[Producing Party members] seek a writ of mandamus compelling Respondent, the Honorable Greg Wilhelm, Judge of the County Court at Law No. 1 of Ellis County, to set aside a discovery order requiring the Honzas to permit a forensic expert to create a mirror image of each of the computer hard drives in the Honzas’ office in an effort to locate two particular documents or iterations of those documents…

The Honzas contend that Respondent abused his discretion because: (2) the order authorizes the disclosure of information protected by the attorney-client privilege; and (3) the order authorizes the disclosure of confidential information pertaining to the Honzas’ other clients who have no connection to the underlying lawsuit.

The present discovery dispute originated with [Requesting Party's] motion to gain access to the Honzas’ computers, which was filed about one month before trial. By this motion, [Requesting Party] sought “[i]nformation (the ‘Metadata’) contained on the actual computers of the Defendants, such as any time stamps on the Relevant Documents, versions of the Relevant Documents, if any, as well as the deletion of various versions, if any.” [Requesting Party] explained that, although the Honzas responded to a prior request for production of relevant documents in their electronic version, “the Metadata was neither produced nor made available.”

[Ed. Testimony indicated the existence of relevant documents with respect to a another transaction apparently not addressed by earlier discovery requests]

[] [Requesting Party] sought discovery of relevant documents pertaining to the [newly revealed] transaction, and the [Producing Party] complied by providing pertinent written discovery.

[Requesting Party] seeks the metadata from the [Producing Party's] hard drives because it wants to identify the points in time when the partial assignment draft was modified in relation to the diary entry. This goes to the issue of whether [the Producing Party] altered the partial assignment after the parties concluded their agreement but before the document was presented for execution.

[Ed. The opinion then went on to list various Federal and State sources for persuasive authority in discovery law, especially with respect to ESI]

Privileged or Confidential Information

The [Producing Party] also contend[s] that the discovery order improperly authorizes the disclosure of (1) information protected by the attorney-client privilege and (2) confidential information pertaining to the Honzas’ other clients who have no connection to the underlying lawsuit.

Notwithstanding the “unlimited” access necessarily granted the forensic expert, Respondent’s order preserves any privileged or confidential information in several ways. First, the expert is limited in his search to two specific documents or iterations of those documents. [Members of the Producing Party] are then accorded the right to review the documents and information which the expert believes responsive and produce to [Requesting Party] only those documents and information which [members of the Producing Party] themselves believe are responsive. These provisions effectively preclude [Requesting Party] from having any access to documents or information pertaining to other clients of the Honzas not involved in this litigation.

Second, the order allows the [Producing Party executives] to withhold from discovery any documents or information which they claim to be privileged or confidential and provide instead a privilege log, subject to in camera review by Respondent.

Finally, the order provides that: (1) the observation of information by [Requesting Party] representatives during the imaging process shall not constitute a waiver of privilege or confidentiality; (2) all participants in the imaging process are subject to a protective order prohibiting the unauthorized disclosure of information; and (3) [Requesting Party's] expert must provide proof of being bonded and of having commercial liability insurance by which the [Producing Party] may be “fully indemnified against any monetary loss.”

For these reasons, we hold that Respondent appropriately tailored the discovery order to prohibit the unauthorized disclosure of privileged or confidential information and no abuse of discretion is shown.

[Ed. Note that a dissenting opinion is also entered by one of the Judges hearing the case. See the order itself for the full text of that dissent, or of the opinion itself.]

