Reflections of a Former FISA Judge

Gorton_Nathanielby Judge Nathaniel M. Gorton

Voice of the Judiciary

At the time I was appointed to the Foreign Intelligence Surveillance Court (“the FISA Court”) by the late Chief Justice William Rehnquist in mid-2001, very few judges, let alone members of the public, had ever heard of that Court.  September 11, 2001, changed all of that.  Now, most of us are well aware of the existence and purpose of the FISA Court, if not the details of its operations, and currently it is smack in the middle of the debate about trade-offs between civil liberties and national security.

For the record, I served on the FISA Court from 2001 to 2008 and therefore have been emeritus for almost six years.  I am not part of the recent controversy or privy to the details of the technology now under heavy scrutiny, but I believe I am still in a position to explain the importance of having such a Court and its value to the overall security of the nation.  That is the purpose of this article.

First, I need to dispel a lingering myth about what I still hear referred to as the “secret FISA Court”.  It is not secret.  It was created by statute in 1978, now embodied in Title 50 of the United States Code.  How the court is structured, the extent of its authority, the kinds of applications it is to consider and the minimization of the use of the intelligence gathered are all spelled out, in some detail, in the statute.

The FISA Court is intended to and does, in fact, provide judicial oversight to the gathering of foreign intelligence for national security purposes.  Before there was a FISA Court, one agency of the Executive could decide when another agency of the Executive was entitled to conduct electronic surveillance and physical searches for that purpose.  That is no longer the case.  Now a United States District Judge stands between those agencies and determines the propriety of surveillance that, in some circumstances, is of critical importance.

A timely reminder of that importance came from a recent acknowledgement by Former CIA Acting Director Michael Morell, a member of the President’s Review Group on Intelligence and Communications Technology.  He observed that had the currently maligned metadata program been in place before September 2001 “it would likely have prevented 9/11.”  Can there be any more compelling reason to continue such surveillance?  And, if continued, shouldn’t the authorization of such surveillance be under the tutelage of qualified independent judicial officers?  The Foreign Intelligence Surveillance Act provides for just that.

Membership on the FISA Court is a matter of public record but, as far as I know, none of the judges on the Court has ever been of a mind to advertise his or her appointment.  In fact, it is rare for a sitting FISA Judge to speak about the Court in public or even to write about it.

What is secret (i.e., classified) about the Court are the facts and details of the specific applications referred to the Court for decision.  The need for such secrecy is obvious:  the Court is dealing, in many cases, with people or organizations who demonstrably want to destroy our way of life.

FISA judges are appointed by the Chief Justice to staggered, non-renewable terms of seven years.  Because the judges are from different circuits, there is wide geographic diversity and, although it was not the case in my day, the Court is now almost equally balanced by gender.

The FISA Court is in session every week but the judges do not sit en banc.  Rather, they sit singly at regular intervals.  Although the workload of the Court is unpublished, it has been accurately reported that the number of FISA applications considered and approved over the past several years exceeds all Title III search warrants, federal and state, issued nationwide.  FISA judges work extremely hard while they are in Washington, D.C.  They read every application, each of which is long and detailed (although much of the material is of a repetitive nature).  I used to hold hearings on most applications, but I understand that practice is not as prevalent today.  The judges of the Court come together as a group twice each year to discuss procedures and rules and are privileged to attend an annual luncheon hosted by the Chief Justice at the Supreme Court, usually attended by the Attorney General and the directors of the investigative agencies with whom the Court interacts: the FBI, the CIA, and the NSA.

The statutory function of the FISA Court is to consider applications for electronic surveillance and/or physical searches.  A “significant purpose” of the requested search or surveillance must be to acquire foreign intelligence information.  The foreign intelligence must be “necessary” to protect against international terrorism or clandestine intelligence gathering activities and the applicant must also show that there is probable cause to believe that 1) the target of the surveillance is a foreign power (or the agent of a foreign power) and 2) the facilities targeted are being used (or are about to be used) by that foreign power or agent.  There is, however, no requirement of showing probable cause to believe that a crime has been committed,  a major distinction between FISA and Title III applications.

Each application considered by the Court is certified by the National Security Advisor or a Senate-confirmed national security official and is approved by the Attorney General, the Deputy Attorney General or the Acting Attorney General.  In other words, there is political accountability for every surveillance application that comes before the FISA Court.  That is an important safeguard because it means that every application is thoroughly vetted and screened before a FISA judge ever sees it.

The Court is assisted by very competent and capable full-time “legal counsel.”  It is their job to make sure that the applications presented to the Court are in full compliance with all statutory requirements.  Although applications are regularly approved, they are not infrequently withdrawn, revised and/or resubmitted with additional information before approval.  In fact, recent statistics show that FISA applications are initially rejected at a higher rate than are Title III applications.  Contrary to the opinion of some critics, FISA judges are not “rubber stamps” and the process works because the Executive and Judicial Branches both perform their functions conscientiously.  The Foreign Intelligence Surveillance Act was designed to (and does, in fact) provide for the protection of civil liberties, and the judges of the FISA Court diligently see to it that the statute is enforced.

That is why, frankly, I am disturbed by the recent rash of condemnation of the work of the National Security Agency and the effort to curtail significantly its surveillance function.  The work of law enforcement officers involved in our national security that I witnessed, and temporarily joined in overseeing, saves lives; and their investigations do not unduly invade the privacy of U.S. citizens.  The FISA Court plays a vital and necessary role in that regard, a role that should be acknowledged and protected by our leaders.

Judge Nathaniel Gorton was appointed by President George H.W. Bush in 1992.  He served in the Central Division (Worcester) until 2004 and has served in the Eastern Division (Boston) since then.

What’s Old Becomes New: Regulating the Sharing Economy

Cohen_Molly Zehngebot_Coreyby Molly Cohen and Corey Zehngebot

Heads Up

The Sharing Economy: An old concept made new through the internet-based sharing of underutilized space, skills, and stuff for monetary and non-monetary benefits.  Recently, a proliferation of start-ups have created digital platforms to connect owners with consumers.  These companies encourage people—and businesses—to use resources more efficiently and to share non-product assets (like time) as well as conventional “stuff.”  Citizens can share space in their homes (Airbnb), seats in their car (Lyft, Sidecar, UberX), places to park (Park Circa), used clothing (ThredUp), outdoor gear (gearcommons), time in the day (TaskRabbit, Instacart), and even capital (Zopa, Prosper).  This trend has attracted significant attention from thought leaders (in 2011, Time Magazine crowned it one of ten ideas that will change the world), venture capital (Uber recently received $258M in funding from Google Ventures, and a recent round of financing for Airbnb would value it above $10B), the media, and, most recently, Congress.  Nevertheless, regulatory mechanisms have not kept pace.

Small-scale, non-monetized sharing has historically been ignored or exempted by the legal system (though barter exchange is taxable).  The tipping point is near, however, as sharing with strangers becomes big business.  Forbes estimates the sharing economy generated $3.5 billion in 2013.  To grossly generalize, the law tends to prefer binary divisions: public and private, business and personal, donation and sale, consumer and provider, and, most saliently, my property and yours.  In the sharing economy, many companies blur these boundaries, resulting in a legal gray area.  Proponents, typically a younger, urban demographic, tend to view the regulatory hurdles as protectionism, serving entrenched operators in the market like taxicabs and hotels.  Yet, for municipalities, regulating sharing economy companies requires balancing the safety and welfare of the public with the potential for new economic development opportunities.

We’ve briefly highlighted a number of legal issues raised by the sharing economy.

