In the age of electronically stored information (ESI), the execution of a search warrant may lead to the seizure of extraordinary volumes of irrelevant, privileged, and/or protected data. Because the courts have shown little inclination to adapt their Fourth Amendment search and seizure jurisprudence to the realities of our digital culture, your company may have to engage in some self-help to ensure that its sensitive information, and that of its customers, remains protected.
The sheer volume of information that may be stored on a computer system renders any ESI search problematic, as federal agents must locate the proverbial needle in the haystack by sifting through gigabytes (or even terabytes) of data to find the information identified in the search warrant. Even more problematic is the structure and location of those data. Modern computer databases are relational, such that no matter how well specified the sought-after data may be, they will be found among gigabytes of information that are unrelated and outside the scope of the warrant. Practically speaking, then, all ESI is intermingled, and specific data cannot be seized without some type of search to locate and retrieve it.
In light of the foregoing, it is inevitable that the execution of a computer search warrant at your company's facilities will sweep up materials well beyond the scope of the warrant, including privileged and confidential information. And your company's problems do not end when the seizure ends. Once the government has possession of your ESI, it will search the data for information responsive to the warrant. How? With the kind of methodical, detailed searches that are likely to uncover every imaginable type of sensitive information. "But doesn't the law impose significant limitations on the government's power to search?" you ask.
Unfortunately, no. In fact, the courts have consistently upheld the government's right to seize entire computer systems (including hardware, mirror images, digital media, etc.) and to search all aspects of the seized items in order to locate data described in the search warrant. For example, in the 2008 case, United States v. Comprehensive Drug Testing, Inc. (BALCO), that arose out of the steroid scandal that engulfed major league baseball, the Ninth Circuit Court of Appeals upheld the government's a) employment of multiple, overlapping subpoenas and search warrants to seize ESI well beyond the bounds of probable cause; b) comprehensive search of the seized ESI; and c) use of those data against various innocent third parties.
Smelling the Coffee
The BALCO opinion is a wake-up call for corporate America. First, BALCO demonstrates how the government is willing to manipulate the means for compelling ESI to preclude the affected parties from challenging the scope of production or preventing the disclosure of private and privileged information.
Second, the case highlights a government practice of reviewing data outside the scope of probable cause, which, in this case, allowed the government to secure additional search warrants that it could not have obtained absent the sweeping seizure and search. In such circumstances, there is no practical constraint on the government's ability to use narrow search warrants to obtain enormous quantities of unrelated data.
Third, BALCO effectively holds that any warrant that authorizes the seizure of hardware necessarily permits a search of all data on that hardware, such that no warrant can ever be deemed insufficiently particular to be ruled illegal.
Although there is no foolproof method for protecting your company against the possible ravages of an ESI search warrant, there may be ways to ameliorate the pain proactively.
Data Segregation - The less aggressive of the proactive steps, and one that your company should consider taking simply as a matter of good document management policy and procedure, is the electronic segregation of privileged data, as well as of data implicating significant privacy concerns. This may involve a number of coordinated actions, including:
A written document retention policy - If you don't have one, draft or update one and be sure to address the management of ESI. Your company must know a) what types of information it generates; b) where that information is stored; c) how it is stored; and d) who has knowledge of the foregoing facts.