Blogger Advises Company Execs to Learn about Computer Forensics

David Lacey, the security blogger at ComputerWeekly.com has a short post advising executives to become familiar with the field of computer forensics. Quoth Mr. Lacey:

Not many company directors will have the patience to read and digest [a recommended text on computer forensics]. But they should. Evidence of transactions underpins all modern business. In fact, amongst other things, an understanding of the validity of digital transactions will increasingly separate the real business men from the young apprentice boys.

More details on PI Licensing and Forensics Technicians

An update on the licensing issues discussed here, here, and here, with a couple of helpful links.

First, Kessler International, a company that engages in forensics accounting, computer forensics and corporate investigations, has posted the results of a survey concerning state licensing laws with respect to forensics accounting and computer forensics companies and employees. The results are posted in map form. Click on the state that interests you, and that state’s response pops up in pdf format.

Now, with respect specifically to Texas, you may click here [PDF] to find a series of opinions made by the Private Security Bureau with respect to licensing issues and technical tasks associated with computers. Scroll down and look at those opinions from August 21 to October 18.

Some relevant excerpts (keeping in mind that these are the board’s opinions, and not judicial rulings):

Computer Forensics August 21, 2007
The computer forensics industry has requested clarification of the Private Security Bureau’s position regarding whether the services commonly associated with computer forensics constitute those of an “investigations company” and are therefore services regulated under the Private Security Act (Chapter 1702 of the Occupations Code). It is hoped that the following will be of assistance.
First, the distinction between “computer forensics” and “data acquisition” is significant. We understand the term “computer forensics” to refer to the analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons. We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.
For example, when the service provider is charged with reviewing the client’s computer-based data for evidence of employee malfeasance, and a report is produced that describes the computer-related activities of an employee, it has conducted an investigation and has therefore provided a regulated service. On the other hand, if the company simply collects and processes electronic data (whether in the form of hidden, deleted, encrypted files, or otherwise), and provides it to the client in a form that can then be reviewed and analyzed for content by others (such as by an attorney or an investigator), then no regulated service has been provided.
The Private Security Act construes an investigator as one who obtains information related to the “identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person; the location, disposition, or recovery of lost or stolen property; the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property; or for the purpose of securing evidence for use in court. Tex. Occ. Code §1702.104. Consequently, we would conclude that the provider of computer forensic services must be licensed as an investigator, insofar as the service involves the analysis of the data for the purposes described above.
With respect to the statutory reference to “securing evidence for use in court,” we would suggest that the mere accumulation of data, or even the organization and cataloging of data for discovery purposes, is not a regulated service. Rather, in this context, the Bureau would interpret the reference to “evidence” as referring to the report of the computer forensic examiner, not the data itself. The acquisition of the data, for evidentiary purposes, precedes the analysis by the computer forensic examiner, insofar as it is raw and unanalyzed. FN1 The mere collection and organization of the evidence into a form that can be reviewed and analyzed by others is not the “securing of evidence” contemplated by the statute.
This analysis is consistent with the language of HB 2833 (Tex. Leg. 80th Session), which amends Section 1702.104. The amendment confirms that the “information” referred to in the statute “includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.”

FN1 It may well be that the hardware on which the data exists is itself the product of an investigation, but that is a separate question.