Ownership: Can you share something that you don’t necessarily own? The app betrspot allows people to sell spots in line and seats at Starbucks.  The transaction transfers only occupancy and not real ownership, but Starbucks may argue that the seat was a non-assignable license, and therefore cannot be sold.  The earliest forays into the sharing economy—file-sharing systems like Napster—were quickly shut down because of alleged copyright violations.  The newer ventures may involve milder, but still important, questions about the nature of ownership.

Consumer Protection: When looking for a dog sitter on DogVacay, how do you know your pet will be well cared for?  Understandably, there are fears that unregulated transactions can endanger consumer safety.  For example, food exchanged via leftover-sharing sites, such as LeftoverSwap, may have been prepared inexpertly or in unsanitary conditions, creating a public health hazard.  As a solution, many companies have found that a two-way rating system of consumer and provider provides sufficient accountability, by serving as a “a self-enforcing form of consumer protection.”  Peer review and self-regulation foster a sense of community and are less costly than traditional enforcement mechanisms, although researchers have raised concerns that sharing economy participants may exhibit discriminatory tendencies.

Taxation: For tax purposes, is a ride-share provider like an UberX driver running a small business or franchise?  There’s been no consensus about how to tax the “sharing economy” due to the diversity of business types.  In some cases, participants may not be required to pay certain specialty taxes: e.g., it is unclear whether Airbnb hosts are required to pay hotel occupancy tax in most municipalities, but they still pay state and federal income tax.  Indeed, in many situations, it’s less clear how sharing economy transactions should or could be taxed.

Insurance: When you use your personal car to participate in a ride-sharing program for profit, are you covered by commercial insurance, personal insurance, or both, or neither?  In the event of an accident, the driver must rely on his or her personal policy, which may refuse the claim on the ground that the car was in commercial use at the time.

While ride-sharing companies typically provide drivers with commercial coverage, these policies don’t cover damage to the actual car.  (In California, companies provide $1 million liability coverage, higher than Massachusetts’ $20,000 minimum for bodily injury insurance for cabs.)  Moreover, commercial policies may not provide coverage when the driver isn’t operating Uber.  In a tragic San Francisco accident, an Uber driver killed a six-year-old.  While a cab driver would have had insurance through his company, there was no insurance for the Uber driver because he did not have a customer at the time of incident.  Since the incident, Uber has expanded its insurance coverage to include all drivers logged into the app and available for a fare.  More generally, there may be an opportunity for insurance providers to provide novel instruments for individuals and businesses.

Liability: Excited to learn to ski, you rent a pair of skis from gearcommons, only to break your arm in an epic fall down the mountain.  You later discover the skis were defective.  Is gearcommons liable?  While sharing economy companies face similar liability issues as brick and mortar companies, their existence as digital platforms creates new wrinkles.  When things go wrong, injured parties may argue that the provider was negligent in screening participants or goods.  Yet, these companies can argue that they are only technology platforms, serving to connect people or businesses, and therefore should not be held liable.  The companies’ claims reference the federal Communications Decency Act, which protects internet content-providers from liability associated with their content.

Zoning: If you live in an area zoned for residential use, is it a violation to rent out your apartment or condo short-term on Airbnb?  What about space in your private single-family home?  Zoning codes draw sharp distinctions between land uses and may or may not accommodate flexibility of use depending on the municipality.  The demographics of cities are changing, and a population increase in young, single workers has already had impacts on housing stock with the development of the micro-unit.  Coupled with concerns about housing affordability and shifts from a 9-to-5 workday to more freelance and project-based work, this area is ripe for some new thinking.

Licensing/Permitting: Common sense says your “pop-up” potluck shouldn’t need a business license, but how can one be sure?  What about eBay?  Should it be licensed as an auction house?  Many sharing economy companies are corollaries to entities that are already highly regulated and licensed (such as taxicabs, hotels, and restaurants).  It is often not clear whether a shared model would require the same permits and/or licenses as traditional operators.

A few municipalities have addressed these issues head-on, either creating legal exemptions for micro-entrepreneurs (as California Public Utilities Commission did for Lyft), or banning them outright (as Austin did by re-defining “rideshare” to exclude these start-ups).  While many cities have essentially been coerced into regulating ride-sharing due to lawsuits or social media campaigns, other issues—such as short-term rentals—are still nascent.

Boston and the Commonwealth of Massachusetts have not directly addressed these issues (except for a contentious and unenforced ban of Uber).  These are not easy issues to “solve”: the start-ups’ rapid emergence defy long regulatory timelines, and regulation may not be necessary in all cases.  However, cities that are willing to experiment and embrace regulatory innovation may thrive, along with the entrepreneurs who leverage new forms of collaborative consumption.  Though issues of compliance and enforcement are also present, the moment is ripe for Boston to be proactive rather than reactive.  There are tremendous environmental, social, and economic benefits of this activity.  How can the legal community be more open-minded about regulating “sharing?”  Boston has been a leader in developing and operating a bike-sharing program, and recently passed “enlightened” zoning to facilitate urban agriculture.  Tackling the sharing economy could be next.

Molly Cohen is a third-year student at Harvard Law School.

Corey Zehngebot, AIA, AICP, works as a Senior Urban Designer and Architect for the Boston Redevelopment Authority.

(Not) Wired: Electronic Coverage in the Federal Courts

Gertner_Nancyby Judge Nancy Gertner (Ret.)


I supported electronic coverage of court proceedings throughout my career, both as a lawyer — when I tried high profile cases in state court with camera coverage — and during the seventeen years that I was a federal judge — when I did not because of the federal ban on cameras.  I understand the concerns of the opponents, but they pertain to how to implement electronic coverage, not whether.  In fact, there is something quaint about the way some still characterize the debate — “cameras in the courtroom.”  In the 80’s, cases referred to the disruptive “glare” of the television lights and bulky cameras.  Now a handheld video camera, one hidden in the courtroom wall (I had a security camera behind a hollowed out law book), or even a smart phone can do the trick.  In the 80’s, with CourtTV broadcasting “gavel to gavel” coverage of trials, the debate was about televising proceedings.  Today, we talk about streaming videos over the Internet, or posting them on electronic dockets or court websites, even as the federal court posts transcripts and pleadings.  More stunning, only a short time ago reporters covered court proceedings with paper and pen.  Today they blog or “tweet” minute-by-minute accounts as in the recent trial of James “Whitey” Bulger.  (Gone is the “Perry Mason” moment of my first murder case, when, after a dramatic development, members of the press rushed out to find the public telephones and phone in their stories.)

To say I chafed at the federal ban on cameras in an understatement.  I testified before Congress in favor of legislation giving judges discretion to allow electronic coverage, with representatives of the Judicial Conference of the United States on the other side.  In Sony BMG v. Joel Tenenbaum, believing that the District Court’s rules permitted it, I allowed “narrowcasting” a legal argument to a specific publicly available web site.  The case pitted the record companies against college students accused of illegally downloading copyrighted music from the Internet.  I said: “This case is about the so-called Internet Generation – the generation that has grown up with computer technology in general, and the Internet in particular….  It is reportedly a generation that does not read newspapers or watch the evening news, but gets its information largely, if not … exclusively, over the Internet.”  The First Circuit reversed, in part based on a rule buried in the archives of the First Circuit Judicial Council, which no party had noticed before.  In Limone v. United States, which involved accusations of FBI misconduct in connection with the imprisonment of four men, I announced my decision in open court.  Because of intense public interest, there was an overflow courtroom into which a record of the proceedings was streamed, just as in the Whitey Bulger case.  The difference between streaming the proceedings to another courtroom, rather than to the public more broadly, is to me a distinction without a difference. Indeed, the public’s right of access to trials should not depend upon whether the case is high profile or not, whether it is of interest only to the parties, or of interest to the press.

