Of course, if you can implement a more high tech eSignatures regime, do so. 

For examples of available platforms, see the “Vendors” links in my eSignatures Bibliography.

In any event, here is a lower tech method  . . .

Continue Reading Adobe Acrobat Tech Tip — Inserting Scanned Signature Page(s) into an Agreement — a Low-Tech eSignatures Regime

In this colorful 6-minute Records Retention video, I provide an overview of how a well-organized Electronic Information Management (“EIM”) environment can help a company of any shape or size:

  • improve efficiency;
  • save money on storage;
  • reduce risk; and
  • prepare for litigation and eDiscovery.

Fenwick & West’s  EIM Practice Group, which I lead, is now in its second decade.   In at least 50 matters, my EIM teammates and I have provided practical and economical hybrid legal / IT / information-security advice.

 Heartbleed — The “Data Map” Lesson — Intro

The Heartbleed vulnerability is, by now, an item about which we have all assuredly heard a lot.   To get caught up on your reading on the technology aspects of this issue, see the linked articles I have compiled in the “To Learn More” section at the end of this post.    Note, though, that one key lesson is much more of a common-sense, communication and organizational one.  Most every organization could readily beef up its information-security by creating and then maintaining an up-to-date chart or “ data map” of the who/what/when/why/where of its electronically stored information (ESI).

  Where’s Your Organization’s Data?

In the 1960’s, a local New York City TV station came up with the phrase “It’s 10 PM. Do you know where your children are?”   In the 21st century, any organization would do itself a favor by asking the same question about its electronically stored information (ESI).  No matter its shape or size, many a company diffuses its information-management and information-security among various people, systems and locations.   So, generating a chart listing every key vat inside and outside the company’s physical and virtual walls is a must.

A simple spreadsheet is better than nothing and also better than having a disparate set of protocols/lists.   There should be a row for each key repository, e.g., each:

  • Database
  • Website
  • Cloud environment

And the columns (some of which would entail YES/NO) could include:

  • System Name
  • Content Type
  • In-House or Cloud
  • Owner Name (point of contact)
  • Owner Contact Info.
  • Encrypted at Rest
  • Encrypted in Transit
  • Retention/Deletion Rule(s)
  • Back-up Schedules
  • DR/BC Status (Disaster-Recovery/Business-Continuity)

For Cloud-stored data, additional columns could be:

  • Segregation from Others’ Data
  • Notice-of-Breach Duty Shifted

Finally, to paraphrase George Orwell in “Animal Farm,” some data is more private than other data.  Several categories of information thus warrant special in-the-trenches attention once their locations have been idenitfied:

  • Personally identiable information (PII)
  • Protected health information (PHI)
  • Payment card industry information (PCI)

Now, it’s time to begin charting . . . and to start mapping . . .


To Learn More


Some resources as to ESI data-mapping:

—  Brownstone, Electronic Records Retention, Nat’l Const. Confs. Webinar Slides, at 25 (Mar. 20, 2014)

—  Stephenson, Streamline electronic discovery using a data map, Lawyers USA (Jan. 12, 2012) [quoting me 🙂 ]

—  Brownstone, Data-Mapping & Electronic Information Management, Lorman Webinar Slides (Nov. 4, 2009)

                                        And even more as to “Heartbleed”:

—  Codenomicon, The Heartbleed Bug (last visited 5/6/14)

—  Qualys, SSL Server Test (last visited 5/6/14)

—  Valsorda, Heartbleed test (last visited 5/6/14)

—  Goodin, Confirmed: Nasty Heartbleed bug exposes OpenVPN private keys, too, ars technica (4/16/14)

—  Lee, Here’s why it took 2 years for anyone to notice the Heartbleed bug, Vox (4/12/14)

—  Geuss, Private crypto keys are accessible to Heartbleed hackers, new data shows, ars technica (4/12/14)

—  Schneier, Heartbleed is a catastrophic bug in OpenSSL, Schneier on Security (4/11/14)

—  Felten, How to protect yourself from Heartbleed, Freedom to Tinker (4/11/14)

—  Grant, The Bleeding Hearts Club: Heartbleed Recovery for System Administrators, EFF (4/10/14)

—  Cipriani, Heartbleed bug: Check which sites have been patched, CNET (4/9/14)

—  Shankland, ‘Heartbleed’ bug undoes Web encryption, reveals Yahoo passwords, CNET (4/8/14)

—  Kumparak, Massive Security Bug In OpenSSL Could Affect A Huge Chunk Of The Internet, TechCrunch (4/7/14)

—  Timson, Who is Robin Seggelmann and did his Heartbleed break the internet?  Sidney Morning Herald (4/11/14)

This 214-page document, “Handbook on European data protection law,” looks incredibly comprehensive.  It ends with 13 pages of citations to European case law on various issues.

