What’s Wrong With This Picture? Star Trek Lessons for e-Discovery

All of the senior officers in Star Trek worked together on the bridge except for one, the Chief Engineer. Poor Scotty was always kept below in Engineering, far away from the command center. Scotty was never really part of the core team. Sure, he had a high rank, but he was not a decision maker, and was only rarely allowed on the bridge. In fact, the rest of the Star Trek team never even talked to him much unless there was a problem.

Still, there were problems aplenty, and the team needed Scotty to keep the Enterprise going. In just about every episode, he and the other techs would work around the clock to meet the Captain’s unrealistic time demands to save the day. Indeed, the pleas of other members of the team for Scotty to beam them up out of trouble became the signature line of Star Trek. Yes, the senior officers needed Scotty, but he was never given the respect and equality he was due.

According to Dan Regard, one of the keynote speakers at the Masters e-Discovery Conference in Washington D.C. last week, Star Trek has an important lesson to teach to e-discovery: bring the engineers onto the bridge and make IT an integral part of your core e-discovery team. Then, and only then, will the Enterprise succeed. As it turns out, many e-discovery aficionados are also Trekkies and so this analogy received a strong positive response.

Dan is an attorney and one of the founders of LECG, an expert services firm, where he is now a Managing Director in Washington D.C. He has 20 years’ experience as a consultant in the computer industry and in e-discovery. He is an obvious fan of the Vulcans on Star Trek because his other key message was to improve the e-discovery process by constantly asking why. In other words, subject your activities to reasoned analysis and logic. Do not impulsively do things because that is how you have always done them. Engage in extensive proactive analysis at the beginning of any project. Examine the assumptions behind your e-discovery activities. Do you really need to preserve your backup tapes for a particular case? Why collect, produce and review so much data? Dan claims that he has saved as much of 80% of projected costs in an e-discovery process by such an analytic approach.

Anne Kershaw was another excellent keynote speaker at the Masters Conference. She is an attorney and consultant involved with high tech litigation since 1993. Anne gave the first presentation I have heard concerning new proposals for amending Rule 8 of the Federal Rules of Civil Procedure concerning notice pleading. Rule 8(a)(2) merely requires a “short and plain statement of the claim showing that the pleader is entitled to relief” in order to state a cause of action. This notice pleading rule was enacted in 1938, and has been interpreted over the years to require only vague general pleading for a case to go forward. As Anne put it, in today’s federal court, all you have to do is say “I’m hurt and you owe me.”

The problem for e-discovery with this vague general approach is that defendants frequently have no good idea from such pleadings as to what evidence will be relevant. This forces defendants to guess what computer records may need to be preserved and collected. This drives up the cost of e-discovery and leads to mistakes when a defendant guesses wrong. Further, it allows frivilous law suits to proceed to expensive discovery that could have been weeded out by more stringent pleading requirements.

Anne and other members of the Rules Committee are proposing a series of possible amendments to the Rules to require more particularized pleading of facts, especially in complex litigation. This would permit the earlier dismissal of cases without merit. This is a hot political issue that the plaintiff’s bar has long opposed. You can help Anne out on this important project by sending her examples of frivolous lawsuits that ended up costing a small fortune to defend.

Another good event that I attended at the Masters Conference was the panel discussion on Career Development & Hiring Trends in Legal Technology. The panelists were Jeff Scarpitti of The Kennett Group, Clark Cordner of Orrick, Ben Hawksworth of Ernst & Young, and Jeff Ghielmetti of Cisco and Legal on Ramp. The group spoke about the entrepreneurial law firm model that has been always been dominant in e-discovery services. That is where law firms in effect create their own e-discovery vendor companies within their law firms. This captive billing center then provides e-discovery services to the firm’s litigation clients. This entrepreneurial model has been quite profitable to law firms for many years, and is apparently still going strong. There are many employment opportunities in this area for both techie lawyers and IT personnel.

But one of the panelists, Jeff Ghielmetti, offered a new model, which in my view is the wave of the future. Jeff told the story of how Cisco established the first internal corporate e-discovery team after the stock market crash of 2000 and 2001. At that time, Cisco was hit with a flood of litigation, often involving millions of pages of electronic documents. One of the first cases came with a $23,500,000 bill for e-discovery. Cisco could not continue at that kind of burn rate, so out of necessity they decided to try something new, and go in-house. For help they turned to Jeff, a Cisco engineer, not a lawyer, but he had the full backing of Cisco’s forward-looking (aka “desperate”) legal department.

