Preparing for the eDiscovery Wave of the Internet of Things

Recommind Admin
February 19, 2015

Among the recent developments in the eDiscovery industry, one of the most anticipated trends is the Internet of Things (IoT). The IoT has been in the news for a few years now. But for the eDiscovery world, 2014 marked the IoT’s emergence as a hot topic. This is due in large part to the increasing number of interconnected devices, applications, technologies, and other innovations that are flooding workplaces, businesses, and homes. Given the increasing ubiquity of the IoT, its potential to generate large amounts of data, the relevance that such information could hold in litigation, and the privacy and security risks associated with the IoT, lawyers and clients should begin to consider what preparations to take now so they are ready when a tsunami of IoT-related issues arrive. Making eDiscovery Waves That the IoT caught the attention of the eDiscovery cognoscenti became evident when Baker Hostetler published a well-reasoned post last year regarding the regulatory and security challenges arising from IoT. This was followed up by the celebrated IoT session from the 2014 Georgetown Law Advanced E-Discovery Institute. During that session, speakers representing various constituencies observed that the IoT could raise any number of preservation and production challenges in the discovery process. Ignatius Grande from Hughes, Hubbard & Reed explained that the IoT was not designed to accommodate eDiscovery demands:

Many products in the IoT sphere are not created with litigation hold, preservation and collection in mind . . . In terms of liability . . . companies will most likely be responsible to preserve data produced by the capabilities of their products and services in the event of a litigation hold. (emphasis added)

To address these IoT features, enterprises will need to ensure that their litigation readiness programs include a process for preserving and producing relevant IoT data. Unless appropriate steps are taken in this regard, relevant IoT materials could be lost, setting the stage for expensive and time-consuming satellite litigation. Drowning in Data Privacy and Information Security Besides traditional litigation, the IoT has also created other eDiscovery hazards that may be lurking beneath the surface of companies’ information governance programs. Two of the most prominent involve data privacy and information security. These issues were spotlighted in the Baker Hostetler IoT post:

[T]he FTC announced [in 2013] that it had its eye on the consumer risks presented by the IoT by filing a seven-page complaint against TRENDnet, . . . [which] alleged that TRENDnet’s practices failed to provide reasonable security “to prevent unauthorized access to sensitive information, namely the live feeds from the IP cameras.” (emphasis added)

Beyond the TRENDnet incident, the risky interplay between the IoT, data privacy, and information security was also on display with Samsung’s awkward admission this month that its smart TVs could eavesdrop and record viewers’ voice commands. Perhaps even more troubling, though, is a new revelation that such data is transmitted to third parties through unencrypted transmissions, leaving it vulnerable to “a man-in-the-middle in the network to eavesdrop on the data and tamper with it.” The IoT incidents involving TRENDnet and Samsung demonstrate that companies need to be aware that the IoT may inadvertently or intentionally sweep up personally identifiable information (PII). Regardless of whether consumer or employee PII are affected, the processing, retention and/or inadvertent disclosure of PII may violate domestic and cross-border data protection laws. Having an actionable information governance strategy to address these issues is essential. Such a strategy should include a plan for identifying information that must be kept for business or legal purposes while isolating other data (particularly PII) for eventual deletion. It should also encompass steps to ensure compliance with the privacy expectations of local and international data protection authorities. Taking a proactive approach that addresses these issues and others will likely help companies avoid many of the treacherous problems associated with the IoT.