Computer Network Vulnerability Testing Firms — AMENDED January 15, 2008
This opinion amends the previous opinion issued in June of 2007. The question posed was whether network vulnerability testing firms must be licensed under the Private Security Act, Chapter 1702 of the Texas Occupations Code (“the Act”). Such companies typically conduct:
(1) Scans of a computer networks to determine whether there is internet vulnerability or other external risk to the internal network;
(2) Sequential “dial ups” of internal phone numbers to assess potential access;
(3) Risk assessment and analysis on all desktop computers connected to the network;
(4) Notification of any new security threats and required action.
Section 1702.226 of the Occupations Code provides in relevant part, that “[a]n individual acts as a private security consultant for purposes of this chapter if the individual consults, advises, trains, or specifies or recommends products, services, methods, or procedures in the security loss prevention industry.” TEX. OCC. CODE §1702.226 (1).
However, while the Bureau regulates consultants in the “security industry or loss prevention industry,” these latter phrase is not explicitly defined in the statute. It is therefore necessary to look to the rest of the statute in order to understand to which services the private security consultant’s licensure requirement applies.
It is reasonable to consider those industries otherwise regulated by the Private Security Act as reflecting the scope of the phrase “security industry or loss prevention industry.” In other words, the definitions are implied by those services that are regulated by the statute, viz., security guards, locksmiths, alarm system installers and monitors, and private investigators, and not software designers, installers or suppliers.
Thus, the industries that are directly regulated are the same industries about which one cannot consult without a license. Because the Private Security Bureau does not regulate software designers, installers, or suppliers, it also does not regulate those who provide consulting services related to computer network security.
Computer Repair & Technical Assistance Services October 18, 2007
Computer repair or support services should be aware that if they offer to perform investigative services, such as assisting a customer with solving a computer-related crime, they must be licensed as investigators. The review of computer data for the purpose of investigating potential criminal or civil matters is a regulated activity under Chapter 1702 of the Texas Occupations Code, as is offering to perform such services. Section 1702.102 provides as follows:
§1702.104. Investigations Company
(a) A person acts as an investigations company for the purposes of this chapter if the person:
(1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to:

(A) crime or wrongs done or threatened against a state or the United States;
(B) the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person;
(C) the location, disposition, or recovery of lost or stolen property; or
(D) the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property;
(2) engages in the business of securing, or accepts employment to secure, evidence for use before a court, board, officer, or investigating committee;
(3) engages in the business of securing, or accepts employment to secure, the electronic tracking of the location of an individual or motor vehicle other than for criminal justice purposes by or on behalf of a governmental entity; or
(4) engages in the business of protecting, or accepts employment to protect, an individual from bodily harm through the use of a personal protection officer.
(b) For purposes of subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.
Please be aware that providing or offering to provide a regulated service without a license is a criminal offense. TEX. OCC. CODE §§1702.101, 1702.388. Employment of an unlicensed individual who is required to be licensed is also a criminal offense. TEX. OCC. CODE §1702.386.

Case Blurb: Search Cactus; Court lays out Protocol for Forensic Collection of Plaintiff’s Hard Drive

Post Process-Plaintiff Attorney objected to a forensics exam of his computer hard drive, a computer which he used both personally and professionally. The court, though noting the validity of issues raised, ruled for Defendants. In doing so, it appointed two forensics experts to act as officers of the court, and issued the following protocol:

[T]his Court ORDERS:
1. Within seven days of the date of this Opinion and Order, Plaintiff’s forensic computer expert shall mirror image both of Plaintiff’s computer systems’ hard drives and Plaintiff shall preserve this mirror image.

2. Plaintiff’s forensic computer expert shall then remove only Plaintiff’s confidential personal information from the mirror image of Plaintiff’s computer systems’ hard drives. Plaintiff’s expert shall provide Defendants with the protocol he utilized to remove the confidential information.

3. Plaintiff shall then provide Defendants’ computer forensic expert access to his computer systems’ hard drives.

4. Defendants’ forensic computer expert shall mirror image Plaintiff’s computer systems’ hard drives in approximately four to eight hours for each system. If the expert finds that this is not enough time, Plaintiff is expected to be reasonable in allowing some additional time. Defendant is expected to be considerate with regard to scheduling times that are less intrusive to Plaintiff and his business.

5. Defendants’ expert shall review his findings in confidence with Plaintiff prior to making any findings available to Defendants.

6. Plaintiff shall identify for deletion any information that is irrelevant and create a specific privilege log of any relevant information for which he claims privilege. The computer forensic expert shall remove the information claimed as privileged and provide all other information to Defendants.

7. Defendants’ expert shall provide Plaintiff with the protocol he utilized to remove the privileged information.

8. Forensic computer experts C. Matthew Curtin and Scott T. Simmons shall act as officers of this Court. Defendants shall be responsible for remunerating Mr. Curtin and Plaintiff shall be responsible for remunerating Mr. Simmons.

