Close
Enter your
text here

Preservation

When Lawyers Get Sued, They Have Preservation Obligations Too – eDiscovery Case Law

In Distefano v. Law Offices of Barbara H. Katsos, PC., No. CV 11-2893 (JS) (AKT) (D. ED NY Mar. 29, 2013), New York Magistrate Judge A. Kathleen Tomlinson found that the defendant (an attorney who was being sued by the plaintiff she previously represented for breach of contract, negligence/legal malpractice, and breach of fiduciary duty/duty of care) had a duty to preserve information from a discarded computer and ordered a hearing for the defendant to address a number of questions to determine the potential relevance of the destroyed data and whether the defendant had a sufficiently culpable state of mind.

The plaintiff alleged professional negligence by the defendant related to her representation of his franchise business for Cold Stone Creamery stores.  During a Discovery Status Conference, it was revealed that the defendant had gotten rid of her computer before the litigation began, as she noted in her affidavit that she was advised by a third-party individual who fixed her office computers that they could not be repaired.  As she used AOL for email correspondence, she contacted AOL “to inquire if emails from several years ago could be recovered by AOL”, but was told that they “could not recover emails from several years ago for the stated email address”.  After receiving the defendant’s affidavit, the plaintiff filed a motion for spoliation.

With regard to the defendant’s duty to preserve information related to her representation of the plaintiff, Judge Tomlinson stated:

“The Court concludes that Katsos’ duty to preserve documents arose as early as late February 2009, when Michael DiStefano terminated the attorney-client relationship between Plaintiffs and Defendants.”  On February 24, 2009, the plaintiff send the defendant a letter terminating the representation “immediately” and stated that he would “communicate with you further, in writing, so as to explain the reasons why I am discharging you.”  Noting that the “language of Michael DiStefano’s letter gives the appearance that Distefano was not satisfied with Katsos’ work”, Judge Tomlinson also noted that “[i]n assessing whether litigation was reasonably foreseeable in these circumstances, the Court cannot ignore the fact that Katsos is an attorney and should have been attuned to the prospect of litigation.”

To determine the defendant’s culpable state of mind, Judge Tomlinson ordered a hearing on May 13 for the defendant to “be prepared to testify regarding, among other things, the following areas:

  1. Katsos’ normal document preservation/retention/deletion/destruction practices;
  2. the number of computers utilized in her office prior to 2009, when the computers were purchased, and the specific circumstances surrounding the breakdown of each of those computers;
  3. the service agreements for those computers and the vendor(s) used;
  4. whether Katsos maintained a network server;
  5. AOL’s automatic deletion policies to the extent they were explained to Katsos;
  6. a complete list of every email address used by Defendant Law Offices of Barbara H. Katsos, PC and Defendant Barbara Katsos or her staff to communicate with Plaintiffs;
  7. Katsos’ attempts to gain access to the email accounts used by her paralegals and interns referenced in Paragraph 5 of Katsos Aff. II and page 16 of Plaintiffs’ Memorandum;
  8. the document preservation steps undertaken by Katsos when Plaintiffs instituted an adversary proceeding against her in March of 2010;
  9. the retention and utilization of the services of Jan Sloboda.” (the third-party individual that advised her to replace her computers)

The plaintiffs were also ordered to identify “general categories of documents that have been adversely affected” to help determine the relevance of the data in question and were permitted to question the defendant at the hearing.

So, what do you think?  Was this an appropriate course of action to determine whether sanctions are appropriate?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Image is Everything, But it Doesn’t Have to Cost Anything – eDiscovery Best Practices

Do you remember this commercial?  Can you believe it’s 23 years old?

Let’s recap.  So far, in our discussion of free utilities for collection of data for eDiscovery, we’ve discussed the pitfalls of using drag and drop, the benefits of Robocopy (illustrating with the same example copy) and the benefits (and pitfalls) of Richcopy for targeted collection.  But, are there any free tools that will enable you to perform a bit-by-bit forensic image copy that includes deleted files and slack space data?  Yes, there is.

