Discovery Strategies for the IoT and Smart Devices

In litigation, if discovery is inevitable, manage the process carefully to control the scope and costs. This is especially critical in litigation involving “smart” and highly technical products. Let’s begin with an overview of the Internet of Things (IoT). The term was first coined in 1999 by Kevin Ashton. Here is an interesting article Ashton wrote in 2009 for RFID Journal explaining the term’s inception and his idea of the meaning. Simply put, the IoT is the extension of Internet connectivity into physical devices embedded with electronics and sensors. These devices can communicate and interact and be remotely monitored and controlled. IoT and Smart Device Examples:

  • Geolocation data from a cell phone
  • Activity data from wearable technologies and fitness trackers
  • Operational and testing data from drones and autonomous vehicles
  • Artificial Intelligence:
    • Helping factory machines to “learn” better performance over time
    • Analytics to predict customer buying needs/habits 
    • Industrial equipment predicting when it will require maintenance 
    • Home connectivity

E-discovery started around the same time that the IoT term was coined. E-discovery traditionally involved emails, Word documents, and spreadsheets. Today, it has expanded to include virtual assistants, wearable devices, home automation technology, biometrics, and much more. With the increasing use of the IoT, the legal industry has labeled it as the “third wave of e-discovery.” This third wave comes with its own set of unique capabilities and challenges such as: source code, system/user activity, audit logs, geolocation, access reports, security tracking, biometrics, computer-generated information, etc. The IoT and smart devices are continuously generating data. By 2020, Cisco estimates that the IoT will generate 600 zettabytes of data a year. That’s 600 trillion gigabytes.

Impact on Litigation

The data generated by the IoT brings on new cases and claims involving connected devices, such as product defects, failure to disclose cybersecurity risks, and selling products with cybersecurity risks built into source or the operating system. There will also be a significant impact on the discovery of these new cases and claims. When it comes to the IoT, most products are not designed for legal discovery. They are not designed in manner where it is easy or intuitive to gather or understand the data that is being collected – let alone find a usable way of exporting the data for review by attorneys as potential evidence litigation. Here are a few considerations:

  • Lack of Protocols. There is no single protocol for inter-communication, data export, or storage format. Consider the issues with “interoperability” of electronic health records. We, as an industry, need to start thinking about systems and technologies that can cost-effectively allow for collection, review and analysis of IoT data. There are many other considerations as well, such as privacy and even free speech. Alexa can talk – but does she have first amendment rights?
  • Re-Defining “Metadata.” Metadata used to be thought of as data such as when a document or email was created or sent, by whom, and who may have accessed or printed it. Now it is how and when people are accessing the internet on their devices. This might include not only your internet search history, but also when you are exercising, what products are in your refrigerator, how well you are sleeping and who is ringing your doorbell.
  • Data Governance & Litigation Response Planning. Corporate legal departments are not necessarily considering IoT data as part of a comprehensive data governance or litigation response plan. When do you start to plan? Forbes predicts that “More than ever, data is going to be critical to humanity.” The International Data Committee predicts that by 2025 nearly 20% of the data in the global datasphere will be critical to our daily lives. In eight years’ time, an average connected person anywhere in the world will interact with connected devices nearly 4,800 times per day – one interaction every 18 seconds. Seems like we should start planning now. 

Key Takeaways

In a quickly changing, technologically charged world we must keep our finger on the pulse of the moving pieces around us. It may not be affecting our, or our clients’ bottom line today, but it could, and it will. As time passes more data is being generated, more devices are being developed, and more connections are being made. Steps must be taken to understand the data and address the potential risks that may have been revealed. Here are few steps to get started:

  • Be Prepared – and Aware. Find good resources and stay abreast of changes, case law and trends. Consider designating a topic expert to keep your team informed and up to date with important advances and changes. 
  • Robust Data Governance Strategies. Consider, and evolve, your firm or company’s policies, procedures and personnel.
    • What is Reasonable? With all this data, what is reasonable in terms of data governance? What do we need to save? What can we, in good faith, delete (absent preservation obligations, triggered by pending litigation)? 
    • Evolving Checklists. Keep evolving checklists of data sources and locations, retention periods, and who is responsible for what. This is especially critical as part of merger and acquisition activity. Be sure to have good documentation on potentially acquired company information and where data is stored, and any data preserved for past or ongoing litigation. It is critical to know where to find relevant data if litigation later arises regarding acquired company’s products or data. 
    • Backup Technologies. Consider backup technology. Legacy backup solutions may be cheap for storage but can be very costly when it comes to restoration for review and production. Cloud storage can be much more efficient offering indexed searching and automated retention, but balance with the need for privacy and security. Also, cloud storage can add another layer of complexity when it comes to discovery with potentiality for involvement of another party, which could include authentication issues. Cloud data is typically considered to be within the corporate owner’s control, even if the data itself is not hosted on company premises. As a result, courts will generally consider cloud data to be accessible and subject to preservation obligations. How does your cloud service provider account for this? Early preparation can present good opportunities at 26(f) conferences to explain why certain portions of cloud data aren’t relevant to the case and do not require preservation, which can help limit discovery-related costs. It is expected that rules and best practices for managing cloud-stored data will continue to develop and be refined. 
  • Cooperation and Proportionality. Early discovery planning is key. Start thinking about preservation obligations as soon as possible. Engage experts as needed such as IT professionals, attorneys specializing in discovery, etc. Use your meet and confer wisely. Proportionality is a critical concept. Consider moving for a protective order that seeks to set data retention responsibilities and define production methodologies as soon as possible, as this may protect the inherent value of the data and also limit the burdens associated with ongoing preservation and production of large volumes of data.
  • Service Providers and Experts. Employ experts and service providers when needed. Consider the following: 
    • Early Planning. The need for experts may end up being even earlier in the litigation process than usual, such as during an investigation or when responding to a demand letter, as potential custodian interviews may involve highly technical subject matter expertise.
    • Preservation. Preservation obligations may require more than identifying data custodians and data sources. It may be worthwhile to consider more formalized data mapping and/or workflow to truly understand all of the complexities and what may need to be preserved such as: What data is being generated by a device? Where does that data go? How is data transformed into something “usable”? 
    • Review. Experts, like data scientists or IT experts, may need help with reviewing the data to pull the pieces of information that are relevant to their expertise. 
  • Post-Litigation Debriefing. Perform a thorough post-litigation debriefing. Consider: What worked? What can be put into place to better manage, or avoid, future litigation?