Insights
Publications

4th Amendment And Shared Servers: Lessons From Shkreli

9/29/2017 Articles

The prosecution of Martin Shkreli, whom the BBC has called “the most hated man in America,” reveals some important lessons about the Fourth Amendment protections against search and seizure in the digital corporate context: physical access to documents on a server may trump actual ownership of records. As the use of shared servers increases, foresight and commitment to clear document policies can prevent potentially overbroad and unconstitutional data collection.

In December 2015, Shkreli, former head of the pharmaceutical company Retrophin, was indicted for conspiracy to commit securities fraud. Federal prosecutors in Brooklyn alleged that Shkreli raided Retrophin cash and stock to pay defrauded investors in two hedge funds he managed, MSMB Capital Management LP and MSMB Healthcare Management LP. In response to a government subpoena following Shkreli’s indictment, the publicly traded Retrophin produced troves of MSMB Capital and MSMB Healthcare-related documents. Shkreli subsequently moved to suppress those documents, arguing their introduction at trial would violate his Fourth Amendment protection against government searches and seizures.

Shkreli argued that, although he used his MSMB entities’ email to conduct Retrophin business, and although MSMB entity information was stored on Retrophin servers, the produced MSMB information was password protected, and thus not accessible to Retrophin. Therefore, Shkreli argued, he had a reasonable and subjective expectation of privacy in the MSMB documents.

To complete his Fourth Amendment claim, Shkreli also argued that Retrophin functionally acted as a government agent in collecting MSMB documents for production because, Shkreli alleged, the company “partner[ed]” with the government to collect MSMB documents.

Retrophin disagreed and the government opposed Shkreli’s claim. Retrophin filed an affidavit asserting that “emails sent to or from MSMB email addresses (both in current and archived form) were commingled on Retrophin’s servers with emails sent to or from Retrophin email addresses,” that no separate password was required to access MSMB entity emails stored on the Retrophin servers, and that Retrophin — not Shkreli or MSMB entities — paid for and maintained the servers that housed the documents at issue. Moreover, the company responded to the subpoena by producing “responsive documents that it had in its possession, custody or control,” and that merely production did not mean it was acting as a government agent. Therefore, the government asserted Shkreli’s Fourth Amendment rights were not violated by the production of the MSMB entity data.

Judge Kiyo Matsumoto agreed and denied Shkreli’s suppression attempts, finding that Shkreli did not have a reasonable expectation of privacy in the documents at issue, and that “corporate compliance with a government subpoena [does not] transform the complying entity into a government agent.”

The court recognized that, while the Second Circuit had found that a corporate officer like Shkreli may assert a reasonable expectation of privacy in his corporate records, see United States v. Chuang, 897 F.2d 646, 649 (2d Cir. 1990), Shkreli had not made such a showing. The court found that Shkreli willingly co-mingled MSMB and Retrophin records, and that Shkreli signed Retrophin’s email policy, which stated that “[a]ll electronic data ... transmitted through [Retrophin] facilities ... are the property of the company.” In other words, because Shkreli had failed to take proper precautions to keep MSMB material separate from Retrophin material, he could not demonstrate a subjective expectation of privacy in his corporate records. Shkreli was later convicted of three counts of securities fraud.

Shkreli’s failed motion to suppress provides a cautionary tale for entities that share physical or server space. Shkreli essentially argued that, because the MSMB documents formally belonged to MSMB and thus were not in the “possession, custody or control” of Retrophin, their production was a constitutional violation. The court ignored formal ownership, however, and found that the intermingling of Retrophin and MSMB records on a shared server was sufficient to establish Retrophin’s “possession, custody or control” over MSMB material.

Of course, intermingling records alone does not waive constitutional rights, In re SK Foods LP, No. 2:09-CV-02942-MCE (E.D. Cal. Dec. 24, 2009) (finding no authority for assertion that “privacy interests are waived simply because [] companies may have shared storage and access capabilities”), and federal appellate courts considering the Fourth Amendment rights of those not subject to search have proposed procedures for disaggregating intermingled physical documents, see United States v. Tamura, 694 F.2d 591, 595–96 (9th Cir. 1982) holding modified by United States v. Comprehensive Drug Testing Inc., 579 F.3d 989 (9th Cir. 2009) (“In the comparatively rare instances where documents are so intermingled that they cannot feasibly be sorted on site, we suggest that the Government and law enforcement officials generally can avoid violating fourth amendment rights by sealing and holding the documents pending approval by a magistrate of a further search ...”).