Forensic Toolkit (FTK) is a computer forensics software application provided by AccessData.  The toolkit includes a standalone disk imaging program called FTK Imager.  FTK Imager is a free tool that saves an image of a hard disk in one file or in segments that may be reconstructed later. It calculates MD5 or SHA-1 hash values of the original and the copy, confirming the integrity of the data before closing the files.

With FTK Imager, you can:

  • Create forensic images of local hard drives, floppy diskettes, Zip disks, CDs, and DVDs, entire folders, or individual files from various places within the media.
  • Preview files and folders on local hard drives, network drives, floppy diskettes, Zip disks, CDs, and DVDs – including files located in container files such as ZIP or RAR files.
  • Preview the contents of forensic images stored on the local machine or on a network drive.
  • Mount an image for a read-only view that leverages Windows Explorer to see the content of the image exactly as the user saw it on the original drive.
  • Export files and folders from forensic images.
  • See and recover files that have been deleted from the Recycle Bin, but have not yet been overwritten on the drive.
  • Create MD5 or SHA-1 hashes of files and generate hash reports for regular files and disk images (including files inside disk images) that you can later use as a benchmark to prove the integrity of your case evidence. When a full drive is imaged, a hash generated by FTK Imager can be used to verify that the image hash and the drive hash match after the image is created, and that the image has remained unchanged since acquisition.

Like all forensically-sound collection tools, it retains the file system metadata (and the file path) and creates a log of the files copied.  You can also provide Case Number, Evidence Number, Unique Description, Examiner, and any Notes for tracking purposes to aid in chain of custody tracking.

To download FTK Imager, you can go to the AccessData Product Downloads page here.  Look for the link for FTK Imager in “Current Releases” (it’s currently the seventh item on the list) and open the folder and select the current version of FTK Imager (currently v3.1.2, released on 12/13/12).

Next week, we will begin to discuss how to use FTK Imager to preview files, create forensic images, recover deleted files and use hash values to validate your image.

So, what do you think?  Have you used FTK Imager as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Court Agrees with Defendant that Preserving 5 Terabytes of Data is Enough – eDiscovery Case Law

In United States ex rel. King v. Solvay, S.A., No. H-06-2662, 2013 U.S. Dist. LEXIS 30752 (S.D. Tex. Mar. 5, 2013), Texas District Judge Gray Miller granted the defendant’s request for a protective order where the plaintiffs only offered generalized, unsupported claims to support their request to extend and expand discovery.

In this False Claims Act, the plaintiffs, qui tam relators whose claims led to investigation by several state attorneys general, claimed the defendants engaged in off-label promotion of drugs, violated the anti-kickback statute, and retaliated against them.

The defendant, Solvay Pharmaceuticals, now doing business as Abbott Products (after Abbott acquired Solvay in 2010), filed a motion seeking a protective order from having to respond to the relators’ discovery requests about ongoing fraud, which it claimed were irrelevant to the claims in the lawsuit.

During the course of discovery, the company imposed a litigation hold and preserved more than 2,500 eMail backup tapes, more than 56,000 network share backup tapes, and roughly 5 terabytes of data on its network share drives—all dating from the 1990s through 2010 – and covering 89 custodians, both former and current employees. But the relators requested more. If the litigation hold were to expand to accommodate the relators’ requests, it would require the company to dedicate additional server space to store the data. Moreover, the company argued that it would cost at least $480,000 to process the eMails it was already preserving, and the review of those eMails would cost $2.3 million, excluding quality control, privilege review, and production costs. Adding the additional data from after Abbott acquired Solvay would drive these costs substantially higher. The relators objected, suggesting that the company’s “sweeping generalizations” about the potential burden were inaccurate. In the alternative, the relators agreed to an end date of December 31, 2012 or to depose witnesses to determine the appropriate cutoff.

Under Federal Rule of Civil Procedure 26(c)(1), courts can limit discovery to protect parties from undue burden or expense. Judge Miller agreed with the defendant that a few references that conduct was continuing “‘to the present’ in a 267-page complaint containing more than 768 paragraphs does not justify the burden and expense associated with unfettered discovery ‘to the present’ in a case in which discovery is already going to be incredibly expensive and time-consuming.” Although Judge Miller was willing to extend the relevant time frame to include some claims outside of the relators’ personal knowledge because the real party in interest was the United States, he was not willing to go so far as to permit the “generalized claims of ongoing conduct to form the basis for a fishing expedition.”  As a result, he granted the motion for a protective order, limiting the time frames for Solvay’s discovery obligations.

