THE ETHICS AND USE OF TECHNOLOGY:

IN YOUR PRACTICE AND IN THE COURT

David W. Thomas, Esq.MICHIEHAMLETT PLLC500 Court Square, Suite 300Charlottesville, VA 22903P: (434) 951-7224dthomas@michiehamlett.com

I. TECHNOLOGY and ETHICS: Ignorance is no Defense

Hopefully, everyone is familiar with the very first Rule of Professional Conduct in Virginia:A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

In August 2012, the American Bar Association formally approved a change to the Model Rules of Professional Conduct to expand the scope of “competence.” Now, in addition to being competent in one’s knowledge of the law and its practice, lawyers would also have to be competent when it comes to the technology that affects their practice. This included not only areas like e-Discovery, but also the everyday technology at use in running a law practice.

More specifically, the ABA’s House of Delegates voted to amend Comment 8 to Model Rule 1.1, which pertains to competence, to read:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (emphasis added)

Twenty-seven (27) states have now formally adopted this new standard. Virginia became the 18th, when on December 17, 2015 (effective March 1, 2016), the Virginia Supreme Court formally modified Rule of Professional Conduct 1.1 to add language specific to the understanding and use of technology. Amending Comment #6 to Rule 1.1, the highlighted language was inserted:

[6] To maintain the requisite knowledge and skill, a lawyer should engage in continuing study and education in the areas of practice in which the lawyer is engaged. Attention should be paid to the benefits and risks associated with relevant technology. The Mandatory Continuing Legal Education requirements of the Rules of the Supreme Court of Virginia set the minimum standard for continuing study and education which a lawyer licensed and practicing in Virginia must satisfy. If a system of peer review has been established, the lawyer should consider making use of it in appropriate circumstances.

At the same time, the Court modified Rule 1.6 to add a new subsection (d):

1

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information protected under this Rule.

More importantly, it added a slew of new comments:

[19] Paragraph (d) requires a lawyer to act reasonably to safeguard information protected under this Rule against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of this Rule if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the employment or engagement of persons competent with technology, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

[19a] Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other laws, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of this Rule.

[20] Paragraph (d) makes clear that a lawyer is not subject to discipline under this Rule if the lawyer has made reasonable efforts to protect electronic data, even if there is a data breach, cyber-attack or other incident resulting in the loss, destruction, misdelivery or theft of confidential client information. Perfect online security and data protection is not attainable. Even large businesses and government organizations with sophisticated data security systems have suffered data breaches. Nevertheless, security and data breaches have become so prevalent that some security measures must be reasonably expected of all businesses, including lawyers and law firms. Lawyers have an ethical obligation to implement reasonable information security practices to protect the confidentiality of client data. What is “reasonable” will be determined in part by the size of the firm. See Rules 5.1(a)-(b) and 5.3(a)-(b). The sheer amount of personal, medical and financial information of clients kept by lawyers and law firms requires reasonable care in the communication and storage of such information. A lawyer or law firm complies with paragraph (d) if they have acted reasonably to safeguard client information by employing appropriate data protection measures for any devices used to communicate or store client confidential information.

To comply with this Rule, a lawyer does not need to have all the required technology competencies. The lawyer can and more likely must turn to the expertise of staff or an outside technology professional. Because threats and technology both change, lawyers should periodically review both and enhance their security as needed; steps that are reasonable measures when adopted may become outdated as well.

2

[21] Because of evolving technology, and associated evolving risks, law firms should keep abreast on an ongoing basis of reasonable methods for protecting client confidential information, addressing such practices as:

(a) Periodic staff security training and evaluation programs, including precautions and procedures regarding data security;

(b) Policies to address departing employee’s future access to confidential firm data and return of electronically stored confidential data;

(c) Procedures addressing security measures for access of third parties to stored information;

(d) Procedures for both the backup and storage of firm data and steps to securely erase or wipe electronic data from computing devices before they are transferred, sold, or reused;

(e) The use of strong passwords or other authentication measures to log on to their network, and the security of password and authentication measures; and(f) The use of hardware and/or software measures to prevent, detect and respond to malicious software and activity.

What these comments indicate is that lawyers now have a duty to stay abreast of evolving technology, particularly as it relates to the protection of client information. While the ability to remotely access data may be a boon and eliminate the need to be physically present in the office, it also means that others could theoretically access that same data without permission.This presentation, though perhaps exhausting, is by no means exhaustive. It is designed to help identify some major areas in which evolving technology can improve your practice, and to highlight the risks associated therewith. However, before any of the technologies discussed is adopted, further research must be done to ensure that it is a good fit for your practice while also keeping confidential information confidential.According to the ABA’s 2016 Legal Technology Survey, 26% of law firms with 500 or more attorneys admitted to experiencing some type of data breach. While only 2% of these breaches resulted in the loss of client data, 37% caused business downtime and a loss of billable hours, and 28% resulted in significant costs for correcting/remediating the breach. These figures underscore the importance of adopting measures to protect data security.

A. ELECTRONICALLY STORED INFORMATION

Not every litigated case involves e-discovery, and those that due involve varying levels of complexity. The chances are significant that some or all of the relevant parties have used email or other electronic communication, stored information digitally (whether local to their computer or online), and/or has other forms of ESI related to the dispute. Accordingly, we start with the

3

premise that “competent” handling of e-discovery has many dimensions, depending upon the complexity of e-discovery in a particular case.

A complete discussion of the identification and handling of ESI is the subject of a multi-day CLE. However, for our purposes we note that the ethical duty of competence requires an attorney to assess at the outset of each case what electronic discovery issues might arise during the litigation, including the likelihood that e-discovery will or should be sought by either side. Required in federal court, it is a good idea in state court too.

If e-discovery will probably be sought, the duty of competence requires an attorney to assess his or her own e-discovery skills and resources as part of the attorney’s duty to provide the client with competent representation. If an attorney lacks such skills and/or resources, the attorney must try to acquire sufficient learning and skill, or associate or consult with someone with expertise to assist.

Attorneys handling e-discovery should be able to perform (either by themselves or in association with competent co-counsel or expert consultants) the following:

implement/cause to implement appropriate ESI preservation procedures (sometimes called a “litigation hold”)

analyze and understand a client’s ESI systems and storage; advise the client on available options for collection and preservation of ESI; identify custodians of potentially relevant ESI; engage in competent and meaningful meet and confer with opposing counsel concerning

an e-discovery plan; perform data searches; collect responsive ESI in a manner that preserves the integrity of that ESI; and produce responsive non-privileged ESI in a recognized and appropriate manner.

The failure to do these things will almost certainly have dire consequences for your case and your client. In Roadrunner Transportation Services, Inc. v. Tarwater, 642 Fed. Appx. 759 (9th Cir. 2016), the Ninth Circuit approved entry of default judgment based upon an order imposing a terminating sanction for spoliation.

