e-discovery

Do organizations really have formal information disposal processes…I think NOT!

Bill Tolson eDiscovery, Information Management, records retention, Technology , , , , , , , , , , ,

Do organizations really have formal information disposal processes…I think NOT!

Do organizations regularly dispose of information in a systematic, documented manner? If the answer is “sure we do”, do they do it via a standardized and documented process or “just leave it to the employees”?

If they don’t…who cares – storage is cheap!

When I ask customers if they have a formal information disposal process, 70 to 80 percent of the time the customer will answer “yes” but when pressed on their actual process, I almost always hear one of the following:

1.    We have mailbox limits, so employees have to delete emails when they reach their mailbox limit
2.    We tell our employees to delete content after 1,2, or 3 years
3.    We store our records (almost always paper) at Iron Mountain and regularly send deletion requests

None of these answers rise to an information governance and disposal process. Mailbox limits only force employees into stealth archiving, i.e. movement of content out of the organization’s direct control. Instructing employees to delete information without enforcement and auditing is as good as not telling them to do anything at all. And storing paper records at Iron Mountain does not address the 95%+ of the electronic data which resides in organizations.

Data center storage is not cheap. Sure, I can purchase 1 TB of external disk at a local electronics store for $150 but that 1 TB is not equal to 1 TB of storage in a corporate data center. It also doesn’t include annual support agreements, the cost of allocated floor space, the cost of power and cooling, or IT resource overhead including nightly backups. Besides, the cost of storage is not the biggest cost organizations who don’t actively manage their information face.

The astronomical costs arise when considering litigation and eDiscovery. A recent RAND survey highlighted the fact that it can cost $18,000 to review 1 GB of information for eDiscovery. And considering many legal cases include the collection and review of terabytes of information, you can imagine the average cost per case can be in the millions of dollars.

So what’s the answer? First, don’t assume information is cheap to keep. Data center storage and IT resources are not inexpensive, take human resources to keep up and running, and consume floor space. Second, information has legal risk and cost associated with it. The collection and review of information for responsiveness is time consuming and expensive. The legal risks associated with unmanaged information can be even more costly. Imagine your organization is sued. One of the first steps in responding to the suit is to find and secure all potentially responsive data. What would happen if you didn’t find all relevant data and it was later discovered you didn’t turn over some information that could have helped the other side’s case? The Judge can overturn an already decided case, issue an adverse inference, assign penalties etc. The withholding or destruction of evidence is never good and always costs the losing side a lot more.

The best strategy is to put policies, processes and automation in place to manage all electronic data as it occurs and to dispose of data deemed not required anymore. One solution is to put categorization software in place to index, understand and categorize content in real time by the conceptual meaning of the content.  Sophisticated categorization can also find, tag and automatically dispose of information that doesn’t need to be kept anymore.  Given the amount of information created daily, automating the process is the only definitive way to answer ‘yes we have a formal information disposal process’.

Information Governance and Predictive Coding

Bill Tolson eDiscovery, Information Management, records retention , , , , ,

Predictive coding, also known as computer assisted coding and technology assisted review, all refer to the act of using computers and software applications which use machine learning algorithms to enable a computer to learn from records presented it (usually from human attorneys) as to what types of content are potentially relevant to a given legal matter. After a sufficient number of examples are provided by the attorneys, the technology is given access to the entire potential corpus (records/data) to sort through and find records that, based on its “learning”, are potentially relevant to the case.

This automation can dramatically reduce costs due to the fact that computers, instead of attorneys conduct the first pass culling of potentially millions of records.

Predictive coding has several very predictable dependencies that need to be addressed to be accepted as a useful and dependable tool in the eDiscovery process. First, which documents/records are used and who chooses them to “train the system”? This training selection will almost always be conducted by attorneys involved with the case.

The second dependency revolves around the number of documents used for the training. How many training documents are needed to provide the needed sample size to enable a dependable process?

And most importantly, do the parties have access to all potentially relevant documents in the case to draw the training documents from? Remember, potentially relevant documents can be stored anywhere. For predictive coding, or any other eDiscovery process to be legally defensible, all existing case related documents need to be available. This requirement highlights the need for effective information management by all in a given organization.

As the courts adopt, or at least experiments with predictive coding, as Judge Peck did in Monique Da Silva Moore, et al., v. Publicis Groupe & MSL Group, Civ. No. 11-1279 (ALC)(AJP) (S.D.N.Y. February 24, 2012, an effective information management program will become key to he courts adopting this new technology.