So, what do you think?  Was the judge right to limit the defendant’s discovery obligations?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case Summary Source: Applied Discovery (free subscription required).  For eDiscovery news and best practices, check out the Applied Discovery Blog here.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

You Don’t Have to Be Rich to Use Richcopy – eDiscovery Best Practices

A couple of weeks ago, we discussed the pitfalls of using drag and drop for collecting files for eDiscovery and illustrated an example using a blog post that I wrote about a month ago in a Word document for the post Five Common Myths About Predictive Coding.  If you followed the steps along with one of your own files, you noticed that the resulting file appeared to have been modified before it was created, which reflects spoliation of the metadata during the copy process.

Last week, we discussed the benefits of Robocopy, how to access it via the command line prompt (if you have Windows Vista or later) and how to get it (if you don’t).  Then, we performed an example copy (using an Excel script I use to create the copy) and took a look at the results to show how the date metadata was preserved during the copy.  If you’d still like a copy of the Excel Robocopy script, feel free to request it by emailing me at daustin@cloudnincloudnine.comm.

If you want to be able to perform a forensically sound targeted collection, but would prefer a GUI based tool for performing the copy (instead of a command-line tool like Robocopy), then perhaps you should consider Richcopy.  RichCopy is a free computer utility program developed by Ken Tamaru of Microsoft to copy file directories.  It has some advantages, but also some pitfalls, to consider as a targeted copy and collection tool.

One of the benefits of Richcopy (in addition to the GUI interface) is that it copies several files simultaneously (“multi-threaded”), which can drastically reduce the time required for multi-gigabyte file copy operations (earlier versions of Robocopy didn’t support multi-threaded copying, but the current one does, with the /MT[:n] command).

Unfortunately, Richcopy has not been updated in nearly four years by the developer, so you may run into issues (for example, it apparently doesn’t handle file names longer than 255 characters) and, as a free utility, it’s not supported by Microsoft.  Also, Help doesn’t open up throughout much of the application, so getting additional information from the help file is not always easy.  Consider yourself warned.

You can download a copy of Richcopy from the link in this TechNet magazine article.  I did so, and performed the same copy of the Word document for the post Five Common Myths About Predictive Coding that I performed in the other cases.  Let’s see how Richcopy handled that file copy.

You’ll see below that the main form of Richcopy provides the ability to select the source and destination paths, and specify options (as indicated by the red box).  Once you have the parameters set, click the green “Go” button (as indicated by the red circle) to perform the copy.  Progress and logging information will appear in the two status windows below.

The Options button opens a dialog for specifying a variety of options, including copy parameters, thread counts, file attributes and error handling, files to be included and/or excluded (by name, extension or attributes, such as excluding system files) and logging.  As you’ll see below, I set the “files to be included” option to copy the example file I’ve been using in the other tests.

The result?  I did get a copy of the selected file which contained preserved file metadata (i.e., the Created date and the Accessed date reflect the original date and time when the file was created and last accessed).  However, it also copied empty folder for all of the folders underneath the source folder.  I couldn’t figure out how to turn it off and the aforementioned Help file issues didn’t enable me to identify a workaround.

If you absolutely require a GUI interface for free targeted file collection, Richcopy may be a better alternative than Robocopy, but not necessarily the best alternative.  Next week, we’ll begin discussing another free GUI alternative that not only supports targeted collection of files, but also supports bit-by-bit imaging to capture deleted files and slack space data!

So, what do you think?  Have you used Richcopy as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Changes to Federal eDiscovery Rules Could Be Coming Within a Year – eDiscovery Trends

As reported by Henry Kelston in Law Technology News (Are We on the Cusp of Major Changes to E-Discovery Rules?), another major set of amendments to the discovery provisions of the Federal Rules of Civil Procedure is getting closer and could be adopted within the year.  The United States Courts’ Advisory Committee on Civil Rules voted last week to send a slate of proposed amendments up the rulemaking chain, to its Standing Committee on Rules of Practice and Procedure, with a recommendation that the proposals be approved for publication and public comment later this year.

