Cloudy, with a chance of eDiscovery


In the last year there has numerous articles, blogs, presentations and panels discussing the legal perils of “Bring Your Own Device” or BYOD policies. BYOD refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications. The problem with BYOD is company access to company data housed on the device. For example, how would you search for potentially relevant content on a smartphone if the employee wasn’t immediately available or refused to give the company access to it?

Many organizations have banned BYOD as a security risk as well as a liability when involved with litigation.

BYOC Equals Underground Archiving?

Organizations are now dealing with another problem, one with even greater liabilities. “Bring your own cloud” or BYOC refers to the availability and use by individuals of free cloud storage space available from companies like Microsoft, Google, Apple, Dropbox, and Box.net. These services provide specific amounts of cloud storage space for free.

The advantage to users for these services is the ability to move and store work files that are immediately available to you from anywhere; home or while they’re traveling. This means employees no longer have to copy files to a USB stick or worse, email work files as an attachment to their personal email account. The disadvantage of these services are that corporate information can easily migrate away from the organization with no indication they were ever copied or moved – otherwise known as “underground archiving”.  This also means that potentially responsive information is not protected from deletion or available for review during eDiscovery.

Stopping employee access to outside public clouds is a tough goal and may negatively affect employee productivity unless the organization offers something as good  that they can manage and access as well. For example several companies I have talked to over the last year have begun offering Dropbox accounts to employees with the understanding that the company has access to for compliance, eDiscovery or security reasons all the while providing the employee the advantages of a cloud account.

The other capability organizations should research about these cloud offerings is their ability to respond to legal hold and eDiscovery search. Questions to consider include: Does the organization have the ability to search across all company owned accounts for specific content? What type of search do they offer; Keyword, concept? Can the organization view the contents of documents without changing the document metadata? Can the organization place to “stop” on deletions by employees at any time?

Organizations need to be aware of and adapt to these cloud services and be thorough in addressing them.

For Corporate counsel:
  1. Be aware these types of cloud storage services exist for your employees.
  2. Think about offering these cloud services to employees under the organization’s control.
  3. Create a use policy addressing these services. Either forbid employees from setting up and using these services from any work location and company owned equipment or if allowed be sure employees acknowledge these accounts can and will be subject to eDiscovery search.
  4. Audit the policy to insure it is being followed.
  5. Enforce the policy if employees are not following it.
  6. Train the employees on the policy.
  7. Document everything.
For employees:
  1. Understand that if you setup and use these services from employer locations, equipment and with company ESI, all content in that account could be subject to eDiscovery review, personal or company related.
  2. Ask your organization what the policy is for employee use of cloud storage/
  3. If you use these services for work, only use them with company content, not personal files.
  4. Be forthcoming with any legal questioning about the existence of these services you use.
  5. Do not download any company ESI from these services to any personal computer, this could potentially open up that personal computer to eDiscovery by corporate counsel
For opposing counsel:

Be aware of these services and ask the following questions during discovery:

  1. Do any of your employees utilize company sanctioned or non-sanctioned public cloud storage services?
  2. Do you have a use policy which addresses these services?
  3. Does the policy penalize employees for not following this use policy?
  4. Do you audit this use policy?
  5. Have you documented the above?

These cloud services are an obvious productivity tool for employees to utilize to make their lives easier as well as more productive. All involved need to be aware of the eDiscovery implications.

Advertisements

Ask the Magic 8-Ball; “Is Predictive Defensible Disposal Possible?”


The Good Ole Days of Paper Shredding

In my early career, shred days – the scheduled annual activity where the company ordered all employees to wander through all their paper records to determine what should be disposed of, were common place. At the government contractor I worked for, we actually wheeled our boxes out to the parking lot to a very large truck that had huge industrial shredders in the back. Once the boxes of documents were shredded, we were told to walk them over to a second truck, a burn truck, where we, as the records custodian, would actually verify that all of our records were destroyed. These shred days were a way to actually collect, verify and yes physically shred all the paper records that had gone beyond their retention period over the preceding year.

The Magic 8-Ball says Shred Days aren’t Defensible

Nowadays, this type of activity carries some negative connotations with it and is much more risky. Take for example the recent case of Rambus vs SK Hynix. In this case U.S District Judge Ronald Whyte in San Jose reversed his own prior ruling from a 2009 case where he had originally issued a judgment against SK Hynix, awarding Rambus Inc. $397 million in a patent infringement case. In his reversal this year, Judge Whyte ruled that Rambus Inc. had spoliated documents in bad faith when it hosted company-wide “shred days” in 1998, 1999, and 2000. Judge Whyte found that Rambus could have reasonably foreseen litigation against Hynix as early as 1998, and that therefore Rambus engaged in willful spoliation during the three “shred days” (a finding of spoliation can be based on inadvertent destruction of evidence as well). Because of this recent spoliation ruling, the Judge reduced the prior Rambus award from $397 million to $215 million, a cost to Rambus of $182 million.

