ESI

You Don’t Know What You Don’t Know

Bill Tolson eDiscovery, Information Governance , , , , , , , ,

Blog_06272014_graphicThe Akron Legal News this week published an interesting editorial on information governance. The story by Richard Weiner discussed how law firms are dealing with the transition from rooms filled with hard copy records to electronically stored information (ESI) which includes firm business records as well as huge amounts of client eDiscovery content. The story pointed out that ESI flows into the law firm so quickly and in such huge quantities no one can track it much less know what it contains.  Law firms are now facing an inflection point, change the way all information is managed or suffer client dissatisfaction and client loss.

The story pointed out that “in order to function as a business, somebody is going to have to, at least, track all of your data before it gets even more out of control – Enter information governance.”

There are many definitions of information governance (IG) floating around but the story presented one specifically targeted at law firms: IG is “the rules and framework for managing all of a law firm’s electronic data and documents, including material produced in discovery, as well as legal files and correspondence.” Richard went on to point out that there are four main tasks to accomplish through the IG process. They are:

  • Map where the data is stored;
  • Determine how the data is being managed;
  • Determine data preservation methodology;
  • Create forensically sound data collection methods.

I would add several more to this list:

  • Create a process to account for and classify inbound client data such as eDiscovery and regulatory collections.
  • Determine those areas where client information governance practices differ from firm information governance practices.
  • Reconcile those differences with client(s).

As law firms’ transition to mostly ESI for both firm business and client data, law firms will need to adopt IG practices and process to account for and manage to these different requirements. Many believe this transition will eventually lead to the incorporation of machine learning techniques into IG to enable law firm IG processes to have a much more granular understanding of what the actual meaning of the data, not just that it’s a firm business record or part of a client eDiscovery response. This will in turn enable more granular data categorization capability of all firm information.

Iron Mountain has hosted the annual Law Firm Information Governance Symposium which has directly addressed many of these topics around law firm IG. The symposium has produced ”A Proposed Law Firm Information Governance Framework” a detailed description of the processes to look at as law firms look at adopting an information governance program.

Discoverable versus Admissible; aren’t they the same?

Bill Tolson eDiscovery, Technology , , , ,

This question comes up a lot, especially from non-attorneys. The thought is that if something is discoverable, then it must be admissible; the assumption being that a Judge will not allow something to be discovered if it can’t be used in court. The other thought is that everything is discoverable if it pertains to the case and therefor everything is admissible.

Let’s first address what’s discoverable. For good cause, the court may order discovery of any matter (content) that’s not privileged relevant to the subject matter involved in the action. In layman’s terms, if it is potentially relevant to the case, you may have to produce it in discovery or in other words, anything and everything is potentially discoverable.  All discovery is subject to the limitations imposed by FRCP Rule 26(b)(2)(C).

With that in mind, let’s look at the subject of admissibility.

In Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534, 538 (D. Md. 2007), the court started with the premise that the admissibility of ESI is determined by a collection of evidence rules “that present themselves like a series of hurdles to be cleared by the proponent of the evidence”.  “Failure to clear any of these evidentiary hurdles means that the evidence will not be admissible”. Whenever ESI is offered as evidence, five evidentiary rules need to be considered. They are:

  • is relevant to the case
  • is authentic
  • is not hearsay pursuant to Federal Rule of Evidence 801
  • is an original or duplicate under the original writing rule
  • has probative value that is substantially outweighed by the danger of unfair prejudice or one of the other factors identified by Federal Rule of Evidence 403, such that it should be excluded despite its relevance.

Hearsay is defined as a statement made out of court that is offered in court as evidence to prove the truth of the matter asserted. Hearsay comes in many forms including written or oral statements or even gestures.

It is the Judge’s job to determine if evidence is hearsay or credible. There are three evidentiary rules that help the Judge make this determination:

  1. Before being allowed to testify, a witness generally must swear or affirm that his or her testimony will be truthful.
  2. The witness must be personally present at the trial or proceeding in order to allow the judge or jury to observe the testimony firsthand.
  3. The witness is subject to cross-examination at the option of any party who did not call the witness to testify.

