Forensic Update

Reflections on information management within the legal and regulatory arena

Archive for September, 2010

Records Retention problem? I think not…

Posted by Johnny Lee on September 28, 2010

Paper LandfillMany organizations continue to wrestle today with what the good folks at the Association for Imaging and Information Management (“AIIM”) have deemed our “digital landfills.”  This metaphor captures well the mentality that most organizations (according to recent studies) do not, in fact, have any sort of records or data retention issue.

The majority of organizations actually suffer from a data destruction problem.  For it is the failure to defensibly destroy—rather than to retain—information that is posing new and challenging problems.  Indeed, a systematic and effective records destruction program eludes most organizations today.  And the confidence within these organizations (to sift through these landfills quickly and completely) remains quite low.

Over the last four years, AIIM has conducted its State of the ECM Industry survey with rather dismal results for what we’ll coin here as the Content-Recovery Confidence Index.  Indeed, for each of the past four years, over 35% of organizations responding to the survey are “Not Very Confident” or “Not at All Confident” in their ability, if challenged, to demonstrate that their electronic information is “accurate, accessible, and trustworthy.”

What is even more alarming is the fact that the percentage of those responding with low confidence numbers have been steadily on the rise since 2006.  ForensicUpdate has published many articles on the reasons for this—from the unfettered proliferation of data to the inexpensive cost of enterprise storage to the simple fact that many organizations have lived a “charmed life” by not having to suffer through a bet-the-company litigation or regulatory matter.  Just the same, the steady rise of organizations expressing concern in their inability to produce information under the gun (and under the microscope) can hamper an organization’s ability to convince an outside party—be it opposing counsel, customer, vendor, judge, or regulator—that the information provided is the accurate and complete record of what transpired.

Posted in ECM, eDiscovery, Investigations, Records Retention | Tagged: , , , , , , , , , , , , , , | Comments Off on Records Retention problem? I think not…

Expectation of Social Media Privacy = Wishful Thinking?

Posted by Johnny Lee on September 27, 2010

Wishful ThinkingA few weeks ago, this forum posted an article about an administrative hearing held by the Equal Employment Opportunity Commission (“EEOC”) that dealt with the “discoverability” of information from social networking sites.  In that matter, EEOC v. Simply Storage Management, the Commission held that this information was relevant and discoverable because of the nature of the allegations at issue (namely, that the harm alleged resulted in depression and post-traumatic stress).

We now see this same logic applied to a civil matter in Romano v. Steelcase Inc., wherein the plaintiff’s social networking posts were requested1 in discovery because the plaintiff had specifically alleged that the harm from the defendant caused the plaintiff the “loss of enjoyment of life.”  Just as with the EEOC case, the court approved but limited the defendant’s motion, ordering “there shall be full disclosure of all non-privileged matter which is material and necessary to the defense or prosecution of an action.”  This extended, quite obviously in the court’s opinion, to materials posted to a social networking site that might be indicative of plaintiff’s mental state.

As predicted in our prior post, we expect this sort of discovery request to become a fairly standard arrow in defense counsel’s quiver.  For when mental anguish is alleged, any public statement indicating mental state on a social media site is not only public (therefore accessible) but completely fair game (because it is directly responsive to the matter before the court).

Several things are of interest in this case.  In addition to being an early civil court adaptation of the administrative rule set forth in the EEOC matter, it is important to note that the court must still navigate the granting of discovery carefully here.  Put differently, while the data within these social networking updates are discoverable, the mechanics of acquiring them require the consent of the content-creating party.  The failure to acquire this consent runs the risk of a court battle between the court’s motion to compel and the social networking site’s obligations under the Stored Communications Act2—better all around to have the parties produce their own content.

Also of interest is that this case (much like the EEOC matter) dealt with resistance from the producing party on privacy grounds, though here the plaintiff advanced a Fourth Amendment response to the defendant’s discovery request.  And, just as with the EEOC matter, the court held that such privacy rights are forfeited when the information alleged as private is posted voluntarily to such a public forum.  Leaning on prior case law involving other forms of electronic communication (notably electronic mail), the court equated such a privacy claim as unreasonable and the by-product of a “theoretical protocol better known as wishful thinking.”

1 To review a copy of the actual drafted motion, please click here.

2 For more on the decision in May 2010 that seems to be the first to apply the 1986 Stored Communications Act (18 U.S.C. 2701-11) to data on social networking sites, please see Crispin v. Christian Audigier Inc. (C.D. Calif. May 26, 2010).


Case Law Update: Court Orders Production of Plaintiff’s User Names and Passwords for Social Network Accounts @ McMillen v. Hummingbird Speedway, Inc., No. 113-2010 CD (C.P. Jefferson, Sept. 9, 2010).  Click here for an excellent write-up of this case from early September 2010.

