Calm abstract legal illustration related to 2010 03 aba techshow highlights trends in virtual law practice social media strategy data security and e discovery.
ArchivesNews & Cases

E discovery rules for virtual practice, social media, and security

By Lucas S.
10 Min Read

The material in this article is general legal information for educational use only. It should not be treated as legal, financial, or tax advice, and reading it does not form an attorney-client relationship. Legal rules vary by jurisdiction and change frequently. Questions about a specific matter belong with a qualified professional. The author and publisher disclaim liability for actions taken in reliance on this content.

Key Facts
  1. Federal level: Federal Rule 26(f)(3)(C) requires the discovery plan to address issues about “disclosure, discovery, or preservation of electronically stored information,” including the form or forms in which it should be produced.
  2. Federal level: Federal Rule 26(b)(1) limits discovery to nonprivileged matters that are relevant and proportional to the needs of the case.
  3. Federal level: Federal Rule 34(a)(1)(A) permits a request for designated documents or electronically stored information stored in any medium and allows production after translation “into a reasonably usable form.” **.
  4. Federal level: Federal Rule 34(b)(2)(A) requires production responses within 30 days after being served (with a related 30-day timing tied to the Rule 26(f) conference when requests are delivered under Rule 26(d)(2)).
  5. Federal level: Federal Rule 37(e) authorizes ESI spoliation measures only when lost ESI “should have been preserved,” was lost because of failure to take reasonable steps to preserve it, and “cannot be restored or replaced through additional discovery.”.
  6. Federal level: Under Federal Rule 37(e)(1), the court’s measures must be “no greater than necessary to cure prejudice.”.
  7. Federal level: Under Federal Rule 37(e)(2), harsher outcomes (including presumptions, jury instructions, dismissal, or default) require a finding that the party acted with intent to deprive another party of the information’s use in the litigation.
  8. Federal level: HIPAA Security Rule administrative safeguards require a security management process that includes risk analysis (required) and information system activity review (required).
  9. Federal level: The GLBA Safeguards Rule includes breach notification timing; when the notification event involves at least 500 consumers, notification to the FTC is required “as soon as possible” and no later than 30 days after discovery of the event.
  10. National overview: FTC guidance states that all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted security-breach notification laws for personal information, and it cautions that notice requirements depend on the types of information involved.

This legal information provides a Federal overview of how ESI from virtual practice and social media can become part of discovery, and a State-focused overview of breach-notification concepts. Sources are linked throughout.

Contents

Why “virtual practice” and social media show up in discovery

Virtual practice and social media strategy often generate records in cloud accounts, apps, and devices. In Federal civil litigation, those records can be treated as electronically stored information (ESI), so they may need to be addressed in early discovery planning, produced in usable formats, and preserved to avoid spoliation disputes (see the Federal Rules and the linked regulations/guidance below).

The federal ESI workflow starts with the discovery plan

In Federal court, discovery planning is not only logistical—it also requires early attention to ESI. Federal Rule 26(f)(3)(C) requires the parties’ discovery plan to address issues about disclosure, discovery, or preservation of ESI, including the “form or forms” in which it should be produced. Federal Rule 26(b)(1) then limits discovery to nonprivileged matters that are relevant and proportional to the needs of the case (Fed. R. Civ. P. 26(f)(3)(C), Fed. R. Civ. P. 26(b)(1)).

How Rule 34 frames production of digital content

Federal Rule 34 governs requests for production. Under Rule 34(a)(1)(A), a requesting party may request designated documents or ESI that is stored “in any medium” and that can be produced directly or after translation “into a reasonably usable form.” Rule 34(b)(2)(A) sets a response deadline: the responding party generally must respond within 30 days after being served (and the rule ties a related 30-day timing to the Rule 26(f) conference when requests are delivered under Rule 26(d)(2)) (Fed. R. Civ. P. 34(a)(1)(A), Fed. R. Civ. P. 34(b)(2)(A)).

Social media records fit the same ESI model

A common confusion is to assume social-media content triggers a totally different “platform rule.” In practice, Federal discovery often turns on how the information is designated and managed as ESI under the Federal discovery plan, production requests, and proportionality limits—rather than on the name of the platform.

