Last year, a man was indicted for aggravated arson based on heart rate, cardiac rhythm, and other data obtained from his pacemaker. Another man was charged with murder based, in part, on data collected from his Fitbit. While these cases might sound far-fetched, they may soon be commonplace, particularly with the explosive growth in wearable devices and mobile health applications, which are used by one-fifth and one-third of all U.S. consumers, respectively. See “Patients Want a Heavy Dose of Digital,” Accenture Consulting (2016). The reverberations caused by these technologies will extend far beyond the criminal system. Only last month, the Food and Drug Administration approved a digital pill “embedded with a sensor that can tell doctors whether, and when, patients take their medication.” Pam Belluck, “First Digital Pill Approved to Worries About Biomedical ‘Big Brother,’” N.Y. Times (Nov. 13, 2017) (“the sensor … generates an electrical signal when splashed by stomach fluid … [that] is detected by a Band-Aid-like patch that must be worn on the left rib cage … [that] sends the date and time of pill ingestion and the patient’s activity level via Bluetooth to a cellphone app”).
Given the speed with which these innovations are moving from science fiction to reality, the e‑discovery implications for civil litigants warrant close examination. Just as the Supreme Court grapples with how to apply the Fourth Amendment in the age of the smartphone (see Adam Liptak, “Justices Seem Ready to Boost Protection of Digital Privacy,” N.Y. Times (Nov. 29, 2017)), parties and judges alike will struggle with how to apply such established e‑discovery principles as proportionality and reasonable accessibility in this new arena. At the same time, the introduction of this new category of electronically stored information may help to level the playing field in disputes that traditionally impose highly asymmetric discovery burdens. The products liability defense bar, in particular, may find opportunities to leverage data generated by wearable and biomedical devices to undermine plaintiffs’ claims.
Mobile Health Applications
The sheer volume of digital health data generated by mobile health applications is staggering. A recent study estimated that there are 318,500 mobile health apps now available in app stores, with roughly 200 new apps added daily. See IQVIA Institute for Human Data Science Study: Impact of Digital Health Grows as Innovation, Evidence and Adoption of Mobile Health Apps Accelerate (Nov. 7, 2017). These apps serve myriad purposes and capture a diverse array of unique, personal, and potentially valuable health data. For example, there are health apps that function as electronic calorie counters, exercise guides and trackers, medical journals, sleep monitors, step counters, blood glucose readers, blood pressure monitors, medication trackers, drug dosage guides, and physical therapy guides.[see note 1] Some patients are even using medical apps to communicate directly with doctors to receive treatment recommendations and diagnoses. Google recently acquired a company with apps that use a smartphone’s camera to check blood hemoglobin counts and its microphone to measure lung function. See Jon Fingas, “Google sees a future in wearable-free health monitoring,” Engadget (Oct. 15, 2017).
Whether these apps are helping to track a weekly jog or verify life-saving dialysis treatment, they generate a treasure trove of information regarding an individual’s daily activities and routines that could be swept up in the discovery phase of litigation. For example, in a products liability action, general wellness information captured through an app could undermine a plaintiff’s claims about the injuries allegedly suffered or the long-term medical care needed. In addition, some apps and devices effectively generate surveillance data regarding the user, which, if requested and produced, could provide probative information about a plaintiff’s day-to-day activities and whereabouts.
Many of the questions we ask when developing a preservation and collection strategy take on a new level of complexity in this realm. For instance, is the information stored on the user’s physical device, somewhere in the cloud, or elsewhere? If in the cloud, is the end user in control of the data, or is the information more likely to be deemed within the exclusive “possession, custody, or control” of the app developer? Either way, are any tools available to export the pertinent data for review and potential production? If so, in what format are the data provided? The answers to these and other questions could be challenging to find and may differ for each app or device at issue. Even after those details are clarified, the e-discovery tools that are the lawyer’s stock-in-trade may not be suitable to analyze the information in an efficient manner. Early discussion of these issues during meet-and-confer negotiations is almost invariably the best practice, particularly so that the parties can reach consensus on a protocol that addresses, among other things, privacy and data security requirements.
Wearable and Implantable Devices
Wearable devices are electronic, Internet-connected gadgets that track data about the wearer’s health, wellness, and vital signs. Examples include “smart” watches, bracelets, clothing, shoes, and eyeglasses. These devices collect many different types of data, ranging from physical activity or general wellness telemetry (e.g., sleep rates, steps taken, calories consumed, and body temperature) to vital health information, including blood glucose levels, heart rate, and blood pressure. Wearable devices use sensors that gather data from the user’s body and then transmit that data (usually via Bluetooth (see Nick Paul Taylor, “Express Scripts rolls out smart inhalers in digital health push,” FierceBioTech (Nov. 17, 2017) (describing “inhalers incorporating digital sensors that track when the device is used and send the data to their smartphones via Bluetooth”)), Wi-Fi, or some other protocol) to the user for her own review or, in many instances, directly to a health care professional for evaluation and analysis. As the underlying sensors powering these devices become smaller, less obtrusive, and more easily incorporated into everyday accessories, articles of clothing, and even body art,[see note 2] the adoption of wearable devices (and corresponding real-time logs of personal health and activity data) will skyrocket, as the FDA has already recognized. See Valentina Palladino, “FDA clears first medical accessory for the Apple Watch—an EKG sensor,” ArsTechnica (Nov. 30, 2017) (discussing the FDA’s Digital Health Innovation Action Plan as part of the agency’s “effort to collaborate with tech companies that want to make it easier to produce devices and software that consumers can use to monitor their health”). On Dec. 7, 2017, the FDA released three policy documents, including two implementing portions of the 21st Century Cures Act, generally designed to reduce FDA oversight over digital health products, including wearables and medical apps. See “Statement from FDA Commissioner Scott Gottlieb, M.D., on advancing new digital health policies to encourage innovation, bring efficiency and modernization to regulation” (Dec. 7, 2017). The policy documents include a Draft Guidance “Clinical and Patient Decision Support Software” (Dec. 8, 2017); a Draft Guidance “Changes to Existing Medical Software Policies Resulting from Section 3060 of the 21st Century Cures Act” (Dec. 8, 2017); and a Final Guidance Software as a Medical Device (SAMD): Clinical Evaluation (Dec. 9, 2017).
