Preservation

eDiscovery Trends: Joseph Collins

 

This is the fifth of our Holiday Thought Leader Interview series, originally scheduled to be published on Tuesday, but rescheduled to today.  I interviewed several thought leaders to get their perspectives on various eDiscovery topics.

Today’s thought leader is Joseph Collins.  Joseph is the co-founder and president of VaporStream, which provides recordless communications. Joseph previously worked in the energy marketplace, but has become an advocate for private communication in business, even within the legal community.

Your product is designed to provide email-like communications that leave no record after being read. How did you get interested in communications that do not leave records? Why is this a legitimate business need?

We got into recordless communications because of the basic lack of privacy and confidentiality online.  When I got my first email account back in the day I was told to be very careful what I write because you have no control over that message; I had to write like what I was writing was going to be on the front page of the newspaper.  The problem is people just don’t communicate that way, people need privacy and email and text just do not allow for it.

There is a legitimate business need because businesses need privacy and confidentiality for their internal communications.  Many times employees need to have confidential discussions and VaporStream facilitates that.  Having frank and honest communications is paramount in any company, and it is very hard to have that when you think that that email and conversation might end up in the wrong place.

Businesses do not need to “keep everything,” in fact they need to be able to decide what is considered to be material business information and what is not.  VaporStream facilitates this decision making process because the data creator is going to be much better at knowing what needs to be retained than a record management person on the back end.

How do you address the concerns of the legal community about VaporStream communications? Lawyers have been trained to keep records of everything- why should they consider using a service like yours?

Most lawyers keep everything because they already get private communications via attorney privilege, but also because they bill by the hour and want the email to prove it.  So lawyers are not our target market, but their clients are, and lawyers understand the risk and liability in communications.  There is one set of lawyers that can and do use VaporStream: IP lawyers. Their email is discoverable as part of the patent process, so we find IP lawyers like to use it to have those private and confidential communications that they need to effectively do their job.

Does VaporStream enable law breaking? If the executives at Enron had used a product like this, would they have gotten away with conspiring to manipulate financial data?

VaporStream is a technology and any technology can be misused, just like a knife or a car, there are benefits and possible misuse. From a corporate perspective you can use our VaporStream Enterprise Server, which will allow you to use filters just like corporate email and give companies protection from misuse.

In no way would VaporStream have helped Enron. The guys at Enron got caught because they committed fraud, not because of some smoking gun in email discovery. It was the fraud that bankrupted Enron, not the communications around it.

Do you think that organizations over-preserve electronic evidence? Is there an argument to be made for more data destruction and less retention?

Absolutely, but the question is how do you accomplish this task. Best practices for data preservation and destruction have been around for a while now, but are companies better off today? Looking at the headlines for newspapers and the mountains of eDiscovery, it is clear the answer is no.

VaporStream allows companies to keep the valuable business information in email and then automatically get rid of the non-material information that is created by the company. By keeping information you do not need, not only are you wasting lots of money each year, but it is a tremendous legal liability. Again, most companies are not obligated to “keep everything,” so it’s crazy to do so.

What does this mean for eDiscovery? Could parties get in trouble for a failure to preserve evidence if it's discovered they use a service like VaporStream to communicate information relevant to a case?

Well, the key to using VaporStream is to have a sound user policy. Then users will know when to use VaporStream and when not to use it. If there is a situation where there is say, a legal hold, then it probably would not be a good choice to use VaporStream in that situation. By having the proper user policy, the company is protected, and VaporStream is an extension of that policy.

What is the future of this kind of communication? How does recordless communication fit into a world of social media and mobile computing where people leave digital communications all over the place?

When we look at the communications landscape, there are lots of places to share, which is great, but there is no place to have a private conversation. It’s hard to have honest and frank discussions without having trust in the communications channel.  If you think about the online world as an extension of the real world there still needs to be a place to have a private chat.

Thanks, Joseph, for participating in the interview!

And to the readers, as always, please share any comments you might have or if you’d like to know more about a particular topic!

Editor's Note: eDiscovery Daily will take a break for a couple of days to celebrate the holidays and will resume posts on Tuesday, December 27.  Happy Holidays from all of us at Cloudnine Discovery and eDiscovery Daily!

eDiscovery Trends: Sharon Nelson

 

This is the sixth and final installment of our Holiday Thought Leader Interview series. I interviewed several thought leaders to get their perspectives on various eDiscovery topics.

Today’s thought leader is Sharon Nelson.  Sharon is the President of Sensei Enterprises, where she has worked on the front lines of computer forensics and eDiscovery topics that are also discussed on her blog Ride the Lightning. She is a graduate of the Georgetown University Law Center and is the president elect of the Virginia Bar Association.

Last week, I interviewed Sharon’s husband, John Simek, who is vice president of Sensei. John is a technical computer forensics expert, while Sharon provides the legal perspective on eDiscovery issues. Together, they are frequent speakers and authors on computer forensic issues.

As a lawyer, how did you get into the world of computer forensics? What is the role of an attorney within a computer forensics firm?

I stumbled into computer forensics along with my partner John Simek. Peter Greenspun, one of the leading criminal attorneys in Virginia, had a case in 1999 involving electronic evidence and he asked if we could help as experts. That case is still taught by the FBI. It got me thinking that Sensei should expand from information technology to computer forensics – and I knew it was a field that only a true scientist could excel in, so the wannabes of the world would not be able to truly compete. The role of an attorney is to stay up with the law and the cases and render expert advice to both clients and employees – and act as corporate counsel of course.

How has your blogging at Ride the Lightning influenced your legal career?

Within the context of Sensei, I operate as an expert, not as a lawyer, although I retain a separate law office. Certainly Ride the Lightning has helped Sensei’s marketing enormously, which ultimately helps to attract clients. I was honored when RTL was named to the American Bar Association’s Blawg 100 for the second year in a row and also when the Library of Congress asked my permission to archive it and to make it available to scholars and researchers. And it is just plain fun writing it!

Have lawyers begun to grapple with social media issues or are many still in denial?

There are still some lawyers in denial but their numbers are declining. In fact, I organize a lot of CLEs and many of the social media sessions are standing room only. Many lawyers want to learn how to use social media and how to avoid the ethical pitfalls. Things simply go viral in this new e-world. It is amazing how far social media (which includes blogs) extends your reach. Blogs, in particular, tend to attract reporters, which can be really helpful to marketing a law practice.

I believe you are involved in a lot of family law cases and disputes involving individuals. How has social media changed these cases?

It’s a veritable gold mine. People are unbelievably foolish in what they put online. We had a case where the husband was discussing his latest hookup with his lover on his Facebook page. He knew his wife was not his “friend”, but he had forgotten that a mutual acquaintance was his friend and she simply printed out all his postings. It’s not just family law though – social media is particularly helpful in personal injury cases where the Plaintiff who is “wholly disabled” is using a chain saw and dancing a jig (and yes, that’s from a real case). I almost can’t think of an area of law where social media isn’t a treasure trove – law enforcement has wholly embraced it as evidence against criminals who post astonishing admissions online.

As people increasingly live their lives online, do digital records ever really go away? Are we going to be followed around by our digital selves forever?

Some digital records will certainly go away – the problem is that you’ll never know which ones. People forward your communications or preserve them for their own reasons. Your business competitor may be archiving your website and anything that is open on your social media sites. Social media sites let you deactivate your account or delete posts, but that doesn’t help if someone else already has the information. And, indeed, it does not appear that social media sites truly delete your information since law enforcement has been known to get data that was supposedly no longer online. Trusting social media sites to respect your privacy is foolhardy. The only privacy we have is in the sheer volume of data out there – but once someone lasers in on you, your privacy is gone.

On Ride the Lightning, you discuss sanctions and electronic evidence blunders. Is there a common reason why lawyers make mistakes with digital evidence? What are the keys to making the profession smarter about handling computer records?

Education is the key, and we’re slowly getting there, but it is very slow. Most lawyers are technophobic and find it difficult to understand electronic evidence. They really need to call in well-qualified experts early on – that saves the most money because good experts won’t let you spend your money foolishly. As an example, an order to “preserve everything” is nonsensical, but we hear it all the time. If the attorneys on both sides are reasonable and they have good experts, it’s amazing how fast they can come to a strategy that saves everyone time and money. And for heaven’s sake, why not go after the low-hanging fruit first? That might cause the case to settle early before vast sums of money have been expended. You can always go back and do more digging if necessary.

How have you and husband John Simek managed to make a career out of computer forensics and eDiscovery? You seem to be busy with speaking and professional engagements- how do you make it work?

That’s the new world – our offices are in our laptops, so we carry our offices with us as we travel. There is very little that we cannot do remotely. We have fine-tuned the art of entering a hotel room and bringing up the laptops while unpacking our suitcases. People ask us all the time how a husband and wife can run a business and not make each other crazy. We really have a bright line – John makes the technical decisions and I make the legal, business and marketing decisions. We talk across that line, but we respect the line. It works for us – that and being in love of course. We always say that we get paid to play – we don’t know anyone who enjoys coming to work as much as we do. The word retirement is anathema to both of us!

Thanks, Sharon, for participating in the interview!

And to the readers, as always, please share any comments you might have or if you’d like to know more about a particular topic!

eDiscovery Case Law: Lilly Fails to Meet its eDiscovery Burden, Sanctions Ordered

In Nacco Materials Handling Group, Inc. v. Lilly Co., No. 11-2415 AV, (W.D. Tenn. Nov. 16, 2011), the court required the defendant to bear the costs of discovery where its preservation and collection efforts were “woefully inadequate.” Parties must cooperate and voluntarily preserve, search for, and collect ESI to avoid the imposition of sanctions.

In this case, Nacco, a manufacturer and seller of lift trucks and aftermarket parts, accused Lilly, a former Nacco dealer, of illegally accessing its proprietary, password-secured website on over 40,000 occasions. Nacco asserted a host of claims, including violations of the Computer Fraud and Abuse Act, computer trespass, misappropriation of trade secrets, tortious interference with contract and business relations, and tortious interference with prospective economic advantage.

Nacco filed a motion seeking expedited discovery so that its forensic expert could search Lilly’s computers and determine which computers accessed Nacco’s proprietary information. The expert turned up evidence of inappropriate access on 17 of the 35 computers he examined.

As discovery continued, Nacco also requested the deposition of a 30(b)(6) witness. However, the witness Lilly offered was unprepared to answer questions on the topics outlined in the deposition notice. Based on the witness’s statements in the deposition and evidence found during the forensic examination, Nacco filed a motion to prevent the further spoliation of evidence and sought sanctions.

The court decided that Lilly’s attempts to preserve evidence were “woefully inadequate.” The company “failed to take reasonable steps to preserve, search for, and collect potentially relevant information, particularly electronic data, after its duty to preserve evidence was triggered by being served with the complaint.” Specifically, U.S. Magistrate Judge Diane Vescovo found that the company “failed to timely issue an effective written litigation hold, to take appropriate steps to preserve any existing electronic records, to suspend or alter automatic delete features and routine overwriting features, and to timely and effectively collect ESI.”

The court explained that Lilly sent the litigation hold to seven of its 160 employees without adequate instructions—and the seven did not include the “key players” to the litigation. The company made no further efforts to prevent the deletion of e-mail, data, or backup tapes. Finally, the company apparently “left collection efforts to its employees to search their own computers with no supervision or oversight from management. Lilly did not follow up with its employees to determine what efforts were taken to preserve and collect relevant evidence, and Lilly failed to document any of its search and collection efforts.” Therefore, the court found that Lilly breached its duty to preserve relevant evidence.

After finding the company negligent, the court imposed sanctions against Lilly that included the expense of additional discovery, including the cost of a second 30(b)(6) deposition, the forensic examinations and imaging already complete, the costs of additional analysis of computers of the nine employees who accessed Nacco’s website, and the costs of imaging the computers in its service department. In addition, the court ordered Lilly to pay monetary sanctions equal to plaintiff’s reasonable costs, including attorney’s fees, in bringing the motion.

Finally, the court ordered Lilly to provide an affidavit describing its preservation and collection efforts and certifying that it had suspended its automatic delete functions and preserved backup tapes.

So, what do you think?  Were the sanctions justified? If so, did the court go far enough?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case Summary Source: Applied Discovery (free subscription required).

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

eDiscovery Trends: John Simek

 

This is the third of our Holiday Thought Leader Interview series.  I interviewed several thought leaders to get their perspectives on various eDiscovery topics.

Today’s thought leader is John Simek. John is the Vice President of Sensei Enterprises, a computer forensics firm in Fairfax, Va, where he has worked since 1997. He is an EnCase Certified Examiner and is a nationally known testifying expert in computer forensic issues. Together with his wife, Sharon Nelson, John has become a frequent speaker on eDiscovery topics and digital forensic issues. We have also interviewed Sharon, who serves as Sensei’s President, for this series, and her interview will appear this coming Wednesday.

You have been a forensic examiner for a long time. How has the business changed over that time? How much does the rate of change in computer technology make your job difficult? Has social media and mobile technology changed the nature of your work and the evidence in play?

Certainly the technology changes present a challenge for any forensic examiner. We are constantly investing in training and tools to deal with the changing landscape. Social media investigations and mobile devices are explosive forms of evidence for many of our cases. The constant changes in smartphones mean we must have dozens of tools to extract data from iPads, Androids, BlackBerrys, iPhones, tablets and other mobile devices. Access to social media data varies as well. Some is readily available in the public areas, some may reside on the actual computer used to access the social media sites and some data may be held by the providers themselves, where the user has no clue it is being collected.

There have been several cases of law firms and EDD providers suing each other of late. Why is there this seeming rise in conflict and how does it affect relationships in the industry?

I’ve only seen two such cases and they get ugly really quick. I think the primary reason is lack of transparency and adequate communication. The client should always know what the anticipated costs and effort will be. Should scope change then a new estimate needs to be communicated. I think all too often the EDD providers launch out of the gate and the costs spiral out of control. Obviously, if you are one of those providers that ended up in court over fees or even inadequate or improper processing of ESI, your reputation will be forever spoiled.

There are a lot of certifications a forensic examiner can obtain. What is the value of certification? How should buyers of EDD services evaluate their forensic examiners?

Certifications are a good starting point, although I think they have lost their value over the last several years. Perhaps the tests are getting easier, but I’m seeing folks with forensic certifications that shouldn’t be trusted with a mouse in their hand. Don’t just look to forensic certifications either. Other technology (network, operating system, database, etc.) certifications are also valuable. Check CVs. Do they speak, write and have previous experiences testifying? One of the best methods of evaluation is referrals. Did they do a quality job? Were they on time? Did the costs fall within budget?

You’ve done a lot of work in family law cases. In cases where emotions are running high, how do you counsel clients? Is there a way to talk to people about proportionality when they are angry?

You’ve hit the nail on the head. There is very little logic in family law cases, especially when emotions are running high. I’ve lost count of the number of times we’ve told clients NOT to spend their money on continuing or even starting a forensic analysis. Some listen and some don’t. The exception is where there are issues pertaining to the welfare of any children. We had one case where dad was into BDSM and exhibiting similar behavior towards the children. Mom had no job and was extremely brutalized from the abuse over the years. We completed that case pro bono as it was the right thing to do. Dad lost custody and was ordered supervised visitation only.

There has been a lot of hype about EDD services for small firms. In your experience, is this becoming a reality? Can small and solo firms compete with large firms for more EDD cases?

Electronic evidence plays a part in more and more cases. There is a crying need for better tools and methods to review ESI in the smaller cases. Thankfully, some vendors are listening. Products like Digital Warroom and Nextpoint’s products are very affordable for the smaller cases and don’t require a large investment by the solo or small firm attorney. These are hosted solutions, which means you are using the cloud. Large firms are also using hosted solutions, but may use other vendor products depending on the type of data (e.g. foreign language) and/or volume.

You testify in a lot of cases as an expert witness. What are the reasons your services might be needed in this area? What are common reasons that forensic evidence is being challenged, and how can legal teams avoid being challenged?

The good news is that less than 10% of our cases end up going to trial. As we say in the forensic world, “The truth is the truth.” Once we have had a chance to analyze the evidence and report the findings, there are rarely any challenges. That’s what a forensic exam is all about- being repeatable. The opposing party’s examiner better find the same results. The challenge may come from the interpretation of the results. This is where experience and knowledge of the expert comes into play. Many of the forensic examiners today have never used a computer without a graphical interface. Remember the Casey Anthony case? I cringed when I heard the prosecution testimony about the activity surrounding the Internet searches. It failed the smell test in my mind, which ended up being true since the expert later admitted there was a problem with the software that was used.

Would you recommend a similar career path to young technologists? What do you like about being a forensic examiner?

Some universities are now offering degrees in Digital Forensics or some similar name. I’m not sure I would go the route of computer forensics as a baseline. I’m seeing more activity in what I would call digital investigations. This includes network forensics and dealing with cases such as data breaches. We are doing more and more of these types of exams. It’s sort of like following the data trail. Probably the single best thing about being a forensic examiner is getting to the truth. Since we also do criminal defense work, there are many times that we’ve had to call the attorney and tell them that their client needs a new story.

Thanks, John, for participating in the interview!

And to the readers, as always, please share any comments you might have or if you’d like to know more about a particular topic!

eDiscovery Best Practices: Production is the “Ringo” of the eDiscovery Phases

 

Since eDiscovery Daily debuted over 14 months ago, we’ve covered a lot of case law decisions related to eDiscovery.  65 posts related to case law to date, in fact.  We’ve covered cases associated with sanctions related to failure to preserve data, issues associated with incomplete collections, inadequate searching methodologies, and inadvertent disclosures of privileged documents, among other things.  We’ve noted that 80% of the costs associated with eDiscovery are in the Review phase and that volume of data and sources from which to retrieve it (including social media and “cloud” repositories) are growing exponentially.  Most of the “press” associated with eDiscovery ranges from the “left side of the EDRM model” (i.e., Information Management, Identification, Preservation, Collection) through the stages to prepare materials for production (i.e., Processing, Review and Analysis).

All of those phases lead to one inevitable stage in eDiscovery: Production.  Yet, few people talk about the actual production step.  If Preservation, Collection and Review are the “John”, “Paul” and “George” of the eDiscovery process, Production is “Ringo”.

It’s the final crucial step in the process, and if it’s not handled correctly, all of the due diligence spent in the earlier phases could mean nothing.  So, it’s important to plan for production up front and to apply a number of quality control (QC) checks to the actual production set to ensure that the production process goes as smoothly as possible.

Planning for Production Up Front

When discussing the production requirements with opposing counsel, it’s important to ensure that those requirements make sense, not only from a legal standpoint, but from a technical standpoint as well.  Involve support and IT personnel in the process of deciding those parameters, as they will be the people who have to meet them.  Issues to be addressed include, but are not limited to:

  • Format of production (e.g., paper, images or native files);
  • Organization of files (e.g., organized by custodian, legal issue, etc.);
  • Numbering scheme (e.g., Bates labels for images, sequential file names for native files);
  • Handling of confidential and privileged documents, including log requirements and stamps to be applied;
  • Handling of redactions;
  • Format and content of production log;
  • Production media (e.g., CD, DVD, portable hard drive, FTP, etc.).

I was involved in a case recently where opposing counsel was requesting an unusual production format where the names of the files would be the subject line of the emails being produced (for example, “Re: Completed Contract, dated 12/01/2011”).  Two issues with that approach: 1) The proposed format only addressed emails, and 2) Windows file names don’t support certain characters, such as colons (:) or slashes (/).  I provided that feedback to the attorneys so that they could address it with opposing counsel and hopefully agree on a revised format that made more sense.  So, let the tech folks confirm the feasibility of the production parameters.
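A feasibility check of the kind described above, as an added example that is not part of the original post: it tests a proposed "subject line as file name" scheme against Windows naming rules and also flags subjects that would collide on a case-insensitive file system. The `.msg` extension, the function names and every sample subject except the one quoted in the post are assumptions made for illustration.

```python
import re
from collections import Counter

# Characters Windows rejects in a file name, plus ASCII control characters.
INVALID_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')
# Device names Windows reserves, with or without an extension.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})
MAX_NAME = 255  # usual limit for a single path component on NTFS


def check_name(subject, ext=".msg"):
    """Return the reasons `subject + ext` cannot serve as a Windows file name."""
    problems = []
    bad = sorted(set(INVALID_CHARS.findall(subject)))
    if bad:
        problems.append("invalid characters: " + " ".join(repr(c) for c in bad))
    if not subject.strip():
        problems.append("empty subject")
    # The part before the first dot decides whether the name is reserved.
    if subject.split(".")[0].strip().upper() in RESERVED:
        problems.append("reserved device name")
    if len(subject + ext) > MAX_NAME:
        problems.append("name longer than %d characters" % MAX_NAME)
    return problems


def review_scheme(subjects, ext=".msg"):
    """Report unusable names and names that would overwrite each other."""
    unusable = {}
    for subject in subjects:
        problems = check_name(subject, ext)
        if problems:
            unusable[subject] = problems
    # Windows treats names that differ only by case as the same file.
    counts = Counter(s.casefold() for s in subjects)
    collisions = {name: n for name, n in counts.items() if n > 1}
    return {"unusable": unusable, "collisions": collisions}


# Constructed sample subjects; the first is the example quoted in the post.
SAMPLE_SUBJECTS = [
    "Re: Completed Contract, dated 12/01/2011",
    "Re: Completed Contract, dated 12/01/2011",  # second reply, same thread
    "Quarterly numbers",
    "quarterly numbers",
    "CON",
    "",
]

if __name__ == "__main__":
    report = review_scheme(SAMPLE_SUBJECTS)
    for subject, problems in report["unusable"].items():
        print(repr(subject), "->", "; ".join(problems))
    for name, n in report["collisions"].items():
        print(repr(name), "would be written", n, "times")
```
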

The workflow throughout the eDiscovery process should also keep in mind the end goal of meeting the agreed upon production requirements.  For example, if you’re producing native files with metadata, you may need to take appropriate steps to keep the metadata intact during the collection and review process so that the metadata is not inadvertently changed. For some file types, metadata is changed merely by opening the file, so it may be necessary to collect the files in a forensically sound manner and conduct review using copies of the files to keep the originals intact.
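One way to work from copies while keeping evidence that the originals stayed intact, as an added example that is not from the original post: it records a SHA-256 hash and modification time for each collected file, makes verified review copies, and can later report any original that has changed. The directory layout and function names are assumptions; it does not replace forensic imaging, and on some file systems reading a file to hash it updates its last-access time.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def make_review_copies(source_dir, review_dir):
    """Copy every collected file for review and return a manifest of the originals."""
    manifest = []
    for root, dirs, files in os.walk(source_dir):
        dirs.sort()  # deterministic manifest order
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, source_dir)
            info = os.stat(src)
            digest = sha256_file(src)
            dst = os.path.join(review_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 also carries over the modification time
            if sha256_file(dst) != digest:
                raise IOError("copy of %s does not match the original" % rel)
            manifest.append({"path": rel, "sha256": digest,
                             "size": info.st_size, "mtime_ns": info.st_mtime_ns})
    return manifest


def verify_originals(source_dir, manifest):
    """Return the relative paths whose content or modification time has changed."""
    changed = []
    for entry in manifest:
        path = os.path.join(source_dir, entry["path"])
        info = os.stat(path)
        if (sha256_file(path) != entry["sha256"]
                or info.st_mtime_ns != entry["mtime_ns"]):
            changed.append(entry["path"])
    return changed


def demo():
    """Constructed walk-through: edit the review copy, then the original."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "collected")
        rev = os.path.join(tmp, "review")
        os.makedirs(os.path.join(src, "custodian_a"))
        original = os.path.join(src, "custodian_a", "memo.txt")
        with open(original, "w") as handle:
            handle.write("constructed sample document\n")
        manifest = make_review_copies(src, rev)
        # A reviewer annotating the working copy leaves the original alone.
        with open(os.path.join(rev, "custodian_a", "memo.txt"), "a") as handle:
            handle.write("reviewer note\n")
        after_review = verify_originals(src, manifest)
        # Saving over the original is what the manifest is there to catch.
        with open(original, "a") as handle:
            handle.write("accidental save\n")
        after_accident = verify_originals(src, manifest)
        return after_review, after_accident


if __name__ == "__main__":
    print(demo())
```
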

Tomorrow, we will talk about preparing the production set and performing QC checks to ensure that the ESI being produced to the requesting party is complete and accurate.

So, what do you think?  Have you had issues with production planning in your cases?  Please share any comments you might have or if you’d like to know more about a particular topic.

eDiscovery Trends: Potential ESI Sources Abound in Penn State Case

 

Whether you’re a college football fan or not, chances are you’ve heard about the scandal associated with the allegations of serial child abuse by former Penn State football coach Jerry Sandusky.  There seem to be new developments almost daily, and the scandal has already cost the jobs of the university president, vice president, athletic director and the head football coach, Joe Paterno, who had been head coach since 1965 and on the coaching staff since 1950 (most of us weren’t even born yet!).  Numerous lawsuits seem highly likely to arise as a result of the alleged abuse against a variety of defendants, including the university, individuals alleged to be involved in the abuse and cover-up and also the Second Mile Foundation founded by Sandusky.

Seth Row, an attorney with Parsons Farnell & Grein LLP in Portland (OR), has written an article published on the Association of Certified eDiscovery Specialists (ACEDS) web site detailing potential sources of ESI that may be relevant in the case.  The article illustrates the wide variety of sources that might be responsive to the litigation.  Here are some of the sources cited by Row:

  • Videotape of entry and exit from the athletic facilities at Penn State, to which Paterno gave Sandusky access after the latter resigned in 1999;
  • Entry/exit logs, which are likely housed in a database if keycards were used, for the Lasch Football Building, where abuse was allegedly witnessed;
  • Phone records of incoming and outgoing calls;
  • Electronic rosters of football players, coaches, staff, student interns, and volunteers affiliated with the Penn State football program over time;
  • The personal records of these individuals, including telephone logs, internet search histories, email accounts, medical and financial records, and related information created over time;
  • University listservs;
  • Internet forums – a New York Times article reported last week that a critical break in the investigation came via a posting on the Internet, mentioning that a Penn State football coach might have seen something ugly, but kept silent;
  • Maintenance logs maintained by the two custodial employees who allegedly witnessed abuse;
  • Identities of all media beat reporters who covered the Penn State football team;
  • Passenger and crew manifests for all chartered flights of the Penn State football team in which Sandusky was a passenger;
  • Sandusky's credit card records to document meals and outings where he may have been accompanied by victims, and records of gifts he purchased for them;
  • All records of the Second Mile Foundation identifying boys who participated in its programs, as well as the names of donors and officers, directors and staff;
  • Paper record equivalents of this ESI that were produced in the 1990s before electronic recordkeeping became prevalent;
  • All electronic storage and computing devices owned or maintained by Sandusky, Paterno and other central figures in the scandal, including cell phones, personal computers, tablet computers, flash drives, and related hardware.

With such a wide variation of potential custodians and time frames, it will be difficult to quickly narrow down the potential ESI sources.  As the author points out, it seems likely that Penn State has already locked down its records retention policies throughout the university.  They certainly would seem to have a reasonable expectation of litigation.  Investigators and attorneys will likely be racing against time to identify as many other parties as possible with potentially responsive ESI.

So, what do you think?  Have you been involved in litigation with such a wide distribution of potentially responsive ESI?  Please share any comments you might have or if you’d like to know more about a particular topic.

eDiscovery Best Practices: Data Mapping Doesn’t Have to be Complicated

 

Some time ago, we talked about the importance of preparing a data map of your organization’s data to be ready when litigation strikes.

Back then, we talked about four steps to create and maintain an effective data map, including:

  • Obtain early “buy-in” from various departments throughout the organization;
  • Document and educate to develop logical and comprehensive practices for managing data;
  • Communicate regularly so that new data stores (or changes to existing ones) can be addressed as they occur;
  • Update periodically to keep up with changes in technology that create new data sources.

The data map itself doesn’t have to be complicated.  It can be as simple as a spreadsheet (or series of spreadsheets, one for each department or custodian, depending on what level of information is likely to be requested).  Here are examples of types of information that you might see in a typical data map spreadsheet:

  • Type of Data: Prepare a list and continue to add to it to ensure all of the types of data are considered.  These can include email, work product documents, voice mail, databases, web site, social media content, hard copy documents, and any other type of data in use within your organization.
  • Department/Custodian: A data map is no good unless you identify the department or custodian responsible for the data.  Some of these may be kept by IT (e.g., Exchange servers for the entire organization) while others could be down to the individual level (e.g., Access databases kept on an individual’s laptop).
  • Storage Classification: The method(s) by which the data is stored by the department or custodian is important to track.  You’ll typically have Online, Nearline, Offline and Inaccessible Data.  A type of data can apply to multiple or even all storage classifications.  For example, email can be stored Online in Exchange servers, Nearline in an email archiving system, Offline in backup tapes and Inaccessible in a legacy format.  Therefore, you’ll need a column in your spreadsheet for each storage classification.
  • Retention Policy: Track the normal retention policy for each type of data stored by each department or custodian (e.g., retain email for 5 years).  While a spreadsheet won’t automatically identify when specific data is “expired”, a regular process of looking for data older than the retention time period will enable your organization to purge “expired” data.
  • Litigation Hold Applied: Purging “expired” data does not apply, of course, if that data is subject to an active litigation hold.  If so, you’ll want to identify the case(s) for which the hold is applied and be prepared to update the list to remove those cases once the hold obligation is released.  If all holds are released on normally “expired” data and no additional hold obligations are expected, that may be the opportunity to purge that data.
  • Last Update Date: It’s always a good idea to keep track of when the information in the data map was last updated.  If it’s been a while since that last update, it might be time to coordinate with that department or custodian to bring their portion of the data map current.

As you see, a fairly simple 9 or 10 column spreadsheet might be all you need to start gathering information about the data stores in your organization.
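As an added illustration (not part of the original post), the sketch below reads a data map exported as CSV and applies the retention, litigation hold and last-update logic described above. The column names, the `oldest_record` column, the one-row-per-storage-classification layout and all sample rows are assumptions constructed for the example.

```python
import csv
import io
from datetime import date

# Constructed sample data map; column names and values are invented for illustration.
SAMPLE_DATA_MAP = """\
type_of_data,custodian,storage,retention_years,oldest_record,litigation_holds,last_update
Email,IT,Online,5,2004-03-01,,2011-09-15
Email,IT,Offline,5,2003-01-10,Case A;Case B,2011-09-15
Voice mail,Sales,Online,1,2011-02-01,,2010-01-20
Access database,J. Smith,Online,7,2001-06-30,,2011-10-01
"""


def add_years(d, years):
    """Return d shifted forward by whole years (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def review_data_map(csv_text, today, stale_after_days=365):
    """Classify each row as 'purge', 'held' or 'retain', and flag stale entries."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        holds = [h.strip() for h in row["litigation_holds"].split(";") if h.strip()]
        oldest = date.fromisoformat(row["oldest_record"])
        expired = add_years(oldest, int(row["retention_years"])) < today
        if expired and holds:
            status = "held"      # past retention, but an active hold blocks purging
        elif expired:
            status = "purge"     # past retention and no hold recorded
        else:
            status = "retain"    # still inside the normal retention period
        last_update = date.fromisoformat(row["last_update"])
        results.append({
            "data": row["type_of_data"],
            "custodian": row["custodian"],
            "storage": row["storage"],
            "status": status,
            "holds": holds,
            # A stale entry means the custodian should be asked to refresh it.
            "stale": (today - last_update).days > stale_after_days,
        })
    return results


if __name__ == "__main__":
    for entry in review_data_map(SAMPLE_DATA_MAP, date(2011, 11, 11)):
        print(entry)
```

A row reported as `purge` is only a candidate: the result is as reliable as the hold column, which is why stale rows are flagged for follow-up before anything is deleted.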

So, what do you think?  Has your organization implemented a data mapping program?  If not, why not? Please share any comments you might have or if you’d like to know more about a particular topic.

eDiscovery 101: Simply Deleting a File Doesn’t Mean It’s Gone

 

This subject came up recently in discussion with one of my clients and since he was confused as to what happens when a file is deleted, I thought it would be worthwhile to discuss the topic on the blog.

Disk drives use an index or table to keep track of where each file begins and ends on the disk.  You may have heard terms such as “FAT” (file allocation table) or NTFS ({Windows} NT File System) – these filing systems enable the file to be retrieved quickly on the drive.  They’re like a “directory” of all of the active files on the disk.  When a file is “deleted” (i.e., actually deleted, not just moved to the Recycle Bin), the data for that file isn’t actually removed from the disk (in most cases).  Instead, the entry pertaining to it is removed from the filing system.  As a result, the area on the disk where the actual data is located becomes unallocated space.

Unallocated space, also known as inactive data or drive free space, is the area of the drive not allocated to active data. On a Windows machine, deleted data is not actually destroyed; instead, the space it occupies on the drive becomes available for reuse to store new information. Until the unallocated space is overwritten with new data, the old data remains.  This data can be retrieved (in most cases) using forensic techniques. On Mac OS 10.5 and higher, there is an application that overwrites sectors when a file is deleted. This process more securely destroys data, but even then it may be possible to recover data out of unallocated space.

Because the unallocated space on a hard drive or server is that portion of the storage space to which data may be saved, it is also where many applications “temporarily” store files when they are in use. For instance, temporary Internet files are created when a user visits a web page, and these pages may be “cached” or temporarily stored in the unallocated space.  Rebooting a workstation or server can also clear some data from the unallocated space on its drive.

Since computers are dynamic and any computer operation may write data to the drive, it is nearly impossible to preserve data in the unallocated space on the hard drive and that data is not accessible without special software tools. To preserve data from the unallocated space of a hard drive, the data must be forensically collected, which basically copies the entire drive’s contents, including every sector (whether those sectors contain active data or not). Even then, data in the unallocated space may not be complete. Because the unallocated space is used to store new data, writing a new file may overwrite part of a deleted file, leaving only part of that file in the unallocated space.

Nonetheless, “deleted” files have been recovered, collected and produced in numerous lawsuits, despite efforts of some producing parties to destroy that evidence.
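The behavior described above can be seen in a toy model, added here as an illustration and not taken from the original post. `ToyDisk`, its 8-byte clusters and the sample file contents are constructed for the example and do not reproduce FAT or NTFS on-disk structures.

```python
CLUSTER = 8  # bytes per cluster in this toy model (an assumption, far smaller than real disks)


class ToyDisk:
    """Raw clusters plus a table mapping each active file name to its clusters."""

    def __init__(self, n_clusters):
        self.n = n_clusters
        self.data = bytearray(n_clusters * CLUSTER)
        self.table = {}  # the "directory" of active files

    def allocated(self):
        return {c for clusters in self.table.values() for c in clusters}

    def write(self, name, content):
        """Store content in the lowest-numbered free clusters, overwriting old bytes."""
        need = -(-len(content) // CLUSTER)  # ceiling division
        used = self.allocated()
        free = [c for c in range(self.n) if c not in used][:need]
        if len(free) < need:
            raise OSError("disk full")
        for i, c in enumerate(free):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = free

    def delete(self, name):
        """Remove only the table entry; the clusters themselves are not wiped."""
        del self.table[name]

    def unallocated_bytes(self):
        """Free-space contents as a sector-by-sector forensic copy would capture them."""
        used = self.allocated()
        return b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                        for c in range(self.n) if c not in used)


def demo():
    disk = ToyDisk(8)
    disk.write("memo.txt", b"Q3 draft: do not forward")  # 24 bytes, clusters 0-2
    disk.delete("memo.txt")
    after_delete = disk.unallocated_bytes()  # the whole memo is still on disk
    disk.write("new.txt", b"lunch menu")     # 10 bytes, reuses clusters 0-1
    after_reuse = disk.unallocated_bytes()   # only the memo's last cluster survives
    return after_delete, after_reuse


if __name__ == "__main__":
    for label, blob in zip(("after delete", "after reuse"), demo()):
        print(label, blob.rstrip(b"\x00"))
```

After the delete, the full memo is still readable from free space; after the new file is written, only the fragment in the untouched cluster remains, which is the partial-recovery case described above.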

So, what do you think?  Have you ever recovered deleted data that was relevant to litigation?  Please share any comments you might have or if you’d like to know more about a particular topic.

eDiscovery Case Law: KPMG Denied in Request for “Proportionality Test” to Preservation

In Pippins v. KPMG LLP, No. 11 Civ. 0377 (CM)(JLC), (S.D.N.Y. Oct. 7, 2011), defendant’s request for a protective order allowing it to maintain only a random sample of 100 hard drives from 2,500 laptops or to require plaintiffs to bear the cost of maintaining 2,500 hard drives was denied.

It was not shown that information on the hard drives was duplicative, and it was too early in the litigation to know whether the cost of maintaining the hard drives was proportional to plaintiffs’ potential recovery. In an action concerning whether accountants should be considered exempt employees under the Fair Labor Standards Act, defendant sought an order allowing it to preserve only a random sample of 100 hard drives from laptops of former and departing accountant employees. Defendant already was preserving almost 2,500 such hard drives at a cost of $1.5 million. As an alternative, defendant sought an order requiring plaintiffs to bear the cost of maintaining more than 100 of the hard drives.

Plaintiffs were willing to use sampling to lessen the number of hard drives but contended that a random sample of the hard drives would not be a meaningful sample. Plaintiffs also contended that keyword searching of the random samples suggested by defendant was outmoded and not likely to cull out information sought by plaintiffs, including work product and hours worked by defendant’s accountant associates. Plaintiffs sought an order requiring production of five of the hard drives for inspection so that the parties could negotiate a resolution to the hard drive preservation issue. The court denied defendant’s motion for a protective order and directed defendant to preserve hard drives of members of the New York class that plaintiffs sought to represent.

While the court considered defendant’s preservation efforts “comprehensive,” it did not appear that other information being preserved duplicated information on the hard drives. Also, the cost of preserving the hard drives could be substantial but it was too early to know whether that cost would be proportional to the value of the litigation. The court added that courts in the Southern District of New York “have cautioned against the application of a proportionality test as it relates to preservation.” While the court would not order defendant to provide plaintiffs with five sample hard drives, it encouraged the parties to seek agreement on sampling pending a ruling on class certification and a lifting of the stay of discovery in the action.

So, what do you think?  Do proportionality and preservation mix?  Please share any comments you might have or if you’d like to know more about a particular topic.

Case Summary Source: Applied Discovery (free subscription required).  For eDiscovery news and best practices, check out the Applied Discovery Blog here.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine Discovery. eDiscoveryDaily is made available by CloudNine Discovery solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscoveryDaily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

eDiscovery Rewind: Eleven for 11-11-11

 

Since today is one of only 12 days this century where the month, day and year are the same two-digit numbers (not to mention the biggest day for “craps” players to hit Las Vegas since July 7, 2007!), it seems an appropriate time to look back at some of our recent topics.  So, in case you missed them, here are eleven of our recent posts that cover topics that hopefully make eDiscovery less of a “gamble” for you!

eDiscovery Best Practices: Testing Your Search Using Sampling: On April 1, we talked about how to determine an appropriate sample size to test your search results as well as the items NOT retrieved by the search, using a site that provides a sample size calculator. On April 4, we talked about how to make sure the sample set is randomly selected. In this post, we’ll walk through an example of how you can test and refine a search using sampling.

eDiscovery Best Practices: Your ESI Collection May Be Larger Than You Think: Here’s a sample scenario: You identify custodians relevant to the case and collect files from each. Roughly 100 gigabytes (GB) of Microsoft Outlook email PST files and loose “efiles” is collected in total from the custodians. You identify a vendor to process the files to load into a review tool, so that you can perform first pass review and, eventually, linear review and produce the files to opposing counsel. After processing, the vendor sends you a bill – and they’ve charged you to process over 200 GB!! What happened?!?

eDiscovery Trends: Why Predictive Coding is a Hot Topic: Last month, we considered a recent article about the use of predictive coding in litigation by Judge Andrew Peck, United States magistrate judge for the Southern District of New York. The piece has prompted a lot of discussion in the profession. While most of the analysis centered on how much lawyers can rely on predictive coding technology in litigation, there were some deeper musings as well.

eDiscovery Best Practices: Does Anybody Really Know What Time It Is?: Does anybody really know what time it is? Does anybody really care? OK, it’s an old song by Chicago (back then, they were known as the Chicago Transit Authority). But, the question of what time it really is has a significant effect on how eDiscovery is handled.

eDiscovery Best Practices: Message Thread Review Saves Costs and Improves Consistency: Insanity is doing the same thing over and over again and expecting a different result. But, in ESI review, it can be even worse when you get a different result. Most email messages are part of a larger discussion, which could be just between two parties, or include a number of parties in the discussion. To review each email in the discussion thread would result in much of the same information being reviewed over and over again. Instead, message thread analysis pulls those messages together and enables them to be reviewed as an entire discussion.

eDiscovery Best Practices: When Collecting, Image is Not Always Everything: There was a commercial in the early 1990s for Canon cameras in which tennis player Andre Agassi uttered the quote that would haunt him for most of his early career – “Image is everything.” When it comes to eDiscovery preservation and collection, there are times when “Image is everything”, as in a forensic “image” of the media is necessary to preserve all potentially responsive ESI. However, forensic imaging of media is usually not necessary for Discovery purposes.

eDiscovery Trends: If You Use Auto-Delete, Know When to Turn It Off: Federal Rule of Civil Procedure 37(f), adopted in 2006, is known as the “safe harbor” rule. While it’s not always clear to what extent “safe harbor” protection extends, one case from a few years ago, Disability Rights Council of Greater Washington v. Washington Metrop. Trans. Auth., D.D.C. June 2007, seemed to indicate where it does NOT extend – auto-deletion of emails.

eDiscovery Best Practices: Checking for Malware is the First Step to eDiscovery Processing: A little over a month ago, I noted that we hadn’t missed a (business) day yet in publishing a post for the blog. That streak almost came to an end back in May. As I often do in the early mornings before getting ready for work, I spent some time searching for articles to read and identifying potential blog topics and found a link on a site related to “New Federal Rules”. Curious, I clicked on it and…up popped a pop-up window from our virus checking software (AVG Anti-Virus, or so I thought) that the site had found a file containing a “trojan horse” program. The odd thing about the pop-up window is that there was no “Fix” button to fix the trojan horse. So, I chose the best available option to move it to the vault. Then, all hell broke loose.

eDiscovery Trends: An Insufficient Password Will Thwart Even The Most Secure Site: Several months ago, we talked about how most litigators have come to accept that Software-as-a-Service (SaaS) systems are secure. However, according to a recent study by the Ponemon Institute, the chance of any business being hacked in the next 12 months is a “statistical certainty”. No matter how secure a system is, whether it’s local to your office or stored in the “cloud”, an insufficient password that can be easily guessed can allow hackers to get in and steal your data.

eDiscovery Trends: Social Media Lessons Learned Through Football: The NFL Football season began back in September with the kick-off game pitting the last two Super Bowl winners – the New Orleans Saints and the Green Bay Packers – against each other to start the season. An incident associated with my team – the Houston Texans – recently illustrated the issues associated with employees’ use of social media sites, which are being faced by every organization these days and can have eDiscovery impact as social media content has been ruled discoverable in many cases across the country.

eDiscovery Strategy: "Command" Model of eDiscovery Must Make Way for Collaboration: In her article "E-Discovery 'Command' Culture Must Collapse" (via Law Technology News), Monica Bay discusses the old “command” style of eDiscovery, with a senior partner leading his “troops” like General George Patton – a model that summit speakers agree is "doomed to failure" – and reports on the findings put forward by judges and litigators that the time has come for true collaboration.

So, what do you think?  Did you learn something from one of these topics?  If so, which one?  Please share any comments you might have or if you’d like to know more about a particular topic.

eDiscoveryDaily would like to thank all veterans and the men and women serving in our armed forces for the sacrifices you make for our country.  Thanks to all of you and your families and have a happy and safe Veterans Day!