Chapter 12 - Privacy Issues in Civil Litigation and Governmental Investigations

Question 1

Disclosures required by law

Answer 1

FDA requires health professionals and drug manufacturers to report serious adverse events assoc. with use of FDA regulated item

OSHA requires reporting info about certain workplace injuries and illness.

States can require reporting certain types of injuries/conditions - abuse, gun wounds, contagious diseases.

Recall HIPAA allows PHI to be disclosed if required by law.

Question 2

Disclosures permitted by law

Answer 2

• HIPAA - required to discloses to data subject and to HHS in enforcement action.
• Computer/Hacker trespasser - Section 217 of USA PATRIOT Act permits, not require owner/operator of computer system to provide access to law enforcement to communications if –
  1. O/O authorizes interception of hacker’s communications on the computer
  2. Investigator acting under color of law
  3. Reasonable grounds to believe contents will be relevant to investigation.
  4. such interception not acquire other communications.

Question 3

Disclosures forbidden by law (unless consented to)

Answer 3

• State law evidentiary privileges – eg. atty- can prohibit client, doctor-patient.

Forbids forcing disclosure, but can still consent.

Recall COPPA, HIPAA - consent required or exception.

Fifth Am self incrim right also.

F

Question 4

Public access to court records: protective orders

Answer 4

• response to public access to court records: protective orders, where judge dets what info should not be made public and what conditions apply for access. Moving party must show good cause

Reqs for PO:

1. must be confidential information in the 1st place.
2. must show info is relevant to the case
3. must weigh harm against the need for the information.

• HIPAA has a qualified protective order provision, applies in state courts not covered by PO in fed rules of civpro.
  If granted, prohibits parties from using/disclosing PHI except in litigation, and must return it at end.

Question 5

Public access: required redaction

Answer 5

FRCP Rule 5.2: Privacy Protection for Filings Made with Court”
Requires no more than this in court filings:

1. The last four digits of the Social Security number and taxpayer-identification number
2. The year of the individual’s birth
3. If the individual is a minor, only the minor’s initials
4. The last four digits of the financial account number

Certain exemptions exist, and can file under seal w/o redaction in some cases.

Bankruptcy has similar rules.

Criminal proceedings add city and state of home address also must be redacted.

Question 6

E-discovery of electronically-stored information (ESI): Guidelines of Sedona Conference re. emails

Answer 6

Regarding email retention, the Sedona Conference offers four key guidelines:

1. Email retention policies should be administered by interdisciplinary teams composed of participants across a diverse array of business units
2. Such teams should continually develop their understanding of the policies and practices in place and identify the gaps between policy and practice
3. Interdisciplinary teams should reach consensus as to policies, while looking to industry standards
4. Technical solutions should meet and parallel the functional requirements of the organization

Question 7

When can data not be included in response to e-discovery request?

Answer 7

When done in good faith, data that is “transitory in nature, not routinely created or maintained by [d]efendants for their business purposes, and requiring of additional steps to retrieve and store,” may be considered outside the duty of preservation

Question 8

Court test to resolve conflict between retention policy and a discovery request?

Answer 8

(1) a retention policy should be reasonable considering the facts of the situation,
(2) courts may consider similar complaints against the organization and
(3) courts may evaluate whether the organization instituted the policy in bad faith.

Question 9

Tension between GDPR and a domestic discovery request

Answer 9

Ways courts have resolved:

1. if party sought US jurisdiction, then require production
2. require production for all parties, regardless of whether sought US jurisd.
3. Focus on nature of document at issue - privacy log describing docs without disclosing - balancing
4. resort to Hague Convention on the Taking of Evidence (much harder - is last resort for those seeking evidence)
   party seeking to displace FRCP bears burden of demo Hague is more appropriate and that foreign law prohibits production
   Aerospaciale case outlines factors US court may use to make this determination:
5. The importance of the documents or data to the litigation at hand
6. The specificity of the request
7. Whether the information originated in the United States
8. The availability of alternative means of securing the information
9. The extent to which the important interests of the U.S. and the foreign state would be undermined by an adverse ruling