Under Jeff’s direction, Cisco turned away from the traditional model of hiring lawfirms and e-discovery vendors to manage their data preservation, collection and analysis, and they started to do it themselves. Cisco set up the first internal, multi-disciplinary corporate e-discovery team. Jeff reported that Cisco’s program has been a huge success, not only in cutting costs, but also in better management of risks.

The Cisco model is basically the same internal team paradigm I promote on this blog and in my practice. Although I had heard rumors about Jeff and Cisco’s team, I had never seen any writings about their program, and this is the first time I had heard Jeff speak. It was very encouraging. After explaining the background, Jeff went into some of the details of how the Cisco team operates. He explained that the team work begins by preparing a map showing where all of the company’s ESI is located. At Cisco, they call that the “treasure map” and it is constantly updated. I agree completely with this approach and write about ESI maps in the blog page above.

Ben Hawksworth of Ernst & Young spoke of the consensus now forming that the internal corporate team approach is the “holy grail” of e-discovery. Under this new model corporations preserve and collect their own data, and do initial processing and analysis, and then turn the data over to the outside law firm for review and production. Once again, this is exactly the model I have been promoting, as is explained in the About blog page above. It appears that the internal e-discovery team approach to e-discovery may finally be catching on, and will soon overtake the traditional law firm entrepreneurial model. In the language of Star Trek, Scotty’s on the bridge and the Ferengi are on the run.

Sherlock Holmes in the Twenty-First Century: Definitions and Limits of Computer Forensics, Forensic Copies and Forensic Examinations

If Sherlock Holmes were alive today, he would surely be a master of  computer forensics. Just as he sometimes used his chemistry set in the 19th Century to analyze clues, today he would use forensic software to examine digital devices. Holmes would know how to make forensic copies of computers, i-phones, thumb-drives and other ESI storage devices, and also know when not to waste his time doing so. No doubt Dr. Watson would be amazed at the evidence Holmes would sometimes uncover. The forensic examination of computers is an important tool in twenty-first century detective work, but it is no panacea. Sherlock Holmes of all people would know that it is not a substitute for clear thinking and rational deductions, and is not appropriate in every case. 

Lots of trial lawyers do not really understand computer forensics, and are prone to think that a full scale forensic examination of all computers is needed in every case. They want their tech-guys to make ”forensic copies,” work their mumbo-jumbo on each, and like Sherlock Holmes, come up with an amazing and unexpected clue that solves the case. Sometimes this fantasy comes true, but only rarely. The attempt to search every bit and byte of every computer, including the deleted files and slack space, is expensive.  Most experts agree that this kind of “deep dive” forensic examination work should be done sparingly, and is not needed in most e-discovery cases. Even when a special case suggests it may be needed, such forensic exams rarely produce the killer email that wins the day. The lawyer who uses this kind of full scale forensics approach in every case is setting himself up for major disappointments and wasting his client’s money.

What is ”computer forensics,” and the related terms, ”forensic copy” and “forensic exam”? Let’s begin by defining “forensic copy,” which is fairly simple.  A forensic copy is an exact bit-by-bit copy of the entire physical storage media, including all active and residual data and unallocated space on the media. This is also sometimes called an “image copy” or “mirror image.” See The Sedona Conference Glossary: e-Discovery & Digital Information Management, The Sedona Conference Working Group Series, May 2005.

A forensic copy allows for a “forensic exam” of the copy. You do not examine the original because the act of examination would, in itself, change the original. (This is called the Heisenberg Principle of computer forensics.) In a forensic exam, all of the information on a disk is carefully probed and searched, even the otherwise hidden information: the deleted files, residual data, unallocated space, corrupted files, encrypted files. In a forensic exam, everything that is scientifically possible to restore and search is searched, including ESI classified as not-reasonably-accessible under Rule 26(b)(2)(B).

The definition of the more general term “computer forensics” is more challenging. It is not a specific procedure like forensic copy or exam, it is an entire field of study or scientific discipline. The National Institute of Standards and Technology special publication (SP) 800-86 Guide to Integrating Forensic Techniques into Incident Responses provides an authoritative definition of computer forensics:

. . . the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data. Data refers to distinct pieces of digital information that have been formatted in a specific way.  . . .

