Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

Electronically Stored Information - for Lega

Electronically Stored Information is ubiquitous and used more and more in legal proceedings. It is imperative that we all understand the what, where and how of this data.
by

David Matthews

on 13 February 2016

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Electronically Stored Information - for Lega

What Are We Looking For?
Email & Attachments
Voice Mail
Phone records (desk and cell)
Instant Messaging and Text Messages
Documents of all types (Word, Excel, PDF, etc.)
Database information and structure
Physical access records
Video surveillance tapes
Hard-drive contents from laptops and/or desktops
Content from other devices (CD/DVD, USB, PDAs, etc)
System logs
Web sites (surfing habits, actual web content)
A Day in the Life...
Electronically Stored Information (ESI)
What, where, how and why
Recent Case Law
Agenda
ESI
Normally stored in much greater volume than are hard copy documents.
Dynamic, in many cases modified simply by turning a computer on and off.
Can be incomprehensible when separated from the system(s) that created it.
Contains non-apparent information, or metadata, that describes the context of the information and provides other useful and important information
Specific Issues
Not Reasonably Accessible (NRA)
Spoliation
Litigation Holds - Document Retention
Examples of Not Reasonably Accessible
Deleted Data (accidentally & intentionally)
Non readable data
Improperly classified / labeled data
Data in the “cloud”
What is Reasonably Accessible?
Active, online data
Near-line data
Some forms of offline storage if kept in readily usable format (not requiring restoration or manipulation to be used)
Sanctions for Spoliation
Outright dismissal of the case
Exclusion of evidence
Adverse jury instruction
Exclusion of expert testimony
Civil contempt sanctions
Awards of attorneys’ fees
Fines to counsel or referral to their bar association
Spoliation Defined
Spoliation is “the destruction or significant alteration of evidence, or the failure to preserve property for another’s use as evidence in pending or reasonably foreseeable litigation.”
Mosaid Technologies, Inc. v. Samsung Elec.Corp. (D. NJ 2004)
Spoliation Examples
Wachtel v. Health Net, Inc.(NJ District Ct 2006), facts taken as established, exhibits stricken from evidence, witnesses barred, reimbursement of plaintiff’s fees and costs, discovery master paid by defendants, fined for discovery violations.
Zubulake v. UBS Warburg (SDNY 2003), adverse inference instruction (emails not produced would have negatively impacted case), defense counsel partly to blame for not locating and producing emails, $29 million damages
Safe Harbor Rule
(Rule 37)
Creates a "safe harbor" that protects a party from sanctions for failing to provide electronically stored information lost because of the routine, good-faith operation of the party's computer system.
Litigation Hold
Should be placed on documents and email when litigation is “reasonably foreseeable”, for instance:
When a formal complaint, subpoena, or notification of a lawsuit is received
Somebody threatens litigation, even verbally by saying, “I am going to sue.”
A regulatory or governmental body starts an investigation.
An attorney or third-party investigator requests facts related to an incident or dispute.
An incident takes place that results in injury.
An employee makes a formal complaint to management, especially when related to personnel issues
Litigation Hold Process
Attorney’s responsibility
Must establish who owns relevant data
Need to know who will acquire and preserve
Where will it be stored and how
Pre-hold meeting
Delivery of hold notice & followup
ESI Specifics
What are we looking for?
Where is it?
When was it created and how long will it exist?
Why do we need it?
Who created it and who controls it?
Most importantly – HOW do we retrieve it?
Where Is It (logically)?
File Servers
Desktops or Laptops (at home or office)
Internet or Phone Service Providers (IM, Text messages, personal email)
USB, CD/DVD, Floppy disks, Tape
PDAs, Game Consoles, iPods
Peer to Peer (P2P) file shares or FTP servers
Social Networking and blogging sites
Where is it (physically)?
Physical location?
Backed up somewhere?
Locked up?
Encrypted?
How many copies or versions?
When Was It Created
Time stamps – can you trust them?
Dates and times on a computer are dependent on its clock being accurately set and running.
A clock that is correctly set now may not have been correctly set in the past.
Time affected by zones, formats, Daylight Saving – and can be manipulated
Document management
Records retention rules vs. practices
Tape or other backups – procedures for recycling/disposal
Procedures for de-provisioning of hardware
Why Do We Need It?
Litigation
When you know or believe there might be litigation
Public Disclosure
Must be more than a “substantial” effort
Investigations
Must have written procedures (and follow them!)
Especially if might go to court or become a Law Enforcement issue (more to come)
Who Created It and Who Controls It
We must have systems in place to prove ownership and that documents haven’t been tampered with (non-repudiation)
In order to know how to recover data, we need the contact information for the custodian of that data
How Do We Retrieve It?
Procedures
Gathering the data
Reporting
HOW? - Procedures
Procedures must be written, published and strictly adhered to
Attorney and/or Human Resources and a Supervisor must initiate - using signed form
In litigation holds, attorney must deliver and follow up with the hold memo to all involved parties
For litigation holds or public disclosures should have a scoping meeting with a check list
HOW? – Gathering the data
Make sure all staff know the correct, forensically sound procedures and follow them
Anyone doing data acquisition for litigation or investigations must sign a non-disclosure agreement
Ensure they are using recognized tools and/or can demonstrate their efficacy
All staff involved in acquisition of data must log every step
HOW? - Reporting
Create reports free from jargon and acronyms
Include everything you did, the tools you used and what you found
Include any application generated reports or logs
Be prepared and competent at giving these reports both in writing or orally.
New eDiscovery Issues
The Evil Cloud
Big Data/AI
Social networking
Mobile Devices