Posted in eDiscovery, Investigations, Privacy, Records Retention, Social Networking | Tagged: , , , , , , , , , , , , , , | 1 Comment »

Jail Time for eDiscovery shenanigans? Believe it…

Posted by Johnny Lee on September 22, 2010

eDiscovery Jail TimeIn a development that is sure to send a shock wave through the Electronic Discovery (“eDiscovery”) and Litigation communities, Magistrate Paul Grimm (United States District Court of Maryland) issued a court order recommending potential prison time for an especially egregious case of eDiscovery mismanagement.  Specifically, Judge Grimm’s order (q.v., Victor Stanley Inc. v. Creative Pipe, Inc. court order) issued on September 9th, found that the defendant’s mishandling of Electronically Stored Information (“ESI”) was tantamount to a “pervasive and willful violation of serial Court orders to preserve and produce ESI evidence” and that, as such, the behavior shall be treated as contempt of court.

To be clear, Judge Grimm recommended imprisonment “unless and until [the Defendant] pays to Plaintiff the attorney’s fees and costs that will be awarded to Plaintiff as the prevailing party.”  Just the same, this is a clarion call from the courts to sanction severely for evidence spoliation and for what appears to be a willful disregard of a series of discovery requests and court orders.

As with the Qualcomm Inc. v. Broadcom Corporation case from late 2007, the presiding magistrate judge found exceptionally bad mismanagement of ESI to warrant a substantial sanction.  There, the magistrate judge ordered Qualcomm to pay a portion of Broadcom’s attorney fees, and the judge referred six Qualcomm attorneys to the California State Bar for review and possible disciplinary sanctions.

We see two things in Judge Grimm’s recent court order.  First, we see further evidence of a “no nonsense” policy stance being adopted by federal courts relative to evidence spoliation and inadequate attorney oversight into the eDiscovery process.  Second, we see perhaps the case law “tipping point” that provokes organizations to elevate eDiscovery mismanagement as a serious enough enterprise risk to warrant genuine investment in their litigation readiness strategies and programs.  One thing is certain: Things just got a lot more interesting for those monitoring (and participating in) the case law in this space…stay tuned!

Posted in eDiscovery, Investigations, Litigation Hold, Records Retention | 2 Comments »

eDiscovery meets CMM…a new benchmarking model

Posted by Johnny Lee on September 21, 2010

EDRM CMMThe excellent consortium of experts at EDRM have delivered a tremendous service to organizations that are wrestling with in-house Electronic Discovery program development.   At long last, a vendor-agnostic framework exists to inform and to guide companies seeking to improve their litigation readiness capabilities without over-engineering their policies or procedures or purchasing technology that underwhelms because it’s misaligned to strategy.

As with any Capability Maturity Model (“CMM”), the basic utility of the model is the objective way in which it identifies key indicators of capability across people, process, and technology within a given organization.  If you’re unfamiliar with the good folks at the Electronic Discovery Reference Model, I strongly recommend you review their excellent research.

This model, developed as part of the EDRM White Paper Series, will help organizations benchmark their current capabilities along a straightforward spectrum.  Additionally, the CMM permits insights into which level of capability is optimal for a given organization, given its unique risk profile, which should cut down immensely on the “boil the ocean” reticence many organizations face when they first embark down the path of developing an eDiscovery readiness program.  Sincere kudos to the great work at EDRM!

Posted in ECM, eDiscovery, Information Security, Litigation Hold, Records Retention | 1 Comment »

Perusing the Digital Library via your Computer’s Card Catalog…

Posted by Johnny Lee on September 14, 2010

Binary Card CatalogWhether we recognize it or not, our daily work with computers involves a great deal of behind-the-curtain changes within these systems that most of us never contemplate.  Indeed, the mere fact that you are reading this article indicates that you’ve altered the computer or device on which you’re perusing this site.  Some of these are automated changes, and some are the direct result of “manual” intervention by the user; all of them are potentially impactful to a forensically thorough review of a given system.

The vast majority of the changes performed by an end-user are mere housekeeping, such as removing the no-longer-useful drafts that lead up to the final version of an email, spreadsheet, or document.  However, to understand how computer forensics professionals recover files that don’t depart via such innocent means, it is imperative to learn a little more about the life cycle of a so-called deleted file.