Public proceedings in the 21st century necessarily mean electronic coverage.  We understand generally that to make something public requires affirmative efforts — courtrooms big enough to meaningfully include as many people as possible, overflow rooms, even handicapped access.  And today, it requires provision for media to bring in smartphones and computers — to stream the video, to blog, to tweet.

The federal courts lag woefully behind the states.  Forty eight states (including Massachusetts) permit electronic coverage; study after study has reported favorable results.  It does not impede the fair administration of justice and does not impair the orderly conduct of proceedings.  This is so even though the state court’s docket — with murders and rapes — is far more vulnerable to distortion than the federal courts’.

As the states move into their fourth decade of electronic coverage, federal courts are stuck in yet another “experiment.”  The first was a three year trial experiment in cameras (from 1991 to 1994), at the end of which a judicial committee recommended its continuation, namely televised coverage of civil proceedings at the trial and appellate level.  The United States Judicial Conference rejected the recommendation, except with respect to appellate courts.  Apparently, appellate courts can be trusted to exercise their discretion to broadcast arguments (as the 2nd and 9th circuit do); district court judges cannot.  After Congress threatened legislation, the Judicial Conference in 2010 recommended yet another pilot — a gesture at once unnecessary and inadequate.  It is unnecessary because the data is in.  And it is inadequate because it covers only civil proceedings, and requires all parties to consent.  Small wonder that since 2010, few if any cases have been televised.

Massachusetts Rule 1:19 goes much further, allowing “electronic recording or transmitting of courtroom proceedings open to the public” by the news media.  The definition of “news media” has recently been expanded to include private individuals who “regularly gather, prepare, photograph, record, write, edit, report or public news or information about matters of public interest for dissemination to the public in any medium whether print or electronic.”  In short, blogs are allowed — so long as the blogger is registered with the court (a potential issue as distinctions between traditional media and the citizen media grow more obscure).

In a recent murder case, the Superior Court judge barred Twitter, allowing online blogging only.  Tweeting, he suggested, with only 140 characters, could not adequately report the trial, and would be cumulative to other modes of real time access.  The line the judge drew was troubling.  If the tweeting is not disruptive of the proceedings — and it is not, any more than any other social media — it is not clear that a court should try to determine which electronic communications are adequate to the task, which outlet really needs to do it.

Trial judges plainly need to be the gatekeepers with respect to what is covered and how.  We have to learn how to draw careful and reasoned lines, particularly as the technology evolves. (“No cameras,” no matter how the technology and the audience has changed, is not a thoughtful policy; it is the opposite.)  Social media creates extraordinary challenges for the conduct of jury trials — especially, to warn jurors about going online during the trial, when they are used to doing that from the moment they wake up.  But we are a long way from the OJ Simpson case of twenty years ago, when the conduct of a televised trial was widely disparaged.  The challenge now is to appropriately regulate the new technology — not to ignore it.

Judge Nancy Gertner was appointed to the bench in 1994 by President Clinton. She has written and spoken widely on various legal issues and has appeared as a keynote speaker, panelist or lecturer concerning civil rights, civil liberties, employment, criminal justice and procedural issues, throughout the U.S., Europe and Asia. In September of 2011, Judge Gertner retired from the federal bench and became part of the faculty of the Harvard Law School teaching a number of subjects including criminal law, criminal procedure, forensic science and sentencing, as well as continuing to teach and write about women’s issues around the world.

The Boston Bar Association’s Marathon Assistance Project: One Year Later

OLYMPUS DIGITAL CAMERA Clark_Chris Jennings_Emilyby David S. Clancy, Christopher G. Clark, and Emily Jennings


Nearly one year ago, the Boston Bar Association (BBA) launched its Marathon Assistance Project to match volunteer lawyers with clients facing a range of legal issues created by the April 15, 2013 Boston Marathon bombings.  Some lawyers volunteered to represent individual victims of the bombings.  Others volunteered to assist small, independent businesses affected by the bombings.  Through the Marathon Assistance Project, the BBA responded to 100% of the requests for assistance from the community.

In response to the BBA’s request for volunteers, we signed up to help two individuals injured by the bombings prepare their submissions to the One Fund.  We met with our clients, gathered medical records and information, requested additional information from hospitals when necessary, wrote clear descriptions of the injuries sustained, and, for one client, appeared for an in-person interview with the One Fund.

One of our clients, a Marathon spectator, was standing on Boylston Street outside of a restaurant just yards away from the second blast.  She was wounded by shrapnel and sent by ambulance to a nearby hospital, where doctors told her that an X-ray indicated that her injuries did not warrant overnight hospitalization.  Despite her return home that same day, her troubles were not over; in the next few weeks, she experienced persistent ankle pain, concussive-like symptoms, hearing loss, and pain.  A subsequent MRI revealed that two pieces of shrapnel were still lodged in her ankle, and doctors also determined that she had experienced a concussion and sustained inner ear damage.  The injuries left her in a leg cast and using crutches for several months following the bombings, and today she still has difficulty with such simple matters as descending stairs or standing for a length of time.

Our other client was standing approximately 15 yards from one of the blasts.  Immediately following the explosion, he suffered significant and persistent hearing problems.  In the days and weeks after the bombings, he sought medical attention and was treated for his continued tinnitus.

Although both of our clients received a distribution from the One Fund in 2013, they continue to live with the impact of their experiences on Boylston Street one year ago.  The charitable contribution, while deeply appreciated and helpful, did not represent the end of their Marathon bombing experience.

For our part, we learned that there very much was a need, and place, for volunteer lawyer advocates in the aftermath of the Marathon bombings.  Certainly, the One Fund’s claims process was designed to be navigable by a layperson, and it was possible for victims to make successful claims without assistance.  Still, that process involved gathering documents, drafting a persuasive explanation of the injuries sustained, and getting the submission notarized — a practical problem, especially for someone who was immobile.  All of those requirements came at a time when individual victims were rightly focused on their recoveries, both physical and emotional.  BBA volunteers were able to take on this work for their clients, reducing the burden on people who, at that time, already had significant new challenges to address.

From our perspective, the BBA’s Marathon Assistance Project was valuable for another reason, which had less to do with the need for legal expertise.  People injured in the bombings, and their families, experienced a shocking and tragic event.  In our meetings with them, we sensed that, separate and apart from the usefulness of legal help, they appreciated the simple fact that an established Boston institution, and individuals associated with it, were listening to and supporting them.  It seemed that the mere existence of the project sent, and was gratefully received as, a powerful signal that affected individuals were part of a community that intended to embrace and assist them.  This message was reinforced by the fact that the BBA’s effort was one part of a constellation of other community contributions — including similar initiatives from other legal groups, monetary donations from across the globe (more than 195,000 individuals donated to the One Fund alone), and the unparalleled dedication and sacrifice shown by Boston medical professionals and first responders.

For these reasons, we are grateful to have been able to play a small part in the BBA’s Marathon Assistance Project, and to work with other attorneys who volunteered through that project, or otherwise, to address challenges created as a result of the bombings.  Some of those experiences are detailed in the following articles.  Shannon Capone Kirk represented a woman who was standing on Boylston Street and suffered significant hearing loss as a result of the bombings.  Jon Cowen and Rosanna Sattler represented several small businesses in the area around the Marathon finish line that were forced to close for 10 days while the crime scene was processed.  Sue Abbott and Lisa McChesney explain how they worked with the City of Boston to establish the One Fund and obtain expedited tax-exempt status from the IRS, a process that typically takes up to 18 months but which they accomplished in just one month.  The experiences of those volunteer lawyers — a small subset of the BBA members who volunteered — are told in the following articles.