Ferron v. Search Cactus, L.L.C., 2008 WL 1902499 at *5 (S.D. Ohio Apr. 28, 2008 )

Case Blurb: Search Cactus LLC; Forensics Examiners to Serve as Officers of the Court

Post Process-Plaintiff Attorney objected to a forensics exam of his computer hard drive, a computer which he used both personally and professionally. The court, though noting the validity of issues raised, ruled for Defendants. In doing so, it appointed two forensics experts to act as officers of the court:

It appears to the Court that both of the forensic computer experts presented to it are qualified. In certain situations, courts appoint computer forensic experts to act as officers of the court to help “reduce privacy intrusions and privilege waiver issues during forensic analysis.” Mark E. Borzych, Avoiding Electronic Discovery Disputes: Practice Questions Answered, 41 AZ Attorney 36 (January 2005). See also Thielen, 2007 U.S. Dist. LEXIS 8998, at *8 (court ordered forensic analysis by third party and accepted that no waiver of privilege occurred). Thus, the two identified computer forensic experts shall serve as officers of this Court.

Ferron v. Search Cactus, L.L.C., 2008 WL 1902499 at *4 (S.D. Ohio Apr. 28, 2008 )

Computer Forensics Vindicates Man Fired for Possessing Child Pornography

A distasteful case appears in the on-line version of the Boston Herald. Michael Fiola was suddenly fired from his job at a state agency and accused of possessing child pornography:

Months later, DIA information technology officials noted that the data usage on Fiola’s Verizon wireless bill was 4 times greater than his colleagues’. After discovering the child porn , Commissioner Paul Buckley fired him on March 14, 2007.

DIA turned the matter over to state police who, after confirming “an overwhelming amount of images of prepubescent children engaged in pornographic poses” were stored on the laptop, persuaded Boston Municipal Court to issue a criminal complaint against Fiola in August 2007.

Now, I’ve seen Dateline, and I know that there are people (a lot of people, evidently) who simply can’t resist the impulse to engage in this kind of behavior. In fact, if you work anywhere near a computer forensics lab (and I do), you find out how incredibly common this kind of activity is. That said, there’s still a little issue of due process. It seems that the data wasn’t downloaded by Mr. Fiola, or anyone he knows, after all:

[Computer Examiner Tami] Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye.

The DA’s office concurs. So, Mr. Fiola went back to work, right? Wrong. Apparently the Massachusetts Department of Industrial Accidents, who had employed Fiola, who had in fact given him a laptop with defective protection, states that it “stands by [its] decision” to terminate him. Fiola’s attorney, Timothy Bradl, doesn’t get it:

“Imagine this scenario: Your employer gives you a ticking time bomb full of child porn, and then you get fired, and then you get prosecuted as some kind of freak,” he railed.

I don’t get it either, and in this day and age, these types of situations are going to continue to occur; so we should all be very wary.

TX Case Blurb: Honza; Court addresses objection to discovery request based on revealing confidential information, court order

[Producing Party members] seek a writ of mandamus compelling Respondent, the Honorable Greg Wilhelm, Judge of the County Court at Law No. 1 of Ellis County, to set aside a discovery order requiring the Honzas to permit a forensic expert to create a mirror image of each of the computer hard drives in the Honzas’ office in an effort to locate two particular documents or iterations of those documents…

The Honzas contend that Respondent abused his discretion because: (2) the order authorizes the disclosure of information protected by the attorney-client privilege; and (3) the order authorizes the disclosure of confidential information pertaining to the Honzas’ other clients who have no connection to the underlying lawsuit.

The present discovery dispute originated with [Requesting Party's] motion to gain access to the Honzas’ computers, which was filed about one month before trial. By this motion, [Requesting Party] sought “[i]nformation (the ‘Metadata’) contained on the actual computers of the Defendants, such as any time stamps on the Relevant Documents, versions of the Relevant Documents, if any, as well as the deletion of various versions, if any.” [Requesting Party] explained that, although the Honzas responded to a prior request for production of relevant documents in their electronic version, “the Metadata was neither produced nor made available.”

[Ed. Testimony indicated the existence of relevant documents with respect to a another transaction apparently not addressed by earlier discovery requests]

[] [Requesting Party] sought discovery of relevant documents pertaining to the [newly revealed] transaction, and the [Producing Party] complied by providing pertinent written discovery.

[Requesting Party] seeks the metadata from the [Producing Party's] hard drives because it wants to identify the points in time when the partial assignment draft was modified in relation to the diary entry. This goes to the issue of whether [the Producing Party] altered the partial assignment after the parties concluded their agreement but before the document was presented for execution.

