What’s Wrong With This Picture? Star Trek Lessons for e-Discovery

October 29, 2007

All of the senior officers in Star Trek worked together on the bridge except for one, the Chief Engineer. Poor Scotty was always kept below in Engineering, far away from the command center. Scotty was never really part of the core team. Sure, he had a high rank, but he was not a decision maker, and was only rarely allowed on the bridge. In fact, the rest of the Star Trek team never even talked to him much unless there was a problem.

Still, there were problems aplenty, and the team needed Scotty to keep the Enterprise going. In just about every episode, he and the other techs would work around the clock to meet the Captain’s unrealistic time demands to save the day. Indeed, the pleas of other members of the team for Scotty to beam them up out of trouble became the signature line of Star Trek. Yes, the senior officers needed Scotty, but he was never given the respect and equality he was due.

According to Dan Regard, one of the keynote speakers at the Masters e-Discovery Conference in Washington D.C. last week, Star Trek has an important lesson to teach to e-discovery: bring the engineers onto the bridge and make IT an integral part of your core e-discovery team. Then, and only then, will the Enterprise succeed. As it turns out, many e-discovery aficionados are also Trekkies and so this analogy received a strong positive response.

See how happy Scotty looks when the other team members finally grow up and let him onto the bridge?

Dan is an attorney and one of the founders of LECG, an expert services firm, where he is now a Managing Director in Washington D.C. He has 20 years’ experience as a consultant in the computer industry and in e-discovery. He is an obvious fan of the Vulcans on Star Trek because his other key message was to improve the e-discovery process by constantly asking why. In other words, subject your activities to reasoned analysis and logic. Do not impulsively do things because that is how you have always done them. Engage in extensive proactive analysis at the beginning of any project. Examine the assumptions behind your e-discovery activities. Do you really need to preserve your backup tapes for a particular case? Why collect, produce and review so much data? Dan claims that he has saved as much as 80% of projected costs in an e-discovery process by such an analytic approach.

Anne Kershaw was another excellent keynote speaker at the Masters Conference. She is an attorney and consultant involved with high tech litigation since 1993. Anne gave the first presentation I have heard concerning new proposals for amending Rule 8 of the Federal Rules of Civil Procedure concerning notice pleading. Rule 8(a)(2) merely requires a “short and plain statement of the claim showing that the pleader is entitled to relief” in order to state a cause of action. This notice pleading rule was enacted in 1938, and has been interpreted over the years to require only vague general pleading for a case to go forward. As Anne put it, in today’s federal court, all you have to do is say “I’m hurt and you owe me.”

The problem for e-discovery with this vague general approach is that defendants frequently have no good idea from such pleadings as to what evidence will be relevant. This forces defendants to guess what computer records may need to be preserved and collected. This drives up the cost of e-discovery and leads to mistakes when a defendant guesses wrong. Further, it allows frivolous lawsuits to proceed to expensive discovery that could have been weeded out by more stringent pleading requirements.

Anne and other members of the Rules Committee are proposing a series of possible amendments to the Rules to require more particularized pleading of facts, especially in complex litigation. This would permit the earlier dismissal of cases without merit. This is a hot political issue that the plaintiff’s bar has long opposed. You can help Anne out on this important project by sending her examples of frivolous lawsuits that ended up costing a small fortune to defend.

Another good event that I attended at the Masters Conference was the panel discussion on Career Development & Hiring Trends in Legal Technology. The panelists were Jeff Scarpitti of The Kennett Group, Clark Cordner of Orrick, Ben Hawksworth of Ernst & Young, and Jeff Ghielmetti of Cisco and Legal on Ramp. The group spoke about the entrepreneurial law firm model that has always been dominant in e-discovery services. That is where law firms in effect create their own e-discovery vendor companies within their law firms. This captive billing center then provides e-discovery services to the firm’s litigation clients. This entrepreneurial model has been quite profitable to law firms for many years, and is apparently still going strong. There are many employment opportunities in this area for both techie lawyers and IT personnel.

But one of the panelists, Jeff Ghielmetti, offered a new model, which in my view is the wave of the future. Jeff told the story of how Cisco established the first internal corporate e-discovery team after the stock market crash of 2000 and 2001. At that time, Cisco was hit with a flood of litigation, often involving millions of pages of electronic documents. One of the first cases came with a $23,500,000 bill for e-discovery. Cisco could not continue at that kind of burn rate, so out of necessity they decided to try something new, and go in-house. For help they turned to Jeff, a Cisco engineer, not a lawyer, but he had the full backing of Cisco’s forward-looking (aka “desperate”) legal department.

Under Jeff’s direction, Cisco turned away from the traditional model of hiring law firms and e-discovery vendors to manage their data preservation, collection and analysis, and they started to do it themselves. Cisco set up the first internal, multi-disciplinary corporate e-discovery team. Jeff reported that Cisco’s program has been a huge success, not only in cutting costs, but also in better management of risks.

The Cisco model is basically the same internal team paradigm I promote on this blog and in my practice. Although I had heard rumors about Jeff and Cisco’s team, I had never seen any writings about their program, and this is the first time I had heard Jeff speak. It was very encouraging. After explaining the background, Jeff went into some of the details of how the Cisco team operates. He explained that the team work begins by preparing a map showing where all of the company’s ESI is located. At Cisco, they call that the “treasure map” and it is constantly updated. I agree completely with this approach and write about ESI maps in the blog page above.

Ben Hawksworth of Ernst & Young spoke of the consensus now forming that the internal corporate team approach is the “holy grail” of e-discovery. Under this new model corporations preserve and collect their own data, and do initial processing and analysis, and then turn the data over to the outside law firm for review and production. Once again, this is exactly the model I have been promoting, as is explained in the About blog page above. It appears that the internal e-discovery team approach to e-discovery may finally be catching on, and will soon overtake the traditional law firm entrepreneurial model. In the language of Star Trek, Scotty’s on the bridge and the Ferengi are on the run.


Sherlock Holmes in the Twenty-First Century: Definitions and Limits of Computer Forensics, Forensic Copies and Forensic Examinations

October 14, 2007

If Sherlock Holmes were alive today, he would surely be a master of  computer forensics. Just as he sometimes used his chemistry set in the 19th Century to analyze clues, today he would use forensic software to examine digital devices. Holmes would know how to make forensic copies of computers, i-phones, thumb-drives and other ESI storage devices, and also know when not to waste his time doing so. No doubt Dr. Watson would be amazed at the evidence Holmes would sometimes uncover. The forensic examination of computers is an important tool in twenty-first century detective work, but it is no panacea. Sherlock Holmes of all people would know that it is not a substitute for clear thinking and rational deductions, and is not appropriate in every case. 

Lots of trial lawyers do not really understand computer forensics, and are prone to think that a full scale forensic examination of all computers is needed in every case. They want their tech-guys to make “forensic copies,” work their mumbo-jumbo on each, and like Sherlock Holmes, come up with an amazing and unexpected clue that solves the case. Sometimes this fantasy comes true, but only rarely. The attempt to search every bit and byte of every computer, including the deleted files and slack space, is expensive. Most experts agree that this kind of “deep dive” forensic examination work should be done sparingly, and is not needed in most e-discovery cases. Even when a special case suggests it may be needed, such forensic exams rarely produce the killer email that wins the day. The lawyer who uses this kind of full scale forensics approach in every case is setting himself up for major disappointments and wasting his client’s money.

What is “computer forensics,” and what are the related terms “forensic copy” and “forensic exam”? Let’s begin by defining “forensic copy,” which is fairly simple. A forensic copy is an exact bit-by-bit copy of the entire physical storage media, including all active and residual data and unallocated space on the media. This is also sometimes called an “image copy” or “mirror image.” See The Sedona Conference Glossary: e-Discovery & Digital Information Management, The Sedona Conference Working Group Series, May 2005.

A forensic copy allows for a “forensic exam” of the copy. You do not examine the original because the act of examination would, in itself, change the original. (This is called the Heisenberg Principle of computer forensics.) In a forensic exam, all of the information on a disk is carefully probed and searched, even the otherwise hidden information: the deleted files, residual data, unallocated space, corrupted files, encrypted files. In a forensic exam, everything that is scientifically possible to restore and search is searched, including ESI classified as not-reasonably-accessible under Rule 26(b)(2)(B).

The definition of the more general term “computer forensics” is more challenging. It is not a specific procedure like forensic copy or exam, it is an entire field of study or scientific discipline. The National Institute of Standards and Technology special publication (SP) 800-86 Guide to Integrating Forensic Techniques into Incident Responses provides an authoritative definition of computer forensics:

. . . the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Data refers to distinct pieces of digital information that have been formatted in a specific way.  . . .

The NIST explains how the process of computer forensics has four basic phases:

Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.

Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting data of particular interest, while preserving the integrity of the data.

Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.

Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.

A well known IT site, SearchSecurity.com, provides another good definition of computer forensics:

Computer forensics, also called cyberforensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

Forensic investigators typically follow a standard set of procedures. After physically isolating the computer in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the hard drive. Once the original hard drive has been copied, it is locked in a safe or other secure storage facility to maintain its pristine condition. All investigation is done on the digital copy.

Investigators use a variety of techniques and proprietary forensic applications to examine the hard drive copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a “finding report” and verified with the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation.

The Sedona Conference Glossary also defines computer forensics:

Computer Forensics (in the context of this document, “forensic analysis”) is the use of specialized techniques for recovery, authentication and analysis of electronic data when an investigation or litigation involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel, and generally requires strict adherence to chain-of-custody protocols.

A recent commentary by forensic expert Ken Zatyko in Forensic Magazine focused on the difficulty of defining what he called “digital forensics,” which for purposes of this article I consider equivalent to “computer forensics.” Ken Zatyko is a recently retired Air Force Lt. Colonel who was the director of the Department of Defense Computer Forensics Laboratory for many years, and is now an Adjunct Professor with Johns Hopkins University. Ken reviews several other definitions as I have done, and then settles on his own definition that he urges others to adopt:

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.

This is the best definition I have seen, and my personal favorite, perhaps because it includes “validation with mathematics,” a reference to my favorite subject in computer forensics, hash analysis (See the Blog Page above, HASH, and my law review article on this subject: HASH: The New Bates Stamp).  Zatyko then goes on to delineate an eight-step forensics process:

1. Search authority
2. Chain of custody
3. Imaging/hashing function
4. Validated tools
5. Analysis
6. Repeatability (Quality Assurance)
7. Reporting
8. Possible expert presentation

The various definitions make clear that “computer forensics” is a disciplined, scientific approach to electronic discovery and evidence validation. Computer forensics in this general sense should be followed whenever electronic evidence is involved in a legal proceeding, which in today’s world means almost every case. In that sense, the trial lawyer may need a person familiar with computer forensics on every case to supervise e-discovery activities. Trial attorneys must be able to verify that proper procedures, authenticity and chain of custody were followed in order for the ESI discovered to be admissible as evidence at trial. This is, however, a far cry from a full scale Sherlock Holmes forensic examination of all computers. It is important for attorneys to understand the difference between forensics as a general discipline to lay a proper predicate for evidence, and forensic copying and forensic examinations as particular applications of this discipline, applications that are not necessary in every case.
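The forensic copy defined above and the imaging/hashing and repeatability steps of Zatyko’s process, as an added example that is not from this blog or from any vendor’s tool: the script makes a bit-for-bit copy of a medium, hashes the source while reading it, re-hashes the finished image, and records both values so anyone can later recompute and confirm the match. The sample medium, its contents, and the record fields are constructed assumptions; a real acquisition would read the device through a write blocker.

```python
"""Forensic copy with hash validation (added illustration, not the blog's
or any named tool's code).  The copy is taken at the byte level, so active
files, deleted-file remnants and unallocated space are all captured, and the
original is only ever opened for reading."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large media never sit in memory


def hash_file(path):
    """SHA-256 of a whole file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_medium(source_path, image_path):
    """Copy every byte of source_path to image_path and return a custody
    record holding the hash computed from the source as it was read and the
    hash recomputed from the finished image.  Assumption: the source is
    behind a write blocker or mounted read-only, so reading cannot alter it."""
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            src_hash.update(block)
            dst.write(block)
    record = {
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "bytes": os.path.getsize(source_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": hash_file(image_path),
    }
    # the two values agreeing is the "validation with mathematics" step
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    return record


def verify_image(image_path, record):
    """Repeatability: anyone holding the image and the record can recompute
    the hash and confirm the copy still matches what was acquired."""
    return hash_file(image_path) == record["sha256_source"]


def demo():
    """Constructed scenario: a small 'medium' holding an active document and
    a deleted-file fragment sitting in unallocated space is imaged and
    verified; then one byte of the image is altered to show the check fail."""
    workdir = tempfile.mkdtemp()
    medium = os.path.join(workdir, "usb_stick.raw")   # constructed source
    image = os.path.join(workdir, "usb_stick.dd")     # constructed image
    with open(medium, "wb") as f:
        f.write(b"ACTIVE: quarterly report draft\n".ljust(4096, b"\x00"))
        f.write(b"\x00" * 2048 + b"deleted memo fragment" + b"\x00" * 2000)
    record = image_medium(medium, image)
    intact = verify_image(image, record)
    source_untouched = hash_file(medium) == record["sha256_source"]
    # tamper with the copy: flip one byte, which a full re-hash must catch
    with open(image, "r+b") as f:
        f.seek(4100)
        f.write(b"X")
    tampered_still_verifies = verify_image(image, record)
    return record, intact, source_untouched, tampered_still_verifies


if __name__ == "__main__":
    rec, ok, src_ok, bad = demo()
    print(rec)
    print("image verified:", ok, "| source unchanged:", src_ok,
          "| tampered image verifies:", bad)
```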

One person who has a good grasp of this difference is John Patzakis. He is the General Counsel of Guidance Software, makers of EnCase, the forensics software tool used by over 80% of computer forensics experts. Although it might be tempting for him to push the over-use of forensics, he does not do so. He and his company are a class act, which is one reason I am pleased that John agreed to do a West-Thompson Webinar with me later this year: “Computer Forensics and E-Discovery.” We will be joined by another e-discovery attorney, a modern-day Sherlock Holmes of computers, Bill Speros, who also understands this distinction very well, and by a well-known accountant forensics expert, Frank Wu of Protiviti.

John Patzakis was interviewed in 2007 by Forensic Focus, a website for “computer forensics news, information and community.” John’s interview provides some good advice on the prudent and restrained use of computer forensics in e-discovery. 

In general, eDiscovery tends to involve a “computer forensics-like” approach, if you will, where aspects of traditional forensics such as chain of custody, metadata recovery and preservation, documentation and reporting and an overall defendable process are central requirements. Aspects of traditional forensics that are generally not as important include full disk imaging, deleted file and file fragment recovery, and deep dive analysis involving various artifacts.

This reference to “traditional forensics” is what most people think of when they hear “computer forensics,” the expensive CSI-type criminal investigations where computer disks are imaged and forensic exams are performed to restore and search deleted files, fragments, Internet cache, slack space, memory, and the like. A diagram providing a simple overview of the forensic examination process using EnCase software is shown below.

EnCase Forensics diagram

John Patzakis has written a very comprehensive treatise on electronic discovery law related to his company’s software tools and forensic related issues called the EnCase Legal Journal (April 2007). At 143 pages and 446 legal citations, this is not your typical vendor white paper, and is well worth reading and using as a reference. Section 9.5 of the Journal is entitled “Cost-Effective Searching of Data.” It pertains to my original point that many trial lawyers tend to overuse computer forensics and seek full-disk imaging and other “deep-dive” analysis in every case.

Collection and preservation of ESI must incorporate a defensible process that accomplishes the objective of preserving relevant data, including metadata, and establishing a proper chain of custody. With the right technology, these results can be achieved without full-disk imaging. However, full-disk imaging and deleted file recovery are emphasized by many eDiscovery vendors and consultants as a routine eDiscovery practice. While such deep-dive analysis is required in some circumstances, full-disk imaging is unwarranted as a standard eDiscovery practice due to considerable costs and burden. Large-scale, full-disk imaging is burdensome because the process is very disruptive, requires much more time to complete, and, as eDiscovery processing and hosting fees are usually calculated on a per-gigabyte basis, costs are increased exponentially. . . .

Generally, courts will only require that full forensic copies of hard drives be made if there is a showing of good cause supported by specific, concrete evidence of the alteration or destruction of electronic information or for other reasons. Balboa Threadworks, Inc. v. Stucky, 2006 WL 763668, at *3 (D. Kan. 2006); However, “[c]ourts have been cautious in requiring the mirror imaging of computers where the request is extremely broad in nature and the connection between the computers and the claims in a lawsuit are unduly vague or unsubstantiated in nature.” Ameriwood Industries, Inc. v. Liberman, 2006 WL 3825291, (E.D. Mo. Dec. 27, 2006).

I wrote about the Ameriwood case in my blog, Employer Allowed to Mirror Employees-Home Computers and Obtain Inaccessible ESI. Ameriwood was one of the first decisions in the country to employ the new inaccessibility analysis under Rule 26(b)(2)(B). Although the court in Ameriwood was cautious, it decided to allow the employer to make a forensic copy of the employee’s computer, and search for otherwise inaccessible ESI, the deleted files and slack space.  The court only allowed this kind of forensic imaging because the employer had made a special showing of good cause under Rule 26(b)(2)(B). The general rule is to be cautious and not allow such forensic exams absent a showing of good cause. Good cause can come in a variety of forms, but usually arises from suspicious circumstances that suggest spoliation, such as a story of a midnight hacker erasing all of your files, or the loss of a laptop with all of your records just before a deposition duces tecum.

In another case, Hedenburg v. Aramark American Food Services, 2007 U.S. Dist. LEXIS 3443 (W.D. Wash. Jan. 17, 2007), the court applied the general rule and denied the application for a forensic exam. The employer requesting the forensic imaging did not provide good cause as required under Rule 26(b)(2)(B). I wrote about Hedenburg in my prior blog Forensic Fishing Expedition Rejected. This is an employment discrimination case where the employer wanted a forensic copy made of the employee’s personal computers. The employer proposed that the copy then be examined by a computer forensic expert serving as a special master. The employer’s attorneys had an expansive view of computer forensics not warranted by the facts or the law. 

In a move reminiscent of Inspector Lestrade, employer’s counsel provided no good reasons for the exam, and instead argued that such exams were common in these types of cases, and might lead to important clues. The Judge rejected the proposed forensics as a mere “fishing expedition.” Blind hope may be a fisherman’s credo, but it will not work in court, and is no substitute for the kind of cold logic and reasoned analysis made famous by Sherlock Holmes.

For more information on forensics check out the audio CLE I did for West Legalworks entitled: E-Discovery and Computer Forensic Investigations 101: When Does Your Case Warrant the Full “CSI” Treatment? With me on the panel for this 1.5 hour webcast were J. William Speros, Consultant and Principal, Speros & Associates LLC; Michael Michalowicz, Associate Director, Protiviti; and John Patzakis, Vice Chairman and Chief Legal Officer, Guidance Software.


Survey of Records Administrators Shows Negligent e-Records Management is Creating “Stunning Business Risks”

October 6, 2007

A new survey of records managers by Cohasset reveals continued neglect in the management of electronic records. The survey shows 40% of organizations do not include electronic records in their retention schedules and 55% do not include emails; only 14% always follow their records retention policy; 44% do not include electronic records in their litigation hold procedures; and, 46% do not think their electronic records are accurate, reliable or trustworthy. These statistics are amazing to me, especially when you consider this survey is limited to those organizations with full time professional records managers. It is reasonable to assume that the statistics are far worse for companies that do not have a records management department. The bottom line of the study is that:

The majority of organizations are not prepared to meet many of their current or future compliance and legal responsibilities.

The outstanding challenges associated with the management of electronic information assets have the potential to be devastating in terms of costs, professional careers, and even corporate reputations.

The number and magnitude of organizational and operational problems reflected in the survey findings collectively represent stunning business risks.

The integration of electronic records into the organization’s records management program should be a priority, and electronic records control gaps should be the focus of immediate corrective action.

In a hopeful sign for the future, the survey shows that senior management of corporations and governmental entities are beginning to understand the consequences of this neglect, and take steps to resolve it. Also, believe it or not, the survey shows improvement from prior years.

This work has a high degree of credibility and should be a wakeup call for corporate America. It was co-sponsored by the leading professional associations in this area, ARMA (Association of Records Managers and Administrators) and AIIM (Association of Information and Image Management, a/k/a Enterprise Content Management Association). A white paper entitled Call for Collaboration, by Robert F. Williams and Lori J. Ashley, reports on the survey. It was based on information from more than 1600 respondents in 2007, and a total of more than 5500 respondents in the survey’s four prior years – 1999, 2001, 2003 and 2005.

Although much of the report is written in polite and correct jargon, it does not mince words as to the significance of most organizations’ failure to have a functioning litigation hold procedure:

The indisputable fact: an extraordinary number of organizations are negligent with regard to a formal system to ensure records hold orders are successfully administered. For any organization which is the likely target of litigation or regulatory inquiries, the absence of a formal plan to respond to discovery requests must be considered an unacceptable risk. Not having such a system is a legal land mine waiting for detonation. Where there is no formal system for records holds orders in their organizations, records management professionals need to work aggressively with their legal colleagues to correct this significant deficiency. (emphasis added)

Another interesting finding is that most IT departments administer electronic documents, but they have no understanding of the basic premise of records management, that all records should have a “life cycle.”  That is, they are born, have a useful life of some duration appropriate for the type of record involved, and then die. In other words, records are only supposed to be retained for as long as they are needed to meet the organization’s legal and business requirements.  After that, they are supposed to be destroyed, or in some rare instances, like with historical documents, archived for preservation. 

The survey shows IT has no clue about “records life cycle” (or at least that is what the records managers think). For this reason, IT tends to treat all electronic records like the original paper Constitution. They try to archive everything so that it will last forever, usually in multiple, ever spreading copies. They tend to back up and preserve electronic records forever, or at least for as long as the latest technology permits, and are lax in the destruction of records. IT fears that the day after they destroy a record someone in senior management will have a rush demand to retrieve it. The mistaken desire for immortal records has had draconian consequences well described in this report:

Higher Storage Costs – If electronic records are retained without a clearly defined disposition trigger (as determined by an organization’s retention schedules), the volume of records will grow rapidly and that growth will be mirrored in the cost for electronic records storage.

Greater Discovery Costs – Since unnecessarily retained records can be the subject of legal discovery, the costs associated with producing records that should have been destroyed are totally unnecessary expenses.

Unwittingly Assisting Plaintiffs – Unnecessarily retained records can be used against the organization in future litigation. This is potentially the most significant cost.

In line with the fundamental premise of this “e-Discovery Team” blog, the authors of this report recommend that senior management begin to address these problems by forming a

cross-functional team (business, legal-compliance, IS/IT, records management) and collaborative approach to ensure an integrated and sustainable records management program.

The advice to in-house counsel is similar. They recommend that legal

Establish an ongoing interactive relationship with IS/IT and records management regarding the organization’s management of its valued information assets, especially electronic records.

I could not agree more. The “stunning business risks” created by the negligent management of electronic records is a high priority problem. It is too big and too complicated a problem for any one branch of a large organization to solve on its own. It is time for the legal departments, IT, records management and operations management to stop working in isolation. They have to work together on this common task. Every study seems to reach this same conclusion. Only an interdepartmental approach will succeed to fix this interdepartmental problem. Companies have to begin by forming, and empowering, a cross-functional team with members from each department, what I call an “e-discovery team.”  Only an e-discovery team can possibly clear the “legal land mine waiting for detonation” which was uncovered by this study, and many others like it.