We get paranoid in our old age. We know that our clients spend a great deal of effort and money on keeping their internal data safe from criminal hackers. We assume that hospitals and other repositories of electronic medical records are doing the same. However, once such data, such as corporate trade secrets and personnel files, are turned over during discovery, we have no confidence whatever that the other side is employing similarly robust data security measures. Equally, if not more, problematic is the degree of data security maintained by expert witnesses and the plethora of other litigation-related vendors who may receive confidential material – translators, court reporting services, copying services, data processors, database and remote deposition hosts, coders, document reviewers, graphics producers, jury researchers, and trial preparation services. Similar confidentiality issues exist, although less of a concern for us, concerning plaintiffs’ personal medical records after they are collected.
Is there any way we can require them to upgrade their security?
We think there might be, and it would be through adding explicit data security provisions to litigation (particularly MDL) security orders. Maybe we’re just being paranoid, and such data security standards are already being used.
We decided to take a look, collecting and reviewing a number of recent product liability and some other MDL protective orders.
Unfortunately, most protective orders don’t go beyond requiring experts and other vendors receiving confidential information to sign agreements that they will abide by the protective orders, which means not disclosing the information to others and returning/destroying all copies at the end of their involvement in the litigation. That’s necessary, of course, to deal with rogue actors within the litigation (like the expert shenanigans we discussed here), but it doesn’t provide any safety against non-party bad actors.
We see vague language such as taking “reasonable efforts” – whatever they are – to prevent unauthorized disclosures. That kind of language isn’t likely to require any recipient to do anything more than what they are already doing. Naturally, recipients believe, and will claim, that they were acting “reasonably,” no matter how poor their security really is. After all, these are the same experts that we’ve seen submit woefully insufficient reports, some even with AI-hallucinated studies, so excuse us if we have no confidence that their data security efforts are any better.
Among the drug/device MDL protective orders we reviewed, the most comprehensive is from the Philips CPAP litigation. Here are its provisions:
A. The recipient of any [confidential material] that is provided under this Protective Order shall maintain such [confidential material] in a reasonably secure and safe manner, including reasonable administrative, technical, and physical safeguards designed to protect the security and confidentiality of such information against unauthorized access and any other reasonably anticipated threats or hazards, and that ensures that access is limited to the persons authorized under this Protective Order, and shall further exercise the same or greater standard of due and proper care with respect to the storage, custody, use, and/or dissemination of such information as is exercised by the recipient with respect to its own proprietary information, but no less than the reasonable precautions set forth in this Protective Order.
B. [Confidential material] in electronic form shall be maintained in a secure litigation support site that applies standard industry practices regarding data security, including but not limited to, application of access control rights to those persons entitled to access the information under this Protective Order. A list of current and former authorized users of the Receiving Party’s litigation support site shall be maintained while this Action, including any appeal, is pending.
C. [Confidential material] downloaded from the litigation support site in electronic format shall be stored or shipped only on devices or media (e.g., laptop, tablet, smartphone, USB drive) that are encrypted with access limited to persons entitled to access Protected Information under this Protective Order.
D. [Confidential material] in hard copy format shall be maintained in the Receiving Party’s counsel’s law offices or comparably secure location, with access reasonably limited to persons entitled to access Protected Information under this Protective Order.
E. Electronic delivery of [confidential material] shall be by secure File Transfer Protocol or encrypted email addressed only to persons entitled to access Protected Information under this Protective Order.
F. Physical shipments of [confidential material] shall be securely sealed and addressed only to persons entitled to access [confidential material] under this Protective Order.
G. If a Receiving Party or authorized recipient discovers any loss of Protected Information or a breach of security, including any actual or suspected unauthorized access, relating to another Party’s [confidential material], the Receiving Party or authorized recipient shall: (1) promptly provide written notice to Designating Party of such breach within twenty-four (24) hours of the breach discovery; (2) investigate and make reasonable efforts to remediate the effects of the breach, and provide Designating Party with assurances reasonably satisfactory to Designating Party that such breach shall not recur; and (3) provide sufficient information about the breach that the Designating Party can reasonably ascertain the size and scope of the breach. The Receiving Party or authorized recipient agrees to cooperate with the Designating Party or law enforcement in investigating any such security incident. In any event, the Receiving Party or authorized recipient shall promptly take all necessary and appropriate corrective action to terminate the unauthorized access.
In re Philips Recalled CPAP, Bilevel PAP, & Mechanical Ventilator Products Liability Litigation, MDL 3014, Doc. 76, pp. 28-30 §VII (W.D. Pa. Dec. 7, 2021). We note the requirement that all recipients adhere to “standard industry practices regarding data security.” That’s a definite improvement on “reasonable efforts” clauses, as it imposes an objective standard. However, it would be preferable to state what such practices are, since they probably vary by industry. There are plenty of data security standards out there that have been developed by various organizations and agencies. Among the promulgating standards-setting organizations are the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), the American Institute of Certified Public Accountants, the Health Information Trust Alliance (HITRUST), and the Center for Internet Security (CIS). One of these, or something else, could be identified specifically in a protective order as what all signatories are required to abide by.
Another example of comprehensive language concerning protection from non-party hackers was recently drafted in the In re AT&T, Inc. Customer Data Security Breach Litigation MDL. We suppose that’s logical, for a data breach MDL to have strong protective provisions against data breaches. After all, it would not be a good look for counsel for plaintiffs seeking to recover for a data breach to have a second data breach of their own or their vendors’ to deal with. Notable, in this order, is the provision expressly making a recipient of confidential material responsible for the security practices of vendors to which it provides such information. Here’s the language, in the “security” section of the protective order:
22. Any Receiving Party in possession of [confidential material] shall establish reasonable internal procedures designed to ensure such [confidential material] is not accessed by or disseminated to unauthorized individuals.
