Federal E-Discovery Rules – Hindrance or Opportunity?
EDUCAUSE LIVE!
January 9, 2007
M. Peter Adler JD, LLM, CISSP, CIPP
Adler InfoSec & Privacy Group LLC
Agenda
Overview of the 12/1/06 Amendments to the Federal Rules of Civil Procedure concerning Discovery of Electronically Stored Information (ESI).
ESI Retention and Destruction Program
Key Elements
Overlap with Privacy and Security Programs
Relationship with Litigation/Litigation
Discovery
The Federal Rules of Civil Procedure provides the following discovery tools:
Depositions Upon Written or Oral Written Questions (Rules 30, 31 and 32)
Written Interrogatories (Rule 33)
Production of Document or Things (Rule 34)
Permission to Enter Upon Land for Inspection and Other Purposes (Rule 34)
Physical and Mental Examinations (Rule 35)
Requests for Admission (Rule 36)
And the following tools to ensure or excuse discovery:
Motion to Compel (Rule 37(a))
Protective Orders (Rule 26(c))
Sanctions (Rule 37(b), (c) & (d))
“The pretrial devices that can be used by one party to obtain facts and information about another party in order to assist the party’s preparation for trial.” - Black’s Law Dictionary
Potential Sources of ESI
Configuration of computers workstations and file servers
Mirror disks
Swap files
Removable media (diskettes, fobs, tapes, etc.)
Metadata
Temporary files and fragments
Histories
Embedded comments
Audit trails and log files
Access control lists (ACL)
EDI and VAN
Legacy Systems
Internet information
Corporate intranets
Email
Home Computers and laptops
PDAs
Backup tapes and facilities
“Deleted” files
Peripherals
Non-textual electronic devices
See also, Chapters I and IV of the Federal Guidelines for Searching and Seizing Computers for additional sources of Electronic Evidence
http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm
Overview of Federal Rules of Civil Procedure Relating to ESI
New and amended rules of civil procedure governing the treatment of electronically stored information (ESI) were effective December 1, 2006.
These Rules are broken into the following categories:
Early attention to ESI discovery issues: Rules 26(a) and (f) and 16(b)
Better management of discovery of ESI that is not reasonably accessible: Rule 26(b)(2)
Procedure for assertions of privilege after production: Rule 26(b)(5)
Interrogatories and Requests for Production of ESI: Rules 33(d) and 34(a) and (b)
Sanctions pertaining to ESI: Rule 37(f)
Note: As always, the Amended Rules may be subject to Local rules that impose more specific obligations on the parties.
Early Attention to ESI Discovery Issues
Rules 26(f) and 16(b)
Require that parties to a federal case consider, at the start of the case, the manner in which ESI will be preserved, maintained and provided.
Rule 26(a)
As part of their automatic initial disclosures, the Rule has been amended to include copies or descriptions of the categories or locations of ESI that the disclosing party may use to support its claims or defenses.
Rule 26(f) Amendments
“(f)…discuss any issues relating to preserving discoverable information and to develop a proposed discovery plan…concerning:
(3) any issues relating to disclosure or discovery of electronically stored information, including the form or forms in which it should be produced;
(4) any issues relating to claims of privilege or protection as trial-preparation material, including – if the parties agree on a procedure to assert such claims after production – whether to ask the court to include their agreement in an order;”
Rule 26(f) ESI Issues to be Discussed
Topics for discovery and time period
Sources within the parties’ control that should be searched for ESI
Whether the information is reasonably accessible to the party that has it (including burden and cost of retrieval) Rule 26(b)(2)(B)
Form or forms in which the information may be produced (See Rule 34(b))
Issues relating to preservation of discoverable information
Balance between competing needs to preserve relevant evidence and continued operations. (Rule 37)
See discussion on ESI retention program
Assertions of privilege or of protection as trial preparation materials (Rule 26(b)(5))
Can parties through agreement prepare procedures for asserting such claims and avoiding waiver of privilege?