The NIST explains how the process of computer forensics has four basic phases:

Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, while following procedures that preserve the integrity of the data.

Examination: forensically processing collected data using a combination of automated and manual methods, and assessing and extracting of particular interest, while preserving the integrity of the data.

Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination.

Reporting: reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, procedures, tools, and other aspects of the forensic process.

A well known IT site, SearchSecurity.com, provides another good definition of computer forensics:

Computer forensics, also called cyberforensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.

Forensic investigators typically follow a standard set of procedures. After physically isolating the computer in question to make sure it cannot be accidentally contaminated, investigators make a digital copy of the hard drive. Once the original hard drive has been copied, it is locked in a safe or other secure storage facility to maintain its pristine condition. All investigation is done on the digital copy.

Investigators use a variety of techniques and proprietary forensic applications to examine the hard drive copy, searching hidden folders and unallocated disk space for copies of deleted, encrypted, or damaged files. Any evidence found on the digital copy is carefully documented in a “finding report” and verified with the original in preparation for legal proceedings that involve discovery, depositions, or actual litigation.

The Sedona Conference Glossary also defines computer forensics:

Computer Forensics (in the context of this document, “forensic analysis”) is the use of specialized techniques for recovery, authentication and analysis of electronic data when an investigation or litigation involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel, and generally requires strict adherence to chain-of-custody protocols.

A recent commentary by forensic expert, Ken Zatyko, in Forensic Magazine focused on the difficulty of defining what he called “digital forensics,” which for purposes of this article, I consider equivalent to “computer forensics.” Ken Zatyko is a recently retired Air Force Lt. Colonel who was the director of the Department of Defense Computer Forensics Laboratory for many years, and is now an Adjunct Professor with John Hopkins University. Ken reviews several other definitions as I have done, and then settles on his own definition that he urges others to adopt:

The application of computer science and investigative procedures for a legal purpose involving the analysis of digital evidence after proper search authority, chain of custody, validation with mathematics, use of validated tools, repeatability, reporting, and possible expert presentation.

This is the best definition I have seen, and my personal favorite, perhaps because it includes “validation with mathematics,” a reference to my favorite subject in computer forensics, hash analysis (See the Blog Page above, HASH, and my law review article on this subject: HASH: The New Bates Stamp).  Zatyko then goes on to delineate an eight-step forensics process:

1. Search authority
2. Chain of custody
3. Imaging/hashing function
4. Validated tools
5. Analysis
6. Repeatability (Quality Assurance)
7. Reporting
8. Possible expert presentation

The various definitions make clear that ”computer forensics” is a disciplined, scientific approach to electronic discovery and evidence validation.  Computer forensics in this general sense should be followed whenever electronic evidence is involved in a legal proceeding, which in today’s world means almost every case. In that sense, the trial lawyer may need a person familiar with computer forensics on every case to supervise e-discovery activities. Trial attorneys must be able to verify that proper procedures, authenticity and chain of custody were followed in order for the ESI discovered to be admissable as evidence at trial. This is, however, a far cry from a full scale Sherlock Holmes forensic examination of all computers.  It is important for attorneys to understand the difference between forensics as a general discipline to lay a proper predicate for evidence, and forensic copying and forensic examinations as particular applications of this discipline, applications that are not necessary in every case.

One person who has a good grasp of this difference is John Patzakis. He is the General Counsel of Guidance Software, makers of EnCase, the forensics software tool used by over 80% of computer forensics experts. Although it might be tempting for him to push the over-use of forensics, he does not do so.  He and his company are a class act, which is one reason I am pleased that John agreed to do a West-Thompson Webinar with me later this year: ”Computer Forensics and E-Discovery.” We will be joined by another e-discovery attorney, a modern-day Sherlock Holmes of computers, Bill Speros, who also understands this distinction very well, and by a well-known accountant forensics expert, Frank Wu of Protivity. 

John Patzakis was interviewed in 2007 by Forensic Focus, a website for “computer forensics news, information and community.” John’s interview provides some good advice on the prudent and restrained use of computer forensics in e-discovery. 

In general, eDiscovery tends to involve a “computer forensics-like” approach, if you will, where aspects of traditional forensics such as chain of custody, metadata recovery and preservation, documentation and reporting and an overall defendable process are central requirements. Aspects of traditional forensics that are generally not as important include full disk imaging, deleted file and file fragment recovery, and deep dive analysis involving various artifacts.