Recent Case Law
Chen v. Dougherty (W.D. Wash. 7/7/09)
• Plaintiff prevailed in trial and asked for
attorney’s fees
• Court agreed BUT reduced the rate for one
attorney
Her “inhibited ability to participate meaningfully
in electronic discovery” was indicative of
“novice skills in this area” and not
“experienced council”
Federico v. Lincoln Military Housing, LLC, (E.D. Va. Dec. 31, 2014)
Plaintiffs allege personal injury due to mold in military housing
Plaintiffs fail to produce much social media content and text messages and defense asks for dismissal
Court ruled plaintiffs have to pay for expert help (no cost shifting)
No other sanctions due to lack of relevance (of text messages) & "nearly complete" production of social media
Sekisui Am. Corp. v. Hart, (S.D.N.Y. 6/10/13)
• Court considered Plaintiff's "at least" negligent deletion of "the entire active email folder of an important witness
• Declined to impose adverse inference or other sanctions
• Didn't feel that "relevant information potentially helpful to [the defendants] [wa]s no longer available."
United Cent. Bank v. Kanan Fashions,
Inc., (N.D. Ill. 9/21/11)
• Judge recommends sanctions for selling
relevant server to Dubai (“elaborate
spoliation”)
• Declined to sanction defendant’s attorneys
because they were lied to
• Court found that defendant’s counsel had
“continuously” reminded them of their
preservation obligations
United Corp. v. Tutu Park Ltd., (V.I. Jan. 28, 2015)
Plaintiff requests all ESI back to Jan, 1999
KMART (defense) argued too much had changed in that time (acquisition, hardware, software, database changes/updates, and their retention policy)
KMART produced what they had
Court accepted their explanation
Declined to hold in contempt or sanction
O’Neill v. the City of Shoreline, (Wash.
10/7/10)
• Deputy Mayor reports to council about an
email complaining of improper conduct
• Author of email (plaintiff) didn’t send it and
wants to see who did and when
• Wa Supreme Court upholds Court of Appeals
decision – plaintiff entitled to metadata.
• City of Shoreline responsible for
searching Deputy Mayor’s personal hard
drive!
Procaps S.A. v. Patheon Inc., (S.D. Fla. Mar. 18, 2014)
• Court agrees plaintiff made deficient preservation/collection efforts
• Ordered to pay for "extensive forensics exam" by neutral 3rd party
• Also agreed plaintiff's attorney failed to communicate in general - specifically about search terms which were deemed inadequate
• Court confirmed a "basic rule" that "outside counsel must carefully craft the appropriate keywords with input from the ESI custodians"
Pension Comm. of Univ. of Montreal
Pension Plan v. Bank of Am. Secs.,
LLC. (S.D.N.Y. 1/15/10)
• Judge Scheindlin (of Zubalake fame)
• Addresses preservation obligations and
spoliation in great detail
• Includes great discussions on culpability,
burdens of proof, and appropriate remedies
Integrating with Cyber Event Process
Incident Response plan process includes:
• Triage
• Declaration of event
• Assignment of roles
• Documentation and follow-up during event
• After action
Triage
• What data is relevant – attorneys,
management and maybe IT
• Declaration of event
• Litigation hold notice – attorneys or legal staff
• Assignment of roles
• Pre-discovery meeting – attorneys, affected
employees, management and IT
Documentation and follow-up
• Who is responsible for gathering and
preserving data – IT and employees (with
management)
• Maintaining chain of custody
• Detailed log of an forensic or other in-depth
analysis to find relevant data
• After Action
• Affidavit of preservation
• Lessons learned documentation
The new Federal (and most State) rules specifically address ESI
ESI is everywhere and you know where and how to find it
Laws keep evolving making collaboration between legal and IT more important
Summary
Sources for Additional Guidance / Reference
• E-discovery Law - http://www.ediscoverylaw.com/news-updates-ediscovery-amendments-to-the-federal-rules-of-civil-procedure-gointo-
effect-today.html
• Northwestern University -http://www.law.northwestern.edu/journals/njtip/v4/n2/3/
• LexisNexis - http://www.lexisnexis.com/applieddiscovery/lawLibrary/courtRules.asp
• IT Compliance Institute - http://www.itcinstitute.com/display.aspx?ID=3160
• Proposed Rules: http://www.uscourts.gov/rules/Reports/ST09-2005.pdf
• KenWithers.com: http://www.kenwithers.com/rulemaking/index.html
• Electronic Discovery Law: http://www.ediscoverylaw.com/
• Discovery Resources: http://discoveryresources.org
• The Sedona Conference: http://www.thesedonaconference.org/
• Death By Email Blog: http://www.DeathByEmail.com
• Nixon Peabody: http://www.nixonpeabody.com/publications_detail3.asp?Type=P&PAID=66&ID=771#ref7
• Wikipedia – Expert Witness: http://en.wikipedia.org/wiki/Expert_witness
• Wikipedia – Daubert standard: http://en.wikipedia.org/wiki/Daubert_Standard
Thanks!
David R Matthews, CISSP, CISM, DRFS, CSFA
Consulting & Professional Services
dmatthewsusa@gmail.com