David S. Clancy is a partner, Christopher G. Clark is an associate, and Emily Jennings was a summer associate, in the Boston office of Skadden, Arps, Slate, Meagher & Flom LLP. Their litigation practice encompasses a broad array of matters affecting public and private companies, including class action, securities law, insurance, intellectual property, employment, and transaction-related disputes at the trial and appellate levels.

Pro Bono Experience: Boston Marathon Bombing Victim

Kirk_Shannonby Shannon Capone Kirk


On April 15, 2013, I was thankfully in Palm Springs with my family for a wedding. I say “thankfully” because my husband is an ultra-marathoner.  He’d wanted to do the Boston Marathon, but we had to attend my cousin’s wedding clear across the country.  Being three hours behind, I woke up to the unbelievable.  Just like on 9/11, at first I couldn’t process the images I was seeing.  And then red.  We all saw red.  I yelled to my then nine-year-old son to leave the room.

“That’s blood on the pavement on Boylston,” I said.

I hated this feeling on 9/11.  And I hated this feeling on 4/15.  This feeling of the world crashing.  Of incapacity.  Of the deepest empathy for others you can feel—and yet, the competing certainty you are helpless to help anyone.  Later, Fox, CNN, all of them, kept showing pictures of Martin Richard, the boy who died.  A boy.  My son cuddled close on the couch.  I wept.  We went home after the wedding, and life went on as life goes on, and work got busy as work gets busy.  And I remained unhelpful.

A few months later, on June 13, 2013, the Boston Bar Association reached out to the Pro Bono committee at Ropes & Gray seeking assistance for a bombing victim with her One Fund application.  I’d need to meet the victim in person in Salem, New Hampshire, the very next day; she couldn’t converse on the phone given her hearing loss from the bombing.  Being from New Hampshire and suddenly remembering that awful feeling of incapacity, I snapped at the request, hopeful I could do something.  Plus, she was only in Salem.  Salem doesn’t require a plane ticket or visa or passport like a lot of my regular work.  It was literally the least I could do.

Gretchen greeted me kindly at her husband’s office in Salem.  She leaned in with her ear to listen to my “hello,” and then turned to lean into my face to shake my hand.

“You’ll need to speak slow so I can read your lips,” she said.

I started thinking about my mother in these initial minutes with Gretchen.  Trying to explain what I do for a living to my mother, who for as long as I can remember denied having a hearing problem, used to dissolve into a mess of loud words.  A mismatch of understanding at a raucous family dinner table.

“What?” she’d squawk loudly, even though she sat to my caddy-corner left.  Her face would scrunch and her eyes would close.

“….[blah, blah, blah…..] E-Discovery….terabytes….computer forensics…”

“Oh, Never. Mind,” she’d give up, shaking off her obvious annoyance—at herself, at me, I never understood.

The family conversation would go on around her, interjected here and there by her “What’s” until she’d give up, leave the table, and do the dishes.  I don’t think I noticed any of this until now, in retrospect, after working on a Boston Bombing case.

The One Fund application was actually pretty straightforward.  Filling it out, I figured, would be very unlike the work required to craft a preservation plan for firewall logs and ten databases in a data breach case.  I figured I’d be in and out in half-an-hour.  And yet, it was not until hours later when we finished the application.  We spent hours talking, loudly, slowly, repeating phrases, reading lips, undergoing translations of English to English, organizing a labyrinth of medical records and, mostly, distilling a very emotional account into a sterile, one paragraph blurb on her objective, physical injury.  For Gretchen, a human with a real problem larger than simply saying “hearing loss,” it took a while to uncoil the events of April 15th and how they changed her life, physically and emotionally.

Gretchen had already been diagnosed before the Marathon with hearing loss in both ears, the right side suffering from profound loss; the left, also functioning at a deficit, was considered her “good ear.”  So, in moving through the thick Boylston crowd with her fifteen-year-old, she worked hard to focus on keeping her son close to her side.

The first bomb exploded, crashing the air.  She turned her “good ear” toward the blast, unsure of what was going on.  Then, the second bomb ripped through the screaming crowd and this is what did her in.  Now both ears were damaged.

I wanted the One Fund deciders to know how hard it was to be left out of conversations with your own sons.  To hear wind instead of words.  Ringing instead of crisp birdsong.  I wanted them to “see” this invisible injury.  One that now, after the blasts, left Gretchen unable to differentiate peripheral noise, unable to hold conversations with multiple people, left her with increased tinnitus and multiple sounds running constant in her head: crickets, faucets, wind, ringing.  Noises.  Constant noises.  Not distinct voices.  And how voices too, they were all different.  Even her husband’s.  Even her own.  I wanted them to understand that now, Gretchen could no longer enjoy any music, could not separate the different notes.  I tried to imagine working, driving, cooking, running without the tinkling of the piano, the hypnotic waves of a cello, the thud-thud of motivating Hip-Hop, or the soul-soothing guitars of folk.  I wanted everyone to understand how Gretchen could never escape it—because it was always there, absolutely there, yet invisible to everyone else.

But, given the triage nature of the One Fund application—necessary to distribute funds ASAP to those in serious need—we had work to do.  In other words, we had to say how the sector of the hard drive was physically damaged, objectively prove it, and seriously distill, almost avoid, the frustrating, very real emotional side of how business stops when computers break.  As I explained this to Gretchen, and her husband handed tissues for her tears, and as I put her jumble of medical records in chronological order and in the best objective light, I watched her chin quiver and her fists clench.  I watched her retreat to her inner world.

I thought of my mom.

Gretchen was approved by the One Fund for Category D and received the pre-set distribution of funds.  She is thankful for the donations.  And certainly we all agree the focus of the Fund should continue to devote resources and charity to those most critically injured and those who suffered loss of life.  As for hearing loss victims, this too is a lifetime cost.  And a lifetime burden.  There is no cure.  And it’s not going away.

A few months ago, the Boston Bar Foundation’s Society of Fellows asked me to address how helping a Marathon victim impacted me.  It impacted me professionally and personally.  Professionally, I am sure I am just a pin in the hard drive, but I do have a pulse and I have a new knowledge on an invisible injury.  Personally, I hope I’m a better daughter.  How happy I truly am now to see my mother engaged and smiling, sitting with us at the table, wearing her hearing aids. I am better able to understand what she has gained.

Shannon Capone Kirk is a Chambers-ranked E-Discovery Counsel at Ropes & Gray and Professor at Suffolk Law.  Shannon’s international practice manages electronic data in litigation.

The Boston Marathon Bombing One Year Later:  Insurance Coverage for Business Raises Concerns

Cowen_Jon Sattler_Rosannaby Jon C. Cowen and Rosanna Sattler


One year after the Boston Marathon bombing, most retailers, hotels, and restaurants in the Back Bay have returned to normal business operations.  Many businesses have filed claims with their insurers for business interruption losses. Not all businesses, however, have been made whole, despite having insurance policies in place that were intended to provide such coverage.  According to data supplied by the Massachusetts Division of Insurance, 133 businesses made claims for business interruption losses.  Only half of them (64) received insurance payments.  What can be learned from their experiences and what, if anything, can business owners do to enhance insurance protection in the event of another catastrophic event?