Hiding from eDiscovery in Plain Sight

Bill Tolson eDiscovery, Technology , , , , ,

QR or “quick response” Codes have been showing up a lot more in the last year. A QR code is a matrix barcode (or two-dimensional code), readable by QR scanners, also readable by mobile phones with a camera, tablet computers with built-in camera including iPads, and smartphones including iPhones. The code consists of black modules arranged in a square pattern on white background. The information encoded can be a text message, a SMS message, a URL, an email reply or several other types of data. The QR code in the top left corner of this blog is the QR code for the URL for the eDiscovery101.net blog site.

QR codes are increasingly gaining acceptance in United States business and end user mind share, though they have been popular in some Asian countries for many years.

So what do QR codes have to do with eDiscovery? A friend of mine was telling me about a new business he had started using QR codes in a very unique way and it occurred to me to wonder if eDiscovery collection and review applications would be able to recognize data encoded into QR codes and if not, how could custodians use QR codes to pass information they didn’t want to be found in an eDiscovery process. For example, could you email information to others without calling attention to yourself by using encryption or have the content indexed and flagged by eDiscovery applications?

The answer is absolutely…

Look at the following email example:

The QR code embedded in the email message is simply a link to the URL for this blog site. To connect to this site you would start up your free QR code scanner on your iPhone and it would automatically link you to the site. If the above email was part of the email corpus in an energy price manipulation case, would it be flagged for any suspicious activity?

But the main point is when collecting and running millions of emails through eDiscovery software, QR codes, as far as I can tell, would not be readable and index-able by any known eDiscovery software.

Now take a look at the email message again:

If you were to scan the above QR code with your free QR code scanner, you would see the following:

As you can see, a great deal of text can be embed in a QR code that is readable by a free QR scanner pointed at a printout or even your computer display.

Is the above example a reasonable way to pass information that you don’t want caught by eDiscovery processes? Not really…an easier way would be to call someone and give them the message verbally but I wanted to point out that eDiscovery search and review applications are not 100% effective and custodians can beat them if they really try. eDiscovery vendors need to be constantly on the lookout for these new techniques of sending and receiving ESI.

Will Spoliation Insurance Change How Judges Rule?

Bill Tolson eDiscovery , , , , , , ,

On Dec.2 2010, the Lexington Insurance Company started selling a new product–spoliation insurance. No, spoliation is not misspelled, and no, it’s not a witty descriptor for what’s likely to happen inside the office break room refrigerator before the end of the holidays. Spoliation is a legal term for the destruction of evidence in civil litigation matters. And this form of insurance protects you in the event a judge imposes fines or penalties because of lost evidence or other eDiscovery failures.

Why might you need spoliation insurance? Well, Duke University conducted a recent study finding 97 eDiscovery sanction cases in 2009, more than any prior year. These are cases where the judge has determined one of the parties destroyed evidence and now must determine a penalty for this destruction of evidence.

Some questions that come to mind for me:

  1. Does having spoliation insurance mean the discoveree can exercise less care with his records information management (RIM) program, litigation hold, or discovery processes because they don’t have to worry about a fine or penalty?
  2. Is the fact that you have spoliation insurance discoverable?
  3. Would the fact that you have spoliation insurance alter the ruling by the judge? (Would the judge, for instance, impose a higher fine or penalty to hammer the insurance company?)

Obviously, spoliation insurance will not affect whether your organization wins or loses the case. Also, I would expect insurance companies to set premiums to reflect their risk. If the insured has an effective RIM program and processes to find and protect responsive electronically stored information easily, insurers should lower premiums for these buyers over other applicants with questionable or no processes or other tools.

The next question that comes to mind is: Do you need spoliation insurance if your organization has prepared for effective eDiscovery by creating RIM policies, training employees on responsibilities and processes, and acquiring technology like an archive to better control ESI?

Now, the answer to this question is pretty commonsensical. Invest in responsible processes and training as well as the best tools/automation for RIM and eDiscovery, and you likely won’t need spoliation insurance.

The ABA Journal had a story on spoliation insurance on March 1, 2011. The ABA Journal article can be viewed here.

How easy is eDiscovery in SharePoint 2010?

Bill Tolson eDiscovery, records retention, Technology , , , , , , , , , ,

There has been nagging questions surrounding SharePoint and its ability to allow complete and effective eDiscovery searches of all potentially responsive content in the repository. The below description is from the Microsoft Enterprise Content Management (ECM) Team Blog.