The Federal Rules of Evidence Hearsay Rule prohibits most statements made outside of court from being used as evidence in court. Looking at the three evidentiary rules mentioned above – usually a statement made outside of the courtroom is not made under oath, the person making the statement outside of court is not present to be observed by the Judge, and the opposing party is not able to cross examine the statement maker. This is not to say all statements made outside of court are inadmissible. The Federal Rule of Evidence 801 does provide for several exclusions to the Hearsay rule.

All content is discoverable if it potentially is relevant to the case and not deemed privileged, but discovered content may be ruled inadmissible if it is deemed privileged (doctor/patient communications), unreliable or hearsay. You may be wondering how an electronic document can be considered hearsay? The hearsay rule refers to “statements” which can either be written or oral. So, as with paper documents, in order to determine whether the content of electronic documents are hearsay or fact, the author of the document must testify under oath and submit to cross-examination in order to determine whether the content is fact and can stand as evidence.

This legal argument between fact and hearsay does not relieve the discoveree from finding, collecting and producing all content in that could be relevant to the case.

Next Generation Technologies Reduce FOIA Bottlenecks

Bill Tolson eDiscovery, Information Management, records retention, Technology , , , , , , , , , , ,

Federal agencies are under more scrutiny to resolve issues with responding to Freedom of Information Act (FOIA) requests.

The Freedom of Information Act provides for the full disclosure of agency records and information to the public unless that information is exempted under clearly delineated statutory language. In conjunction with FOIA, the Privacy Act serves to safeguard public interest in informational privacy by delineating the duties and responsibilities of federal agencies that collect, store, and disseminate personal information about individuals. The procedures established ensure that the Department of Homeland Security fully satisfies its responsibility to the public to disclose departmental information while simultaneously safeguarding individual privacy.

In February of this year, the House Oversight and Government Reform Committee opened a congressional review of executive branch compliance with the Freedom of Information Act.

The committee sent a six page letter to the Director of Information Policy at the Department of Justice (DOJ), Melanie Ann Pustay. In the letter, the committee questions why, based on a December 2012 survey, 62 of 99 government agencies have not updated their FOIA regulations and processes which was required by Attorney General Eric Holder in a 2009 memorandum. In fact the Attorney General’s own agency have not updated their regulations and processes since 2003.

The committee also pointed out that there are 83,000 FOIA request still outstanding as of the writing of the letter.

In fairness to the federal agencies, responding to a FOIA request can be time-consuming and expensive if technology and processes are not keeping up with increasing demands. Electronic content can be anywhere including email systems, SharePoint servers, file systems, and individual workstations. Because content is spread around and not usually centrally indexed, enterprise wide searches for content do not turn up all potentially responsive content. This means a much more manual, time consuming process to find relevant content is used.

There must be a better way…

New technology can address the collection problem of searching for relevant content across the many storage locations where electronically stored information (ESI) can reside. For example, an enterprise-wide search capability with “connectors” into every data repository, email, SharePoint, file systems, ECM systems, records management systems allows all content to be centrally indexed so that an enterprise wide keyword search will find all instances of content with those keywords present. A more powerful capability to look for is the ability to search on concepts, a far more accurate way to search for specific content. Searching for conceptually comparable content can speed up the collection process and drastically reduce the number of false positives in the results set while finding many more of the keyword deficient but conceptually responsive records. In conjunction with concept search, automated classification/categorization of data can reduce search time and raise accuracy.

The largest cost in responding to a FOIA request is in the review of all potentially relevant ESI found during collection. Another technology that can drastically reduce the problem of having to review thousands, hundreds of thousands or millions of documents for relevancy and privacy currently used by attorneys for eDiscovery is Predictive Coding.

