Leveraging the Power of Data From “Things” – The Internet of Things

Authentication of all gathered evidence is needed for the court to consider, and rule upon its admissibility. Considering the growth of new IoT devices and their expanding use, identifying and understanding the constitutional issues and privacy rights will continue to gain importance in courtroom disputes.

As with all forms of evidence, counsel should consider how to authenticate and use the IoT data in dispositive motions or at trial. Where IoT data is retrieved from a non-party service provider or manufacturer, counsel may need to authenticate the data by establishing account credentials and ownership through interrogatories, requests for admission, or depositions or through other common or uniform credentials, such as email or physical addresses, telephone numbers, photographic identifiers, or biometric data that links the IoT data with the device owner.

At the outset of a dispute, counsel should analyze whether IoT devices and data may be relevant to any party’s claims or defenses (Federal Rule of Civil Procedure (FRCP) 26(b)(1)) and be proactive regarding the preservation of that potentially relevant data. Where IoT data may be relevant, counsel should determine early on the potential need to specifically address IoT devices and data with the parties’ counsel as well as with adverse or non-parties.

Data from an IoT device should be considered just as other forms of ESI data; a data’s source or location is a consideration when determining whether and how to ensure the preservation of IoT data. Counsel should keep in mind that IoT data is likely to exist in multiple locations that are controlled by various parties and non-parties, including service providers, device manufacturers, and owners of the actual IoT device(s).

There are duties and obligations on the parties with respect to the preservation of potentially relevant IoT data. As with disputes involving other types of ESI, parties must preserve IoT data if it is relevant to pending or reasonably anticipated litigation, or else face sanctions (FRCP 37(e)). Where relevant IoT data also resides on a tangible device, the federal common law requires potential litigants to preserve the device when they reasonably anticipate litigation. Counsel preparing a litigation hold for clients should consider including instructions to place a litigation hold on IoT devices and their data. Since many of these devices are new and novel, some litigants or document custodians may be unfamiliar with the term “IoT” or fail to recognize IoT devices as a potential source of relevant information.

• Specifically describe the IoT devices and data subject to the hold,

• Identify the type of IoT data likely to be relevant.

• Additionally, if counsel has any concern that a relevant IoT device may be destroyed or misplaced, counsel should consider pursuing the collection of the IoT device and data as soon as possible.

• The loss or destruction of an IoT device may render relevant data inaccessible and make it difficult or impossible to preserve related data.

• Client IoT data that resides with non-party data service providers may expire under the providers’ existing retention periods. These providers may have short retention periods for that data, particularly where the device owner’s subscription does not include payment for the provider to maintain the data on a long-term basis.

The next time you are faced with trying to prove (or refute) a particular fact, give some thought to things that may have been used, interfaced with, or interconnected. Think about where the data might be found to support your claims. Home computers. External devices. Wearables. Smart speakers. Smart home devices like thermostats. Smart doorbells. The public cloud. The GPS in a vehicle. Trying to prove the theft of trade secrets? Did the alleged perpetrator travel? Did the travel leave “footprints?” Would it help your case to find and collect these footprints? Data exists everywhere. Learning how to properly collect and maintain it, authenticate it and leverage it will continue to place you ahead of the pack.

IoT data is unique in many ways. It is not created by humans. It’s not clear who has possession, custody, and control of the data these devices generate. The data comes and goes quickly and must be acted upon quickly to ensure accessibility, proper preservation, and admissibility. It is now and will grow to be an even more valuable resource in cases of product liability, negligence, family law. But the care and handling of the data these devices generate is of utmost importance and should not be left in untrained hands. The 2017 additions to Rule of Evidence 902, paragraphs (13) and (14), allow for authentication of electronic evidence by an affidavit of a “qualified person” who can certify in writing that the data was obtained within the requirements of Rule 902(11) and (12).

Imagine the possibilities…