From the Microsoft blog:=================================================================

Hi everyone, I am Quentin Christensen and I work on document and records management functionality for SharePoint. Electronic discovery (commonly referred to as eDiscovery) is an area we are supporting with new set of capabilities in SharePoint Server 2010. In case you are not familiar with eDiscovery, it is the process of finding, preserving, analyzing and producing content in electronic formats as required by litigation or investigations. eDiscovery is an important concern for all of our customers and given that SharePoint has grown to be an integral part of collaboration, document, and records management for many organizations, we recognize the need to support the eDiscovery process for SharePoint content.

Microsoft Office SharePoint Server 2007 included a hold feature that could be used for eDiscovery, but it was scoped to the Records Center site template. With SharePoint Server 2010 the eDiscovery capabilities have been greatly expanded to provide more functionality and the power to use these features across your entire SharePoint deployment.

In this post, I want to highlight three major improvements in SharePoint that support eDiscovery. You can:

  • Manage holds and conduct eDiscovery searches on any site collection
  • Use SharePoint Server Search or FAST Search for SharePoint out of box to search and process content
  • Automatically copy eDiscovery search results to a separate repository for further analysis

Read on to learn how SharePoint Server 2010 can support your eDiscovery initiatives and provide you with the tools you need to manage holds, identify, and collect SharePoint content.

The eDiscovery Process

The Electronic Discovery Reference Model from EDRM (edrm.net) provides an overview of the different parts of the eDiscovery process:

imageSharePoint Sever 2010 addresses the Information Management, Identification, Preservation and Collection stages. While this blog post will focus mostly on the identification, preservation and collection components, SharePoint provides a rich Information Management platform for Collaboration, Social Computing, Document Management and Records Management.  This means that you can take a proactive approach to eDiscovery by putting a governance framework in place and using appropriate disposition policies to expire content. Managing content and deleting it when it is no longer needed will reduce the amount of content that must be indexed and searched, and collected for eDiscovery.  The result is that eDiscovery costs can be dramatically reduced, changing the problem from finding a needle in a hay stack to finding a needle in a hay bale. Ultimately, the key to achieving legal compliance for eDiscovery obligations is built upon a foundation of robust Information Management.

When an eDiscovery event occurs, such as a receipt of complaint, discovery, or notice of potential legal claim, the identification stage begins. Content that may be subject to eDiscovery must be identified and searches are conducted to find that content. That content needs to be preserved and at some point, the content will be collected.

 

The eDiscovery Features

Hold and eDiscovery

Hold and eDiscovery is a site level feature that can be activated on any site.

imageActivating this feature creates a new category in Site Settings that provides links to Holds and Hold Reports lists. There is also a page to discover and hold content that allows you to search for content and add it to a hold. Once the Hold and eDiscovery feature is activated you can create holds and add to hold any content in the site collection. By default only Site Collection administrators have access to the Hold and eDiscovery pages. To give other users permission, add them to the permissions list for the Hold Reports and Holds lists. This will also give access to the Discover and hold content page.

clip_image005You can manually locate content in SharePoint and add it to a hold, or you can search for content and add the search results to a hold. With the Hold and eDiscovery feature you can create holds in the hold list and then manually add content to the relevant hold by clicking on Compliance Details from the drop down menu for individual items.

imageThen click on the link to Add/Remove from hold.

imageAnd you can select the relevant hold to add to or remove from.

imageBy manually adding an item to hold you will block editing and deletion of that item until it is released from hold. You will notice that the document now has a lock icon showing that it cannot be edited or deleted.

imageEach night a report for each hold is generated by a timer job. If you need a hold report faster you can manually run the Hold Processing and Reporting timer job in Central Administration.

Search and Process

You can manually add items to hold on any site collection, which is great. But that doesn’t help you find the content you don’t already know about. What if you have a large amount of items you want to find and add to a hold? For that you can use the features on the Discover and hold content page, which is a settings page in Site Settings. From this page you can specify a search query and then preview the results. The configured search service (SharePoint Search Server or FAST Search for SharePoint) will automatically be used. You can then select the option to keep items on hold in place so they cannot be edited or deleted, or if you have configured a Content Organizer Send to location in Central Administration you can have content copied to another site and placed on hold. You may want to create a separate records center site for a particular hold to store all content related to that hold. The Content Organizer is a new SharePoint Server 2010 feature based on the Microsoft Office SharePoint Server 2007 Document Router with richer functionality to automatically classify content based on Content Type or metadata properties. Look for a future blog post covering the Content Organizer.

