Publications

4th Amendment And Shared Servers: Lessons From Shkreli

9/29/2017 Articles

The prosecution of Martin Shkreli, whom the BBC has called “the most hated man in America,” reveals some important lessons about the Fourth Amendment protections against search and seizure in the digital corporate context: physical access to documents on a server may trump actual ownership of records. As the use of shared servers increases, foresight and commitment to clear document policies can prevent potentially overbroad and unconstitutional data collection.

In December 2015, Shkreli, former head of the pharmaceutical company Retrophin, was indicted for conspiracy to commit securities fraud. Federal prosecutors in Brooklyn alleged that Shkreli raided Retrophin cash and stock to pay defrauded investors in two hedge funds he managed, MSMB Capital Management LP and MSMB Healthcare Management LP. In response to a government subpoena following Shkreli’s indictment, the publicly traded Retrophin produced troves of MSMB Capital and MSMB Healthcare-related documents. Shkreli subsequently moved to suppress those documents, arguing their introduction at trial would violate his Fourth Amendment protection against government searches and seizures.

Shkreli argued that, although he used his MSMB entities’ email to conduct Retrophin business, and although MSMB entity information was stored on Retrophin servers, the produced MSMB information was password protected, and thus not accessible to Retrophin. Therefore, Shkreli argued, he had a reasonable and subjective expectation of privacy in the MSMB documents.

To complete his Fourth Amendment claim, Shkreli also argued that Retrophin functionally acted as a government agent in collecting MSMB documents for production because, Shkreli alleged, the company “partner[ed]” with the government to collect MSMB documents.

Retrophin disagreed and the government opposed Shkreli’s claim. Retrophin filed an affidavit asserting that “emails sent to or from MSMB email addresses (both in current and archived form) were commingled on Retrophin’s servers with emails sent to or from Retrophin email addresses,” that no separate password was required to access MSMB entity emails stored on the Retrophin servers, and that Retrophin — not Shkreli or MSMB entities — paid for and maintained the servers that housed the documents at issue. Moreover, the company responded to the subpoena by producing “responsive documents that it had in its possession, custody or control,” and that merely production did not mean it was acting as a government agent. Therefore, the government asserted Shkreli’s Fourth Amendment rights were not violated by the production of the MSMB entity data.

Judge Kiyo Matsumoto agreed and denied Shkreli’s suppression attempts, finding that Shkreli did not have a reasonable expectation of privacy in the documents at issue, and that “corporate compliance with a government subpoena [does not] transform the complying entity into a government agent.”

The court recognized that, while the Second Circuit had found that a corporate officer like Shkreli may assert a reasonable expectation of privacy in his corporate records, see United States v. Chuang, 897 F.2d 646, 649 (2d Cir. 1990), Shkreli had not made such a showing. The court found that Shkreli willingly co-mingled MSMB and Retrophin records, and that Shkreli signed Retrophin’s email policy, which stated that “[a]ll electronic data ... transmitted through [Retrophin] facilities ... are the property of the company.” In other words, because Shkreli had failed to take proper precautions to keep MSMB material separate from Retrophin material, he could not demonstrate a subjective expectation of privacy in his corporate records. Shkreli was later convicted of three counts of securities fraud.

Shkreli’s failed motion to suppress provides a cautionary tale for entities that share physical or server space. Shkreli essentially argued that, because the MSMB documents formally belonged to MSMB and thus were not in the “possession, custody or control” of Retrophin, their production was a constitutional violation. The court ignored formal ownership, however, and found that the intermingling of Retrophin and MSMB records on a shared server was sufficient to establish Retrophin’s “possession, custody or control” over MSMB material.

Of course, intermingling records alone does not waive constitutional rights, In re SK Foods LP, No. 2:09-CV-02942-MCE (E.D. Cal. Dec. 24, 2009) (finding no authority for assertion that “privacy interests are waived simply because [] companies may have shared storage and access capabilities”), and federal appellate courts considering the Fourth Amendment rights of those not subject to search have proposed procedures for disaggregating intermingled physical documents, see United States v. Tamura, 694 F.2d 591, 595–96 (9th Cir. 1982) holding modified by United States v. Comprehensive Drug Testing Inc., 579 F.3d 989 (9th Cir. 2009) (“In the comparatively rare instances where documents are so intermingled that they cannot feasibly be sorted on site, we suggest that the Government and law enforcement officials generally can avoid violating fourth amendment rights by sealing and holding the documents pending approval by a magistrate of a further search ...”).