Predictive Coding is the process of applying machine learning and iterative supervised learning technology to automate document coding and prioritize review. This functionality dramatically expedites the actual review process while dramatically improving accuracy and reducing the risk of missing key documents. According to a RAND Institute for Civil Justice report published in 2012, document review cost savings of 80% can be expected using Predictive Coding technology.

With the increasing number of FOIA requests swamping agencies, agencies are hard pressed to catch up to their backlogs. The next generation technologies mentioned above can help agencies reduce their FOIA related costs while decreasing their response time.

Coming to Terms with Defensible Disposal; Part 1

Bill Tolson eDiscovery, Information Management , , , , , ,

Last week at LegalTech New York 2013 I had the opportunity to moderate a panel titled: “Defensible Disposal: If it doesn’t exist, I don’t have to review it…right?” with an impressive roster of panelists. They included: Bennett Borden, Partner, Chair eDiscovery & Information Governance Section, Williams Mullen, Clifton C. Dutton, Senior Vice President, Director of Strategy and eDiscovery, American International Group and John Rosenthal, Chair, eDiscovery and Information Management Practice, Winston & Strawn and Dean Gonsowski, Associate General Counsel, Recommind Inc.

During the panel session it was agreed that organizations have been over-retaining ESI (which accounts for at least 95% of all data in organizations) even if it’s no longer needed for business or legal reasons. Other factors driving this over-retention of ESI were the fear of inadvertently deleting evidence, otherwise called spoliation. In fact an ESG survey published in December of 2012 showed that the “fear of the inability to furnish data requested as part of a legal or regulatory matter” was the highest ranked reason organizations chose not to dispose of ESI.

Other reasons cited included not having defined policies for managing and disposing of electronic information and adversely, organizations having defined retention policies to actually keep all data indefinitely (usually because of the fear of spoliation).

One of the principal information governance gaps most organizations haven’t yet addressed is the difference between “records” and “information”. Many organizations have “records” retention/disposition policies to manage those official company records required to be retained under regulatory or legal requirements. But those documents and files that fall under legal hold and regulatory requirements amount to approximately 6% of an organization’s retained electronic data (1% legal hold and 5% regulatory).

Another interesting survey published by Kahn Consulting in 2012 showed levels of employee understanding of their information governance-related responsibilities. In this survey only 21% of respondents had a good idea of what information needed to be retained/deleted and only 19% knew how  information should be retained or disposed of. In that same survey, only 15% of respondents had a general idea of their legal hold and eDiscovery responsibilities.

The above surveys highlight the fact that organizations aren’t disposing of information in a systematic process mainly because they aren’t managing their information, especially their electronic information and therefore don’t know what information to keep and what to dispose of.

An effective defensible disposal process is dependent on an effective information governance process. To know what can be deleted and when, an organization has to know what information needs to be kept and for how long based on regulatory, legal and business value reasons.

Over the coming weeks, I will address those defensible disposal questions and responses the LegalTech panel discussed. Stay tuned…

eDiscovery Cost Reduction Strategies

Bill Tolson eDiscovery, Information Management, records retention , , , , , ,

In these still questionable economic times, most legal departments are still looking for ways to reduce, or at least stop the growth, of their legal budgets. One of the most obvious targets for cost reduction in any legal department is the cost of responding to eDiscovery including the cost of finding all potentially responsive ESI, culling it down and then having in-house or external attorneys review it for relevance and privilege. Per a CGOC survey, the average GC spends approximately $3 million per discovery to gather and prepare information for opposing counsel in litigation.

Most organizations are looking for ways to reduce these growing costs of eDiscovery. The top four cost reduction strategies legal departments are considering are:

  • Bring more evidence analysis and do more ESI processing internally
  • Keep more of the review of ESI in house rather that utilize outside law firms
  • Look at off-shore review
  • Pressure external law firms for lower rates

I don’t believe these strategies address the real problem, the huge and growing amount of ESI.