23. A Receiving Party may not upload or input any [confidential material], including excerpts from such materials, into any open-source web-based generative artificial intelligence system (e.g. ChatGPT, Google Bard, etc.). A Receiving Party may utilize document review systems that utilize artificial intelligence within a closed, limited, secure universe that is not an open-source web-based generative artificial intelligence system. The obligations and restrictions of this paragraph apply even where the [confidential material] has been anonymized.
24. Any Receiving Party in possession of [confidential material] shall ensure any document review platform utilized, and any vendor supporting such system if not supported internally, maintains reasonable administrative, technical, and physical safeguards designed to protect the security and confidentiality of such [confidential material], protect against any reasonably anticipated threats or hazards to the security of such [confidential material] and protect against unauthorized access to or use of such [confidential material].
25. If a Receiving Party discovers a breach of security, including any actual or suspected unauthorized access, to [confidential material] subject to this Protective Order (“Security Incident”), they shall: (1) notify the Producing Party of such Security Incident; (2) investigate and take reasonable efforts to remediate the effects of the Security Incident; and (3) provide sufficient information about the Security Incident such that the Producing Party can reasonably ascertain the scope of the Security Incident as it relates to the [confidential material]. The Receiving Party agrees to cooperate with the Producing Party or law enforcement in investigating any such Security Incident. In any event, the Receiving Party shall promptly take all necessary and appropriate corrective action to terminate the unauthorized access.
26. Nothing herein shall preclude the Producing Party from asserting legal claims or constitute a waiver of legal rights and defenses in the event of litigation arising out of the Receiving Party’s failure to appropriately protect [confidential material] from unauthorized disclosure.
In re AT&T, Inc. Customer Data Security Breach Litigation, No. 3:24-cv-00757-E, Doc. 31, at pp. 11-12 ¶¶22-26 (N.D. Tex. Dec. 9, 2024). Particularly relevant going forward is the provision forbidding recipients from feeding any confidential information to “any open-source web-based generative artificial intelligence system.”
We found less comprehensive language elsewhere:
Protected Material must be stored and maintained by a Receiving Party at a location and in a secure manner that ensures that access is limited to the persons authorized under this Order. For purposes of this Order, a secure website, or other internet-based document depository with adequate security, shall be deemed a secure location.
In re Optical Disk Drive Products Antitrust Litigation, MDL 2143, Doc. 920, p.10 ¶7.1 (N.D. Cal. April 77, 2010). Unfortunately, neither “secure” nor “adequate security” is a defined term.
Storage of Designated Information. The recipient of any information designated as Confidential shall maintain such information in a secure and safe area and shall exercise the same standard of due and proper care with respect to the storage, custody, use and/or dissemination of such information as is exercised by the recipient with respect to his/her/its own proprietary information.
Pfizer, Inc. v. Natco Pharma, Inc., No. 1:21-cv-01179, Doc. 15, p. 13 ¶8 (D. Del. Oct. 6, 2021). This is not much better than a “reasonable efforts” clause in our opinion, since the basic problem that concerns us is providing confidential information to entities without very robust security, whether or not the same laxity extends to a recipient’s protection of its own information.
We also found HIPAA-specific security provisions in several of the protective orders. Something like this should probably be in every protective order involving the production of medical records – meaning every drug/device MDL – and by now may well be routine. Here’s a representative provision:
In accordance with the requirements of the regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), specifically, 45 C.F.R. §164.512(e)(1)(ii)(B) and §164.512(e)(1)(v), the Court hereby enters this HIPAA Qualified Protective Order, as that term is defined in the foregoing regulations. In addition to the foregoing federal laws and regulations, this Order is entered to facilitate compliance with applicable state laws and regulations governing patient privacy and protecting healthcare information.
In re Generic Pharmaceuticals Pricing Antitrust Litigation, MDL 2724, Doc. 1691, at p.3 ¶3.1 (E.D. Pa. Feb. 18, 2021). See also In re Taxotere (Docetaxel) Eye Injury Products Liability Litigation, MDL No. 3023, CMO #12, at 6.6 ¶5(e) (E.D. La. May 1, 2023) (“To avoid security risks, a receiving party agrees to abide by existing HIPAA data protection provisions (e.g., Business Association Agreements) when handling Confidential Information and other ESI protected by federal or state law”). While these references only apply to some confidential documents – those covered by HIPAA – and do not appear directed at security from non-party hackers, they at least provide something to work with, since they reference, expressly or impliedly, security standards established by outside authoritative sources.
In addition to the quoted provisions, we would add another deterrent to lax security practices. We have seen provisions requiring third-party vendors “to submit to the jurisdiction of [the issuing court] as to matters concerning compliance with” the protective order. We think that is a good start, but in the event of a data breach concerning protected materials, the submission to jurisdiction should extend to damages suits by anyone whose data was exposed by criminal hackers. The litigation in which discovery removed confidential materials from the protections of the entity that created them should be the forum for any and all collateral litigation arising from a data breach involving such information.
Anyway, this is what we’ve found so far in protective orders that addresses the problem of non-party criminal hacking. If the various provisions quoted above are combined, along with our suggestions, the resulting protective order would create as good a protective environment for confidential material in litigation as it is probably possible to develop, given the number of uncontrollable bad actors out there.
Thanks to Debbie Ford for collecting these (and many more) protective orders.