Litigation News – Spring 2015
April 4, 2015
Data Encryption and Its Potential Effect on Litigation and Discovery
In September 2014, Apple introduced a new mobile-operating system called iOS8. iOS8 offers enhanced data-encryption protection to Apple users and the content stored on their mobile devices. Apple’s advancements in data-encryption technology, however, have also caused concern among some groups, especially current and prospective litigants. In this article, we consider how data-encryption technology might interfere with the investigation and discovery stages of civil litigation.
Data-encryption technology is constantly changing and evolving. Apple’s iOS8 now encrypts several categories of data, including call logs, photos, contacts, calendars, and messages. Further, Apple’s user agreement denies the company of the legal right to override the user’s encryption password, and its encryption software essentially prevents Apple from overriding a user’s password. Both technically and legally, the only person who can decrypt the user’s information is the user. Law enforcement personnel claim that Apple’s encryption feature will hinder legitimate criminal investigations, as Apple will not (and claims that it cannot) respond to a valid subpoena to provide the requested data from an iOS8 device. In the world of civil litigation, Apple’s iOS8 is just another example of a challenging discovery issue created by data encryption.
Many organizations now permit employees and other agents to use personal devices, such as iPhones, to access and store company emails and files, while others may still issue company-owned devices to employees. An employee can store company-related text messages, call information, photos, or other data on devices, which may then be encrypted with a user-created password. For any person or entity that may find itself in litigation, Apple’s encryption technology and policies may raise certain discovery questions, including how a party might discover documents from an unavailable former employee of another party.
For parties responding to discovery requests, the use of encryption technology raises additional questions and concerns. What is a party’s obligation to provide encrypted information? Might a party be held accountable to provide decrypted data when the password to decrypt the data is unavailable? In litigation, it is likely that the party providing encrypted information must at least provide the encryption password so that the requesting party may decrypt the documents and review them.
But what might happen when the employer is not able to provide the password for encrypted files or otherwise decrypt them? In that situation, some federal case law in Pennsylvania suggests that the employer would not have to produce such evidence. Federal Rule of Civil Procedure 26 requires a litigant to retain electronically-stored information which it knows, or reasonably should know, is relevant to the action; is reasonably calculated to lead to the discovery of admissible evidence; is reasonably likely to be requested during discovery; and/or is the subject of a pending discovery request. A party, however, “need not provide discovery of electronically stored information from sources that the party identifies is not reasonably accessible because of undue burden or costs.”
In Cochran v. Caldera Medical, Inc., a federal case from 2014, a plaintiff sought to require a defendant to produce encrypted documents via the parties’ electronically-stored information (“ESI”) protocol. The defendants claimed that the encrypted data was inaccessible to the defendant. Because the defendant claimed inaccessibility of the encrypted files, the court did not require the defendant to produce the documents at that time. While the court in Cochran did not specifically state that the files were inaccessible because they could not be decrypted, several other courts have already classified encrypted files without passwords as “inaccessible.”
Pennsylvania state courts have not yet directly addressed the issue of encrypted data with respect to discovery. The Pennsylvania Rules of Civil Procedure, however, make it clear that a party must produce those documents or things within the party’s “possession, custody, or control.” ESI falls within the ambit of documents and things that may be requested. Generally, it has been understood that documents held by an employee of a party are documents within a company’s possession, custody, or control, while files in the possession of a former employee may not have to be produced by the company.
In a manner similar to the federal rules, the Pennsylvania Rules of Civil Procedure prevent the discovery of ESI if discovery “would cause unreasonable annoyance, embarrassment, oppression, burden or expense to the deponent or any person or party.” An employer that possesses encrypted files but not the password needed to decrypt the files, as could occur where a former employee fails to provide the employer with the needed password, might argue that the files are inaccessible and producing the decrypted files would cause an undue burden. Further, an employer might argue the files simply are not within its control, as it does not have the encryption password necessary to access it.
To potentially resolve the issue of inaccessible encrypted files, a party seeking to obtain such encrypted files through discovery might request through written discovery the names of those former employees with information relevant to the case. Once the names of those former employees are obtained, the party may then subpoena the former employee and require the employee to provide the files or the encryption password. In addition, it may be beneficial for employers to review their internal policies to evaluate the potential for discovery-related issues regarding encrypted files and other electronically-stored information.
As data technology advances, it is important for individuals and companies to understand the relevant issues, questions, and considerations for discovery in litigation. What responsibility does an employee have to provide the password needed to access encrypted files upon leaving the company? Where are a company’s files stored? To what extent can employees or other individuals access company data remotely from personal devices? Are any files from employee devices stored by the company? By periodically addressing these issues, questions, and considerations, an individual or company may avoid unnecessary headaches or expenses should future litigation arise. The Litigation Practice Group at McNees Wallace & Nurick regularly assists clients with navigating the discovery process and with the particular and ever-increasing challenges created by advances in data-encryption technology.
© 2015 McNees Wallace & Nurick LLC
Litigation News is presented with the understanding that the publisher does not render specific legal, accounting or other professional service to the reader. Due to the rapidly changing nature of the law, information contained in this publication may become outdated. Anyone using this material must always research original sources of authority and update this information to ensure accuracy and applicability to specific legal matters. In no event will the authors, the reviewers or the publisher be liable for any damage, whether direct, indirect or consequential, claimed to result from the use of this material.