Several eDiscovery experts have told me that the average eDiscovery matter can include between 2 and 3 GB of potentially responsive ESI per employee. Now, to put that in context, 1 GB of data can contain between 10,000 and 75,000 pages of content. Multiply that by 3 and you are potentially looking at between 30,000 and 225,000 pages of content that should be reviewed for relevancy and privilege per employee. Now consider that litigation and eDiscovery usually includes more than one employee…ranging from two to hundreds.

It seems to me the most straight forward and common sense way to reduce eDiscovery costs is to better manage the information that could be pulled into an eDiscovery matter, proactively.

To illustrate this proactive information management strategy for eDiscovery, we can look at the overused but still appropriate DuPont case study from several years ago.

DuPont re-looked at nine cases. They determined that they had reviewed a total of 75,450,000 pages of content in those nine cases. A total of 11,040,000 turned out to be responsive to the cases. DuPont also looked at the status of these 75 million pages of content to determine their status in their records management process. They found that approximately 50% of those 75 million pages of content were beyond their documented retention period and should have been destroyed and never reviewed for any of the 9 cases. They also calculated they spent $11, 961,000 reviewing this content. In other words, they spent $11.9 million reviewing documents that should not have existed if their records retention schedule and policy had been followed.

An information management program, besides capturing and making ESI available for use, includes the defensible deletion of ESI that has reached the end of its retention period and therefore is valueless to the organization.

Corporate counsel should be the biggest proponents of information governance in their organizations simply due to the fact that it affects their budgets directly.

Can you wipe your twitter ramblings, and should you?

Bill Tolson eDiscovery, Information Management, Technology , , , , , , ,

In December of 2011, the Library of Congress and Twitter signed an agreement that will eventually make available every public Tweet ever sent as an archive to the Library of Congress.


While writing a blog post last week, I began  to wonder how long all my twitter postings would
be available and who could look at them. For the fun of it, I went back through approximately 6 months of my old twitter postings, re-tweets and replies (yes you can do it, it’s relatively easy and you can look at anyone’s).

I’ve been pretty good about keeping my twitter posts “business-like” and have steered away from personal stuff like “I just checked in to the Ramada Inn on route 11…can’t wait for the evening to begin!”, or “does anyone know how to setup an off-shore bank account?” or “those jerks over at Company ABC are a bunch of losers”.  But many tweeters aren’t so disciplined and have posted stuff that could come back to haunt them later. I could imagine a perspective employer reviewing a candidate’s twitter history or even worse an attorney conducting research for a case using the public twitter archives to create a timeline.

With that in mind, could you delete your twitter postings and should you? Twitter does allow you to delete specific tweets one at a time but as far as I can determine, Twitter does not give you the ability to delete your entire twitter history short of deactivating your account. From the Twitter website:

How To Delete a Tweet

If you’ve posted something that you’d rather take back, you can remove it easily. When you hover over your Tweet while viewing your home or profile page, you’ll see a few options appear below the message.

To delete one of your Twitter updates:

  1. 1.       Log in to Twitter.com
  2. 2.       Visit your Profile page
  3. 3.       Locate the Tweet you want to delete
  4. 4.       Hover your mouse over the message (as shown below), and click the “Delete” option that appears

Voila! Gone forever… almost. Deleted updates sometimes hang out in Twitter search. They will clear with time.

We do not provide a way to bulk delete Tweets. If you’re looking to get a “fresh start” on your Twitter account without losing your username, the best way to do this is to create a temporary account with a temporary username, and then switch the username between your current account and the temporary account. Please see our article on How to Change Your Username for more info. 

On December 30, 2011, CNET published a story titled “How to delete all your tweets” which highlighted a product called TwitWipe. TwitWipe is a free tool that allows you to delete ALL your past tweets in one fell swoop. This may be handy because you can clean out your twitter account and start fresh without changing your username and dumping all your hard won followers.