As a participant in the Boston Bar Association’s Marathon Assistance Project, our firm, Posternak Blankstein & Lund LLP, volunteered to assist a number of Back Bay businesses impacted by the Boston Marathon bombing on a pro bono basis, in pursuing insurance claims.  One of our clients is a small retail store on Newbury Street that had been open for less than a year, and which was relying on the Boston Marathon to kick off a busy tourist season. Instead, it suffered a large drop in sales after the bombing.  Another client is a music recording and production studio which suffered losses from the bombing and resulting shut-down of the Back Bay.  In our experience, notwithstanding public sympathy and the urging of state and local officials to act expeditiously in resolving Boston Marathon bombing-related claims, many insurers have strictly interpreted policy provisions and they have sought to aggressively enforce policy exclusions and limitations, delaying or denying insurance payments.

The Boston Marathon bombing was the first terrorist attack to occur on U.S. soil since the events of September 11, 2001.  As such, it provided the first opportunity for insurers and policyholders to test the application of exclusions and affirmative coverage for terrorist events created under the Terrorism Risk Insurance Act of 2002 (TRIA).  At first, many feared that terrorism exclusions – by which insurance recovery is limited or excluded for losses resulting from terrorist acts – would prevent business owners from obtaining any recovery.  That fear was misplaced, however. It is now clear that terrorism exclusions had little, if any, impact on insurance recovery for businesses affected by the Marathon bombing.

The terrorism exclusion is triggered only when certain conditions are met. First, the Secretary of the Treasury, with the concurrence of the Secretary of State and the Attorney General, must certify that the event constitutes an act of terrorism under TRIA.  Second, the act must result in an aggregate loss of more than $5 million.  Third, the act must be a danger to human life, property or infrastructure and must be intended to coerce the civilian population or influence the policy or conduct of the federal government.

No certification has been made by the President’s cabinet that the Boston Marathon bombing constituted an act of terrorism – and it is questionable whether any such declaration will be made.  But even if it were, and even if aggregate losses exceeded the monetary threshold, no clear mechanism exists for establishing whether or not the Marathon bombers intended to coerce the civilian population or influence U.S. foreign policy under the third prong of the TRIA test.  Insurers who might avoid making payments by enforcing the exclusion have, perhaps wisely, decided not to press the issue; they would have the burden of proof to establish that the exclusion applies.  It appears that no property or business interruption claims were denied on the basis of the terrorism exclusion.

Although the terrorism exclusion has been largely a non-issue for businesses impacted by the Boston Marathon bombing, insurers have been cautious in making payments under another form of insurance known as the Civil Authority coverage.  In an event like the Marathon bombing, this type of insurance coverage has much broader application than standard business interruption insurance because it is triggered whether or not there is physical damage at the insured’s business premises.  The Civil Authority coverage allows recovery of lost business income and expenses so long as the business was forcibly shut down as a result of the actions of state or local authorities.  The Civil Authority coverage came into play here because a six block area surrounding the Marathon finish line was closed to the public for 10 days while the Boston police and federal law enforcement authorities conducted their investigation.

The Civil Authority coverage has been implicated in past natural disasters and, unlike the terrorism exclusion, there is at least some limited precedent for the handling of such claims.  But for Boston Marathon-related claims, insurers have been inconsistent in making payments under this form of coverage.  In one case we handled, the carrier denied coverage entirely. In another, the insurer paid for lost business income but refused to reimburse our client for extra expenses that also fall within the scope of coverage.  These differences cannot be explained by where the businesses are located – in both cases, the storefronts are on Newbury Street, outside of the area cordoned off for the crime scene investigation.  Slight differences in the policy language could be the explanation. For the business that was denied Civil Authority coverage, the policy required that access be prohibited to the area “immediately surrounding the damaged property.” For the client that received payment of a portion of its lost business income, the policy required only that the loss be caused “by action of civil authority.” However, that insurer has refused to pay for lost and spoiled inventory, denying that it constituted a “necessary Extra Expense” under the Civil Authority coverage.

The events of a year ago have raised awareness about the need for businesses to carefully assess their risks and to examine the scope of coverage provided by their insurance policies. For business interruption losses, coverage may vary widely depending on the insurer, the policy terms and applicable law. Policies differ both in terms of how coverage is triggered, and how losses are measured in the event of a loss. While some policies require a complete suspension of operations, others will allow recovery based on a material decline in business income between pre- and post-event levels.

The lesson learned is that when purchasing insurance policies, businesses must ensure that they have maximum protection in the event of a catastrophe. At minimum, this should include affirmative terrorism coverage, as well as business interruption, extra expense and civil authority coverage.

Rosanna Sattler is the Co-chair of and Jon C. Cowen is a partner in the Litigation Department of Posternak Blankstein & Lund LLP. Both regularly represent clients in complex first-party and third-party insurance coverage disputes.

Disaster Relief: The One Fund Boston Model

Abbott_Sue McChesney_Lisaby Susan L. Abbott and Lisa A.H. McChesney


The authors express their appreciation to the many others at Goodwin Procter who were part of the One Fund team, and in particular for the invaluable assistance of Stuart Cable, Mary-Kathleen O’Connell, and Alyssa Fitzgerald.

In the wake of the Boston Marathon bombings on April 15, 2013, Boston Mayor Menino and Massachusetts Governor Patrick proposed creating a charity to benefit the survivors and families of those killed in the attack.  On April 16, Mayor Menino reached out to local businesses Hill Holliday and John Hancock to assist with the creation of the One Fund Boston.  Later that day, before the fund was even incorporated and before Ken Feinberg was brought on as administrator, the One Fund received its first $1 million commitment from John Hancock.

As the One Fund’s attorneys, we at Goodwin Procter had to seek quick incorporation of the fund and apply on an expedited basis for 501(c)(3) tax-exempt status with the IRS.  However, applications for 501(c)(3) status often take up to eighteen months to process, and in addition, obtaining the necessary approval was challenging, due to IRS limitations on the types of distributions that charitable organizations can make to individuals in the context of disaster relief.

Generally, to qualify for tax-exempt status, an organization must show that it will assist a large enough or sufficiently indefinite charitable class so that it is providing a public rather than a private benefit.  In addition, in IRS Publication 3833, the IRS takes the position that an organization cannot distribute funds to individuals merely because they are victims of a disaster, but generally must determine that a recipient lacks adequate financial resources of his or her own.  The IRS therefore had questions about the One Fund’s plans to make distributions without financial needs testing.

The One Fund team worked closely with the IRS to overcome these issues and to show that the One Fund instead met the criteria for a 501(c)(3) tax-exempt charitable organization as an organization that lessens the burdens of government, focusing on the organization’s relationship with the City of Boston and the City’s role in approving distributions.  “Lessening the burdens of government” is an alternative method of qualifying as a 501(c)(3) organization.  As far as we know, this method has not been used before in the disaster relief context.  This approach to the formation of a relief organization allowed the One Fund Boston to accomplish its immediate and ongoing goals for distributions.

On May 14, just one month after the bombings, the IRS granted the One Fund Boston 501(c)(3) tax-exempt status.  The One Fund’s attorneys were able to use procedures for expedited approval and effective dialogue with the IRS to obtain this unusually quick and favorable result.

The One Fund has been a huge success and an important contribution to Boston’s recovery.  All of the $60 million in funds donated to the One Fund Boston through June 26, 2013 were distributed to those who were most affected by the bombings, in accordance with a protocol developed by Mr. Feinberg.  In addition, the One Fund Boston will continue to provide support for those affected and has announced that it will make a second distribution.