During the case, Plaintiff accused Defendant of deleting data from his laptop computers despite Plaintiff’s prior numerous demands that Defendant preserve the information. A forensic computer expert testified that files on Defendant’s laptop were deleted and overwritten. The District Court found that Defendant’s conduct was willful and purposeful, ordered terminating sanctions, and entered default judgment against Defendant. The court also awarded attorney fees to Plaintiff. The Ninth Circuit determined that there was “ample evidence” that Defendant had deleted emails and files on his laptops after his duty to preserve arose and after having received multiple preservation demands from Plaintiff. The Ninth Circuit affirmed the District Court’s decision, holding that the District Court did not clearly err in finding willful destruction of the data and in finding that Plaintiff was deprived of its primary evidence. The District Court also

4

did not err in finding that a less drastic sanction would have been sufficient. The Ninth Circuit also affirmed the award of attorneys’ fees in Plaintiff’s favor.

Things went even worse for the Defendant in Victor Stanley, Inc. v. Creative Pipe, Inc., et al., 269 F.R.D. 497 (D.MD., 2010). The opinion is useful for the Court’s extensive analysis of the law on electronically-stored information (ESI) spoliation claims and related sanctions. Because of the defendant’s particularly bad behavior, the Court rendered a default judgment, an injunction, payment of plaintiff’s legal fees & costs, and the possibility of jail time for civil contempt of court.

Beyond getting your client in trouble, failing to understand the extent and importance of ESI could also land you in some ethical trouble. See, e.g., Pension Committee of the University of Montreal Pension Plan v. Banc of America Securities, LLC (S.D.N.Y. 2010) 685 F.Supp.2d 456, 462 – 465 (defining gross negligence in the preservation of ESI), (abrogated on other grounds in Chin v. Port Authority 685 F.3d 135 (2nd Cir. 2012) (failure to institute litigation hold did not constitute gross negligence per se)). A court order that counsel’s conduct during discovery was “negligent” is likely to attract the attention of both the bar and your malpractice carrier.

B. CLOUD COMPUTING

What is “cloud computing”? A massive oversimplification would define cloud computing as any data or processing that is not physically located on your laptop or tablet. Cloud computing includes a number of services/programs that you may already use, including:

Web-based email, like Gmail, Hotmail, and Outlook online Online file storage, such as Dropbox, Google Docs, or Microsoft OneDrive Online software (technically software-as-a-service, or SaaS), such as Microsoft Office

365

For lawyers, “cloud computing” may be desirable because it can provide costs savings and increased efficiency in handling voluminous data. Better still, cloud service is elastic, and users can have as much or as little of a service as they want at any given time. The service is sold on demand, typically by the minute, hour or other increment. Thus, for example, with “cloud computing,” an attorney can simplify document management and control costs.

Advantages of cloud-based practice management:

Instant access. The cloud delivers the software as a service (SaaS) which means it can be turned on and off instantly with a subscription or cancellation. This is akin to renting software, the same way a firm might rent or lease office space.

IT experience not required. Cloud practice management tools are web-based, so there is no need for an experienced IT professional to set up and install the software.

Scalability. A key factor in choosing practice management tools, particularly for growing law firms, is to select a software product that will scale as the firm grows. On a cloud platform, adding additional users is as easy as turning the software on initially.

5

Automatic upgrades. Maintenance updates and product upgrades happen automatically; most cloud providers push these updates outside of working hours. Save for feature or usability enhancements, most users won’t even notice the update occurred, which avoids disruption.

Data protection. Cloud tools generally back up data automatically but it’s usually advisable to check the terms and conditions.

Device agnostic. The cloud is accessed through a web browser, so it does not matter if you have a preference among operating systems or among a PC, a laptop or tablet.

Predictable cost. Cloud tools are commonly sold on a monthly subscription model, which means law firms can forecast and budget costs with accuracy. Some cloud tools offer discounts to law firms that choose to subscribe on an annual basis.

Disadvantages of cloud-based practice management:

Less control. Cloud products tend to be configurable as opposed to customizable. Premise products, with 20 years of development behind them, often offer greater functionality and an ability to customize the software around established law firm processes.

Internet access a must. Generally it’s impossible to work “offline” on cloud tools. If the internet goes down, or a legal professional physically moves beyond an access point, the data and applications stored in the cloud are usually not accessible.

Limited integrations. While cloud tools are maturing, and more general business tools are becoming cloud-friendly, most cloud tools are challenged to integrate other software programs.

Service stops when payment stops. Since cloud-based practice management tools are delivered as a service, access to use those tools ends if a law firm cancels the subscription. Here again, it is important to check the terms and conditions of any provider chosen to see what conditions apply for retaining and moving data.

Because “cloud computing” refers to “offsite” storage of client data, much of the control over that data and its security is left with the service provider. Data may be stored in other jurisdictions that have different laws and procedures concerning access to or destruction of electronic data. Lawyers using cloud services must therefore be aware of potential risks and take appropriate precautions to prevent compromising client confidentiality (see two-factor authentication, below). They must also assure that the jurisdictions in which the data are physical stored do not have laws or rules that would permit a breach of confidentiality in violation of the Rules of Professional Conduct.

The Virginia State Bar has already addressed a number of the issues raised by cloud computing even before the revisions to Rules 1.1 and 1.6. In LEO 1872 (2013), the VSB

A lawyer must always act competently to protect the confidentiality of clients’ information, regardless of how that information is stored/transmitted, but this task may be more difficult when the information is being transmitted and/or stored electronically through third-party software and storage providers. The lawyer is not required, of course, to absolutely guarantee that a breach of confidentiality

6

cannot occur when using an outside service provider. Rule 1.6 only requires the lawyer to act with reasonable care to protect information relating to the representation of a client.

When a lawyer is using cloud computing or any other technology that involves the use of a third party for the storage or transmission of data, the lawyer must follow Rule 1.6(b)(6) and exercise care in the selection of the vendor, have a reasonable expectation that the vendor will keep the data confidential and inaccessible by others, and instruct the vendor to preserve the confidentiality of the information. The lawyer will have to examine the third party provider’s use of technology and terms of service in order to know whether it adequately safeguards client information, and if the lawyer is not able to make this assessment on her own, she will have to consult with someone qualified to make that determination.