This is an interesting capability but I think the more important question is why would you use this drastic of a step? The four most obvious reasons one would want to delete all their twitter postings and start fresh would be:

1.       You went through an unfortunate period in your life that you would rather forget

2.       You were regularly conducting criminal activities through your Twitter account

3.       You are considering a run for the presidency

4.       For whatever reason, you don’t want your twitter postings archived and available at the Library of Congress

The ability to delete ESI can be dangerous if done at the wrong time, especially if civil litigation is anticipated. Deleting a single tweet or every tweet you have ever posted can be construed as destruction of evidence if those tweets could have been relevant in litigation. ESI, no matter its format or where it’s stored, is potentially evidence  and should be at least considered when protecting ESI for litigation hold. Attorneys on both sides need to include social media content like twitter postings in their eDiscovery plans and be sure to warn all custodians about deleting/editing  social media content once litigation is anticipated.

Part 2, Steganography; Hiding from eDiscovery in plain sight

Bill Tolson eDiscovery, Technology , , , , , , ,

In my last blog I described a unique way of hiding incriminating data from eDiscovery queries in plain sight. In the example, I was able to hide obviously responsive information in a QR code attached as part of the signature to an email message.  The point was to show that ESI, especially email, can still be used to communicate with others and remain under the radar of the best eDiscovery search applications.

Now let’s look at another way to hide incriminating ESI from eDiscovery search applications.

The technique is called Steganography. Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message; a form of security through obscurity. The best known Steganography technique hides information in standard graphic images.

Graphic #1: Tree

The above image of a tree includes a steganographically hidden image. The hidden image (the image of the cat below) is revealed by removing all but the two least significant bits of each color component and a subsequent normalization. The hidden image is shown below.

Graphic #2: Cat

You can hide any electronically stored data in any graphic image. As in the example above, a picture can be hidden in another picture. But the technique is not limited to hiding pictures in pictures. A word document, a schematic, even a sound file can be embedded and hidden in any graphic.

There are several free steganography applications available on the internet. I found and tested two; Invisible Secrets 2.1 and Xiao Steganography. Both use JPEG images as the “carrier” device.

How can this technique be used to pass incriminating information to someone else? Using the email example from my previous blog, let’s look at the example email message below from Bill to Ken.

Email example #1

There is absolutely nothing out of the ordinary in this email and would not trigger an eDiscovery search application to flag it as suspicious. Look closely at the email signature especially the eDiscovery101 graphic. Now look at the email below:

Email example #2

The second email looks exactly the same. Again there would be no reason for an eDiscovery search application to flag it as suspicious. But, hidden in the second email’s eDiscovery101 graphic is the very incriminating Word document shown below:

Graphic #3: Incriminating letter

This raises the question; if you were conducting an eDiscovery investigation, how would you ever suspect that there is additional responsive data included in the in the “eDiscovery101” email signature graphic and if you did suspect hidden data, how could you prove it?

To answer the first question, we need to understand how steganography applications work. For this example I will use the Invisible Secrets 2.1 application.

The application includes a helpful wizard to quickly walk you through the process.

The first step is to decide which graphic file you will use as the “carrier” for the incriminating data. In this case I will use my standard JPEG file for my blog, eDiscovery101.

The next step is to select the source file or in this example the incriminating letter from above.

Next, a password for encryption of the incriminating letter is requested. This will insure the incriminating (hidden) data in the eDiscovery101 graphic cannot not be accessed, even if suspected.

Lastly, you need to give the application a destination file name. In this case I named it something obvious and familiar, eDiscovery101s.jpg, so as not to draw attention to it. At this point, after the “Next” button is pressed, the new graphic file is created and can be inserted into the email signature.

Detecting hidden data via automation is tough if not impossible. As I mentioned before, As far as I know, there is no eDiscovery application which can recognize and flag steganography. To have a chance, you must already suspect a custodian and then manually look for inconsistencies. For this example, the only way to tell if a given graphic contains hidden data is to compare the size of the images. The two eDiscovery101 images have different sizes. The original eDiscovery101 image is a 52KB JPEG file, while the second eDiscovery101 image is a 78KB JPEG file. Another clue to hidden data would be to search for know steganography applications on the custodian’s desktop or laptop (if they didn’t delete it after creating the hidden data). But remember, even if you find a suspicious image, without the encryption password you will never be able to open it.

