Archive for May, 2007

Effective Electronic Discovery: Who, What, Where, When

Sunday, May 27th, 2007

There are a number of reasons that electronic discovery continues to make news: attorneys and paralegals are demanding standards to govern electronic discovery, and courts around the country are considering (some are already implementing) local rules to change how attorneys manage the electronic portion of discovery in cases.

The ABA Task Force on Electronic Discovery, and the Discovery Subcommittee of the Advisory Committee on the Rules of Civil Procedure, are inviting public comment and considering options for best practices and possible rules changes. The news media continues to report blunders by companies who haven’t mastered appropriate electronic housekeeping.

All this adds up to the conclusion that attorneys and paralegals face a steep learning curve to understand electronic discovery, and then stay current with the continual developments in the area. No matter what your level of electronic discovery expertise, gathering the answers to four simple questions will position you to handle electronic discovery effectively in any case.


Whether crafting electronic discovery requests to be served on an opponent, or examining a document request aimed at your own client, the first step in electronic discovery is to answer three “who?” questions:

  1. Who are the document custodians of interest?
  2. Who are the holders of electronic evidence relevant to the issues at hand? and,
  3. Who is knowledgeable about how and where electronic documents are created and stored?

The answers to these questions will help formulate an overall electronic discovery strategy. In the same way key players and likely witnesses are identified early in traditional discovery, so must specific electronic document custodians or specific computer users be pinpointed in electronic discovery. Work closely with the client to prepare an outline, even a partial organizational chart, of all who may have created, received, or shared relevant information on their computers.


Knowing who likely created responsive and potentially relevant electronic data is a good start, and next you must think about what kinds of electronic documents were created by the key players in order to formulate either an electronic discovery request or response. Not all computer users create information in the same way.

Company executives and members of upper management primarily use standard office software, including e-mail and word processing applications, or presentation software such as Microsoft’s PowerPoint. People in finance and accounting departments tend to create large numbers of spreadsheets and other numbers-based data, and may use database systems. Engineers or computer programmers often use computer-aided drawing or other specialized technical software.

The best way to gather, process and review electronic data can depend greatly on the kind of data at issue.


Once key players and likely witnesses are identified, and an idea is formulated on the kinds of electronic documents they created, you need to think about where their electronic data “resides.” Where is backup data stored? Where are documents saved on the network? Where are e-mail messages kept? What are the options for local storage on hard drives and removable media? Gathering this information early is necessary to guide an effective discovery process.

The requesting party should schedule a Rule 30(b)(6) deposition of the person most knowledgeable about the opponent’s computer systems in order to determine all the likely locations of relevant electronic data.

Courts frown upon “any-and-all electronic data” requests. Answering the “where” questions early in the case will help formulate appropriately targeted electronic discovery document requests, and will position you for the most effective and efficient electronic discovery process possible.

As a responding party, the “where” questions must be answered as soon as litigation is pending or imminent. This information is needed to carry out document preservation obligations and to determine from what locations you will need to collect data in order to respond to forthcoming document requests.

Having this information in hand early in the case can save considerable expense and delay once discovery is underway. Addressing the “where” questions in an expedient manner will also serve to minimize business interruptions for your client.


The two “when” questions that must be answered are:

  1. When does the duty to preserve electronic data attach? And,
  2. When was the responsive data created?

As a responding party, one of the most important “when” questions centers on the desire to avoid claims of spoliation. In paper discovery, typically intentional acts prompt claims of improper document handling or allegations of spoliation. In electronic discovery, changes to data, even unintentional data destruction, can occur unless you take immediate precautions as soon as litigation is pending or imminent.

For example, backup tapes are typically rotated and recycled by companies on a predetermined schedule. If potentially relevant data is overwritten, even with the best of intentions and in the normal course of business, courts may find evidence of spoliation, which can result in monetary sanctions or even an adverse inference instruction. End users also delete and overwrite data on a daily basis. Without immediate answers to the first “when” question, your client will begin the electronic discovery process at a distinct disadvantage.

The second “when” question involves the time of creation of responsive data. As a requesting party, you should narrowly tailor your electronic document requests to a sensible time period. This is another area where courts routinely demonstrate reluctance to allow overly broad requests.

As a responding party, you will be able to begin data gathering and plan your electronic document review approach only after you know what time period is at issue. With this information in hand, you can provide guidance to your client to avoid accumulation of excess data and unnecessary costs.


Many paralegals and legal assistants will face their first real experience with electronic discovery in 2004. For some, this will mean assisting attorneys with proactive measures to streamline electronic discovery practices before a document request is pending. For others, the experience will feel like trial by fire, scrambling to gather, process, review and produce electronic documents in the heat of battle. From whatever position you begin, you must identify the who, what, where and when of electronic discovery early in the case.

Dan Goldwin is an attorney and Electronic Discovery Specialist in the Chicago office of LexisNexis Applied Discovery. Mr. Goldwin has worked with many legal professionals and their clients helping to educate them about the evolving law and practice of electronic discovery. Prior to joining Applied Discovery, he practiced in the intellectual property and litigation departments at the Chicago office of Sonnenschein Nath & Rosenthal LLP. He was graduated cum laude from the Northwestern University School of Law in 2000, where he was a member of the National Moot Court Team.

Mr. Goldwin is a frequent speaker on the topic of electronic discovery for law firms in Chicago, Cleveland, and Columbus, and at events such as LegalTech Chicago and the ABA Tech Show. His next speaking engagement will be an electronic discovery panel at the Corporate Legal Times Super Conference in June.



Dan Goldwin, Esq.



Electronic Discovery Best Practices

Saturday, May 26th, 2007


[1] The concept of electronic discovery is still somewhat intimidating to many attorneys, but those who have learned to implement electronic discovery best practices are enjoying the advantages it offers, which include greater control over document review and production processes as well as significant cost reductions. Whether you come to the discovery process as in-house or outside counsel, you can anticipate some of the issues involved in responding to electronic data requests. Pre-review cooperation among in-house counsel, their litigators, and Information Technology (IT) personnel is ideal for planning a successful electronic discovery response.

[2] The abundance of electronic information makes pre-litigation planning more important than ever before. Finding and producing information in response to electronic document requests can initially appear to be an enormous undertaking, and a disorganized or untimely response can have disastrous consequences. With preparation and the proper technology, however, the document review and production process can be easier and more efficient than procedures used in the “paper world.”

Counsel can streamline discovery response, minimize its impact upon ongoing business operations, reduce costs of review and production, and gain a strategic advantage in the process. Proper planning among corporate counsel, IT departments, and outside counsel integrates preparation for discovery with daily operations. Rather than experience a crisis when litigation arises, corporate management and its counsel are instead ready to respond, leveraging the advantages of electronic discovery.


[3] The basic legal framework for electronic discovery is the same as for paper documents. Federal Rule of Civil Procedure 34 authorizes requests for production of documents, including “electronic data compilations.” Courts now routinely require litigants to demonstrate good faith efforts to identify discoverable electronic data, and to inform opposing counsel when data is available for production in electronic form.

[4] The Federal Rules of Civil Procedure have not been changed to account for electronic data, but the Discovery Subcommittee of the Advisory Committee on the Rules of Civil Procedure undertook substantial work in 2003 to evaluate the need for such changes. Regardless of official rule changes, application of discovery rules to electronic documents raises issues unforeseen in the days of paper storage. Companies that can expect to receive electronic discovery requests must anticipate the need for ready access to responsive information, while guarding against creating an overwhelming volume of material to be


[5] At the commencement of litigation, and before receiving any formal discovery request, a party must disclose to opposing parties certain information, including a description by category and location of documents and data compilations. This requirement means that a party must search available electronic systems for relevant information. Multiple copies of responsive electronic information may be stored in hard drives, networks, backup tapes, laptops, floppy disks, employees’ home computers, and PDAs. How far does the duty to unearth information extend?

[6] GTFM, Inc. v. Wal-Mart Stores, Inc. examined the duty to investigate the existence of electronic information. The plaintiffs requested information about Wal-Mart’s local sales. In responding, Wal-Mart’s attorney relied on a senior executive, who indicated that local sales data was maintained for five weeks only and was no longer available. Wal-Mart claimed that providing the information would be unduly burdensome because it did not have the centralized computer capacity to track the information segregated as requested. One year later, the plaintiffs deposed a Wal-Mart MIS vice president, who testified that Wal-Mart’s computers could in fact track the requested information for up to one year. At the time of plaintiffs’ request, the local sales information was segregated and available, but because of the delay caused by counsel’s misrepresentation, it was no longer available. The court chastised counsel for failing to consult MIS personnel:

Whether or not defendant’s counsel intentionally misled plaintiffs, counsel’s inquiries about defendant’s computer capacity were certainly deficient . As a vice president in Wal-Mart’s MIS department, she was an obvious person with whom defendant’s counsel should have reviewed the computer capabilities.

An on-site inspection of defendant’s computer facilities at Wal-Mart’s expense was ordered. The court further imposed upon Wal-Mart all the plaintiff’s expenses and legal fees caused by the inaccurate disclosure, including the cost of the cumbersome process plaintiffs had to use to extract the information sought. This misstep ultimately cost Wal-Mart nearly $110,000.

[7] Client information systems yielded another unpleasant surprise in Linnen v. A.H. Robins Co. Plaintiff’s document request for certain emails specifically called for deleted emails available on backup tapes. Defendant Wyeth initially responded, and later confirmed, that it had no backup tapes for a particular time frame. Months later, Wyeth learned that its IT department had in fact preserved over one thousand backup tapes holding potentially responsive information, and that the estimated cost to restore the tapes would exceed $1 million. Though Wyeth’s policy was to recycle backup tapes after three months, these tapes had been set aside during unrelated litigation. As a sanction for its failure to disclose the existence of the tapes, “whether unintended or willful,” the court imposed upon Wyeth all costs and fees associated with email discovery.

[8] In addition to mandatory disclosures and responses to specific discovery requests, Rule 30(b)(6) provides for deposing a designated IT person in order to obtain discovery of an opponent’s computer systems.

Deposing a designated IT person may provide substantive information about systems and document management protocols that could shape further discovery.


[9] Rule 26(b)(2) provides protection from unduly burdensome or expensive discovery requests. A court may deny a discovery request or require a requesting party to pay expenses if the burden or expense of the proposed discovery outweighs any likely benefits. As courts become more experienced with electronic discovery, they will expect litigants to demonstrate a reasoned approach to electronic document requests.

Electronic discovery requests that are not sufficiently tailored to identify potentially relevant information will be denied.

[10] When a requesting party demonstrates a good faith effort to furnish reasonably tailored electronic discovery requests, courts will hold the responding party to a higher standard in providing a full response. A party unable to readily produce responsive data may open itself to intrusive measures; for example, the court may order that an opponent’s expert be given direct access to its computers. However, at least one court has interpreted Rule 34 to require some showing of non-compliance with discovery obligations before an opponent will be allowed direct access to a company’s computer databases.

[11] If a corporation’s own actions contribute to its discovery difficulties, it is especially unlikely that a court will be sympathetic to pleas for relief. In In re Brand Name Prescription Drugs Antitrust Litigation, the defendant acknowledged that part of its problem retrieving stored information was the limitations of the software it was using. The court reasoned that it would be unfair to impose upon plaintiffs the cost of defendant’s choice of an inferior electronic storage medium. As in matters involving paper discovery, courts are unimpressed with vague claims that a particular request is unduly burdensome.


[12] In the context of electronic discovery, questions of undue burden and expense typically arise when a request calls for data that is not readily retrievable. For example, data that has been “deleted” is not readily retrievable because it is stored only on backup tapes, on outdated systems, or is no longer available in electronic form. Production might require, for example, restoration of backup tapes or creation of programs to search for and retrieve responsive data. In such circumstances, producing parties frequently argue that costs of production should be shifted to requesting parties.

[13] Such efforts to shift costs have traditionally yielded mixed results. Some courts have ordered the requesting party to pay extraordinary costs of production. Others have required parties to restore responsive information at their own expense, denying claims that substantial costs involved were “undue.” In Linnen, defendant Wyeth estimated that restoring backup tapes containing potentially relevant information could cost over $1 million. The court deferred ruling on restoration of all the tapes, awaiting results of a sampling, but indicated that Wyeth would be required to bear the cost. The court reasoned that it would be unfair for a corporation to enjoy the benefits of technology and also to use it as a shield in litigation.

[14] More recently, case law on the subject of cost allocation demonstrates courts’ efforts to develop a methodical approach to electronic discovery disputes. The Zubulake decision instructs that the following three-step analysis is required in disputes involving the scope and cost of discovery of electronic data:

  1. The court must thoroughly understand the responding party’s computer system, both with respect to active and stored data. For data kept in an accessible format, the usual rules of discovery apply and the responding party will be required to pay for production. The court should consider shifting costs only when inaccessible data is at issue.
  2. Because the cost-shifting analysis is so fact-intensive, the court must determine what data may be found on the inaccessible media. A “sampling” approach is sensible in most cases.
  3. In conducting the cost-shifting analysis, a seven-factor test should be applied.

The new seven-factor test represents a modification of the widely followed cost-shifting analysis set forth in Rowe Entertainment, Inc. v. William Morris Agency, Inc. The seven-factor cost-shifting test follows the initial three-step analysis:

  1. The extent to which the request is specifically tailored to discover relevant information,
  2. The availability of such information from other sources,
  3. The total cost of production, compared to the amount in controversy,
  4. The total cost of production, compared to the resources available to each party,
  5. The relative ability of each party to control costs and its incentive to do so,
  6. The importance of the issues at stake in the litigation, and
  7. The relative benefits to the parties of obtaining the information.

The Zubulake court instructed that the seven factors should not be weighted equally. Instead, the central question must be whether the request imposes an undue burden or expense on the requesting party – or, stated differently, “[H]ow important is the sought-after evidence in comparison to the cost of production?”

[16] The court stated that the first two factors – comprising a “marginal utility” test – are the most important. The second part of the analysis should consider factors three, four, and five in making a determination of expense and relative ability to bear the burden of the expense. The court further stated that factor six, which considers the importance of the litigation itself, must stand on its own and has the potential to predominate over the other factors when it comes into play. Finally, factor seven was listed as the least important because of the general presumption that the response to a discovery request will generally [this is an important distinction] benefit the requesting party.


[17] A producing party should not expect to meet discovery obligations by providing hard copies of electronic data. Data is discoverable in computerized form even if the same information has already been produced on paper. While computer-based documents may be technically usable in printed form, they are unnecessarily cumbersome for a requesting party to review. When further analysis would entail substantial costs in re-inputting data, courts have ordered producing parties to provide materials in computer-readable form. Production in a form directly readable by the adverse party’s computers is decidedly the “preferred alternative.”

[18] In Bristol-Myers Squibb, plaintiffs and defendants initially entered an agreement regarding copying costs. The plaintiffs were to pay ten cents per page for documents defendants copied for production. After the defendants produced a significant quantity of paper and delivered the bill, plaintiffs disputed how much they actually owed. Defendants moved for an order seeking reimbursement in the amount of ten cents per page produced, as originally agreed upon by plaintiffs. The plaintiffs had some objections. Though Bristol-Myers Squibb was producing documents it had stored in both paper and electronic form, it produced all documents to the plaintiffs in paper form. Defendants scanned documents stored in paper form to create electronic images for their own review, while “blowing back” paper copies for production to the plaintiffs.

[19] With respect to the documents that were stored electronically, the plaintiffs argued that those documents stored in electronic form should have been produced in electronic form. The court noted that the plaintiffs specifically asked for paper, even after the court raised the issue of electronic information at a case management conference.

The plaintiffs “had every opportunity” to request electronic information, but they did so only after receiving the bill for paper production. Nevertheless, the court sided with the plaintiffs on this issue. The court found it “somewhat troublesome” that the defendants had responsive information in electronic form but produced it on paper. The court held that the defendants fell short of their Rule 26 disclosure obligations by not telling the plaintiffs that the information was available in electronic form. The plaintiffs were not required to pay the costs of copying paper because the defendants did not tell the plaintiffs that requested documents were available in electronic form.


[20] Besides anticipating the logistics of discovery response, a corporation must consider its legal duty to preserve evidence. The duty to preserve evidence applies to electronic evidence as well as to paper.

[21] Once litigation is pending or imminent, a party must take affirmative measures to preserve potential evidence that might otherwise be destroyed in the course of business. Usual procedures for data destruction or recycling may have to be suspended. In Procter & Gamble, for example, the company initially disclosed that emails of five key employees might be relevant. Then, however, it failed to preserve the emails. Though the court had not issued a specific preservation order, it imposed a $10,000 fine for this “sanctionable breach of P&G’s discovery duties.”

[22] In re Prudential Insurance Co. of America Sales Practice Litigation illustrates the duty to preserve electronic evidence. Prudential, alleged to have engaged in deceptive sales practices, was ordered to preserve all potentially relevant records. In spite of the order, its employees in at least four locations destroyed outdated sales materials. Further discovery revealed that Prudential had distributed document retention instructions to agents and employees via email; however, some employees lacked access to email and others routinely ignored it. Prudential also distributed a hard copy memorandum, but did not distribute it universally. Furthermore, senior executives never directed distribution of the court’s order to all employees.

[23] The court found Prudential’s efforts were inadequate, noting the lack of a “clear and unequivocal document preservation policy.” Though the court found no willful misconduct, it nevertheless inferred that the lost materials were relevant and would have reflected negatively on Prudential. Citing Prudential’s “gross negligence” and “haphazard and uncoordinated approach,” the court imposed a sanction of $1 million.

[24] More recently, the Zubulake court examined the standards for spoliation of information stored on backup tapes:

Must a corporation, upon recognizing the threat of litigation, preserve every shred of paper, every email or electronic document, and every backup tape? The answer is clearly, ‘no’. Such a rule would cripple large corporations, like UBS, that are almost always involved in litigation. As a general rule, then, a party need not preserve all backup tapes even when it reasonably anticipates litigation.

However, the court noted that anyone who is a party or anticipates being a party to a lawsuit “must not destroy unique, relevant evidence that might be useful to an adversary.” Noting that the duty to preserve extends to all employees likely to have relevant information, or the “key players” in the case, the court determined that all the individuals whose backup tapes were lost fell into this category in this case.

[25] In assessing the duty of a litigant to preserve evidence, the court noted that electronic data presents some unique issues:

A party or anticipated party must retain all relevant documents (but not multiple identical copies) in existence at the time the duty to preserve attaches, and any relevant documents created thereafter. In recognition of the fact that there are many ways to manage electronic data, litigants are free to choose how this task is accomplished.

[26] The court went on to summarize a party’s preservation obligations with regard to electronic data in general, and backup tapes in particular:

The scope of a party’s preservation obligation can be described as follows: Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents. As a general rule, that litigation hold does not apply to inaccessible backup tapes (e.g. those typically maintained solely for the purpose of disaster recovery), which may continue to be recycled on the schedule set forth in the company’s policy.

On the other hand, if backup tapes are accessible (i.e. actively used for information retrieval), then such tapes would likely be subject to the litigation hold. However, it does make sense to create one exception to this general rule. If a company can identify where particular employee documents are stored on backup tapes, then the tapes storing the documents of ‘key players’ to the existing or threatened litigation should be preserved if the information contained on those tapes is not otherwise available. This exception applies to all backup tapes.

Though they may harshly punish litigants for failure to preserve evidence, courts also recognize that certain documents are destroyed in the ordinary course of business. Not every missing document supports a finding of spoliation. No unfavorable inference can be drawn from destruction of documents when the circumstances properly account for it. A party may defeat a claim of spoliation by showing that evidence was destroyed pursuant to a valid and consistently enforced document management policy. The basic standard, set forth in Lewy v. Remington Arms Co., is whether a document retention policy is reasonable.

[27] In Lewy, the defendant firearms manufacturer had destroyed customer complaints and gun examination reports pursuant to its records retention policy. The court delineated factors that help determine whether destruction pursuant to such a policy justified a “negative inference instruction.” Specifically, the court remanded the case with instructions to consider:

  1. whether the policy was reasonable given the facts and circumstances of the relevant documents;
  2. whether lawsuits or complaints had been filed, and the frequency and magnitude of any such complaints; and
  3. whether the policy was instituted in bad faith, to limit evidence available to potential plaintiffs.

The court emphasized that whatever the dictates of a corporate policy, a corporation must preserve those documents that it knows or should know may become material in litigation. A company cannot shield itself with a policy of wholesale document destruction.


[28] Keeping up with the quickly changing law of electronic discovery is a good start, but knowing how to put these lessons to work in practice is the key to conducting electronic discovery successfully. Effective planning requires a new working relationship among internal and external legal and technical resources.

[29] A. Inside Counsel

  1. Consider implementing a formal document retention policy to formalize rules for saving and destroying electronic documents. Be sure that the policy includes electronic information, and that employees understand the purpose of the policy and the importance of compliance. If your company opts not to formalize such a protocol, be sure you have outlined the pros and cons of this decision for the management team.
  2. Focus on making litigation preparedness a part of employees’ daily work. Increase company-wide awareness of the types of information that must be disclosed in litigation. Educate all employees about the pitfalls of carelessly destroying or retaining information. Train employees to document and store their work in an organized (and ultimately defensible) fashion.
  3. Establish an ongoing working relationship between in-house legal and IT personnel. Provide guidance to IT personnel about document retention and destruction and enforcement of a formal document retention policy if one is in place. Make IT employees aware of the most common electronic data problems: retaining unnecessary information for too long, or failing to retain information that the company has an obligation to keep. Striking the right balance here is critical to avoiding problems in court.
  4. Organize data storage efforts and establish systems that simplify later identification, retrieval, and production of responsive information. Talk to IT personnel about the implications of choosing software and changing systems. Consider capabilities that may be relevant to a discovery response: How is data stored? In what format is it stored? Is it accessible or inaccessible? Do you want to have ready access to information from systems no longer in use?
  5. To preserve evidence when necessary, outline a specific plan for the suspension of usual document destruction and backup tape recycling protocols. Identify key employees from the legal and IT department to be involved as soon as litigation is pending or imminent. Determine how best to distribute evidence preservation instructions to all employees, and ensure that enforcement mechanisms are in place.
  6. Designate and train an IT representative to act as the company’s 30(b)(6) deposition witness when electronic data storage may be at issue. Advise key IT employees that clear communication with outside counsel will be necessary to properly respond to electronic document requests.

[30] B. Outside Counsel

  1. Expand working knowledge of client operations to include client information systems: What information is maintained? How is it stored? What will be the procedures for and costs of retrieval if an electronic discovery request is received? With a solid working knowledge of client systems, outside counsel will be equipped to establish discovery parameters with opposing counsel early in the case and challenge overbroad requests if necessary.
  2. Maintain a focus on minimizing disruption of client operations. Work with IT personnel and inside counsel to reduce the time individual employees must divert to examining their files for responsive information. Know how to use technology to protect employees’ time and produce timely, accurate responses. Prompt and complete discovery responses can prevent the imposition of intrusive measures, such as on-site inspections.
  3. Before and after a document request is received, adequately explain the scope of the obligation to preserve electronic data and the duty to search different systems and storage media. Do not expect a written document request to be self-explanatory. Be a partner in the data retrieval process, not just the vehicle for the message.
  4. Become acquainted with key IT personnel. Educate them about the types of documents most frequently requested in litigation as well as questions they can expect if deposed. Prepare with them to make a prompt and thorough inventory of stored information when litigation arises.


[31] While electronic discovery disasters such as crushing costs, harsh sanctions, and even default judgments can strike the unready, great benefits are available to those who prepare. In-house counsel, litigation attorneys, and IT personnel all have roles to play. Electronic discovery response planning is not just a matter of gathering responsive information, but of working in advance to control what information is created and how it is stored.

[32] Electronic discovery best practices begin with making data management a part of daily business operations. Attorneys cannot accomplish this objective without involving IT personnel, and IT personnel cannot properly maintain electronic data without guidance from counsel about what should be kept or destroyed. Outside counsel can help by providing ongoing advice about the law of electronic discovery and what to expect in the process.

[33] As a part of discovery planning, attorneys and IT personnel should also educate themselves about how available technology can streamline the discovery process. When litigation arises, they can take advantage of technology to gather and review information without substantially disrupting operations. Technology exists to provide lawyers with tools and resources to handle complex discovery in a speedy, cost-efficient manner without interrupting the workflow of familiar business and discovery practices. With the use of such tools, in-house lawyers can gain control over data retrieval and review processes, while outside counsel can enjoy a tremendous advantage in preparing client cases for the best resolution.

Virginia Llewellyn*
Cite as: Virginia Llewellyn, Electronic Discovery Best Practices,
10 RICH. J.L. & TECH. 51 (2004), at

Don’t let electronic evidence bury your firm

Friday, May 25th, 2007

By Sharon D. Nelson, Esq. and John W. Simek


Electronic Evidence

How vastly the world has changed in the past decade. Today, more than 90 percent of our documents are electronic and most never will be converted to paper. We send e-mails at a frenzied pace — North America alone transmits more than 4 trillion e-mails a day. The daily average of non-spam e-mails received by the average worker is 20 to 80. No longer does the word “documents” in discovery mean paper documents. The definition of document has been universally expanded to include electronic files.

With increasing frequency, the pivotal evidence in cases is electronic and can show up in two places you might not think of. The first is those e-mails we dash off with such abandon and so little thought. You should hit that “Send” button only if: 1) it’s OK to see your e-mail on the front page of The New York Times; 2) you don’t mind if your entire neighborhood sees it on a bulletin board on your nearest highway; 3) it would be perfectly agreeable for your mom to read it; and 4) you have considered whether the transmission of the message could ever come back and bite you in the tush in a courtroom.

Another source of pivotal evidence many lawyers and paralegals are blithely unaware of is metadata (hidden data showing things such as authors, dates of creation, modification and access, the last time the document was printed, tracked changes and more) that goes along with documents unbeknownst to senders. Metadata also is contained in the headers (message tracking information) that accompany an e-mail transmission. The headers might identify the sender’s Internet Protocol address and the mail client used. This is often the most compelling evidence of all, and it doesn’t show up in printed copies of documents or messages. You must obtain the evidence electronically, to the chagrin of those still happiest wading through boxes of documents.
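To make the point about e-mail headers concrete, here is an added example (not part of the original article) that pulls the relay path and mail client out of a message and compares that with what a printout shows. The message, host names, addresses and the "ExampleMail" client are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: documentation-range IPs, made-up hosts and client.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id abc123;
\tTue, 22 May 2007 14:03:11 -0400
Received: from [203.0.113.45] (helo=desktop-17)
\tby mx.example.net with ESMTP id xyz789;
\tTue, 22 May 2007 14:03:09 -0400
From: "J. Smith" <jsmith@example.net>
To: counsel@example.org
Subject: Q2 numbers
Date: Tue, 22 May 2007 14:03:05 -0400
Message-ID: <0001@example.net>
X-Mailer: ExampleMail 4.2

Please see attached.
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def header_metadata(raw):
    """Return the tracking information carried in the headers of one message."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so the last one is the earliest hop.
    for value in reversed(msg.get_all("Received", [])):
        route, _, stamp = value.rpartition(";")
        ips = BRACKETED_IPV4.findall(route)
        hops.append({
            "ip": ips[0] if ips else None,
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return {
        "mail_client": msg.get("X-Mailer") or msg.get("User-Agent"),
        "message_id": msg.get("Message-ID"),
        "origin_ip": hops[0]["ip"] if hops else None,
        "hops": hops,
    }


def printed_view(raw):
    """What a paper copy typically carries: four visible headers and the body."""
    msg = message_from_string(raw)
    lines = [f"{name}: {msg[name]}" for name in ("From", "To", "Subject", "Date")]
    return "\n".join(lines) + "\n\n" + msg.get_payload()


if __name__ == "__main__":
    meta = header_metadata(RAW_MESSAGE)
    print("client:", meta["mail_client"])
    for hop in meta["hops"]:
        print("hop:", hop["ip"], hop["time"].isoformat())
    print("origin IP present in printout:", meta["origin_ip"] in printed_view(RAW_MESSAGE))
```

Received lines written before the message reached a server you trust can be forged by the sender, so an examiner corroborates them against that server's own logs.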

Why should support staff care about electronic evidence and discovery? It’s often the paralegals and other members of the legal team who end up sifting through the evidence and doing much of the work in selecting an expert to help when it comes to e-discovery.

Computer Forensics and Electronic Evidence: The Dividing Lines

Understandably, many people are confused by the distinctions between electronic evidence and computer forensics, especially because the same companies often provide both services. Basically, a computer forensic technologist makes a bit-by-bit image of the hard drive or other media in issue and identifies the relevant evidence, generally using search terms or data parameters provided by the attorneys. The forensic technologist will analyze Internet activity, as well as application and e-mail use (including Web-based e-mail). Once the evidence is extracted and partially analyzed, the computer forensics portion is finished.

If the forensics company doesn’t also provide comprehensive evidence analysis, it will burn the electronic evidence onto CDs or DVDs, in a form readable to the attorney or to an electronic evidence company. The compilation can consist of Microsoft Word documents, PowerPoint presentations, Excel spreadsheets, Outlook e-mail, Intuit QuickBooks data, Web-based e-mail (such as Microsoft Hotmail) and so on. If the volume of evidence is small, it’s often sent directly to the attorney. If the volume is large, it’s usually sent to an electronic evidence company that then indexes, dedupes and sorts through the evidence, often importing it into software, such as Summation, to help manage the vast amount of information.

Why Hire a Forensic Technologist?

Speaking bluntly, amateurs step on themselves, and almost inevitably alter data and, in the worst cases, make it inadmissible in court. Even so, there are technologists and there are technologists. In this very new field of e-discovery, some folks simply hang out their shingle and pronounce themselves forensic technologists. A good technologist, as discussed later, has all kinds of certifications, a lot of technical experience, many instances of having qualified as a court expert, and possesses an extensive “toolkit” allowing maximum recovery and analysis of data, particularly deleted or obscure data.

Technologists know where to look for the information you need, and can help you tailor your discovery requests if you need to narrow discovery while procuring as much useful information as possible. A technologist is prepared with huge amounts of drive space and can recreate all sorts of native environments to analyze evidence. Having an expert helps preserve the chain of custody and prove authenticity of the evidence — an expert is far better qualified than an attorney or an Information Technology staff member to explain the technical side of computer forensics and defend against common charges that the evidence is unreliable or might have been tampered with.

Selecting a Computer Forensic/Electronic Evidence Company

Another reason for legal support staff to care about electronic evidence is they are frequently asked to locate appropriate forensic assistance. This can be a daunting task, and the right selection might depend on a number of factors including what is at issue in the case, the budget, the geographic location of the expert, and the credentials of the experts being considered.

Some of the largest players in the industry provide both computer forensics and electronic evidence services. Some of the biggest firms include:

  • Ernst & Young,
  • Deloitte Touche Tohmatsu,
  • Applied Discovery (owned by LexisNexis),
  • Kroll Ontrack,

There are a host of other well-known firms in this burgeoning industry (see “E-discovery Services” on Page 66). As a general rule, the larger the firm, the larger the bill. It’s not uncommon to pay as much as $500 per hour in the largest firms. In high-quality but smaller firms, $250 to $300 per hour might be a more common charge. If the firm you are looking at charges less than $250 per hour, you probably want to raise your eyebrows and seriously investigate the firm’s credentials, references, number of courts it’s qualified in, its standing in the industry and so forth.

Regardless of the size of the firm, here are some of the factors you should consider in selecting the specific forensic technologist for your case:

  1. Review their forensics certifications. Currently, the most prestigious certification available to private firms is the EnCE (EnCase Certified Examiner) issued by Guidance Software. More certifications are emerging and will gain credibility over time, but in the private sector, the EnCE is the certification to look for. A caveat: Many less-than-honest folks will claim certifications on their curriculum vitae when the truth is they took classes or had training courses — no real meaningful certification was granted, just a “certification of attendance.”
  2. Look for technical certifications. A good forensic technologist will have a lot of letters after his or her name, indicating a broad range of certifications with a number of different technologies. If you see no certifications, or a “base-level” certification (such as A+), you don’t have an individual with a wealth of experience. If the expert is a Certified Novell Engineer, Certified Cisco Network Administrator, Microsoft Certified Professional + Internet, Microsoft Certified Systems Engineer, NT Certified Independent Professional and a Certified Internetwork Professional, you have someone with an expansive technical background (just to name a few examples).
  3. Get the expert’s CV early on and study it. Ask questions. Does it show the expert has spoken at a lot of seminars or written a lot of articles? How many courts has the expert qualified in? What is the expert’s educational and professional background?
  4. Above all things, get several references and check them out. Did the expert do a thorough, professional job? Was the expert responsive when contacted? Was the work completed on time? Did the expert stay within budget (not always possible) or at least alert the client of additional costs before incurring them? Perhaps the number one complaint heard about experts involved in electronic evidence is costs spiraled out of control without notification to the law firm, resulting in a client highly perturbed with his or her law firm.

Now You Have an Electronic Evidence Case — What Is Next?

If the hard drive or other media is in your possession (or your client’s), do nothing. Don’t even power it up. Booting up a typical Windows operating system changes the dates and times on approximately 400 to 600 files. Never, ever let your IT folks or your client’s IT folks do their own investigation. They are not forensically trained and will unwittingly trample on the evidence, changing what could be critical dates, such as the date of last access, modification and so on. The trampled evidence might not be admitted in court at all, or it could be regarded as suspect because it was not acquired forensically.

If the evidence is in the other side’s hands, first, make sure you send a preservation of evidence letter. The other side will be hard pressed to argue innocence when confronted with spoliation of evidence charges if they have received a preservation of evidence letter. Be as specific as possible in the letter and not overly broad, so fair notice is given of the kind of evidence to be preserved. If you know or suspect where the information is located (on a particular machine, a specific media or in a particular file location), say so. The more specifics you can give, the less excuse there is for having evidence vanish or be tampered with.

Normally, you will be asking them to preserve: 1) e-mail (electronic versions), along with header information, archives and any logs of e-mail system usage; 2) data files created with word processing, spreadsheet, presentation or other software; 3) databases and all log files that might be required; 4) network logs and audit trails; and 5) electronic calendars, task lists, telephone logs and contact managers. In your letter, make sure to note these things might exist in active data storage, including servers, workstations and laptops, and in offline storage including backups, archives, floppy disks, ZIP disks, tapes, CD-ROM, DVDs, memory sticks and any other form of media. Caution that potentially discoverable data should not be deleted, moved or modified.

With respect to users who might have discoverable information on their computers, new files should not be saved to existing drives or media, no new software should be loaded, and no data compression, encryption, defragging or disk optimization procedures should be run until an image of the hard drive is acquired. Ask that the normal rotation and overwrite of backup media cease until copies are made. Also mention that no media storage devices containing potentially discoverable information should be disposed of due to upgrades, failure, donation or for any other reason.

If the case seems to require it, get a protective order. Mention specifics in the order as well, so there can be no misunderstandings. When do you need one? The Enron/Arthur Andersen debacle is a good example. It became known that shredding papers and wholesale electronic deletions were taking place. If you can present a judge with any sort of credible scenario suggesting spoliation might occur, you are very likely to be granted a protective order.

Onward to Discovery

When talking about electronic evidence, make your discovery illuminating and clear. Define everything at some length, encompassing all forms of media, all manner of things that could be considered responsive and all possible locations. Use interrogatories to get relevant information about the target computer network.

  • What kind of network are you dealing with?
  • How is the network configured?
  • What operating system is used?
  • What class of machines is used?
  • What applications, both off the shelf and custom, are used?
  • What sort of backup system is used?
  • When is backup media overwritten?
  • Who is the systems administrator?
  • Are home computers used for business?
  • Do they use laptops, Palm handhelds or other personal digital assistants?
  • Do they have a digital copier hooked up to their network?
  • Do they use cell phones or pagers?

It’s a common error to focus solely on the server and the workstations and to forget other data sources.

  • Is there remote access?
  • What sort of e-mail package do they use?
  • Is a firewall used?
  • Is there an e-mail server?
  • Who is the Internet network provider?
  • Where is e-mail stored for transmission, retrieval and archiving?

Depose the systems administrator and other parties in the IT department likely to have relevant information about the computer systems. Again, make sure you receive full information about the backup system (often a treasure trove) and all possible data locations. It’s common practice, though certainly not universal, to have monthly backup tapes (or other media) going back six months to several years. Make sure you have information about the hardware and software used to create the backups. Your forensic technologist might need to recreate the native environment to restore data from the backup media. Get a copy of the backup schedule for both incremental and full backups. How is the backup media rotated? Understand what logging is done on the network and what audit trails might exist.

Users themselves often are unaware of the extent to which their activities could be traced. Audit trails might tell you what ID accessed the system, when it was accessed, how long the individual was connected, what he or she did and more. These trails also could tell you which ID copied, printed, deleted or downloaded files and when it was done. Find out if the company uses monitoring software. If so, there might be a wealth of information indicating programs used, files accessed, e-mails sent or received by employees and records of the Internet sites visited. Find out how security access is structured, such as who has access to which files and programs, who has read-only access and who has write access. For relevant individuals, get user names, logons, passwords and e-mail addresses. Find out about any encryption programs used and request the encryption keys.

Ask every witness about his or her computing habits. Do they make individual backups of their systems? Do they use floppy disks, ZIP disks, CD-ROMs or thumb drives to copy some information from their system as a backup or for portability reasons? Do they use their home computer to check their business e-mail? Does the individual do business work on the home computer? Where do they store their documents? For instance, does an attorney save his or her work on a secretary’s workstation? Do they use a laptop, PDA, cell phone or pager?

Request to inspect and forensically acquire any relevant data. Note the words “forensically acquire.” This does not mean copying a drive and doesn’t mean “ghosting” a drive. The acquisition should be done by a trained forensic technologist using specialized equipment and software. If there is an objection because of the time element and disruption to business, your expert can help offer alternatives to minimize the disruption.

Keep in mind, “deleted” doesn’t really mean deleted. In computer terms, deleted means the space on the disk once occupied by a particular file now is available to be overwritten. The pointers to the deleted file are gone, but bits and pieces of the file, or the whole file, will remain until they are overwritten. Whatever remains of the file (called residual data) might be recovered from the area of the disk’s surface that isn’t allocated (this is known as unallocated space and it often contains valuable evidence if painstakingly searched). Again, residual data will not be captured in a file-by-file copy of a disk, but it’s captured by an imaged copy of the disk, which duplicates the hard disk’s surface sector by sector.
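The difference between a file-by-file copy and a sector-by-sector image can be shown on a toy disk. This is an added example, not part of the original article; the disk model, file names and memo text are constructed, and real file systems are far more involved.

```python
SECTOR = 64  # toy sector size in bytes (real disks use 512 or 4096)


class ToyDisk:
    """A constructed, minimal disk: raw sectors plus a directory of pointers."""

    def __init__(self, sectors):
        self.data = bytearray(SECTOR * sectors)
        self.directory = {}               # name -> (sector numbers, length)
        self.free = list(range(sectors))  # unallocated sectors, lowest first

    def write_file(self, name, content):
        needed = -(-len(content) // SECTOR)  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        sectors = [self.free.pop(0) for _ in range(needed)]
        for i, sector in enumerate(sectors):
            chunk = content[i * SECTOR:(i + 1) * SECTOR]
            start = sector * SECTOR
            self.data[start:start + len(chunk)] = chunk
        self.directory[name] = (sectors, len(content))

    def read_file(self, name):
        sectors, length = self.directory[name]
        raw = b"".join(bytes(self.data[s * SECTOR:(s + 1) * SECTOR]) for s in sectors)
        return raw[:length]

    def delete_file(self, name):
        # Deletion drops the pointer and frees the sectors; the bytes stay put.
        sectors, _ = self.directory.pop(name)
        self.free = sorted(self.free + sectors)

    def file_by_file_copy(self):
        """Copies only what the directory still points to."""
        return {name: self.read_file(name) for name in self.directory}

    def sector_image(self):
        """Copies every sector, allocated or not."""
        return bytes(self.data)


def find_in_unallocated(image, free_sectors, needle):
    """Byte offsets of needle inside runs of contiguous unallocated sectors."""
    hits, run = [], []
    for sector in sorted(free_sectors) + [None]:
        if run and (sector is None or sector != run[-1] + 1):
            start = run[0] * SECTOR
            blob = image[start:(run[-1] + 1) * SECTOR]
            pos = blob.find(needle)
            while pos != -1:
                hits.append(start + pos)
                pos = blob.find(needle, pos + 1)
            run = []
        if sector is not None:
            run.append(sector)
    return hits


# Constructed sample content.
MEMO = (b"MEMO: move the shortfall to the offshore account before the audit. "
        b"Do not put this in writing elsewhere.")


def build_constructed_disk():
    disk = ToyDisk(sectors=8)
    disk.write_file("budget.txt", b"Q2 budget draft: nothing unusual here.")
    disk.write_file("memo.txt", MEMO)
    disk.delete_file("memo.txt")
    return disk


if __name__ == "__main__":
    disk = build_constructed_disk()
    print("file-by-file copy sees:", sorted(disk.file_by_file_copy()))
    print("image hits for b'offshore':",
          find_in_unallocated(disk.sector_image(), disk.free, b"offshore"))
```

Writing one new 64-byte file after the deletion reuses the first freed sector, after which only the tail of the memo is still recoverable. That is why the article's instruction not to save new files to the drive before imaging matters.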

During this process, you must maintain data integrity. Make sure you write-protect all media. A good forensic technologist will do the same thing as part of the acquisition, making sure nothing can be added, erased or altered on the original. For the same reasons, your forensic technologist will virus-check all media. If a virus is found, the appropriate response is to record all relevant information and then notify the producing party of the virus’ existence. The technologist will never clean the virus from the original media, but will do so from the acquired evidence if the virus impacts the data to be produced.

Establish and maintain a chain of custody. Make sure you can track the evidence from its original source to its introduction in court. This means being able to prove no information was added, deleted or altered; the forensic copy of the evidence is complete; the process used to copy the evidence was dependable and repeatable; and all media was secured. This harks back to preceding points. Write-protecting and virus-checking will help establish nothing was added, deleted or altered. Making a pure forensic copy of the evidence, with matching “hash” values between the original and image copy, will help prove the acquisition was complete. The hash is a form of digital fingerprint.

Both the hardware and software used must meet industry standards of quality and reliability. Good examples are EnCase, FastBloc, SafeBack and the dd function of Linux, all of which law enforcement authorities use frequently. The image is then analyzed in a read-only mode to prevent spoliation. The copying process must be repeatable as a means of independent verification. As always, evidence in the case should be kept secure, with very restricted access.
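The matching-hash check and the repeatable copy described above look like this in practice. This is an added sketch, not code from the article or from any of the tools it names; SHA-256, the file names, the record fields and the examiner name are assumptions, and the "drive" is a constructed temporary file.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read in 1 MiB blocks so large media never has to fit in memory


def hash_file(path):
    """SHA-256 of a file or device node, read in blocks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image, examiner):
    """Copy source to image block by block and return an acquisition record."""
    source_digest = hashlib.sha256()
    # "rb": the source is only ever read. "xb": refuse to overwrite an existing image.
    with open(source, "rb") as src, open(image, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            source_digest.update(block)
            dst.write(block)
    os.chmod(image, 0o444)  # the image is read-only from here on
    record = {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": os.path.getsize(image),
        "source_sha256": source_digest.hexdigest(),
        "image_sha256": hash_file(image),  # independent second pass over the copy
    }
    record["match"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify(image, record):
    """Re-hash an image later, or on another machine, against the record."""
    return hash_file(image) == record["source_sha256"]


def demo():
    """Acquire a constructed stand-in drive, then test an intact and an altered copy."""
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "source.bin")
        image = os.path.join(workdir, "image.dd")
        altered = os.path.join(workdir, "altered.dd")
        with open(source, "wb") as handle:   # 3 MiB + 1 byte of constructed data
            handle.write(bytes(range(256)) * 12288 + b"\x00")
        record = acquire(source, image, examiner="A. Examiner (placeholder)")
        with open(image, "rb") as handle:
            data = bytearray(handle.read())
        data[len(data) // 2] ^= 0x01         # flip a single bit in a working copy
        with open(altered, "wb") as handle:
            handle.write(data)
        return record, verify(image, record), verify(altered, record)


if __name__ == "__main__":
    record, intact_ok, altered_ok = demo()
    print(record)
    print("intact image verifies:", intact_ok, "| altered copy verifies:", altered_ok)
```

On real media the source would be the device behind a hardware write blocker, and the record would be kept with the chain of custody form.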

Common Mistakes in Using Electronic Evidence

As most paralegals know, attorneys don’t get it right unless you ride shotgun for them. So here are ways to keep your attorneys from sinking in courtroom quicksand.

Believe it or not, the most common mistake is failing to designate the expert. The number of times this happens is truly amazing. Occasionally, you will find a judge so eager to hear the expert, he or she will do an end run around procedure and let the expert testify as a fact witness, but that is far and away the exception.

Another astonishing mistake is the failure to prepare the expert. Regardless of the expert’s skill, the absence of preparation time with the attorney can be catastrophic. For some reason, this task almost always is left until the bitter end, and often is given short shrift, if it’s done at all. Likewise, if electronic evidence is at issue, why would an attorney fail to prepare for cross-examination of the opposing expert without consultation with his or her expert?

As silly as it sounds, the failure to maintain a proper chain of custody frequently comes into play. The smartest move, once you know electronic evidence is involved, is to get it into the hands of your expert, sign a chain of custody form, have the evidence forensically imaged, and then return the original evidence, again with the chain of custody form. Once the expert has imaged the original evidence, it doesn’t matter what happens to the returned original. The expert will carefully keep the imaged evidence under lock and key. Returning the original also helps defuse the business impact argument.

Another problem with electronic evidence is it’s just plain difficult to explain in lay language. It’s important to get your expert, who undoubtedly speaks “geekspeak” very well, to speak the English language in simple declarative sentences when testifying in court. Even more helpful is coming up with images and analogies easily comprehended by both judges and juries. Judges are frequently as confused as juries by electronic evidence and often pepper the expert with questions in an attempt to make sure they understand the true nature of the testimony.

Keep the expert’s testimony as short as possible. Dragging out technical testimony will make the listeners’ eyes glaze over. Your expert isn’t there as a soporific, but one would hope to provide illumination.

If you have a great expert, the other side will quickly stipulate to qualification as an expert. Don’t let that deter you from deftly sliding in your expert’s qualifications wherever possible, particularly in a jury trial. Hearing your expert has written and spoken on particularly relevant topics or holds certifications directly pertinent to the case will make a jury find your expert more credible. Finally, attorneys and support staff should remember how much they don’t know. An electronic evidence expert should be questioned from a script and not on the fly. Heaven help attorneys who start thinking they know more than they actually do and decide to ad lib a question to which they don’t know the answer.

In one case, we watched in horror as an attorney did a marvelous job establishing the prosecution’s expert had totally failed in his official report to validate the date and time of the computer that was the source of his evidence. It was a good place to quit, but, sensing advantage, the attorney could not let it go. He asked how the jury was supposed to consider the dates and times relevant at all given the report’s complete failure to validate them. The witness was then able to point out to great effect that, notwithstanding the expert’s omission, three different server logs all corroborated the dates and times. Oops.

The world of electronic evidence and e-discovery is filled with pitfalls that can potentially bury even the best of law firms and corporations. However, attorneys, paralegals and support staff can survive the encounter if they proceed slowly, carefully and thoughtfully with a plan. It’s those who thrash and flail in a panic who often end up digging their own grave.

Sharon D. Nelson, Esq. and John W. Simek are the President and Vice President of Sensei Enterprises, Inc., a computer forensics and legal technology firm based in Fairfax, Ca. (703) 359-0700 (phone); (703) 357-8434 (fax).

Doing E-Discovery Is Best Left to Outside Experts

Thursday, May 24th, 2007

Hunton & Williams has 17 offices for its Richmond, Va.-based firm, with one central litigation support center for helping its lawyers with their caseloads. That center is a 10,000-square-foot facility with between 35 and 40 staffers who handle complicated tasks, and that increasingly has meant collecting, sorting and analyzing electronic evidence.

Hunton is rare in that it does electronic discovery in-house. However, even this firm does not handle all of its own workload for e-discovery issues. For really big or complicated cases, the firm will turn over evidence to e-discovery consultants.

In the paper world, discovery was something law firms did themselves. When it comes to electronic discovery, however, firms need to have a certain amount of in-house expertise, but most will probably find e-discovery is best left to outsiders.

“We make arrangements with outside vendors whenever we need to,” says Sherry Harris, senior case management specialist with Hunton.

How to Avoid Common Pitfalls

Wednesday, May 23rd, 2007

Over the past few years, many multinational companies, and the law firms that service them, have made a concentrated effort to control the management of data created, stored, or sent overseas. It is no easy task. An estimated 99 percent of new information is stored electronically, mostly on computer hard disk. This is a tremendous amount of data considering that a company’s primary day-to-day contact with its own foreign executives may be conducted through e-mails, instant messaging, online video conferencing, or other forms of electronic communications.

In the United States, a burgeoning body of case law has brought e-discovery out of the hands of a few tech savvy lawyers and introduced an entirely new element to civil discovery to a growing number of practitioners. Counsel that ignores the pronouncements of Zubulake v. UBS Warburg may be dealt a heavy blow at trial and on appeal. In addition, the Federal Rules of Civil Procedure incorporate several amendments dealing specifically with e-discovery.