The Pennsylvania State Bar has gone into more depth, and provided a useful checklist for attorneys to follow when selecting a vendor/service to ensure that they are using reasonable care in their cloud computing. Attorneys should check to determine that the vendor/service has systems in place for:

Backing up data to allow the firm to restore data that has been lost, corrupted, or accidentally deleted;

Installing a firewall to limit access to the firm’s network; Limiting information that is provided to others to what is required, needed, or requested; Avoiding inadvertent disclosure of information; Verifying the identity of individuals to whom the attorney provides confidential

information; Refusing to disclose confidential information to unauthorized individuals (including

family members and friends) without client permission; Protecting electronic records containing confidential data, including backups, by

encrypting the confidential data; Implementing electronic audit trail procedures to monitor who is accessing the data; Creating plans to address security breaches, including the identification of persons to be

notified about any known or suspected security breach involving confidential data; Ensuring the provider:

• explicitly agrees that it has no ownership or security interest in the data;• has an enforceable obligation to preserve security;• will notify the lawyer if requested to produce data to a third party, and provide the

lawyer with the ability to respond to the request before the provider produces the requested information;

• has technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing;

• includes in its “Terms of Service” or “Service Level Agreement” an agreement about how confidential client information will be handled;

• provides the firm with right to audit the provider’s security procedures and to obtain copies of any security audits performed;

7

• will host the firm’s data only within a specified geographic area. If by agreement, the data are hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and Pennsylvania;

• provides a method of retrieving data if the lawyer terminates use of the SaaS product, the SaaS vendor goes out of business, or the service otherwise has a break in continuity; and,

• provides the ability for the law firm to get data “off” of the vendor’s or third party data hosting company’s servers for the firm’s own use or in-house backup offline.

Investigating the provider’s:• security measures, policies and recovery methods;• system for backing up data;• security of data centers and whether the storage is in multiple centers;• safeguards against disasters, including different server locations;• history, including how long the provider has been in business;• funding and stability;• policies for data retrieval upon termination of the relationship and any• related charges; and,• process to comply with data that is subject to a litigation hold.

Determining whether: data is in non-proprietary format; the Service Level Agreement clearly states that the attorney owns the

data; there is a 3rd party audit of security; and, there is an uptime guarantee and whether failure results in service

credits. Employees of the firm who use the SaaS must receive training on and are required to

abide by all end-user security measures, including, but not limited to, the creation of strong passwords and the regular replacement of passwords.

Protecting the ability to represent the client reliably by ensuring that a copy of digital data is stored onsite.

Having an alternate way to connect to the internet, since cloud service is accessed through the internet.

Pennsylvania Bar Association, Formal Opinion 2011-200

It is unlikely that any single provider will be able to check all of these boxes. Nor would it be expected that you would delve in-depth into every potential vendor with respect to every item on this list. This is where the use of a good consultant will pay dividends. It is likely for this reason that Comment 20 to Rule 1.6 specifically references the use of an IT consultant/professional.

C. DATA SECURITY

8

Once (or if) you have some method of cloud computing in place, how do you “act reasonably to safeguard information protected under this Rule against unauthorized access by third parties”? A complete answer to this question would require days, but in addition to choosing a quality provider, you can maximize the chance that only you and your staff can access the data, and that your staff will only access the data for its intended purpose.

a. Two-factor authentication

Two-factor authentication is any combination of authentication mechanisms designed to ensure that the person accessing the data is who they claim to be. Perhaps without knowing it, each of us already uses two-factor authentication in a variety of ways. For instance, using an ATM requires the use of a physical bank card and a unique pin number. Entering the country now requires that one possess a passport which matches the biometrics on file (usually a fingerprint).

When it comes to internet security, the most common forms of two-factor authentication are (1) a unique password coupled with (2) either a SecurID token or mobile phone authentication. The former is usually a physical device that must be carried around. It generates a random string of characters which is constantly changing, and which is verified by the server when entered.

Most of you are probably more familiar with the latter, the mobile phone authentication. Following the entry of your password, a special one-time code is sent to you by SMS/text message, and must be entered within a relatively short period of time.

Whatever method is chosen, everyone should strongly consider adopting some form of multi-factor authentication. While by no means fool-proof, it does significantly decrease the risk of being hacked, because your password alone is no longer sufficient for access.

b. Staff Training and Access

There is no clear guidance as to how an attorney should ensure that staff is appropriately trained when it comes to access to electronic data. LEO 1872 addresses the issue, but other than referring to Rules 5.1 and 5.3, it provides only that:

a partner or other managing lawyer in a firm always has the same responsibility to take reasonable steps to supervise subordinate lawyers and nonlawyer assistants, but the meaning of “reasonable” steps may vary depending upon the structure of the law firm and its practice. Additional measures may be necessary to supervise staff who are not physically present where the lawyer works.

Unfortunately, there do not appear to be any third party training services designed to inform law firm staff on the proper way to access and handle sensitive or confidential electronic information. For instance, if you allow your paralegal to work remotely, can they access client files using a public WiFi network (e.g. while at Starbucks)? Can they take those files home with them on a physical medium (CD, thumb drive) which can be lost or stolen?

At this point, the best advice is to train (and require) staff to take all of the same steps you currently take (or will take, after this presentation) to protect client files. If you need a little more

9

back-up, check out Sensei Enterprises, run by our very own Sharon Nelson. Though aimed more at attorneys, their seminars may be adaptable to staff.

D. EMAIL ENCRYPTION

Of the states which have addressed the issue, none have determined that the use of unencrypted email is necessarily a violation of professional ethics. The ABA has issued an opinion on the topic, but its guidance is limited to disclosing the risks of transmitting sensitive information by email:

A lawyer sending or receiving substantive communications with a client via e-mail or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or e-mail account, where there is a significant risk that a third party may gain access…

ABA Formal Opinion 11-459.

As far back as 2000, the Massachusetts Committee on Professional Ethics determined that a lawyer's use of unencrypted Internet e-mail to engage in confidential communications with a client does not violate Massachusetts’ rule on confidentiality:

[i]t is the Committee's opinion that the use of unencrypted Internet e-mail for the purpose of transmitting confidential or privileged client communications does not, in most instances, constitute a violation of any applicable ethical rule, including Rule 1.6. The Committee reaches this conclusion primarily because it believes that both the lawyer and the client typically have a reasonable expectation that such communications will remain legally and effectively private. See, e.g., 18 U.S.C.A. 2510, et seq. (the "Electronic Communications Privacy Act"). The technological possibility that a privileged or confidential e-mail communication could be intercepted in disregard of federal law does not diminish that expectation. Other standard forms of communication, including the telephone and the United States mail, also carry with them some risk of interception. Legal prohibitions on the interception of private telephone calls and letters, however, generally provide protection against unauthorized disclosure sufficient to make those means of communication reasonably secure for purposes of Rule 1.6(a). The Committee believes that, in light of statutes such as the Electronic Communications Privacy Act, the same reasoning now applies to unencrypted Internet e-mail.