[Ed. The opinion then went on to list various Federal and State sources for persuasive authority in discovery law, especially with respect to ESI]

Privileged or Confidential Information

The [Producing Party] also contend[s] that the discovery order improperly authorizes the disclosure of (1) information protected by the attorney-client privilege and (2) confidential information pertaining to the Honzas’ other clients who have no connection to the underlying lawsuit.

Notwithstanding the “unlimited” access necessarily granted the forensic expert, Respondent’s order preserves any privileged or confidential information in several ways. First, the expert is limited in his search to two specific documents or iterations of those documents. [Members of the Producing Party] are then accorded the right to review the documents and information which the expert believes responsive and produce to [Requesting Party] only those documents and information which [members of the Producing Party] themselves believe are responsive. These provisions effectively preclude [Requesting Party] from having any access to documents or information pertaining to other clients of the Honzas not involved in this litigation.

Second, the order allows the [Producing Party executives] to withhold from discovery any documents or information which they claim to be privileged or confidential and provide instead a privilege log, subject to in camera review by Respondent.

Finally, the order provides that: (1) the observation of information by [Requesting Party] representatives during the imaging process shall not constitute a waiver of privilege or confidentiality; (2) all participants in the imaging process are subject to a protective order prohibiting the unauthorized disclosure of information; and (3) [Requesting Party's] expert must provide proof of being bonded and of having commercial liability insurance by which the [Producing Party] may be “fully indemnified against any monetary loss.”

For these reasons, we hold that Respondent appropriately tailored the discovery order to prohibit the unauthorized disclosure of privileged or confidential information and no abuse of discretion is shown.

[Ed. Note that a dissenting opinion is also entered by one of the Judges hearing the case. See the order itself for the full text of that dissent, or of the opinion itself.]

In re Honza, 2007 WL 4591917 (Tex. App. Dec. 28, 2007)

TX Case Blurb: Honza; Court addresses objection to ‘overly broad’ discovery requests, court order

[Producing Party members] seek a writ of mandamus compelling Respondent, the Honorable Greg Wilhelm, Judge of the County Court at Law No. 1 of Ellis County, to set aside a discovery order requiring the Honzas to permit a forensic expert to create a mirror image of each of the computer hard drives in the Honzas’ office in an effort to locate two particular documents or iterations of those documents…

The Honzas contend that Respondent abused his discretion because: (1) the discovery order is overbroad and authorizes an improper “fishing expedition”;…

The present discovery dispute originated with [Requesting Party's] motion to gain access to the Honzas’ computers, which was filed about one month before trial. By this motion, [Requesting Party] sought “[i]nformation (the ‘Metadata’) contained on the actual computers of the Defendants, such as any time stamps on the Relevant Documents, versions of the Relevant Documents, if any, as well as the deletion of various versions, if any.” [Requesting Party] explained that, although the Honzas responded to a prior request for production of relevant documents in their electronic version, “the Metadata was neither produced nor made available.”

[Ed. Testimony indicated the existence of relevant documents with respect to a another transaction apparently not addressed by earlier discovery requests]

[] [Requesting Party] sought discovery of relevant documents pertaining to the [newly revealed] transaction, and the [Producing Party] complied by providing pertinent written discovery.

[Requesting Party] seeks the metadata from the [Producing Party's] hard drives because it wants to identify the points in time when the partial assignment draft was modified in relation to the diary entry. This goes to the issue of whether [the Producing Party] altered the partial assignment after the parties concluded their agreement but before the document was presented for execution.

[Ed. The opinion then went on to list various Federal and State sources for persuasive authority in discovery law, especially with respect to ESI]

Overbroad Discovery

The [Producing Party] first contend that the discovery order is overbroad and authorizes an improper “fishing expedition.” In this regard, they argue that Respondent improperly “gave blanket approval for [the Requesting Party] to gain total access to [their] computers and all information stored on them, whether or not it has anything to do with this lawsuit.”

Although it is true that Respondent’s order gives A & W’s forensic expert [FN8]complete access to all data stored on the Honzas’ computers, the order provides that the expert is to index all forensic images acquired from the imaging process “for the limited purpose of searching (the ‘Examination Process’) for two documents, previously Bates-labeled as HONZA 00019 and HONZA 00017, which are drafts of “Assignment of Contract” and any iterations (the ‘Relevant Documents’).” The expert must then compile any documents or information which the expert believes responsive and deliver them to the Honzas to determine for themselves which are responsive to A & W’s discovery request and which they choose to withhold, providing a privilege log instead.

