In the March 19, 2026 edition of The Legal Intelligencer, Kelly Lavelle writes, “AI Systems and the Question of Confidentiality.”Much of the attention surrounding generative AI in litigation has focused on hallucinated authorities and AI-generated filings. But a different litigation risk arises when lawyers, or even clients themselves, enter client information into an AI platform. Before privilege or production issues arise, the more basic inquiry is whether the information was ever confidential in the first place. This question is particularly significant in e-discovery, where electronically stored information generated by AI systems may later become discoverable.

The U.S. District Court for the Southern District of New York’s decision in United States v. Heppner brings that issue into focus. Although the case has been described as a privilege ruling, the court’s analysis turned on a more basic issue: whether the information was confidential when it was entered into the AI platform. If client information is submitted to a system under terms that allow the provider to access, retain, or disclose it, the protections that depend on confidentiality, including attorney-client privilege and work product, may never attach.

In Heppner, a corporate executive under criminal investigation used the publicly available generative AI platform “Claude” to generate written analyses of potential defenses after receiving a grand jury subpoena. He later shared those documents with counsel. Following his arrest, FBI agents executed a search warrant at Bradley Heppner’s home and seized numerous documents and electronic devices. Heppner’s counsel later informed the government that among the seized materials were approximately thirty-one documents memorializing Heppner’s communications with the AI platform.

Through his counsel, Heppner asserted privilege over these documents, arguing that the information entered into the AI platform was learned, that he created the documents to facilitate discussions with counsel and obtain legal advice, and that he subsequently shared the AI outputs with his attorneys. His counsel acknowledged, however, that they did not direct Heppner to conduct the AI searches. The court rejected those claims. It held that the documents were not communications with an attorney, were not prepared by or at the direction of counsel, and, critically, were not confidential in light of the platform’s privacy policy.

The court’s analysis centered on the conditions under which the information was entered into the system. The provider’s terms stated that user inputs and outputs were collected and retained and that the company reserved the right to disclose data to third parties, including governmental authorities. Under those conditions, the court concluded that Heppner lacked a reasonable expectation of confidentiality at the moment of disclosure.

The court also rejected Heppner’s contention that he communicated with Claude for the “express purpose of talking to counsel.” In doing so, the court looked to the platform’s own representations. Claude expressly disclaimed providing legal advice. When asked whether it could provide such advice, the system responded that it was not a lawyer, could not offer formal legal recommendations, and advised users to consult a qualified attorney.

The court acknowledged that the implications of artificial intelligence for the law are only beginning to be explored. The court emphasized that AI’s novelty does not place it outside established legal principles, including those governing attorney-client privilege and the work-product doctrine. AI does not change the basic rules.

The opinion highlights a familiar but often underemphasized principle that privilege attaches only when communications are intended to be confidential and were, in fact, kept confidential. In the AI context, if a platform’s terms allow provider use beyond delivering the requested service, such as model training, analytics, affiliate sharing, or extended retention, the user may be acting inconsistently with the intent to preserve confidentiality at the moment of disclosure. The issue is not a subsequent waiver. It is that the platform itself may defeat confidentiality at inception.

This reasoning extends beyond generative AI. Courts have consistently held that employees may waive attorney-client privilege when using employer email systems to communicate with counsel, with the analysis turning on whether the employee had an objectively reasonable expectation of confidentiality. In those cases, the inquiry focuses on whether the intent to communicate in confidence was objectively reasonable under the circumstances. Heppner suggests that AI platforms may be subject to similar scrutiny. The terms governing data retention and disclosure may determine whether any protection exists at all.

The court also reaffirmed that privilege remains grounded in professional accountability. Recognized privileges depend on a relationship with a licensed professional who owes fiduciary duties and is subject to discipline. Generative AI does not occupy that role. Even if an output resembles legal advice, it is not a communication with counsel.

However, the court suggested that if counsel had directed the use of the AI tool within a structured framework, the analysis might have been different. That distinction highlights the importance of control. When AI use is integrated into a counsel-directed process under defined terms, protection arguments may be stronger. When it is independent and unsupervised, confidentiality may fail at the start.

Platform terms of service are therefore central. Many providers claim licenses to user inputs and outputs broader than a confidentiality-preserving relationship would tolerate, sometimes including rights to use content for service improvement, analytics or model training. However, this concern does not apply in the same way to all AI tools. Paid legal research platforms or firm-licensed systems are often governed by professional services agreements that include confidentiality obligations and defined data controls. In those contexts, the vendor functions more like a traditional litigation support provider than a public AI service. Even there, however, the analysis may turn on the contract. Courts will look at the terms to determine what they permit and how the provider handles user content.

These issues directly affect attorney-client privilege. Privilege protects confidential communications made for the purpose of obtaining or providing legal advice. The problem is not simply waiver. It is that the basic requirements for privilege may never have been satisfied. The work-product doctrine raises a similar issue. Work product protects materials prepared in anticipation of litigation. If those materials are created on a public nonconfidential platform, it weakens the argument that they reflect protected legal strategy shielded from disclosure.

Heppner reinforces the basic rule that privilege depends on confidentiality at the time the communication is made. It does not arise simply because a document is later shared with counsel. In the AI context, that means platform terms, data handling practices, and professional controls must align with confidentiality requirements before client information is entered. The focus should be less on whether AI interactions are discoverable and more on whether confidentiality ever attached. As Heppner shows, confidentiality is not assumed simply because a document resembles legal analysis. It depends on the conditions under which the information was created and maintained.

Kelly A. Lavelle is Senior Counsel at Kang Haggerty. She focuses on e-discovery and information management, from preservation and collection to review and production of large volumes of electronically stored information. Contact her at klavelle@kanghaggerty.com.

Reprinted with permission from the March 19, 2026 edition of “The Legal Intelligencer” © 2026 ALM Global, LLC. All rights reserved. Further duplication without permission is prohibited. Request academic re-use from www.copyright.com. All other uses, submit a request to asset-and-logo-licensing@alm.com. For more information visit Asset & Logo Licensing.