The resource was “jointly prepared by the European Union Agency for Fundamental Rights and the Council of Europe together with the Registry of the European Court of Human Rights.”

Note also that, since 2012, the Euriopean Union has been working on major proposed amendments to the “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995″.   A revised EU Directive was “adopted” in January 2012, and ostensibly implementation in 2015 is still the goal.  See this home page for the EU Directive amendments.

For some pertinent developments last fall, including backlash from Edward Snowden’s NSA revelations,  see:

To learn about the inherent conflicts between: on the one hand, U.S. discovery rules/scope; and, ont the other hand, data-privacy laws promulgated by the EU Parliament as well as by various individual countries in the EU (e.g., France, Germany, Italy and the UK . . .  check out these resources:

And also these excellent compilations:

Amended Federal Rule of Civil Procedure 45 to take effect

When we all return to work from Thanksgivukkah weekend, Federal Rule of Civil Procedure (FRCP) 45, governing non-party subpoenas, will have changed, effective December 1, 2013.  To review the new content, follow one or both of these links:

A set of accompanying changes will also have been made to FRCP 37(b)(1), as reflected at these other links:

And, the all important Advisory Committee Notes can be accessed here:


Overview of Several of the Key Changes


1.  Issuance from Court Handling Underlying Case

  • Now a subpoena not only can but “must be issued from the court where the action is pending.” (emphasis added)
  • No longer must it issue from a court located in the geographical area for compliance.

2.  Nationwide-Service and Compliance-Location Clarification

  • Now “[a] subpoena  may be served at any place within the United States,” even though the compliance location must be tethered to the recipient’s place of residence, work or business.
  • No longer does one ever need to refer to state law — as to, e.g., compliance location.

3.  Forum for Subpoena-Related Motions/Disputes — a Change but With Some Flexibility

  • Now, subpoena-related disputes will typically be resolved in the district court in the compliance location; however, there is a possibility of transfer of a pertinent motion to the issuing court.
    • FRCP 45(d)(3) [formerly (c)(3)]
    • FRCP 45(f) [NEW subsection]
    • Advisory Committee Note to 45(f)
      • “In some circumstances . . . transfer may be warranted in order to avoid disrupting the issuing court’s management of the underlying litigation, as when that court has already ruled on issues presented by the motion or the same issues are likely to arise in discovery in many districts[; t]ransfer is appropriate only if such interests outweigh the interests of the nonparty served with the subpoena in obtaining local resolution of the motion.”
  •  No longer does one have to bring such a motion before the issuing court; however, “the court where compliance is required . . .  may transfer a motion . . . if the person subject to the subpoena consents or if the court finds exceptional circumstances.”

To Learn More

As to a range of eDiscovery issues related to non-party subpoenas, see:

—  eDiscovery: Subpoenas and Non-Party Production Issues (lengthy slide deck from a webinar I did for Lorman Education Services 5/20/13)

   —  Obligations When Third Parties Control Data, by Barry M. Kazan & Emily J. Mathieu of Thompson Hine, N.Y.L.J. (10/7/13)

 As to the brand new FRCP changes (including ones not touched on in this post), see these excellent resources:

—  Changes to [FRCP] 45  . . .  Promise To Simplify Federal Subpoena Practive, by Christopher Tompkins & Ethan E. Kent, Jenner & Block (11/14/13)

—  Rule 45 Changes in Motion, by Richard Marcus, Distinguished Professor of Law, UC Hastings College of the Law, Recorder (8/8/11) (LEXIS ID & Password required)

—  Rule 45 Third‐Party Subpoenas and Upcoming Amendments, by Jonathan E. Goldberg of SNR Denton and Darren A. Craig of Frost Brown Todd, Strafford Publications (7/11/13)

—  Report of the Civil Rules Advisory Committee  (6/6/11)

—  Survey of Issues Regarding [FRCP] 45, by Prof. Richard Marcus, Associate Reporter to the Advisory Committee on Civil Rules of the Judicial Conference of the U.S. (3/14/09)

Just a quick note to remind (?or first-mind?) everyone that this site’s Resources page is an ever-expanding universe.