Disaggregating electronic records is much more complex than disaggregating physical records, however, and requires courts to grapple with the constitutional implications of server technology and the ubiquity of shared server space. “The advent of fast, cheap networking has made it possible to store information at remote third-party locations,” and "[g]overnment intrusions into large private databases thus have the potential to expose exceedingly sensitive information about countless individuals not implicated in any criminal activity, who might not even know that the information about them has been seized and thus can do nothing to protect their privacy.” United States v. Comprehensive Drug Testing Inc., 621 F.3d 1162, 1177 (9th Cir. 2010).

While the courts grapple with how the constitution contemplates the storage of vast amounts of data stored all over the world, it remains clear that demonstrating a reasonable and subjective expectation of privacy in material is critical to stating a viable Fourth Amendment claim.

To make the strongest case for that expectation of privacy, entities sharing physical or server space should password protect distinct-entity documents, create formal policies regarding ownership of electronic and other records, and consider sharing the costs of hosting servers. Taking these precautions to protect distinct-entity documents on shared server space will strengthen claims to a reasonable and subjective expectation of privacy in entity records, and prevent unconstitutional searches.

Published in Law360.

Firm Highlights

Publication

Internal Investigations for Nonprofits: A Means of Identifying and Addressing Misconduct Before the Regulators Come Calling

The worst nightmare for most nonprofit board members is a complaint that sparks an investigation of misconduct at the organization. The ember may have been burning for some time before the board becomes aware...

Read More
News

Companies Increasingly Investigating Their Own Cultures—Even When There Are No Complaints

Aviva Gilbert, Farella partner and co-chair of the firm's White Collar Criminal Defense and Internal Corporate Investigations practice, spoke to Corporate Counsel for the article "Companies Increasingly Investigating Their Own Cultures—Even When There Are...

Read More
News

As Feds Step Up White-Collar Enforcement, Companies Face Heightened Risks

Aviva Gilbert, Farella partner and co-chair of the firm's White Collar Criminal Defense and Internal Corporate Investigations Group, was quoted in the Corporate Counsel article "As Feds Step Up White-Collar Enforcement, Companies Face Heightened...

Read More
Publication

Investigations, Audits, Subpoenas, Oh My!

Our Nonprofit Education Series speakers Cynthia Rowland, Aviva Gilbert and guest speaker, Stephanie Fauerbach from FTI Consulting, discuss "Investigations, Audits, Subpoenas, Oh My!" Nonprofit entities can be just as prone to misconduct (theft, embezzlement, accounting snafus...

Read More
News

Chambers USA 2022 Recognizes Farella Braun + Martel Lawyers, Practices

Farella Braun + Martel is pleased to announce that Chambers USA has recognized 14 lawyers and 6 practice areas in the legal directory’s 2022 edition. Individual California and Western U.S. Rankings: Sarah Bell &ndash...

Read More
News

Farella Braun + Martel Announces Five New Partners

Read More
News

Will Other States Follow in California's Footsteps Regarding Cryptocurrency Regulation?

Aviva Gilbert, partner and co-chair of Farella's White Collar Criminal Defense and Internal Corporate Investigations Group, was quoted in the Daily Business Review article, "Will Other States Follow in California's Footsteps Regarding Cryptocurrency Regulation?" In...

Read More
Publication

Internal Investigations for Nonprofits: A Means of Identifying and Addressing Misconduct Before the Regulators Come Calling

Cynthia Rowland: Welcome to EO Radio Show , Your Nonprofit Legal Resource, brought to you by the Exempt Organizations Group at Farella Braun + Martel. My name is Cynthia Roland and I'm a partner at Farella...

Read More
Publication

Continuing Use of CGL Policies to Cover Data Breach Losses

Our lives and the products and devices we use become more dependent on data by the day. As a result, cyberattacks and data breaches present everchanging risks to companies and individuals, and the importance...

Read More
News

Janice Reicher Named a 2022 Leadership Council on Legal Diversity Fellow

Farella Braun + Martel is proud to announce that Janice Reicher has been named a member of the 2022 class of Leadership Council on Legal Diversity (LCLD) Fellows. Janice joins a select group of...

Read More