Potential Revisions that Have Impact to Discovery Include:

  • Rule 26: Changes incorporate a limitation to the general scope of discovery allowed by Rule 26(b)(1) as to what is proportional to the needs of the case, measured by the cost-benefit calculus now required by Rule 26(b)(2)(C)(iii) that is currently used most often when a party moves to limit discovery.
  • Rules 30 and 31: Changes reduce the number of depositions (oral and written) allowed per side, from 10 to 5, and reduce the time limit for each deposition, from 7 hours to 6 hours.
  • Rule 33: Changes reduce the number of interrogatories permitted, from 25 to 15.
  • Rule 34: Amendment requires that objections to document requests be stated with specificity and include a statement as to whether any responsive materials are being withheld on the basis of the objection.
  • Rule 36: Implements a new limit of 25 requests for admission for each party, with requests to admit the genuineness of documents expressly exempted from the limit of 25.
  • Rule 37: The proposed amendment in Rule 37(e) is intended to create a uniform national standard regarding the level of culpability required to justify severe sanctions for spoliation, establishing a non-sanction category of measures a court may impose when it finds that a party failed to meet its preservation obligation, such as allowing additional discovery, requiring a party to recreate or obtain the information it lost, or ordering a party to pay reasonable expenses resulting from the loss of information.  Rule 37(b)(2)(A) includes a “hotly debated” amendment that the court may impose sanctions or order an adverse jury instruction only if it finds that the failure to preserve caused “substantial prejudice” in the litigation and was “willful or in bad faith,” or that the failure to preserve “irreparably deprived a party of any meaningful opportunity” to litigate the claims in the action.

The proposed changes to Rule 37, in particular, appear to give producing parties more latitude when failing to meet their preservation obligation was not willful or in bad faith.  As the article notes, “if the standing committee approves the proposed amendments for publication at its meeting in early June, the amendments would be published for public comment soon thereafter. The public comment period for proposed rules normally lasts six months. The advisory committee, anticipating a high level of public interest in the proposals, plans to hold several days of public hearings in different cities around the U.S., with dates and locations yet to be announced.”

So, what do you think?  Are you pleased or concerned with the proposed amendments?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Performing an Example Copy with Robocopy – eDiscovery Best Practices

Yesterday, we discussed the benefits of Robocopy, how to access it via the command line prompt (if you have Windows Vista or later) and how to get it (if you don’t).  Today, we’re going to perform an example copy and take a look at the results.

As you’ll recall, we discussed the pitfalls last week of using drag and drop for collecting files for eDiscovery and illustrated an example using a blog post that I wrote about a month ago in a Word document for the post Five Common Myths About Predictive Coding.  If you followed the steps along with one of your own files, you noticed that the resulting file appeared to have been modified before it was created, which reflects spoliation of the metadata during the copy process.  Let’s see how Robocopy handles that file copy.

I mentioned yesterday that Robocopy is a command line tool.  If you’re really good at typing long commands at the command prompt without making a mistake, you can enter cmd in the ‘Search programs and files’ box from the Windows Start menu (‘Start’, then ‘Run’, for older versions on Windows) and that will open up a window with the command prompt.  Feel free to “have at it”.

I actually use Excel as a Robocopy script builder – courtesy of CloudNine Discovery’s Vice President of Computer Forensics, Michael Heslop (thanks, Mikey!).  The Excel workbook that I’m using takes user entered information regarding the custodian’s files to be copied and uses that to build a Robocopy statement that can then be executed at the command prompt.  I have three script examples in the Excel file: 1) Script to copy all files/folders in a folder path, 2) Script to copy specific file extensions in a folder path, and 3) Script to copy one file in a folder path.  It’s the third script example I’ll use here.

You’ll see below that I’ve highlighted the changes I’ve made to the single file copy script in the Excel spreadsheet, specifying the file name that I want to copy, the name of the custodian, the destination drive (in this case, the “E:” drive which references a connected external drive) and the path to be copied.