Question 10

Katz v. US

Answer 10

“What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.” The court found that a warrant was needed for a police bug in a restaurant, placed to hear the calls behind the closed doors of a phone booth.
Katz is best remembered today for the widely cited “reasonable expectation of privacy” test. In a concurring opinion, Justice John Marshall Harlan stated: “There is a twofold requirement, first that a person have exhibited an actual (subjective) expectation of privacy and, second, that the expectation be one that society is prepared to recognize as ‘reasonable.’”

Question 11

Exceptions to req of warrant where a reas exp of privacy exists

Answer 11

• “In public” exception - if knowingly expose to public, not prot by 4th - plain view
• If put info in hands of 3rd party, its not protected by 4th
  so companies can turn over data subject info without warrant when data subj gave them the info.

But see Jones v. US

Question 12

Jones v. US

Answer 12

The court held unanimously that a warrant was needed when the police placed a Global Positioning System (GPS) device on a car and tracked its location for over a month. The majority decision emphasized that the police had trespassed onto the car when they physically attached the GPS device. Four of the nine justices, however, would have held that a search occurred even without the physical attachment, and even for movements that took place entirely in public. A fifth justice seemed to indicate sympathy for this constitutional limit on surveillance of “in public” activities, and also stated that the time had come to reexamine the third-party doctrine

Question 13

Riley v. California

Answer 13

The 2014 case of Riley v. California was an important decision where the Supreme Court unanimously held that the contents of a cell phone cannot be searched unless law enforcement officers first obtain a search warrant.56 The justices ruled that the data on a cell phone was quantitatively (the amount of data) and qualitatively (the kind of data) different than the contents that would normally be found in a physical container, which was the analogy the government had proposed to the court. As to the quantity of data, the Court noted the immense storage capacity of cell phones as well as the ability to link to remote storage. With regard to the quality of data, the Court opined that Internet searches can reveal a person’s interests, and location information can pinpoint an individual’s movement over time.57

Question 14

HIPAA - When disclosure to law enforcement is permitted without consent -= “law enforcement exception”

Answer 14

1. The information sought is relevant and material to a legitimate law enforcement inquiry
2. The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought
3. De-identified information could not reasonably be used

Note: Other than law enforcement exception, HIPAA has a “required by law” exception to cover where other statutes require disclosure.

Question 15

Other HIPAA disclosures to law enforcement permitted in these cases

Answer 15

• about a crime on the premises,
• about decedents in connection with a suspected crime,
• in emergencies,
• about victims of a crime even in the absence of patient consent if a multifactor test is met.
• Limited information may in some instances also be released for identification and location purposes

Question 16

General approach of federal law wrt access to communications by law enforcement / govt.

Answer 16

• From strictest to most permissive, federal law has different rules for
  (1) telephone monitoring and other tracking of oral communications;
  (2) privacy of electronic communications and
  (3) video surveillance, for which there is little applicable law.
• Federal law is also generally stricter for real-time interception of a communication, as contrasted with retrieval of a stored record.
• In each area, states may have statutes that apply stricter rules.
• Furthermore, monitoring that is offensive to a reasonable person can give rise to claims under state invasion of privacy or other common-law claims.

Question 17

Title III interception requirements

Answer 17

• applies to phone wiretapping, bugging, any oral communication uttered by a person exhibiting an expectation that such communication is not subject to interception under circs justifying such expectation., and (via ECPA) to e-comms.
• But exact rules for wire, oral and e-comms vary.
• But interception of all of these is criminal offense and there is a PROA, unless exception applies.

Question 18

Exceptions to T3 prohibition on interception of wire, oral, and e-comms

Answer 18

• If one party given consent (although some states are 2-party consent)
• Done in ordinary course of biz
• email or phone service provider, eg.