Another well know example of sudden retention/disposition policy activity that caused unintended consequences is the Arthur Andersen/Enron example. During the Enron case, Enron’s accounting firm sent out the following email to some of its employees:

This email was a key reason why Arthur Andersen ceased to exist shortly after the case concluded. Arthur Andersen was charged with and found guilty of obstruction of justice for shredding the thousands of documents and deleting emails and company files that tied the firm to its audit of Enron. Less than 1 year after that email was sent, Arthur Andersen surrendered its CPA license on August 31, 2002, and 85,000 employees lost their jobs.

Learning from the Past – Defensible Disposal

These cases highlight the need for a true information governance process including a truly defensible disposal capability. In these instances, an information governance process would have been capturing, indexing, applying retention policies, protecting content on litigation hold and disposing of content beyond the retention schedule and not on legal hold… automatically, based on documented and approved legally defensible policies. A documented and approved process which is consistently followed and has proper safeguards goes a long way with the courts to show good faith intent to manage content and protect that content subject to anticipated litigation.

To successfully automate the disposal of unneeded information in a consistently defensible manner, auto-categorization applications must have the ability to conceptually understand the meaning in unstructured content so that only content meeting your retention policies, regardless of language, is classified as subject to retention.

Taking Defensible Disposal to the Next Level – Predictive Disposition

A defensible disposal solution which incorporates the ability to conceptually understand content meaning, and which incorporates an iterative training process including “train by example,” in a human supervised workflow provides accurate predictive retention and disposition automation.

Moving away from manual, employee-based information governance to automated information retention and disposition with truly accurate (95 to 99%) and consistent meaning-based predictive information governance will provide the defensibility that organizations require today to keep their information repositories up to date.

Defensible Disposal means never being accused of spoliation for hosting “Shred Days”


U.S District Judge Ronald Whyte in San Jose reversed his own prior ruling from a 2009 case where he issued a judgment against SK Hynix, awarding Rambus Inc. $397 million in a patent infringement case. In his reversal this month, Judge Whyte ruled that Rambus Inc. had spoliated documents in bad faith when it hosted company wide “shred days” in 1998, 1999, and 2000. Judge Whyte found that Rambus could have reasonably foreseen litigation against Hynix as early as 1998, and that therefore Rambus engaged in willful spoliation during the three “shred days” (a finding of spoliation can be based on inadvertent destruction of evidence). Because of this recent spoliation ruling, the Judge reduced the prior Rambus award from $397 million to $215 million, a cost to Rambus of $182 million.

Two questions come to mind in this case; 1) why did Rambus see the need to hold “shred days”?, and 2) did they have an information governance policy and defensible disposal process? As a matter of definition, defensible disposal is the process (manual or automated) of disposing of unneeded or valueless data in a way that will standup in court as reasonable and consistent.

The obvious answer to the second question is probably not or if yes, it wasn’t being followed, otherwise why the need for the shred days? Assuming that Rambus was not destroying evidence knowingly; the term “shred-days” still has a somewhat negative connotation. I would think corporate attorneys would instruct all custodians within their companies that the term “shred” should be used sparingly or not at all in communications because of the questionable implications.

The term “Shred days” reminds many of the Arthur Andersen partner who so famously sent an email message to employees working on the Enron account, reminding them to “comply with the firm’s documentation and retention policy”. The Andersen partner never ordered the destruction or shredding of evidence but because anticipation of future litigation was potentially obvious, the implication in her email was “get rid of suspect stuff”. The timing of the email message was also suspect in that just 21 minutes separated Ms. Temple’s e-mail message to Andersen employees on the Enron account about the importance of complying with the firm’s document retention policy from an entry in a record of her current projects in which she wrote that she was working on a case involving potential violations of federal securities laws.

The Rambus case highlights the need for a true information governance process including a truly defensible disposal strategy. An information governance process would have been capturing, indexing, applying retention policies, protecting content on litigation hold and disposing of content beyond the retention schedule and not on legal hold… automatically, based on documented and approved legally defensible policies. A documented and approved process which is religiously followed, and with proper safeguards goes a long way with the courts to show good faith intent to manage content and protect that content subject to anticipated litigation.