Holding content in place is recommended if you want to leave content in the location is was created with all the rich context that SharePoint provides, while blocking deletion and editing of content. Be aware that this will prevent users from modifying items. If you prefer users to continue editing documents, then use the copy to another location approach.

When searching and processing, the search will by default be scoped to the entire Site Collection and run with elevated permissions so all content can be discovered. The search can be scoped to specific sites and you can also preview search results before adding the results to a hold. Items can be placed on multiple holds and compliance details will show all of the holds that are applied to an item.

imageIn summary, SharePoint Server 2010 contains key features that make it an essential aspect of your eDiscovery strategy. With the new SharePoint Server 2010 capabilities you can easily apply proper retention policies for all content and make it easier to discover content if an eDiscovery event occurs. eDiscovery often prescribes tight deadlines for production. SharePoint 2010 helps you find the right content and deliver it faster.

Quentin Christensen
Program Manager – Document and Records Management
Microsoft

The coming collision of “free to the public cloud storage” and eDiscovery

Bill Tolson Cloud Storage, eDiscovery, Information Management, Technology , , , , , , , , , , , , , , , , , ,

The discovery process is tough, time consuming and expensive. What new problems are corporate attorneys facing now with the availability of “free to the public cloud storage”?

First, what is “free to the public cloud storage”? For the purposes of this blog I will define it as a minimum amount of storage capacity offered by a third party, stored and accessible via the internet made available to the public at no cost (with the hope you purchase more). The cloud storage offerings I’ve already mentioned do not limit the types of files you can upload to these services. Music storage is a prime target for these services but many, like myself, are using them for storage of other types of files such as work files which can be accessed and used with nothing more than a computer and internet connection, anywhere.

Examples of these cloud storage offerings include Dropbox, Amazon Cloud Drive, Apple iCloud, and Microsoft SkyDrive. I looked at the Google Cloud Service but determined it is only useful with Google Docs.

A more detailed comparison of these services can be found here.

The only differences between the four offerings stem from the amount of free capacity available and how you access your files. For example, my Amazon Cloud Drive as seen from my Firefox web interface:

Figure 1: The Amazon Cloud Drive web interface

The advantage to users for these services is the ability to move and store work files that are immediately available to you from anywhere. This means you no longer have to copy files to a USB stick or worse, email work files as an attachment to your personal email account. The disadvantage of these services are corporate information can easily migrate away from the company security and be managed by a third party the company has no agreement with or understanding of in reference to the third party will respond to eDiscovery requests. Also be aware that ESI, even deleted ESI is not easily removed completely. In a previous blog I talked about the Dropbox “feature” of not completely removing ESI when deleted from the application as well as keeping a running audit log of all interactions of the account (all discoverable information). The Amazon Cloud Drive has the same “feature” with deletions.

Figure 2: The deleted items folder in the Amazon Cloud Drive actually keeps the deleted files for some period of time unless they are marked and “Permanently Deleted”

The big question in my mind is how will corporate counsel, employees and opposing counsel address this new potential target for responsive ESI? Take, for example, a company which doesn’t include public cloud storage as a potential litigation hold target, doesn’t ask employees about their use and or doesn’t search through these accounts for responsive ESI…potential spoliation.

For Corporate counsel:

  1. Be aware these types of possible ESI storage locations exist.
  2. Create a use policy addressing these services. Either forbid employees from setting up and using these services from any work location and equipment or if allowed be sure employees acknowledge these accounts can and will be subject to eDiscovery search.
  3. Audit the policy to insure it is being followed.
  4. Enforce the policy if employees are not following it.
  5. Document everything.

For employees:

  1. Understand that if you setup and use these services from employer locations, equipment and with company ESI, all ESI in that account could be subject to eDiscovery review.
  2. If you use these services for work, only use them with company ESI, not personal files.
  3. Be forthcoming with any legal questioning about the existence of these services you use.
  4. Do not download any company ESI from these services to any personal computer, this could potentially open up that personal computer to eDiscovery by corporate counsel

For opposing counsel:

Ask the following questions to the party being discovered

  1. Do any of your employees utilize company sanctioned or non-sanctioned public cloud storage services?
  2. Do you have a use policy which addresses these services?
  3. Does the policy penalize employees for not following this use policy?
  4. Do you audit this use policy?
  5. Have you documented the above?

