E-Discovery for System Administrators
Russell M. Shumway
Russell M. Shumway, [email protected]
Admin
• I am not a lawyer
• This is not legal advice
• Interrupt me if you have questions
• IANAL
Our Goals Today
• Understand the eDiscovery Process• Identify Ways to Make the eDiscovery
Process More Cost Effective and Efficient• Learn What you can do to Save Money and
Reduce Burden in the Future• Learn how to avoid common pitfalls• Understand the need for cooperation
between IT and counsel
Discovery, generally
– Discovery process provides opportunity to both parties in litigation to acquire information in support of its case
– BUT – more than just litigation! Government subpoenas, CIDs, etc.
– -Rules developed, historically, based on paper records
Discovery: “the ascertainment of that which was previously unknown…[t]he pre-trial devices that can be used by one party to obtain facts and information from the other party in…preparation for trial.”
- Black’s Law Dictionary
E-Discovery
– Courts struggled with how to handle electronic information, but (most) have become a lot more savvy and judges are more educated.
– E-discovery has surpassed paper:
• 95% of business records exist in electronic form
• E-Discovery includes document metadata When it was created or modified When an email was sent and to whom
Sanctions
• Cost Shifting• Fines• Administrative actions• Ethical sanctions (e.g., disbarring)• Legal sanctions (contempt of court order)• Adverse inference• Directed verdict
Let’s Talk the Same Language
• Where might information hide?– Usually (not always!) in three “buckets” – network data, local data and email– Network (Home) Drives– Shared Network Drives– Desktops/Laptops– Mail servers – Databases
• Other Helpful Terms– ESI– Native Format– Metadata– TIFF/PDF– Review Platform– Readily Accessible
Discovery Process
1. Litigation (or investigation) is anticipated2. Counsel issues litigation hold3. Parties meet and confer4. Data is extracted from various sources5. Review
– Responsiveness– Privilege– Confidentiality
6. Data is produced to opposing counsel7. Repeat 3-6 as necessary
Litigation Hold– Identify potentially relevant custodians– Issue written litigation hold to all potential custodians– Interview key custodians to obtain information regarding data
storage habits and to ensure compliance with legal hold
– Figure out where the data resides– Understand backup and autodelete functions– Collect and preserve potentially relevant evidence
Preservation
Acquisition
• Method may vary with custodian • Refer to custodian interviews so you know where to look
– Photos on cell phone? Documents on iPod? Flash drives?• Self collect or outside consultant?
– This will depend on nature of case, extent of discovery and your resources
– Understand chain-of-custody requirements– Potential appearance of bias
Pre-Processing for Review
• Keyword Searches– Consider agreeing on these with opposing counsel– Consider separate search for privileged documents
• De-duplication?– Understand vendor’s method of de-duplication to ensure
defensibility • Sampling?• Concept searching?
Attorney review is overwhelmingly the most expensive part of electronic discovery – more effective processing can reduce attorney review costs by focusing the relevancy of the review material
Forensics and Discovery
– Forensics process provides digital evidence based on digital media
– May be used in litigation (criminal or civil) or administrative actions
– Very strict procedures and processes help ensure repeatability
Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
- Kruse & Heiser, Computer Forensics
Convergence
• Both eDiscovery and forensics involve the extraction of data from electronic media
• Both must be repeatable• Both may involve personal testimony as to the
process• Both may use the same or similar tools and
techniques
Divergence
• Inaccessible files• Deleted data• Data location and/or context• Duplicate copies• Data format
Concerns
• Deleted files– Deleted– Overwritten– Recycle Bin– Deleted emails
• Unallocated and slack space• Temporary files (web cache)
Tools, general
• Indexing search tools– May or may not include desktops– Typically handle common mail formats (Exchange)
and common file formats– Typically do not handle proprietary formats or
apps– Cost
• Location (server, personal folders, cloud)• Format for extraction• Format for production• Attachments• De-Duplication
• Native utilities (exmerge)• 3rd party tools (PowerControls)• Other utilities (dtSearch)• How to handle the cloud?
• Microsoft Office and similar– Easily viewed– Printable
• Location• Format• Extraction
• Native utilities (grep)• 3rd Party tools (indexing and non-
indexing)
Documents
Others
• Databases– Canned or custom reports– Paper output– May require assistance and/or software
• Custom applications– Paper output– May require assistance and/or software
• Location
• Native utilities (grep)• 3rd Party tools (indexing and non-indexing)
Questions?