Since the Federal Rules of Civil Procedure have recently put more emphasis on producing electronically stored information, the e-discovery team needs to understand the choices that need to be made about how to collect and process the information, as well as what those choices mean.
The Information Management Journal, September and October 2007 - With the rise of electronic data and changes to the Federal Rules of Civil Procedure (FRCP) in December 2006 about electronically stored information (ESI), information and legal professionals need to learn more about how to handle electronic discovery. These are some of the recent changes to the FRCP:
- Definitions and safe harbors for the routine changes made to electronic files during routine tasks like backups [Amended Rule 37(f)]
- Information on what to do with data that is hard to get to [Amended Rule 26(b)(2)(B)]
- Responsibilities for keeping ESI safe and the pre-trial conference.
- How to handle privileged material that was produced by mistake [Amended Rule 26(b)(5)]
- Electronic file production requests [Amended Rules 33(d), 34, 26(f)(3), 34(b)(iii)]
There are many different ideas about how to plan for, manage, organize, store, and retrieve ESI. Some of the options are very expensive, both in terms of money and time. Even more confusing is the fact that technology is always changing. Computer forensics and electronic discovery are often confused with each other, but there is a big difference between the two. The sidebar "Computer Forensics vs. Electronic Discovery" explains the difference.
How to Make the Right Decisions
To respond to e-discovery within the limits of the new FRCP, organizations need to make a lot of important decisions that will affect how ESI is collected and processed.
Choices About Collecting
These questions need answers right away:
1. Does this project include e-mail files? If so, do any key people have an Internet e-mail account in addition to their corporate accounts?
Large e-mail service providers can't store a lot of mail files because there are so many transactions. Many Internet e-mail account providers, like AOL, BellSouth, and Comcast, keep their e-mail logs for no more than 30 days. If a case might need to look at e-mails from Internet accounts, the discovery team needs to ask for the records quickly or they might be lost forever. Usually, a subpoena is needed for this. In rare cases, pieces of Internet e-mail can be found on a person's hard drive through forensics.
2. Is there a chance that illegal behavior could be found?
Wrongdoing is found in many cases where electronic data is involved. The person responsible could be a member of the technology department or an employee with a lot of technical knowledge. In these situations, the first thing a company might do is fire the employee or employees involved and figure out how bad the damage is before calling the police.
This could be the worst thing to do. If a technical person did something wrong, that person might be the only one who knows how to get into the files, find the problem or fix it. Usually, this is the person who knows the passwords for mission-critical software. Most of the time, the technical employee can work from home and access company files. If this access isn't taken away before the employee is fired, it's possible that a fired or unhappy employee could get into the network and do a lot of damage.
A better solution would be to limit the employee's access to everything, both locally and remotely. The employee is then told that management knows about what happened and is given a chance to help minimize the damage. If criminal activity is involved, especially if financial or medical records have been lost or stolen, it's best to call the police as soon as possible. Electronic criminals often vanish and get rid of any evidence of what they did.
3. Is it possible that files that have been deleted or hidden could be important in this case?
You can gather electronic files for discovery in three ways:
- Forensically, as explained in the sidebar
- Semi-forensically, using untested methods and applications to get files
- Non-forensically, moving copies of files from one place to another with simple methods like cut-and-paste. These methods do not include hashing files to make sure they haven't changed. Hashing uses a hash algorithm to create a mathematical fingerprint of one or more files; the fingerprint changes if any change is made to the collection.
When it comes to some things, all that matters is what is written in electronic documents. It doesn't matter as much who made the files, where they are kept, how they have been accessed, or if they have been changed or deleted.
In other cases, context information, such as recovered deleted files, is very important and needs to be gathered in a forensic way. This also means:
- Keeping track of the chain of custody
- Making a forensic copy with validated forensic tools that create hash records
- Making sure the data can be searched legally
- Writing up any findings in a scientific report
- Using processes that can be done over and over to look at and analyze the data
Before any data is collected, it is important to determine how valuable a forensic collection of the electronic files would be. Once semi-forensic or non-forensic methods have been used, there is no way to return the records to their original state.
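The hash records described above, as an added example (not code from the original article or from any forensic product): it fingerprints every file in a collection with SHA-256 at collection time, then checks a copy against that record. The function names and the sample files are constructed for illustration; SHA-256 is an assumed choice of hash algorithm.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in 1 MiB chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> dict:
    """Hash record: each file's path relative to root -> its SHA-256 fingerprint."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def collection_fingerprint(manifest: dict) -> str:
    """One fingerprint for the whole collection; changing any file changes it."""
    lines = [f"{h}  {rel}\n" for rel, h in sorted(manifest.items())]
    return hashlib.sha256("".join(lines).encode("utf-8")).hexdigest()

def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Compare a copy against the hash record made at collection time."""
    now = build_manifest(copy_root)
    return {
        "modified": sorted(p for p in manifest if p in now and now[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in now),
        "unexpected": sorted(p for p in now if p not in manifest),
    }

def demo():
    """Constructed sample data: collect three files, copy them, then alter the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        source, copy = Path(tmp, "source"), Path(tmp, "copy")
        (source / "mail").mkdir(parents=True)
        (source / "mail" / "inbox.txt").write_text("Q3 forecast attached\n")
        (source / "contract.txt").write_text("Term: 24 months\n")
        (source / "notes.txt").write_text("call vendor\n")
        manifest = build_manifest(source)
        shutil.copytree(source, copy)
        intact = collection_fingerprint(build_manifest(copy)) == collection_fingerprint(manifest)
        (copy / "contract.txt").write_text("Term: 12 months\n")  # altered after collection
        (copy / "notes.txt").unlink()                            # removed from the copy
        (copy / "draft.txt").write_text("added later\n")         # not in the hash record
        return intact, verify_copy(manifest, copy)

if __name__ == "__main__":
    print(demo())
```

The manifest only proves that a copy matches what was hashed; it says nothing about files changed before the hash record was made, which is why the record belongs at the point of collection.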
4. Are backup tapes part of a collection that is still being used?
Some cases have to do with the past, so it's important to figure out how to handle computer backups right away.
Most businesses have a plan for how often they switch out their backup media. In a four-week cycle, for example, daily backups are done for a week, and then the tapes (or hard drives) are taken offsite to be stored. For the second, third, and fourth weeks, a new set of tapes is used. The three tapes from the first set are then stored away from the office. The tapes and drives from the first week are used again in the fifth week. This process is used because it is very cost-effective.
Under a litigation hold, backup tapes may become part of the active information that needs to be kept. This means that any rotation schedule must stop, and because the FRCP was changed in 2006, it is very important for the legal team to share this information with the technology employees who are in charge of business continuity processes.