Can You Trust Your Expert Witnesses With Confidential Data?

• Author: Sharon D. Nelson and John W. Simek
• Date: July 27, 2017

Not always. There was a recent case in which confidential data was not, to put it mildly, well handled. The corporate defendant, a mortgage servicer, was accused of violating a consumer’s privacy rights based on the manner in which it handled collection calls. The defendant protected its customer data with layers of network security consistent with best practices and ISO guidelines. During discovery, the plaintiff’s experts received the calling data and copies of the customer service call recordings.

Both experts had unrelated full-time day jobs. Their expert witness work was a side business run out of their homes. Neither expert had a technical degree, and neither had taken a course in data security for over a decade. Both experts stored the sensitive case data in their homes. There were no locks on the doors to their home offices, so anyone in the houses had access to the drives. Neither expert was familiar with the basic ISO standards relating to data security. Neither had a written data security plan for their home network, and no outside company had ever performed vulnerability or penetration testing on their networks. One expert had no automatic intrusion detection software on his network. Both routinely produced data with sensitive PII (personally identifiable information) in unencrypted form.

The produced debt-collection calls included highly personal discussions in which debtors explained why a mortgage was in default, such as health or financial problems. One expert testified that he kept these recordings on an unencrypted portable laptop and accessed it on his home and public Wi-Fi networks. He also produced the call recordings to a third party to obtain technical assistance. The third party was not asked to execute the protective order, and that data presumably still resides on the third party’s servers.

Well, you get the message. Expert witnesses, including us, routinely receive highly sensitive PII for review and analysis. Sensitive PII (SPII) is data that, if lost, compromised or disclosed without authorization, could result in substantial harm or embarrassment to the individual.

Attorneys cannot ignore how their experts manage the data produced to them. When highly sensitive data is produced in a lawsuit, it is removed from the protected network environment built by the data’s owner and produced to the lawyers on the other side. The manner in which it is produced is up to the producing party. Sometimes the data is scrubbed of identifying...