Facebook Spoliation Costs Widower and His Attorney $700K in Sanctions


The below article is from Abovethelaw.com by Christopher Danzig

In 2008, truck driver William Donald Sprouse pleaded guilty to charges of involuntary manslaughter for the accidental death of 25-year-old Jessica Lester. According to a bluntly-written news article from the time of the trial, Sprouse’s “truck rounded a corner on two wheels, flipped and rolled over onto Lester’s car, a crushing sixty thousand pounds landing where Jessica sat.”

Jessica’s parents and her widower, Isaiah Lester, won a massive wrongful death suit in 2010 against Sprouse and his employer at the time of the accident, Allied Concrete Company. A Virginia jury awarded them a massive $10.6 million. Clearly, the family’s wounds were still fresh.

But the courtroom odyssey was not over.

On October 21 (nearly a year later), Judge Edward Hogshire signed a “final order” (PDF) cutting the jury verdict in half in Lester v. Allied Concrete Company and William Donald Sprouse, and penalizing Lester and his attorney, Matt Murray, a combined $722,000 in sanctions:

Whereas, the court, having reviewed the evidence and arguments of counsel and carefully considered the extensive pattern of deceptive and obstructionist conduct of Murray and Lester resulting in the sanction award, finds that most of the substantial fees and costs expended by Defendants were necessary and appropriate to address and defend against such conduct…

To read the entire article, click here.

Exchange 2010 Message Search and eDiscovery


An important aspect of the eDiscovery process is finding all potentially responsive ESI. In other words the eDiscovery auditor must perform a search on all ESI repositories which could house responsive ESI.

Key to eDiscovery search in Exchange 2010 is to choose words, date ranges, attachment file names etc to help the auditor narrow the results set to be reviewed, but not to the point of overlooking responsive ESI. The eDiscovery keyword search in Exchange 2010 will only find exact matches of those terms input. Additionally, the eDiscovery multi-mailbox search in Exchange 2010 will not reproduce the history of the email, such as when it was opened, what folders it existed in and when, if it was deleted and when etc., something which can add a great deal of context to the ESI.

Another key in this process is the effectiveness of your system’s indexing capability. Does it index everything including metadata, the entire email message and all attachments so that when you perform a search, you find all instances of the content? And… is the index reliable?

The indexing and search functionality of Exchange 2010 is considered neither accurate nor reliable by eDiscovery industry experts. In testing by a 3rd party market research firm, it was found that:

  • Custodian display name and address searches missed more than 20% of custodian email compared to last name only searches.
  • Lists of search terms became corrupt without generating warning errors.
  • When items are placed on litigation hold, the preservation system did not preserve the critical location context or other metadata properties of content.

To the opposing counsel, these deficiencies are a prime target to call into question your eDiscovery process and maybe enough to have the Judge force you to perform the eDiscovery search again using very expensive third party services.

Although improved over the search capabilities of previous versions of Exchange, several major limitations to Exchange Search remain that should be fully understood. These limitations restrict how Exchange Search is used, and limit its ability to be a primary factor for upgrade for stand-alone eDiscovery support by most organiza­tions.

The biggest drawbacks to Exchange 2010 include:

  • Default search filters limited: Standard Microsoft Office formats can be indexed by Exchange 2010 so that eDiscovery searches can find and return these record types, but there is limited support for other common formats such as the popular PDF file format as well as audio or video file formats. By default, the content of email messages with PDF attachments are unsearchable. (see the iFilter section below)
  • No public folder search: Organizations with a significant investment in public folders will find that they cannot search across public folder data using the native Exchange Search functionality.
  • Localization and language limitations: Emails written in multiple languages are not indexed by Exchange Search. In addition, queries made in a specific language must match the locale of the local computer doing the search.
  • Encrypted messages not indexed: Messages encrypted with S/MIME encryption are not able to be indexed and are subsequently not searchable.
  • Exchange 2010 effectively has 2 indexes per mailbox: One index exists on the Exchange Server and one on the local Outlook machine. Any local PST files cannot be searched from the eDiscovery search interface. Local user search syntax and search results may differ from the network eDiscovery search.
  • Broad-brush legal holds: Legal Holds are a mailbox wide setting meaning that all content in a target mailbox is placed on legal hold. You cannot place individual objects on legal hold. Users can move, forward, reply, flag and categorize items under legal hold with no record. Metadata changes such as the email folder location are not tracked.
  • No case management: eDiscovery searches have no matter folders, audit or security for all eDiscovery group users. Searches for unrelated cases will all be thrown together with no ability to set security by matter.
  • Metadata can be changed on export: According to a report, email exported from the Exchange archive mailbox could have the Creator, Last Modified, PR_Creation_Time, Conversation Index and even message size changed

A question corporate General Counsels need to ask themselves and their IT departments is; can I respond to an email discovery request quickly enough and in a defensible manner to satisfy the opposing counsel and Judge?