In re Honza, 2007 WL 4591917 (Tex. App. Dec. 28, 2007)

[Producing Party members] seek a writ of mandamus compelling Respondent, the Honorable Greg Wilhelm, Judge of the County Court at Law No. 1 of Ellis County, to set aside a discovery order requiring the Honzas to permit a forensic expert to create a mirror image of each of the computer hard drives in the Honzas’ office in an effort to locate two particular documents or iterations of those documents…

The Honzas contend that Respondent abused his discretion because: (1) the discovery order is overbroad and authorizes an improper “fishing expedition”;…

The present discovery dispute originated with [Requesting Party's] motion to gain access to the Honzas’ computers, which was filed about one month before trial. By this motion, [Requesting Party] sought “[i]nformation (the ‘Metadata’) contained on the actual computers of the Defendants, such as any time stamps on the Relevant Documents, versions of the Relevant Documents, if any, as well as the deletion of various versions, if any.” [Requesting Party] explained that, although the Honzas responded to a prior request for production of relevant documents in their electronic version, “the Metadata was neither produced nor made available.”

[Ed. Testimony indicated the existence of relevant documents with respect to a another transaction apparently not addressed by earlier discovery requests]

[] [Requesting Party] sought discovery of relevant documents pertaining to the [newly revealed] transaction, and the [Producing Party] complied by providing pertinent written discovery.

[Requesting Party] seeks the metadata from the [Producing Party's] hard drives because it wants to identify the points in time when the partial assignment draft was modified in relation to the diary entry. This goes to the issue of whether [the Producing Party] altered the partial assignment after the parties concluded their agreement but before the document was presented for execution.

[Ed. The opinion then went on to list various Federal and State sources for persuasive authority in discovery law, especially with respect to ESI]

Overbroad Discovery

The [Producing Party] first contend that the discovery order is overbroad and authorizes an improper “fishing expedition.” In this regard, they argue that Respondent improperly “gave blanket approval for [the Requesting Party] to gain total access to [their] computers and all information stored on them, whether or not it has anything to do with this lawsuit.”

Although it is true that Respondent’s order gives A & W’s forensic expert [FN8]complete access to all data stored on the Honzas’ computers, the order provides that the expert is to index all forensic images acquired from the imaging process “for the limited purpose of searching (the ‘Examination Process’) for two documents, previously Bates-labeled as HONZA 00019 and HONZA 00017, which are drafts of “Assignment of Contract” and any iterations (the ‘Relevant Documents’).” The expert must then compile any documents or information which the expert believes responsive and deliver them to the Honzas to determine for themselves which are responsive to A & W’s discovery request and which they choose to withhold, providing a privilege log instead.

In addition to limiting the expert’s search to two specific documents, the order provides that no waiver of privilege or confidentiality occurs if any otherwise privileged or confidential information is observed by A & W’s counsel or representatives during the imaging process, and they are prohibited from using such information other than in compliance with the terms of the order. The forensic expert is likewise prohibited from disclosing any information observed during the imaging process. And finally, the order requires the expert and all party representatives or counsel participating in the imaging process to sign an acknowledgment agreeing that they are subject to contempt of court for any violation of the order.

Any order requiring the imaging of a computer hard drive necessarily grants the expert who is conducting the imaging process access to all data on that hard drive. Here, Respondent specifically limited the expert’s search to two documents; gave the [Producing Party] a “right of first refusal” with regard to determining which documents or information are relevant to those two documents and responsive to [Requesting Party's] discovery request; imposed stringent limitations on inadvertent disclosures to prevent any unintended waiver of confidentiality or privilege; and placed all participants in the imaging process under a carefully drawn protective order.

Therefore, we do not agree with the Honzas’ contention that the discovery order is overbroad.

[Ed. Note that a dissenting opinion is also entered by one of the Judges hearing the case. See the order itself for the full text of that dissent, or of the opinion itself.]

In re Honza, 2007 WL 4591917 (Tex. App. Dec. 28, 2007)

[Producing Party members] seek a writ of mandamus compelling Respondent, the Honorable Greg Wilhelm, Judge of the County Court at Law No. 1 of Ellis County, to set aside a discovery order requiring the Honzas to permit a forensic expert to create a mirror image of each of the computer hard drives in the Honzas’ office in an effort to locate two particular documents or iterations of those documents…

The Honzas contend that Respondent abused his discretion because: (1) the discovery order is overbroad and authorizes an improper “fishing expedition”; (2) the order authorizes the disclosure of information protected by the attorney-client privilege; and (3) the order authorizes the disclosure of confidential information pertaining to the Honzas’ other clients who have no connection to the underlying lawsuit.

