SEC magnifying glassThe prosecution of Martin Shkreli, whom the BBC has called “the most hated man in America,” reveals some important lessons about the Fourth Amendment protections against search and seizure in the digital corporate context: physical access to documents on a server may trump actual ownership of records.

In December 2015, former head of the pharmaceutical company Retrophin, Martin Shkreli, was indicted for conspiracy to commit securities fraud. Federal prosecutors in Brooklyn have alleged that Shkreli raided Retrophin to pay investors in two hedge funds he managed, MSMB Capital Management LP and MSMB Healthcare Management LP. In response to a government subpoena following Shkreli’s indictment, the publicly-traded Retrophin produced troves of MSMB Capital and MSBM Healthcare-related documents. Shkreli subsequently moved to suppress those documents, arguing their use violated his Fourth Amendment protection against searches and seizures.

Shkreli argued that, although he used his MSMB entities’ email to conduct Retrophin business, and although MSMB entity information was stored on Retrophin servers, the produced MSMB information was password protected and thus not accessible to Retrophin. Therefore, in accessing and producing password-protected information, Retrophin had violated Shkreli’s Fourth Amendment rights.

The government responded, sending the court a letter saying Retrophin had confirmed that no separate password was required to access MSMB entity emails stored on the Retrophin servers, and that Retrophin, not Shkreli or MSMB entities, paid for and maintained the servers that housed the documents at issue. Therefore, the government asserted Shkreli’s Fourth Amendment rights were not violated by the production of the MSMB entity data.

Judge Kiyo Matsumoto denied Shkreli’s suppression attempts, finding that Shkreli did not have a reasonable expectation of privacy in the documents at issue. Entities that share physical or server space should learn from Shkreli’s experience. To protect against unauthorized government searches and seizures, entities sharing servers should password protect distinct-entity documents and consider sharing the costs of hosting servers.