This reference to ”traditional forensics” is what most people think of when they hear “computer forensics,” the expensive CSI-type criminal investigations where computer disks are imaged and forensic exams are performed to restore and search deleted files, fragments, Internet cache, slack space, memory, and the like.  A diagram providing a simple overview of the forensic examination process using EnCase software is shown below.

John Patzakis has written a very comprehensive treatise on electronic discovery law related to his company’s software tools and forensic related issues called the EnCase Legal Journal  (April 2007). At 143 pages and 446 legal citations, this is not your typical vendor white paper, and is well worth reading and using as a reference. Section 9.5 of the Journal is entitled ”Cost-Effective Searching of Data.” It pertains to my original point that many trial lawyers tend to over use computer forensics and seek full-disk imaging and other “deep-dive” analysis in every case.

Collection and preservation of ESI must incorporate a defensible process that accomplishes the objective of preserving relevant data, including metadata, and establishing a proper chain of custody. With the right technology, these results can be achieved without full-disk imaging. However, full-disk imaging and deleted file recovery are emphasized by many eDiscovery vendors and consultants as a routine eDiscovery practice. While such deep-dive analysis is required in some circumstances, full-disk imaging is unwarranted as a standard eDiscovery practice due to considerable costs and burden. Large-scale, full-disk imaging is burdensome because the process is very disruptive, requires much more time to complete, and, as eDiscovery processing and hosting fees are usually calculated on a per-gigabyte basis, costs are increased exponentially. . . .

Generally, courts will only require that full forensic copies of hard drives be made if there is a showing of good cause supported by specific, concrete evidence of the alteration or destruction of electronic information or for other reasons. Balboa Threadworks, Inc. v. Stucky, 2006 WL 763668, at *3 (D. Kan. 2006); However, “[c]ourts have been cautious in requiring the mirror imaging of computers where the request is extremely broad in nature and the connection between the computers and the claims in a lawsuit are unduly vague or unsubstantiated in nature.” Ameriwood Industries, Inc. v. Liberman, 2006 WL 3825291, (E.D. Mo. Dec. 27, 2006).

I wrote about the Ameriwood case in my blog, Employer Allowed to Mirror Employees-Home Computers and Obtain Inaccessible ESI. Ameriwood was one of the first decisions in the country to employ the new inaccessibility analysis under Rule 26(b)(2)(B). Although the court in Ameriwood was cautious, it decided to allow the employer to make a forensic copy of the employee’s computer, and search for otherwise inaccessible ESI, the deleted files and slack space.  The court only allowed this kind of forensic imaging because the employer had made a special showing of good cause under Rule 26(b)(2)(B). The general rule is to be cautious and not allow such forensic exams absent a showing of good cause. Good cause can come in a variety of forms, but usually arises from suspicious circumstances that suggest spoliation, such as a story of a midnight hacker erasing all of your files, or the loss of a laptop with all of your records just before a deposition duces tecum.

In another case, Hedenburg v. Aramark American Food Services, 2007 U.S. Dist. LEXIS 3443 (W.D. Wash. Jan. 17, 2007), the court applied the general rule and denied the application for a forensic exam. The employer requesting the forensic imaging did not provide good cause as required under Rule 26(b)(2)(B). I wrote about Hedenburg in my prior blog Forensic Fishing Expedition Rejected. This is an employment discrimination case where the employer wanted a forensic copy made of the employee’s personal computers. The employer proposed that the copy then be examined by a computer forensic expert serving as a special master. The employer’s attorneys had an expansive view of computer forensics not warranted by the facts or the law. 

In a move reminiscent of Inspector Lestrade, employer’s counsel provided no good reasons for the exam, and instead argued that such exams were common in these types of cases, and might lead to important clues. The Judge rejected the proposed forensics as a mere “fishing expedition.” Blind hope may be a fisherman’s credo, but it will not work in court, and is no substitute for the kind of cold logic and reasoned analysis made famous by Sherlock Holmes.

For more information on forensics check out the audio CLE I did for West Legalworks entitled: E-Discovery and Computer Forensic Investigations 101: When Does Your Case Warrant the Full “CSI” Treatment? With me on the panel for this 1.5 hour webcast were J. William Speros, Consultant and Principal, Speros & Associates LLC; Michael Michalowicz - Associate Director, Protiviti; and, John Patzakis, - Vice Chairman and Chief Legal Officer, Guidance Software.