To protect organizations from this type eDiscovery liability they can put some basic measures in place. Most importantly, include in your email system use policy a definitive statement about using these types of encryption applications on any organization owned assets, and audit custodians for enforcement. You could also forbid placing graphic images within the body of an email but this is not realistic. For example you could insert the same incriminating letter mentioned above into a table within a spreadsheet and convert that table to a JPEG. Below is a spreadsheet converted into a JPEG image file with the same incriminating letter embedded in it.

Spreadsheet #1

Would the above spreadsheet embedded into an email raise suspicions? Probably not… If custodians are determined to hide data in plain sight, they can with little chance of being caught.

Golf and Early Case Assessments – A Drama

Bill Tolson eDiscovery, records retention, Technology , , , , , , , , , , , ,

Effective early case assessment is dependent on a complete data set.

On the average 97% of data generated within businesses is electronic. The average employee generates and receives up to 20 MB of email and potentially hundreds of MBs of office work files per day. Litigation is a huge problem these days for businesses. A huge amount of the cost of litigation is the cost of finding and reviewing electronically stored information (ESI) for both early case assessment as well as eDiscovery request response. ESI can hide anywhere in the corporate infrastructure; custodian workstations, network share drives, USB thumb drives, CD/DVDs, iPods etc. A centrally managed and fully indexed archive can speed the collection and review of potentially responsive records for early case assessment as well as more fully control and insure the placement of litigation holds.

No matter the case, the first question when you’re faced with litigation is whether the case has merit. If you haven’t prepared a case assessment strategy ahead of time, it will be difficult to quickly and effectively determine your strategy going forward; should you settle or fight…

An early case assessment capability provides you with four obvious benefits:

  • Provides an early indication of the merits of the case – do you have any actual liability.
  • Can suggest the proper strategy going forward.
  • Can provide you an estimate of the cost of defending the case and the time required.
  • Will help you plan for the discovery process and prepare for the “meet and confer” meeting.

Let’s look at some scenarios.

Scenario #1

You’re the General Counsel of a publicly traded software company in the state of California.

It’s a Friday near the end of summer and you’re sitting in your office thinking about your Hawaiian golf vacation which begins tomorrow.

You’re checking the last of your mail before you leave for 3 weeks.

You open a letter from an outside law firm addressed to you…

(Your secretary hears a string of profanities emanating from your office)

You immediately think to yourself; once this news gets out, your company’s stock will be hammered, your board of directors will want an update yesterday, your channel partners will want to be advised on their potential liability, sales that are in process will stop, your CEO will want to know if the case has merit…and your wife will want to know why you just cancelled the Hawaiian vacation she was looking forward to (she was staying home).

What to do first?

You call the plaintiff’s law firm of Tolson & Yonamine to determine what this case is based on…what’s driving it. The Partner managing the case can’t be reached but 2 hours later you receive a fax (a fax, really?) of a printed email that looks like it came from within your company…

What the…? Who, in their right mind would seriously consider something like this much less put it in writing?

Ok, first things first. Your next steps are:

  • Find out who “Jennifer” is, who she reports to and what department she work in. Also find out if she is even still with the company
  • Call the VP of IT and let her know what’s going on and verbally tell her to secure any infrastructure data from Jennifer or Bob
  • Follow that up by sending an email to the VP of IT asking her to secure Jennifer and Bob’s email boxes, and any backup tapes for their respective email servers
  • Send an email to Jennifer informing her of the litigation hold, her duties under it and the consequences if the directions are not followed
  • Send an email to Bob informing him of the litigation hold, his duties under it and the consequences if the directions are not followed
  • Instruct  the VP of IT via email to find the original of the email in question on the email servers or backup tapes

To complicate matters, the VP of IT calls back immediately to tell you that the company only keeps backup tapes of the email servers for 30 days and are then recycled. She also informs you that the company has a 90 day email retention policy meaning that employees must clear emails older than 90 days out of their mailbox or the company will do it automatically. Copies of those emails, if they exist, will only be available on the employee’s local workstations. You think to yourself; if that’s the case, how did the outside law firm get them?

