Corporate Counsel
ALM Properties, Inc.
Page printed from: Corporate Counsel

Back to Article

Select 'Print' in your browser menu to print this document.

Obtaining Disclosure of ESI From Non-Parties

Thomas F. Gleason

New York Law Journal

11-29-2011


It must be hard to be a computer network professional. You're responsible to maintain security, you have little or no control over what people send and receive from the computers you maintain, and you may be the only person with the technical knowledge and access to identify the source and availability of electronically stored information. I imagine these folks hate subpoenas, especially if they have nothing to do with their employer's business.

In Tener v. Cremer,[FOOTNOTE 1] the plaintiff sought to compel a non-party, New York University, to respond to a subpoena that might enable the plaintiff to identify the source of a posting on "Vitals.com," an internet opinion website that advertises itself as the place "where doctors are examined." This appears to be one of many internet sites that solicit opinions that others may use in making consumer decisions, and the plaintiff in Tener was a board certified physician who wanted to sue the author of allegedly defamatory remarks.

The Vitals.com posting was anonymous,[FOOTNOTE 2] but the plaintiff had learned of an Internet Protocol (IP) address[FOOTNOTE 3] associated with the offending message. This IP address did not identify the author's computer, but did lead to the server for the entire computer network maintained by NYU. Relying on this clue, the plaintiff subpoenaed the university, seeking to identify all persons using the NYU server who had accessed the internet on the date of the offensive posting, and to identify which of those computers had connected to the Vitals.com site.

It apparently was not easy for the university to comply with the plaintiff's requests. Although only NYU personnel could obtain access to the system, the "network address translation portal" used by NYU essentially acted as a switchboard, and through this "portal," many thousands of persons had access to outside websites. When NYU did not produce information satisfactory to the plaintiff, she moved to hold the university in contempt of court.

The university responded with an affidavit by its chief information security officer, who noted that the date of the allegedly offending comment was nearly a full year prior to the service of the subpoena, and that computers used to visit outside websites are identified in the NYU system only by a " ... text file that is automatically written over every 30 days."

IS IT REALLY DELETED?

Undaunted, the plaintiff replied with an affidavit by a forensic computer expert, who contended not surprisingly that nothing ever is really deleted from a computer. Instead, the expert contended that the term "written over," in the context of computer disc drives, is "deceptive," because the ostensibly deleted data still remains on the disc -- it only seems deleted and invisible to the user.

Apparently, unless one removes a hard drive and blasts it to smithereens, the address (i.e., the physical location on the disc) of information stored by any computer hard drive is the only thing that actually is eliminated upon erasure. This address removal allows the "deleted" information to remain on the disc, albeit invisible to and "deleted" from the perspective of the user. Thereafter, the ostensibly deleted data remains undisturbed on the disc's "free space," where it may eventually be overwritten and obscured, but that may not happen for awhile. As a result, the plaintiff's cybersleuth concluded that through software such as "X-Ray Forensic," the NYU data could enjoy a digital resurrection.

On the motion to hold NYU in contempt of court, the decision turned on the extent of the effort required by a non-party like NYU to that end. Should they be required to perform digital detective work and load forensic software? Should the non-party's expert assertion of unavailability be taken at face value?

The Supreme Court denied the contempt motion, accepting the university's assertion that the data was unavailable. The Appellate Division, 1st Department, reversed, reasoning that inaccessibility of electronic information cannot be decided based on the source or type of storage media, but instead must be based on a cost/benefit analysis, in light of the plaintiff's asserted need. As the record was not sufficiently detailed to perform this review, the case was sent back for a hearing.

FACTS AND AUTHORITY

The CPLR presently does not generally distinguish electronic and other types of evidence, and the only CPLR sections mentioned in the court's opinion are CPLR 3111 and 3122(d). These sections are important, because they provide that the reasonable production expenses of the non-party witness are to be defrayed by the party seeking the discovery, but they do not address the more vexing problem of how far a non-party has to go in its production efforts.[FOOTNOTE4]

An issue that did not arise in Tener is the obligation of a non-party to preserve ESI before a subpoena is served. Letter demands or notices of a duty to preserve ESI now are common, but what is the source of a preservation obligation of a non-party, and what is the remedy if they refuse?[FOOTNOTE 5] This is an important area of future study and perhaps legislation.

