, 42% had in place policies regarding personal use of IM, 34% addressed the operation of personal websites on company time, 23% had policies regarding personal postings on corporate blogs, and 20% of corporate policies restricted the operation of personal blogs in company time. In the same year, 26% of employers acknowledged firing workers for misusing the internet and 25% terminated employees for e-mail misuse.33

Protecting IP is fundamental to a successful enterprise

E-mail volume is growing 30% per year and contains as much as 80% of a company’s intellectual property.34 The potential for disaster is no longer academic. In Sonoco Products v Johnson [2001] the company was awarded almost $7m in a trade secret misappropriation action where the former employee and new employer conspired to use electronic and physical proprietary information of Sonoco stolen by an employee.35 Courts have not only found the employee who absconded with the electronic data liable, but also the new employer.


In Shurgard Storage v Safeguard Self-Storage [2000] the plaintiff stated a claim against a subsequent employer under the Computer Fraud and Abuse Act (CFAA) where a former employee of the plaintiff used its computers to e-mail proprietary information of the plaintiff to the defendant company, which then hired the employee. In Charles Schwab v Carter [2005] the court found that the plaintiff successfully pleaded a cause of action against a former employee’s new employer according to the CFAA under a theory of vicarious liability. While the employee was working for plaintiff Schwab, he e-mailed proprietary information of Schwab to his subsequent employer, Acorn. Schwab alleged that Acorn urged the employee to access Schwab’s computer system beyond his authorisation.

In Lowry’s Reports v Legg Mason [2003] an employee circulated and reprinted copyrighted material within the workplace. The court noted that it was irrelevant that the employer did not know about the employee’s continuing bad acts (after the employer asked the employee to cease the distribution of the copyrighted material). The jury returned a $20m verdict.36

Each of these cases demonstrates that, had the US company/victim monitored outgoing proprietary information and trapped or filtered unauthorised sending of such information, it could have avoided not only years of litigation but also the loss of its proprietary information in the first place. After all, attempting to put the proprietary ‘toothpaste back into the tube’ is rarely successful, with or without a court victory.

Privacy: when too much information is a bad thing

Unlike countries in the EU and in some other regions of the world, the US does not have a comprehensive data privacy scheme. Rather, it tends to address data privacy issues on a sectoral or industry basis, with discrete laws pertaining to creation, retention, use, and access of personal privacy data. In contrast to the record-retention focus of the FRCP, or monitoring lessons from hostile work environment and CFAA cases, privacy laws regulate and restrict the data that a company is able to collect, process, transfer, retain, use or disseminate.

As a result, it is important that an effective information management system not only has the ability to retain and archive data when necessary and to monitor within the US when possible, but it should also have the ability to restrict and limit the use of, and access to, privacy information that is imparted to the company for only limited, expressed purposes. Companies need to carefully select electronic data management systems to address the quickly expanding regimes of data privacy protections. Firewalls and limited access must be installed to avoid unauthorised or over-broad dissemination. Monitoring ability must exist so that if a security breach is detected, proper notice and remedial measures can be taken immediately. Violations of US and state data privacy laws not only often carry criminal penalties, but also impugn the integrity of a company’s business and its brand. Once again, planning ahead to avoid the breach is far preferable to simply attempting to repair the damage thereafter.37

Encryption

Encryption is a vital, yet all too often underused technology. It is virtually essential to protect trade secrets and confidential information that may be sent over the internet.

Without having in place encryption capabilities, a company is leaving its secrets out in the open. As an online article in Computer Business Review commented: ‘In the security world, 2005 will be remembered as the year in which data leakage became a front-page story, spurred mainly by new US laws mandating public disclosure when customer data is stolen or lost.’38 What’s even more frightening is that employees with access to confidential data of their employer either aren’t prioritising data security or are unfamiliar with how to use it. Companies must take proactive steps to acquire user-friendly encryption systems that match their security needs, and then train employees on how to use the technology.

Data storage systems storing unencrypted information expose companies to risks of hackers stealing customer information, potentially leading to bad public relations, loss of customers and costly litigation.