Some highlights of recent additions and changes include:

  • Brand new eSignatures Bibliography posted on 9/11/13
  • New/replacement Records-Retention slide deck from a webinar I did for NCC on 9/10/13
  • Revised/updated Predictive Coding & T-A-R slide deck — as revised 5/11/13

Keep visiting ITLawToday’s Resources page and the rest of this site to stay up to date on the intersection of law and IT.

Over the past dozen years, having done almost 400 presentations  (almost 500 including eDiscovery law school class sessions) within my firm and out in the world I have learned a number of tricks of the trade.

Though generally I am function paperlessly, a reality is that many an attendee still likes a hardcopy slides handout on which he/she can take notes.  I do generate same and have them printed in color, double-sided.

More importantly, from a technical perspective, I’ve never been happy with Microsoft PowerPoint’s default Handout Creation modes, at least up through the 2007 version.

Even assuming one doesn’t put too much text on each slide, neither out-of-the-box approach is very satisfying.  Either there are 3 slides to a page so the attendees can barely see the miniscule text.  Or there are 2 slides to a page but no note lines.

So, many moons ago, my former assistant (she’s still a tech-savvy secretary here at Fenwick & West) Berta Lopez helped me come up with a better way.  The end result, as coined by me, is  . . . drum roll please . . . .  “Display-One-Readable-Slide-And-Lines” (“DORSAL”) handout version.

Maybe Microsoft or a handshake-software programmer can come up with an automated approach to generate my favored version.  Until that day, here’s a “how-to” if you or your assistant would like to give it a try:

  • Open the .ppt version and from the Office button, choose “Create Handouts in Microsoft Office Word”:

  • Then, in the ensuing window, choose “Blank lines below slides”:

  • Click on OK or press the Enter key.
  • Once it all goes into Word, save the file
  • Then, for each slide/image, right click, then choose Format Object:
    • Click on the Size tab

  • In the Height field input 4.8 over the default height
  • [You can copy the 4.8 for pasting into this filed for each of the other slides/objects.]
  • Then click on OK or press the Enter key.


  • Repeat for each slide.


  • Once you get through all the slides/images, save the file
  • Then convert it to Acrobat (File . . .  Print . . . . AdobePDF)


  • In the .pdf version in Adobe Acrobat, click on the Pages tab (on the left).
  • Via Ctrl+Click, select all the pages that have only blank lines (every other page).
  • Right click on one of them and choose Delete Pages.
  • Click OK as to each of the next two prompts.
  • Save the file, which should now only have slides (one per page).
  • Remove the Metadata.
  • Save the file again.

Your attendees will thank you. . . .

The Just-Signed New Jersey Law

On Thursday August 29, New Jersey Governor Chris Christie signed revised legislation, namely A.B. 2878, which, among other restrictions, forbids employers to ask applicants or employees for their social-media or other online logins/passwords.  A few months back, on May 6, Gov. Christie had conditionally vetoed a prior iteration of the bill, asking that it not rein in employers so much.

For example, the Governor sought — and ultimately obtained by an August 19 unanimous vote — amednments that would allow employers to conduct various types of investigations and not prohibit “an employer interviewing a candidate for a marketing job  . . . from asking about the candidate’s use of social networking so as to gauge the candidate’s technological skills and media savvy.”

Similar Laws in Force in a Dozen Other States

New Jersey joins the following 12 other states that have enacted similar bans during since May 2, 2012:

 Already in force:

       Arkansas; California; Colorado; Illinois; Maryland;

       Michigan; New Mexico; Utah; Vermont; and Washington


 — Taking effect soon: 

      Nevada (10/1/13); and Oregon (1/1/14)

Some of those states’ statutes contain very broad prohibitions.  Others, like Michigan’s and New Jersey’s, grant employers some exceptions, usually encompassing workplace investigations.
Delaware has also enacted an analogous ban, which, although not directed at employers, focuses on universities vis-a-vis students.
For a very good recent article on the various approaches the states have taken, see Philip L. Gordon and Joon Hwang, Making Sense of the Complex Patchwork Created by Nearly One Dozen New Social Media Password Protection Laws, Workplace Privacy Counsel (July 2, 2013).

