It’s rare to read a legal publication these days – or even a mainstream newspaper or magazine – without coming across a story about the “Internet of Things,” or IOT. The IOT refers to the ability of everyday objects to connect to the internet, allowing these devices to gather, send and receive data. Examples include wearable technology like watches and fitness bands that track our pulse, how far we’ve walked, and how many calories we’ve burned. Or smart phones that know which aisle of the store we’re in and show us relevant coupons or rebate forms. It also includes refrigerators that tell us when we are out of milk, thermostats that know when we’re home and when we’re away, and cars that monitor and collect our driving habits.
The IOT promises to offer people, organizations, and society tremendous value and benefits. And to be sure, the IOT also poses mission-critical data security challenges to many organizations, and it creates profound privacy concerns for all of us as individuals. But let’s narrow the focus for this blog post, and explore how the IOT will impact e-discovery. Whether it’s litigation, an internal investigation, or the defense of a regulatory matter, the IOT changes how information is discovered and used as evidence. To my thinking, these changes fall into three broad areas:
Awareness of IOT data and its relevance. There is no doubt that data generated within the IOT – just like any other electronic information – is discoverable if relevant and not privileged. But how many lawyers and litigants right now are thinking about IOT information when they develop case strategy? Or create a discovery plan? Or draft requests for production? For instance, consider an organization defending a claim by an employee that it failed to reasonably accommodate her alleged disability; shouldn’t counsel be requesting relevant data from her “fitbit®” device about her physical activities? The first wave of change in discovery will come when parties routinely consider IOT information and incorporate it into case strategy.
The proliferation of new types of claims. Once litigants are fully aware of IOT information, creative lawyers undoubtedly will use it to create new types of claims, or at least expand the scope of existing legal theories. For example, go back to the idea of a smart phone pushing coupons to shoppers in certain aisles of certain stores; now imagine a consumer class action claim brought by persons whose phones didn’t offer certain coupons – Flawed software? Geographic/socio-economic discrimination? Or simply user error in selecting the right app settings? How about a company that permits employees (or customers) to wear Google Glass in its offices, and then faces a breach of privacy claim by an employee whose actions were recorded without her knowledge? Be prepared for new claims and theories to start showing up in complaints.
Challenges in preserving and collecting IOT data. Once organizations realize the importance of IOT information, then they face the challenges of preserving and collecting it. These challenges arise in several ways:
- To the extent IOT information resides on the physical device itself, preserving and collecting from the device may prove to be very difficult. First, the tools used for proper legal and forensic collection don’t always evolve as fast as the newest devices, and even a very experienced, skilled e-discovery vendor may struggle to collect the information. Furthermore, as the security and encryption of IOT devices gets more and more advanced, “cracking” the devices if the owner/operator is not available to provide access becomes increasingly difficult. Also, if the IOT device is used as part of an enterprise “BYOD” program, the company may push different settings and software to the device that make it different from others, and therefore more challenging to access. But even before data can be collected, it must be preserved. I suspect the typical user of a device connected to the IOT will need substantial help in understanding how to preserve information from that device in connection with a legal hold.
- If the IOT device sends data to be stored elsewhere – in the cloud, or on an enterprise server, for example – locating and collecting data from a particular device (or a certain group of devices) can be tricky. To the extent the discovery involves participation of a third party that hosts the data, all the possession/custody/control issues associated with such arrangements in traditional discovery come into play.
- For many IOT devices, the data gathered by the device are sent along to be aggregated with many others, typically in some type of structured database. Discovery of information from structured databases has always proved troublesome, and IOT databases are no different. (For an excellent treatment of the issues around database discovery, see the Sedona Conference Database Principles, 2014.)
I’m confident that the IOT will generate many positive benefits for businesses and individuals. And I know that we’ll also have a lot of fun with these devices along the way! But along with the fun comes the work of dealing with these devices, and the vast stores of data they create, in the context of discovery. At DiscoverReady, we’re ready to tackle that work, and look forward to helping our clients navigate these new challenges.