Public response to the swift action taken by the One Fund Boston has been favorable, and Mayor Menino noted that in his 20 years as mayor of Boston, he had never seen the business community come together so quickly on behalf of the citizens of Boston.

While the One Fund Boston model will not work in all circumstances, it may be an alternative to more traditional charitable models when there is significant government involvement.  In such cases, it provides an opportunity for the public and private sectors to work together to deliver expedited, direct benefits to those in need as a result of disasters.

Susan L. Abbott is a partner at Goodwin Procter LLP and Chair of the firm’s Tax-Exempt Organizations Group.  She led the pro bono team that incorporated, obtained 501(c)(3) status for, and advised the One Fund Boston. 

Lisa A.H. McChesney is an associate in the firm’s Trusts and Estate Planning Group and assisted with the One Fund Boston application for 501(c)(3) status.

SJC Holds That “Modern Rule” on Easements Applies to Registered Land

Pinto_Donby Donald R. Pinto, Jr.

Case Focus

In its recent decision in Martin v. Simmons Properties, LLC, 467 Mass. 1 (2014), the Supreme Judicial Court (“SJC”) held that the rule it adopted in its landmark decision in M.P.M. Builders, LLC v. Dwyer, 442 Mass. 87 (2004) – which allows the owner of land burdened by an easement to relocate the easement or change its dimensions – applies to easements appurtenant to registered land.  Rejecting a contrary holding of the Appeals Court, the SJC affirmed an underlying Land Court ruling that registered land is not exempt from the “modern rule” of M.P.M. BuildersMartin not only clarifies that M.P.M. Builders applies to registered land, it confirms that, in the wake of M.P.M. Builders, a long line of cases concerning the rights of parties holding easements that are clearly described or are shown on a plan is no longer good law.

Plaintiff Clifford J. Martin (“Martin”) in 1969 purchased about one-third of an acre of registered land in a commercial-industrial district near the Medford-Somerville line.  Martin’s parcel – Lot 3A – has the benefit of several easements, including an easement of passage over Way A, which crosses a number of other lots in the area.  In 1993, defendant Simmons Properties, LLC (“Simmons”) purchased three of the lots that Way A crosses.  Simmons made various improvements on its parcels, and some of those improvements protrude into Way A.

In 2007, Martin sued Simmons in Land Court, alleging 15 acts of encroachment on Way A.  Some of these encroachments were initiated by Simmons; others predated its ownership of its lots.  While conceding that, to date, none of these encroachments prevented him from using Way A to access Lot 3A, Martin claimed he was entitled to have the encroachments removed so he could use the full width of Way A.  After trial, the Land Court ruled that Martin was not entitled to the removal of any encroachments from Way A.

The Land Court reasoned that, though the encroachments in Way A are within an easement referenced in Martin’s certificate of title, this confers on Martin no “absolute right to removal . . . .”  While the certificate provides certainty as to Martin’s title – including the existence of his easement over Way A – the court saw no reason to forsake the usual rules of property law applicable to unregistered land, under which the owner of the burdened land (Simmons) may use its land for all purposes not inconsistent with the rights of the easement holder (Martin).  The Land Court noted that, if Martin’s use of Lot 3A were to change, as a result of which the encroachments in question did materially interfere with his rights in Way A, Martin might then be entitled to “judicial adjustment” of the encroachments.

Martin appealed, and on the question of his right to removal of the encroachments, the Appeals Court reversed.  After noting the distinction between easements intended to remain fully open and those intended to provide only a “convenient passage,” the court stated, “we are aware of no case that holds that only a convenient passage is intended when a right of way is reserved over a way defined and located by reference to a Land Court plan.”  The Appeals Court found support for its view in a line of cases holding that, where the description of a right of way is definite and free from ambiguity – particularly where it is shown on a plan – the easement holder is entitled to use the entire width of the described way.  Having placed Martin’s easement over Way A into this category, the court concluded that “[a] finding that the obstructions do not interfere with present or future uses is immaterial . . . .”  With regard to encroachments that pre-dated Simmons’ ownership of its lots, the Appeals Court remanded the case to the Land Court for further findings to determine which party is responsible for their removal.

The SJC granted Simmons’ application for further appellate review and affirmed the Land Court’s ruling that the encroachments in Way A need not be removed.  The SJC held that the case is governed by its 2004 decision in M.P.M. Builders, supra, in which the court announced the adoption of the “modern rule” of § 4.8(3) of the Restatement (Third) of Property (Servitudes) (2000).  Section 4.8(3) provides that, unless expressly prohibited by the terms of an easement, the owner of the burdened property can make reasonable changes in the location and dimensions of an easement to permit “normal use or development” of the property, but only if those changes do not (a) significantly lessen the utility of the easement, (b) increase the burdens on the easement holder in its use and enjoyment, or (c) frustrate the purpose for which the easement was created.  The SJC noted that, while M.P.M. Builders concerned the relocation of an easement, the same rule applies in a case like Martin, where the easement has not been relocated but rather its width has been narrowed in some places.

Regarding the fact that Martin’s easement is appurtenant to his registered land and is shown on a Land Court plan, the SJC rejected the Appeals Court’s view that this rendered the easement “immutable.”  The SJC found nothing in its precedents or in the land registration act to suggest that different rules apply to easements appurtenant to registered land.  The court noted that while the registration system provides certainty with respect to title – including by assuring owners of registered land that their easements continue to exist – it does not purport to grant additional property rights.  Thus, the SJC concluded, “we adhere to our well-established precedent and consider the easement here under existing jurisprudence as to recorded land.”

Martin is an important decision for two reasons.  First, it confirms that easements appurtenant to registered land are not accorded special status, and are subject to changes in their location and dimensions under the rule of M.P.M. Builders.  Second, more broadly, it makes clear that the long line of cases on which the Appeals Court relied – standing for the proposition that where an easement is described with precision or is shown on a plan, the easement holder has the right to use the full width of the easement – is no longer good law.  Under the “modern rule” of M.P.M. Builders, all easements are subject to changes in their location and dimensions unless by their express terms they prohibit such changes.  Thus Martin highlights an important drafting note for grantees of easements:  if you like the location and width of your easement, and you want to keep it, make sure it includes language prohibiting the kinds of changes otherwise authorized by M.P.M. Builders.

Donald R. Pinto, Jr. is a Director of Rackemann, Sawyer & Brewster, P.C. where he handles all types of real estate litigation.  He is the founder and editor of, a widely-read real estate and land use law blog. 

Any Calls, Texts, or Photos May Be Used Against You: Warrantless Cell Phone Searches and Personal Privacy

Leone_Gerry Freedman_Linn Sylvia_Kathrynby Gerard T. Leone, Linn Foster Freedman, and Kathryn M. Sylvia

Legal Analysis

The world envisioned by the Supreme Court in Chimel v. California, 395 U.S. 752 (1969) – one where physical objects such as spare handcuff keys, drugs, gambling ledgers, and weapons could be found on the person of any arrestee – is now a much different place.  Historically, searches incident to arrest have been justified to prevent escape, the destruction of evidence and to protect the arresting officers from dangerous weapons. Smartphone technology has changed the landscape and offered new challenges for our courts.  In the vast majority of arrests these days, the police locate a cell phone on or near an arrestee, seize it, and seek to search the device pursuant to the search incident to arrest exception to the warrant requirement.  This situation obviously implicates incrimination issues, as well as privacy concerns, because one handheld device can contain enormous amounts of personal information collected over lengthy periods of time, and much or even all of this data might be arguably inadmissible or irrelevant to an individual’s conduct or intent at the time of arrest.  For this reason, courts applying the search incident to arrest doctrine must carefully balance the government’s ability to seize and use personal data of an arrestee to incriminate them, against the risk of allowing an unreasonable intrusion into our personal lives.

