September 14, 2017

Social Media and Encrypted Data in Discovery

Ronald Hedges and Kristen B. Weil – November 15, 2016

The ever-expanding world of electronically stored information (ESI) poses a challenge to civil litigators who must stay abreast of new forms of social media and data encryption. The sources and volume of ESI have ballooned: “Every day, we create 2.5 quintillion bytes of data—so much that 90% of the data in the world today has been created in the last two years alone.” An increasing portion of that data comes from social-media networking sites. Litigators must know how to obtain this material in discovery, how to produce it, and how to handle lost, encrypted, or inaccessible data.

Is Social Media Discoverable?
There is no question that social media is discoverable. See Gatto v. United Air Lines, Inc., No. 10–cv–1090–ES–SCM, 2013 WL 1285285 (D.N.J. Mar. 25, 2013) (Facebook account “clearly within his control, as [p]laintiff had authority to add, delete, or modify his account’s content”); Robinson v. Jones Lang LaSalle Americas, Inc., No. 3:12–cv–00127–PK, 2012 WL 3763545 (D. Or. Aug. 29, 2012) (allowing discovery of, among other things, plaintiff’s email and text messages as well as her “social media content”).

But how can a party obtain social media in discovery? Normally, a party would issue a subpoena to the social-media provider in possession, custody, or control of the relevant information. However, the Stored Communications Act (SCA), 18 U.S.C. § 2701, et seq., prevents an electronic-communication service provider from disclosing the contents of a customer’s account to private parties, absent the account owner’s consent. Instead, a party should serve on the opposing party discovery requests seeking relevant social media. As with other discoverable materials, the receiving attorney can review his or her client’s private social-media profile to determine whether portions should be produced. Alternatively, courts may review a party’s social media profile in camera and make a determination as to whether any portion should be produced.

Courts are reluctant to allow unfettered access to a party’s private social-media profile, absent a threshold showing of need and relevance based on the content of a party’s public social-media profile. See, e.g., Forman v. Henkin, 134 A.D.3d 529, 22 N.Y.S.3d 178 (N.Y. App. Div. 1st Dep’t 2015) (defendant did not establish entitlement to plaintiff’s private Facebook postings because defendant merely speculated, without identifying sufficient facts, that postings would contain relevant information); Keller v. Nat’l Farmers Union Prop. & Cas. Co., No. CV 12–72–M–DLC–JCL, 2013 WL 27731 (D. Mont. Jan. 2, 2013) (denying access to private portions of social-media site absent threshold showing of need based on content of public portions); In re Milo’s Kitchen Dog Treats Consol. Cases, 307 F.R.D. 177 (W.D. Pa. 2015) (no unlimited access to social-media account). To gain access to an adversary’s private social-media profile, an attorney should review the public portions for evidence that would support a conclusion that the private portions likewise contain relevant data. For example, in a personal-injury case, an attorney who suspects that the defendant is not as seriously injured as he or she claims can use public postings and photographs of the defendant engaging in strenuous or leisure activities to justify a discovery request seeking the defendant’s private social-media postings. A general “fishing expedition” will likely be denied, but a targeted discovery request based on verifiable public postings will have a much better chance of success.

Attorneys should tread carefully to avoid violating ethical rules when reviewing an opposing party’s social media. Under the New York State Bar Association Social Media Ethics Guidelines, an attorney may review the public portion of a party’s social-media profile, regardless of whether that party is represented by counsel. Attorneys must be aware that certain social-media networks may send an automatic message to the accountholder that his or her account was viewed and by whom. In some jurisdictions such as New York, this message constitutes “contacting” a party, which, if that party is represented by counsel, violates ethical rules. See NYCLA,Formal Op. 743; NYCBA, Formal Op. 2012-2; but cf. Am. Bar Ass’n Comm. on Ethics & Prof’l Responsibility, Formal Op. 14-466 (passive review of juror’s social media does not constitute an ethical violation). An attorney may request permission to review the private portions of an unrepresented person’s social-media profile, but cannot use deception to gain access. Jurisdictions differ in whether attorneys are obligated to disclose the purpose of their request. Compare NYCBA, Formal Op. 2010-2 (attorney not required to disclose reason for “friend” request); N.H. Bar Ass’n Ethics Advisory Comm., Op. 2012-13/05 (attorney must inform witness of lawyer’s involvement in dispute and identify client and dispute). Of course, if a party is represented by counsel, direct contact is forbidden and any requests to view a represented party’s private social-media account should be made to the party’s attorney.

A party may produce ESI in various forms. Litigators are familiar with the choices available for email, for example, as TIFF images or PDFs, but may be at a loss for how to produce a client’s Twitter feed. Depending on the type of social media, a party can produce relevant portions of a profile by taking a snapshot and producing in image format.

The flipside to being able to obtain your adversary’s social media through discovery is the likelihood that your adversary will request your own client’s social media. To ensure that an attorney is in compliance with his or her ethical duties, an attorney must take appropriate steps to preserve a client’s social-media data. Because social media takes various forms—Facebook, Twitter, and Snapchat to name but a few examples—litigators should advise their clients about preservation of social media and should understand how social media should be collected and produced. This requires having a conversation with your client about what forms of social media the client uses and understanding how each social media platform operates. Some platforms involve ephemeral data that is difficult to preserve, while others do not. Armed with that understanding, attorneys can take steps to preserve the data by, for example, creating backups or taking snapshots. Attorneys may advise their clients as to what content can be taken down or made private, provided that data is preserved and that deletion or removal does not violate any common law or statutory duty.