These services are the obvious path for employees to utilize over the next couple of years to make their lives easier. All involved need to be aware of the eDiscovery implications.

Part 2: Finding hidden data and metadata in office documents for eDiscovery

Bill Tolson eDiscovery, Technology , , , , , , , , ,

I ended my last blog with the question; So what and how should a company put in place a process to make sure this type of metadata is removed as a standard process before litigation arises?

Before we answer that question, let’s review the point of the last posting. The point was that Microsoft Office (and other applications) can be a rich source of discoverable information (not just metadata, thanks Leonid) for the plaintiff, especially if the author of the document didn’t take the time to scrub all hidden and personal information before finalizing it. Obviously this unseen data can be a goldmine for the opposing counsel if they know to look for it.

To address this risk, you should get your employees into the habit of “finalizing” documents by running the Microsoft Office “Document Inspector” as well as deleting all previous revisions of the document. To many, this seems like a lot of trouble but in the long run can significantly reduce your eDiscovery risk.

Figure 1: Accessing the “Document Inspector” in Word 2007

The Document Inspector provides a central location for you to examine documents for personal, hidden, or sensitive information. You can then use built-in Document Inspector modules to remove unwanted information more easily. The document inspector can be found by clicking on the “Prepare” topic and then on the “Inspect Document” menu item. The Document Inspector is available the same way in all Microsoft Office applications.

Figure 2: The Document Inspector

As you can see above, the Document Inspector allows you to check for Comments, revisions, versions, annotations, document properties, personal information, custom XML data, headers, footers, watermarks and hidden text. This type of data can be damaging in litigation if the discovered party is not aware of its existence.

Once the Document Inspector is run, you will get an indication of potential threats as seen in the window below:

Figure 3: The Document Inspector will alert you to possible threats

From this point, you can either “remove all” hidden data for each topic searched on or none of it.

But that’s the point right? You can’t remove this data after a litigation hold has been applied so by removing this hidden data as part of a consistent process will remove the risk of having to review and turn over this data in discovery.

The two points to remember is first, this hidden data and metadata could exist in you employee’s potential responsive files which means you better review it before you turn it over and second, there are ways for employees to easily remove it themselves as part of a documented process.

Accessing hidden metadata in Office documents for eDiscovery

Bill Tolson eDiscovery, Technology , , , , , , , , , ,

Microsoft Office and other documents including PowerPoint, Word, and Excel among others can be a rich source of discoverable information for the plaintiff, especially if the author of the document didn’t take the time to scrub all hidden and personal information before finalizing it. Be aware all of this hidden and personal metadata can’t be altered after a litigation hold should have been applied.

Several types of hidden and personal data can and will be saved by default in an Office document if the correct precautions are not taken.  The first point to remember is that Office applications are by default capturing data as the document in question is created, reviewed and revised. Data such as:

  • Comments, revision marks from tracked changes, versions, and ink annotations
  • Document properties and personal information. Document properties, also known as metadata (metadata: Data that describes other data. For example, the words in a document are data; the word count is an example of metadata.), include details about your document such as author, subject, and title. Document properties also include information that is automatically maintained by Office programs, such as the name of the person who most recently saved a document and the date when a document was created. If you used specific features, your document might also contain additional kinds of personally identifiable information (PII) (personally identifiable information (PII): Any information that can be used to identify a person, such as a name, address, e-mail address, government ID, IP address, or any unique identifier associated with PII in another program.), such as e-mail headers, send-for-review information, routing slips, printer paths, and file path information for publishing Web pages.
  • Headers, footers, and watermarks
  • Hidden text including reviewers notes
  • Hidden rows, columns, and worksheets
  • Invisible content PowerPoint presentations and Excel workbooks can contain objects that are not visible because they are formatted as invisible
  • Off-slide content
  • Presentation notes
  • Document server properties. If your document was saved to a location on a document management server, such as a Document Workspace site or a library based on Microsoft Windows SharePoint Services, the document might contain additional document properties or information related to this server location.
  • Custom XML data

In my experience, few companies train their employees to remove this metadata before their documents, spreadsheets and presentations are finalized and distributed. For the attorney asking for ESI, a tell tale sign of spoliation would be the total absence of this hidden data. The attory could do a quick sampling of discovered documents and if the majority of them are “clean” then a discussion with the defendants counsel and possibly Judge would be in order. Unless the defendants could show evidence of employee processes including the regular removal of this type of data as a standard process, a spoliation ruling would be in the cards.