To begin, we must assume that the audience is at least familiar with the concept of a library card catalog.  So, for the benefit of those who came of age after the 1990s, I will characterize the card catalog as a large bureau comprised of very skinny drawers, filled with thousands of index cards, each containing bibliographic information about a given book housed within that particular library.  In theory, every book within the library has a corresponding card (within the catalog drawers) that tells the reviewer of the card: (1) the book exists within the library, (2) some basic indicia about that book, such as the author, title, publication house and date, copyright information, etc., and (3) where to go within the library to lay hands on the book itself.

For most computer systems (and memory devices) in use today, the digital equivalent of the card catalog is called the File Allocation Table (“FAT”).  Simply put, the FAT is the framework of the file system that provides the means for a computer to identify where files have been written to the hard drive so that it can quickly retrieve them for use.  (For a broader introduction to FATs, please click here.)

When a new computer file is created (again, in most systems), a short entry is made within the directory where the file is to reside (akin to choosing the appropriate drawer within the library’s card catalog), then a new FAT entry is recorded (akin to creating a new card to place within that catalog drawer) to describe the file and tell the computer/librarian where to look within the hard drive/library for the file itself, and finally the data is written to the disk (akin to placing the “book” on an actual shelf within the library).

In the physical world, removing a book from a library would typically involve taking the book off the shelf, removing its corresponding bibliographic card from the card catalog, and disposing of both items.  However, the digital equivalent of this process undertakes only one of these steps.  Specifically, when a file is deleted the directory entry is changed to a “please ignore me” flag (using the E5 HEX value), which is akin to a hallway conversation with the librarian, quickly forgotten, that one of her 800,000 books has gone missing.  Next, the FAT entry is “zeroed out” (i.e., its previously useful information is overwritten with zero values), which is tantamount in the physical library to pulling the card from its catalog drawer, tearing it up, and throwing it away.  Finally, the computer does something otherwise quite curious, it leaves the data itself alone (i.e., nothing is touched where the file has been written to the hard drive), which is equivalent to leaving the physical book on its shelf.

Obviously, for those looking through the library for the contents of a given book, the card catalog provides a wealth of time-saving information in that search.  However, forensic examiners consider it second nature to review the computer’s card catalog (FAT) exhaustively then to promptly discount that the catalog represents the complete holdings of that library.  These examiners then employ a host of techniques to identify the library’s true inventory—whether the files/books are known to the librarian or whether they have been partially destroyed but still reside on the shelf.  Put differently, when a forensic examiner performs an analysis of what is on the computer, no stone is left un-turned; the examiner will interrogate the librarian, pour over the card catalog, thoroughly review each individual bookshelf, and even delve into the dumpster out back for remnants of disposed books.

So the next time you’re thinking about your daily use of a computer, try to appreciate what is really going on related to file storage and retention.  The delete button is an eminently useful device, but it is somewhat of a misnomer.  To a trained forensic examiner, the delete button is a semi-transparent fig leaf that merely obscures the deleted file for a short while.

The author would like to acknowledge the early adoption of the card catalog metaphor by authors Steven C. Bennett, Esq. (partner at Jones Day and Chair of that firm’s eDiscovery Committee) and Thomas M. Niccum, Ph.D. (founder and President of Lancet Software).  While their original use of this metaphor dates back (at least in print) to 2003, it has only recently started to become commonplace among the judiciary seeking to become more savvy on evidence obtained via computer forensic techniques.  Like any clear picture, the Bennett/Niccum metaphor speaks more eloquently than volumes on the subject.

Posted in Computer Forensics, Records Retention | Comments Off on Perusing the Digital Library via your Computer’s Card Catalog…

The Promising ROI of eDiscovery Software…

Posted by Johnny Lee on September 13, 2010

Gartner LogoLast December’s Gartner report provided a new perspective for the debate for companies weighing whether to bring a portion of their Electronic Discovery (“eDiscovery”) management in-house.  While there is certainly a significant amount of nuance to this dialog that is difficult to quantify, the Gartner report strongly indicates that those companies with the wherewithal to in-source this function no longer have to guess at valuations related to the Return on Investment (“ROI”).

While the report does make some bold claims (e.g., a three-to-six-month payback period for eDiscovery software, even for systems costing $1 million or more), it is important to note that the cost savings required for such impressive returns must, of logical necessity, hinge on two key factors.  Namely, the organization [1] must be wrestling with significant (legal and/or regulatory) case loads to tip the balance and [2] must possess a staff capable of fully exploiting these technologies (especially in the areas of early case assessment and in-house data collection and evidence preservation).  Neither of these factors is especially trivial, and both should receive careful thought before embarking upon a serious in-sourcing transition.