-

Question 19

Stored Comms

Answer 19

• general prohib ag unauth acquisition, alteration or blocking of e-comms while in facility through which ecomms service provided.
• Crim penalties so careful before giving to law enfor. textbook not give standards, just say consult expert
• Exceptions
  Company providing the service
  or as authorized by user of service wrt ecomm from or to them
• Not pre-empt.
• Preservation orders: provider of wire/ecomm or remote computing service, upon request of govt. entity must take all necessary steps to preserve records, pending court order.

Question 20

Pen Registers and Trap and Trace Orders

Answer 20

• Note traditionally, these were under the “relevant to an ongoing investigation” low standard, for production to law enforcement.
• USA Patriot Act expanded PR and T&T orders to not just phone numbers but any “dialing, routing, addressing, or signaling info” transmitted to or from a device or process.

USA FREEDOM Act pulled this back - prohibits PR and T&T for bulk collection, and restricting to phone # or email address or similar “specific selector”

Question 21

Communications Assistance to Law Enforcement Act (CALEA) aka Digital Telephony Act

Answer 21

• Lays out duties of defined actors in telecomm industry to cooperate in interception of communications for law enfor. , etc.
• Reqs telecomms to design products/services to ensure they can carry out lawfuly order to provide govt. access to comms.
• FCC implemented through r-making
• not apply to internet services, but rulemaking rendered VOIP and broadband subject to CALEA when interconnect with trad phone services.

Question 22

Cybersecurity Information Sharing Act (CISA) – 2015

Answer 22

• The statute permits the federal government to share unclassified technical data with companies about how networks have been attacked and how successful defenses against such attacks have been carried out.
• Companies are authorized to voluntarily share with govts and private entities ‘cyber threat indicators” and “defensive measures” for a “cybersecurity purpose” or receive such info from these entities.

IF done in accordance with certain reqs, such as, for cyber threat indicator, first remove any info not dir related to threat and that relates to an individual

• Sharing with feds does not waive atty-client priv., but may wrt st/loc/priv
• Info shared can’t be used for enf action.
• Shared info exempt from FOIA, sim state laws.
• Company can monitor and operate defensive measures on own info, or of others with permission, for cyber purpose; and company protected from liability for this monitoring (not for operating defensive measures).

Question 23

Right to Financial Privacy Act

Answer 23

no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution unless the financial records are reasonably described” and meet at least one of these conditions:

1. The customer authorizes access
2. There is an appropriate administrative subpoena or summons
3. There is a qualified search warrant
4. There is an appropriate judicial subpoena
5. There is an appropriate formal written request from an authorized government authority

Note: over 12 states have similar reqs

Consumers have right to notice and to challenge request

Damages available, plus punn and atty fees

Question 24

Media Records and Privacy Protection Act

Answer 24

Under PPA, government officials engaging in criminal investigations are not permitted to search or seize media work products or documentary materials “reasonably believed to have a purpose to disseminate to the public a newspaper, book, broadcast or other similar form of public communication.” In practice, rather than physically searching a newsroom, “the PPA effectively forces law enforcement to use subpoenas or voluntary cooperation to obtain evidence from those engaged in First Amendment activities.”

It applies only to criminal investigations, not to civil litigation.

Several states provide additional protections.

Violation can lead to penalties of a minimum of $1,000, actual damages and attorney’s fees.

One important exception is if there is probable cause to believe that a reporter has committed or is in the process of committing a crime.

Question 25

Evidence stored in a different country

Answer 25

Microsoft v. US (the Microsoft Ireland case) - 2d circuit ruled SCA not able to be used by govt to get data housed overseas, but Congress in 2018 passed CLOUD Act which expanded reach of SCA to cover oversease data.

Question 26

FISA History

Answer 26

In passing FISA in 1978, both supporters and critics of broad surveillance powers achieved important goals. Supporters of surveillance gained a statutory system that expressly authorized foreign intelligence wiretaps, lending the weight of congressional approval to surveillance that did not meet all the requirements of ordinary Fourth Amendment searches. Critics of surveillance institutionalized a series of checks and balances on the previously unfettered discretion of the president and the attorney general to conduct surveillance in the name of national security.