The present discovery dispute originated with [Requesting Party's] motion to gain access to the Honzas’ computers, which was filed about one month before trial. By this motion, [Requesting Party] sought “[i]nformation (the ‘Metadata’) contained on the actual computers of the Defendants, such as any time stamps on the Relevant Documents, versions of the Relevant Documents, if any, as well as the deletion of various versions, if any.” [Requesting Party] explained that, although the Honzas responded to a prior request for production of relevant documents in their electronic version, “the Metadata was neither produced nor made available.”

[Ed. Testimony indicated the existence of relevant documents with respect to a another transaction apparently not addressed by earlier discovery requests]

[] [Requesting Party] sought discovery of relevant documents pertaining to the [newly revealed] transaction, and the [Producing Party] complied by providing pertinent written discovery.

[Requesting Party] seeks the metadata from the [Producing Party's] hard drives because it wants to identify the points in time when the partial assignment draft was modified in relation to the diary entry. This goes to the issue of whether [the Producing Party] altered the partial assignment after the parties concluded their agreement but before the document was presented for execution.

[Ed. The opinion then went on to list various Federal and State sources for persuasive authority in discovery law, especially with respect to ESI]

Under these decisions, the following protocol is generally followed. First, the party seeking discovery selects a forensic expert to make a mirror image of the computer hard drives at issue. This expert is required to perform the analysis subject to the terms of a protective order, generally prohibiting the expert from disclosing confidential or otherwise privileged information other than under the terms of the discovery order.

After creating the mirror images and analyzing them for relevant documents or partial documents, courts typically require the expert to compile the documents or partial documents obtained and provide copies to the party opposing discovery. That party is then to review the documents, produce those responsive to the discovery request, and create a privilege log for those withheld. Finally, the trial court will conduct an in-camera review should any disputes arise regarding the entries in the privilege log.

Because our research has disclosed no Texas decisions regarding this type of electronic discovery, we will apply these fairly uniform procedures to the issues presented in this proceeding.

[Ed. Note that a dissenting opinion is also entered by one of the Judges hearing the case. See the order itself for the full text of that dissent, or of the opinion itself.]

In re Honza, 2007 WL 4591917 (Tex. App. Dec. 28, 2007)

The 2006 amendments to Rule 34 of the Federal Rules of Civil Procedure simply clarify “that discovery of electronically stored information stands on equal footing with discovery of paper documents.” Fed.R.Civ.P. 34 Advisory Committee’s Note on 2006 Amendments. Consequently, without a qualifying reason, plaintiff is no more entitled to access to defendant’s electronic information storage systems than to defendant’s warehouses storing paper documents.

The discovery process is designed to be extrajudicial, and relies upon the responding party to search his records to produce the requested data. In the absence of a strong showing that the responding party has somehow defaulted in this obligation, the court should not resort to extreme, expensive, or extraordinary means to guarantee compliance. Imaging of computer hard drives is an expensive process, and adds to the burden of litigation for both parties, as an examination of a hard drive by an expert automatically triggers the retention of an expert by the responding party for the same purpose. Furthermore, as noted above, imaging a hard drive results in the production of massive amounts of irrelevant, and perhaps privileged, information. Courts faced with this inevitable prospect often erect complicated protocols to screen out material that should not be part of discovery. See, e.g., Playboy Enters., 60 F.Supp.2d [1050, 1054 (S.D.Cal.1999) (appointing court’s expert to conduct examination). Again, this adds to the expense and complexity of the case.
This court is therefore loathe to sanction intrusive examination of an opponent’s computer as a matter of course, or on the mere suspicion that the opponent may be withholding discoverable information. Such conduct is always a possibility in any case, but the courts have not allowed the requesting party to intrude upon the premises of the responding party just to address the bare possibility of discovery misconduct.

