Part I of this article appears in the May 2004 issue of The Metropolitan Corporate Counsel.Once all relevant internal electronic data is protected from destruction or alteration, the next step is to clearly define the scope of the data gathering project both internally and from the adversary. Not everything saved will necessarily need to be produced. Therefore, an examination of the boundaries of the universe of electronic information that is relevant needs to be defined. For example, what individuals, departments, period of time, topic, or job function are the targets? Will deleted files need to be produced? Will back-up tapes need to be restored? If so, are periodic snapshots acceptable? In what form must the documents be produced? Will outside help, in the form of a computer forensic expert be required?
Accumulating Internal E-Data For Offensive And Defensive Use
The use of disparate technologies, the existence of electronic data in multiple geographic locations and the fact that employees have differing access to information services are further complications to be addressed. They require creation of a diagram of the layout of the information services which shows how the relevant data resides organization-wide. Accomplishing this requires exploring such things as the types of electronic mail servers deployed, the policies governing the life of an email, any size limitations on mailboxes, the types of file servers, whether users have home directories and where they are, whether there are shared folders and, if so, where they are and how they are shared (by department, job function, geography).
When the plan is complete, it should be reviewed by a professional to insure that it is comprehensive and forensically sound. Maintaining evidentiary integrity is critical. That means integrity of the original data as well as the metadata. Beware of copy tools that make changes to file dates and other data unless proper precautions are taken. In this regard, it is critical that a chain of custody be tracked throughout the process. It should include the time and date of each procedure, the nature of the procedure, who conducted it, its outcome and any problems that were encountered, and when the data was secured. Keeping this in mind, finding the balance between the need to obtain admissible electronic data and the desire to contain costs can be a delicate one. It is critical, however, to remember that the electronic evidence obtained must be authenticated in court. If it cannot, whatever was expended was wasted.
Finally, new technologies and techniques are now available to assist in conducting comprehensive privilege reviews. They allow thousands of documents to be sorted to identify those subject to privilege, making a "bullet-proof" privilege review within reach.
Requesting And Obtaining Data From An Adversary
Developing a strategy for targeting an adversary's relevant electronic information is critical and should occur early in litigation. In doing so, you must remember that electronic discovery is a two-way street. You will probably be served with the same type of requests you serve yourself. As a result, electronic discovery can be very expensive and very invasive. Therefore, while the relative importance and goals of electronic discovery should be evaluated at the outset of a case, they should be continually reevaluated as the litigation progresses always keeping in mind the risks of exposing your own electronic information, before seeking such discovery from your adversary.
Generally, implementing the strategy begins with sending a warning/preservation letter to the adversary, putting him or her on notice that certain electronic evidence is considered relevant. Its purpose should be to prevent the intentional or unintentional destruction of electronic information relevant to the case. Where litigation has not yet been initiated, it may be sent with initial correspondence with the adversary. On the other hand, where litigation has already commenced, it is generally wise to send it no later than along with initial interrogatories and document requests or the initial pleading. The letter should notify the other side, in bold, large font, that they are required to initiate immediate procedures to assure that they, and everyone over whom they possess control, are aware of their duty to preserve, maintain and protect all paper and electronic data. The letter should remind them that failure to comply could result in sanctions and should advise them to consult with an attorney.
The initial discovery demands should be aimed at identifying the components of the adversary's relevant electronic universe. As a preliminary matter, they should be amended to incorporate the special issues inherent in the production of electronic data. For example, they should request that electronic data be produced in a specified data format (e.g., ASCII, Microsoft Word) and physical media (e.g., CD-ROM, diskette) or with any software that will be required to review and access data and to produce in another format. It is important that electronic data be produced electronically because printouts of electronic files do not preserve all the relevant information in the files. In addition, producing information in electronic form dramatically reduces the costs of copying, producing and utilizing the material, including allowing for full text searches. Finally, the data should be produced in read-only media such as write-once compact disks. This practice is advantageous because it provides a unique identifier for each document (i.e., the path and file name). It also helps to avoid any future claim that the data was altered after it was produced, enhances the ability to show the chain of custody and to provide testimony regarding authenticity and thereby increases the odds that the data will be admissible at trial.
Substantively, initial discovery - whether by way of written discovery or deposition - should be targeted to obtain an inventory of the adversary's network and how it is configured. It focuses on such issues as how many desktop/laptops are connected to the network, who has them, what operating system is installed, whether employees use home computers for business purposes, how they connect to the office, whether the company's network allows access to the internet and, if so, how, what hardware and software are involved, whether there is a firewall and whether it logs network traffic. The discovery may also target detailed information about the network servers (file, application, print, database, email and/or others), their types, locations, operating system, how stored data is organized, and what data is stored.
The location of the types of data that are relevant to the case may be explored (e.g., application software, word processing, desktop publishing, spreadsheets, databases, accounting and inventory, enterprise software, email). It may inquire about the use of various storage devices (e.g., hard drives, floppy disks, ZIP disks, back-up tapes, compact discs and DVDs, palm pilots) and their location, file servers, file names, document management software, file types, limitations, data retention, and back-ups. It should identify the adversary's document retention and management policies. Email addresses and internet services used by target personnel during the relevant period should be identified. It should seek a description of the procedure used for backing-up (including the schedule, type of back-up medium, rotation of medium used, location of back-up medium and custodian of back-up medium).
Discovery requests should also seek a description of the procedures and processes used to search for and produce the documents and things responsive to the interrogatories and document requests themselves and should request identification of all efforts made to locate and produce electronically stored evidence including whether individual computers, network servers, email accounts, back-up tapes and/or archived email were searched. Finally, it should seek the identities of all persons managing the computer network or employed by the Management Information System (MIS) department. Throughout the process of seeking and producing electronic discovery, it is critical that there be ongoing consultation between the client and lawyer to develop a strategy for collecting, analyzing and processing data.
Overview Of Expert Help
Electronic evidence is fragile so preservation can be critical. A forensic expert can preserve the status quo, reconstruct deleted information, determine whether a user wiped, cleaned-up or defragmented his or her hard drive, and retrieve data that answers new questions that arise. Moreover, a forensic expert can help ensure that no evidence is damaged, no viruses are introduced, extracted data is protected and a proper chain of custody is maintained.
Forensic consultants can recover active data (data that was accessible to the particular user working with the computer), recovered data (files and directories recovered after being deleted from the active data) and unused data ("free space" or unallocated portions of the hard drive which contains files that are free because they were never used or because information previously contained there was deleted). In other words, deleted documents may often be recovered in whole or in fragments by one properly trained. This is particularly important in data destruction cases, because it may permit the recovery of deleted material.
In addition to retrieving files, forensic consultants can often determine whether computer evidence was tampered with, altered, damaged or removed. They can examine hidden information associated with recovered files (including deleted data or data from inactive or unused storage areas) and provide a historical ledger of the content of the files. Computer files often contain hidden or embedded information such as hidden columns on spreadsheets that show up on electronic, but not on printed versions, and a "bcc" field on an email. They also contain metadata which can provide the blueprint of a backdated document or reveal improper attempts to delete relevant information. Forensic experts, using specialized programs, can document destructive actions as well as unauthorized access, copying, downloading, printing or emailing (which are of particular interest where theft of trade secrets is at issue). They can provide critical evidence to authenticate documents and emails and to detect the faking of electronic evidence. Computer forensic engineers can also provide invaluable support by customizing reports about the data, providing information during the course of the litigation and providing expert testimony at trial.
Used properly, electronic discovery is a remarkably powerful tool. Experienced counsel and experts can help their clients enjoy it and protect against its many inherent dangers.
Published June 1, 2004.
