eDiscovery Daily Blog

• July 14, 2017

A rare two-topic day, but both are notable…

Remember the Microsoft Ireland Warrant case, where the Second Circuit reversed earlier rulings and denied the government’s efforts to compel Microsoft to provide emails in that case?  It may not be over yet.

According to The Recorder (Government Asks SCOTUS to Overturn Microsoft Decision on Overseas Data, written by Ben Hancock), the Department of Justice last month asked the U.S. Supreme Court to overturn that landmark appeals court decision handed down last summer in favor of Microsoft Corp. that put their company data stored overseas mostly out of reach of U.S. law enforcement.  The case stems from a warrant issued in December 2013 by a U.S. magistrate judge in the Southern District of New York directing Microsoft to turn over a criminal suspect’s email data. Microsoft determined that the data was stored at its center in Dublin, and subsequently moved to quash the warrant. The district judge denied that request, but Microsoft prevailed in an appeal to the circuit court.

Here’s a link to the Petition for a Writ of Certiorari filed by the DOJ.

If the government’s petition is taken up by the high court, its decision could introduce some measure of clarity (and hopefully consistency) in the multiple legal battles playing out around the country over whether prosecutors can enforce warrants for private data stored abroad in the cloud.  For example, while Microsoft has prevailed so far in this case, Google has had two rulings go against it earlier this year in similar cases.

“It seems backward to keep arguing in court when there is positive momentum in Congress toward better law for everyone,” Brad Smith, Microsoft’s chief legal officer, said in a blog post responding to the DOJ petition. “The DOJ’s position would put businesses in impossible conflict-of-law situations and hurt the security, jobs, and personal rights of Americans.”

It will be interesting to see if SCOTUS takes the case, or we see legislation that clarifies expectations regarding data stored overseas.  Thanks to ACEDS for the tip on this story.

In other news…

As reported by ZDNet, As many as 14 million records of subscribers who called Verizon’s customer services in the past six months were found on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems, an Israel-based company.  The data was downloadable by anyone with the easy-to-guess web address.

Chris Vickery, director of cyber risk research at security firm UpGuard, who found the data, privately told Verizon of the exposure shortly after it was discovered in late-June.  It took over a week before the data was eventually secured.  The customer records were contained in log files that were generated when Verizon customers in the last six months called customer service.

Each record included a customer’s name, a cell phone number, and their account PIN – which if obtained would grant anyone access to a subscriber’s account, according to a Verizon call center representative, who, according to ZDNet spoke on the condition of anonymity as they were not authorized to speak to the press.

A Verizon spokesperson told CNBC on Wednesday that, “[a]s a media outlet recently reported, an employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access.  We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information.”

Verizon said the subscribers affected was “overstated” and that the PINs that were available during the breach aren’t actually linked to customer accounts but rather were numbers used to authenticate customers at call centers.

Verizon, of course, produces its excellent Data Breach Investigations Report every year (we’ve covered it the last three years).  Will they have anything to say about their own data breach in next year’s report?  We’ll see.

So, what do you think?  Should data stored internationally, but accessed in the US, be subject to subpoena?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Also, if you’re going to be in Houston on July 20, Women in eDiscovery (WiE) Houston Chapter, in partnership with South Texas College of Law, will be hosting the inaugural eDiscovery “Legal Technology Showcase & Conference” at South Texas College of Law in downtown Houston.  I will be participating as a panelist on the “State of the Industry” panel and my colleague, Karen, will be moderating the “Legal Operations and Litigation Support” panel.  Click here for more information about the conference, including how to register!

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.