Massachusetts State Bar, Committee on Professional Ethics Opinion 00-01.As with everything else discussed today, the use of email encryption presents a balancing test. While not required in every day communication, it probably makes sense if you are transmitting particularly sensitive information, including anything which contains a social security number.While more sophisticated, enterprise encrypted email is available, you can actually encrypt email on a case-by-case basis using Outlook 2016:

1) Open a new message, then click File > Properties.

10

2) Click “Security Settings,” and then select the Encrypt message contents and attachments check box.

3) Compose the message, including attaching any files, and then click Send.

If you run an older version:1) In the message that you're composing, on the Options tab, in the More Options group,

click the dialog box launcher Dialog Box Launcher in the lower-right corner. 2) Click “Security Settings”, and then select the Encrypt message contents and attachments

check box. 3) Compose your message, and then click Send.

If you don’t already have a Digital ID, you will be prompted to obtain one, which you can then provide to the recipient by a separate communication. Though the process can be time-consuming, it probably makes sense for particularly sensitive information.

II. USING TECHNOLOGY TO WIN (OR NOT LOSE) CASES

A. Social Media Generally It is ubiquitous - Facebook has 1.31 billion monthly users, averaging 30 hours per week, while LinkedIn has 106 million monthly active users and Twitter has 313 million monthly active users.

That means that approximately 6,000 tweets per second are sent (over 350,000 tweets per minute, 500 million tweets per day, and 200 billion tweets per year). Instagram has 600 million monthly active users, and 300 million daily active users.

By its nature, social media is not private, and the privacy policies of most social media services state that they do not guarantee privacy of posted content and metadata. Twitter practically advertises that fact, stating “What you say on Twitter may be viewed all around the world instantly.”

B. General Legal Principles a. A party has a duty to preserve evidence when it knows, or should have known,

that the evidence may be relevant to anticipated litigation. Silvestri v. GMC, 271 F.3d 583, 591 (4th Cir. 2001). The duty to preserve evidence "includes an obligation to identify, locate, and maintain, information that is relevant to specific, predictable, and identifiable litigation." Victor Stanley, Inc. v. Creative Pipe, Inc., 269 F.R.D. 497, 522 (D. Md. 2010). At the absolute latest, the duty is triggered when a claimant informs the defendant of a potential claim. See, e.g., Sampson v. City of Cambridge, 251 F.R.D. 172, 181 (D. Md. 2008).

b. Social media is discoverable, and there is no right of privacy or established privilege which completely immunizes social media account holders' private electronic information from discovery. See e.g., Potts v. Dollar Tree Stores, Inc., 2013 U.S. Dist. LEXIS 38795, 2013 WL 1176504, at * 3 (M.D. Tenn. 2013); Howell v. Buckeye Ranch, Inc., 2012 U.S.

11

Dist. LEXIS 141368, 2012 WL 5265170, at * 1 (S.D. Oh. 2012); Davenport v. State Farm Mutual Automobile Insurance Company, 2012 U.S. Dist. LEXIS 20944, 2012 WL 555759, at * 1 (M.D. Fla. 2012); Tompkins v. Detroit Metropolitan Airport, 278 F.R.D. 387, 388 (E.D. Mich. 2012) (material published on private Facebook page “is generally not privileged, nor is it protected by common law or civil notions of privacy."); Patterson v. Turner Constr. Co., 88 A.D.3d 617, 931 N.Y.S.2d 311, 312 (N.Y. App. 2011) (holding that the "postings on plaintiff's online Facebook account, if relevant, are not shielded from discovery merely because plaintiff used the service's privacy settings to restrict access"); Romano v. Steelcase, Inc., 30 Misc. 3d 426, 907 N.Y.S.2d 650, 656 (N.Y. Sup. Ct. 2010) (Facebook itself does not guarantee privacy); Mailhoit v. Home Depot U.S.A., Inc., 285 F.R.D. 566, 570 (C.D. Cal. 2012) (indicating that social networking site content is neither privileged nor protected, but recognizing that party requesting discovery must make a threshold showing that such discovery is reasonably calculated to lead to admissible evidence); Reid v. Ingerman Smith LLP, No. CV2012-0307(ILG)(MDG), 2012 U.S. Dist. LEXIS 182439, 2012 WL 6720752, at *2 (E.D.N.Y. Dec. 27, 2012) (no expectation of privacy even if plaintiff uses most extreme privacy settings available on Facebook); U.S. v. Meregildo, 883 F. Supp. 2d 523, 2012 WL 3264501, at *2 (S.D.N.Y. 2012) (Facebook user "had no justifiable expectation that h[er] 'friends' would keep h[er] profile private. . . . ".); U.S. v. Lifshitz, 369 F.3d 173, 190 (2d Cir. 2004) (contrasting privacy expectation of e-mail with greater expectation of privacy of materials located on a person's computer); Nucci v. Target Corp., 40 Fla. L. Weekly 166 (Dist. Ct. App. 2015) (enforcing trial court order compelling discovery of photos from Facebook account); Federico v. Lincoln Military Hous., LLC, 2014 U.S. Dist. LEXIS 178943 (E.D. Va. Dec. 31, 2014); In re White Tail Oilfield Servs., 2012 U.S. Dist. LEXIS 146321, 1, 2012 WL 4857777 (E.D. La. Oct. 11, 2012); EEOC v. Simply Storage Mgmt., 270 F.R.D. 430, 435 (S.D. Ind. 2010) (ordering EEOC to produce portions of plaintiff’s Facebook and MySpace content because “[i]t is reasonable to expect severe emotional or mental injury to manifest itself in some [social networking service] content, and an examination of that content might reveal whether onset occurred, when, and the degree of distress.”).

c. Generally, a factual predicate for discovery of social media is necessary. See, e.g., Brogan v. Rosenn, Jenkins & Greenwald, LLP, 28 Pa. D. & C.5th 553, 565 (C.P. 2013); Hoy v. Holmes, 107 Schuylkill L. Rev. 19, 23 (2013) ("We agree that a factual predicate has to be shown by the party seeking discovery for non-public information posted on social media.”); Simms v. Lewis, 2012 WL 6755098, at * 2 (Indiana Co. 2012) ("[b]ased upon the information contained in a post visible on her public page, it is reasonable to infer that the non-public portion of plaintiff's account may contain additional relevant evidence."); Trail v. Lesko, 2012 Pa. Dist. & Cnty. Dec. LEXIS 194, 2012 WL 2864004, at * 7 (Alleg. Co. 2012) (information contained in the publicly available portions of a user's profile should form a basis for further discovery); Zimmerman v. Weis Markets, Inc., 2011 Pa. Dist. & Cnty. Dec. LEXIS 187, 2011 WL 2065410, at * 4 (Northumberland Co. 2011) (“[b]ased on a review of the publicly accessible portions of his Facebook and MySpace accounts, there is a reasonable likelihood of additional relevant and material information on the non-public portions of these sites.”); McMillen v. Hummingbird