The FDA explained that these policy documents were promulgated “to expand our efforts to encourage innovation in the ever-changing field of digital health.”
In a similar vein, devices that are implanted into the human body are becoming increasingly Internet-connected. These “implantable” medical devices include pacemakers, defibrillators, insulin pumps, spinal cord stimulators, brain chips, and drug infusion pumps. In addition to capturing vital health information directly from the user’s body—and, in some instances, even administering treatment—these devices also collect and transmit information about their own functionality and alert health care providers if they are malfunctioning or likely to fail. While few implantable medical devices are currently Internet-connected, this number will rise in the near future as manufacturers of knee replacements, hip replacements, and spinal implants, among others, incorporate real-time electronic reporting to improve the functionality and performance of their devices.
Given employees’ willingness to have chips implanted in their hands merely to save a few seconds getting into their offices (see Maggie Astor, “Microchip Implants for Employees? One Company Says Yes,” N.Y. Times (July 25, 2017) (noting that more than half of the company’s employees had volunteered to be “chipped” even though “[a] microchip implanted today to allow for easy building access and payments could, in theory, be used later … to track the length of employees’ bathroom or lunch breaks”)), many patients likely will flock to be first in line to receive Internet-connected implantable devices. And if those same patients eventually become parties to products liability litigation, questions abound as to the accessibility, accuracy, authenticity, and discoverability of the underlying data recorded by those devices, and perhaps even the constitutionality[see note 3] of seeking such discovery in the first place.
At first blush, Federal Rule of Civil Procedure 26(b)(2)(B), which excludes sources identified as “not reasonably accessible because of undue burden or cost” from discovery, might seem applicable. But that argument may be unavailing where, as in most instances, the data of interest can be obtained remotely. Parties for whom the data are unfavorable may then challenge the accuracy or authenticity of the information. While no device is infallible, producing parties should be able to marshal the newly revised Federal Rules of Evidence 902(13) and 902(14) [see note 4] to circumvent authenticity challenges.
As to discoverability, the two touchstones of relevance and proportionality merit consideration. Data generated about a person via a wearable or implantable device should not be per se relevant to every dispute involving that person, but could be relevant in cases where physical, behavioral, or even emotional injuries are at issue. Where relevance is apparent, Federal Rule of Civil Procedure 26(b)(1) also mandates that the information be proportional to the needs of the case. The Advisory Committee Notes accompanying the 2015 Amendments instruct that one factor informing the proportionality determination—“the parties’ relative access to relevant information”—is intended to place a “heavier [burden] on the party who has more information, and properly so.” Typically, the large corporate defendant has greater access to relevant information, but the script might be reversed with the growth in consumer-facing wearable and implantable devices.
Technology will always move faster than the law, but pharmaceutical and medical device counsel must remain cognizant of how mobile health applications and accompanying sensor-laden devices could, with proper planning and foresight, open new avenues for pursuing their claims and defenses.
 While the FDA previously promulgated guidance under the prior administration indicating that it would regulate a subset of mobile health apps as if they were traditional medical devices, the 21st Century Cures Act removes general wellness products, including certain apps and software, from regulatory oversight. 21 U.S.C. §360(j).
 For example, a recent paper reported on a lightweight sensor that can easily be applied to the body (and even disguised as a temporary tattoo) to monitor electrical muscle activity, body temperature, and other vital signs, all without irritating the user’s skin. See Aneri Pattani, “A Sensor on Your Skin That Looks and Feels Like a Temporary Tattoo,” N.Y. Times (July 20, 2017).
 Cf. Orin Kerr, “Judge rejects warrant provision allowing compelled thumbprints to unlock iPhones,” Wash. Post (Feb. 23, 2017) (“obtaining thumbprints will violate the Fifth Amendment because cellphones contain very sensitive information”).
 Effective Dec. 1, 2017, these two new sections of Rule 902 allow parties to authenticate certain types of electronically stored information, including data from an electronic device, via routine affidavit as opposed to live testimony.
Samuel Abate Jr. is a partner in Pepper Hamilton’s health sciences department. Jason Lichter is director of discovery services and litigation support at the firm. Michael Vives is an associate in the health sciences department.