So what and how should a company put in place a process to make sure this type of metadata is removed as a standard process before litigation arises?

My next blog entry will answer this question.

Encrypted and hidden files put eDiscovery at risk

Bill Tolson eDiscovery, Technology , , , , , , , , , , , , , , , , , , , , , , ,

There are some pretty nice freeware applications available which allow a user to encrypt and hide files/data/electronic records in plain sight on their computers. Can this pose a problem for IT and corporate legal?  Let me put it this way…how would you find and place ESI that’s encrypted or is both encrypted and made to look like something else on a litigation hold?

Does the fact that encryption applications present in a corporate infrastructure make claims of spoliation if the files can’t be found or decrypted more likely? Is this a problem you should even worry about?

It’s a stretch but in some circumstances this capability could significantly raise your eDiscovery risk. To illustrate this problem further I will specifically talk about an application called TrueCrypt which is a free open-source disk encryption software application for Windows 7/Vista/XP, Mac OS X, and Linux.

TrueCrypt is an application for creating and maintaining an on-the-fly-encrypted volume (data storage device as opposed to a single file).This means that you can create an encrypted volume capable of storing many encrypted files which to casual observers, looks like a single file. On-the-fly encryption means that data is automatically encrypted or decrypted right before is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password or correct encryption keys. There are several encryption algorithms available in the application but the most secure is the AES 256-bit key algorithm, the same one used by the federal government in many instances.

Files can be copied to and from a mounted TrueCrypt volume just like they are copied to/from any normal storage device (for example, by simple drag-and-drop operations). Files are automatically decrypted on-the-fly (in memory/RAM) while they are being read or copied from an encrypted TrueCrypt volume.  Similarly, files that are being written or copied to the TrueCrypt volume are automatically being encrypted on-the-fly (right before they are written to the disk) in RAM.

Now, to make matters worse (or better depending) TrueCrypt also can create a hidden encrypted volume within the visible encrypted volume.

The layout of a standard TrueCrypt volume before and after a hidden volume was created within it. (Graphic from the TrueCrypt manual)

The principle is that a TrueCrypt volume is created within another TrueCrypt volume. Even when the outer volume is mounted and visible, it would be impossible to prove there is a hidden volume within it or not, because free space on any TrueCrypt volume is always filled with random data when the volume is created and no part of the (dismounted) hidden volume can be distinguished from random data. Note that TrueCrypt does not modify the file system (information about free space, etc.) within the outer volume in any way.

So to put it another way, an employee trying to hide data from a discovery search could first create an encrypted volume on their hard disk or some other removable device such as a USB stick and store encrypted data on it. Even more diabolical, they could move some innocuous data to it as a decoy and store the real data on the hidden volume inside the original volume. This capability provides the employee plausible deniability in the case of corporate legal or IT forces the employee to decryption the volume they can see.

So the big question is this; how would you as a discovery auditor even know of or find these hidden and encrypted data volumes? In reality it’s not easy. You have to go into it looking for hidden and encrypted data. There are some forensics applications that will at least find and flag encrypted files and volumes including the TrueCrypt format. I am unable to determine if these forensics applications can find and flag hidden volumes.

As a test, I setup a 10 GB TrueCrypt encrypted volume on this computer and named it “Attorney Communication” in a folder I named “contracts”. To the casual observer all they see is a large file in a folder called “contacts” (see below).

Within that encrypted “Attorney Communication” file I copied four decoy files to make it look like those were the important files I was keeping encrypted just in case I am forced to open the encrypted volume by legal (see below).

As you can see above, you can’t tell by looking at it that it contains the hidden 8 GB volume I had also created. That hidden volume is accessible only by typing a totally different password.

The hidden 8 GB TrueCrypt volume on this computer

So how do you find these hidden volumes and files if the employee is not cooperating? If you suspect the employee has been using this technology the first obvious step would be to do a search of the employee’s hard disk looking for an application called “TrueCrypt”. This would be a dead give-away that the employee could have encrypted and hidden data volumes on their computer. This is not  certain because the employee could have installed the TrueCrypt application on a USB stick, which does not integrate with Windows, so when not plugged in to the computer, there would be no trace of the TrueCrypt application.

