Archive for October, 2007

Are You Ready for E-Discovery?

Saturday, October 13th, 2007

If you’re like most of us in IT, you probably have a relatively small number of individuals in your firm that you’re used to working with fairly closely.

For example, if you’re a development manager, you probably work closely on a daily basis with the business folks to understand their requirements for the systems you develop. If you’re a network architect, you might work closely with software architects in order to optimize the network to support the applications that people use daily.

However, no matter where you are in IT and no matter what firm you work for, chances are that one area of the firm you don’t work closely with is inside counsel — in other words, legal.

Now, that’s not to say that there’s never any interaction between these two areas. For example, in the case of human resource investigations or employee terminations, both areas might be brought in to perform a certain role.

However, if you’re an IT person and you have a speed dial, chances are that nobody from the legal team is on it. Get ready, though, because new rules for data discovery could be about to change all that.

What Is E-Discovery?

E-discovery is, simply, discovery of digital evidence. As electronic artifacts — documents, e-mail , instant messages and others — make up the vast majority of correspondence and record-keeping in most firms, it would make sense that they would be relevant to many legal proceedings.These artifacts are transitory — that is, they can be deleted, archived or moved without manual intervention as part of the everyday process of doing business — and it makes sense that specific attention be paid to making sure that evidence is available should the need arise.

Given these factors, the Federal Rules of Civil Procedure (FRCP), or the corpus of court procedures governing how civil trials are conducted in the United States, have been amended to specifically address digital evidence.

There had been practical examples of discovery in a digital context prior to this (e.g., Zubulake vs. UBS Warburg), but the changes to the federal rules formalize the approach.

These amendments went into effect Dec. 1, 2006, and spell out what is required in case digital evidence is required during a legal proceeding.

So What’s Different?

The changes to the federal rules that specifically relate to discovery are rules 26 and 34. Without going into the specifics, they basically spell out that all nonprivileged electronic documents be searched, that all electronic documents be disclosed (without the requirement to await a specific request) and that all relevant documents be identified for use during the pretrial phase of the court proceeding.

From an IT perspective, this is a tall order. These requirements imply that we know where all of the digital archives, records and e-mails in the firm are located, how we can go about getting access to them, and the timetable associated with which e-mail, instant messages and documents might be routinely deleted in the course of doing business.

In most firms, the support of multiple e-mail servers, the use of off-site backups, and lack of a standardized policy for e-mail deletion and retention complicates satisfying these requirements.

Furthermore, different technologies might have different administrators that oversee their operation; for example, e-mail might have a different administrative team than messaging or mobile devices.

Minimizing the Burden

In sizable organizations, finding the right person to talk to about retention of these artifacts can be a lengthy exercise. Couple this with the fact that there’s a fairly tight timetable spelled out in the FRCP, and you have a recipe for trouble.

Of course, the rules are intentionally burdensome but they specifically indicate that requests for discovery should be balanced with an organization’s need to continue to do business; in other words, the goal is not to make it impossible for a company to survive while records are being produced.

However, it is important to recognize that some level of burden is inherent in doing anything outside the norm, and strategic, advance planning can reduce that level of burden quite significantly.

How to Prepare

I’m not a lawyer, and this is not legal advice. However, from a planning perspective, there are a few steps that IT can take that can spell difference between efficiently responding to requests from the legal team and being bogged down by “whose job is it to find this stuff anyway” concerns.

One of the main issues from an IT perspective is the tight time frame associated with discovery requirements.

If IT is not brought into the process early, individuals responsible for tracking down records, requesting backup tapes, ferreting out historical data and searching the archives can find themselves behind the eight ball when it comes to responding in a timely manner.

IT professionals can save themselves a great deal of hassle down the road by working with counsel to standardize a communication methodology that addresses potential discovery-related activity.

Define a Communication Channel

A useful preparation strategy would define a communication channel with counsel whereby IT personnel can be brought in to the discovery process as early as possible. This would allow IT to start tracking down where this information is and determining how to obtain it.

Additionally, it is useful to reassess overall record retention policies within the firm (in tandem with counsel) with an eye to efficiently responding to discovery. Specifically, the FRCP recognize that some firms delete data after a period of time as a normal course of business.

In these cases, companies that have a defined policy for the destruction of records are not obligated to produce records that are outside the window of when data is retained.

It is imperative that counsel oversee the development of these policies, as time frames should be short enough to minimize the burden associated with searching for artifacts, but long enough to be “reasonable” (i.e. not created specifically to destroy evidence).

By :

Ed Moyle is currently a manager with CTG’s information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit, and secure solutions development.

