Electronically Stored Information - for Lega

Electronically Stored Information is ubiquitous and used more and more in legal proceedings. It is imperative that we all understand the what, where and how of this data.
by David Matthews on 22 May 2017

Transcript of Electronically Stored Information - for Lega

What Are We Looking For?
Email & Attachments
Voice Mail
Phone records (desk and cell)
Instant Messaging and Text Messages
Documents of all types (Word, Excel, PDF, etc.)
Database information and structure
Physical access records
Video surveillance tapes
Hard-drive contents from laptops and/or desktops
Content from other devices (CD/DVD, USB, PDAs, etc)
System logs
Web sites (surfing habits, actual web content)
A Day in the Life...
Where and How of ESI
Recent Case Law
Agenda
ESI
Normally stored in much greater volume than are hard copy documents.
Dynamic, in many cases modified simply by turning a computer on and off.
Can be incomprehensible when separated from the system(s) that created it.
Contains non-apparent information, or metadata, that describes the context of the information and provides other useful and important information
Specific Issues
Not Reasonably Accessible (NRA)
Spoliation
Litigation Holds - Document Retention
Examples of Not Reasonably Accessible
Deleted Data (accidentally & intentionally)
Non-readable data
Improperly classified / labeled data
Data in the “cloud”
What is Reasonably Accessible?
Active, online data
Near-line data
Some forms of offline storage if kept in readily usable format (not requiring restoration or manipulation to be used)
Sanctions for Spoliation
Outright dismissal of the case
Exclusion of evidence
Adverse jury instruction
Exclusion of expert testimony
Civil contempt sanctions
Awards of attorneys’ fees
Fines to counsel or referral to their bar association
Spoliation Defined
Spoliation is “the destruction or significant alteration of evidence, or the failure to preserve property for another’s use as evidence in pending or reasonably foreseeable litigation.”
Mosaid Technologies, Inc. v. Samsung Elec. Corp. (D. NJ 2004)
Spoliation Examples
Wachtel v. Health Net, Inc. (NJ District Ct 2006), facts taken as established, exhibits stricken from evidence, witnesses barred, reimbursement of plaintiff’s fees and costs, discovery master paid by defendants, fined for discovery violations.
Zubulake v. UBS Warburg (SDNY 2003), adverse inference instruction (emails not produced would have negatively impacted case), defense counsel partly to blame for not locating and producing emails, $29 million damages
Safe Harbor Rule
(Rule 37)
Creates a "safe harbor" that protects a party from sanctions for failing to provide electronically stored information lost because of the routine, good-faith operation of the party's computer system.
Litigation Hold
Should be placed on documents and email when litigation is “reasonably foreseeable”, for instance:
When a formal complaint, subpoena, or notification of a lawsuit is received
Somebody threatens litigation, even verbally by saying, “I am going to sue.”
A regulatory or governmental body starts an investigation.
An attorney or third-party investigator requests facts related to an incident or dispute.
An incident takes place that results in injury.
An employee makes a formal complaint to management, especially when related to personnel issues
Litigation Hold Process
Attorney’s responsibility
Must establish who owns relevant data
Need to know who will acquire and preserve
Where will it be stored and how
Pre-hold meeting
Delivery of hold notice & followup
ESI Specifics
What are we looking for?
Where is it?
Who created it and who controls it?
Where Is It (logically)?
File Servers
Desktops or Laptops (at home or office)
Internet or Phone Service Providers (IM, Text messages, personal email)
USB, CD/DVD, Floppy disks, Tape
PDAs, Game Consoles, iPods
Peer to Peer (P2P) file shares or FTP servers
Social Networking and blogging sites
Where is it (physically)?
Physical location?
Backed up somewhere?
Locked up?
Encrypted?
How many copies or versions?
When Was It Created
Time stamps – can you trust them?
Dates and times on a computer are dependent on its clock being accurately set and running.
A clock that is correctly set now may not have been correctly set in the past.
Time affected by zones, formats, Daylight Saving – and can be manipulated
Document management
Records retention rules vs. practices
Tape or other backups – procedures for recycling/disposal
Procedures for de-provisioning of hardware
Why Do We Need It?
Litigation
When you know or believe there might be litigation
Public Disclosure
Must be more than a “substantial” effort
Investigations
Must have written procedures (and follow them!)
Especially if it might go to court or become a Law Enforcement issue (more to come)
Who Created It and Who Controls It
We must have systems in place to prove ownership and that documents haven’t been tampered with (non-repudiation)
In order to know how to recover data, we need the contact information for the custodian of that data
How Do We Retrieve It?
Procedures
Gathering the data
Reporting
HOW? - Procedures
Procedures must be written, published and strictly adhered to
Attorney and/or Human Resources and a Supervisor must initiate - using signed form
In litigation holds, attorney must deliver and follow up with the hold memo to all involved parties
For litigation holds or public disclosures, hold a scoping meeting with a checklist
HOW? – Gathering the data
Make sure all staff know the correct, forensically sound procedures and follow them
Anyone doing data acquisition for litigation or investigations must sign a non-disclosure agreement
Ensure they are using recognized tools and/or can demonstrate their efficacy
All staff involved in acquisition of data must log every step
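A sketch of what "log every step" can look like in practice, also covering the earlier "Time stamps – can you trust them?" slide. This is an added example, not part of the original presentation; the function names, field names and sample files are hypothetical. Each entry records the file hash, the examiner's clock and the file's own timestamp in UTC, and is chained to the previous entry so later edits to the log are detectable.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value for the first log entry

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def entry_digest(entry):
    # Hash a canonical JSON form of every field except the digest itself.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_acquisition(log, path, examiner, action, now=None):
    """Append one custody-log entry for path; now (UTC) is injectable for tests."""
    now = now or datetime.now(timezone.utc)
    st = os.stat(path)
    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
    entry = {
        "seq": len(log), "examiner": examiner, "action": action,
        "path": os.path.abspath(path), "size": st.st_size,
        "sha256": sha256_file(path),
        "logged_utc": now.isoformat(),      # examiner's clock, always UTC
        "mtime_utc": mtime.isoformat(),     # source clock: evidence, not truth
        "mtime_in_future": mtime > now,     # a clock was wrong or was changed
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """Return seq numbers of entries whose content or chain link fails to verify."""
    bad, prev = [], GENESIS
    for e in log:
        if e["prev_hash"] != prev or entry_digest(e) != e["entry_hash"]:
            bad.append(e["seq"])
        prev = e["entry_hash"]
    return bad

def demo():
    # Constructed sample: two throwaway files standing in for collected ESI.
    d, log = tempfile.mkdtemp(), []
    for name, data in [("memo.txt", b"draft memo"), ("mail.eml", b"Subject: hold")]:
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        log_acquisition(log, p, "examiner-1", "copied from custodian laptop")
    before = verify_log(log)
    log[0]["action"] = "edited afterwards"  # simulate a quiet change to the log
    return before, verify_log(log)
```

Re-hashing a stored file and comparing it with the logged sha256 value shows whether the copy has changed since acquisition.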
HOW? - Reporting
Create reports free from jargon and acronyms
Include everything you did, the tools you used and what you found
Include any application generated reports or logs
Be prepared and competent at giving these reports both in writing and orally.
New eDiscovery Issues
The Evil Cloud
Big Data/AI
Social networking
Mobile Devices
Recent Case Law
Chen v. Dougherty (W.D. Wash. 7/7/09)
• Plaintiff prevailed in trial and asked for attorney’s fees
• Court agreed BUT reduced the rate for one attorney
Her “inhibited ability to participate meaningfully in electronic discovery” was indicative of “novice skills in this area” and not “experienced counsel”
Morgan Hill Concerned Parents Assoc. v. California Dept. Educ., (E.D. Cal. 2/2/17)
Plaintiffs’ requests for production specified that ESI be produced “in their native electronic format together with all metadata"
Defendant produced responsive documents in a “’load file’ format.” - made no specific objection to native format till years later
Defendant argued that it was “entitled” to disregard Plaintiffs’ request because it had produced ESI in a “reasonably usable” format that did not degrade its searchability
Court rejected Defendant’s arguments, relying substantially on the protocol for requesting and producing ESI under Fed. R. Civ. P. 34(b)
Sekisui Am. Corp. v. Hart, (S.D.N.Y. 6/10/13)
• Court considered Plaintiff's "at least" negligent deletion of "the entire active email folder of an important witness"
• Declined to impose adverse inference or other sanctions
• Didn't feel that "relevant information potentially helpful to [the defendants] [wa]s no longer available."
United Cent. Bank v. Kanan Fashions, Inc., (N.D. Ill. 9/21/11)
• Judge recommends sanctions for selling relevant server to Dubai (“elaborate spoliation”)
• Declined to sanction defendant’s attorneys because they were lied to
• Court found that defendant’s counsel had “continuously” reminded them of their preservation obligations
United Corp. v. Tutu Park Ltd., (V.I. Jan. 28, 2015)
Plaintiff requests all ESI back to Jan, 1999
KMART (defense) argued too much had changed in that time (acquisition, hardware, software, database changes/updates, and their retention policy)
KMART produced what they had
Court accepted their explanation
Declined to hold in contempt or sanction
O’Neill v. the City of Shoreline, (Wash. 10/7/10)
• Deputy Mayor reports to council about an email complaining of improper conduct
• Author of email (plaintiff) didn’t send it and wants to see who did and when
• WA Supreme Court upholds Court of Appeals decision – plaintiff entitled to metadata.
• City of Shoreline responsible for searching Deputy Mayor’s personal hard drive!
Procaps S.A. v. Patheon Inc., (S.D. Fla. Mar. 18, 2014)
• Court agrees plaintiff made deficient preservation/collection efforts
• Ordered to pay for "extensive forensics exam" by neutral 3rd party
• Also agreed plaintiff's attorney failed to communicate in general - specifically about search terms which were deemed inadequate
• Court confirmed a "basic rule" that "outside counsel must carefully craft the appropriate keywords with input from the ESI custodians"
Pension Comm. of Univ. of Montreal Pension Plan v. Bank of Am. Secs., LLC. (S.D.N.Y. 1/15/10)
• Judge Scheindlin (of Zubulake fame)
• Addresses preservation obligations and spoliation in great detail
• Includes great discussions on culpability, burdens of proof, and appropriate remedies
Integrating with Cyber Event Process
Incident Response plan process includes:
• Triage
• Declaration of event
• Assignment of roles
• Documentation and follow-up during event
• After action
Triage
• What data is relevant – attorneys, management and maybe IT
• Declaration of event
• Litigation hold notice – attorneys or legal staff
• Assignment of roles
• Pre-discovery meeting – attorneys, affected employees, management and IT
Documentation and follow-up
• Who is responsible for gathering and preserving data – IT and employees (with management)
• Maintaining chain of custody
• Detailed log of any forensic or other in-depth analysis to find relevant data
• After Action
• Affidavit of preservation
• Lessons learned documentation
ESI is everywhere and now you know where and how to find and manage it
Laws keep evolving, making collaboration between legal and IT more important
Summary
Sources for Additional Guidance / Reference
• E-discovery Law - http://www.ediscoverylaw.com/news-updates-ediscovery-amendments-to-the-federal-rules-of-civil-procedure-gointo-effect-today.html
• Northwestern University - http://www.law.northwestern.edu/journals/njtip/v4/n2/3/
• LexisNexis - http://www.lexisnexis.com/applieddiscovery/lawLibrary/courtRules.asp
• IT Compliance Institute - http://www.itcinstitute.com/display.aspx?ID=3160
• Proposed Rules: http://www.uscourts.gov/rules/Reports/ST09-2005.pdf
• KenWithers.com: http://www.kenwithers.com/rulemaking/index.html
• Electronic Discovery Law: http://www.ediscoverylaw.com/
• Discovery Resources: http://discoveryresources.org
• The Sedona Conference: http://www.thesedonaconference.org/
• Death By Email Blog: http://www.DeathByEmail.com
• Nixon Peabody: http://www.nixonpeabody.com/publications_detail3.asp?Type=P&PAID=66&ID=771#ref7
• Wikipedia – Expert Witness: http://en.wikipedia.org/wiki/Expert_witness
• Wikipedia – Daubert standard: http://en.wikipedia.org/wiki/Daubert_Standard
Thanks!
David R Matthews, CISSP, CISM, DRFS, CSFA
Consulting & Professional Services
dmatthewsusa@gmail.com


Questions?
T&E Investment Group, LLC v. Faulkner, (N.D. Tex. Feb. 12, 2014)
Court ordered adverse inference and sanctions against Defendant
Defendant found to have used bulk file changer to manipulate metadata trying to hide their use of unproduced computer
Expert testified defendant used bulk file tool to mislead plaintiff's investigators
E.E.O.C. v. Fry’s Elecs. Inc. (W.D. Wash. 7/13/12)
Sexual harassment litigation
Serious spoliation sanctions on Fry’s for discovery violations
Appointed Special Master to report “as-of-yet undiscovered discovery violations”
Wide variety of deceptions and improper proceedings cited by court
Lord Abbett Mun. Income Fund., Inc v. Asami, (N.D. Cal. Oct. 29, 2014)
Parties had agreed to preserve 159 computers and share cost
Once granted summary judgment, defense said they "will no longer pay" but that the computers could not be destroyed because they might be needed on appeal
Plaintiff argued (and court agreed) - defense had had plenty of opportunity to examine and plaintiff's examinations had shown no relevant data
Court also considered "proportionality principle" (FRCP 26(b)(2)) deciding the burden of preservation outweighed the benefit
Taylor v. Mitre Corp., (E.D. Va. Nov. 8, 2012)
physically destroying a relevant computer with a hammer
using both Evidence Eliminator and CCleaner to erase potentially relevant evidence
also recommended that Plaintiff pay Defendant’s reasonable attorney’s fees and costs incurred as a result of the spoliation
Calderon v. Corporacion Puertorriqueña de Salud, (D.P.R. Jan. 16, 2014)
Plaintiff sued for sexual harassment
Defense moves to dismiss and court gives adverse inference because records showed text messages deleted from plaintiff's phone
Messages were deleted after plaintiff "knew or should have known" litigation was pending (so duty to preserve)
Paulson-Fortner v. City of Bainbridge Island, Kitsap County Superior Court, (Nov. 4 2013)
Plaintiffs sued under State Public Records Act
Council members using personal devices for city business (alleged)
Plaintiff's counsel asked for personal device hard drives to be turned over
Judge ruled email on their devices must be released
No expectation of privacy since they conducted city business on personal devices
Arrowhead Capital Fin., Ltd. v. Seven Arts Entm’t, Inc., (S.D.N.Y. 9/16/16)
Citing misconduct “As deep as it is wide,” court imposes sanctions on defendants and counsel
Defendants obstructing depositions and failing to preserve and produce relevant documents, among other things
Court imposed sanctions, including: precluding them from litigating the issue of personal jurisdiction; imposing a “spoliation instruction, as appropriate, on any claims that are ultimately submitted to the jury”; ordering payment of Plaintiff’s attorneys fees related to the misconduct; and ordering the retention of a second outside counsel
In re Domestic Drywall Antitrust Litig., (E.D. Pa. May 12, 2014)
Plaintiffs contend review of large number of docs is burdensome
Judge rules that current capabilities of ESI analysis and management tools give ability to search quickly for relevant data
No excuses - get those tools and get to work
Kyko Global Inc. v. Prithvi Info. Solutions Ltd., (W.D. Wash. June 13, 2014)
Plaintiffs obtained Writ of Execution and one defendant's computer, etc. were seized
Plaintiff's counsel outbid defense in public auction - obtained and examined computer
Since original owner had formatted drive and installed new OS - judge ruled there was no waiver of attorney client privilege
A Day in the Life...
Woke up, got out of bed...
When Was It Created
Time stamps – can you trust them?
Dates and times on a computer are dependent on its clock being accurately set and running.
Many organizations will have a time server; ensuring systems sync to it avoids these issues
A clock that is correctly set now may not have been correctly set in the past.
Time affected by zones, formats, Daylight Saving – and can be manipulated
Why Do We Need It?
For any legal considerations
Public Disclosure
Audits
Archiving - family history
Who Created It and Who Controls It
It's important to be able to prove ownership and that documents haven’t been tampered with (non-repudiation)
In order to know how to recover or safely preserve data, we need to know who actually controls it and how to contact them
The How questions
How did it happen
Procedures
Gathering the data
Reporting
Content you create intentionally
Social media sites
Documents, spreadsheets
Databases, address/contacts lists
Blogs
Photo sites
How is ESI created?
Data that is created by systems - perhaps unknown to you
Cookies and other Internet artifacts
Computer & Application logs
Loyalty cards
Public video recordings
Credit/Debit purchases
Information created "for" you
Bank records
Phone records
Vehicle logs
Payroll/Benefits
Insurance/Health records
HOW? - Procedures
In a mature organization procedures are written, published and strictly adhered to
For personal data:
Understand who owns it (you or the service provider, e.g. Facebook, Gmail...)
Look up or inquire about procedures
Practice!
Your legal department (if you have one) manages litigation holds and electronic discovery
HOW? – Gathering the data
If you or your organization need to locate/preserve or produce ESI:
Ensure everyone knows the correct, forensically sound procedures and follows them
Ensure your users know you have the right to examine their devices as appropriate (assuming that's part of your policy)
When doing data acquisition for litigation or investigations:
Know and follow evidence rules
Carefully log every step
For personal retrieval, management and storage:
Be aware of need to preserve integrity
Keep a log of what you do, when and how
Store things in a secure way and document that you've done so
HOW? - Reporting
Create reports free from jargon and acronyms
Include everything you did, the tools you used and what you found
Include any application generated reports or logs
Be prepared and competent at giving these reports both in writing and orally.