What Happens When Social Media Data Is Lost or Inaccessible
Social-media information may be lost or inaccessible because of a failure to preserve data (whether intentional or unintentional) or because it is encrypted. In some cases, this loss may be sanctionable.

The starting point to the inquiry is whether a party can reasonably access and produce requested information. Under Federal Rule 26(b)(2)(B), “A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost.” Even if the party resisting discovery can show that the information is not reasonably accessible because of undue burden or cost, “the court may nonetheless order discovery from such sources if the requesting party shows good cause.” Thus, even if the requested information theoretically could be produced, there may be circumstances where a party is excused from production due to cost and burden.

The Sedona Conference has suggested applying the proportionality standard contained in Federal Rule 26 when considering whether ESI is not “reasonably accessible.” This means balancing the costs of preserving, retrieving, reviewing, and producing electronically stored information, as well as the nature of the litigation and the amount in controversy.

Assuming, however, that social-media data is reasonably accessible, what happens if a party fails to produce it? A movant may ask the court to impose various sanctions. Under Federal Rule 37(a), a party can make a motion to compel disclosure and for sanctions. If a party fails to comply with a court’s discovery order, the movant can seek sanctions under Federal Rule 37(b). If ESI is lost, a party can seek relief through Federal Rule 37(e), which permits the court to issue a variety of sanctions against a party who fails to take “reasonable steps” to preserve ESI in the anticipation or conduct of litigation. Subsection (e) of the rule provides:

If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court:

(1) upon finding prejudice to another party from loss of the information, may order measures no greater than necessary to cure the prejudice; or

(2) only upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation may:

(A) presume that the lost information was unfavorable to the party;

(B) instruct the jury that it may or must presume the information was unfavorable to the party; or

(C) dismiss the action or enter a default judgment.

Federal Rule 37(e) applies only where ESI should have been preserved but was lost as a result of a party’s failure to take “reasonable steps” to preserve and the ESI cannot be restored or replaced. When the ESI cannot be restored or replaced, the court may order measures to cure the prejudice to the other party. Where the court concludes that the party intentionally failed to preserve ESI, it may presume that the lost information was unfavorable to the party, instruct the jury that it may or must presume that the information was unfavorable to the party, or dismiss the case or enter a default judgment.

If a party possesses encrypted information and is either unable or unwilling to decrypt the data, how might courts react? We are unaware of any New York State case law that directly addresses encryption in either the civil or criminal context. However, if a party simply refuses to comply with a discovery request to decrypt data, the moving party can seek judicial assistance in the form of an order to comply. As noted above, noncompliance will presumably lead to some form of judicial compulsion.

In the criminal context, motions to compel a party to decrypt data have met mixed results. Several courts have concluded that compelling a party to produce an alphanumeric password to decrypt data is a testimonial communication that would violate the party’s Fifth Amendment right against self-incrimination. See, e.g., In re Grand Jury Subpoena Duces Tecum dated March 25, 2011, 670 F.3d 1335 (11th Cir. 2012); Commonwealth v. Baust, 89 Va. Cir. 267 (Va. Cir. Ct. 2014); State v. Trant, No. CUMCDCR201502389, 2015 WL 7575496 (Me. Dist. Ct. Oct. 27, 2015). Such passwords are a product of one’s mind. The Baust court, however, drew a distinction between alphanumeric passwords and biometric passwords such as fingerprints. The court likened alphanumeric passwords to the combination of a safe, whereas fingerprints were akin to a key. Disclosing alphanumeric passwords requires the party to divulge mental processes, but fingerprints were mere non-testimonial physical characteristics. Relying on this distinction, the Baust court concluded that compelling a party to decrypt data using fingerprints did not implicate the Fifth Amendment but compelling a party to produce a password did. Civil courts may be inclined to adopt this same distinction.

But what if the producing party’s response is something like, “I don’t remember the decryption key?” Presumably the judge presiding over the dispute will conduct a hearing and make a credibility determination. If the judge finds the party to be incredible, what should the judge do? A judge may choose between the sanctions available under Federal Rules 37(b) and 37(e). As noted above, subsection (b) allows the court to sanction a party for disobeying a discovery order by striking pleadings, dismissing the action, or issuing a contempt order, among other things, whereas subsection (e) allows the court to issue an adverse-inference instruction or dismiss the action, among other things. However, subsection (e) only applies if a court determines that the inability to decrypt encrypted data renders it “lost.”

Here, a criminal-law analogy might be appropriate. In Commonwealth v. Gelfgatt, 468 Mass. 512, 11 N.E.3d 605 (2014), the Massachusetts Supreme Judicial Court held that, under the facts before it, an individual could be compelled to decrypt several computers that law enforcement had seized. On remand, the individual argued that he could not remember the keys, was found incredible, and ordered to try to provide access again or else be held in contempt and remanded to custody. (Order dated Nov. 6, 2014, Mass. Sup. Ct. Suffolk Cnty.). Drawing the analogy suggested above, a judge might hold the producing party in civil contempt and remind the party that he or she holds the “key to the cell” in his or her head. Alternatively, the judge might consider a case-dispositive sanction, perhaps deeming the encrypted ESI to be “lost,” or a lesser sanction such as ordering an adverse inference, imposing monetary sanctions, or ordering a party to engage a vendor.


Keywords: litigation, pretrial practice, discovery, social media, ESI, sanctions, Fifth Amendment, encryption, Rule 26


Ronald Hedges is senior counsel and Kristen B. Weil is a senior managing associate with Dentons in New York, New York.

Ronald Hedges and Kristen B. Weil – November 15, 2016