You send one of your staff attorneys and an IT person to both Bob and Jennifer’s offices to look for a copy of the email on their local computers etc.

Later, you find that Bob has a 3 GB PST, local personal email archive, on his laptop where the email might exist but for some reason the IT guy can’t open it. IT calls Microsoft support and is told that the PST is too big and is no doubt irrevocably corrupted.

In the mean time, one of your staff attorneys spends 4.5 hours at Jennifer’s office and eventually finds a copy of the email in her local PST… the email really does exist…%$#@!!. She has no idea why she would have written something like that and there are no records of any other emails associated with that particular smoking gun email. Because the email in question is older than the company’s oldest email server backup tapes, your early case assessment is stopped dead for lack of data.

Now what?

After several months of negotiating with ABC Systems and their law firm, you settle for damages of $35 million and an apology published in the business section of the San Jose Mercury News.

In the preceding scenario, the available early case assessment process suggested that the case might have merit and should be settled before more resources were expended. In this case, the early case assessment was negatively impacted by a shortage of data due to retention policies that were put into place mainly for storage management reasons.

Having access to all relevant information early on can mean the difference between fighting a winnable case and settling the case early for hopefully much less then is being asked for. An early case assessment strategy with the right tools can improve the odds of a favorable outcome.

Early Case Assessment with Proactive ESI Archiving

Let’s look at the preceding scenario with one difference… the defendant has an ESI archiving system and a more common sense retention policy which in this case includes a 3 year retention policy for email.

You are the General Counsel of a publicly traded software company in California

It’s a Friday near the end of summer and you are sitting in your office thinking about your Hawaiian golf vacation which begins tomorrow

You open the last of your mail before you leave for 3 weeks

You open a letter from an outside law firm…

This can’t be real. This must be a joke from your $*@$!! Brother-in-law. After calling him and determining it’s not a joke you think to yourself; NOW WHAT?

You call the opposing counsel to determine what this case is based on. The partner managing the case can’t be reached but 2 hours later you receive a fax showing a printed email that looks like it came from within your company…

Next, you must place a litigation hold on all potentially responsive records

  • Find out who “Jennifer” is, who she reports to and what department she work in. Also, is she even still with the company
  • Call the VP of IT and let her know what’s going on
  • Instruct one of your staff attorneys to query the email archive to determine if that specific email exists, and to provide the entire conversation thread around that email so you can review it for intent.

Your staff attorney quickly queries the archive and pulls up a copy of the email message with the entire conversation thread, puts the entire conversation thread on litigation hold and sends you the following email…

“Boss, the email in question was based on the following conversation thread starting with the CEO:”

“Based on the early case assessment using the email archive and the conversation thread capability, I found that the “smoking gun” email was taken out of context and can prove the case has no merit…We should talk to opposing counsel as soon as possible to end this now.”

You think to yourself; whatever person’s idea it was to get that email archiving system in place should be given a load of stock options…

You spend the next morning talking to the opposing counsel…the action is withdrawn a month later…

You continue with your golf vacation having only missed two days and your wife is especially happy you were able to go on your vacation (alone).

An important aspect of an early case assessment is to tell you if the case has merit. It’s difficult to make an informed assessment about a case without all the data…

Accidental Data Deletion Still Considered Spoliation

Bill Tolson eDiscovery, records retention, Technology , , , , , , ,

From an article posted to the Infosecurity-us.com website yesterday:

When litigation-based data management isn’t taken seriously dire consequences will occur.

When it comes to electronic discovery, if you fail to protect potentially relevant data and it’s destroyed, no matter the excuse, you have deprived the other side of their right to all relevant evidence to support their case and subsequently put them at a disadvantage.