Original Source :

Reduce E-Discovery Costs: Organize Data Before Litigation Starts

Saturday, October 13th, 2007

Annually, the lack of policies and procedures assuring easy discovery of all pertinent electronic records is costing companies tens of thousands of dollars in this litigious society. In today’s world, the details of business transactions and negotiations are recorded electronically through e-mails and text messages. Companies of old had clerical staff and warehouses dedicated to document storage and cross indexing. Today, individual hard drives and network servers perform the function of storage, but lack the ability to properly cross index correspondence.

Companies should consider encouraging, or even requiring, employees to organize their e-mails and other electronic data in folders corresponding with the transactions in which they relate. Organizing e-mails and other data can make it much easier for counsel to retrieve, filter and evaluate data related to transactions at issue reducing costs.

To understand how this works in practice, consider the following scenario: Company A has five employees involved in a transaction that becomes litigious. None of the employees organize their e-mails or electronic data in a way that makes it easy to separate out the data related to the transaction at issue. The lawyers for Company A thus have to pull all of the data off hard and shared drives, and then apply search terms to find the data in question. It would not be unusual for this data to be in the range of 5-10 gigabytes of information. Law firms typically hire a vendor to filter the data and eliminate duplicates at a rate of $1,000 per gigabyte. Thus, the company could easily pay $5,000 to $10,000 prior to data review.

By contrast, suppose Company B (another defendant in the same case) also has five employees involved in the transaction. Company B’s employees, however, have saved the relevant e-mails and electronic data into identifiable folders on their hard drives and on a shared drive. The lawyers for Company B only retrieve those folders related to the transaction at issue, which amount to less than 1 gigabyte of data. The lawyers for Company B still conduct de-duplication at $1,000 per gigabyte, but because the data set is much smaller, the process costs less than $1,000. In addition, the company saves attorney time, as the attorneys do not have to review “false hits,” and instead review only the relevant data pulled from the appropriate folders.

In summary, if companies encourage their employees to organize their data before litigation starts, they can substantially reduce litigation costs later.


Jill Griset, Helms Mulliss & Wicker PLLC. E-Discovery Lead Counsel

Original Story :


eDiscovery, IT and What to Do About It

Friday, October 12th, 2007

The new Federal Rules of Electronic Discovery will be a burden to IT but you can mitigate the fallout, writes CIO Update guest columnist Michael Sears of Mathon Systems.Have you heard the new Lawyer joke: What do you call a lawyer who likes the new federal rules of eDiscovery? Plaintiff’s counsel. Okay, not very funny. But it makes a point.

The new federal rules are changes only lawyers who sue companies tend to like. Other lawyers, like the ones who work in your General Counsel’s office are not that happy about them. And maybe those who work in the CIO’s shop feel the same way.

On December 1, 2006, after several years of review by the legal industry, and agreement with the U.S. Supreme Court and the U.S. Congress, new Rules of Electronic Discovery became the model rules that federal courts follow. If history is any guide, state courts will also soon adopt most, if not all, of these provisions.

These rules take into consideration the major technical innovations effecting digital files and documents over the past few years. They change the game for storage and records retention, as well ongoing litigation support within your company. It’s critical that you are aware of the impact of these new rules, and understand both the positive and negative consequences of them.

Most major corporations today hold more than 3TBs of user data and messages. Trends also indicate this mass of data will grow by double digits year upon year. As that happens, the likelihood is great your company might maintain a document your records retention policy said should have been destroyed. As well, the likelihood is great your company might misplace a document within the network that some regulatory body requires you to keep.

From an eDiscovery standpoint, the critical idea is during a lawsuit, a court will have little patience if a corporation can’t find records it should or must have. If you can’t find those documents, you may well break trust with the court. Or worse, your company could be liable for money penalties, or sanctions, by the court.

In the last few years, several financial services companies have actually been cited for discovery failures and courts have imposed multi-million dollar penalties. Then, of course, there’s the underlying lawsuit that may be lost, and from that, more liability.

Rule 26 & 26(b)2

There are two key elements that will directly affect all companies. The first of these is captured in Rule 26 and its sub-chapter, 26(b)2. Rule 26 describes what is discoverable. For the purposes of this article, let’s assume everything in your corporate files that is the subject of a lawsuit, and not privileged communication, is discoverable.

This is, of course, a very broad provision, and it subjects companies to potential liability, in the first part, by what a document might contain (a “smoking gun,” for instance). And the second part is just as damaging. Since companies must turn over all relevant files, if you miss an important one, by oversight or by the difficulty of retrieving it, your company might have a problem.

