Privacy & Cybersecurity Law Blog

On November 6, 2024, a Texas state district court jury found that a large e-discovery vendor violated Title 7, Chapter 33 of the Texas Penal Code, which provides that accessing a computer without its owner’s permission is a Class B misdemeanor. This case highlights the importance for e-discovery vendors of considering data privacy and security requirements in the course of discovery proceedings.                   

The court awarded $50,000 in damages against the vendor, finding that the vendor ignored e-discovery protocol when accessing an individual’s personal email account to search for emails containing 12 search terms dating back to 2012. As a result, the vendor downloaded more than 34,000 emails from the individual’s email account that included sensitive information such as medical data, Social Security numbers and attorney-client privileged information. According to reports, if the vendor had not deviated from the e-discovery protocol, only 600 relevant emails would have been in scope of discovery. 

Data minimization is a key feature of many privacy laws, including the recently enacted Texas Data Privacy and Security Act, and companies are generally required to limit the collection of personal data to what is adequate, relevant and reasonably necessary to the disclosed purpose for which the personal information will be processed. As threat actors increasingly target the service supply chain, data security breaches have become prevalent among service providers. Overcollection of personal information through the e-discovery process generates an array of potential risks to e-discovery vendors and the subjects of discovery in the event of a cybersecurity incident.

General rules governing discovery in the Federal Rules of Civil Procedure require proportionality in discovery procedures but do not specifically address data privacy and security regulations. The landscape is further complicated by privacy considerations in e-discovery involving employee devices. Thus, e-discovery vendors must pay close attention to privacy and security law requirements, both legal and contractual, as part of their approach to discovery.