Keeping Confidential Information Confidential
In the age of electronically stored information (ESI), the execution of a search warrant may lead to the seizure of extraordinary volumes of irrelevant, privileged, and/or protected data. Because the courts have shown little inclination to adapt their Fourth Amendment search and seizure jurisprudence to the realities of our digital culture, your company may have to engage in some self-help to ensure that its sensitive information, and that of its customers, remains protected.
The sheer volume of information that may be stored on a computer system renders any ESI search problematic, as federal agents must locate the proverbial needle in the haystack by sifting through gigabytes (or even terabytes) of data to find the information identified in the search warrant. Even more problematic is the structure and location of those data. Modern computer databases are relational, such that no matter how well specified the sought-after data may be, they will be found among gigabytes of information that are unrelated and outside the scope of the warrant. Practically speaking, then, all ESI is intermingled, and specific data cannot be seized without some type of search to locate and retrieve it.
In light of the foregoing, it is inevitable that the execution of a computer search warrant at your company's facilities will sweep up materials well beyond the scope of the warrant, including privileged and confidential information. And your company's problems do not end when the seizure ends. Once the government has possession of your ESI, it will search the data for information responsive to the warrant. How? With the kind of methodical, detailed searches that are likely to uncover every imaginable type of sensitive information. "But doesn't the law impose significant limitations on the government's power to search," you ask?
Unfortunately, no. In fact, the courts have consistently upheld the government's right to seize entire computer systems (including hardware, mirror images, digital media, etc.) and to search all aspects of the seized items in order to locate data described in the search warrant. For example, in the 2008 case, United States v. Comprehensive Drug Testing, Inc. (BALCO), that arose out of the steroid scandal that engulfed major league baseball, the Ninth Circuit Court of Appeals upheld the government's a) employment of multiple, overlapping subpoenas and search warrants to seize ESI well beyond the bounds of probable cause; b) comprehensive search of the seized ESI; and c) use of those data against various innocent third parties.
Smelling the Coffee
The BALCO opinion is a wake-up call for corporate America. First, BALCO demonstrates how the government is willing to manipulate the means for compelling ESI to preclude the affected parties from challenging the scope of production or preventing the disclosure of private and privileged information.
Second, the case highlights a government practice of reviewing data outside the scope of probable cause, which, in this case, allowed the government to secure additional search warrants that it could not have obtained absent the sweeping seizure and search. In such circumstances, there is no practical constraint on the government's ability to use narrow search warrants to obtain enormous quantities of unrelated data.
Third, BALCO effectively holds that any warrant that authorizes the seizure of hardware necessarily permits a search of all data on that hardware, such that no warrant can ever be deemed insufficiently particular to be ruled illegal.
Although there is no foolproof method for protecting your company against the possible ravages of an ESI search warrant, there may be ways proactively to ameliorate the pain.
Data Segregation - The less aggressive of the proactive steps and one that your company should consider taking simply as a matter of good document management policy and procedure is the electronic segregation of privileged data, as well as of data implicating significant privacy concerns. This may involve a number of coordinated actions including:
▫ A written document retention policy - If you don't have one, draft or update one and be sure to address the management of ESI. Your company must know a) what types of information it generates; b) where that information is stored; c) how it is stored; and d) who has knowledge of the foregoing facts.
▫ Training - Group training, handbooks, human points of contact, and compliance mechanisms are all vital to ensuring that your company can avoid questions about its conduct in the event of a government investigation. Notably, the destruction of data, if conducted in compliance with company policy, can save you both money and logistical headaches and can help defeat charges of obstruction or spoliation.
▫ A crisis management team - Form one that includes management, legal, IT, and accounting personnel. When a crisis arises, the team should ensure immediate notice to those who know how and where the company is storing potentially relevant ESI. The team should also arrange the immediate suspension of automatic data destruction procedures and the circulation of preservation notices (a.k.a. holds).
▫ Data segregation - Segregate privileged and otherwise protected data from non-privileged and routine data. Internal IT and outside consultants can address the technical feasibility of various proposals. Even if the government winds up seizing ESI, the prior segregation will bolster the company's position when it seeks return of the segregated data and will assist you in crafting a post-seizure review process that maximizes the company's chances of preserving the sanctity of privileged and private ESI.
Data Encryption - The more radical approach to ESI self-help is the encryption of privileged and otherwise protected data within the company's computer system. Data encryption comes in many forms but, at base, all encryption systems require encryption codes (typically from software) and encryption keys (e.g., symmetric, public, one-time pads). The goal of any encryption program is to prevent unauthorized persons from accessing your privileged and protected ESI.
Let us suppose the government has executed a search warrant at your place of business and has seized both encrypted and unencrypted files for off-site review. How does the government get access to your encrypted data? First, it can try to break the encryption, which, depending on the encryption method utilized, could be extraordinarily difficult and time-consuming.
Second, the government can serve a grand jury subpoena demanding production of the encryption key. Unfortunately, your company has no Fifth Amendment rights and cannot refuse to comply with the subpoena. But all is not lost: the company can still negotiate with the government regarding the withholding of privileged materials and/or move to quash the subpoena. Pre-search negotiations beat post-search negotiations any day.
Third, even if the government never serves a subpoena, it can still negotiate with the company over an appropriate protocol for a search of your ESI. Having gone through the dual processes of segregation and encryption, you will be in an excellent position to establish that the encrypted information is legally protected from disclosure.
Government search and seizure in the digital age can pose serious problems for your company. By taking appropriate proactive steps, however, you can help secure your company's privileged and protected information, and that of your clients or customers, against unwarranted intrusion from potentially overreaching government investigators.
Kurt Stitcher is a partner in the Litigation Practice Group at Levenfeld Pearlstein LLC, where he represents clients in product liability and toxic/mass tort litigation, corporate internal investigations and white-collar criminal defense, and general commercial and class action litigation.