Tag Archives: discovery

Private Facebook Posts May Not Be So Private

This is not Mark Zuckerberg trying to extract a few more cents out of you by pushing more ads to you – in fact, Facebook really doesn’t even have much of a say in this.  It is not even a Google thing.

Still, it is useful to understand.

In the case of a Manhattan woman who was disabled in a horseback riding accident, the courts have ruled back and forth.

The woman is blaming the trainer and horse owner for fitting the horse with a defective stirrup.  The case is unusual because usually equine trainers have no liability for accidents, based on the law.  In this case, the rider, who suffered brain and spinal injuries, is claiming negligence.

The trial court ruled that the woman had to provide both Facebook posts and photos from both before and after the accident during discovery.  The trainer is trying, I assume, to determine if the disabilities prevented her from doing the things that she did before the accident and turned her into a recluse, which is what she is claiming.

The trial court did exclude any nude pictures from having to be disclosed.

But then the appeals court reversed the trial court and said that she did not have to produce that information.

But now the full appeals court, by a vote of 7-0, said that the trial court was correct and that the information did have to be produced.  This court is the state’s highest court, so it is not clear if there is any further appeal avenue available.

The appeals court did acknowledge that the posts were private, but said that did not allow her to avoid discovery.

For users, there is a warning here.  Do not assume that anything that you post online, even if you think it might be private, is really private.  I am sure that this woman did not think about the implications of her Facebook posts during a trial.

But there is a simple answer – if you want it to be private, do not post it.  Don’t even put in on Google photos or Microsoft One Drive.  If you make it accessible to an Internet provider, it is likely disclose-able.

Information for this post came from Reuters.

Why The First Call After A Breach Should Be To Cyber Counsel

If you are responsible for your cyber incident response team and you discover that you may have been breached – like the Trump Hotels this week – who should you call, and how should you contact them?

I will answer the and how part first because it is easier.

Walking down the hall is best.  Failing that, the phone is ok as long as it is not connected to your company network (like a VoIP phone).  What you don’t want to do is use company email or messaging systems.

There are two reasons for this.  The first is that you do not know if those systems have been compromised and if, as a result of using them, you are telling the attacker that you are on to him and how much your know.

You are also leaving bread crumbs that can be discovered as part of the legal process after the breach and used against you.

So now that the and how part is handled, lets move on to the the who part.

The answer is not your boss or the CEO.  That will just ruin their day and if you tell them 5 minutes later, it won’t make any difference.

That first call should be to your outside cyber incident response law firm.  The one you should have on retainer.  The one that you have already brought up to speed on your business and processes.  The last thing you want to do at this point is be dealing with contracts and explaining to them what you do.

The firm also has to be experienced in cyber incident response – otherwise, they might make mistakes.

The one thing that Target did right during their breach – and it was not to decide to wait until after Christmas to remove the malware – was to contact their cyber incident response outside attorney.

That firm directed the response in order to provide the company legal advice and prepare for lawsuits.  That cover allowed them to protect what they did under attorney client privilege.  It turns out that the fact that they were outside counsel instead of corporate legal makes a difference in the story.  After all, you were preparing for litigation – you don’t pay outside law firms hundreds of dollars an hour unless you are expecting something bad to happen – more cover.

And it worked.  When the banks who were suing Target attempted to get Target to produce documents during discovery, Target’s law firm said that those documents belonged to the law firm (since the law firm engaged all the consultants and experts, not Target) and were protected by privilege.

Except for a few business emails between the CEO and the Board which were considered business records and not protectable, the judge struck down requests for every other document.

So in your incident response plan should be, at the top, a note to self:  CALL ATTORNEY FIRST.  Then call your boss.

If you have questions, remember that I am not a lawyer and do not play one on the Internet – contact that cyber incident response attorney that you already have a relationship with.


Information for this post came from the National Law Review.