Data security concerns have increased in the past several years, as hacking, corporate espionage and data breaches are on the rise around the globe. Third-party attacks are becoming not only more sophisticated but also larger in scale. Law firms, legal matters, litigation and produced data remain high-profile targets for cyber-attacks. As discussed in a previous article, producing parties remain vulnerable to the risk that even if they adequately protect data in their own systems, third parties may steal data from the requesting parties’ systems.

Parties and counsel who receive data in litigation have an obligation to take reasonable steps to protect that data. See The Sedona Principles, Third Edition: Best Practices, Recommendations & Principles for Addressing Electronic Document Production, 19 Sedona Conf. J. 1, 179 (2018); see also William LaRosa, Note, New Legal Problems, Old Legal Solutions: Bailment Theory As A Baseline Data Security Standard of Care Owed to Opponent’s Data In E-Discovery, 167 U. Pa. L. Rev. 1 (2019). Moreover, “[a] requesting party inherits the data privacy and protection obligations that come with the ESI it receives, including the responsibilities that arise from the loss of that information.” The Sedona Principles at 179, n. 147.

Thus, the question is not whether a receiving party has a duty to take reasonable steps to protect data, but what is reasonable and proportionate in the context of the matters. While a receiving party could attempt to address security concerns unilaterally without reaching an agreement with opposing parties, this is a risky strategy. First, they may not know the value of the data they are receiving and, therefore, not know whether their efforts to secure the data are sufficient. Second, reaching agreements with the opposing party in advance of production provides greater certainty as to what is reasonable and prevents the parties from imposing security standards after the fact. Third, and finally, producing parties may not be able to actually produce information without having certain data security and breach notice requirements in place.

Read the full article.



Contacts

David Kessler
David Kessler
Global Head of eDiscovery and Information Governance Head of Privacy, US
Email
david.kessler@nortonrosefulbright.com
T: +1 212 318 3382
Susana Medeiros
Susana Medeiros
Senior Associate
Email
susana.medeiros@nortonrosefulbright.com
T: +1 212 318 3044

Practice areas:

Industry:

Recent publications

Publication

The European Commission’s prohibition of Illumina's acquisition of GRAIL

On 6 September 2022, the European Commission (EC) prohibited Illumina’s acquisition of Grail, bringing to an end the administrative stage of a legal saga that has attracted interest beyond competition law specialists.

Global | April 17, 2024

Life sciences and healthcare
Environmental-law-trees-green

Publication

EU scales up green subsidies: How to benefit from support for clean investments

On February 6, 2024 the Council of the EU and the European Parliament agreed a provisional version of the Net-Zero Industry Act (NZIA), which is now expected to be formally adopted by the end of April 2024.

Global | April 11, 2024

Climate change and sustainability
Environment-plant-planting-trees-greens-soil-growth

Publication

Belgium, the brand-new EU leader in the fight against ecocides

On 22 February 2024, Belgium became the EU frontrunner in the fight against ecocides by being the first EU member state to criminalise ecocide, in the new Belgian Criminal Code.

Global | March 22, 2024

Site search

Subscribe and stay up to date with the latest legal news, information and events . . .

Register now