The Scotts Co. v. Liberty Mutual Ins. Co., 2007 WL 1723509 (S.D. Ohio June 12, 2007) (quoting with approval Diepenhorst v. City of Battle Creek, 2006 U.S. Dist. LEXIS 48551, *10-11 (W.D. Mich. June 30, 2006).)

Law.com brings us an article on the protocols adopted by courts with respect to inspecting a party’s hard drive during discovery. As frequent readers of this page know, document production is typically left up to each party in a dispute. Thus, allowing one party (or its forenisc expert) to inspect another’s computer represents a bit of a departure from traditional practice:

As a federal district court judge recently observed, a computer itself is not evidence in most cases, but merely the instrument for creating evidence (like a typewriter) or the means of storing it (like a file cabinet).

Accordingly, today’s litigants routinely seek access to opponent’s computer hard drive to search for discoverable evidence, especially when the opposing party may not be forthcoming about deleted or transferred files.

Hard drive inspections, therefore, are likely to occur when one party is seen to be less than forthcoming with its productions than their obligations require.

Generally speaking, courts allow imaging of an opponent’s computer hard drive in situations involving an adversary’s unsatisfactory document production or a finding that a hard drive search would yield deleted items. For example, in Playboy Enters. v. Welles, 60 F.Supp.2d at 1050, rev’d on other grounds, Playboy Enters. v. Welles, 279 F.3d 796 (9th Cir. 2002), a trademark infringement case, the plaintiff’s discovery request included permission to have access to the defendant’s hard drive for the purpose of recovering deleted e-mails that allegedly were systematically erased after litigation commenced and that may have been highly relevant. In granting the defendant’s request, the court found that the need for the requested information outweighed the burden to the defendant. Some courts will issue discovery orders for expedited discovery at the outset of litigation when the subject matter of the dispute involves trade secrets or other sensitive information that can be easily erased or destroyed.

The article notes that often third party vendors are used to accomplish the inspection to prevent the perception (real or imagined) of the presence of bias or abuse in the process. The article also mentions that even when allowing these inspections, protections courts often establish protections against undue burdens or disclosure of privileged or private data. Remember in our last post, the court in Lakeside School set up a screening process so that an employee’s privileged “web based” e-mails were not disclosed to the school, despite the fact that the school owned the hard drive at issue, and the employee had signed an agreement allowing the school to inspect the computer.

In this employee discrimination case, defendant Lakeside School sought a court order allowing inspection of a hard drive from a laptop belonging to the school, but which had been assigned for use to plaintiff for use in the discharge of his duties while employed at the school. The employee argued that some information on the laptop was covered by attorney-client and marital privilege.

The court ruled that in general, the employee had no expectation of privacy for communications made on the laptop belonging to his employer: he had signed a document indicating that he had read the school’s employee handbook containing a policy allowing the school to inspect any computer it furnishes its employees; any communications made using the e-mail accounts provided by the school similarly was bereft of any expectation of privacy. However, the court ruled that “web based” e-mails made on the computer, communicating with employee’s spouse or attorney, were covered by privilege.

I”m guessing here that the term “web based e-mails” means that the employee had an e-mail account, with an ISP that was not associated with the school (like Yahoo or Hotmail), and that he used his business laptop to access and use those accounts. These are what the court protected.

Another interesting facet of the decision is that, in the absence of an agreed protocol by the parties, the court dictated the procedure the parties would use for inspection of the hard drive. The court allowed the school’s suggested procedure:

Lakeside would be willing to have its own expert, at its own expense [ ], provide both parties’ counsel with a list of files (deleted and active) from Mr. Sims’ computer … Plaintiffs’ counsel can then identify any files they believe are privileged, as well as the nature of the privilege being asserted. Lakeside will then review any remaining files over which no claim of privilege is made, and will determine whether any of plaintiffs’ privilege designations should be challenged.