Controversy re: These Login/Password Bans

The wave of state legislation in this context is  a privacy victory for employees, job seekers and/or students.  But, from the  management perspective, many have criticized the stricter of these laws as addressing a discrete (non-)issue with a blunt instrument approach. See, e.g., Molly DiBianca, Michigan Enacts Social-Media Privacy Law, Delaware Employment Law Blog (Dec. 30, 2012).

Others have noted that a greater priority should be a modernization of the federal Electronic Communications Privacy Act (“ECPA”). Behnam Dayanim, Employee Privacy Forces Legislation, Recorder (Aug. 8, 2012) (“these ‘bullet bills’ … represent a missed opportunity both to update the SCA to reflect today’s technology and to re-engage . . . over the broader policy questions.”) (LEXIS ID and password needed).

Indeed, the federal Stored Communications Act (SCA) — Title II of the ECPA — of is sorely in need of an update as its outdated provisions do not come close to addressing modern technology and 21st century methods of electronic communications. The SCA was passed in 1986 to try to address that new-fangled technology known as voicemail.

The only amendment to the SCA since its 1986 inception was via the USA PATRIOT Act, hastily passed just weeks after 9-11 to make it easier for prosecutors to obtain from Internet Service Providers the missives of potential terrorists. The SCA’s sister provision, the Wiretap Act — now Title I of the Electronic Communications Privacy Act (ECPA) — has barely been changed since way back in 1968, when wiretapping on phone calls was the primary concern.

Note, though, that the SCA has been interepreted many times by various federal courts to criminalize and provide civil damages for anyone who illictly obtains an individual’s login credentials and then accesses a password-protected online environment. See Robert D.Brownstone, eWorkplace II White Paper (Apr. 3, 2012), at 19-20 (.pdf pp. 24-25).

But see also this brand new piece, Philip L. Gordon, New Jersey Court’s Decision Provides Roadmap For Access To Employees’ Restricted Social Media Content, Workplace Privacy Counsel (Aug. 27, 2013), which addresses a recent decision in a case whose prior opinion was discussed in Venkat Balasubramani, Accessing an Employee’s Facebook Posts by “Shoulder Surfing” a Coworker’s Page States Privacy Claim — Ehling v. Monmouth Ocean Hosp., Eric Goldman Blog (June 4, 2012).

As to a reboot of the ECPA for the 21st century, of course none of us — including our state legislators — can force Congress’ hand.

Congress Asleep at the Switch with SNOPA (why didn’t they call it “SNOOPA”?)

 Speaking of Congress, don’t hold you breadth for the oft-threatened ECPA reboot.   As in the notice-of-data-breach 
 context, the states have jumped in to fill the void in this arena because of Congress’ inaction.   On the federal level, the
 “Social Networking Online Protection Act” (SNOPA) was introduced in the House as H.R. 5050 on April 27, 2012 and
 reintroduced on February 6, 2013.  But the bill has languished with no activity since then.

Two Dozen More State Bills Pending

 Approximately two dozen states have pertinent pending 2013 legislation (linking to 2012 legislation compilation).
 Some of those states are considering entering the fray for the first time.  Others — California, Delaware, Illinois and Maryland —
 are contemplating beefing up or expanding their current provisions.

Open Issue = “Shoulder-Surfing”

Banning forced disclosure of logins/passwords has been the thrust of the pertinent statutes so far.   Thus, some of the enacted and pending bills have been silent as to the related practice of “shoulder-surfing” — namely, having an interviewee log into, e.g., her/his Facebook while the interviewer stands or sits behind the prospect so as to see all the private content to which the applicant is instructed to surf.

At first blush, conceptually shoulder-surfing seems quite similar to login/password access.  But maybe there are differences, such as that the element of surprise might not allow an applicant the chance to “clean up” his or her social-media possts and friends/followers lists.  And maybe, some ban exceptions should exist in certain public sector situations.

Apparently, cities and counties  like to be able to try to sniff out whether prospective cops have relatives or friends who are gang members.  On the other hand, government action intruding into individual privacy is a constitutional law concern for public agency employers.

As to the various sides and aspects of the shoulder-surfing issue, see generally: Bob Sullivan, Govt. Agencies, colleges demand applicants’ Facebook passwords, NBC News (Mar. 6, 2012).  And the above-linked Gordon/Hwang piece sheds some light on which of the first 12 password-bans bans ostensibly did and did not address in-person shoulder-surfing — and on some do’s and don’ts (mostly don’ts).

The Future?

Stay tuned for developments in this area, as one state after another takes the plunge.