A second way to find potentially encrypted volumes would be to search for very large files. Usually encrypted volumes will be larger than normal files because they are just that, a large space to store many files. So you could do a Windows search for files over 10 MB and see what you get. An indication would be a large file with no applications associated with it. By this I mean that when you double click the file the system doesn’t recognize it as a standard Windows application and displays the “Open with” dialog box shown below:

That leaves the problem of discovering the hidden volume. A sure but very slow process to test this possibility would be to copy a bunch of files into the encrypted volume, if the employee has opened it, to see if the available storage space id equal to the volume size.  For example the file properties in Windows states my encrypted volume is 10 GB in size but in this example the employee only has 5 MB of files stored in it. To test to see if the volume contains a hidden volume, you could copy an additional 9.95 GB of data into it to see if you get a “volume full” message before all of the data was copied into it. If you could only copy an additional say 1.95 GB before the “volume full” message was received, that would indicate that a hidden 8 GB volume exists.

A faster way to get an indication of hidden volumes is to use a large file finder tool. I found one called “Largefiles3” which had a surprising capability. In this case I ran the application looking for files larger than 10 MB on the C drive.

The interesting capability here is that it found the encrypted volume I named “Attorney Communication” but it determined its size to be 2.147 GB not the 10 GB shown in the Windows file system data. This is because I had created an 8 GB hidden volume inside the “Attorney Communication” volume thereby only leaving 2 GB for the original volume. This is a huge red flag if you are looking for it. Now, without the password you still can’t access the original encrypted volume or the hidden volume but at least you would know it exists and can apply pressure to the employee.

So how do you prevent these encryption applications from putting your eDiscovery processes at risk? The most obvious one is to include in your employee computer use policy a statement prohibiting the use of these types of applications with stated punishments if not followed. This will stop general employees from using this kind of application but will not deter those employees bent on breaking your rules. The obvious next step is to sample and audit your employees to see if these applications are being used. For corporate legal, the main thing you want to establish is your “good faith intent” to make sure your eDiscovery processes are defensible.

The duty to preserve ESI is not always cut and dried

Bill Tolson eDiscovery , , , , , , , , , , , ,

The amendments to the Federal Rules of Civil Procedure (FRCP) describe the duty to preserve potential evidence when litigation can be reasonably anticipated. The term “reasonably anticipated” is a key idea and one that has caused many arguments over the last four-plus years. To make the point that organizations need to be conservative and take this seriously, it makes sense to look at a case that has gone on for several years.

On April 17, 2008, Phillip M. Adams & Associates L.L.C. (Adams) filed a motion for sanctions against ASUSTEK Computer, Inc. and ASUS Computer International for spoliation (destruction) of evidence. Adams claimed that “ASUS has destroyed the source code and documents relating to ASUS’s test programs, as well as other documents that would have conclusively demonstrated ASUS’ piracy.” On March 30, 2009, the magistrate judge issued a decision granting in part Adams’s motion. The magistrate judge found that “the universe of materials we are missing is very large,” and that “we have very little evidence compared to what would be expected.” In this case, the court reaffirmed its earlier holding regarding the trigger for defendants’ duty to preserve, namely that “in late 1999 the entire computer and component manufacturer’s industry was put on notice of a potential for litigation regarding defective floppy disk components (“FDCs”) by the well publicized settlement in a large class action lawsuit against Toshiba.”  In this ongoing case, a litigation hold responsibility was triggered by a settlement years before. The magistrate judge further found that “ASUS’ practices invite the abuse of the rights of others, because the practices tend toward loss of data.” In other words when the case was in process in 2008, the defendants should have applied a litigation hold to specific data back in 1999-2000, eight to nine years before the case showed up in court.

A related recent ruling: Phillip M. Adams & Assoc., LLC v. Windbond Elecs. Corp., 2010 WL 3767318 (D. Utah Sept. 16, 2010)

What does this mean for organizations today? Well, it’s difficult to “anticipate” future litigation so be conservative in your litigation hold triggering events meaning if even the slightest possibility exists of litigation based on external events, news stories etc. lock down that potentially responsive ESI as soon as possible. That’s easy to say but difficult to accomplish. The first step as pointed out in this case is to train your staff and employees to be sensitive to these “events” and to not be shy about pointing them out to your corporate legal department. The point is to manage your ESI more effectively. If you have control of your data you have a better chance of reacting to and finding responsive ESI when you need to and securing it.