Meeting of Parties: Timing
The parties should meet to address ESI issues as soon as possible under Rule 26(f)
Rule 26(f) provides that the parties are to confer 21 days before the Rule 16(b) scheduling conference.
The Rule 16(b) scheduling conference is to be held 120 days after the complaint is filed.
That leaves 99 days to get the ESI issues worked out.
Early Attention to Electronic Discovery: Rule 16(b) Pretrial Conference
Form 35 is an appendix to the Rules intended to serve as a model for a joint report of the parties to the court on the outcome of the Rule 26(f) conference, and as the basis for the Rule 16(b) pretrial conference with the judge.
The Rule 16(b) pretrial conference will result in a scheduling order delimiting time for discovery, filing motions and other pretrial activities.
Amended Rule 16(b) provides that the scheduling order may include:
provisions for disclosure or discovery of ESI
any agreements the parties reach for asserting claims of privilege or protection as trial-preparation material after production
Early Attention to Electronic Discovery: Automatic Initial Discovery Rule 26(a)
Rule 26(a) provides that litigants must include, as part of their automatic initial disclosures, the following information (except when it is used solely for impeachment):
The name, and if known, the address and telephone number of each individual likely to have discoverable information that the disclosing party may use to support its claim or defenses, identifying the subjects of the information; and
A copy of or a description by category and location of ESI that is in the possession, custody or control of the party and that the disclosing party may use to support its claims or defenses.
Discovery of ESI that is “Not Reasonably Accessible” Rule 26(b)(2)(B)
Under Rule 26(b) a responding party should produce ESI that is relevant, not privileged and reasonably accessible
Rule 26(b)(2)(B) provides that a party need not provide discovery of ESI from sources that the party identifies as not reasonably accessible because of undue burden or cost
Initially, the producing party makes the call on what reasonably accessible ESI it will produce
Reasonably Accessible ESI
No hard rule, but will be ultimately determined on a case-by-case basis.
“Accessible information is electronically-stored information that is easily retrievable in the ordinary course of business without undue cost and burden.” State Trial Court Guidelines, 1.B.
ESI is reasonably accessible when it is stored in a readily usable format that “does not need to be restored or otherwise manipulated to be usable.” Quinby v. WestLB, 2006 WL 2597900 at *7 (S.D.N.Y., September 2006) (quoting Zubulake v. UBS Warburg, LLC, 217 F.R.D. 309, 320 (S.D.N.Y. 2003) (Zubulake I))
Not Reasonably Accessible ESI
Although a decision on whether ESI is not reasonably accessible is made on a case-by-case basis, the Advisory Committee to the Rules identified the following as potential sources of ESI that is not readily accessible:
Back up tapes intended for disaster recovery purposes that are not indexed, organized or susceptible to electronic searching;
Legacy data from obsolete systems that is unintelligible on current systems;
“Deleted” data that remains in fragmented form but would require forensics specialists for reconstruction; or
Databases designed to create information only in certain ways not easily amenable to production.
Backup tapes were considered not reasonably accessible in Zubulake v. UBS Warburg, LLC 217 F.R.D. 309 (S.D.N.Y. 2003) (Zubulake III),
Challenging a Claim that ESI is Not Reasonably Accessible
The Rules include a two-step procedure when dealing with ESI that is not reasonably accessible:
On motion to compel discovery (Rule 37) by requesting party or for a protective order (Rule 26(c)) by producing party, the party from whom the information is sought must show that the information is not reasonably accessible because of undue burden or cost
If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause
“Good Cause”
Even if a source of ESI is not reasonably accessible, the requesting party may still obtain discovery by showing good cause by balancing the costs and potential benefits, looking at:
(1) the specificity of the discovery request;
(2) the quantity of information available from other and more easily accessed sources;
(3) the failure to produce relevant information that seems likely to have existed but is no longer available on more easily accessed sources;
(4) the likelihood of finding relevant, responsive information that cannot be obtained from other, more easily accessed sources;
(5) predictions as to the importance and usefulness of the further information; and
(6) the importance of the issues at stake in the litigation; and the parties' resources.
