Substantive IoT Data and Metadata and Their Relevance
Just like any other electronic information, data generated within the IoT are discoverable if relevant and not privileged. But how many lawyers and litigants right now are thinking about IoT information when they develop case strategy, create a discovery plan, or draft requests for production? As attorneys more routinely consider available IoT information, and incorporate that information into case strategy, we will experience the first wave of change in e-discovery.
For example, in a recent personal injury case reported in the media, the attorneys for a woman who suffered injuries in a car accident are using data obtained from her fitness tracking device to show that her levels of physical activity remain below normal. Parmy Olson, “Fitbit Data Now Being Used in the Courtroom,” Forbes (Nov. 16, 2014). Or consider an organization defending a claim by an employee that it failed to reasonably accommodate his alleged disability by giving him light-duty work. Surely the organization’s discovery should include requests for data from the employee’s fitness tracking device, which would provide information about his physical activities. All of this shows that such data can be used not only to support a litigant’s claims, but also to rebut claims. And as reported in the media, IoT evidence also can be introduced in connection with criminal investigations and prosecutions. See Myles Snyder, “Police: Woman’s Fitness Watch Disproved Rape Report,” ABC27.com (June 19, 2015).
In some cases, however, the substantive data collected by the IoT device is not what’s relevant; rather, litigants will seek to discover the device’s available metadata. Think about the Nest thermostat, a residential thermostat product that is connected to the Internet and maintains collected metadata as part of its operation. There may be legal disputes in which data about the homeowner’s heating and cooling settings are irrelevant, but metadata about the days and times the home was unoccupied could be crucial. Similarly, the content of a photo taken with an IoT device may not be relevant, but the geolocation metadata showing where the photo was taken could be significant.
New Kinds of Claims
Once litigants become more aware of IoT information and data, creative lawyers will use it to create new types of claims—or at least expand the scope of existing legal theories. Consider a company that permits employees (or customers) to wear Google Glass in its offices; that company now faces the risk of a breach of privacy claim by an employee whose actions were recorded without her knowledge. Or think of the smartphone that pushes coupons to shoppers in certain aisles of certain stores. Now imagine a consumer class action claim brought by persons who shop in a particular neighborhood and whose phones didn’t offer certain coupons, causing them to pay more for the items. Might these consumers have a claim that the provider of the coupons engaged in geographic or socioeconomic profiling and arguably race discrimination?
The theory of new IoT-based claims recently became reality when a group of plaintiffs sued automakers Toyota, Ford, and General Motors. Cahen v. Toyota Motor Corp., No. 3:15-cv-01104 (N.D. Cal. Mar. 10, 2015). In their proposed class action, the plaintiffs allege that the defendants sold unsafe cars because their Internet connectivity creates vulnerability to hackers, who could hypothetically take control of the cars’ breaking, acceleration, and steering. According to the complaint:
Defendants failed consumers . . . when they sold or leased vehicles that are susceptible to computer hacking and are therefore unsafe. Because Defendants failed to ensure the basic electronic security of their vehicles, anyone can hack into them, take control of the basic functions of the vehicle, and thereby endanger the safety of the driver and others.
Id. ¶ 3. This lawsuit raises many interesting issues at the intersection of IoT technology and the law. But perhaps most significantly from a legal perspective, the plaintiffs do not allege that any car’s computer actually has been hacked. The suit rests on the mere possibility that such hacks could take place. Is that enough to sustain legal claims? Could other plaintiffs succeed with allegations that personal health and fitness information generated by a Fitbit might fall into the wrong hands? Or that an Internet-connected pacemaker potentially could be hijacked and its wearer murdered?
This issue may be clarified somewhat by the Supreme Court next month, when it hears Spokeo, Inc. v. Robins, No. 13-1339 (U.S. Apr. 27, 2015). In Spokeo, the Court will hear an appeal from Robins v. Spokeo, Inc., 742 F.3d 409 (9th Cir. 2014), in which the U.S. Court of Appeals for the Ninth Circuit ruled that plaintiff Robins had Article III standing to assert a claim for violation of the Fair Credit Reporting Act by defendant Spokeo, for allegedly maintaining false information about him on Spokeo’s website, even though Robins alleged no actual injury or damages. The U.S. Supreme Court thus may decide whether a plaintiff who has not suffered any actual injury but can nevertheless simply prove a violation of a federal statute has standing to sue. If the Supreme Court answers in the affirmative, the repercussions for potential ligation about IoT threats could be quite broad, to the extent that standing to sue might arise merely from the failure of IoT devices to meet statutory or regulatory requirements for data security and privacy, without the prerequisite of any actual injury or damage.
Similarly, a recent standing decision from the Seventh Circuit potentially opens the door to more types of IoT litigation. In Remijas v. Neiman Marcus Group, LLC, No. 14-3122, 2015 WL 4394814 (7th Cir. July 20, 2015), a putative class of Neiman Marcus customers brought claims in the wake of a data breach that exposed their credit card information. Even though most plaintiffs could not show any actual injuries yet, the court ruled that they had standing to proceed because they demonstrated a “substantial risk” of future injuries caused by the data breach. Although data breaches have not yet hit the IoT industry, the data collected and stored by these devices could be hugely valuable to hackers. In jurisdictions adopting the Neiman Marcus standard, if litigants can show a substantial risk of future harm from an IoT device, they can at least survive a standing-based challenge to their theory for proceeding with their claims.
Unique Challenges Around Preserving and Collecting IoT Data
Once lawyers and parties realize the importance of IoT information and data, they face the challenges of preserving and collecting it, which arise in several ways.
First, to the extent IoT data resides on the device itself, preserving and collecting from the device may prove to be difficult. The tools used for legal and forensic collection don’t always evolve as fast as the newest devices, and even a very experienced, skilled e-discovery vendor may struggle to collect the information. Furthermore, as the security and encryption of IoT devices gets more advanced, “cracking” the devices if the owner/operator is not available to provide access becomes increasingly difficult. Also, if the IoT device is used as part of an enterprise “BYOD” program, the company may push different settings and software to the device that make it different from others and therefore more challenging to access. But even before data can be collected, it must be preserved. The typical end user of a device connected to the IoT likely will need substantial help to preserve its information in connection with a requisite litigation hold.
Second, most IoT devices do not actually store data, but gather and send data to be stored elsewhere—in the cloud, or on an enterprise server, for example. Establishing the storage location of the data, and then identifying and collecting data from a particular device (or group of devices) can be tricky. Also, in many instances, discovery will involve a third party that hosts the data. All the possession/custody/control issues associated with such arrangements in traditional discovery will come into play when litigants seek IoT information from third-party hosts.
Finally, IoT devices commonly send their individual data to be aggregated with data from many other users, typically in some type of structured database. Discovery of information from structured databases has always proved troublesome, and IoT databases will be no different.For an excellent treatment of the issues concerning database discovery, see Sedona Conference, Database Principles (2014).
Conclusion
The IoT undoubtedly will generate positive benefits for businesses and individuals. And these gadgets can be a lot of fun! But along with the fun comes the work of dealing with these devices, and the vast stores of data they create, in the context of discovery in an increasingly litigious society. Litigants, attorneys, and e-discovery professionals need to understand how this fast-changing IoT technology can impact virtually any legal dispute, and the courts will need to develop new ways to deal with disputes that involve such IoT technology.
Keywords: litigation, commercial, business, discovery, e-discovery, electronic discovery, Internet, Internet of Things, IoT