Editor's Note: We have already seen insurance coverage issues revolving around connected devices, including this arson case where an arsonist was betrayed by his pacemaker, a case involving an Arkansas man, a murder, and an Amazon Alexa as the only witness, and one fraud attempt involving a smart-watch. Read more about these cases here, and try to keep your mind open when the IoT is involved in a claim.
While estimates vary, the number of globally Internet-connected devices now ranges anywhere from 20 to 30 billion—a staggering statistic that only becomes more staggering when considering the amount of data created by those devices. See Leading the IoT, Gartner, at 2; Gilad David Maayan, The IoT Rundown for 2020, Security Today (Jan. 13, 2020).
At a macro level, the "Internet of Things" or "IoT" describes "dedicated-function objects" connected to the Internet (e.g., refrigerators, vehicles, or washing machines). See Leading the IoT at 2. Traditionally, those devices performed singular functions without regard to any other devices or Internet data. But, as technology has infiltrated every aspect of our daily lives, consumers have grown accustomed to IoT devices—whether they know it or not. These IoT devices transmit data back and forth to centralized servers or data repositories, or they communicate with other devices in the home. For simplicity, we employ the term IoT devices to also include wearable devices, such as smart watches and sleep tracking devices.
IoT devices benefit from exponentially more data to make mundane tasks more efficient and customizable. For example, homeowners simply can open their doors to set off a chain reaction of smart devices connected to Wi-Fi, such as deactivating an alarm, changing the lighting and music, adjusting the thermostat, preheating the oven for dinner, and opening the blinds. Perhaps even more pertinent to litigation, health data and other personal information are routinely collected by many IoT devices. The latest Apple Watch Series 6 can now measure blood oxygen levels, take an ECG, and measure fitness and other health metrics. "Smart scales" can measure and transmit weight, BMI, heart rate, and body composition. And, of course, Alexa and Google Home are continuously "listening" to conversations throughout the home. See Grant Clauser, Amazon's Alexa Never Stops Listening to You. Should You Worry?, New York Times (Aug. 8, 2019).
How can IoT data impact your individual clients in federal court litigation? The Federal Rules of Civil Procedure provide some guideposts, but much is uncertain given the relatively new introduction of many IoT products and the rapidly developing feature sets. Additionally, while outside the scope of this article, state court procedural rules may vary on the collection, search, and production of IoT data.
Initial Considerations and Disclosures
Immediately after being retained, attorneys must advise clients to preserve any IoT data to the extent possible given the preservation obligation in anticipation of and during litigation. This should include an early discussion about which "smart devices" your client owns and employs—including any devices in their home that may be collecting relevant data. That data may impact the allegations of the case and early discovery strategies. Also, attorneys and clients should investigate whether IoT devices have any "auto-delete" functions that can be disabled.
These early client discussions should similarly focus on mandatory initial disclosures, which include "a description by category and location" of electronically stored information (ESI) in a party's possession, custody, or control. See FRCP 26(a)(1)(ii). Attorneys should perform a good faith investigation to determine whether any of a client's IoT devices contain potentially relevant data, even if arguments are later made to exclude those devices and their data from discovery.
Additionally, attorneys should consider whether to include or exclude IoT devices in an ESI Protocol at the initial stages of litigation. Often, an ESI Protocol delineates the sources or devices from which data must be collected and searched. To the extent your client has any relevant IoT devices, you may seek to exclude those devices as inaccessible or unnecessarily burdensome or costly.
Is IoT Data Even Relevant to the Case?
The Federal Rules of Civil Procedure provide a generalized standard of relevance, allowing for the discovery of "any nonprivileged matter that is relevant to any party's claim or defense," subject to proportionality considerations. FRCP 26(b)(1). Relevance of IoT data, of course, hinges on the claims at issue and a variety of other circumstantial factors. In cases concerning a plaintiff's health, for example, defendants may argue that relevant IoT data includes physical health data on personal and home devices—such as Apple Watches, Fitbits, "smart scales," Wi-Fi enabled thermometers, and more. Attorneys should discuss this closely with clients and perform due diligence about the various devices to ensure the data is indeed relevant. Attorneys also should investigate whether such health data is reliable. See, e.g., Kalyeena Makortoff, Study Claims Fitbit Trackers Are 'Highly Inaccurate,' CNBC (May 23, 2016).
Other IoT data may apply to an even broader set of cases, such as geolocation data. Because many devices now track geolocation data (i.e., a user's or device's location measured by GPS coordinates), that data could be relevant to a variety of federal court matters, such as consumer class actions, employment litigation, mass torts, and insurance litigation. Seemingly innocuous devices may even be used to prove or disprove location data, such as a smart home thermostat that only activates when individuals are at home (e.g., the Nest Thermostat lowers energy usage when no one is home). To the extent your client has any such devices, you should have early discussions to determine whether there is any reason that IoT data confirms or conflicts with the allegations in the complaint.
Proportionality Considerations
As federal court practitioners undoubtedly are aware, proportionality considerations often weigh heavily on discovery matters in complex federal court litigation. Considerations include "the importance of the issues at stake in the action, the amount in controversy, the parties' relative access to relevant information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit." FRCP 26(b)(1). The parties' access to relevant information, the burden and expense, and the parties' resources all have significant bearing on the potential discovery of IoT data.
In many cases, defendant companies employ proportionality as a means of limiting their own document and data productions. However, proportionality may be used as a defense for individual clients seeking to bar discovery into IoT devices. First, does your client have access to the relevant data? This may very well depend on the device and the storage of the data. For example, health data on Apple Watches may be readily accessible through applications on the device, while historical data on a smart thermostat may be difficult to obtain and only available through third party subpoenas. Second, what are the expenses associated with collecting, searching, and producing the IoT data? Is there available software to process and organize the data? Determine how much it would cost to manually collect data and weigh that cost against the relevance of the information. And third, does your client have the means to fund the search and collection of such data? Unlike emails and standard documents, which are routinely collected and processed, discovery of IoT data could command significant time and resources depending on the size of the case. Such discovery could prove quite costly and burdensome.
Privacy Considerations
In many federal court matters, individual clients may voice privacy concerns when faced with burdensome discovery requests. Those concerns often focus on whether a vendor or attorney will comb through the client's text messages or private social media messages. With IoT data, though, the privacy concerns may be even more heightened depending on the device. Consider your client's concerns especially when health data is at issue. To that end, HIPAA, the federal health privacy law used to protect patients, may not apply to wearable devices and other smart health tracking devices. Rather, HIPAA only applies to "covered entities," including health plans and healthcare providers. See A Shared Responsibility: Protecting Consumer Health Data Privacy in an Increasingly Connected World, Manatt Health, at 7 (June 2020) (discussing why HIPAA may not cover smart watches or other health technology devices). While state laws may protect some data, be careful to consider any privacy implications of IoT data.
* * *
As clients continue to amass more IoT devices and employ them in their daily lives, attorneys must be cognizant of the impact those devices may have on litigation and discovery. Additional investigation and research may be necessary at an early stage to determine both relevance and proportionality.
Brian Morrison is a partner with Tadler Law, where he focuses on class actions and other complex litigation, and he also advises companies on contractual disputes and employment matters. Joann Militano is a senior associate with the firm, where she focuses on pursuing and mining electronically stored information in nationwide class actions and other complex litigation.