Options Available to Court: General Bases for Denial
Even with the showing of good cause, the court may deny discovery if it determines:
The discovery sought is unreasonably cumulative or duplicative or is otherwise obtainable from another source that is more convenient, less burdensome, or less expensive;
The party seeking discovery has had ample opportunity by discovery in the action to obtain the information sought; or
The burden or expense of the proposed discovery outweighs its likely benefit, taking into account the needs of the case, the amount in controversy, the parties’ resources, the importance of the issues at stake in the litigation, and the importance of the proposed discovery in resolving issues.
Options Available to the Court: Sampling
The court may specify conditions for the discovery (Rule 22 (b)(2)(C))
Sampling
Rule 34 permits testing or sampling of the ESI that is claimed to be not reasonably accessible. Forensic capabilities can be used to inspect ESI sources.
Byers v. Illinois State Police, 53 Fed. R. Serv. 3d 740 (N.D. Ill. 2002); Xpedior Creditor Trust v. Credit Suisse First Boston, 309 Fed. Supp. 2d 549 (S.D.N.Y. 2003).
Options Available to the Court: Cost Shifting
There is a presumption that the responding party must bear the expense of complying with discovery requests. Oppenheimer Fund, Inc. v. Saunders, 437 U.S. 340, 358 (1978).
A court may issue an order protecting the responding party from undue burden or expense by “conditioning discovery on the requesting party’s payment of the cost of discovery.” Oppenheimer Fund, Inc. v. Saunders, 437 U.S. 340, 358 (1978); Zubulake v. UBS Warburg LLC, 216 F.R.D. 280, 283 (S.D.N.Y. 2003) (Zubulake III)
The order may be granted only on a motion for a protective order brought by the responding party and only for good cause shown. Rule 26(c)
The responding party has the burden of proof on a motion for cost-shifting. Quinby v. WestLB, 2006 WL 2597900 at *7 (S.D.N.Y., September 2006) (quoting Zubulake v. UBS Warburg LLC, 216 F.R.D. 280, 283 (S.D.N.Y.2003) (Zubulake III))
Cost Shifting: Zubulake Seven-Factor Test
If the responding party is producing from inaccessible sources there is a seven factor test that must be considered:
1. The extent to which the request is specifically tailored to discover relevant information;
2. The availability of such information from other sources;
3. The total costs of production, compared to the amount in controversy;
4. The total costs of production, compared to the resources available to each party;
5. The relative ability of each party to control costs and its incentive to do so;
6. The importance of the issues at stake in the litigation; and
7. The relative benefits to the parties of obtaining the information.
Zubulake v. UBS Warburg, LLC, 217 F.R.D. 309, 322 (S.D.N.Y. 2003) (“Zubulake I”)
Production of ESI: Rule 34
Rule 34(a) adds ESI as a category subject to production in addition to “documents.”
Rule 34(b) adds procedures for requesting and objecting to the form for producing information and provides default forms of production.
Production: Rule 34(a)
Production requests cover documents and ESI:
Including writings, drawings, graphs, charts, photographs, sound recordings, images and other data or data compilations stored in any medium from which the information can be obtained.
Form or Forms of ESI Production: Rule 34(b)
The form or forms of the ESI can be agreed in the initial meeting described in Rule 26(f).
If the parties do not reach agreement, Rule 34(b) provides a default procedure for production of ESI.
A request may specify the form or forms of the ESI to be produced.
Responding party may object (in writing within 30 days after the request is served) to the requested form or forms of the ESI, stating the reasons for objection.
If a request does not specify the form or forms for producing ESI, a responding party must produce the ESI in a form or forms in which it is ordinarily maintained or in a form or forms that is readily usable.