The resulting Robocopy statement created is as follows:

robocopy “C:Usersdaustin” “E:Austin, DougCUsersdaustin” “Common Myths About Predictive Coding–eDiscovery Best Practices.docx” /S /ZB /XJ /V /TEE /W:0 /R:0 /LOG+:”E:RobcopyLog-Austin,Doug.log”

This statement (that Michael created) takes the prompt information I’ve provided and uses it to build the Robocopy statement with desired copy and logging options.  To see a list of available options for Robocopy, type robocopy /? at the command prompt.

I take the Robocopy statement and copy it, pasting it into an empty file in Notepad or Wordpad, then save it with a file name that contains a “.bat” extension (e.g., robocop1.bat, saved to my desktop).  Then, simply double-click the file and it will open up a command window on the desktop and execute the statement.

Doing so put a copy of the file in the E:Austin, DougCUsersdaustinDocuments folder.  It also created a log file at the root which documents every folder it checked and the one folder in which it found the file.  Look at the properties of the copied file and you’ll see:

The Created date and the Accessed date reflect the original date and time when the file was created and last accessed.  That’s what we want!

You can request a copy of my Excel Robocopy script builder by sending an email to me at daustin@cloudnincloudnine.comm and I’ll be happy to send it to you.   It’s rudimentary, but it works!

So, what do you think?  Have you used Robocopy as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Want to Save Your Metadata in Collection? Robocop(y) to the Rescue! – eDiscovery Best Practices

I may be showing my age, but I love the original movie RoboCop (1987).  Good movie for its time (the original, not the sequels).  But, I digress…

Last week, we discussed the pitfalls of using drag and drop for collecting files for eDiscovery and illustrated an example using a blog post that I wrote about a month ago in a Word document for the post Five Common Myths About Predictive Coding.  If you followed the steps along with one of your own files, you noticed that the resulting file appeared to have been modified before it was created, which reflects spoliation of the metadata during the copy process.

I mentioned that there are better, more forensically sound, free methods for collecting data.  One such method is Robocopy.  Robocopy is short for “Robust File Copy”.  So, technically, it has nothing to do with RoboCop, unless you consider that it protects your file metadata during the copy and saves you from spoliation of data.  Here are some key benefits:

  • Saves Metadata: Preserves file system date/time stamps which, as we illustrated last week, drag and drop does not preserve;
  • Targeted Collections: Suitable for targeted active file collections, primarily based on copying folders and their contents (files and sub-folders), not for deleted files or data from unallocated space;
  • Reliable: Enables the user to resume copying where it left off in the event of network/system interruptions;
  • Complete: Supports mirroring of the source folder so that the entire contents can be copied, including empty folders;
  • Self-Documenting: Provides an option to log the copy process for self-documentation, useful for chain of custody tracking.

If you have Windows Vista (or a later version of Windows, such as Windows 7 or Windows 8), you already have the command line version of Robocopy.  Robocopy provides numerous options for copying, including how files are copied, which files are selected, options for retrying files that fail to copy and options to log the copy process.  To see all syntax options for Robocopy (and there are many), type robocopy /? at the command prompt.

If you have an earlier version of Windows (like XP), Robocopy is not automatically included with your version of Windows.  To install it you have two options: 1. Download the robocopy.exe from the Windows 2003 resource kit, or 2. Install a GUI version which includes the exe.

If you prefer a GUI interface for later versions of Windows, you can try Richcopy (which we will discuss next week).

Not excited about using a command line tool?  Tomorrow, we will walk through a Robocopy exercise with the same file I copied last week and I will discuss how you can build a Robocopy “script” in Excel (or use one that I already have) to make the copying and collection process easier.

So, what do you think?  Have you used Robocopy as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

Image Copyright ©Metro-Goldwyn-Mayer Studios Inc.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Plaintiff Receives Adverse Inference Sanction for Deleting Facebook Profile – eDiscovery Case Law

Unlike last week’s case law summary about a case where a request for social media data was denied, this week’s case law summary relates to sanctions for deleting a social media data profile.