Question 27

Snowden

Answer 27

• In passing FISA in 1978, both supporters and critics of broad surveillance powers achieved important goals. Supporters of surveillance gained a statutory system that expressly authorized foreign intelligence wiretaps, lending the weight of congressional approval to surveillance that did not meet all the requirements of ordinary Fourth Amendment searches. Critics of surveillance institutionalized a series of checks and balances on the previously unfettered discretion of the president and the attorney general to conduct surveillance in the name of national security.

the 2013 Presidents Review Group was told that 70 percent of its recommendations were being adopted in letter or spirit, and others have been adopted since.

The Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency in the executive branch, released detailed reports on the Section 215125 and Section 702126 surveillance programs, making numerous recommendations. Overall, PCLOB made 22 recommendations in its Sections 215 and 702 reports and virtually all have been accepted and implemented.

The Snowden revelations led to significant reforms in U.S. surveillance law and practices.

These reforms included passage of the USA FREEDOM Act in 2015, which among multiple provisions ended bulk collection under the Section 215 program,

and the Judicial Redress Act of 2016, which extends U.S. Privacy Act protections to certain non-U.S. persons. There have also been numerous administrative changes.

Question 28

FISA Basics

Answer 28

FISA establishes standards and procedures for electronic surveillance that collects “foreign intelligence” within the United States FISA orders can issue when foreign intelligence gathering is “a significant purpose” of the investigation. 138 For law enforcement cases, court orders issue based on probable cause of a crime; FISA orders instead issue on probable cause that the party to be monitored is a “foreign power” or an “agent of a foreign power.”

In addition to wiretap orders, FISA authorizes pen register and trap and trace orders (for phone numbers, email addresses, and other addressing and routing information) and orders for video surveillance.

Generally can’t disclose the fact of order to the target.

Mostly an issue for telecomm providers

Question 29

Section 215 orders

Answer 29

provides that a federal court order can require the production of “any tangible thing” for defined foreign intelligence and antiterrorism investigations.

The definition of tangible thing is broad, including “books, records, papers, documents, and other items.” Recipients of such an order receive notice that they were forbidden from disclosing the existence or contents of the order.

USA FREEDOM Act ended bulk collection under 215 - now must be a specific request

Question 30

FISA: Section 702

Answer 30

Refers to a 2008 amendment to FISA

applies to collection of electronic communications that take place within the United States and only authorizes access to the communications of targeted individuals for listed foreign intelligence purposes. One legal question answered by Section was how to govern foreign-to-foreign communications for interception of content that has been stored within the United States

To target the communications of any person, the government must have a foreign intelligence purpose to conduct the collection and a reasonable belief that the person is a non-U.S. citizen located outside of the United States.

Section 702 can provide access to the full contents of communications, and not just metadata

To target the communications of any person, the government must have a foreign intelligence purpose to conduct the collection and a reasonable belief that the person is a non-U.S. citizen located outside of the United States.151 Section 702 can provide access to the full contents of communications, and not just metadata

PRISM - ask company for X selector and they have to give it

UPSTREAM - ongoing filter of ecomms/phone calls passing through US internet infrascture that meet X selector

Question 31

National Security Letters (NSLs)

Answer 31

• USA Patriot Act expanded these
• NSLs generally can seek records relevant to protect against international terrorism or clandestine intelligence activities.

NSLs can be issued without any judicial involvement.

Under the 2006 amendments, however, recipients can petition to a federal court to modify or set aside an NSL if compliance would be unreasonable or oppressive

• he 2006 amendments said that recipients are bound to confidentiality only if there is a finding by the requesting agency of interference with a criminal or counterterrorism investigation or for other listed purposes
• FBI now presumptively terminates NSL secrecy when investigation closes or not more than 3 years after opening of a full inviestigation.