K&L Gates has their own summary here, and a copy of the opinion here (MS Word format).

Sims v. Lakeside School, 2007 WL 2745367 (W.D. Wash. Sept. 20, 2007)

The latest in our series on e-discovery pitfalls.

K&L Gates has posted an opinion in which U.S. Magistrate Howard R. Lloyd dictates the collection and search protocols of a set of data over which the parties have become somewhat contentious. Let us begin with His Honor’s description of the dispute:

According to defendants, there are two hard drives in question. In July 2007, they reportedly made bit-for-bit copies of those hard drives (including recovered deleted files and fragments) and produced documents responsive to plaintiff’s requests. Plaintiff is skeptical about the production.

Well, the requesting party is always skeptical, isn’t it? What circumstances give merit to plaintiff’s suspicions?

[Plaintiff/Requesting Party] says that, to date, defendant Romi Mayder has produced only one email pertaining to his work at Silicon Test Systems, Inc. whereas Bob Pochowski, a third-party witness, has produced a host of documents (emails, data sheets, and the like) from Mayder that apparently were created during Mayder’s employment at Verigy.

Oops. This illustrates the dangers of working with highly distributable and “copyable” documents, such as e-mail, and not producing a full set (for whatever reason). Even in the days of paper, you never knew where all the copies might have been hiding. In this digital age of ours, with the ease of replication and distribution, the dangers are exponentially higher. So let us remember two things: do a good job on formulating an appropriate search protocol; and, of course, never deliberately exclude relevant documents not subject to privilege from production. But the court isn’t finished with plaintiff’s suspicions.

Verigy also contends that other documents produced to date demonstrate Mayder’s willingness to manipulate evidence. Plaintiff also asserts that, when defendant Mayder left plaintiff’s employ, a system or software upgrade was performed which may have deleted files from defendants’ hard drives.

So now they walk beyond the line of suggesting the producing party could have accidentally failed to produce, but suggest defendant is indifferent with respect to its obligation to produce, or that it even purposefully manipulates data to protect itself. This serves to illustrate the importance of following a defensible, documented collection plan. The documentation may serve to refute allegations of impropriety or mismanagement. The importance of retaining a third party to execute the collection process is also on point, as such an expert tends to lend an objective voice to any dispute over procedure.

Now, this next bit is interesting, and potentially really bad for the defendant.

[Requesting Party] argues that it needs to conduct additional discovery of those hard drives, not only to determine whether any relevant documents have been withheld from defendants’ production, but also to examine what may have happened on the hard drives and why.

The requesting party wants to examine the drives to see if defendants failed in their responsibilities. The request is not made merely for the sake of satisfying their curiosity. The possibility that such intrusive measures might be allowed should be a warning shot over the bow for any party engaged in discovery. Make sure your processes are thorough, managed competently, well documented, and defensible.

[Producing Party does] not dispute that a system or software upgrade was performed which may have deleted files from their hard drives. However, they maintain that all deleted files have been recovered and preserved and that they have produced all information responsive to plaintiff’s requests.

All deleted files have been recovered? That’s far from certain, especially with respect to an operation as extensive as a software upgrade. The percentage of deleted files forensically recovered is based on many factors. Was “wiping” involved? If not, has the drive been defragmented? What is the “data turnover” (number of files deleted vs. number of new files written to the drive) of the drive at issue? Under only a very limited set of circumstances might one be able to say with any semblance of certainty that every single deleted file was recovered. As we see, the judge doesn’t appear convinced either. Upon considering the arguments, the court sets a two-tiered plan into place.

Defendants propose a two-tier protocol which (a) permits discovery in areas that defendants deem presumptively relevant; and (b) allows plaintiff to request that the expert conduct other searches, subject to an opportunity by defendant to review and object to the proposed search requests.