In Gatto v. United Air Lines, Inc., No. 10-cv-1090-ES-SCM, (D.N.J. Mar. 25, 2013), New Jersey Magistrate Judge Steven C. Mannion issued an adverse inference sanction against the plaintiff for failing to preserve data due to the fact that he either, deactivated his Facebook account and allowed the account to be automatically deleted after fourteen days, or that he deleted the account outright.  Judge Mannion denied the defendant’s request for attorney’s fees and costs for “the time and effort it was forced to expend in an effort to obtain discovery”.

Case Background

In this personal injury action, a ground operations supervisor alleged injuries after vehicles operated by the defendants did “crash into him”.  The defendants served a production request to the plaintiff in July 2011 which included a request for documents and information related to social media accounts maintained by the plaintiff.  In November 2011, the plaintiff provided the defendants with signed authorizations for the release of information from sites such as eBay and PayPal, but did not include an authorization for the release of records from Facebook.  In a settlement conference in December 2011, the judge ordered the plaintiff to execute an authorization for the release of documents and information from Facebook and the plaintiff agreed to change his password and provide it to the defendants.

However, the parties disputed whether it was agreed that defense counsel would directly access the plaintiff’s Facebook account.  The defendants subsequently accessed the account and the plaintiff received an alert from Facebook that his account was logged onto from an unfamiliar IP address.  After, in January 2012, the plaintiff’s counsel agreed to download the Facebook account information and provide a copy to the parties, it was determined that the plaintiff’s Facebook account had been deactivated back on December 16, 2011 (after he received the alert from Facebook), and that all of the plaintiff’s account data was lost.  As a result, the defendants requested the adverse inference instruction and monetary sanctions.

Judge’s Evaluation and Ruling

Judge Mannion noted four factors in considering an adverse inference instruction sanction:

  1. the evidence was within the party’s control;
  2. there was an actual suppression or withholding of evidence;
  3. the evidence was destroyed or withheld was relevant to the claims or defenses; and
  4. it was reasonably foreseeable that the evidence would be discoverable.

Judge Mannion stated, “Here, the deletion of Plaintiff’s Facebook account clearly satisfies the first, third, and fourth of the aforementioned factors.  Plaintiff’s Facebook account was clearly within his control, as Plaintiff had authority to add, delete, or modify his account’s content…It is also clear that Plaintiff’s Facebook account was relevant to the litigation.”  With regard to the second factor and the plaintiff’s claim that the deletion was unintentional, Judge Mannion ruled that “Even if Plaintiff did not intend to permanently deprive the defendants of the information associated with his Facebook account, there is no dispute that Plaintiff intentionally deactivated the account. In doing so, and then failing to reactivate the account within the necessary time period, Plaintiff effectively caused the account to be permanently deleted.”  Finding all four factors satisfied, Judge Mannion granted the adverse inference instruction sanction.  With regard to the request for fees and costs, Judge Mannion ruled that “such a decision is left to the discretion of the court” and denied the request.

So, what do you think?  Was the sanction appropriate?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Pop Quiz: Is it Possible for a File to be Modified Before it is Created? – eDiscovery Best Practices

Sounds like a trick question, doesn’t it?  The answer is yes.  And, collecting files in a forensically unsound manner can be a drag…and drop.

You know those TV shows where they say “Don’t try this at home?”  Here is an exercise you can try at home.  Follow these steps:

Open Windows Explorer and go to one of your commonly used folders – for example, your Documents folder.  Select one of the documents by clicking on it.  Then, hold down the Ctrl key on your keyboard and drag that file to another folder (preferably another of your commonly used folders).  You’ve just created a copy of that file.  BTW, be sure you hold down the Ctrl key when dragging; otherwise, you will move the file to the new folder instead of copying it.

Go to the folder containing the new copy of the file in Windows Explorer and right-click on the file, then select Properties from the pop-up menu.  You will then see a Properties window similar to the one in the graphic at the top of this blog post.  In my example, I used a blog post that I wrote about a month ago in a Word document for the post Five Common Myths About Predictive Coding.

Notice anything unusual?  The Created date and the Accessed date reflect the date and time that you performed a “drag and drop” of the file to create a copy of it in a new location.  The Modified date still reflects the date the original file was last modified – in my example above, the modified date is the date and time when I last edited that document in Word.  The file appears to have been modified one month before it was created.*

If this were an eDiscovery collection scenario and you used “drag and drop” to collect a file like this, then…congratulations! – you’ve just spoliated metadata during the collection process.  This is one reason why “drag and drop” is not a recommended approach for collecting data for eDiscovery purposes.