Rule 26(b)2 comes to the rescue, at least for now. It deals with how hard you need to look for files. You do not need to produce electronically stored information that can be identified as too hard to access.

This “reasonably accessible” test suggests that you have to search your files in earnest, but you don�t have to “jump through hoops” to find data that’s just too hard to get to. On motion, you must show the information is not reasonably accessible, even though you tried to retrieve it.

But stay tuned here, many practitioners believe there will be significant ongoing litigation surrounding rule 26(b)2, as companies wrestle with the cost and expense of eDiscovery.

Rule 37(f)

The second key provision that will affect us is Rule 37(f). This is the “safe harbor” provision of the rules that states if you make a good faith effort to maintain your data in an active records retention policy, you will not be liable to produce the record if it’s been deleted in the normal course of business.

This, of course, is a good thing for most companies. However, it does require you to be active in enforcing your policies. If you delete records consistently, programmatically, and you can demonstrate your program, you have the power to control the depth of an eDiscovery search � according to where you think Rule 37 will end up.

If you don’t actively implement your own programs, and in so doing, you aren’t consistent, then courts will give your company limited access to this safe harbor.

So with the new rules comes a call to action. IT is the critical element within a mix of departments of any organization. There are several steps that should be taken, including:

  • Identify an eDiscovery Tsar within the organization whose role it is to fully understand how these legal imperatives effect ongoing records retention policies and storage initiatives within the organization;
  • Create and publish a records retention policy;
  • Enforce that policy;
  • Form a standing committee made up of IT, Legal, Finance and Human Resources (these last two are where most of the potentially explosive documents are created), whose job it is to audit the holding and elimination of data. This group is separate from the group (usually IT) that is tasked with enforcing the policy;
  • Identify the new platforms that are coming on-line that extend the existing document management, records retention and messaging applications. As well, investigate some of the new technologies that are laser-focused on content management, tagging, search, production and storage of documents within organizations.

In conclusion, 2007 will see significant activity in the courts, as these new rules play their part in discoveries and law suits. You need to get ready for the fallout. There are real sanctions in these rules, and as a result, the way data is created, managed, stored and searched will all be affected in the coming year and beyond.

By Michael Sears ,

Original Story :

importance of E-Discovery

Thursday, October 11th, 2007

An interesting story this morning on a importance of E-Discovery by clearwellsystems, Here is the blurb:

In my experience, e-discovery does not make the radar screen of most corporate General Counsels (GCs). Typically, it is one many issues left to others (e.g., Chief of Litigation, Director of Litigation Support) within the GC’s group. That may change after the recent verdict in the case of Broadcom vs. Qualcomm.

See below for the story, as told by Corporate Counsel in their October issue, with additional commentary from me [added in brackets]:

Collateral Damage

After a string of punishing legal defeats, Qualcomm Incorporated has switched general counsel. On August 13 the company announced that Carol Lam would replace Louis Lupin as its legal chief [Sounds like he got fired]. The move came a week after a federal judge issued a scorching order accusing Qualcomm and its outside lawyers of “gross litigation misconduct.” [Sounds like a pretty good reason why he got fired]

Emily Kilpatrick, Qualcomm’s director of corporate communications, says Lupin is leaving for personal reasons [Isn’t that what they always say?]. “He has been an outstanding leader and contributor to Qualcomm’s success over the past 12 years,” according to Kilpatrick. “However, he has decided to step down as general counsel and take a personal leave.” [a decision most likely made at the request of his boss]

Lam, who was hired in February to supervise Qualcomm’s worldwide litigation, will take over as interim GC, according to a company statement. Lam is one of the U.S. Attorneys fired by the U.S. Department of Justice this past winter. [oh, the irony…]

Based in San Diego, Qualcomm licenses semiconductor technology and system software to cell phone makers. For several years it’s been engaged in a pitched battle with rival Broadcom Corporation over who has infringed whose patents.