We’re grateful to everyone who joined us to strengthen the relationships that drive effective False Claims Act enforcement and support the mission of TAF. A special thank‑you to Kiddo for the warm hospitality and to all who helped make the evening a success.

We look forward to continuing to support TAF’s work and to creating more opportunities for connection across our community.

Walter O. Bourdaghs focuses his practice on complex commercial litigation, construction law, and civil rights matters, drawing on experience representing individuals, small businesses, and international companies. He earned his J.D. from Boston University School of Law and holds a B.A. from Beloit College. Walter is admitted to practice in Massachusetts, Connecticut, New Jersey, and Pennsylvania, and recently relocated to Philadelphia after working at MG+M law firm in Boston, following six years as Center Coordinator at the University of Chicago’s Center for East Asian Studies.

Kyle Hannigan focuses his practice on complex civil litigation, contract disputes, whistleblower claims, and creditors’ rights, bringing experience helping clients navigate a wide range of legal challenges. He earned his J.D. from Rutgers Law School and holds a B.A. in Law & Justice from Rowan University. Kyle is admitted to practice in Delaware and began his career at Kang Haggerty as a law clerk during law school; before entering the legal profession, he spent eight years in the automotive industry as a vehicle technician and service and parts coordinator.

Nicholas Cardoso focuses his practice on business disputes and employment law, representing clients on both the plaintiff and defense sides in matters involving complex commercial litigation, contract disputes, and workplace claims. He earned his J.D. from the University of Virginia School of Law and holds a B.A. in Criminology from The College of New Jersey. Nick is admitted to practice in New Jersey and Pennsylvania and previously practiced at an Am Law 200 firm, where he gained valuable insight into defense strategies that inform his work today.

“We are thrilled to welcome Walter, Kyle, and Nick to the firm,” said Edward T. Kang, Managing Member of Kang Haggerty. “Each of them brings strong litigation skills, intellectual rigor, and a client centered approach that enhances our ability to serve businesses and individuals across the region.”

Kang Haggerty LLC is a boutique business litigation firm with offices in Philadelphia, PA and Marlton, NJ. The firm was formed by lawyers with a wide range of professional, cultural, social, and political backgrounds.

In the February 19, 2026 edition of The Legal Intelligencer, Edward Kang and Kandis Kovalsky co-authored, “Taking a Plaintiff’s Case to the Next Level: Holding Individuals Liable Under Pennsylvania Law.”

For plaintiffs counsel, winning a verdict against a corporate entity is often only the opening act. The real contest begins post-judgment, when the defendant reveals itself to be a shell: a defunct LLC, a dissolved partnership, or a corporation with nominal assets. The plaintiff, having prevailed on liability, is left holding a judgment that is legally pristine but could be practically worthless.

This outcome is avoidable. Strategic practitioners do not need to treat entity liability as the finish line; they may treat it as a starting point. Holding individual owners or officers personally liable—whether as partners, corporate actors, alter egos, or signatories—fundamentally alters the litigation landscape. It expands the pool of recoverable assets, concentrates the minds of defense counsel, and aligns the case with the core purpose of civil liability: meaningful accountability against wrongdoers.

Why Individual Liability Matters

The pursuit of individual liability is not a secondary consideration; it is a force multiplier for three distinct reasons.

First, individual exposure changes behavior. A corporate entity, insulated by limited liability and defense counsel, often litigates with strategic detachment. An individual whose personal assets, reputation, and future earnings are at risk does not. Cases involving individual defendants often settle differently—earlier, at higher values, and with fewer procedural hurdles. Personal risk concentrates attention in ways that corporate liability rarely does.

Second, the assets often reside with the individuals. Commercial general liability policies carry limits and exclusions. Directors and officers (D&O) policies, by contrast, frequently provide broader coverage that follows the individual, not the entity. A dissolved corporation cannot respond to a judgment; a former officer with a D&O tail policy can. General partners remain personally liable for partnership obligations—a fact often forfeited when plaintiffs name only the partnership in the complaint.

Third, accountability is the product. The Department of Justice’s 2015 Yates Memo recognized that corporate enforcement is incomplete when it stops at the entity level. Civil plaintiffs experience this reality firsthand. A family suing a nursing home chain is not made whole by a judgment against a corporate shell. They seek accountability from the individuals who made the decisions that caused the harm. That impulse is not merely human—it is legally and strategically sound.

Direct Liability Under Pennsylvania Statutes

It is well known that general partners are jointly liable for the debts of a partnership. This most straightforward path to individual liability is often statutory—and frequently overlooked at the pleading stage. Under the Pennsylvania Uniform Partnership Act, a judgment against a partnership is not, by itself, a judgment against any individual partner. See 15 Pa.C.S. Section 8437. Pennsylvania Rule of Civil Procedure 2132 reinforces this principle: a judgment entered against a partnership sued only in its firm name supports execution only against partnership property. To reach a partner’s individual assets, the partner must be named and served in the lawsuit.

The same logic applies to limited partnerships, under 15 Pa.C.S. Section 8645. General partners are jointly and severally liable for partnership obligations, but only if they are properly joined. A judgment against the limited partnership alone does not reach them. This is not a substantive limitation on liability; it is a pleading requirement. Plaintiffs who fail to name individual partners at the outset may forfeit the ability to collect from them entirely.

The lesson is elementary: name the partners when warranted. The cost of doing so is negligible; the cost of failing to do so can be fatal to recovery.

Participation Theory: Liability Through Conduct

Beyond statutory partnership liability, Pennsylvania recognizes a common-law doctrine that imposes individual liability on corporate officers and directors based on their personal involvement in tortious conduct. This is the participation theory, articulated most clearly in the Pennsylvania Supreme Court case Wicks v. Milzoco Builders, 470 A.2d 86 (Pa. 1983). Under Wicks, a corporate officer is individually liable for torts committed in the course of employment if the officer personally participated in the wrongful conduct or directed it to occur. See our earlier article on this topic, here.