There are better, more forensically sound, free methods for collecting data, even if your goal is simply to perform a targeted collection of active files from within a folder.  If you wish to also collect deleted files and data from drive “slack space”, there are free methods for performing that collection as well.  Next week, we will begin discussing some of those methods.

So, what do you think?  Have you used “drag and drop” as a mechanism for eDiscovery collection?  Please share any comments you might have or if you’d like to know more about a particular topic.

* – Microsoft Office files do keep their own internal metadata date fields, so the date created would still be preserved within that field.  Other file types do not, so the “drag and drop” method would eliminate the date created completely for the new copies of those files.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

The Hammer Comes Down on Losing Plaintiff for Spoliation of Data – eDiscovery Case Law

Apparently, having your case dismissed isn’t the worst that can happen to you for egregious spoliation of data.  You can also be ordered to pay the winning party over $200,000 in fees and costs for the case.

In Taylor v. Mitre Corp., No. 1:11-cv-1247, 2013 (E.D. Va. Feb. 13, 2013), Virginia District Judge Liam O’Grady partially granted the prevailing defendant’s motion for fees and costs after the court dismissed the case due to the plaintiff’s spoliation of evidence. The court refused to grant the costs of image processing because the defendant did not adequately explain the services involved; it granted the costs of forensic analysis of the plaintiff’s laptop and made a partial award of attorneys’ fees given the difficulty in litigating this issue.

In November 2012 (as discussed on this blog here), Judge O’Grady dismissed the plaintiff’s employment-related claims against his former employer, Mitre. Taylor had used a sledgehammer to destroy a computer and data wiping programs to eliminate data from his laptop, prompting case-ending spoliation remedies. When the court ruled in favor of Mitre, it also ruled that Taylor should pay for Mitre’s fees and costs associated with its motion for sanctions.

Mitre claimed fees in the amount of $378,480 and costs in the amount of $49,245. The fees included the costs of forensic analysis of Taylor’s computer and image processing. Noting the “scant case law on the issue of image processing,” Judge O’Grady declined to award costs for this service and also referenced Mitre’s failure to explain “what these image processing services entailed (for example, what does it mean to ‘blow back TIFF images,’ why does it cost $686.00, and why did it need to be performed twice?), but Mitre [made] no claim that the resulting images were ever admitted into evidence.” Although rejecting more than $5,000 of Mitre’s claim, the court permitted Mitre to submit an additional motion to explain these fees.

Mitre also claimed costs of more than $32,000 to analyze Taylor’s laptop. Finding that “Taylor’s intentional destruction of evidence no doubt made forensic analysis of his computer more time consuming and expensive,” Judge O’Grady awarded the fee. However, he partially rejected the request for costs because “the Taxation Guidelines do not entitle Mitre to expert witness fees beyond the $40 per day, plus travel and incidentals, afforded to lay witnesses.” Accordingly the court awarded Mitre the costs of the forensic analysis, minus the costs of $3,200 charged for “‘testimony preparation’ and ‘expert testimony.’”

In addition, Mitre’s attorneys sought compensation for the work they did “as a result of Mr. Taylor’s spoliation. The bill is for 649.2 hours of attorney time and 245.4 hours of paralegal time, for a grand total of $378,480.00 in fees.” The court reduced the hours of the attorneys to 487 hours, finding that some of the time would have been spent regardless of the spoliation, with the rest acceptable because the “spoliation issue was, however, contentious and much ink was spilled.” The court rejected the request for paralegal time, finding the tasks they performed either administrative or attorney work. Ultimately, the court awarded fees of $163,882.18.  Including the awarded costs, the total came to $202,399.66 in fees and costs awarded – a hefty price for using a sledgehammer and data wiping software on two discoverable computers.

So, what do you think?  Were the awarded costs appropriate?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case Summary Source: Applied Discovery (free subscription required).  For eDiscovery news and best practices, check out the Applied Discovery Blog here.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.