A human resources executive of a manufacturing company has recently filed a discrimination suit against the company in federal court. The company’s General Counsel is satisfied that there are defenses to substantive claims, but is quite concerned that discovery may lead to the disclosure of personally identifiable information about other employees or customers. The General Counsel inquires about the various options for entering into a confidentiality order.

The Practice

Although stipulated confidentiality orders have been standard practice in U.S. courts for many years, no such order is the same and they are anything but routine because each case is different and presents litigants and lawyers with distinct categories of materials, documents, and electronically stored information (ESI) that might be discoverable. Some discovery materials are innocuous, but others could contain highly sensitive or proprietary information to a litigant or third party, such as a corporation’s trade secrets or nonpublic strategy documents, or a person’s financial or medical records.

Civil discovery practice in U.S. courts implicates a wide range of potentially discoverable materials and ESI. Prior to the onset of discovery, parties usually negotiate and enter agreed-upon stipulations concerning the treatment and protection of certain types of information that may appear in materials produced in discovery. These stipulations are then submitted to the court for approval, subject to the court’s finding of good cause, and entered as orders. Stipulated confidentiality orders are typically entered prior to discovery requests being issued and, thus, tend to account for a wide range of circumstances that might arise in discovery.

Potentially implicated in discovery are a broad range of privacy laws and confidentiality considerations. Therefore, when contemplating, negotiating, and drafting stipulated confidentiality orders, lawyers must understand and navigate a complex mosaic of privacy laws and other issues concerning confidentiality.

The Laws

Federal, state, and international laws and regulations governing the privacy of personal information, documents, and data have been in place for decades. But they are constantly evolving and expanding privacy rights attached to information, documents, and materials that could be discoverable in litigation.

At the federal level, for instance, Congress has historically legislated personal privacy protections on subject-by-subject basis rather than in an omnibus manner: the Census Confidentiality Statute of 1954 (personally identifiable census data); the Fair Credit Reporting Act of 1970 (consumers’ personal information in the possession of consumer reporting agencies); the Family Educational Rights and Privacy Act of 1974 (student educational records and information); and the Cable Communications Policy Act of 1984 (telecommunications services subscriber information).

The 1990s saw two pieces of federal legislation which greatly enhanced the privacy protection afforded to documents and information that are frequently the subject of discovery in civil litigation. The Gramm-Leach-Bliley Act of 1999 safeguards the privacy of personally identifiable, nonpublic consumer financial information. In addition, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 installed privacy protections for patient medical records and health information. Each statute sets forth notice and/or consent requirements and imposes obligations on companies to institute appropriate controls for the protected information.

However, as businesses, consumers, and the law have entered the digital age, recent data privacy and protection laws have upended this approach. The last five years have seen well-publicized, major developments in this space—most notably, the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Illinois Biometric Information Privacy Act (BIPA). Each regime applies a broad definition of what constitutes “personal information,” specifically itemizes categories of “protected information,” or does both. Perhaps more challenging is the extra-territorial application of these laws—how they reach into and apply in foreign jurisdictions and countries.

Best Practices

For litigants and lawyers alike, evaluating and traversing this web of competing privacy laws from the outset of litigation presents a challenge. Suggested guidance to assess the need for and scope of a stipulated confidentiality order includes:

  • Assess the scope of the claims and defenses asserted, which will inform the scope of discovery.
  • Understand the scope of the litigation collection that has already taken place, including hard copy documents, ESI, and custodians.
  • Identify likely subject matters and topics on which parties could potentially seek discovery.
  • Collaborate with the client to investigate and classify the materials, documents, and ESI that are in the litigation collection by methods such as interviewing relevant custodians.
  • Evaluate whether certain potentially discoverable materials, documents, ESI or categories of information they contain are possibly governed by privacy laws or otherwise require protection in the discovery process based on the way they are treated in the normal course.
  • Assess which persons might receive access to the potentially discoverable materials by virtue of the litigation, such as other parties, their outside and in-house counsel, and their testifying experts or consultants; court personnel; ESI or document vendors; and mock jurors.
  • Confer with the client to assess what appropriate protections and protocols for permissive disclosures are warranted to account for privacy laws and other confidentiality considerations in light of the anticipated scope of discovery and the content of potentially discoverable materials.
  • Inform opposing counsel of the need for certain potentially discoverable materials to be protected from disclosure and confer over whether an appropriate stipulated confidentiality order can be negotiated and agreed.
  • If agreement cannot be reached with opposing counsel, consider whether to unilaterally move the court to enter an appropriate confidentiality order. Be aware that most courts will require an affidavit setting forth the factual basis and reasons which show good cause for entry of a confidentiality order.

In conclusion, stipulated confidentiality orders can be used to identify and manage risks associated with privacy and confidentiality obligations that arise in civil litigation. Lawyers should take care to assess these risks in the context of specific litigation matters that arise.