Participation theory is not veil-piercing. It does not require proof of fraud, undercapitalization, or disregard of corporate formalities. It does not attack the corporate structure. Instead, it reflects a bedrock principle: individuals remain liable for their own torts, even when acting on behalf of a corporation.

But the doctrine has limits. Alleging that a defendant held a corporate title or signed a document is insufficient. Plaintiffs must plead specific facts demonstrating personal involvement: directing the conduct, approving the scheme, making the misrepresentation, or physically engaging in the wrongful act. Courts are skeptical of boilerplate allegations of “participation.” Overreaching invites dismissal and damages credibility.

Participation theory applies only to individuals, not affiliated entities. To reach parent companies or sister corporations, plaintiffs must turn to other doctrines, such as alter ego or enterprise liability.

Contractual Liability: The Signatory Problem

In contract cases, the path to individual liability is narrower and more nuanced. The general rule is familiar: an agent who signs a contract on behalf of a disclosed principal is not personally liable on that contract (unless the agent specifically agrees to assume liability). See Vernon D. Cox & Co. v. Giles, 406 A.2d 1107, 1110 (Pa. Super. 1979). But the exceptions are where cases are won or lost.

One common exception arises from ambiguity. If a contract does not clearly indicate the signatory’s representative capacity, parol evidence may be admissible to determine whether the parties intended individual liability. See Trenton Trust v. Klausman, 296 A.2d 275, 277 (Pa. Super. 1972). Ambiguous signature blocks, inconsistent use of letterhead, or vague agency language can expose individuals to personal liability. See Hazer v. Zabala, 26 A.3d 1166, 1170 (Pa. Super. 2011).

Another fertile theory is misrepresentation of authority. An agent who warrants they have authority to bind a principal—but does not—may be personally liable for breach of warranty of authority. See Kribbs v. Jackson, 129 A.2d 490, 496 (Pa. 1957) Similarly, an individual who makes material misrepresentations to induce a contract may face tort liability for fraudulent inducement, even if the contract itself binds only the entity. See Felix v. Fraternal Order of Police, Philadelphia Lodge No. 5, 759 A.2d 34, 39 (Pa. Commw. Ct. 2000).

These theories should be explored early. Discovery into the signatory’s knowledge, the entity’s financial condition at the time of contracting, and the parties’ communications can reveal evidence of individual intent and responsibility. In the right case, contractual individual liability is not ancillary; it is central.

Alter Ego and Piercing the Corporate Veil

The most demanding—and most powerful—path to individual liability is veil piercing. Pennsylvania law requires a showing that the corporation was a mere alter ego or business conduit of the individual and that respecting the corporate form would sanction fraud, illegality, or fundamental unfairness. Put simply, veil-piercing is most viable when someone uses a corporate form to perpetrate fraud.

Unlike participation theory, veil piercing attacks the corporate structure itself. It can also extend beyond individuals to affiliated entities under enterprise liability theories. In Mortimer v. McCool, 255 A.3d 261 (Pa. 2021), the Pennsylvania Supreme Court recognized the viability of enterprise liability while declining to apply it on the facts. More recently, in Dewberry Group v. Dewberry Engineers, 604 U.S. 321 (2025), the U.S. Supreme Court reaffirmed the presumption of corporate separateness but left room for traditional veil piercing and equitable adjustments where corporate forms obscure economic reality. See our latest article on this topic, here.

These decisions offer both caution and opportunity. Courts will not disregard corporate form lightly, but they remain receptive to well-supported claims involving commingling, asset shifting, undercapitalization, and artificial inter-company transactions. Discovery into inter-company transfers, pricing practices, and the use of shell entities can provide the factual foundation necessary to overcome the presumption of separateness.

As a practical matter, veil piercing should rarely be pled in an initial complaint. The necessary facts are almost never available pre-discovery, and premature allegations risk early dismissal under Pennsylvania’s fact-pleading standards, and potentially, a loss of credibility with the court. A more effective strategy is to plead viable individual claims under participation theory and statutory liability, then develop the evidentiary record to support alter ego claims as the case progresses.

Choosing the Right Theory

Each individual liability doctrine serves a distinct function, and understanding their interplay is critical to effective case management.

• Partnership liability is mandatory, not discretionary. Name the partners.
• Participation theory is the primary tool for holding officers and managers accountable for their own tortious conduct.
• Contractual liability theories apply where ambiguity, misrepresentation, or extra-contractual conduct creates individual exposure.
• Veil piercing and enterprise liability are reserved for cases involving manipulation of corporate form to evade responsibility or to perpetuate fraud.

Used together, these doctrines transform litigation strategy. They expand the defendant pool, increase settlement leverage, and protect plaintiffs from the all-too-common scenario of winning on liability but losing on collectability.

Conclusion

The shift from entity liability to individual accountability is not merely tactical; it reflects the economic realities of modern commerce. Corporate entities can be created, dissolved, and restructured with ease. Individuals endure. They hold assets, carry insurance and bear responsibility for their conduct. On many occasions, individuals are the wrongdoers.

Plaintiffs who treat the corporate defendant as the endpoint of litigation will continue to obtain judgments against shell companies and wonder why their clients remain uncompensated. Plaintiffs who integrate individual liability into their strategy from the outset—by naming partners, pleading participation, scrutinizing contractual authority, and preserving alter ego theories—are likely to recover more. They will fulfill the fundamental promise of civil law: that wrongdoing leads to meaningful accountability, not empty judgments.

Edward T. Kang is the managing member of Kang Haggerty. He devotes the majority of his practice to business litigation and other litigation involving business entities. Contact him at ekang@kanghaggerty.com.

Kandis L. Kovalsky, a member with the firm, focuses her practice on a broad range of high stakes business-related civil litigation in Pennsylvania, New Jersey, and New York state and federal courts and arbitral tribunals, and representing relators in high stakes qui tam actions filed under the federal and state False Claims Acts. Contact her at kkovalsky@kanghaggerty.com. 