Survey of Records Administrators Shows Negligent e-Records Management is Creating “Stunning Business Risks”

A new survey of records managers by Cohasset reveals continued neglect in the management of electronic records. The survey shows 40% of organizations do not include electronic records in their retention schedules and 55% do not include emails; only 14% always follow their records retention policy; 44% do not include electronic records in their litigation hold procedures; and, 46% do not think their electronic records are accurate, reliable or trustworthy.  These statistics are amazing to me, especially when you consider this survey is limited to those organizations with full time professional records managers. It is reasonable to assume that the statistics are far worse for companies that do not have a records management department. The bottom line of the study is that:

The majority of organizations are not prepared to meet many of their current or future compliance and legal responsibilities.

The outstanding challenges associated with the management of electronic information assets have the potential to be devastating in terms of costs, professional careers, and even corporate reputations.

The number and magnitude of organizational and operational problems reflected in the survey findings collectively represent stunning business risks.

The integration of electronic records into the organization’s records management program should be a priority, and electronic records control gaps should be the focus of immediate corrective action.

In a hopeful sign for the future, the survey shows that senior management of corporations and governmental entities are beginning to understand the consequences of this neglect, and take steps to resolve it. Also, believe it or not, the survey shows improvement from prior years.

This work has a high degree of credibility and should be a wakeup call for corporate America. It was co-sponsored by the leading professional associations in this area, ARMA (Association of Records Managers and Administrators) and AIIM (Association of Information and Image Management, a/k/a Enterprise Content Management Association). A white paper entitled Call for Collaboration, by Robert F. Williams and Lori J. Ashley, reports on the survey. It was based on information from more than 1600 respondents in 2007, and a total of more than 5500 respondents in the survey’s four prior years – 1999, 2001, 2003 and 2005.

Although much of the report is written in polite and correct jargon, it does not mice words as to the significance of most organizations’ failure to have a functioning litigation hold procedure:

The indisputable fact: an extraordinary number of organizations are negligent with regard to a formal system to ensure records hold orders are successfully administered. For any organization which is the likely target of litigation or regulatory inquiries, the absence of a formal plan to respond to discovery requests must be considered an unacceptable risk. Not having such a system is a legal land mine waiting for detonation. Where there is no formal system for records holds orders in their organizations, records management professionals need to work aggressively with their legal colleagues to correct this significant deficiency. (emphasis added)

Another interesting finding is that most IT departments administer electronic documents, but they have no understanding of the basic premise of records management, that all records should have a “life cycle.”  That is, they are born, have a useful life of some duration appropriate for the type of record involved, and then die. In other words, records are only supposed to be retained for as long as they are needed to meet the organization’s legal and business requirements.  After that, they are supposed to be destroyed, or in some rare instances, like with historical documents, archived for preservation. 

The survey shows IT has no clue about “records life cycle” (or at least that is what the records managers think). For this reason, IT tends to treat all electronic records like the original paper Constitution. They try to archive everything so that it will last forever, usually in multiple, ever spreading copies.  They tend to backup and preserve electronic records forever, or at least for as long as the latest technology permits, and are lax in the destruction of records.  IT fears that the day after they destroy a record someone in senior management will have a rush demand to retrieve it. The mistaken desire for immortal records has had draconian consequences well described in this report:

Higher Storage Costs - If electronic records are retained without a clearly defined disposition trigger (as determined by an organization’s retention schedules), the volume of records will grow rapidly and that growth will be mirrored in the cost for electronic records storage.

Greater Discovery Costs - Since unnecessarily retained records can be the subject of legal discovery, the costs associated with producing records that should have been destroyed are totally unnecessary expenses.

Unwittingly Assisting Plaintiffs - Unnecessarily retained records can be used against the organization in future litigation. This is potentially the most significant cost.

In line with the fundamental premise of this “e-Discovery Team” blog, the authors of this report recommend that senior management begin to address these problems by forming a

cross-functional team (business, legal-compliance, IS/IT, records management) and collaborative approach to ensure an integrated and sustainable records management program.