In addition to limiting the expert’s search to two specific documents, the order provides that no waiver of privilege or confidentiality occurs if any otherwise privileged or confidential information is observed by A & W’s counsel or representatives during the imaging process, and they are prohibited from using such information other than in compliance with the terms of the order. The forensic expert is likewise prohibited from disclosing any information observed during the imaging process. And finally, the order requires the expert and all party representatives or counsel participating in the imaging process to sign an acknowledgment agreeing that they are subject to contempt of court for any violation of the order.

Any order requiring the imaging of a computer hard drive necessarily grants the expert who is conducting the imaging process access to all data on that hard drive. Here, Respondent specifically limited the expert’s search to two documents; gave the [Producing Party] a “right of first refusal” with regard to determining which documents or information are relevant to those two documents and responsive to [Requesting Party's] discovery request; imposed stringent limitations on inadvertent disclosures to prevent any unintended waiver of confidentiality or privilege; and placed all participants in the imaging process under a carefully drawn protective order.

Therefore, we do not agree with the Honzas’ contention that the discovery order is overbroad.

[Ed. Note that a dissenting opinion is also entered by one of the Judges hearing the case. See the order itself for the full text of that dissent, or of the opinion itself.]

In re Honza, 2007 WL 4591917 (Tex. App. Dec. 28, 2007)

TX Case Blurb: Honza; Court outlines process for Forensic Expert’s access to Party’s hard drive and subsequent production

[Producing Party members] seek a writ of mandamus compelling Respondent, the Honorable Greg Wilhelm, Judge of the County Court at Law No. 1 of Ellis County, to set aside a discovery order requiring the Honzas to permit a forensic expert to create a mirror image of each of the computer hard drives in the Honzas’ office in an effort to locate two particular documents or iterations of those documents…

The Honzas contend that Respondent abused his discretion because: (1) the discovery order is overbroad and authorizes an improper “fishing expedition”; (2) the order authorizes the disclosure of information protected by the attorney-client privilege; and (3) the order authorizes the disclosure of confidential information pertaining to the Honzas’ other clients who have no connection to the underlying lawsuit.

The present discovery dispute originated with [Requesting Party's] motion to gain access to the Honzas’ computers, which was filed about one month before trial. By this motion, [Requesting Party] sought “[i]nformation (the ‘Metadata’) contained on the actual computers of the Defendants, such as any time stamps on the Relevant Documents, versions of the Relevant Documents, if any, as well as the deletion of various versions, if any.” [Requesting Party] explained that, although the Honzas responded to a prior request for production of relevant documents in their electronic version, “the Metadata was neither produced nor made available.”

[Ed. Testimony indicated the existence of relevant documents with respect to a another transaction apparently not addressed by earlier discovery requests]

[] [Requesting Party] sought discovery of relevant documents pertaining to the [newly revealed] transaction, and the [Producing Party] complied by providing pertinent written discovery.

[Requesting Party] seeks the metadata from the [Producing Party's] hard drives because it wants to identify the points in time when the partial assignment draft was modified in relation to the diary entry. This goes to the issue of whether [the Producing Party] altered the partial assignment after the parties concluded their agreement but before the document was presented for execution.

[Ed. The opinion then went on to list various Federal and State sources for persuasive authority in discovery law, especially with respect to ESI]

Under these decisions, the following protocol is generally followed. First, the party seeking discovery selects a forensic expert to make a mirror image of the computer hard drives at issue. This expert is required to perform the analysis subject to the terms of a protective order, generally prohibiting the expert from disclosing confidential or otherwise privileged information other than under the terms of the discovery order.

After creating the mirror images and analyzing them for relevant documents or partial documents, courts typically require the expert to compile the documents or partial documents obtained and provide copies to the party opposing discovery. That party is then to review the documents, produce those responsive to the discovery request, and create a privilege log for those withheld. Finally, the trial court will conduct an in-camera review should any disputes arise regarding the entries in the privilege log.

Because our research has disclosed no Texas decisions regarding this type of electronic discovery, we will apply these fairly uniform procedures to the issues presented in this proceeding.

