e-discovery seminar - MS

How to Avoid The Biggest Electronic Evidence Mistakes
Ken Jones
Senior Technology Architect
Pileum Corporation
Why is Proper Handling of Electronic Data Important?
• Most of the evidence in your case isn’t on paper and never will be.
From a 2005 survey, only 5% to 7% of all information is “born” outside
of a computer.
[Chart: Paper Evidence vs. Computer Evidence]
Why is E-Discovery Different from Traditional Discovery?
• Volume of Information
– 1 e-mail search for 68 terms for 10 users = 45GB of data in over
500,000 e-mail messages!
– In the Enron/Andersen litigation, the digital evidence topped 200
Terabytes, far more than if you digitized all the books in the Library of
Congress.
• Vicinity of Information
– Data moves to places not expected
– Servers, workstations, portable drives, e-mail recipients
– cache files, slack space, duplicate documents
• Volatility of Information
– Data change through normal operations
– Ease of Data Corruption during collection
• Variation of Information
– Log Files
– Metadata
– Databases and spreadsheets
– E-mail Headers
Mistake 1: Inadequate Preparation
Are You Prepared?
• Usual reaction: Panic, confusion, unnecessary expense,
and possible loss of evidence
• Example: Database had information critical for a case.
Attorney answer – “Print it out”
• How can you fix this?
– Train attorneys, paralegals, and staff
– Review (or create) data collection policies and procedures
– Proactively assist clients with high litigation risk to create a plan to
preserve electronic evidence
– Create an e-discovery procedure for your firm (yes, it can happen to
you too!)
Mistake 2: Moving Too Slowly
Why is this a problem?
• Example: Key evidence was an e-mail that had been deleted, but no
attempt was made to recover it or prove it was sent until 6 months
after the suit was filed!
Data can easily be lost. How?
• Routine system deletion – many log files are only saved for
30, 60, or 90 days.
– Computer Log files (e-mail transmission, web page activity, etc)
– ISP logs of IP addresses
• Alteration through routine system operations
– Just booting a PC changes hundreds of files
• Employee actions – deliberate or accidental
– Example: Employee had key data in their e-mail but left the
company, so their mailbox was deleted!
• Automatic overwriting and recycling (especially with backup)
What is the solution?
• Preserve early
• Preserve widely
– Can always exclude for privilege later
• Notify ALL necessary people (especially IT)
November 1, 2013
Bob Smith
ABC Corporation
PO Box 12345
Jackson, MS 39225
Re: Smith v. XYZ Corp. – Not Yet Filed
Dear Mr. Smith:
Please be advised that Plaintiffs in the above matter believe electronically stored
information to be an important and irreplaceable source of discovery in the
above-referenced matter. The discovery requests we intend to serve will seek information
from your client’s computer systems. This includes e-mail and other electronic
communication, word processing documents, spreadsheets, databases, calendars,
telephone logs, contact manager information, Internet usage files, and network
access information.
The laws and rules prohibiting destruction of evidence apply to
electronically stored information in the same manner that they apply to other
evidence. Due to its format, electronic information is easily deleted, modified or
corrupted. Accordingly, we demand that you immediately take every reasonable
step to preserve this information until the final resolution of this matter. This
includes, but is not limited to, an obligation to discontinue all data destruction and
backup tape recycling policies.
Sincerely,
Les Cheatem
DUHE, CHEATEM & HOWE
Mistake 3: Not Involving Specialists Early Enough
Why is this a Problem?
• Internal IT staff probably does not have the time, tools,
or knowledge to do it properly.
– If there is a dispute over the method of preservation or collection do
you want your internal IT staff to testify in court?
• Difficulty of getting information after the discovery period
• It is not just WHAT you ask for but HOW you ask for it to be
delivered. Many times metadata is key to getting answers
– E-mail headers and routing information
– Word processing profiles and editing history
– Spreadsheet data sources and formulas
– Database structure and relationships
• Computer Forensics may need to be used
– Recovery of deleted items
– Detailed examination of activities on a computer
What is Computer Forensics?
Computer forensics is a branch of digital
forensic science pertaining to legal evidence
found in computers and digital storage media.
The goal of computer forensics is to examine
digital media in a forensically sound manner
with the aim of identifying, preserving,
recovering, analyzing and presenting facts and
opinions about the digital information.
Which e-mail was never received?
Received: from smtp486.redcondor.net (208.80.204.86) by
mail.pileum.com (10.250.10.55) with Microsoft SMTP Server
(TLS) id 14.3.158.1; Mon, 7 Oct 2013 09:26:12 -0500
Received: from mail-vb0-f67.google.com ([209.85.212.67])
by smtp486.redcondor.net ({6695537a-536a-45f9-a249877c85428649}) via TCP (inbound) with ESMTPS id
20131007142611158 for <[email protected]>; Mon, 07
Oct 2013 14:26:11 +0000
X-RC-FROM: <[email protected]>
X-RC-RCPT: <[email protected]>
Received: by mail-vb0-f67.google.com with SMTP id
g17so549789vbg.2 for <[email protected]>; Mon, 07 Oct
2013 07:26:05 -0700 (PDT)
…
Received: from pileum.com (10.250.10.108) by PILEUMEXCH2.corp.pileum.com (10.250.10.55) with Microsoft SMTP
Server id 14.3.158.1; Mon, 7 Oct 2013
09:34:02 -0500
…
Answer: They both were; only the one on the right is a fake.
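Reading a Received chain like the one above means walking it bottom-up and normalizing every timestamp to UTC. The following is an added example, not part of the original slides: it uses a constructed copy of the first header (redacted addresses replaced with the placeholder user@example.com, the relay's queue GUID omitted) and flags any hop stamped earlier than the hop before it.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the first header in the slide.
# user@example.com is a placeholder for the redacted addresses.
SAMPLE = """\
Received: from smtp486.redcondor.net (208.80.204.86) by
 mail.pileum.com (10.250.10.55) with Microsoft SMTP Server
 (TLS) id 14.3.158.1; Mon, 7 Oct 2013 09:26:12 -0500
Received: from mail-vb0-f67.google.com ([209.85.212.67])
 by smtp486.redcondor.net via TCP (inbound) with ESMTPS id
 20131007142611158 for <user@example.com>; Mon, 07
 Oct 2013 14:26:11 +0000
Received: by mail-vb0-f67.google.com with SMTP id
 g17so549789vbg.2 for <user@example.com>; Mon, 07 Oct
 2013 07:26:05 -0700 (PDT)
Subject: constructed example

body
"""

def received_hops(raw):
    """Return [(receiving_host, utc_time)], oldest hop first."""
    hops = []
    # Each server prepends its own line, so the top header is the newest hop.
    for h in reversed(message_from_string(raw).get_all("Received", [])):
        h = re.sub(r"\s+", " ", h)                      # unfold wrapped lines
        stamp = re.sub(r"\(.*?\)", "", h.rsplit(";", 1)[-1]).strip()
        when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
        by = re.search(r"\bby (\S+)", h)
        hops.append((by.group(1) if by else "?", when))
    return hops

def hop_report(hops, skew=timedelta(seconds=60)):
    """Per-hop delay in seconds; flag hops stamped before their predecessor."""
    report = []
    for (src, t0), (dst, t1) in zip(hops, hops[1:]):
        delay = t1 - t0
        report.append((src, dst, delay.total_seconds(), delay < -skew))
    return report

if __name__ == "__main__":
    for src, dst, secs, suspicious in hop_report(received_hops(SAMPLE)):
        print(f"{src} -> {dst}: {secs:+.0f}s{'  <-- out of order' if suspicious else ''}")
```

A chain that passes this check is only internally consistent. Received lines added before the first server you control can be written by the sender, so compare the result against that server's own e-mail transmission logs.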
What is the solution?
• Create a partnership now with a vendor to assist with
handling of electronic evidence
• Involve the vendor prior to discovery to help
– Ask for the right data
– Ask for data in the right format
– Ask for the right amount of data
• Know when to use computer forensics
– Deleted data is often recoverable
• Allow adequate time for examination of data
Mistake 4: Incorrect Handling of Data
Why is this a problem?
• IT or Staff Lacking in Tools or Methodology
– Wrong methods to image a PC (Windows, Ghost, etc.)
– Not creating adequate chain of custody documents
– Not securing the equipment properly
• Example: A laptop had critical info on it. The IT staff
powered on the computer to copy all of the files to a USB
hard drive. They just ruined all of the “last accessed”
information on the files
• Possible Judicial Actions as a result of a Failure to Preserve
– Preservation Orders
– Forensic Investigation Costs
– Negative Inference Jury Instructions
– Default Judgment or Dismissal
– EDD Horror Stories usually include judicial sanctions
Failure to Preserve - Examples
– A jury awarded $800-million in punitive damages when Morgan
Stanley repeatedly failed to produce emails in a timely manner.
The judge stated that "efforts to hide its emails" were evidence of
"guilt." (Coleman Holdings v. Morgan Stanley)
– A jury awarded $29.2-million in the largest single sex
discrimination verdict in U.S. history after UBS Warburg could not
produce copies of relevant emails. The jury was instructed to
"infer that the [missing] evidence would have been unfavorable" to
the defendant. (Zubulake v. UBS Warburg)
– The SEC imposed a fine of $10-million on Banc of America
Securities, the brokerage arm of Bank of America, after they
"repeatedly failed promptly to furnish" email and gave
"misinformation".
Mistake 5: Not Asking for All Sources of Data
Where can ESI be found?
The Usual Suspects:
• Desktops
• Laptops
• Servers
• USB drives
• CD-ROMs
• DVDs
• Backup Tapes
The Vicinity Problem:
Data Moves To Places You Don’t Expect
Less Obvious Sources of Relevant Data
• Internet Service Provider Logs
• Cloud Service Provider Data and Logs
• E-mail Archives
• Instant Messaging
• Cell Phone Text Messages
• Smart Phones/Tablets
• Personal Home Computers
• Former Employees' Computers
• Personal E-mail accounts
• E-mail Recipients
• Copiers/Fax/Scanners
Keys to Avoid Mistakes
• Plan Ahead
– Get the proper tools
– Get the proper training
• Involve the right experts
– Electronic Evidence Collection
– Forensics
• Make a good plan and move quickly!
Contact Information
Ken Jones
Senior Technology Architect
Pileum Corporation
601-214-5788
Support: 601-863-0086