If an objection is not received or no form is specified, the responding party must identify the form it has chosen in its Rule 34 response.
If the form or forms are disputed:
The requesting party then can move to compel production in a different form; or
The producing party may seek a protective order.
Sampling, Inspections, Tests
Amended Rule 34(a)(1) provides that parties may request an opportunity to inspect, copy, test or sample ESI sought.
Burden and intrusiveness can be addressed under Rules 26(b)(2) and 26(c).
Issues of privacy, security, trade secrets, etc.
Does not include a routine right of access to a party’s information system, although access may be justified in some instances.
Privilege and other Limits on Discoverability
Attorney-Client Privilege
Work Product Doctrine (Trial Preparation)
Trade Secrets and Proprietary Information
Copyright and License Restrictions
Privilege and ESI: Rule 26(b)(5)
Guarding against privilege waiver is more difficult when discovery of ESI is sought.
The volume of the available information is enormous.
The forms in which ESI is stored make review and determination more difficult, expensive and time-consuming and less likely to detect all privileged information.
Inadvertent production and waiver may occur.
The failure to screen out even one privileged item may result in an argument that there has been a waiver as to all other privileged materials related to the same subject matter.
Procedure: Asserting Party
A party asserting a claim of privilege must give notice to the receiving party:
In writing, unless circumstances preclude it (e.g., during deposition);
Specifically identifying the information and stating the basis for the claim; and
Detailed enough to enable the receiving party and the court to understand the claim basis and whether waiver has occurred.
Procedure: Receiving Party
After receiving notice, each party that received the information must promptly return, sequester, or destroy the information, and:
May not use or disclose the information pending resolution of the privilege claim; and
Must retrieve all information disclosed to third parties prior to receiving notice.
The receiving party may present to the court questions whether the information is privileged or protection has been waived.
The party must provide the court and producing parties notice and serve all parties.
Interrogatories: Rule 33(d)
Permits analysis of records, including ESI, to answer interrogatories when the cost is roughly the same for both parties
Cost analysis will be key:
Do costs include overhead costs of maintaining the necessary hardware and software and training personnel to use them?
May not be a good option considering potential business disruption, security compromise and privilege issues involved in having opponent access the system.
Better answer may be to produce the ESI
Discovery of ESI from Non-Parties through Subpoena: Rule 45
Applies to entities that operate computer networks for persons in litigation (e.g., ISPs, ASPs, employers, schools).
These non-parties are increasingly being asked to respond to subpoenas for ESI about a party’s computer use.
The amended Rule adds ESI and requires non-parties to face the same questions of preservation, cost, privilege, accessibility and form of production as parties.
Upon receipt of the subpoena, the non-party is to discuss with the requesting party the scope of the request, protective measures and costs.
Court will relieve non-parties from “substantial costs” rather than “undue burden”, which is a lower threshold
ESI Retention
Duty to Preserve
Legal Duty
e.g., Sarbanes–Oxley, HIPAA, FACTA and other document retention requirements
Lawyer’s duty to preserve evidence in discovery and litigation
Continued Operations
Normal system Operations
Data Backup
Data Destruction
Duty to Preserve
Duty attaches when a person knows or reasonably anticipates litigation involving identifiable parties and identifiable facts.
Encompasses potential evidence related to identifiable facts, which may shift as litigation proceeds. Stevenson v. Union Pac. R.R., 354 F.3d 739 (8th Cir. 2004)
Exists independent of any preservation demand letter, or court order. Wigington v. Ellis, 2003 WL 22439865 (N.D. Ill. 2003) (Wigington I); Treppel v. Biovail Corp., 233 F.R.D. 363 (S.D.N.Y 2006).
The fact that ESI is not reasonably accessible does not relieve a party from its duty to preserve the information if potentially relevant. Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2003) (“Zubulake IV”)
Failure to Preserve: Sanctions for Spoliation
Duty to monitor preservation falls on inside and outside counsel.