For broader background on how courts and judges approach new media questions, see Judges all a twitter over new media.

Preservation and sanctions under Rule 37(e) (the spoliation framework)

Discovery disputes frequently become preservation disputes. Federal Rule 37(e) addresses what happens when ESI is lost: it applies when the ESI “should have been preserved,” it was lost because a party failed to take reasonable steps to preserve it, and it “cannot be restored or replaced through additional discovery” (Fed. R. Civ. P. 37(e)).

Rule 37(e) then sets two remedy levels. If the court finds prejudice, Rule 37(e)(1) allows measures “no greater than necessary to cure prejudice.” If the court finds intent to deprive another party of the information’s use, Rule 37(e)(2) allows more severe remedies such as presumptions, jury instructions, dismissal, or default (Fed. R. Civ. P. 37(e)(1)-(2)).

The Federal Judicial Center’s summary of the 2015 amendments also emphasizes that Rule 37(e) “does not create a duty to preserve ESI” and instead leaves in place the common-law duty (Federal Judicial Center: Civil Rules 2015—Failure to Preserve ESI).

A compact map of the Federal ESI rules (planning → production → preservation)

Discovery stage Rule text focus Practical takeaway for virtual practice/social media Main authority
Planning Address ESI disclosure/discovery/preservation and production form(s) Early decisions about what is preserved and what format is produced Fed. R. Civ. P. 26(f)(3)(C)
Production Request/response mechanics and translation into usable form ESI requests can require “reasonably usable” production Fed. R. Civ. P. 34
Lost ESI Conditions and remedy tiers for spoliation Lost ESI remedies depend on preservation failure + ability to restore + prejudice/intent Fed. R. Civ. P. 37(e)

Data security rules create separate compliance expectations

Federal ESI discovery and data security compliance can overlap because both concern how digital records and systems are handled—but they are not the same legal obligation. For HIPAA-covered entities and business associates, the HIPAA Security Rule’s administrative safeguards require a security management process that includes risk analysis and information system activity review (and those elements are described as required in the regulation) (45 CFR 164.308).

For financial institutions governed by the GLBA, the Safeguards Rule requires “reasonable administrative, technical, and physical safeguards” and also contains breach-notification provisions tied to specific notification-event scenarios and timelines (16 CFR 314.4).

For related privacy background, technology raises significant privacy concerns, experts say aligns with the broader theme that technology choices affect both risk and recordkeeping.

How GLBA notification timing works, and why it can matter

Under the GLBA Safeguards Rule notification provision, when a notification event involves the information of at least 500 consumers, the financial institution must notify the FTC “as soon as possible” and no later than 30 days after discovery of the event (16 CFR 314.4).

Breach notification is largely state based in practice

FTC guidance describes a federal/state split: it states that all states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted security-breach notification laws for personal information. The FTC also cautions that notice requirements depend on the types of information involved—so the details typically require checking the relevant Federal and state authorities for the information at issue (FTC: Data Breach Response: A Guide for Business).

Sources

Share This Article
ByLucas S.
Follow:
I am an independent writer and researcher with a deep interest in law, public affairs, and how the U.S. legal system operates in the real world. Regarding the key facts about my work, my role consists of providing plain-English legal explanations and covering various lawsuits and legal disputes. My approach involves preparing articles using the primary sources listed on each page. I am not an attorney or a lawyer and I do not provide legal advice. The primary areas where I focus my research include explaining complex legal topics in plain English, translating official legal materials into accessible explanations, and following current lawsuits and court cases. You should consult a qualified professional for advice regarding your own situation.
Previous Article Calm abstract legal illustration related to 2010 03 aba brief weighs in on christian legal society case. Christian Legal Society case and the 2010 ABA amicus filing on campus access
Next Article Calm abstract legal illustration related to 2010 03 economic recovery health care mediation and same sex dissolution to be topics at aba spring conference. Same sex divorce mediation in a 2010 ABA archive recovery
Most Popular

You Might Also Like