Are IoT devices making a concrete difference in civil discovery? The answer is yes, but we’re still in the early stages. The trend, however, suggests that eDiscovery is likely to undergo a sea change in the next 3-5 years, if courts direct defendants to produce raw IoT sensor data or big data analytics derived from IoT devices. See Gordon v. T.G.R. Logistics, Inc., 321 F.R.D. 401 (D. Wy. 2017) (“More data has been created in the last two years than in the entire previous history of the human race and the amount of data is predicted to grow 10-fold by 2020.”) (citing Data set to grow 10 fold by 2020 as Internet of things takes off, Antony Adshead, ComputerWeekly.com/news/2240217788).
The proliferation of IoT data and devices creates a whole new set of challenges for in-house counsel, outside counsel, and eDiscovery companies. See Huawei Techs. USA, Inc. v. U.S., 440 F. Supp. 607, 640-41 (E.D. Tex. 2020) (defining IoT devices and summarizing security risks of the increasing number of devices). There is little regulation of smart devices so far, aside from individual states like California. Similarly, a lack of consensus exists surrounding applicable standards and legal frameworks that govern the design, manufacture, and performance of IoT products in general. In addition, internal processes have not yet been established to locate, preserve, and review data from IoT devices. Thus, companies are left without much direction, either to avoid litigation in the first instance or defend against overly burdensome discovery requests once litigation commences.
The very nature and growth of IoT devices are expanding the civil discovery landscape. For example, data from hundreds of sensors in cars and airplanes are becoming central when there’s an accident or crash. Smart cameras, smart locks, fitness wearables, stored app data, sensors monitoring aspects of agriculture, consumer products, electrical grids and other infrastructure, smart medical devices, and industrial automation sensor data may be relevant in specific cases. In-house counsel, outside counsel, and judges must educate themselves about these new sources of information and what data can be derived from them.
One characteristic of IoT devices may limit civil discovery to some extent. Unlike computer hard drives, servers, and cloud storage, many of the tiny, individual sensors in existing IoT devices are not robust enough to receive security upgrades (a separate security challenge addressed in a different blog). Similarly, many of these sensors do not store data, or don’t store it for long, nor can data be downloaded from individual sensors. Thus, discovery battles will likely center around the huge amounts of data these sensors send to a gateway or the cloud and/or the end product used by companies once the IoT data has been analyzed and synthesized.
As one example of IoT data recently used in civil litigation, plaintiff’s counsel in a personal injury case used Fitbit data to prove damages, demonstrating how much his client was disabled as a result of the defendant’s alleged conduct.
Class actions have been initiated over Amazon’s Ring doorbell and other IoT products when there have been hacks or other security breaches, alleging a variety of tortious conduct.
Amazon has been sued in a separate class action for violations of Illinois’ Biometric Information Privacy Act. The company allegedly violated privacy laws with its smart camera technology by creating face embeddings or “face templates” – highly detailed geometric maps of the face that are unique to each person, just like fingerprints.
The putative class action also alleged that Amazon stored this biometric data insecurely and unencrypted, with unfettered Amazon employee access. In addition, Ring allegedly partnered with and provided video and facial recognition data from its smart doorbells to law enforcement agencies without consent, further violating consumer privacy.
In a separate class action under Illinois’ Biometric Information Privacy Act, several months ago Facebook agreed to settle for $550 million for alleged violations of the statute by using face templates and facial recognition technology. The three Illinois class representatives said they were never told that the site’s photo tagging system used facial recognition technology to analyze photos and then create and store face templates. Facebook turned off that feature by default in 2019.
So far, most of the litigation involving IoT discovery has occurred in IP or criminal cases. See, e.g., Alarm.com Inc. v. ipDatatel, 383 F. Supp. 3d 719, 722 (S.D. Tex. 2019) (IP dispute over patent for a smart home-security system). In the criminal context, Fitbit data has been used to establish a victim’s approximate time of death, as well as a criminal defendant’s location when he claimed to be elsewhere. In one New Hampshire case involving a double homicide with no eyewitnesses, prosecutors sought evidence from an Amazon Echo and its voice-recognition system, Alexa. Investigators argued that the device might have been awakened by spoken words during the time of the murder. They seized the device, but the data and sound recordings were housed on servers controlled by Amazon. Amazon objected to providing the information based on privacy implications and First Amendment rights.
In a separate case, a criminal defendant was accused of killing a Georgia police officer, and investigators also sought possible sound recordings from an Amazon Echo device. Amazon again resisted investigators’ efforts to obtain the device’s stored sound data. However, the criminal defendant who owned the Amazon Echo subsequently consented, and Amazon complied without a court battle.
As when the Federal Rules were amended to focus on electronically stored information, we can anticipate significant changes in discovery based on the growing prevalence of smart devices. Counsel and the courts are going to have to decipher all of these IoT devices and the data they collect, in a manner that makes it cost-efficient and reasonable for parties to collect, review, and analyze the information.