12

Speedway, Inc., 2010 Pa. Dist. & Cnty. Dec. LEXIS 270, 2010 WL 4403285, at * 4 (Jefferson Co. 2010) (Review of plaintiff’s public Facebook page suggested private posts contained discoverable information).; Keller v. Nat'l Farmers Union Prop. & Cas., 2013 U.S. Dist. LEXIS 452, 2013 WL 27731 (D. Mont. Jan. 2, 2013) (holding defendant could not delve “carte blanche” into plaintiff’s social media accounts without threshold showing that content undermined plaintiffs’ claims in the case); McCann v. Harleysville Ins. Co. of N.Y., 78 A.D.3d 1524, 1524 (N.Y. App. Div. 2010) (holding Facebook account outside scope of discovery where defendant failed to establish factual predicate “with respect to the relevancy of the evidence”); Kregg v. Maldonado, 98 A.D.3d 1289, 1290 (N.Y. App. Div. 2012) (denying discovery of Facebook account, holding “the proper means by which to obtain disclosure of any relevant information contained in the social media accounts is a narrowly-tailored discovery request seeking only that social-media-based information that relates to the claimed injuries arising from the accident.”); Higgins v. Koch Dev. Corp., 2013 U.S. Dist. LEXIS 94139, 9, 2013 WL 3366278 (S.D. Ind. July 5, 2013) (granting discovery of Facebook account from date of injury until date of plaintiff’s deposition specifically regarding the injuries incurred, “employment activities, outdoor activities, and enjoyment of life reasonably related to those injuries and their effects”).

C. Discovery of Social Media in State Court a. Informal Discovery

i. General points 1. Search for parties online. 2. Review publicly-available information, i.e., posts, photos, and other content that can be

viewed without “friending” the party.3. Non-public information, i.e., content that is protected by the privacy settings, is not available

for informal discovery.4. Public information, i.e., content that is viewable by the general public because the privacy

settings are not activated, is fair game.

ii. Womack v. Yeoman , 83 Va. Cir. 401 (Richmond 2011) 1. Facts : Defense counsel accessed plaintiff’s publicly-available Facebook account through

informal discovery and sought to use certain photos as exhibits. Plaintiff objected on privacy grounds.

2. Issue : Whether plaintiff’s publicly-available Facebook account is shielded from informal discovery.

3. Holding : No, plaintiff’s Facebook account was publicly available and therefore, defendant permitted to access and use its contents as exhibits.

4. Analysis a. Online searches of public websites does not violate privacy rights.b. “Simply entering a name into Google, Facebook, MySpace, or any other social

networking website, … does not constitute a violation of anyone’s privacy rights. The

13

public information posted on the internet is not private information. It is posted on a public medium, and available to anyone with access to the internet.”

c. Information available to the public, i.e., without “friending” the party to overcome their privacy settings, is permissible informal discovery.

d. “There are ways to secure ‘non-public’ data and information on social networking sites [via privacy settings]. Instead, the social media pages were ‘public’ when the defendant's counsel conducted her internet search.”

b. Formal Discoveryi. Rule 4:9 - Request for Production

1. Produce in native format a complete copy of any and all of your social networking websites, including but not limited to Facebook, Twitter, Instagram, blogs, etc. to which you have posted any Content from the date of the accident to the present. “Content” is defined as posts, messages, chat logs, email, written statements, and/or photographs, whether public or private, pertaining to the accident, your injuries, or your physical activities since the accident.

ii. Rule 4:9A – Subpoena Duces Tecum 1. The Stored Communication Act, 18 U.S.C. §2701 forbids providers “from disclosing the

contents of an account to any non-governmental entity pursuant to a subpoena or court order.”

a. The “SCA prevents 'providers' of communication services from divulging private communications to certain entities and/or individuals.” Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892, 900 (9th Cir. 2008), rev'd on other grounds by City of Ontario, Cal. v. Quon, 560 U.S. 746, 130 S. Ct. 2619, 177 L. Ed. 2d 216 (2010) (citation omitted); see also Crispin v. Audigier, 2010 WL 229328 (C.D. Cal. May 26, 2010); Crispin v. Christian Audigier, Inc., 717 F. Supp. 2d 965, 991 (C.D. Cal. 2010) (holding Facebook and MySpace messages not publicly available are protected information under the SCA).

b. https://www.facebook.com/help/133221086752707 c. Even if you serve Facebook with a subpoena duces tecum to produce the content of

accounts, it will refuse to honor it.2. Subpoenas to third party end-users are valid.

a. The SCA does not preclude discovery of a party’s electronically stored communications remaining within the party’s control. See, e.g., Flagg v. City of Detroit, 252 F.R.D. 346, 349 (E.D. Mich. 2008).

iii. Subscriber information 1. Facebook will produce subscriber information, i.e. user identification number, email address,

date and time stamp of account creation date, most recent log-ins, registered mobile number, and verification of whether publicly viewable.

14

2. If you need to subpoena subscriber information, you need to serve a California or federal subpoena on Facebook. Subpoenas from cases pending outside of California must be domesticated. See California Code of Civil Procedure § 2029.300.

a. Facebook’s registered agent is: Custodian of Records, Facebook, Inc. c/o Corporation Services Company 2730 Gateway Oaks Drive, Suite100, Sacramento CA 95833.

b. Facebook’s registered agent in Virginia is: Corporation Service Company, Bank of America Center, 16th Floor, 1111 East Main Street, Richmond, Virginia 23219.

iv. Take on Facebook in Virginia?1. Yelp, Inc. v. Hadeed Carpet , 62 Va. App. 678 (2014)

a. In a defamation case, the circuit court clerk issued a subpoena duces tecum to Yelp, Inc., to identify anonymous commenters on its website.

b. The circuit court sanctioned Yelp, Inc., for its failure to comply with the subpoena.c. On appeal, the Court affirmed, holding (a) Virginia Code § 8.01-407.1 permitted

“unmasking” of anonymous Internet commenters, and (b) Rule 4:9A and Virginia Code §§ 8.01-301 and 13.1-766 permitted service of a subpoena duces tecum on a foreign corporation’s registered agent in Virginia.

d. The case is currently pending before the Supreme Court of Virginia on the question of whether “a Virginia trial court may assert subpoena jurisdiction over a non-party California company, to produce documents located in California, just because the company has a registered agent in Virginia.”

c. Motion to Compeli. James v. Edwards , 85 Va. Cir. 139 (Greensville County 2012)

1. Facts : Motor vehicle accident. plaintiff alleged severe injuries. Photos on plaintiff’s publicly-available Facebook page depicted binge drinking, partying, and other post-accident shenanigans. Defense counsel moved to compel plaintiff’s Facebook user name and password, along with complete copies of the contents of the Facebook account.

