Keeping Confidential Information Confidential - Page 1

Jul 10, 2008

Kurt Stitcher

In the age of electronically stored information (ESI), the execution of a search warrant may lead to the seizure of extraordinary volumes of irrelevant, privileged, and/or protected data. Because the courts have shown little inclination to adapt their Fourth Amendment “search and seizure” jurisprudence to the realities of our digital culture, your company may have to engage in some “self-help” to ensure that its sensitive information, and that of its customers, remains protected.

The sheer volume of information that may be stored on a computer system renders any ESI search problematic, as federal agents must locate the proverbial “needle in the haystack” by sifting through gigabytes (or even terabytes) of data to find the information identified in the search warrant. Even more problematic is the structure and location of those data. Modern computer databases are “relational,” such that no matter how well specified the sought after data may be, they will be found among gigabytes of information that are unrelated and outside the scope of the warrant. Practically speaking, then, all ESI is “intermingled,” and specific data cannot be “seized” without some type of “search” to locate and retrieve it.

In light of the foregoing, it is inevitable that the execution of a computer search warrant at your company’s facilities will sweep up materials well beyond the scope of the warrant, including privileged and confidential information. And your company’s problems do not end when the seizure ends. Once the government has possession of your ESI, it will search the data for information responsive to the warrant. How? With the kind of methodical, detailed searches that are likely to uncover every imaginable type of sensitive information. "But doesn’t the law impose significant limitations on the government’s power to search," you ask?

Unfortunately, no. In fact, the courts have consistently upheld the government’s right to seize entire computer systems (including hardware, mirror images, digital media, etc.) and to search all aspects of the seized items in order to locate data described in the search warrant. For example, in the 2008 case, United States v. Comprehensive Drug Testing, Inc. (BALCO), that arose out of the steroid scandal that engulfed major league baseball, the Ninth Circuit Court of Appeals upheld the government’s a) employment of multiple, overlapping subpoenas and search warrants to seize ESI well beyond the bounds of “probable cause”; b) comprehensive search of the seized ESI; and c) use of those data against various innocent third parties.

Smelling the Coffee

The BALCO opinion is a wake-up call for corporate America. First, BALCO demonstrates how the government is willing to manipulate the means for compelling ESI to preclude the affected parties from challenging the scope of production or preventing the disclosure of private and privileged information.

Second, the case highlights a government practice of reviewing data outside the scope of probable cause, which, in this case, allowed the government to secure additional search warrants that it could not have obtained absent the sweeping seizure and search. In such circumstances, there is no practical constraint on the government’s ability to use narrow search warrants to obtain enormous quantities of unrelated data.

Third, BALCO effectively holds that any warrant that authorizes the seizure of hardware necessarily permits a search of all data on that hardware, such that no warrant can ever be deemed insufficiently “particular” to be ruled illegal.

Although there is no foolproof method for protecting your company against the possible ravages of an ESI search warrant, there may be ways proactively to ameliorate the pain.

Data Segregation - The less “aggressive” of the proactive steps and one that your company should consider taking simply as a matter of good document management policy and procedure is the electronic segregation of privileged data, as well as of data implicating significant privacy concerns. This may involve a number of coordinated actions including:

  • A written document retention policy - If you don't have one, draft or update one and be sure to address the management of ESI. Your company must know a) what types of information it generates; b) where that information is stored; c) how it is stored; and d) who has knowledge of the foregoing facts.

Page 1 of 2


0 Comments (click to add your comment)
Comment and Contribute

Your comment has been submitted and is pending approval.



 (click to add your comment)

Comment and Contribute

Your name/nickname

Your email


(Maximum characters: 1200). You have characters left.