What are your responsibilities when it comes to securing data that could be used against you in a current or future civil lawsuit? Judges today have little sympathy for accidental or shoddy data handling practices when it comes to protecting and turning over data in litigation.

Controlling your company’s information at all times is crucial if, or when, you get dragged into civil litigation. What is eDiscovery? Well, it’s not an afterhours team-building exercise. Electronic discovery (also called eDiscovery or Discovery) refers to any process (in any country) in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. The eDiscovery process can be carried out offline on a particular computer or it can be accomplished on a corporate network.

Since the new amendments to the Federal Rules of Civil Procedure (FRCP) were adopted in December 2006, judges expect that organizations in eDiscovery have complete control of their organization’s data and can fully respond to an eDiscovery request in days or weeks, not months or years.

The entire article can be read here

Does Exchange 2010 have eDiscovery Defensibility?

Bill Tolson eDiscovery, Technology , , , , , , , , ,

One question I get asked a lot lately at webinars and seminars is; doesn’t Microsoft Exchange have all the tools I need to respond to a Discovery request? In other words can you rely on Exchange 2010 discovery capability for defensible search and litigation hold? Depending on who you talk to the answer can be yes or no.

Now don’t get me wrong, Microsoft has made great strides on its eDiscovery capability over the last several years with Exchange 2007 and 2010. But there is at least one major question to ask yourself when considering if Exchange 2010 has the capabilities, by itself, to respond to a eDiscovery request. That question is; can I respond to a email discovery request quickly and completely enough to satisfy the opposing counsel and Judge in a defensible manner?

One potential problem I’ve run across is a question of completeness of the eDiscovery search capability in Exchange 2010. Can you rely on it to produce the search results so that 1, all potentially responsive ESI can be found and placed on a litigation hold and 2, does the results set you eventually end up with contain all potentially responsive ESI?

Exchange 2010 comes with a default package of what Microsoft terms as iFilters. These iFilters allow Exchange to index specific file types in email attachments. This default iFilter pack (a description of which can be seen here) must be installed when Exchanger server 2010 is installed. This default iFilter pack includes the following file types:

.ascx, .asm, .asp, .aspx, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .doc, .docx, .dot, .h, .hhc, .hpp, .htm, .html, .htw, .htx, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .mht, .odc, .one, .pl, .pot, .ppt, .pptx, .rc, .reg, .rtf, .stm, .txt, .url, .vbs, .wtx, .xlc, .xls, .xlsb, .xlsx, .xlt, .xml, .zip

An obvious missing file type is the Adobe Acrobat .pdf extension. Many/most eDiscovery professionals will tell you that PDF files make up a sizable share of potentially responsive ESI in discovery. What if your IT department didn’t know about this limitation and never installed a separate iFilter for Adobe Acrobat files? What if your legal department didn’t know of this missing capability?

Your discovery searches would not be returning responsive PDF files causing major risk in both litigation hold and your overall discovery response.

Another question in reference to the Exchange 2010 Abobe Acrobat search capability is the effectiveness of the search. In a WindowsITPro article from last year titled Exchange Search Indexing and the problem with PDFs, Or “Why I hate Adobe with the Burning Passion of 10,000 Suns”, Paul Robichaux writes:

This test provided an unsatisfying result. I don’t feel like I found or fixed the problem; I just identified it more closely. Telling my users, “Sure, you can search attachments in Exchange, unless they happen to be PDFs, but then again maybe not,” isn’t what I had in mind. I hope that Adobe fixes its IFilter to work properly; it’s a shame that Adobe’s poor implementation is making Exchange search look bad.”

Corporate attorneys in organizations using Exchange 2007 and 2010 as their email system should immediately ask their IT departments about their system’s ability to index and search PDF files.

Attorneys on the other side of the table should be asking defense counsel the status of their Exchange 2007/2010 Adobe Acrobat search and litigation hold capability.