Mid-market companies may be particularly vulnerable to attack. Hackers are no longer going for the notoriety of having spawned a global virus. Instead they are in it for the money. Because hackers know that mid-market companies generally spend less on security and encryption, it is estimated that over 4,000 mid-market companies may be particularly vulnerable to attack unless they too plan to protect their data.39 As noted above, encryption is also an affirmative defence to accidental publication of personal information in at least California’s Confidentiality of Social Security Number Act.40 Additionally, various encryption standards are required to be used by government contractors involving intelligence matters.41 Moreover, it is just plain smart to encrypt to avoid inadvertent disclosure of proprietary information. IT and legal departments must co-ordinate the company’s need for encryption services and determine whether their current system adequately protects them in case of hacking, theft, or lawsuit.

International issues: when data compliance worlds collide

The rules of data collection, processing, retention, use, monitoring, access, and destruction not only differ dramatically in jurisdictions outside the US, but also, in some instances, are directly contrary to US laws. For companies that operate internationally, it is essential that they understand both the local data compliance and cross-border rules that apply to electronic data.

In the EU, for instance, each country has, pursuant to the EU Data Privacy Directive, implemented laws governing the collection, recording, organisation, storage, adaptation, alteration, retrieval, blocking, monitoring, use, disclosure, transmission, transfer, and destruction of ‘personally identifiable information’, and in some cases yet further protections for ‘sensitive personally identifiable’ information.

Unlike in the US, EU ‘personally identifiable information’ is broadly defined and is generally not limited by industry and sector, but instead protects unauthorised processing or transmittal of a person’s information, such as name, address, compensation, benefits, and financial information as well as more ‘sensitive’ information such as health, racial or ethnic origin, political affiliation, trade union membership, or marital status. Such laws extend not only to employees, but also consumers. Italy, Austria, and a few other countries take it a step further and extend data privacy protection beyond people to companies.

Because the US is essentially considered an ‘unsafe’ jurisdiction by the EU, such information cannot be lawfully transferred, electronically or otherwise, to the US or other ‘unsafe jurisdictions’ unless certain safeguards are in place, such as participation in the US-EU Safe Harbor Agreement, adoption of EU Model Clauses, or implementation of approved Data Privacy policies. Even when such protections are in place to transfer personally identifiable data to the US, it may not permit ‘onward transfers’ of such data to unidentified third-party processors or to other countries, such as data entry services in India. And the EU countries are not alone: Canada, Argentina, Japan, Australia, and many other countries are also adopting varying degrees of data privacy protections.

Not only must companies understand what data they are allowed to collect, process, and transmit internationally, but they must also grapple with at times competing and sometimes conflicting laws. For instance, SOX requires publicly traded companies to have an anonymous whistleblower hotline in which to report suspected financial and securities violations. The thought behind the SOX anonymous hotline is that it would give employees comfort to know that their identities are unknown, so they need not fear reprisal. In contrast, the EU generally frowns on anonymous hotlines as an infringement of privacy rights, and limits anonymous reporting. The conflicting priorities of SOX’s transparency versus the EU concern of privacy pose an obvious dilemma for publicly traded multinationals and require a sophisticated data management system to ensure that, among other things, proper limited retention, access, and retrieval are safeguarded while also meeting the US SOX requirements.42

Other US ‘best practices’ simply do not translate internationally. For instance, the French Supreme Court in 2001 held that it was not only a wrongful termination but also unconstitutional and a criminal violation when a French company fired a French employee after it learned from monitoring his company computer that he had sent e-mails containing confidential information to a potential competitor. The French Court held that the employee had a constitutional right of privacy during his working hours and at his workplace, even where the employer had forbidden the non-professional use of his company computer. Germany has taken a slightly softer tack, but it too restricts monitoring of employee computers if the employer allows the employee to use the company system for personal use. Several EU jurisdictions require any employee monitoring to be, at a minimum, registered and approved by the local data privacy authority.

It is therefore imperative, when selecting electronic data management systems, that the company understands local legal requirements where the data is collected, used, or accessed. If, as is the case for multinational companies, data arises in or is transferred to multiple jurisdictions, it is critical that data privacy laws be observed and that proper firewalls and access restrictions be present in any data system to prevent data processing, monitoring, or data transfer without proper, compliant safeguards.

Cynthia L Jackson is a partner at Baker & McKenzie’s Palo Alto office.