Defendants sought to protect themselves from abuse:

Defendants express concern that plaintiff will propound unduly burdensome or otherwise abusive searches beyond the scope of permissible discovery under Fed.R.Civ.P. 26. At the motion hearing, it was suggested, somewhat facetiously, that Verigy might attempt to request a search for all documents with the letter “A.” Indeed, documents submitted on supplemental briefing indicate that Verigy apparently has previously requested a search for all documents containing the letter “V” (see Pasquinelli Decl., Ex. C)–a request which strikes this court as being patently overbroad.

In an interesting note, the requesting party argued that disclosure of additional search terms it wanted to use might infringe attorney work product. The court, however, was not persuaded.
In concluding its opinion, the court felt the urge to remind counsel and the parties of their duties under the law:

Although it should go without saying, the parties are admonished to proceed in good faith and to refrain from conduct designed to unnecessarily encumber or retard discovery or to impose unnecessary expense or burden on the opposing parties or the court.

To reiterate the lessons of the case: engage in an honest, thorough, and well documented discovery plan; think about retaining a third party to serve as an objective, knowledgeable voice; and scrutinize the implementation of processes (such as software upgrades) that endanger the integrity of the litigation hold.

According to an article posted by Dark Reading, (annoying ad warning) IT departments are doing more of the intrusion investigations, and other tasks traditionally outsourced to experts, themselves.

If you think finding out who did what with your data always means calling in high-priced spooks armed with arcane software, think again. The trend is toward placing the power to handle investigations in the hands of enterprises themselves. Why? With security incidents, e-discovery and litigation on the rise across all industries and organizations of all sizes, having tools in-house allows IT to mobilize quickly and address situations before there’s significant impact.

The forensics software landscape has also gotten more inclusive, with enterprise-class investigative tools in the pipeline along with log-analysis software, network monitors, and systems that can aid in investigations and e-discovery involving e-mail. Many of these do double duty, making them easier sells come budget time.

The article also discloses that Guidance Software, producer of EnCase, will soon get a little more competition:

In the forensics space, at least two upstarts are set to rival the enterprise edition of Guidance Software’s Encase, the granddaddy of investigative toolsets. By year’s end, security services provider Mandiant will step into the enterprise incident response arena with its Intelligent Response appliance, and AccessData is also prepping an offering, due in the first half of next year, that will encompass forensics, incident response and e-discovery.

I’m not sure what a product that encompasses “forensics, incident response and e-discovery” will look like (seems like it might be taking too big a bite of the cookie), but I’m willing to reserve judgment for now.

According to the Indianapolis Star:

The department will show off its “mobile computer forensics vehicle,” sort of a computer crime lab on wheels, Wednesday morning at the state police post on East 21st Street.

Love to see pictures…

Uh oh. This isn’t good:

Mesa Air Group said yesterday its chief financial officer went to great lengths to permanently delete computer data sought by Hawaiian Airlines to cover up his interest in pornography.

In an evidentiary hearing held yesterday before Hawaiian’s lawsuit against Mesa goes to trial, the operator of the interisland airline go! said it discovered that CFO Peter Murnane had been browsing adult Web sites.

It also said Murnane was solely responsible for deleting data from his three computers and that the company had given to Hawaiian all the deleted data.

How far did Mr. Murnane allegedly go in his cover-up attempts? A computer forensics expert explains:

Jefford Englander, a computer forensics expert from Phoenix-based Lightstone Solutions, spent about 90 minutes on the stand yesterday detailing how he uncovered multiple instances of deleted files that he could not identify. He also uncovered signs the computer clock had been manipulated — including files that appeared to have been modified before they were created.

Now, to be sure, this all must be substantiated. Mr. Murnane has his own side to the story, and as everyone knows, things aren’t always what they seem. But it doesn’t look good.