[Ed. Note that a dissenting opinion is also entered by one of the Judges hearing the case. See the order itself for the full text of that dissent, or of the opinion itself.]

In re Honza, 2007 WL 4591917 (Tex. App. Dec. 28, 2007)

Case Blurb: Scotts Co.; Forensic Copies not required by amended FRCP

The 2006 amendments to Rule 34 of the Federal Rules of Civil Procedure simply clarify “that discovery of electronically stored information stands on equal footing with discovery of paper documents.” Fed.R.Civ.P. 34 Advisory Committee’s Note on 2006 Amendments. Consequently, without a qualifying reason, plaintiff is no more entitled to access to defendant’s electronic information storage systems than to defendant’s warehouses storing paper documents.

The discovery process is designed to be extrajudicial, and relies upon the responding party to search his records to produce the requested data. In the absence of a strong showing that the responding party has somehow defaulted in this obligation, the court should not resort to extreme, expensive, or extraordinary means to guarantee compliance. Imaging of computer hard drives is an expensive process, and adds to the burden of litigation for both parties, as an examination of a hard drive by an expert automatically triggers the retention of an expert by the responding party for the same purpose. Furthermore, as noted above, imaging a hard drive results in the production of massive amounts of irrelevant, and perhaps privileged, information. Courts faced with this inevitable prospect often erect complicated protocols to screen out material that should not be part of discovery. See, e.g., Playboy Enters., 60 F.Supp.2d [1050, 1054 (S.D.Cal.1999) (appointing court’s expert to conduct examination). Again, this adds to the expense and complexity of the case.
This court is therefore loathe to sanction intrusive examination of an opponent’s computer as a matter of course, or on the mere suspicion that the opponent may be withholding discoverable information. Such conduct is always a possibility in any case, but the courts have not allowed the requesting party to intrude upon the premises of the responding party just to address the bare possibility of discovery misconduct.

The Scotts Co. v. Liberty Mutual Ins. Co., 2007 WL 1723509 (S.D. Ohio June 12, 2007) (quoting with approval Diepenhorst v. City of Battle Creek, 2006 U.S. Dist. LEXIS 48551, *10-11 (W.D. Mich. June 30, 2006).)

Hard drive inspection requests during discovery

Law.com brings us an article on the protocols adopted by courts with respect to inspecting a party’s hard drive during discovery. As frequent readers of this page know, document production is typically left up to each party in a dispute. Thus, allowing one party (or its forenisc expert) to inspect another’s computer represents a bit of a departure from traditional practice:

As a federal district court judge recently observed, a computer itself is not evidence in most cases, but merely the instrument for creating evidence (like a typewriter) or the means of storing it (like a file cabinet).

Accordingly, today’s litigants routinely seek access to opponent’s computer hard drive to search for discoverable evidence, especially when the opposing party may not be forthcoming about deleted or transferred files.

Hard drive inspections, therefore, are likely to occur when one party is seen to be less than forthcoming with its productions than their obligations require.

Generally speaking, courts allow imaging of an opponent’s computer hard drive in situations involving an adversary’s unsatisfactory document production or a finding that a hard drive search would yield deleted items. For example, in Playboy Enters. v. Welles, 60 F.Supp.2d at 1050, rev’d on other grounds, Playboy Enters. v. Welles, 279 F.3d 796 (9th Cir. 2002), a trademark infringement case, the plaintiff’s discovery request included permission to have access to the defendant’s hard drive for the purpose of recovering deleted e-mails that allegedly were systematically erased after litigation commenced and that may have been highly relevant. In granting the defendant’s request, the court found that the need for the requested information outweighed the burden to the defendant. Some courts will issue discovery orders for expedited discovery at the outset of litigation when the subject matter of the dispute involves trade secrets or other sensitive information that can be easily erased or destroyed.

The article notes that often third party vendors are used to accomplish the inspection to prevent the perception (real or imagined) of the presence of bias or abuse in the process. The article also mentions that even when allowing these inspections, protections courts often establish protections against undue burdens or disclosure of privileged or private data. Remember in our last post, the court in Lakeside School set up a screening process so that an employee’s privileged “web based” e-mails were not disclosed to the school, despite the fact that the school owned the hard drive at issue, and the employee had signed an agreement allowing the school to inspect the computer.