2. Issue : Whether the entire contents of plaintiff’s Facebook account, including his username and password, was discoverable.

3. Holding : defendant permitted to access to plaintiff’s Facebook account under supervision of plaintiff’s counsel. However, plaintiff not required to disclose entire contents of account or its log-in information.

4. Analysis :a. Scope of discovery is “any matter, not privileged, which is relevant to the subject

matter involved in the pending action … if the information sought appears reasonably calculated to lead to the discovery of admissible evidence.” Va. Sup. Ct. R. 4:1(b)(1).

b. plaintiff’s Facebook account was subject to discovery.c. Facebook’s privacy policies dispel any reasonable expectation of privacy.d. plaintiff put his mental and physical state at issue by filing the personal injury

lawsuit.

15

e. defendant met threshold showing that information on the Facebook account was likely to lead to discoverable evidence; however, defendant was denied unlimited access to Facebook account.

f. Court ordered plaintiff to provide username and password to his attorney, and to delete nothing.

g. plaintiff’s counsel was instructed to make arrangements with Defense counsel to meet to review all portions of plaintiff’s Facebook account from date of the accident to present, and to produce printed copies of any pertinent web pages.

h. defendant was not permitted to be present during review.

D. Discovery of Social Media in Federal Court a. Formal Discovery

i. Request for Production 1. Fed. R. Civ. P. 34(a)(1)(A)

a. “A party may serve on any other party a request … to produce and permit the requesting party or its representative to inspect, copy, … any designated documents or electronically stored information, including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations … .”

2. Fed. R. Civ. P. 34(b)(2)(E)a. “A party must produce documents as they are kept in the usual course of business or

must organize and label them to correspond to the categories in the request; …”b. “If a request does not specify a form for producing electronically stored information,

a party must produce it in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms; …” and,

c. “A party need not produce the same electronically stored information in more than one form.”

3. Fed. R. Civ. P. 37(e) (“Lost Data”)a. “Absent exceptional circumstances, a court may not impose sanctions under these

rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.”

i. But see Hosch v. BAE Sys. Info. Solutions, Inc., 2014 U.S. Dist. LEXIS 57574 (E.D. Va. Apr. 24, 2014) (dismissing employment retaliation case with prejudice where the plaintiff permanently deleted all data on an iPhone and a Blackberry after a Court Order and two days before turning them over for examination); Taylor v. Mitre Corp., 2013 U.S. Dist. LEXIS 19550, (E.D. Va. Feb. 13, 2013) (dismissing claims where the plaintiff smashed a work computer with a sledge hammer and ran specialized programs to delete information on his laptop in direct response to an Order to surrender the laptop).ii. Subpoena Duces Tecum

1. Fed. R. Civ. P. 45(e)

16

a. “A person responding to a subpoena to produce documents must produce them as they are kept in the usual course of business or must organize and label them to correspond to the categories in the demand; …”

b. “If a subpoena does not specify a form for producing electronically stored information, the person responding must produce it in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms; …” and,

c. “The person responding need not produce the same electronically stored information in more than one form.”

2. In re Subpoena Duces Tecum to AOL, LLC, 550 F. Supp. 2d 606 (E.D.Va. 2008)a. Facts : State Farm issued subpoena duces tecum to AOL seeking private emails of two

adjusters in a pending lawsuit. Adjusters intervened and moved to quash.b. Issue : Whether the Electronic Privacy Communications Act (18 U.S.C. § 2700 et

seq.) prohibited AOL’s disclosure of the adjusters’ email messages to a private party in response to a civil discovery subpoena.

c. Holding : Yes. Court granted motion to quash subpoena.d. Analysis :

i. The Electronic Privacy Communications Act (ECPA) prohibits an electronic communication or remote computing service to the public from knowingly divulging to any person or entity the contents of customers' electronic communications or records pertaining to subscribing customers. 18 U.S.C. § 2702.

ii. The ECPA allows disclosure of electronic messages, inter alia, in ongoing criminal investigations to government entities.

iii. Courts have interpreted the ECPA to deny subpoenas duces tecum to electronic communication service providers and prohibit disclosing messages to private parties in pending civil lawsuits. See, e.g. Theofel v. Farey-Jones, 359 F.3d 1066, 1071-72, 1077 (9th Cir. 2004) (subpoena to Internet service provider for plaintiff’s email was “invalid”); Federal Trade Commission v. Netscape Communication Corp., 196 F.R.D. 559, 559, 561 (N.D. Cal. 2000) (denying motion to compel e-mail provider to disclose subscriber information in response to a subpoena).

b. Motion to Compeli. Federico v. Lincoln Military Hous., LLC, 2014 U.S. Dist. LEXIS 178943

(E.D. Va. Dec. 31, 2014)1. Facts : Personal injury claim for mold in military housing. Plaintiff families alleged severe

injuries following defendant’s failure to maintain their homes. Plaintiffs were active users of social media networks and posted on publicly available profiles, in addition to special interest pages, including “Families Affected by Military Housing Mold,” “the Truth About Lincoln Military Housing in Hampton Roads,” and “Victims of Toxic Mold.”

17

2. Defendant sought discovery of social media. Plaintiffs failed to produce. Defendant moved to compel. In response, plaintiff sought to shift production cost to defendant based on a quote from Sensei Enterprises to perform “email and social media recovery” from plaintiff’s computers, estimated to be $22,450.00. Court denied request for cost-shifting, granted order compelling discovery, and ordered self-directed search was sufficient.

a. Despite several weeks to perform self-search, plaintiffs failed to meet the deadline for various reasons. defendant moved for sanctions under Rule 37(a)

i. Monetary sanctions - Monetary sanctions “must” be granted “[i]f the [discovery] motion is granted - or if the disclosure or requested discovery is provided after the motion was filed,” except no sanctions shall be awarded if “movant filed the motion before attempting in good faith to obtain the motion,” “opposing party's nondisclosure, response, or objection was substantially justified,” or “other circumstances make an award of expenses injust.” Fed. R. Civ. P. 37(a)(5)(A).

ii. Spoliation – Inherent power of court to remedy destruction of irretrievably losing evidence, including dismissal, default judgment, preclusion of evidence, or imposition of adverse inference. Silvestri v. Gen. Motors Corp., 271 F.3d 583, 590 (4th Cir. 2001). Party must have had (a) control over evidence, (b) obligation to preserve, (c) destruction or loss accomplished by a culpable state of mind, (d) evidence was relevant to claim or defense of party seeking discovery. Goodman v. Praxair Svcs., Inc., 632 F. Supp. 2d 494, 509 (D. Md. 2009). Obligation extends pre-suit when party reasonably should know that the evidence may be relevant to anticipated litigation. Silvestri, 271 F.3d at 591. Party breaches duty when it fails to act reasonably to preserve the evidence. Id. at 590.

b. Court took sanctions motion under advisement. Plaintiffs paid an IT expert $29,000 to recover social media. Plaintiffs produced 5,000 pages of responsive social media one month later.

c. Defendant renewed motion for sanctions. 3. Held: Rule 37 applied because extensive production occurred after the initial Motion to

Compel and orders. The plaintiffs were “poorly instructed” and “dilatory” in their discovery efforts, but not culpable; thus, no spoliation. defendant’s request for dismissal was denied, but plaintiff was responsible for $29,000 cost to produce, plus attorneys’ fees.

