The holiday season is over, and you've been enabling your new Amazon Alexa, installing your Google Nest, setting up your SmartTV, and running with your Fitbit. Welcome to the world of the Internet of Things (IoT)! If you didn't already know, you've now just drastically increased your digital footprint as well as the potential that your new IoT data may be subject to preservation, collection and production in civil litigation.

IoT refers to devices connected to the internet or a secure network that are capable of collecting and transmitting data without human-to-human or human-to-computer interaction. Gartner Inc. forecasts that the number of IoT-connected devices will reach 20.4 billion in 2020, up from 6.3 billion in 2015. Of those, 12.8 billion are associated with consumer applications and 7.7 billion with various business segments. By 2025, the volume of data associated with IoT devices is expected to be close to 79.4 zettabytes (a zettabyte (ZB) is equal to 1 trillion gigabytes). (See https://www.gartner.com/en/newsroom/press-releases.)

While it goes without saying that the growth of IoT has impacted our personal lives, it has also created new and interesting challenges in litigation, and the e-discovery process, in particular.

  • IoT data and Federal Rules of Civil Procedure 26 and 34.

At the outset of federal litigation, the parties are required to meet and confer to develop a discovery plan, including how to handle electronic discovery, see Fed. R. Civ. P. 26(f)(2). As part of that process, the plan must address any issues about disclosure, discovery, or preservation of electronically stored information (ESI), including the form or forms in which it should be addressed, see Fed. R. Civ. P. 26(f)(3)(C). The parties must also address whether the requested ESI is relevant to any "party's claim or defense and proportional to the needs of the case, considering the importance of the issues at stake in the action, the amount in controversy, the parties' relative access to relevant information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit. Information within this scope of discovery need not be admissible in evidence to be discoverable."

It is obvious that IoT data is relevant in patent, data breach and consumer fraud litigation where the data is directly at issue. (See generally, Flynn v. FCA US, 327 F.R.D. 206 (S.D. Ill. 2018); TDE Petroleum Data Solutions v. AKM Enterprises, No. CIV.A. H-15-1821 (S.D. Tex. Sept. 11, 2015), aff'd, 657 F. App'x 991 (Fed. Cir. 2016); McLellan v. Fitbit, No. 3:16-CV-00036-JD (N.D. Cal. Oct. 11, 2017).)

It is not so obvious, however, that IoT data is relevant and proportional in commercial, employment, or personal injury cases. While email, text messages and electronic documents are regularly considered sources of potentially relevant ESI in those types of cases, does IoT data warrant the same consideration? If so, it must be analyzed and treated like all other information subject to discovery.

It seems clear that IoT data is "electronically stored information" as defined by Fed. R. Civ. P. Rule 34. Rule 34 covers, either as documents or as electronically stored information, information "stored in any medium" and is intended to be broad enough to cover all current types of computer-based information, and flexible enough to encompass future changes and developments, see Columbia Pictures v. Bunnell, 245 F.R.D. 443, 447 (C.D. Cal. 2007). As such, how IoT data will be handled should be discussed and contemplated during the Rule 26 meet and confer process, memorialized in an ESI protocol, and specifically defined when propounding Rule 34 requests.

  • Duty to preserve IoT data.

Once a determination has been made that the IoT data is relevant and proportional to the needs of the case, the next challenge is how to preserve the IoT data. "The obligation to preserve evidence arises when the party has notice that the evidence is relevant to litigation or when a party should have known that the evidence may be relevant to future litigation. Identifying the boundaries of the duty to preserve involves two related inquiries: when does the duty to preserve attach, and what evidence must be preserved?" See Zubulake v. UBS Warburg, 220 F.R.D. 212, 216 (S.D.N.Y. 2003). This duty to preserve falls not only to clients, but their attorneys as well. Further, the duty to preserve encompasses data that is in the party's "possession, custody, or control." However, some data may be within the possession or custody of third parties, but considered to be within the party's control based on contractual or other relationships, see "The Sedona Conference Commentary on Legal Holds: The Trigger & the Process," 11 Sedona Conf. J. 265 (2010).

While IoT data can be stored and accessed directly on the device, much of the data is uploaded and stored in the cloud. Given counsel's obligation to supervise the preservation process, it is imperative to work closely with our clients to identify specific devices and applications, and send detailed legal hold notices identifying the IoT devices and data to be preserved. A careful analysis should also be done regarding whether the IoT data is even in the "possession, custody or control" of the client. If it is determined that the data is not in the client's "control," we must consider the most appropriate means to request the data, either through subpoena or document request.

  • Collecting and producing IoT data.

E-discovery professionals have been collecting email, mobile device and network data in a forensically sound manner for years. There are tried and true, defensible processes in place for collecting these types of ESI. This is not the case for IoT data given the myriad of different devices that have distinct operating and file systems, and proprietary hardware and software. Further, since much of the data is stored in cloud applications in different physical locations that are not easily accessible, it is imperative to retain a forensic service provider with vetted experience in handling this type of data. (See e.g., Alenezi, Ahmed & Atlam, Hany & Alsagri, Reem & Alassafi, Madini & Wills, Gary. (2019). "IoT Forensics: A State-of-the-Art Review, Challenges and Future Directions.")

Rule 34 requires that, unless otherwise stipulated, ESI should be produced as it is kept in the usual course of business or in a reasonably usable format. Because of this standard, an ESI protocol should clearly set forth the format of production. This is particularly important with IoT data.

While IoT data continues to expand and influence our personal and professional lives, there is no denying that the impact on e-discovery is significant. However, for attorneys who practice in this area, handling large volumes of data in litigation is nothing new. By applying the framework provided by the Rules of Civil Procedure, and analyzing and addressing the data in light of those rules, our e-discovery toolkit will continue to evolve with the data.

Joseph Tate is counsel and director of Cozen O'Connor's e-discovery and practice advisory services. He focuses his practice on e-discovery, information governance and data management issues in the context of litigation and investigations. As the director of electronic discovery and practice advisory services (ePAS), Tate leads the firm's e-discovery efforts, and is responsible for the day-to-day management of a team of attorneys and technologists that handle all phases of the e-discovery lifecycle. 

David Walton is a trial lawyer and litigator at the firm with a deep understanding of technology and its impact on litigation, and he applies his knowledge of computer forensics to assist clients in their most high-stakes litigation. He is chair of cyber solutions and data strategies at the firm.