The advice to in-house counsel is similar. They recommend that legal

Establish an ongoing interactive relationship with IS/IT and records management regarding the organization’s management of its valued information assets, especially electronic records.

I could not agree more. The “stunning business risks” created by the negligent management of electronic records is a high priority problem. It is too big and too complicated a problem for any one branch of a large organization to solve on its own. It is time for the legal departments, IT, records management and operations management to stop working in isolation. They have to work together on this common task. Every study seems to reach this same conclusion. Only an interdepartmental approach will succeed to fix this interdepartmental problem. Companies have to begin by forming, and empowering, a cross-functional team with members from each department, what I call an “e-discovery team.”  Only an e-discovery team can possibly clear the “legal land mine waiting for detonation” which was uncovered by this study, and many others like it.

Update of Two Prior Sanctions Blogs: Qualcomm and Morgan Stanley

This entry provides an update to two prior blogs concerning e-discovery sanctions: the Qualcomm attorney sanctions case, and the Morgan Stanley 9/11 disaster email case.

Qualcomm

The first sequel pertains to the blog of August 18, 2007, Heavy Sanctions Loom Against Attorneys for e-Discovery and other “Aggravated Litigation Abuses”.  Here I recounted the e-discovery “horror story” of the Qualcomm Inc. v. Broadcom Corp. patent case.  It involved a series of abuses culminating in an Order to Show Cause directed against Qualcomm’s attorneys as to why certain very harsh sanctions should not be entered against them. The Show Cause hearing date was originally set for August 29, 2007; upon a motion by the 14+ lawyers facing sanctions, it was postponed until October 12, 2007.

The attorneys accused of wrong doing are from two prominent law firms, Day Casebeer, a small IP boutique firm in Cupertino California, and Heller Ehrman, a 700 attorney firm founded in 1890 in San Francisco.  They advised the court that they could not defend themselves without revealing attorney client-privileges, and Qualcomm refused to waive the privilege. They asked the court for permission to reveal secret, privileged communications with Qualcomm under the “self-defense” exception. Their motion states that they have “very compelling exonerating evidence,” but it involves privileged communications. Apparently they plan to defend themselves by blaming the misconduct on their client. 

On September 28, 2007, Magistrate Judge Barbara Major heard oral argument on the privilege issues and ruled from the bench as to what the attorneys could and could not do to defend themselves. She held that the self-defense exception to the attorney-client privilege did not apply. This means the former Qualcomm attorneys cannot reveal their secret communications with Qualcomm.  But, Magistrate Major also held that the work product privilege could be waived without the client’s consent. According to the Law.com report, this means that ”attorneys can describe how various duties in the case were allocated, and possibly other insights.”  Magistrate Major also stated that if the information the attorneys can provide does not fully explain how the discovery abuses occurred, and Qualcomm still refuses to waive the privilege, then she will consider imposing sanctions against Qualcomm itself.

This situation is highly reminiscent of another recent case, Exact Software v. Infocon, 479 F.Supp.2d 702 (N.D. Ohio, Dec. 5, 2006), that I blogged about in Sanctions for e-Discovery Abuses - Is the Attorney to Blame?  In Exact Software, the court decided that sanctions were appropriate, but could not decide whether to impose sanctions against the plaintiff, or the plaintiff’s attorneys. The attorneys blamed the client, and the client, through its new attorneys, blamed the prior attorneys.

Is the “blame-game” the new litigation sport of e-discovery? If so, it is not a game anyone can win.  No matter what the final outcome, the message of these cases to the legal community is clear.  Your duties as an officer of the court, to be honest and truthful to the court and follow the rules of procedure, must be fulfilled. This duty trumps the duty to zealously represent your client. If a client requires you to depart from that duty, then you must decline, and, if necessary, withdraw from representation. There is no special exception allowed for complicated e-discovery issues. If you do not know what is going on, you had better figure it out. The integrity of the justice system is at stake, and so too is your reputation and career.

Morgan Stanley

The second sequel of interest pertains to the blog of January 19, 2007, E-Mail Woes Hit Morgan Stanley Again. In this blog, I reported that a disciplinary proceeding had been commenced against Morgan Stanley for allegedly failing to produce any pre-9/11 e-mails to regulators and investor plaintiffs.  For years, Morgan Stanley claimed that the Sept. 11, 2001, terrorist attacks on New York’s World Trade Center had destroyed all of its pre-9/11 email.  That is the response they gave in hundreds of arbitration and other proceedings when claimants against Morgan Stanley sought pre-9/11 emails. NASD alleged that this was a lie, that even though their main servers were destroyed in the 9/11 attacks, they had backup tapes and other copies, and millions of the pre-9/11 emails were restored from the tapes, but still never produced. Many people were outraged by this alleged misuse of a national tragedy as a “dog-ate-my-homework” type of excuse to hide evidence.