Reprinted with permission from the February 19, 2026 edition of “The Legal Intelligencer” © 2026 ALM Global, LLC. All rights reserved. Further duplication without permission is prohibited. Request academic re-use from www.copyright.com. All other uses, submit a request to asset-and-logo-licensing@alm.com. For more information visit Asset & Logo Licensing.

In the January 7, 2026 edition of The Legal Intelligencer, Edward Kang writes, “Authenticity Under Pressure: Rethinking Rule 901 in the Age of AI.“

For decades, Federal Rule of Evidence 901 has been a pillar of evidentiary stability. Its intentionally flexible standard—requiring only “evidence sufficient to support a finding that the item is what the proponent claims it is”—easily accommodated evidence from handwritten letters to surveillance footage. Authentication disputes were rarely dispositive, typically resolved through minimal foundation and common sense.

Enter the age of artificial intelligence (AI). The advent of generative artificial intelligence—specifically, tools capable of producing hyper-realistic audio, video, images and text (deepfakes)—has fractured the rule’s foundational assumptions. When synthetic media can replicate a person’s likeness or voice with near-perfect fidelity, traditional authenticity markers become unreliable. Evidence can be entirely fabricated yet appears genuine, leaving opposing parties without meaningful tools to prove manipulation.

This technological shift has triggered a parallel evolution in law. The conversation now spans from reforming Rule 901 to proposing a new Federal Rule of Evidence 707 specifically for AI-generated evidence. Simultaneously, ethics regulators are clarifying that lawyer competence requires understanding these technologies. The result is a critical convergence: the mechanics of authentication are now inseparable from counsel’s duty of competence under ABA Model Rule 1.1.

Rule 901’s Analog Assumption in a Digital World

Rule 901 was conceived in an era where forgery was typically crude, detectable, and difficult to scale. Its illustrative examples—testimony based on personal knowledge, distinctive characteristics, chain of custody—presume authenticity can be assessed through human perception and circumstantial context.

Generative AI dismantles this logic. Modern models produce videos of individuals saying things they never uttered, audio clips indistinguishable from real recordings, and documents that mimic unique writing styles—often complete with consistent metadata and artifacts that evade casual scrutiny. In this context, a witness’ assurance that evidence “looks real” offers scant probative value.

Courts are sensing this mismatch. While few opinions directly confront deepfakes, judicial unease with superficial digital authentication is growing. See, e.g., Alford v. Commonwealth, No. 2022-SC-0278-MR, 2024 WL 313431, at *6 (Ky. Jan. 18, 2024) (stating that the emergence of artificial intelligence, with the capacity and initiative to manipulate digital media, “will only serve to further compromise our determinations of authenticity unless such advancements are both recognized and addressed by our courts”). Some courts are “mindful” that the rules of evidence “may need to adapt,” yet still apply the same “low threshold for authentication” of electronic evidence as instructed by the current rules. See State v. Ziolkowski, 329 A.3d 939, 950 (Conn. 2025). The result is unpredictability: similar evidence may be admitted in one courtroom and excluded in another, based largely on a judge’s comfort with the technology rather than a consistent doctrinal framework. “As artificial intelligence progresses, battles over the accuracy of computer images and manipulation of deepfakes can be expected to intensify.” See Pegasystems v. Appian, 904 S.E.2d 247, 279 (Va. App. 2024), appeal granted (Mar. 7, 2025); see also People v. Smith, 969 N.W.2d 548, 565 (Mich. App. 2021) (“we are mindful that in the age of … so-called deep fakes, a trial court faced with the question whether a social-media account is authentic must itself be mindful of these concerns”).

The Case for Reforming Rule 901: Asymmetry and Reliability

The push for reform centers on two flaws exposed by AI: asymmetry and compromised reliability. A proponent of synthetic evidence needs only to clear Rule 901’s low bar of plausibility. The opponent, however, may bear an impossible burden to prove falsity without access to proprietary tools, training data, or generation logs. The current rule relies on adversarial testing, but the technology itself can obscure any meaningful test.
Proposed reforms vary. Some suggest amending Rule 901’s examples to explicitly reference AI-generated evidence, signaling that courts may demand technical proof. Others advocate a more structural shift, placing an affirmative burden on the proponent of AI-susceptible evidence to demonstrate authenticity through forensic analysis.

Skeptics warn that rewriting Rule 901 risks complexity and could disadvantage less-resourced litigants. They argue that judicial discretion and evolving common law—which have adapted the rule to include email and digital photos—can suffice. Yet even skeptics acknowledge deepfakes present a qualitative leap: unlike prior technologies, generative AI is designed to evade detection. This reality fuels the argument for a more targeted solution.

Proposed Rule 707: A Surgical Response to Synthetic Evidence

In the November 26, 2025 edition of The Legal Intelligencer, Edward Kang writes, “From Vulnerability to Liability: Understanding Today’s Cyber Claims and Enforcement.”

On Oct. 31, mass spam emails were sent from multiple university-affiliated accounts to members of the University of Pennsylvania community. The messages, sent from compromised “@upenn.edu” addresses, criticized the university’s data security practices and its institutional purpose, and suggested that internal systems had been infiltrated. Although UPenn’s Office of Information Security quickly disabled the compromised accounts and initiated a forensic investigation, the extent of any unauthorized access to personal information remained uncertain.

Only three days later, a class action was filed in the U.S. District Court for the Eastern District of Pennsylvania by a putative class of students, applicants, alumni and employees. The complaint alleges that UPenn failed to maintain reasonable cybersecurity measures despite collecting and storing personally identifiable information. Plaintiffs further allege that UPenn disregarded known cyber risks, failed to implement adequate monitoring and intrusion-detection systems, and did not act with sufficient urgency once the unauthorized access was discovered. The lawsuit seeks damages and injunctive relief, requiring UPenn to strengthen its data security practices. Several other class action lawsuits soon followed within a few days.

While the factual investigation is ongoing, the speed with which the lawsuits followed the incident illustrates how rapidly cybersecurity events now trigger litigation and how strongly plaintiffs view institutional cybersecurity as an affirmative legal obligation rather than a technical aspiration.