This article will provide an overview of the two most recent Massachusetts Supreme Judicial Court (“SJC”) decisions on the issue, and will highlight two cases currently pending before the Supreme Court of the United States.

The SJC has ruled that police can conduct a limited cell-phone search without a warrant pursuant to the search incident to arrest exception.  In both Commonwealth v. Phifer, 463 Mass. 790 (2012) and Commonwealth v. Berry, 463 Mass. 800 (2012), the SJC held that checking the arrestee’s cell phone call history in order to discover evidence of the crime of arrest was acceptable under the search incident to arrest exception to the warrant requirement.  In Phifer, officers viewed the defendant speaking on his cell phone shortly before engaging in a drug transaction.  After police arrested the defendant and a codefendant, the codefendant provided police with his phone number.  The subsequent search of the defendant’s cell phone involved a “few ‘simple manipulations’” to display the recent call logs where police matched several recent calls to the codefendant’s phone number.  In upholding the search, the Phifer court limited its ruling to the facts of that case, holding that when police had probable cause to believe the search of the cell phone would reveal evidence of crime, the search was constitutional.

But Berry presented a different situation.  The police witnessed the defendant selling heroin to a customer from within a vehicle.  Officers arrested the defendant and the customer, and seized their cell phones incident to arrest.  Unlike Phifer, neither officer witnessed either arrestee use his cell phone before or during the illegal transaction.  Still, police reviewed Mr. Berry’s recent call history and dialed the most recent number, correctly presuming that it belonged to the customer.  The SJC stated that this “very limited search” was reasonable due to the police officer’s knowledge that cell phones are used in drug transactions, even if police had no particularized suspicion that either the defendant or the customer had used a cell phone to conduct this transaction.

While the Berry court sought to limit its decision to the facts of the case, the effect is likely to be far reaching, and applied to many other scenarios.  Indeed, the facts present in Berry include 1) experienced officers with knowledge and training in drug transactions; 2) a high crime area; and 3) general knowledge that cell phones are often used in drug transactions.  Such general facts will be present in virtually every drug arrest, and thus every arrestee’s cell phone will seemingly be subject to a “limited” search incident to arrest.  The Berry court did not require any particularized nexus between the officers’ witnessing the use of a cell phone and a target drug transaction, despite a clear opportunity to do so, given the important factual differences between the usage of the cell phone in the Phifer and Berry offenses.

In April 2014, the United States Supreme Court will revisit these issues.  In People v. Riley, No. D059840, 2013 WL 475242 (Cal. Ct. App. Oct. 16, 2013), cert. granted sub nom. Riley v. California,No. 13-132, 2013 WL 3938997 (U.S. Jan. 17, 2014),the Court will consider whether a post-arrest search of the petitioner’s cell phone violates his Fourth Amendment rights. There, police stopped Mr. Riley for having expired vehicle tags.  During the stop, the police learned that he was driving with a suspended license and arrested him.  Pursuant to policy, the officers conducted an “inventory search” of his vehicle and, in the process, found guns hidden underneath the vehicle’s hood.  Officers placed the defendant under arrest and seized his cell phone.  Officers then conducted two warrantless searches of the cell phone’s content—one at the scene during which the officer scrolled through the defendant’s contact list, and one at the police station during which a different officer searched photographs and video clips contained therein.  The cell phone was a “smartphone that was capable of accessing the Internet, capturing photos and videos, and storing both voice and text messages, among other functions,” according  to Mr. Riley’s certiorari petition. Mr. Riley was charged with attempted murder and assault with a semiautomatic weapon, based in part on the contents seized from his cell phone—including infamous gang-members’ names and incriminating photographs—that proved critical to the government’s investigation and charging decision.

Mr. Riley argues in his Petition that “Federal courts of appeals and state courts of last resort are openly and intractably divided over whether the Fourth Amendment permits the police to search the digital contents of an arrestee’s cell phone incident to arrest.  This issue is manifestly significant.”  While the State, in its opposition brief, “acknowledges that there is a growing conflict concerning whether the Fourth Amendment permits law enforcement officers to search the contents of a cell phone incident to arrest,” it argues that the police officers’ search of Mr. Riley’s cell phone did not constitute a Fourth Amendment violation.  In support of its position, the State argues that courts “categorically allow the police to search any item of personal property on an arrestee’s person at the time of his lawful arrest,” if the search was reasonable.

A second case accepted by the United States Supreme Court, United States v. Wurie, 728 F.3d 1 (1st Cir. 2013), cert. granted, No. 13-212, 2013 WL 4402108 (U.S. Jan. 17, 2014), addresses whether the Fourth Amendment permits the government to conduct a post-arrest warrantless search of an arrestee’s cell phone call log.  There, the police witnessed what they believed to be a drug transaction within a vehicle.  Police arrested the defendant for distributing crack cocaine and removed him to the police station.  The officer seized two cell phones from Mr. Wurie and eventually used the personal contacts and telephone numbers to determine his home address.  Officers then obtained a search warrant for Mr. Wurie’s home where they discovered a firearm, ammunition and drug paraphernalia.  The government convicted him of numerous drug crimes and for being a felon in possession.  On appeal, the First Circuit overturned his conviction, holding that the search incident to arrest exception “does not authorize the warrantless search of data within a cell phone that is seized from an arrestee’s person” unless another exception to the warrant requirement applies.

The Solicitor General submitted a writ of certiorari arguing that it is well-settled that “a custodial arrest based on probable cause justifies a full search of an arrestee and any items found on an arrestee, including items such as wallets, calendars, address books, pagers and pocket diaries.”  He further argued that “the cell phone at issue was a comparatively unsophisticated flip phone” and, as a result, this particular case is not suitable for determining the scope of Fourth Amendment rights pertaining to cell phone searches.

The State advanced similar arguments below, and the First Circuit considered and disagreed with each.  As to the argument that police may search any item on the arrestee, the First Circuit held that Chimel does not authorize even a limited warrantless search of a cell phone because such a search is not necessary to preserve destructible evidence or promote officer safety.  The First Circuit also rejected the idea that the particular phone’s storage capacity should be a factor, quoting the Seventh Circuit’s reasoning that “[e]ven the dumbest of modern cell phones gives the user access to large stores of information.”

It would seem that, even if the Supreme Court holds that searches of cell phones incident to arrest are constitutional, there must be a reasonableness standard applied to limit and condition the nature, scope and extent of such searches.  The implication of the upcoming decisions may be far reaching.  As the First Circuit in Wurie recognized, the evolution of technology makes the government’s reach into private data ever more problematic.  Today, individual cell phones act as bank cards, home security surveillance portals, and repositories for intimate details such as personal health information and social security numbers.  Tomorrow, technology will turn another corner, allowing more information to be immediately available to whomever may access a personal cell phone.  As technology evolves, and personal e-data continues to be inextricably intertwined with our everyday lives, the law as it applies to devices that possess such personal information will be critical to the debate over personal privacy and governmental intrusion.

Gerry Leone is a former Middlesex County District Attorney.  He is a partner with Nixon Peabody LLP and conducts internal and governmental investigations for public and private clients.  Gerry also represents individuals and organizations facing complex civil and criminal matters.