Potential sanctions will vary on intent and behavior of producing party (bad faith, gross negligence, negligence) and degree of prejudice to the requesting party caused by spoliation.
Possible sanctions include:
Fines;
Adverse inference jury instruction;
Striking of a pleading or defense;
Dismissal or default; and
Costs for supplemental discovery.
Right to Destroy
Courts have acknowledged that organizations have the right to destroy - whether or not it is consciously deleted - electronic information that does not meet the internal criteria of information or records requiring retention.
“‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business …. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.” Arthur Andersen, LLP v. United States, 125 S. Ct. 2129, 2135 (2005).
Safe Harbor: Rule 37(f)
The court will not impose sanctions on parties who fail to produce ESI that was lost as a result of routine, good faith operation of an electronic information system, absent exceptional circumstances. Rule 37(f)
Good faith destruction of potentially relevant ESI will be difficult to establish when there is a claim pending or the party has received a credible threat of a claim.
A Committee Note to Rule 37(f) states: “Good Faith in the routine operation of an information system may involve a party’s intervention to modify or suspend certain features of that routine operation to prevent the loss of information if that information is subject to a preservation obligation.”
ESI Production – Responding Party
Identifying ESI.
Locating ESI on media and information systems using state-of-the-art applications and forensic capabilities.
Retrieving ESI using specialized computer hardware and software and computer forensics methods.
Preserving ESI and providing notices to personnel and placing holds on destruction of the information. In this phase document retention procedures for preserving ESI are invoked.
Analyzing ESI to determine which is relevant and responsive.
Sorting through ESI and removing privileged electronic information and records from the production set and prepare logs in compliance with applicable law.
Producing ESI to the opposing party in an accessible or agreed to form.
ESI Retention Risks
Spoliation and Sanction Risks. Because of retention duties, a party must persuade the court that those documents that no longer exist were purged pursuant to a policy and were not willfully destroyed or spoliated.
Cost of Retrieval Risk. Knowing where information is stored or if it has been destroyed pursuant to document retention policies will avoid the high costs associated with e-discovery fishing expeditions.
Inability to Defend Risk. The loss of critical evidence potentially leads to the inability to properly defend a claim.
ESI Retention Program
Compliance and Auditing Plan
Create or Amend Policy on ESI Retention and Destruction
Indexing and Document Naming System
Attorney-Client Privilege Procedures
Litigation Hold Procedures
Employee Training
Post-Implementation Compliance and Auditing
Hindrance or Opportunity?
An ESI Management Program contains many of the elements found in security and privacy programs.
Removal of sensitive ESI on a regular basis will enhance an organization’s privacy and security.
Examples of Overlap of elements of ESI, Security and Privacy Programs
Data classification
Map data flow
Identify systems
Evaluate IT function in creation, receipt, transmission and processing of data
System Backup
Access rights
Third party contracts
Roles and responsibilities
Management of email
Procedures for storage of confidential, restricted access electronic records
Formal technology standards (ISO 17799, ISO 15489)
Auditing and review function
ESI Retention
Review Written vs. Actual ESI Retention Practices
Creation
Use
Disposal
Are electronic records being kept as required by law and internal procedures?
Are electronic records being managed over their entire lifecycle?
Litigation/Investigations
Procedures, roles and responsibilities for identifying and retrieving ESI.
Does offsite storage of ESI exist? If so, is it indexed or stored in a manner that adequately identifies them?
Litigation Hold
What is the process for determining when a claim arises?
Responsibility for determining necessity for litigation hold?
How is it authorized and communicated?
Scope?
What is the time frame?
Where are suspended electronic records kept?
How is the end of the litigation hold communicated, carried out and monitored?
What are the procedures for disposal of electronic records after a case closes?
Contact Information
M. Peter Adler
Adler InfoSec & Privacy Group LLC
2103 Windsor Road
Alexandria, VA 22307
Telephone: (202) 251-7600
Facsimile: (703) 997.5633
Email: [email protected]