When a Cybersecurity-Related Claim May Be Brought

Whether a cybersecurity incident becomes actionable depends on when plaintiffs can demonstrate that a lapse in these duties resulted in a concrete injury or created a substantial risk of imminent harm. Recent U.S. Court of Appeals for the Third Circuit and U.S. Supreme Court decisions provide a clear framework for this threshold.

The Supreme Court’s decision in TransUnion v. Ramirez, 594 U.S. 413 (2021), reshaped the standing landscape for data-related harm. In Ramirez, the putative class action against TransUnion alleged violations of the Fair Credit Reporting Act, including the defendant’s failure to follow reasonable procedures to ensure credit files were accurate. The court held that the plaintiffs seeking damages must demonstrate a concrete injury. Without demonstrating the likelihood that their information would be disseminated, that the risk of harm materialized, or that the risk of harm itself independently harmed them, the plaintiffs whose information was not disseminated, therefore, did not meet the concrete injury requirement. Although the case did not involve a cyber breach, its reasoning has become the foundation for evaluating modern data-security claims.

The Third Circuit has built on this framework in Clemens v. ExecuPharm, 48 F.4th 146 (3d Cir. 2022), which clarifies how the concreteness of a data-related injury can be assessed and when cyber-related harms become actionable within the circuit. Clemens involved a ransomware attack in which a criminal hacking group exfiltrated a trove of highly sensitive information, including Social Security numbers, bank-account details, and tax records, and then posted that information publicly on the dark web. The trial court dismissed the plaintiff’s complaint, reasoning that allegations of any speculative identity theft due to a data breach are insufficient to establish standing. The Third Circuit reversed, holding that the plaintiff had standing to sue because the publication of her data created a substantial risk of identity theft. The court emphasized that the nature of the compromised information, its availability to criminal actors, and the plaintiff’s mitigation efforts together satisfied the requirement of injury-in-fact.

Importantly, misuse is not always required. Plaintiffs may also pursue claims where an institution has made specific cybersecurity commitments, such as promises in admissions materials, donor communications, privacy policies, research data management plans, or federal grant certifications, and has failed to honor them. In these circumstances, claims based on breach of contract, negligent misrepresentation, or deceptive practices can attach even in the absence of confirmed misuse. The key question becomes whether the institution represented that it would implement certain controls and whether its actual practices fell short of these representations.

In practice, a cybersecurity claim becomes viable when unauthorized access is paired with any combination of: actual misuse or publication of data; demonstrable, nonspeculative mitigation efforts; emotional or reputational harm resulting from the breach; or the breach of specific, identifiable promises regarding cybersecurity practices. Courts are increasingly sophisticated in evaluating these elements, treating cybersecurity duties as enforceable components of institutional governance.

The False Claims Act and Cybersecurity: An Expanding Enforcement Frontier

While private plaintiffs increasingly turn to negligence and consumer-protection theories in the wake of cyber incidents, federal enforcement trends indicate that cybersecurity lapses are increasingly carrying implications far beyond private civil litigation. In particular, the Department of Justice’s civil cyber-fraud initiative has brought cybersecurity to the forefront of False Claims Act (FCA) enforcement—a development with significant implications for universities that receive federal funding.

Formally launched to address systemic underinvestment in cybersecurity among government contractors and grantees, the civil cyber-fraud initiative targets entities that knowingly misrepresent their cybersecurity practices or compliance with federal requirements; fail to implement cybersecurity controls that are express conditions of payment; or fail to report cyber incidents as required by federal regulations or contract terms.

Crucially, a breach is not required for there to be an FCA violation. Under the DOJ’s theory, the core wrong is the misrepresentation: if an institution certifies compliance with cybersecurity requirements, such as NIST SP 800-171 for controlled unclassified information or federal reporting requirements for cyber incidents, but has not actually implemented those measures, the certification itself may be a false claim.

Recent cases illustrate how this theory is applied in practice. In 2025, Illumina, Inc. paid nearly $10 million to resolve allegations that it had misrepresented compliance with federal cybersecurity requirements for medical device software, despite no breach having occurred. Earlier cases involving defense contractors similarly turned not on the theft of data but on failures to implement required controls under Department of Defense contracts.

This enforcement posture has sweeping implications. Any organization that contracts with the federal government or receives federal funds, whether in healthcare, defense, manufacturing, research, technology, or public services, may be subject to cybersecurity-related FCA scrutiny. Even complex, decentralized organizations must ensure that their internal practices align with the cybersecurity commitments outlined in contracts, bids, compliance certifications, or grant submissions. A gap between policy and practice, or between what is certified and what is actually implemented, can expose the organization to significant financial penalties and reputational harm.

Unlike class actions, which are made public, an FCA action is filed under seal. Such an action is kept under seal for months and sometimes years. That means, given the number and speed of class actions filed against the University of Pennsylvania, it would not be surprising that an FCA action has already been filed against the university.

Conclusion

Viewed together, the UPenn incident, the court’s standing jurisprudence, and DOJ’s expanding FCA enforcement signal that cybersecurity is now a critical legal and governance obligation. Underinvestment can quickly translate into legal exposure.

Incident response has also taken on heightened legal significance. The speed and clarity with which institutions detect, escalate, investigate, and disclose cyber incidents directly influence the trajectory of litigation and regulatory scrutiny. Delays, ambiguities, or false or even incomplete notifications often become focal points in class-action claims, undermining institutional credibility.

Ultimately, these developments underscore the need for proactive oversight. Effective cybersecurity now requires coordinated action across IT, legal, compliance, and administrative domains. Budgeting, staffing, vendor management, and periodic audits are no longer technical concerns; they are components of an institution’s legal risk profile.

Edward T. Kang is the managing member of Kang Haggerty. He devotes the majority of his practice to business litigation and other litigation involving business entities. Contact him at ekang@kanghaggerty.com.

