Post Process

Everything to do with E-discovery & ESI

Archive for September 25th, 2007

The complexities of e-discovery: In the beginning

Posted by rjbiii on September 25, 2007

Yet another new series: Effectively Managing E-Discovery. This is the first installment.

Complex discovery projects in this digital era can intimidate attorneys and their clients alike. One reason for this is that electronic discovery requires an understanding across several disciplines. Law, IT, records management, and compliance are some of those areas of knowledge from which any discovery team should draw. It is difficult for any one individual to have sufficient knowledge across all these areas, so communication between experts from these professions becomes important. And we all know that lawyers and IT people communicate with each other effortlessly, don’t we?

Even in the IT sector, electronic discovery can call on different knowledge bases. Archiving, back-up and restoration might be needed at the collection point in the process, while a programmer’s knowledge of file formats will be useful downstream during the processing of evidence; an expert in search engines might be needed to help cull down the data to a manageable size for “eyes on” review by attorneys; a DBA might be needed to analyze and extract data from a customized database… the scenarios are endless.

Before we go further, we must also acknowledge that there is some ambiguity with regard to when a “discovery project” actually begins. The legal standard is “reasonable anticipation” of litigation. There are a number of events that may trigger the “duty to preserve,” and some of those have been listed under the duty to preserve tag. Because what creates this reasonable anticipation can take an infinite series of forms, there is no, and will never be, a complete list.

Any discussion of the complexities of a particular project begins with the IT enterprise housing the data. Before you can collect data, you must ensure it is preserved. Before you can preserve it, you must identify which data sources (or custodians) possess relevant information. And this identification process is tied to such things as network topology, which users are involved in the projects associated with the pending litigation, and what practices are implemented by these custodians in storing their data. Merely identifying the appropriate custodians requires a knowledge of the legal nature of the dispute (is this IP, employment dispute, white collar crime?) and the nature of personnel assignments within the company. Who works on what projects? If some of the custodians have administrative assistants or secretaries, you can’t forget about them!

Issues that are dealt with include legacy systems, password protection, encryption, storage habits (how often are items backed up, restored, etc.), unmapped partitions, and expensive or proprietary application formats (that e-discovery vendors will be unable to process). Are there any mirrored, or collocated servers?

Then, there are situations in which storage has been outsourced. What are the policies and procedures for wading through that data?

One worry of discovery team members is whether the scope of discovery goes beyond the bounds of the business’s IT enterprise. What would cause that? Well, mixed personal and business use on the same computer. Do users work at home on their own machines? Do employees use private, external e-mail accounts to send and receive work-related documents? Are “retired” computers given away without being wiped? Practices such as these expand the scope of scrutiny beyond the bounds of the company’s IT universe, and the prevention of these situations is best addressed in a company’s “acceptable use” and “document retention” policies.

Once data sources are identified, and effective measures implemented to preserve the data, a collection process that is defensible in court must be designed. Outside counsel, after addressing these issues with their own client, must also then assess the opponent’s data universe in the same manner, assuming that they will be requesting documents as well. So while outside counsel, playing offense, is trying to get a feel for how to get to the adversary’s documents, General Counsel is usually confined to playing defense, and making sure its own house is in order. Much of the GC’s best work can be done before any dispute hits, in implementing policies and processes that smoothly integrate litigation holds and defensible collection into the data retention practices of the company. To ensure a smooth handoff from GC to outside counsel, communication between the two is another critical component to a successful discovery project.

These factors must be looked at early on in the process. Some of them should be examined before the emergence of any dispute. I’m sure there are more issues early on, and any war stories are welcome. I’ll examine vendor management in my next post under this topic.

Posted in Effectively Managing E-Discovery

The problem with passwords

Posted by rjbiii on September 25, 2007

I’m sure none of us has ever noticed this before:

Paying bills and buying merchandise online may be convenient but carries a well-known side effect: Too many passwords.

Virtually every secure Web site involved in transacting financial information requires a username and password. Your credit cards. Your mortgage. Your auto loan. Your phone. Your cell phone. Your bank account. Your 401(k) account. Your brokerage account. Your health insurance account. Your prescription drug provider. Shopping sites. Hotel reservation sites. Airline reservation sites. You get the idea.

Over the years, estate attorneys have discovered a lesser-known side-effect: Some people go to their graves preserving their passwords, leaving relatives and representatives of their estates with no knowledge of how to access the various accounts – or even which accounts exist.

(emphasis added)

I’m pretty good about remembering passwords, yet I’ve had to call certain vendors to re-set on a number of occasions. While processing evidence, we often come upon password-protected files. While there are a number of apps that take advantage of back-door routes, often the only answer is brute force. At some point, I’ll look at password-protected files in the context of the legal standard of “reasonably accessible.”

Posted in Computer Security, Password Protection

To Delete or Not to Delete, if you work for the Government…

Posted by rjbiii on September 25, 2007

We’ve already posted once about the difficulty in deciding when it is appropriate to delete e-mails. But that article was written from the corporate perspective. Think, then, how much more difficult it can be for a state institution to comply with transparency rules:

An e-mail pops into your inbox. You scan over it. Now you’ve got a decision to make: Delete it, or keep it?

These decisions are made daily by hundreds of millions of people around the world, often without more than a second of thought.

That may be fine if you’re reading a friend’s message or a consumer solicitation on your home computer. But if you are a public employee, a hasty deletion could be a crime. Really.

The AP writer is not likely familiar with compliance and discovery issues, or he wouldn’t express such surprise. Basically, the article details the difficulties in deciding when it’s okay to delete and when it isn’t; government units subjected to rules on openness and transparency use different templates than do businesses. So how is the fateful decision made? Same as it is in most corporations:

The responsibility essentially falls on each government employee sending and receiving an e-mail to judge whether it can be deleted or should be saved.

And ultimately, that will either have to change, or there will be consequences…

Posted in Articles, Compliance, Data Management, email