E. Nitty Gritty: How to collect, preserve, and use social media evidencea. Collection Methods

i. Screen shots 1. Very basic starting point, but totally indefensible.

ii. Internal archive function 1. Starting place for social media collection. Was not conceived to be a forensic collection tool.

18

2. Misses lots of thingsa. Is a simple snapshot – no ongoing monitoringb. Often will not collect most available metadata informationc. Will not generate hash valuesd. Often will only provide content from the user’s own account and will not provide

content contributed by that user to others’ account, such as their “walls.” e. The only original timestamps that it preserves are in the HTML files which can easily

be modified.f. Some services have limited archive feature

i. Facebookii. Twitter

iii. Instagramg. Some services have no effective archive feature

i. LinkedInii. Websites (Blogger, Wordpress, and general websites)

h. How to use the archive featurei. Need access to the user’s credentials to log into the account.

i. When to use the archive featurei. Initial client intake

ii. Starting point for collection when you have credentials

iii. Forensic Collection Tools 1. The Gold Standard 2. Use an e-discovery service or buy software yourself3. Why should you use forensic collection tools?

a. Speed i. Collection (immediate and ongoing)

b. Searchingi. Search within collection tool or export to a searchable database (Concordance,

PST files, PDF)c. Anonymity

i. No email noticesii. No footprint whatsoever

d. Defensibilityi. Preserves MD5 hashing for authentication

ii. Prevents alteration with read only modeiii. Metadata fields are all collected and preserved

4. How do they work?a. Most use API functionality, but some use webcrawling

5. Semi-public/semi-private services (e.g., Facebook)a. Need login credentials

19

6. Public services (e.g., Twitter, Instagram, LinkedIn)a. Generally, DO NOT need login credentials

iv. Collection of Facebook profile information1. Public searches (no credentials)

a. Can get all the publicly available portions of someone’s profile, who has commented, what photos, what wall posts, etc. in a searchable format

b. Can search all of Facebook for keywordsi. E.g. a particular drug name or person of interest

2. Private searches (with credentials)a. Obtain everything

i. Every post, every IM, every photoii. Deleted items and edited items

iii. What others have postediv. Geo-location information

b. Silently follow the subjectc. Webcrawling

i. Tools will preserve entire pages that are linked toii. Can search for keywords both in posts/IMs/walls and on pages linked out to

v. Collection of Webpages (Blogger, Wordpress, general websites)1. Preserve an entire domain if desired2. Preserve everything linked to from a page3. Completely defensible

a. Maintain metadatab. Create hash valuesc. Read only

vi. Collection of Twitter and Instagram1. Connect directly through API2. Everything is public – no credentials needed

a. See their tweets, who is following them, what photos they havei. All without notifying them

3. Live Geo-streaminga. See who is tweeting from a given location (down to feet) at a given time

4. Monitoringa. Ongoing collection of a specific location or userb. Potential uses

i. Monitor the courthouse ii. Tweets from time and place of incident

iii. Domestic disputes

20

iv. Research on opposing parties

vii. Collection of LinkedIn1. Obtained via Webcrawling2. No credentials needed3. Obtain all information posted, all connections, all links

viii. Collection of Gmail and all types of IMAP email1. Need credentials 2. Forensic collection tools create a more defensible end product than relying upon PST files

provided either by the end-users themselves or their IT department3. Privilege issues if opposing party4. With credentials, can silently access account and minimize disruption for client, client

employees, etc.5. Get everything

a. All foldered datab. All sent filesc. All attachments with parent child relationships preserved

b. How do I get this stuff into evidence?i. Make plans in advance

1. “The inability to get evidence admitted because of a failure to authenticate it almost always is a self-inflicted injury which can be avoided by thoughtful advance preparation.” Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534, 536 (D. Md. 2007) (dismissing cross motions for summary judgments where parties failed to authenticate electronic evidence)

ii. The easy way 1. Stipulation2. 26(f) conference

a. Agree to a process for stipulating to the authenticity of e-mails each party produces during discovery to avoid unnecessary expense.

3. Requests for admissiona. Admit that the document attached hereto as Exhibit A is authentic, genuine, and a

true and correct copy of plaintiff’s Facebook wall.b. Admit that the plaintiff made the statements set forth in the document attached hereto

as Exhibit A.c. Admit that the document attached hereto as Exhibit A is admissible into evidence in

this matter.

iii. The hard way

21

1. Rule 901(a) establishes responsibility of the trial judge to make preliminary determinations regarding the admissibility of evidence.

a. Low bar -- A court need only be able to legitimately infer that a document is genuine to find it to be “authentic.” Questions concerning trustworthiness might go to the weight of the evidence.

2. Rule 901 (b) – ten nonexclusive examples of how to authenticate evidence3. Rule 104(b) – the "conditional relevance rule"

a. Applies during the authentication process when there is a dispute of fact regarding an exhibit’s authenticity. The party seeking to exclude the exhibit offers other evidence that the exhibit is not authentic. The trial judge cannot determine authentication as a preliminary matter under Rule 104(a) because there is a genuine dispute of fact that must be resolved before a final determination may be made.

b. Rule 104(b) allocates to the ultimate fact finder (jury or judge) the responsibility to resolve fact disputes

c. Courts consider evidence from all on a continuum. i. Clearly authentic evidence is admitted, clearly inauthentic evidence is

excluded, and everything in between is conditionally relevant and admitted for the jury to make its own conclusions

iv. Multiple ways to authenticate1. Rule 901(b)(1)--Someone with Personal Knowledge

a. If you are introducing a screen shot from a Facebook page, call as a witness the person who created and maintains the page, and ask the witness if she made or authorized the posting.

b. Use depositions or RFAs when possible to establish foundation ahead of time. 2. Rule 901(b)(3)--Use of an Expert or Comparison by the Fact Finder

a. A computer forensic expert can authenticate the maker of social media content. b. Cost issues

3. Rule 901(b)(3) a. Allows the fact finder to authenticate social media evidence when shown an example

of a posting that is known to have been made by the person that you contend authored the posting by comparing it to a posting of unknown authenticity.