Reprinted with permission from the November 26, 2025 edition of “The Legal Intelligencer” © 2025 ALM Global, LLC. All rights reserved. Further duplication without permission is prohibited. Request academic re-use from www.copyright.com. All other uses, submit a request to asset-and-logo-licensing@alm.com. For more information visit Asset & Logo Licensing.

In the November 20, 2025 edition of The Legal Intelligencer, Kelly Lavelle writes, “Understanding and Applying Local Rules When Drafting ESI Protocols.“

ESI protocols govern how parties preserve, collect, review, and produce electronic evidence in federal litigation. What once was an obscure procedural topic now lies at the center of nearly every civil case involving documents, emails, databases and other forms of electronic data. ESI protocols provide structure and predictability in an area that can otherwise be costly and difficult to manage. A well-drafted ESI protocol defines production formats, metadata requirements, search terms, and privilege review procedures, reducing disputes and helping discovery move forward efficiently.

The Role of Local Rules in Electronic Discovery

With ESI protocols now a regular part of litigation, local rules and court practices play a more significant role in guiding the process. While the Federal Rules of Civil Procedure provide the foundation for electronic discovery, many district courts have developed their own local rules and forms to guide parties in drafting ESI protocols. Some districts have detailed local rules governing electronic discovery, while others, including the Eastern District of Pennsylvania, have not enacted a formal local rule governing ESI, but rely instead on individual judges’ policies and preferences that serve the same purpose. These guidelines show that courts expect parties to manage ESI in an organized way and to address potential issues in advance rather than waiting for them to arise. Following local practice helps lawyers know what the court expects, makes negotiations smoother, and saves time by avoiding mistakes the court has already ruled out.

Recent case law demonstrates how these local practices guide judicial decisions on ESI. In Hall v. Warren, 2025 WL 1392294 (W.D.N.Y. May 14, 2025), the parties failed to reach an agreement on an ESI protocol governing the production of electronically stored information. When negotiations fell apart, plaintiffs moved to compel production of metadata from internal reports and investigative files, arguing that such information was necessary to verify whether documents had been altered and to confirm their authenticity and completeness. Unable to obtain agreement from the parties, the court issued its own ESI protocol order that included selected provisions from each side’s proposal.

The defendants filed multiple objections to the court’s order, arguing that the order violated the district court’s local rules and imposed undue cost and technical burden. They claimed the order mandated universal metadata production, required technical tasks they could not perform, demanded compatibility with opposing counsel’s document review platform, and ordered native production without proper justification.

The court rejected these arguments, clarifying that the ESI order did not require many of the things defendants claimed it required and that the order’s actual requirements were consistent with the local rules and, in many instances, mirrored the local rules specific provisions. The order also provided flexibility for the parties to meet and confer on alternate formats or cost-sharing if a production became disproportionately burdensome.

The critical lesson from Hall is that the defendants misunderstood both the ESI order and the local rules they said it violated. The defendants clearly had read the district’s local rules because they cited them throughout their objections. Their problem was not ignorance of the local rules but misunderstanding what those rules actually required. The defendants thought the ESI order required things it did not require. They believed it violated local rules when it actually followed them. They argued that certain procedures were mandatory when the order actually provided flexibility. Because they misunderstood the local rules from the beginning, they could not negotiate effectively. As such, the defendants ended up with a court-imposed protocol that likely was less favorable than what they could have achieved through informed negotiation.

While Hall shows how local rules guide substantive resolution of ESI disputes, the case Husidic v. FR8 Solutions, No. 3:24-cv-963-WGY-SJH (M.D. Fla. Sept. 10, 2025), demonstrates the importance of complying with local procedural requirements even when parties agree. In Husidic, the parties submitted a joint motion requesting that the court enter the parties’ stipulated ESI protocol as an order. The magistrate judge denied the motion identifying three defects. First, the motion cited no legal authority for the proposition that courts should routinely enter agreed ESI protocols as orders. Second, the parties failed to include the memorandum of law required by the U.S. District Court for the Middle District of Florida’s local rules governing motion practice. Third, the request lacked any showing that court adoption of the protocol was necessary or appropriate.

The magistrate judge also identified a substantive issue with the parties’ proposed stipulation, which included ambiguous provisions referencing privilege and work-product protections that might implicate Federal Rule of Evidence 502, yet neither the stipulation nor the motion addressed Rule 502(d). The court emphasized that if parties seek a non-waiver order, they must make the request expressly and provide factual support demonstrating why such an order is necessary.

In declining to endorse the parties’ ESI protocol, the court implied that judicial resources should not be spent approving private agreements that can be managed through cooperation and adherence to the local rules. Further, compliance with local procedural requirements is essential, even when parties agree on the substance of an ESI protocol. Counsel must understand not only the local rules governing electronic discovery but also the local rules governing motion practice and the standards for obtaining court orders.

Practical Guidance for Counsel

For lawyers, these cases show that the most effective ESI protocol is one based on the local rules of the district court or specific judges’ policies and procedures. Counsel should familiarize themselves not only with the federal rules but also with the district court’s ESI checklists, policies, procedures, and discovery guidelines, many of which provide practical direction that supplements the federal rules. Before the Rule 26(f) conference, counsel should review the district’s local rules on electronic discovery and consider how those rules, and the judge’s preferences are likely to influence court resolution of any disputes. By following local rules from the beginning, parties can reduce the likelihood of motion practice and avoid judicially imposed resolutions that may be less favorable than a negotiated agreement.

Kelly A. Lavelle is an associate at Kang Haggerty. She focuses on e-discovery and information management, from preservation and collection to review and production of large volumes of electronically stored information. Contact her at klavelle@kanghaggerty.com.

Reprinted with permission from the November 20, 2025 edition of “The Legal Intelligencer” © 2025 ALM Global, LLC. All rights reserved. Further duplication without permission is prohibited. Request academic re-use from www.copyright.com. All other uses, submit a request to asset-and-logo-licensing@alm.com. For more information visit Asset & Logo Licensing.

