Privacy Risks Mount as E-Discovery Errs Toward Over-Collection

Consilio LLC’s rare criminal penalty for violating a Texas statute highlights the challenges discovery providers face in navigating an increasing number of state privacy regulations while managing overwhelming amounts of electronic evidence.

A jury slapped Consilio with a $50,000 penalty on Nov. 6, finding it knowingly accessed 10 years’ worth of emails from caretaker Angelyn Olson’s computer without her consent, instead of sticking to agreed-upon limits.

The case is among the first against an e-discovery vendor to yield a jury award over privacy violations during discovery. Courts will now increasingly scrutinize parties that over-collect data in discovery, especially as many states beyond those known for stringent privacy protections also have statutes similar to Texas’.

Litigators should approach e-discovery with “a privacy lens,” said Bobby Malhotra of Winston & Strawn LLP, who focuses on e-discovery and data privacy issues. “Especially when handling sensitive information like Social Security numbers, financial account details, and health records,” he said.

The case arose from a 2021 suit filed in the US District Court for the District of Maine accusing Olson of defrauding the owner of a property she oversaw by more than $4.5 million; she was found guilty in June 2023.

Olson agreed during discovery talks to give Consilio limited access to her personal email account to look for a list of 12 search terms in emails dating back to 2012, according to an August amended complaint against the vendor filed in Texas state court. Consilio ignored the agreed-upon e-discovery protocol, and instead downloaded all her emails from the date range, the complaint said.

That included more than 34,000 files—some of which contained sensitive information including medical data, privileged attorney-client information, and Social Security numbers, the complaint said.

After Consilio’s deviation from protocol, another e-discovery vendor took over and was able to narrow the relevant evidence in Olson’s mailbox using the search terms. The corrected collection only pulled 600 relevant emails then used in court, Olson’s attorney Rob Miller of Miller Copeland LLP said.

“Once you give a username and password, you’ve got to trust them to follow protocol,” Miller said. “Once they have access to your machine, your device, you can’t stop them. That’s the scary part.”

A Consilio spokesperson told Bloomberg Law the company was “disappointed” with the Olson verdict and remained confident it had followed “industry best practices in this matter.”

Another plaintiff sued Consilio in 2023 in the US District Court for the Eastern District of Michigan, alleging similar deviation from agreed-upon search terms. The plaintiffs dismissed their suit in June, according to a docket filing.

‘Over-Collection’

Parties are more frequently tempted to collect excessive data during discovery, especially amid a plethora of electronic evidence including emails, text messages, audio recordings, and application data.

The Federal Rules of Civil Procedure currently require parties to take “proportionality” into consideration when approaching discovery, weighing the time and expenses required against the value of the potential evidence. But the rules don’t yet explicitly reference privacy considerations.

“We have to balance the need for fulsome, comprehensive discovery against the desire of conducting a targeted collection to address privacy issues,” Malhotra said. Technological limitations may also require broad collection of data from a mailbox or device, for example, “so it’s not always possible.”

Lawyers for Civil Justice, an advocacy organization comprising corporations, law firms, and national defense bar organizations, submitted suggested rules last fall to amend the FRCP to address data security and privacy.

A spokesperson for the organization told Bloomberg Law Monday that the suggestions are still pending before the Advisory Committee on Civil Rules.

‘New Twist’

In the place of explicit rules, the patchwork of state privacy laws has added “a new twist” to e-discovery, said David Cohen, a partner at Reed Smith who chairs the firm’s records and e-discovery group.

The steady growth of both privacy regulations and the threat of data breaches have pushed both law firms and vendors to shift their approaches to discovery proceedings.

Parties are increasingly prioritizing the practice of searching through content in its source, like an inbox, to determine what’s relevant before data collection, Cohen said. Doing so keeps more information in the custodian’s hands and only exports what’s essential.

“It’s absolutely a concern for us when we’re involved, not just protecting our clients’ data and our systems, but now you have to worry about your discovery vendor system, your discovery company,” he said, in addition to the opposing law firm and their own vendors.

‘Bring Your Own Device’

The friction between litigation needs and expectations of privacy mostly plays out in cases involving devices used by employees for both professional and personal purposes.

Though companies can craft “Bring Your Own Device” policies to spell out how employees should use their phones professionally, “most courts are going to say that an employee has an expectation of privacy on a device,” said Jill Crawley Griset, partner at McGuireWoods who co-directs the firm’s discovery counsel services group.

These scenarios require discovery attorneys tread carefully amid sensitive data when culling information relevant to their cases—all while having to ensure they’re obtaining affirmative consent from the custodians of the personal information.

“Lawyers need to be very cognizant of each set of data that they’re working on,” Griset said, noting some questions they should keep in mind. “Where did the data come from? Is it personal data? Is it data that you know has to be filtered in a certain way before they look at it?”