b. Riskyi. Cannot predict juror reaction

ii. No feedback 4. Rule 901(b)(4)--Distinctive Circumstances or Characteristics

a. If it looks a duck…b. Inventory all the circumstances and characteristics that apply to the social media that

demonstrate, more likely than not, it was authored by the claimed authorc. Consider matters such as

i. Contentii. Whether the post replied to an earlier post

22

iii. Distinguishing language (abbreviations, slang, punctuation, use of emoticons, etc.)

iv. Nicknamesv. Content uniquely known by the claimed author

vi. Internet addressvii. Date

viii. Metadata identifiersd. RESEARCH FIRST –Find out what is or is not sufficient similarity or circumstances

to permit authentication by this method. 5. Rule 901(b)(9)--System or Process Producing Reliable Results

a. Requires a witness i. with personal knowledge under Rule 602 240 to explain how the social media

evidence was created; orii. who is an expert qualified under Rule 702.

b. Use deposition if witness not available. Rule 804(b)(1).6. Rule 902(5)--Official Publications

a. If the website or social media is government-sponsored7. Rule 902(6)--Newspapers and Periodicals

a. Traditional news media sources are increasingly going digital. i. Many programs and reporters have Twitter sites.

b. If accepted by the court, the newspaper or periodical posting is self-authenticated, eliminating the need for a sponsoring witness.

F. Practical Takeawaysa. Client intake

i. Get user account names and passwords during intake.ii. Instruct client to delete nothing.

1. Rule 3.4(a) prohibits unlawful obstruction of another’s access to evidence. See, e.g., Lester v. Allied Concrete Co., 80 Va. Cir. 454, 2010 Va. Cir. LEXIS 153 (Cir. Ct. 2010); aff’d in part and reversed in part by Allied Concrete Co. v. Lester, 285 Va. 295, 300, 736 S.E.2d 699, 701 (2013).

iii. Instruct client to either deactivate account (which, on Facebook, still preserves everything); or, as a far less desirable alternative, to ensure all privacy settings are activated.

b. Informal discoveryi. Search publicly-available information.

ii. Remember ethics1. No pretexts2. No fake accounts3. Do not connect with represented parties, jurors, or judges

c. Formal discovery

23

i. If you intend to use social media, produce with Rule 26(a)(1)(A)(ii) initial disclosures.

ii. Request social media via Rule 34(a)(1)iii. Inquire regarding social media in depositions and interrogatories.iv. Request the opportunity to perform self-search. It is simpler to review

social media, print relevant screen shots, etc., as Frederico would have allowed, than hire an IT expert.

d. How to resist production of social mediai. Violation of attorney-client privilege

ii. Violation of physician-patient privilegeiii. Failure to show factual predicate (a/k/a “fishing expedition”)iv. Lack of reasonable particularityv. Overly broad and unduly burdensome

vi. Make identical requests of the opposing partye. Collection

i. Minimum standard is internal archive featureii. Gold standard is forensic recovery with proprietary software or E-

discovery vendorf. Authentication

i. If you can’t agree or do it in advance, be ready to authenticate in multiple ways

APPENDIX

E. FURTHER READING

Virginia State Bar Legal Ethics Opinion 1872 (2013) : Virtual Law Office and Use of Executive Office Suites

Virginia State Bar Legal Ethics Opinion 1873 (2014) : Continued Use of Former Firm Name in URL After Firm Name has Changed

ABA Formal Opinion 11-459 : Duty to Protect the Confidentiality of E-mail Communications with One's Client

24

ABA Formal Opinion 462 : Judge's Use of Electronic Social Networking Media

ABA Formal Opinion 466 : Lawyer Reviewing Jurors' Internet Presence

Alaska Bar Association 2016-1 : May a Lawyer Surreptitiously Track Emails and Other Documents Sent to Opposing Counsel

California State Bar Ethics Opinion 2015-193 : ESI and Discovery Requests

California State Bar Ethics Opinion 2007-174 : Electronic Client Files

California State Bar Ethics Opinion 2010-179 : Confidentiality and Technology

California State Bar Ethics Opinion 2012-184 : Virtual Law Office

California State Bar Ethics Opinion 2015-193 : ESI and Discovery Requests:

Connecticut Informal Opinion 2013-07 : Cloud Computing

DC Bar Ethics Opinion 362 (2012) : Non-lawyer Ownership of Discovery Service Vendors

Delaware Ethics Opinion 2008-2 : Use of the designation "Super Lawyer" or "Best Lawyer" on a lawyer's website or in an email solicitation

Florida Bar Ethics Opinion 00-4 (2000) : Legal Services over the Internet

Florida Bar Ethics Opinion 12-3 (2013) : Cloud Computing

Maine Ethics Opinion 207 : The Ethics of Cloud Computing and Storage

Massachusetts Ethics Opinion 12-03 (2012) : Google docs and cloud computing

New Hampshire Ethics Opinion 2012-13/4 : The Use of Cloud Computing in the Practice of Law

New York City Bar Formal Opinion 2010-2 : Obtaining Evidence From Social Networking Websites

New York City Bar Formal Opinion 2014-2 : Use of Virtual Law Office by New York Attorneys

New York City Bar Formal Opinion 2015-3 : Lawyers Who Fall Victim to Internet Scams

New York State Bar Association Ethics Opinion 842 (2010) : Using an outside online storage provider to store client confidential information

New York State Bar Association Ethics Opinion 972 (2013) : Listing in Social Media

25

New York State Bar Association Ethics Opinion 1025 (2014) : Virtual law office; Advertising principal law office address

New York State Bar Association Ethics Opinion 1062 (2015) : Financing a law practice; crowdfunding websites

Oregon State Bar Formal Opinion 2005-164 : Communicating with Represented Persons: Contact Through Web Sites and the Internet

Oregon State Bar Formal Opinion 2011-187 : Competency: Disclosure of Metadata

Oregon State Bar Formal Opinion 2011-188 : Information Relating to the Representation of a Client: Third-Party Electronic Storage of Client Materials

Oregon State Bar Formal Opinion 2013-189 : Accessing Information about Third Parties Through a Social Networking Website

Pennsylvania Bar Association Ethics Opinion 2010-200 : Ethical Obligations on Maintaining a Virtual Office for the Practice of Law in Pennsylvania

Pennsylvania Bar Association Ethics Opinion 2011-200 : Ethical Obligations for Attorneys Using Cloud Computing / Software as a Service while Fulfilling the Duties of Confidentiality and Preservation of Client Property

Pennsylvania Bar Association Ethic s Opinion 2014-300 : Ethical Obligations for Attorneys Using Social Media

Texas Ethics Opinion 2015-02 (2015) : Social Media and Attorneys

Washington State Bar Ethics Opinion 2215 (2012) : Cloud Computing

26