In the November 20, 2025 edition of The Legal Intelligencer, Edward Kang writes, “Method, Not Mystique: The Renewed Demands of Rule 702.“

For many years, it was common practice to address expert challenges late in the litigation cycle. Create case themes. Discovery proceeds. Case themes change or develop alongside witness testimony. The Daubert briefing arrives near the end. The expectation was that juries would resolve competing expert views through cross-examination and credibility determinations. That cycle no longer accurately reflects reality in federal courts within the U.S. Court of Appeals for the Third Circuit and throughout the country.

Since the 2023 amendment to Federal Rule of Evidence 702, courts have adopted a more explicit and front-loaded approach to expert admissibility. The rule did not rewrite the familiar elements of qualification, reliability, and fit, but it clarified who bears what burden and when. Trial courts must now ensure, more likely than not, that an expert has not only employed a reliable method but applied that method reliably to sufficient facts or data. Issues that once passed as matters of weight for the jury now receive substantive scrutiny at the admissibility stage.

Lawyers accustomed to relying on experience-based experts must now make the analytical path explicit. Credibility and cross-examination alone could rescue a thin factual basis or an implicit chain of reasoning. Admissibility is no longer a late-stage checkpoint. It is a threshold gate, and lawyers must plan accordingly from the outset of a case.

The Approach Within the Third Circuit

In Slatowski v. Sig Sauer, 2024 WL 1078198 (E.D. Pa. Mar. 12, 2024), aff’d in part, rev’d in part and remanded, 148 F.4th 132 (3d Cir. 2025), the U.S. District Court for the Eastern District of Pennsylvania excluded two causation experts in a firearm-discharge case despite their credentials and experience. The district court found the opinions lacked a reliable analytical bridge, emphasizing that neither expert offered any conclusion that could be subject to testing or specific to the circumstances in which the plaintiff’s pistol fired. The lack of incident-focused methodology and analysis proved fatal under amended Rule 702.

The Third Circuit affirmed. The panel stressed that the “hallmark of Daubert‘s reliability” prong is the scientific method, meaning the “generation of testable hypotheses that are then subjected to the real-world crucible of experimentation, falsification/validation, and replication.” The court noted that a qualified expert must bridge the gap between theory and reality, and the lack of factual context was fatal in this case. Even if the expert testimony was “reliable about whether the [pistol’s] design could have caused an accident,” it needs to be reliable about “whether the design did cause this accident.”

It is worth noting that the court did not characterize this decision as a close call or a matter better left to cross-examination. Instead, it treated the Rule 702 amendment as a clear directive: opinions that lack testable, case-grounded reasoning cannot reach the jury. The ruling signals a practical expectation that plaintiffs must now present a documented analytical path that connects method to facts with precision, not inference or shorthand experience.

The Growing Trend of Demanding Reliable Application of Reliable Methods to Facts

Courts outside the Third Circuit are moving in the same direction. The amended rule and the advisory committee’s commentary have become a touchstone, and courts are citing them to clarify that the sufficiency of basis and reliability of application belong to judges, not juries. Three circuits illustrate this shift.

The Sixth Circuit’s approach is best illustrated by In re Onglyza and Kombiglyze Products Liability Litigation, 93 F.4th 339 (6th Cir. 2024), where exclusion of the plaintiffs’ cardiology expert was affirmed after the court found that, although the expert used “undeniably a reliable methodology,” the opinion was unreliable because it rested on selective data points and inconsistent application of several factors required by the method. The opinion cites the 2023 amendment and emphasizes its “corrective effect:” Rule 702’s recent amendments “were drafted to correct some court decisions incorrectly holding ‘that the critical questions of the sufficiency of an expert’s basis, and the application of the expert’s methodology, are questions of weight and not admissibility.’”

The Ninth Circuit’s decision reveals a similar posture, but with different emphasis. In Engilis v. Monsanto, 151 F.4th 1040 (9th Cir. 2025), the court rejected any presumption of admissibility by noting that “there is no such presumption, as a proponent of expert testimony must always establish the admissibility requirements of Rule 702 by a preponderance of the evidence.” The court affirmed the lower court’s exclusion of expert testimony and granting of summary judgment where the expert failed to provide any “scientifically sound reason” when ruling out a potential cause, thus failing to establish that his testimony was “based on sufficient facts or data.” The Fifth Circuit has been equally direct. Nairne v. Landry, 151 F.4th 666, 705 (5th Cir. 2025), reinforces the point by excluding a statistics expert who failed to explain the method-to-data application.

Across jurisdictions, the pattern is consistent. Courts expect transparent and documented analysis sufficient to show a reliable application of established methods to relevant facts. When some part of the analytical or reasoning chain is missing, courts will exercise their role as gatekeepers and exclude the expert testimony. The cases do not signal hostility to plaintiffs or to experts. They signal a renewed willingness on the part of the courts to enforce Rule 702 as written: reliability must now be demonstrated, rather than assumed.

Practical Guidance for Plaintiffs Attorneys

For plaintiffs lawyers, the shift in expert testimony admissibility is not theoretical. It reorders when and how cases must be built. The admissibility of expert testimony should be treated as a design principle from day one: identify the theory of causation early, map the analytic chain, and assemble the factual record intentionally so that each step is visible and testable. Litigation strategy must align with admissibility demands, rather than assuming that cross-examination will supply what the record lacks.

The amended Rule 702 rewards intentional sequencing. It punishes gaps that emerge only after discovery closes. Ask experts, before engagement if possible, to articulate precisely how their method connects to the facts at issue and what data they will need to apply it reliably. Build discovery around that roadmap. If testing, literature review, or additional medical documentation is necessary, get it early. Document the methodology as a narrative, not merely as a set of citations. Writing it early sharpens the analysis and exposes weaknesses in time to cure them. Treat expert testimony admissibility as architecture, not defense. In doing so, plaintiffs will not only meet the demands of Rule 702 but also strengthen the merits of their cases in the process.

Edward T. Kang is the managing member of Kang Haggerty. He devotes the majority of his practice to business litigation and other litigation involving business entities. Contact him at ekang@kanghaggerty.com.