Qualcomm’s biggest problems have come in a case in San Diego federal district court. In January a jury ruled that the company had violated Broadcom’s patents. But even before the verdict, Qualcomm suffered a major setback as the trial drew to a close. One of the company’s witnesses revealed the existence of email that Broadcom said should have been produced during discovery. [Yet again, email is the smoking gun]

In April general counsel Lupin and one of Qualcomm’s outside attorneys sent letters of apology to the court, saying they failed to do a detailed enough keyword search of the company’s email. [No big deal, right? After all, we are saying sorry]

But that wasn’t enough for Judge Rudi Brewster, who has been hearing the San Diego case. On August 6 he issued a blistering 54-page ruling. He accused Qualcomm not only of failing to turn over more than 200,000 pages of relevant email and electronic documents during discovery, [i.e., this is a case of a deeply flawed e-discovery process, not of a simple missing email] but of engaging in a years-long campaign to deliberately mislead a technological standards body. Brewster ordered Qualcomm to pay Broadcomm’s litigation costs, and voided two of its patents. (David Rosmann, vice president of intellectual property litigation at Broadcom, estimates that its fees could be around $10 million). [The legal costs alone are several times what it would have cost Qualcomm to purchase an e-discovery solution and avoid this whole situation in the first place]

In a statement, Qualcomm said it “respectfully disagrees” with Brewster’s ruling and intends to appeal. “Qualcomm acknowledges the seriousness of the court’s findings and reiterates its previous apology to the court for the errors made during discovery and for the inaccurate testimony of certain of its witnesses,” the statement read. [We said sorry, isn’t that enough for you guys?]

The company’s problems aren’t over, however. Federal magistrate judge Barbara Major is now considering whether to levy sanctions against Qualcomm’s attorneys. [Don’t think you can hide behind your deep-pocketed employer. If you screw up e-discovery, it will be your neck on the line] Major has given “any and all…attorneys who signed discovery responses, signed pleadings and pretrial motions, and/or appeared at trial on behalf of Qualcomm” until September 21 to file a statement explaining why they shouldn’t be penalized. [For the lawyers in question, it’s guilty unless their arguments convince the judge they are innocent]

Original story:

The ethics of computer-based electronic evidence recovery

Monday, October 8th, 2007

Technology is present in every aspect of modern life. Information Technology is constantly growing & every new development gets a larger role in our lives. Criminals are exploiting the same technological advances which are driving forward the evolution of society.

Computers can be used in the commission of crime, they can contain evidence of crime and can even be targets of crime. Understanding the role and nature of electronic evidence that might be found, how to process a crime scene containing potential electronic evidence and how an agency might respond to such situations is crucial. It cannot be over emphasized that the rules of evidence apply equally to computer-based electronic evidence as much as they do to material obtained from other sources. It is always the responsibility of the case officer to ensure compliance with legislation and, in particular, to be sure that the procedures adopted in the seizure of any property are performed in accordance with statute and current case law.

Electronic evidence is valuable evidence and it should be treated in the same manner as traditional forensic evidence with respect and care. The recovery of evidence from electronic devices like computers, tapes, CD/DVD, flash drives, is now firmly part of investigative activity in both public and private sector domains. The methods of recovering electronic evidence, whilst maintaining evidential continuity and integrity may seem complex and costly, but experience has shown that, if dealt with correctly, it will produce evidence that is both compelling and cost effective.

Computer-based electronic evidence is information and data of investigative value that is stored on or transmitted by a computer. As such, this evidence is latent evidence in the same sense that fingerprints or DNA(deoxyribonucleic acid) evidence is latent. Computer-based electronic evidence is very delicate. It can be easily altered, damaged, or destroyed if not handled properly or by improper examination, For this reason special precautions are taken to document, collect, preserve and examine this type of evidence. Failure to do so may make it unusable or lead to an inaccurate conclusion.

In its natural state, we cannot see what is contained in the physical object that holds our evidence. Equipment and software are required to make the evidence available. Testimony may be required to explain the examination and any process limitations.

Four principles are involved:

Principle 1:

No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2:

In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3:

An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4:

The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

Explanation of the principles

Computer-based electronic evidence is subject to the same rules and laws that apply to documentary evidence. The principle of documentary evidence may be explained thus: the responsibility is on the prosecution to show to the court that the evidence produced is as it is since the first possession of police.

Sometimes Operating systems and other programs alter and add to the contents of electronic storage automatically even user may not aware of changes being made by such programs. Wherever practicable, an image should be made of the entire target device. If creating image of  incomplete or selective file which is considered as an alternative in certain circumstances, investigators should be careful to ensure that all relevant evidence is captured.

In a some cases, it may not be possible to get an image using a recognized imaging device. In these conditions, its necessary o access original machine to recover the evidence. While doing this it is important that a witness, who is able to give evidence to a court of law makes any such access.

It is essential to display objectivity in a court, as well as the continuity and integrity of evidence. It is also necessary to demonstrate how evidence has been recovered, showing each process through which the evidence was obtained. Evidence should be preserved to such an extent that a third party is able to repeat the same process and arrive at the same result as that presented to a court.