On September 27, 2007, NASD announced a settlement wherein the disciplinary action was resolved by Morgan Stanley paying $12,500,000. The NASD has, by the way, changed its name since this proceeding was commenced and is now called FINRA, which stands for the Financial Industry Regulatory Authority. FINRA came about through the consolidation of NASD and NYSE Member Regulation. It is now the largest non-governmental regulator for all securities firms doing business in the United States.

According to FINRA’s Press Release:

In settling this matter, Morgan Stanley neither admitted nor denied the charges, but consented to the entry of FINRA’s findings.

The FINRA press release summarized the findings that Morgan Stanley, a/k/a “MSDW,” consented to as follows:

FINRA found that MSDW failed to provide pre-9/11 emails to claimants in numerous arbitration proceedings and in response to three regulatory inquiries during the period from October 2001 through March 2005. FINRA found that MSDW made statements in numerous arbitration proceedings and to the former NASD, New York Stock Exchange Regulation and the Massachusetts Securities Division that those emails had been destroyed. Those statements were not true. In fact, MSDW possessed millions of pre-9/11 emails that had been restored to the firm’s system shortly after Sept. 11, 2001 using backup tapes. Many other emails were maintained on individual users’ computers and had not been affected by the events of 9/11. Among the matters where MSDW failed to produce e-mail was an NASD investigation that resulted in an August 2005 settlement with the firm.

FINRA also found that MSDW later destroyed many of the pre-9/11 emails it did possess. The firm did so in two ways - by overwriting backup tapes that had been used to restore the emails from 11 of its 12 servers to the firm’s system, and by allowing users of the firm’s email system to permanently delete the emails over an extended period of time. As a result, between September 2001 and March 2005, MSDW deleted millions of pre-9/11 emails from the firm’s systems.

In addition, FINRA found that MSDW failed to provide updates to the firm’s supervisory manual for branch office managers to claimants in numerous arbitration proceedings over a period of years. The Branch Manager’s Manual was issued in 1994 and was subsequently supplemented with numerous updates. FINRA found, however, that MSDW repeatedly failed to provide updates to the manual in discovery in numerous arbitration proceedings from late 1999 through the end of 2005.

Under the settlement, a $9.5 million fund will be established by Morgan Stanley to pay certain arbitration claimants.  Another $3 million will be paid to FINRA as a fine. Further, FINRA announced that certain future remedial measures are part of the settlement:

Also as part of the settlement announced today, Morgan Stanley is required - again, at its own expense - to retain an independent consultant acceptable to FINRA to review the firm’s procedures for complying with discovery requirements in arbitration proceedings relating to the firm’s retail brokerage operations. The firm will be required to implement the independent consultant’s recommendations for improving those procedures, or alternative improvements acceptable to the independent consultant.

According to the Bloomberg reports of this settlement, Morgan Stanley issued the following emailed statement on its behalf:

We are pleased to have reached an agreement with FINRA to resolve these legacy legal matters and put them behind the firm.

This is not the first time the government has sanctioned Morgan Stanley for mishandling electronic messages.  Last year, it paid a record $15 million to settle an SEC probe of deficient e-mail preservation. Before that, in 2002, the SEC and other regulators faulted the New York-based firm (and others) for destroying emails and backup tapes, and Morgan Stanley was fined $1.65 million. 

It is very interesting to note that FINRA’s investigation did not find proof of intentional wrongdoing, but rather incompetence on a grand scale.  As usual, there was a complete disconnect between IT and legal. Susan Merrill, FINRA’s chief of enforcement, said in an interview with Reuters:

The failure to produce e-mails was a huge problem.   . . .   We didn’t find evidence that Morgan Stanley intended to hold back e-mails, but it was a case of one hand not knowing what the other was doing.

Susan Merrill also said that FINRA is “focused” on e-mail retention practices, not only at Morgan Stanley, but with other brokerages where it is also a problem.