Reprinted with permission from the November 20, 2025 edition of “The Legal Intelligencer” © 2025 ALM Global, LLC. All rights reserved. Further duplication without permission is prohibited. Request academic re-use from www.copyright.com. All other uses, submit a request to asset-and-logo-licensing@alm.com. For more information visit Asset & Logo Licensing.

In the November 10, 2025 edition of The Legal Intelligencer, Aaron Peskin writes, “POWER Act—A Philadelphia Game Changer.”

It has been no secret that for many years, Pennsylvania has lagged behind its neighbors, particularly New Jersey, when it comes to protections for whistleblowing employees. While employees on both sides of the river enjoy the same federal whistleblower protections, the similarities end at the state level. New Jersey has the Conscientious Employee Protection Act (CEPA). This statute covers all New Jersey employees and generally protects any employee that reports or objects to any sort of conduct that they believe to be illegal, unethical, or contrary to public policy. Pennsylvania meanwhile has the Pennsylvania Whistleblower Law. While that law does protect employees that report conduct of “wrongdoing or waste.” However, the scope of what is considered to be “wrongdoing or waste” has been found to be relatively narrow by courts interpreting that statute, especially the U.S. District Court for the Middle of District of Pennsylvania. And the biggest hurdle to making a claim under the Pennsylvania Whistleblower Law is that the employer must be a “public body.” This means that unless your employer is either a public entity funded by Pennsylvania tax dollars or a private entity that receives public funds, you are out of luck. This stands in stark contrast to CEPA, where any employee can sue any employer for retaliation for reporting or objecting to a wide range of conduct. And New Jersey courts have interpreted that statute as broadly as possible to favor employees.

While Pennsylvania does not have particularly strong employee protections against retaliation, Philadelphia employees now enjoy protections similar to those employees across the river thanks to the “Protect Our Workers, Enforce Rights (POWER) Act.” This law was passed by Philadelphia City Council and signed by Mayor Cherelle Parker on May 27, 2025. This act made significant changes to Title 9 of the Philadelphia Code and greatly strengthened employee protections against retaliation.

Specifically, the POWER Act prohibits retaliation against any employee seeking to assert their rights under any “Worker Protection Ordinance,” which is broadly defined to a wide range of Philadelphia ordinances protecting workers, such as concerning wage theft, fair workweek standards, and protections for domestic workers. The protected activities are similarly broadly defined and include seeking information about one’s rights, discussing their rights with another person, objecting to or refusing to participate in any conduct that violates a worker protection ordinance, making an oral or written complaint to an employer, filing a complaint with any governmental agency or court, and providing evidence or participating in any court or administrative proceeding relating to a formal or informal complaint. The POWER Act also explicitly prohibits an employer from retaliating against an employee that takes sick leave under the Philadelphia Sick Leave Law.

Perhaps most importantly, the POWER Act creates a rebuttable presumption of retaliation when an employer takes an adverse employment action, such as firing, suspending, demoting or otherwise penalizing an employee, within 90 days of the protected activity. This effectively turns the relevant standard for retaliation on its ear. In New Jersey and when dealing with Federal statutes, 90 days is generally held to create an inference of retaliation, but one that is can be rebutted by the employer through a preponderance of the evidence to show legitimate non-retaliatory reason(s) for the adverse employment action. In Philadelphia, however, the employer must show the non-retaliatory reason(s) by way of clear and convincing evidence. This is a significantly higher bar than that in most other jurisdictions and employers should be mindful of this standard.

Beyond the retaliation protections the POWER Act is also a gamechanger in several other respects. First, the POWER Act has strengthened the Philadelphia Department of Labor’s Office of Worker Protections (OWP), empowering it to conduct proactive workplace investigations and to hold employers accountable for violations of Philadelphia ordinances, such as the paid sick leave law and the Domestic Workers’ Bill of Rights. It also allows the city to suspend or revoke business licenses and city procurement contracts of employers with repeated violations and requires the creation of a “bad actors database” that publicly lists employers with three or more violations. If OWP finds that employer has violated the POWER Act, the agency can seek civil penalties of $2,000 for each violation. Those fines will be paid into a Worker Justice Fund, which will give back to employees that have suffered monetarily, physically, or mentally as a result of retaliation.

Second, while the OWP has extensive enforcement power, an employee does not necessarily have to exercise their rights through that office. The POWER Act also creates a private right of action against an employer that violates that ordinance and they do not need to exhaust administrative remedies (such as reporting to OWP) before doing so. In doing so, employees can seek damages directly from the employer, which is a significant change from previous practices where penalties were directed solely to the City. Before filing suit, an employee must give the employer the opportunity to cure the alleged infraction within 15 days, but that requirement is waived for instances of retaliation. That means that an employee may file suit immediately after he or she believes that retaliation has taken place. The statute of limitations for a claim under the POWER Act is three years, which is significantly longer than most federal statutes and even two years beyond that permitted under CEPA.

Third, the POWER has strengthened protections for immigrant workers. It authorizes the OWP to certification applications and submit statements of interest on behalf of those workers, including those subject to unlawful retaliation, who may be eligible for a U Visa or T Visa under the Victims of Trafficking and Violence Protection Act or for the Deferred Action Program.

National Recognition

• Tier 2 – Construction Law
• Tier 2 – Litigation – Construction

Regional Rankings – Philadelphia Metro

• Tier 1 – Construction Law
• Tier 1 – Litigation – Construction
• Tier 2 – Commercial Litigation

These rankings reflect the firm’s continued strength in complex construction and commercial matters, as well as its commitment to delivering strategic, results-driven counsel across the region and beyond.

About Best Law Firms®

Since its inception in 2010, Best Law Firms® has been a nationally respected benchmark for legal excellence. Its rankings are based on a rigorous, data-driven methodology that blends detailed client feedback, peer evaluations, and comprehensive firm data. Recognition by Best Law Firms® reflects a consistent record of professional achievement, deep legal expertise, and a steadfast commitment to client service.