Disaggregating electronic records is much more complex than disaggregating physical records, however, and requires courts to grapple with the constitutional implications of server technology and the ubiquity of shared server space. “The advent of fast, cheap networking has made it possible to store information at remote third-party locations,” and "[g]overnment intrusions into large private databases thus have the potential to expose exceedingly sensitive information about countless individuals not implicated in any criminal activity, who might not even know that the information about them has been seized and thus can do nothing to protect their privacy.” United States v. Comprehensive Drug Testing Inc., 621 F.3d 1162, 1177 (9th Cir. 2010).

While the courts grapple with how the constitution contemplates the storage of vast amounts of data stored all over the world, it remains clear that demonstrating a reasonable and subjective expectation of privacy in material is critical to stating a viable Fourth Amendment claim.

To make the strongest case for that expectation of privacy, entities sharing physical or server space should password protect distinct-entity documents, create formal policies regarding ownership of electronic and other records, and consider sharing the costs of hosting servers. Taking these precautions to protect distinct-entity documents on shared server space will strengthen claims to a reasonable and subjective expectation of privacy in entity records, and prevent unconstitutional searches.

Published in Law360.

Firm Highlights

Publication

Privacy During Bankruptcy Proceedings: Why It Matters

During these particularly trying times resulting from the COVID-19 pandemic, businesses of all sizes have been concerned about the future. As a result, considering potential liquidation or restructuring through bankruptcy is inevitably starting to...

Read More
News

Farella’s Aviva Gilbert Honored With WWCDA Catherine M. O’Neil Mentoring Award

SAN FRANCISCO, November 19, 2020: Northern California legal powerhouse Farella Braun + Martel is pleased to announce that Aviva J. Gilbert will be honored by the Women's White Collar Defense Association (WWCDA) with its Catherine...

Read More
Publication

SEC Expands Definition of “Accredited Investor” – Here Are 5 Key Takeaways

The SEC recently adopted amendments to Rule 501(a) of Regulation D of the Securities Act of 1933 that expand the definition of “accredited investor” by adding new categories of eligibility based on professional knowledge...

Read More
News

Farella Braun + Martel Ranked Among “Best Law Firms” by U.S. News & World Report and Best Lawyers

SAN FRANCISCO, November 5, 2020: Farella Braun + Martel earned national and regional rankings across a number of practice areas in the U.S. News & World Report and Best Lawyers® release of the “Best...

Read More
Publication

SB 67 Moves California’s Cannabis Appellations Program Forward

In February of 2020, the California Department of Food & Agriculture (CDFA) issued its first iteration of the Cannabis Appellations Program (CAP) , which set forth proposed regulations for licensed cannabis cultivators to establish...

Read More
Event

North Coast Cannabis Industry Conference

Farella Braun + Martel is a proud underwriter of the North Bay Business Journal's 2020 North Coast Cannabis Industry Conference series. This live virtual event will explore new opportunities and challenges to the medical...

Read More
Event

Antitrust and Technology: Perspectives From In-House Competition Counsel

Chris Wheeler is the moderator for the Association of Corporate Counsel San Francisco Bay Area Chapter program "Antitrust and Technology: Perspectives from In-House Competition Counsel." Overview: As the COVID-19 pandemic has accelerated the digital...

Read More
News

Year-End Planning After The Election: What Financial Advisors & Tax Pros Are Telling Clients About Future Tax Changes

Lauren Galbraith was quoted in the Forbes article "Year-End Planning After The Election: What Financial Advisors & Tax Pros Are Telling Clients About Future Tax Changes." Read the full article, here .

Read More
Publication

Electric Fence: Protecting Proprietary Rights in Collected Energy Data

Like companies in other industries, a growing number of modern energy-related companies are focusing their efforts on data collection and analysis. For example, Enphase – an energy technology company – regularly tracks data about how...

Read More
Event

Antitrust and Technology: Perspectives from In-House Competition Counsel

Chris Wheeler will moderate a panel in the discussion on "Antitrust and Technology: Perspectives from In-House Competition Counsel." As the COVID-19 pandemic has accelerated the digital revolution, attention in Washington, D.C. and elsewhere has...

Read More