Questions?
T&E Investment Group, LLC v. Faulkner,
(N.D. Tex. Feb. 12, 2014)
Court ordered adverse inference and sanctions against Defendant
Defendant found to have used bulk file changer to manipulate metadata trying to hide their use of unproduced computer
Expert testified defendant used bulk file tool to mislead plaintiff's investigators
E.E.O.C. v. Fry’s Elecs. Inc.
(W.D. Wash. 7/13/12)
Sexual harassment litigation
Serious spoliation sanctions on Fry’s for discovery violations
Appointed Special Master to report “as-of-yet undiscovered discovery violations”
Wide variety of deceptions and improper proceedings cited by court
Lord Abbett Mun. Income Fund., Inc v. Asami, (N.D. Cal. Oct. 29, 2014)
Parties had agreed to preserve 159 computers and share cost
When defense is granted summary judgement they "will no longer pay" but you can't destroy them because we might need them in appeal
Plaintiff argued (and court agreed) - defense had had plenty of opportunity to examine and plaintiff's examinations had shown no relevant data
Court also considered "proportionality principle" (FRCP 26(b)(2)) deciding the burden of preservation outweighed the benefit
Taylor v. Mitre Corp., (E.D. Va. Nov. 8, 2012)
physically destroying a relevant computer with a hammer
using both Evidence Eliminator and CCleaner to erase potentially relevant evidence
also recommended that Plaintiff pay Defendant’s reasonable attorney’s fees and costs incurred as a result of the spoliation
Calderon v. Corporacion Puertorrique a de Salud, (D.P.R. Jan. 16, 2014)
Plaintiff sued for sexual harassment
Defense moves to dismiss and court gives adverse inference because records showed text messages deleted from plaintiff's phone
Messages were deleted after plaintiff "knew of should have known" litigation was pending (so duty to preserve)
Paulson-Fortner v. City of Bainbridge Island, Kitsap County Superior Court, (Nov. 4 2013)
Plaintiff's sued under State Public Records Act
Council members using personal devices for city business (alleged)
Plaintiff's counsel asked for personal device hard drives to be turned over
Judge ruled email on their devices must be released
No expectation of privacy since they conducted city business on personal devices
In re: Biomet M2a Magnum Hip Implant Prods. Liab. Litig (N.D. Ind. Aug, 21, 2013)
Biomet used both keyword searching and predictive coding to find responsive documents
Opposing counsel asked for the "seed set" which court denied due to possibly not responsive data
However, suggested Biomet should reconsider in the interest of cooperation
In re Domestic Drywall Antitrust Litig., (E.D. Pa. May 12, 2014)
Plaintiffs contend review of large number of docs is burdensome
Judge rules that current capabilities of ESI analysis and management tools give ability to search quickly for relevant data
No excuses - get those tools and get to work
Kyko Global Inc. v. Prithvi Info. Solutions Ltd., (W.D. Wash. June 13, 2014)
Plaintiffs obtained Writ of Execution and one defendants computer, etc. were seized
Plaintiff's counsel outbid defense in public auction - obtained and examined computer
Since original owner had formatted drive and installed new OS - judge ruled there was no waiver of attorney client privilege
Kyko Global Inc. v. Prithvi Info. Solutions Ltd., (W.D. Wash. June 13, 2014)
Plaintiffs obtained Writ of Execution and one defendants computer, etc. were seized
Plaintiff's counsel outbid defense in public auction - obtained and examined computer
Since original owner had formatted drive and installed new OS - judge ruled there was no waiver of attorney client privilege
A Day in the Life...
Woke up, got out of bed...
Full transcript