To resolve the dispute in Tener, the 1st Department relied on the Federal Rules of Civil Procedure[FOOTNOTE 6] and Guidelines for Electronically Stored Information recently promulgated by the Supreme Court, Nassau County Commercial Division. The Nassau County Guidelines specifically deal with the ESI obligations of parties to a pending action, but the court also found them useful for non-party disclosure issues.[FOOTNOTE 7]

In Tener, the university's assertions of "unavailability" could not be resolved on the contested record because essential facts were in dispute. The hearing might involve some credibility determinations concerning the respective expert assertions, and would determine whether the identifying information was " ... written over as NYU maintains," or whether it is " ... somewhere else, such as in unallocated space as a text file." The hearing also would address the practicalities of identifying the author of the offending posting, whether the information truly was inaccessible or just difficult to obtain, and the budget for the data examination process.

This seems like a lot of work, and it probably is, but sometimes important cases justify heavy disclosure expenses. The Tener case recognizes this balance of interests and is consistent with already existing CPLR procedures. CPLR 3102 allows pre-action discovery, whether to aid in bringing an action and to preserve evidence, and these days it is likely that such disclosure will involve ESI.[FOOTNOTE 8] Therefore, so long as the expenses and interests of the third-party custodian are properly recognized, as the Tener court clearly contemplates, it appears that the (well-paid) forensic professionals will have their day.

::::FOOTNOTES::::

FN1 Tener v. Cremer, —AD3d—, Slip Op 06543; 2011 WL 4389170 (1st Dept. 2011).

FN2 It appears that the site may not track the information of persons making posts, as the Privacy Policy states in part: "[t]o protect Your privacy, Vitals does not associate Your website navigation activities to given Healthcare Providers...." Read more: http://www.vitals.com/privacy#ixzz1di4kzGix.

FN3 According to Wikipedia, an Internet Protocol address (IP address) is a numerical label assigned to hardware that uses the Internet Protocol for communication. They are numbers in binary code (zeros and ones), but usually are stored in text files and displayed in "human readable notations," meaning a string of base 10 numbers such as 172.16.254.1. See http://en.wikipedia.org/wiki/Ip_address.

FN4 See also, CPLR 3101(a)(4), which generally governs scope of disclosure. There has been some inconsistency in appellate holdings on the necessary showing to enable non-party disclosure. Compare Dioguardi v. St. John's Riverside Hospital, 144 AD2d 333 (2d Dept. 1988) and Matter of Cavallo, 66 AD3d 675 (2d Dept. 2009); with Matter of New York County DES Litigation, 171 AD2d 119 (1st Dept. 1991) and Cavaretta v. George, 270 AD2d 862 (4th Dept. 2000). See also, Matter of Troy Sand & Gravel Company v. Town of Nassau, 80 AD3d 199 (3d Dept. 2010). It would appear the better rule is to allow disclosure of all matter material and necessary to an action, tempered by the concern shown in Tener for undue inconvenience to non-parties.

FN5 While any entity that might be involved in litigation would be well advised to avoid the perils of spoliation, it is less clear how preservation will be enforced for those who may have useful information, but lack the interest or resources to ensure preservation. Is a party's demand alone enough to shift risk to a non-preserving third party? If so, what is the source of this power? It may be awkward to derive standards for non-parties from civil practice rules, which would not ordinarily be consulted by those not engaged in litigation.

FN6 See generally, FRCP Rule 45 [d][1][D] and rule 26 (b)(2)(C).

FN7 The guidelines require the parties to identify, in reasonable detail, electronically stored information that is not reasonably accessible, as well as the anticipated costs and efforts involved in retrieving it. In addition, the guidelines require that the parties be prepared to discuss the " ... need for certified forensic specialists and/or experts ... " so that the discovery of "deleted" data is not ruled out, but rather becomes the subject of a cost/benefit analysis.

FN8 See, CPLR 3102(c), which allows pre-action disclosure upon court order. For a full discussion of the procedures, see Siegel, New York Practice [5th Ed.], §352, pp. 591-592.

This article originally appeared in the New York Law Journal.