LCJ Proposes FRCP Rules for Privacy and Cybersecurity

LCJ’s new rules proposal urges critical amendments to the Federal Rules of Civil Procedure (FRCP) to help courts and parties navigate the difficult conflict between discovery demands and the duty to protect personal and confidential information from data breaches and other unauthorized access.

It is now routine for parties to seek and produce, and for courts to order production of, significant amounts of information about parties and non-party individuals -- including customers, employees, suppliers, contractors, and the general public. Courts and parties need rules guidance for balancing the needs of their cases with the burdens of protecting parties and non-parties from risks posed by unauthorized access, use, and disclosure of personal and confidential information. LCJ’s proposals for FRCP amendments would provide guidance by:

Authorizing protective orders for safeguarding personal and confidential data under FRCP 26(c).

  1. Incorporating the burdens of privacy rights and the risks of unauthorized access to personal and confidential data into the proportionality analysis under Rule 26(b)(1).

  2. Requiring parties to take reasonable steps to secure data obtained through discovery under Rule 34.

  3. Clarifying that Rule 45 requires parties and non-parties to protect personal and confidential information.

These proposed rule updates would incorporate the concept of “reasonable steps” into the FRCP for the management of sensitive data in litigation. As privacy concerns and cybersecurity threats are urgent and grow more so, improved FRCP guidance to courts and parties is essential.

Rule 26(c) protective orders are the primary mechanism courts and parties use to safeguard information shared in discovery. However, the rule’s effectiveness is constrained by its text. Rule 26(c) neither mentions privacy as a ground for a protective order nor provides guidance as to the consensus “reasonable steps” standard for protecting information. Rule 26(c) should be amended now to acknowledge expressly that protective orders can be used to protect privacy, and to articulate that such protective orders should require reasonable steps to prevent unauthorized access or disclosure of information. Amending the rule will also help courts and parties think proactively about balancing the interests of non-parties.

But courts and parties need more tools than a Rule 26(c) amendment would provide; they need tools for proactively managing the complications of privacy rights and the risks of data breaches.

Amending Rule 26(b)(1) would end the uncertainty over the availability of proportionality analysis to help determine the scope of discovery concerning personal and confidential information.

Rule 34 should incorporate the commonsense presumption that parties making data requests have taken or will take reasonable measures to prevent unauthorized access to the personal and confidential information they will receive—and will abide by their existing responsibilities to absent non-parties.

Rule 45 should include a clear privacy protection standard outlining the responsibility of parties seeking to subpoena information from non-parties. It is insufficient to put the burden solely on subpoena recipients, particularly those who are bystanders to the litigation, to bring motions to quash whenever a subpoena requests information that is personal or confidential. The rule should protect “a person subject to the subpoena” and require reasonable steps to protect confidential information the subpoena recipient holds about other non-parties.

Read the full proposal here.