Why Law Firms Should Be Aware of Privacy Risks in eDiscovery

Why Law Firms Should Be Aware of Privacy Risks in eDiscovery

Cassandre Coyer of Bloomberg Law highlights the recent $50,000 penalty against Consilio LLC for over-collecting emails during discovery as an example of the significant privacy risks in eDiscovery practices, especially as state-level privacy laws proliferate. 

Consilio exceeded agreed-upon search parameters, accessing over 34,000 of a custodian’s emails, including sensitive medical and legal information, instead of the 600 relevant emails identified by a subsequent vendor. This violation underscores the legal and reputational risks firms face when discovery protocols are ignored.

For managing partners, this case illustrates the growing need to approach eDiscovery through a privacy lens. State privacy laws and the absence of explicit privacy requirements in the Federal Rules of Civil Procedure (FRCP) create a challenging regulatory landscape. While the FRCP emphasizes proportionality, it does not directly address privacy, leaving gaps that courts increasingly fill with stricter scrutiny of over-collection.

Discovery vendors and law firms must prioritize narrowly tailored data collection methods to avoid exposing sensitive information unnecessarily. As noted in the article by David Cohen of Reed Smith, practices like conducting searches in data sources before collection can limit risk. This approach minimizes data exposure and aligns with privacy best practices.

Over-collection is particularly fraught when dealing with dual-use devices, where employees’ personal and professional data often overlap. Managing these scenarios requires explicit consent and adherence to clear protocols, as mishandling such data risks not only legal penalties but also the erosion of client trust.

As privacy regulations tighten and enforcement intensifies, Coyer says that law firms must ensure their eDiscovery processes are robust and privacy-conscious. This includes vetting vendors rigorously, enforcing compliance with agreed protocols, and staying proactive in adapting to evolving privacy requirements.