Data security concerns have increased in the past several years, as hacking, corporate espionage and data breaches are on the rise around the globe. Third-party attacks are becoming not only more sophisticated but also larger in scale. Law firms, legal matters, litigation and produced data remain high-profile targets for cyber-attacks. As discussed in a previous article, producing parties remain vulnerable to the risk that even if they adequately protect data in their own systems, third parties may steal data from the requesting parties’ systems.

Parties and counsel who receive data in litigation have an obligation to take reasonable steps to protect that data. See The Sedona Principles, Third Edition: Best Practices, Recommendations & Principles for Addressing Electronic Document Production, 19 Sedona Conf. J. 1, 179 (2018); see also William LaRosa, Note, New Legal Problems, Old Legal Solutions: Bailment Theory As A Baseline Data Security Standard of Care Owed to Opponent’s Data In E-Discovery, 167 U. Pa. L. Rev. 1 (2019). Moreover, “[a] requesting party inherits the data privacy and protection obligations that come with the ESI it receives, including the responsibilities that arise from the loss of that information.” The Sedona Principles at 179, n. 147.

Thus, the question is not whether a receiving party has a duty to take reasonable steps to protect data, but what is reasonable and proportionate in the context of the matters. While a receiving party could attempt to address security concerns unilaterally without reaching an agreement with opposing parties, this is a risky strategy. First, they may not know the value of the data they are receiving and, therefore, not know whether their efforts to secure the data are sufficient. Second, reaching agreements with the opposing party in advance of production provides greater certainty as to what is reasonable and prevents the parties from imposing security standards after the fact. Third, and finally, producing parties may not be able to actually produce information without having certain data security and breach notice requirements in place.

Read the full article.



Contacts

David Kessler
David Kessler
Global Head of eDiscovery and Information Governance Head of Privacy, US
Email
david.kessler@nortonrosefulbright.com
T: +1 212 318 3382
Susana Medeiros
Susana Medeiros
Senior Associate
Email
susana.medeiros@nortonrosefulbright.com
T: +1 212 318 3044

Practice areas:

Industry:

Recent publications

sunset-in-cubilin-village-in-ecuador

Publication

WHS Law Briefing

Welcome to our WHS Law Briefing. This briefing identifies key issues and emerging trends in WHS Law, and details significant legislative and case law developments from February to date in July 2025.

Australia | August 04, 2025

Health and safety law
London skyscrapers

Publication

Essential Corporate News – Weeks ending 25 July and 1 August 2025

.On 25 July 2025 the FCA published Primary Market Bulletin 57 (PMB 57) in which it finalises certain changes to the Knowledge Base, consults on further amendments, and highlights upcoming changes to the National Storage Mechanism and certain UK MAR notification forms.

United Kingdom | August 01, 2025

Corporate, M&A and securities
construction-site-with-workers

Publication

Security of Payment Act trumps deemed service provisions

In Roberts Co (NSW) Pty Ltd v Sharvain Facades Pty Ltd (Administrators Appointed) [2025] NSWCA 161, the NSW Court of Appeal has found that, for the purposes of the Building and Construction Industry Security of Payment Act 1999 (NSW) (SoP Act), a deeming clause providing that a notice given after 5pm is to be treated as having been given and received at 9am on the next business day, does not extend the statutory time period for service of a payment schedule.

Australia | August 01, 2025

Energy, infrastructure and resources
Site search

Subscribe and stay up to date with the latest legal news, information and events . . .

Register now