The ROI math, of course, makes sense if a company is willing to invest in the technology itself as well as the proper implementation and continued use of these applications AND–perhaps equally important–the long-term retention of the skilled personnel required to integrate such cutting-edge technology into a cohesive program.  For many companies, the bitter irony is that they might be willing to take this plunge, only to have their newly trained and optimized program dismantled by personnel that now have a vastly more marketable skillset–one with a higher market demand and the logical corollary of higher salary demands.

Accordingly, while the diminishing return here is something to be wary of, there is good news for companies taking a systemic approach to addressing risk management in this area.  Put differently, Gartner’s analysis helps to quantify some of the “fuzzy math” that has heretofore been the province only of the vendors pitching their wares.  This makes the decision tree easier to follow, but the softer aspects of the ROI must still be considered.  Simply put, companies can realize the promised ROI only if they genuinely think in terms of a program that integrates policy, process, technology, and people into a sustainable model.

To read the full Gartner write-up, please click here.

Posted in ECM, eDiscovery, Litigation Hold, Records Retention | Comments Off on The Promising ROI of eDiscovery Software…

Social Networking updates deemed discoverable evidence…

Posted by Johnny Lee on September 9, 2010

Facebook Update Sample

In a matter before the U.S. Equal Employment Opportunity Commission (“EEOC”) earlier this year, a discovery order in the district court case of EEOC v. Simply Storage Management (Southern District of Indiana) determined that certain types of information from social network sites are discoverable to employers defending a claim of sexual harassment.  While this introduction alone is worthy of its own article, it is interesting to note the electronic discovery complexities that may flow from such a precedent.

In the Simply Storage matter, two females filed claims of sexual harassment, and the EEOC filed a complaint on their behalf.  The employer, Simply Storage Management, requested the production both of [1] “all photographs or videos posted by [or of] claimants…on Facebook or MySpace” from the start of their employment to the date of the filed claim and [2] all “updates, messages, wall comments…for the same time period.”

The defendant posited that this discovery request was proper because the EEOC’s claim had put the “emotional health” of the claimants at issue, indicating that the alleged harassment had caused the claimants to be “depressed and [to suffer] from post traumatic stress disorder.”  The EEOC agreed, but it limited the requested social networking discovery to items that were responsive directly and exclusively to “matters alleged in the complaint.”

While the procedural maneuvering here is certainly interesting, what is also somewhat fascinating is that this discovery (of social networking updates) will now become de rigueur for employers defending harassment claims.  Accordingly, in addition to adding this move to defense counsel’s playbook, litigators will now need to appreciate even more the nuances and complexities of the data preservation, collection, and analysis of this seemingly ephemeral information—especially in light of the fact that some of these postings are likely to be outside the direct control of the parties to the lawsuit.

Posted in Computer Forensics, eDiscovery, Investigations, Privacy, Records Retention | Tagged: , , , , , , , , , , , , , , | 2 Comments »

Self-Collection Prohibited in Delaware (?)

Posted by Johnny Lee on September 7, 2010

Walking the Walk...A recent case from the Delaware courts from Vice Chancellor Laster has provided what some consider to be a significant departure from traditional notions of proper behavior related to electronic discovery in civil proceedings.  While some have interpreted this decision to mean that no company can perform its own data collections, the true meaning of the decision might be quite different than this…perhaps we simply need to be reminded that the courts wish us to walk the walk.

The case in question, Roffe v. Eagle Rock Energy GP, et al., C.A. No. 5258-VCL (Del. Ch. Apr. 8, 2010), should probably be framed more in the light of the recent line of decisions from the Qualcomm case from years back.  Specifically, it might be far more accurate to interpret this ruling not as a proscription from self-collection but as a warning to counsel who choose to “phone it in” during the data preservation and collection aspects of electronic discovery.  Better said, just as with the Qualcomm sanctions, the Delaware court seems to focus far more on a lawyer’s oversight duties than on any particular technique of forensic preservation and/or collection.

As indicated in this blog in prior posts, the principles of good faith, reasonableness, and transparency should guide the lawyer’s oversight in such matters.  Gone are the days when issuing dry memoranda (full of obtuse legalese) are sufficient to meet a lawyer’s eDiscovery burdens of modern civil litigation.  Read carefully, the Delaware decision reminds us that cases are unique things, requiring counsel to be actively engaged in the collection process and for counsel to have more than a passing involvement in the overall process of identifying discoverable repositories and the method by which those repositories are preserved, sourced, analyzed, redacted, and produced.

Let us all hope that this interpretation of the Delaware decision is proper.  Otherwise, we may see a significant increase in time, cost, and overall burden of producing electronic evidence in the state of Delaware.

Posted in Computer Forensics, eDiscovery, Litigation Hold, Records Retention | Tagged: , , , , , , , , , , , , , , | 1 Comment »

%d bloggers like this: