It all used to be so simple. In the old days, Lawyer A would send a document request to Lawyer B by pony express; Lawyer B would go review her client’s documents, pull some for privilege and non-responsiveness, Bates stamp the documents with a calligraphy pen, load up the mule carts and deliver the document production back to Lawyer A. But that was back in the 1990s when I started practicing. The world is now a vastly more complex place. The explosion of electronically stored information (ESI), data privacy laws, heightened preservation rules, cloud computing, and complex and transnational corporate structures have changed discovery forever. For the better? One hopes. But as Charles Kelly has noted, “the good of the scorpion is not the good of the frog.”
While the world has evolved, some of the legal standards that we use have been in place seemingly forever. These include the phrase “possession, custody or control” (PCC), which has been in use for hundreds of years and has been in the Federal Rules of Civil Procedure since 1937. PCC appears in Rules 34 and 45 to define the scope of the universe of documents and ESI that a party or person may need to preserve, review and produce in a litigation. CPLR §3120 uses the same standard. But how does a party determine that universe, i.e., what does it actually mean these days to have PCC of a document or a few bytes of ESI? It is a critical question because discovery failures can lead to adverse inferences, sanctions and infamy!
The Practical Ability Standard. In the Second Circuit, most district courts have determined that parties have PCC of documents or ESI when they have the “practical ability” to obtain them. Under the practical ability standard, “‘control’ does not require that the party have legal ownership or actual physical possession of the documents at issue; rather, documents are considered to be under a party’s control when that party has the right, authority, or practical ability to obtain the documents from a non-party to the action.” In re NTL Securities Litigation, 244 F.R.D. 179, 195 (S.D.N.Y. 2007).
The Sedona Conference has issued a commentary that is critical of the practical ability standard for several reasons. First, it may require a party to produce documents that it has no legal right to produce. Second, it may require a party to produce documents in violation of another country’s data privacy laws or its contracts with third parties. SEC v. Strauss, No. 09 Civ. 4150, 2009 U.S. Dist. LEXIS 101227 (S.D.N.Y. Oct. 28, 2009). Third, it can lead to inconsistent results. And, fourth, it places the burden on the party seeking the discovery to demonstrate that the other side in fact has the practical ability to obtain documents or ESI, usually without the benefit of any discovery. These are all serious problems that can potentially interfere with the discovery process. The Sedona Conference has recommended the abandonment of the practical ability standard.
The Legal Right Standard. The legal right standard, which is used in most of the federal circuits, holds that a party has PCC of documents or ESI where the party either has possession of or the legal right to obtain and produce the information. This standard eliminates most of the gray area created by the practical ability standard by eliminating the possibility of a party having to produce documents that it has no legal right to produce.
The Legal Right Plus Notification Standard. Following the lead of some courts in the First, Fourth and Tenth Circuits, the Sedona Conference has advocated that PCC be defined by the Legal Right Standard, but that a producing party must also notify the party seeking discovery if it is aware that there are responsive documents in a third party’s control. So, for example, if Party A seeks documents from Party B that Party B does not have a legal right to produce, Party B must notify Party A that Non-Party C (likely some type of affiliate or vendor) has control of responsive documents.
In determining whether a party has the “practical ability” to produce documents in the possession of a third party, New York courts consider multiple factors bearing on the relationship between the party and the third party. In In re Passport Special Opportunities Master Fund, 2016 U.S. Dist. LEXIS 25657, *1 (S.D.N.Y. March 1, 2016), one of the parties (Passport) subpoenaed a non-party affiliate of Deloitte & Touche (DTTL). The subpoena sought one particular letter, which was known to be in the possession of another non-party, Deloitte Pakistan. Passport was unsuccessful in arguing that DTTL had the practical ability to get the letter from Deloitte Pakistan. The court considered and weighed the following factors: the relationship between the targeted entity and the custodian of the documents; how the custodian has handled the documents at issue and similar documents in the past; and any business or other interests that could impact the custodian’s willingness to give the documents to the subpoenaed entity. The court found that DTTL did not have the practical ability to obtain the letter from Deloitte Pakistan because there was no evidence of a history of a “free flow” of documents between the two entities. The only document DTTL ever received from Deloitte Pakistan was a letter explaining that it was unable to give DTTL the subpoenaed letter because doing so would violate Pakistani law. The court also noted that a working relationship between two firms does not alone give rise to the practical ability to get documents from each other.
Similarly, in Alexander Interactive v. Adorama, the court found that the responding party had no practical ability to get documents from an Indian subcontractor, characterized (by the requesting party) as a “long-standing affiliate.” The court looked to “the existence of cooperative agreements or contracts between the responding party and non-party, the extent to which the non-party has a stake in the outcome of the litigation, and the non-party’s past history of cooperating with document requests.” The requesting party argued that plaintiff had control over the documents because plaintiff and the Indian company had enjoyed a long-standing, close working relationship, the Indian company had billed 3,000 hours on the project, and the plaintiff allegedly referred to the Indian company as its “Mumbai operation.” Nonetheless, the court determined that plaintiff lacked the practical ability to get documents from the Indian company because they did not share any officers or employees or have any written agreements about sharing documents, the affiliate had no interest in the outcome of the litigation, and there was no evidence of previous cooperation or document production in this case.
Rosehoff, Ltd. v. Truscott Terrace Holdings is a recent case where a federal court found that a party did have the practical ability to obtain documents from a third party. The defendants used an email server maintained by a third party, Connelly. The defendants initially failed to disclose the existence of the server, but once they did, they maintained that they did not have the practical ability to access the documents on the server. The court looked to the same factors as in Alexander, particularly the past cooperation with document requests. The dispositive factor for the court was that Connelly had actually previously cooperated with the plaintiffs to produce emails, which meant that Connelly would have provided the defendants with copies of the emails had they asked. The court went further and imposed sanctions under Rule 37(a)(5)(A) for defendants’ failure to disclose the server’s existence.
In the parent-subsidiary context, courts look to the degree of ownership and control the parent has over the subsidiary, whether the two entities operate as one, whether the parent has access to documents from the subsidiary in the ordinary course of business, and whether there is an agency relationship. In Stream SICAV v. Wang, 2014 U.S. Dist. LEXIS 81098, at *11-12 (S.D.N.Y. June 12, 2014), the court conducted a detailed factual inquiry into all of those factors and found that the parent had little involvement in the daily operations of the subsidiary, did not receive financial statements, did not share employees or an office with the subsidiary, and rarely accessed documents from the subsidiary, and that it did not have the “legal right, authority or ability” to obtain documents from the subsidiary.
Perhaps the most important case to touch upon these issues is In the Matter of a Warrant to Search a Certain E-mail Account Controlled and Maintained by Microsoft Corporation. The Stored Communications Act (SCA), which was part of the Electronic Communications Privacy Act of 1986, was enacted in a technological era that is now virtually unrecognizable. The SCA allows the government to issue warrants to service providers to seize customers’ private data, even where the data is password protected. Federal agents served such a warrant on Microsoft in the United States, requiring it to produce a customer’s private emails. But the emails were exclusively located on servers in the Republic of Ireland; and Ireland is subject to the EU’s strict data privacy laws as well as its own criminal code.
Microsoft moved to quash the warrant, arguing that the government is not authorized under the SCA to issue warrants for extraterritorial searches. The magistrate judge and district court rejected Microsoft’s arguments and sided with the government, holding that an SCA warrant was a hybrid between a warrant and a subpoena, and that Microsoft, which is a United States company, had “control” over the documents. The district court also found that the warrant did not implicate international concerns, particularly because the transfer of documents would occur in the United States, not in Ireland. Microsoft’s motion to quash was denied, and in fact Microsoft was held in contempt for failing to produce the emails.
Microsoft appealed, and the Second Circuit reversed, holding that the SCA did not authorize extraterritorial warrants. The Circuit noted that the “subpoena‐warrant distinction is significant here because, unlike warrants, subpoenas may require the production of communications stored overseas.”
The Supreme Court granted certiorari, and the case was argued on Feb. 27, 2018. The government framed the issue as whether a U.S. provider of email services must comply with a warrant by disclosing electronic communications within its control, regardless of where they are stored. The government argued that a provider cannot be said to be seizing records already in its “custody and control.” Microsoft, on the other hand, urges that this is simply a matter of statutory construction and that Congress did not authorize extraterritorial warrants in the SCA.
During oral argument, the justices appeared to be divided. Chief Justice John Roberts expressed concern that affirming the Second Circuit would allow service providers to shield data from the government by moving it to foreign servers (and potentially using that as a tactic to attract customers). Justices Sonia Sotomayor and Ruth Bader Ginsburg seemed to be leaning toward interpreting the SCA narrowly, siding with Microsoft, and leaving it up to Congress to update the SCA to apply to current technology.
Congress, widely known for tackling complex issues and staying well ahead of the curve, may actually do something to address the issue. Both houses have introduced versions of the CLOUD Act of 2018, which would address extraterritoriality in the SCA. A quick perusal of the draft bills, however, demonstrates the complexity of the issue in light of comity, data privacy laws, and other policy considerations.
It is certainly worth watching what happens in Congress, the Supreme Court, and the Circuit and district courts on these issues.
Michael B. de Leeuw is a member of Cozen O’Connor.