To answer that question, you need to consider another question. Is Exchange 2010 indexing everything in my system so that when you conduct a search it will find all relevant content?

The answer is probably not. The question of completeness of the eDiscovery search capability in Exchange 2010 is a big issue many don’t even think to question.

Can you rely on the Exchange eDiscovery search to produce the results so that 1: all potentially responsive ESI can be found and placed on a litigation hold and 2: does the results you end up with contain all potentially responsive ESI?

Hiding from eDiscovery in Plain Sight


QR or “quick response” Codes have been showing up a lot more in the last year. A QR code is a matrix barcode (or two-dimensional code), readable by QR scanners, also readable by mobile phones with a camera, tablet computers with built-in camera including iPads, and smartphones including iPhones. The code consists of black modules arranged in a square pattern on white background. The information encoded can be a text message, a SMS message, a URL, an email reply or several other types of data. The QR code in the top left corner of this blog is the QR code for the URL for the eDiscovery101.net blog site.

QR codes are increasingly gaining acceptance in United States business and end user mind share, though they have been popular in some Asian countries for many years.

So what do QR codes have to do with eDiscovery? A friend of mine was telling me about a new business he had started using QR codes in a very unique way and it occurred to me to wonder if eDiscovery collection and review applications would be able to recognize data encoded into QR codes and if not, how could custodians use QR codes to pass information they didn’t want to be found in an eDiscovery process. For example, could you email information to others without calling attention to yourself by using encryption or have the content indexed and flagged by eDiscovery applications?

The answer is absolutely…

Look at the following email example:

The QR code embedded in the email message is simply a link to the URL for this blog site. To connect to this site you would start up your free QR code scanner on your iPhone and it would automatically link you to the site. If the above email was part of the email corpus in an energy price manipulation case, would it be flagged for any suspicious activity?

But the main point is when collecting and running millions of emails through eDiscovery software, QR codes, as far as I can tell, would not be readable and index-able by any known eDiscovery software.

Now take a look at the email message again:

If you were to scan the above QR code with your free QR code scanner, you would see the following:

As you can see, a great deal of text can be embed in a QR code that is readable by a free QR scanner pointed at a printout or even your computer display.

Is the above example a reasonable way to pass information that you don’t want caught by eDiscovery processes? Not really…an easier way would be to call someone and give them the message verbally but I wanted to point out that eDiscovery search and review applications are not 100% effective and custodians can beat them if they really try. eDiscovery vendors need to be constantly on the lookout for these new techniques of sending and receiving ESI.

Will Spoliation Insurance Change How Judges Rule?


On Dec.2 2010, the Lexington Insurance Company started selling a new product–spoliation insurance. No, spoliation is not misspelled, and no, it’s not a witty descriptor for what’s likely to happen inside the office break room refrigerator before the end of the holidays. Spoliation is a legal term for the destruction of evidence in civil litigation matters. And this form of insurance protects you in the event a judge imposes fines or penalties because of lost evidence or other eDiscovery failures.

Why might you need spoliation insurance? Well, Duke University conducted a recent study finding 97 eDiscovery sanction cases in 2009, more than any prior year. These are cases where the judge has determined one of the parties destroyed evidence and now must determine a penalty for this destruction of evidence.

Some questions that come to mind for me:

  1. Does having spoliation insurance mean the discoveree can exercise less care with his records information management (RIM) program, litigation hold, or discovery processes because they don’t have to worry about a fine or penalty?
  2. Is the fact that you have spoliation insurance discoverable?
  3. Would the fact that you have spoliation insurance alter the ruling by the judge? (Would the judge, for instance, impose a higher fine or penalty to hammer the insurance company?)

Obviously, spoliation insurance will not affect whether your organization wins or loses the case. Also, I would expect insurance companies to set premiums to reflect their risk. If the insured has an effective RIM program and processes to find and protect responsive electronically stored information easily, insurers should lower premiums for these buyers over other applicants with questionable or no processes or other tools.

The next question that comes to mind is: Do you need spoliation insurance if your organization has prepared for effective eDiscovery by creating RIM policies, training employees on responsibilities and processes, and acquiring technology like an archive to better control ESI?

Now, the answer to this question is pretty commonsensical. Invest in responsible processes and training as well as the best tools/automation for RIM and eDiscovery, and you likely won’t need spoliation insurance.

The ABA Journal had a story on spoliation insurance on March 1, 2011. The ABA Journal article can be viewed here.