Linn Foster Freedman is a partner with Nixon Peabody LLP and is leader of the firm’s Privacy & Data Protection group. Linn practices in data privacy and security law, and complex litigation.

Kathryn M. Sylvia is an associate with the firm and member of the firm’s Privacy & Data Protection team. She concentrates her practice on privacy and security compliance under both state and federal regulations. 

Lessons Learned from the Trenches: A Roadmap for Successfully Navigating a Large-Scale Data Breach

Sussman_Heather Dunlap_Sabrinaby Heather Egan Sussman and Sabrina E. Dunlap

Practice Tips

Data breaches dominate world news, with retailers reporting incidents affecting millions of customers.  Representing a company facing a massive breach is not for the inexperienced or faint of heart.  While each incident brings a new set of facts and challenges, this roadmap can help guide any business to successfully navigate a large-scale breach in way that meets legal requirements and mitigates the risk of harm.

Prepare in advance by developing an effective incident response plan.

When the report of a breach first comes in, time is of the essence.  Some breach notification laws have surprisingly short reporting deadlines.  E.g., Conn. Ins. Dept. Bulletin IC-25 (August 18, 2010) (notice within five days); 9 V.S.A. § 2435(3)(B)(i) (2012) (notice within 14 days); M.G.L. c. 93H § 3(b) (2007) (notice “as soon as practicable and without unreasonable delay”).  Companies can contract with business partners for even shorter notice periods.  By preparing and testing an effective response plan in advance, companies can best position themselves to respond quickly when faced with a breach to meet required reporting deadlines, including under applicable insurance policies.

Evaluate notification obligations as early as possible. 

Once the response team is in place, it is critical to determine the type of information involved and any notification obligations.  Forty-six states and the District of Columbia have breach notification laws and an increasing number of countries around the world are following suit.  Such laws require a company to notify affected residents – and, in some cases, particular regulators – in the event a resident’s “personal information” has been compromised.  In the U.S., these laws typically define “personal information” to include a natural person’s name plus some other data element that can be used to commit identity theft or financial harm (the elements vary by state).  Elsewhere, the definition of “personal information” can be much broader.

Breach notification laws also often dictate notice content, such as a description of what occurred and the type of personal information involved.  Massachusetts is the only U.S. state to expressly prohibit including details of the breach in the consumer notice letter.  See M.G.L. c. 93H § 3(b).

Conduct the investigation under privilege.

Upon receiving the initial report of a suspected breach, the company must investigate and remediate the incident.  Companies should conduct the investigation under privilege to protect process and findings.  Companies also should consider retaining outside counsel experienced in managing the moving parts of a complex breach scenario, while protecting the company in any resulting litigation or government enforcement action.

Cooperate with law enforcement, but require subpoenas for information.

In some cases, the company will learn of an incident from law enforcement (such as the FBI).  There are benefits to working cooperatively with these agencies, including receiving government assistance and law enforcement back-up.  Before turning over information to law enforcement, however, companies should insist on a subpoena.  This can shield against claims that the company further breached the privacy of affected individuals by turning over information without authorization.  Keep in mind, however, that informal discussions between the company’s forensics teams and law enforcement can circumvent established protocols and waive privilege protections.

Control the information flow.

Upon receiving a report of an incident, the company must mobilize the incident response team and get to the root of the problem before sharing information with outsiders.  Because facts are still unfolding, however, releasing information too early can result in confusion, reputational harm, and compromise litigation strategy.

As a result, it is important to control information flow from the outset by coordinating all communications through one lead person responsible for tracking incoming requests and outgoing responses.  That lead should work with legal counsel to protect confidentiality and privilege.

In some cases, it may be preferable to get in front of a story so the business can shape the narrative.  Depending on the jurisdiction involved, it may be best to notify regulators before addressing the media.  Most companies will need to rely on internal communications teams to manage this strategy.  Public relations firms usually are reserved for the largest incidents expected to receive substantial scrutiny.

Spend wisely on digital forensic firms.

Not every incident requires hiring a digital forensic firm.  These firms are most appropriate in specific cases, such as when the incident presents a high litigation risk, when the incident has an unknown cause or effect, or when the incident involves the company’s network and the IT department is not able or appropriate to respond.

Forensic firms also can help to determine at a granular level what systems were accessed during the incident and thus help define the scope of the breach.  (For example, the forensic investigator might establish that the hacker infiltrated the network perimeter, but not the database containing sensitive information.)  They also know how to remediate incidents and secure the network perimeter against further intrusion.  This can be critical in cybersecurity incidents where hackers create “back doors” through which they can later return to steal more data.

Payment card breaches present special issues.

Where the breach involves payment card information, merchants also must address reporting requirements under the Payment Card Industry (PCI) rules.  When an incident occurs, the merchant generally is required to notify the card brands, who notify the issuing banks, who notify affected consumers.  PCI rules also may require that the business hire a “preferred forensic investigator” (PFI) to determine whether the merchant violated the Payment Card Industry Data Security Standards and related rules.  Because the PFI’s findings can lead to substantial fines, a merchant should consider retaining under privilege an independent forensics firm to monitor the PFI’s investigation and preserve the merchant’s ability to challenge the PFI’s findings and resulting fines.

Balance speed with precision.

Not every breach will involve a tidy, sortable spreadsheet containing the names and mailing addresses of affected individuals.  When it is not possible to determine quickly who is affected and where they live, a company must balance the need to promptly notify against the concern for avoiding customer confusion and resulting harm.  Companies caught in this Catch-22 should consider invoking the “substitute notification” option available under some breach notification laws that permits a company in certain circumstances to post notice of the incident on a website or other permitted location in lieu of sending individual notices.  This option carries risks, however, including unnecessarily alarming customers not affected by the breach and may be most appropriate when paired with some other limiting data point, for example, that the incident impacts shoppers at a particular store during a particular period of time, rather than all customers everywhere at any time.

If law enforcement instructs the company to delay notifications pending the investigation, memorialize the directive to defend against any claims of needless reporting delay.

Engage regulators proactively, but stand firm where legal merits warrant.

After receiving notice of a breach, regulators likely will contact the company to request more information.  In the U.S., state Attorneys General Offices (AGO) often will work together in one consolidated review of the breach.  The multi-state process has clear benefits to the AGOs because it streamlines costs and can achieve efficiencies.  Companies are wise to consider how best to capitalize on the efficiencies of this process, while still advancing legal arguments and defenses available in each state.  Companies should not hesitate to stand firm, however, when authorities take unsupported or unreasonable settlement positions.

Conduct a post-incident review.

There are many lessons to be learned through effective post-incident review.  Following any incident, a company should perform a careful root cause analysis and assess what changes should be made in light of the experience. Public companies also must consider whether the incident triggers further disclosure requirements.

Watch the evolving regulatory landscape. 

On February 4, 2014, U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act, which seeks to establish a federal breach notification standard and impose minimum data security requirements for businesses, like the approach taken in Massachusetts.  See 201 C.M.R. 17.00, et seq. (2007)

Similar past proposals from federal legislators have not gained traction, but with the recent spate of highly publicized breaches, a proposal may soon become law.  Familiarity with the regulatory landscape is vital when advising clients responding to complex data security breaches.

Heather Egan Sussman is a partner at McDermott Will & Emery LLP. Heather co-chairs the Global Privacy & Data Protection Affinity Group and is a recognized leader in her field.

Sabrina E. Dunlap is an associate in the law firm of McDermott Will & Emery LLP, focusing on privacy and data security and employment law. Sabrina is a Certified Information Privacy Professional (CIPP) and an active member of the International Association of Privacy Professionals.