E-Discovery Tools_ Tactics and Strategies

Electronic Evidence: New Challenges

for Information Security Officers



Presented by:

Tom Greene

Chief Assistant Attorney General, Public Rights

Division

Clark Kelso

Chief Information Officer, State of California



1

Overview



 Introduction to the recent FRCP amendments

for ―Electronically Stored Information‖ (ESI)

 Implications for Information Security

Officers

 Resources

 Questions





2

E-Data has been Discoverable

and Admissible for Some Time



 ―Fed. R. Civ. P. 34(a): ―document‖ includes ―data

compilations from which information can be obtained,

translated, if necessary, by the respondent through

detection devices into reasonably usable form‖



 ―Today it is black letter law that computerized data is

discoverable if relevant … The law is clear that data in

computerized form is discoverable even if paper ‗hard

copies‘ of the information have been produced….‖ Anti-

Monopoly, Inc. v. Hasbro, Inc., 94 Civ.2120, 1995 WL

649934 (S.D.N.Y. 1995)



3

FRCP Amendments and

E-Evidence

 Amendments to the Federal Rules of Civil

Procedure address ―electronically stored

information‖ (ESI)



 Apply to cases brought on or after 12/1/06

and all other cases unless ―would not be

feasible or would work injustice.‖ Rule 86.



4

Amended Rule 34(a):

―Electronically Stored Information‖



“Any party may serve…a request…to

produce designated documents,

electronically stored information—

including writings, drawings, graphs,

charts, photographs, sound recordings,

images, and other data or data

compilations stored in any medium from

which information can be obtained—

translated, if necessary, …into

reasonably useful form…‖

5

Four Concepts in the New Rules



 Early Consideration of ESI issues



 Two-Tier Approach to Back-up Media



 Practical Adjustments



 Shallow Safe Harbor for E-Document

Destruction



6

Critical Decisions Come Early!



 Rule 26(f) Conference Among Counsel

 ASAP but not later than 16 days before Rule 16

conference or issuance of scheduling order.

 Rule 26(a) disclosures of ESI

 At or w/in 14 days of 26(f) conference unless a different

schedule per stipulation or order.

 Rule 16 Conference Order

 ASAP but at least w/in 90 days of appearance of

defendant or 120 days from service of complaint.





7

Rule 26(f) Meet and Confer

Obligation



 Discuss ―any issues relating to preserving

discoverable information‖.

 ―changes in the timing, form or requirement for

disclosures under Rule 26(a)‖

 ―[A]ny issues‖ relating to ESI including the ―form

or forms‖ of production.

 New Form 35 for report to court.

 Consider bringing a consultant/expert.



8

Rule 26(a) Initial Disclosures



 26(a)(1)(A)—Witnesses

 May need to include e-evidence custodian(s);

might well be an ISO.



 26(a)(1)(B)—‖a copy of, or a description by

category of, all documents, electronically

stored information….that the disclosing party

may use to support its claims or defenses‖



9

Rule 26(a); Sanctions



 If fail to ―make a disclosure under Rule

26(a), any other party may‖ move to compel

and for ―appropriate sanctions‖. Rule

37(a)(2)(A).

 May not be ―permitted to use‖ the

undisclosed information ―at a trial, at a

hearing, or on a motion‖. Rule 37(c)(1).



10

Rule 16 Conference



 Per Advisory Committee, Court is to start w/

26(f) Report of Counsel.

 Order is to include ―provisions for disclosure

or discovery of‖ ESI. Rule 16(b)(5).

 Order may include ―any agreements the

parties reach for asserting claims of privilege

or of protection of trial-preparation material

after production.‖ Rule 16(b)(6).



11

Local Rules



 N.D. Cal. Civil Local Rule 16-9 requires a

description of:

 ―Steps taken to preserve evidence relevant to the

issues reasonably evident in the action, including

interdiction of any document-destruction

program and any ongoing erasures of e-mails,

voice-mails, and any other electronically-stored

material.‖



12

Duties of Litigation Counsel

 Communicate discovery obligations to client

 Identify sources of discoverable information

 Speak directly with key players in litigation as well as

IT personnel

 Put in place a litigation hold

 Reiterate instructions for litigation hold and monitor

compliance

 Call for employees to produce copies of e-evidence

 Arrange for segregation and safeguarding of archival

media (backup tapes) (Zubulake V, 229 F.R.D. 422

(S.D.N.Y. 2004)





13

Potential Role(s) of ISOs



 Consultant (How do your systems work?)

 Informal Advice; Attend 26(f) session or 16(b)

conference

 Witness

 Persons Most Knowledgeable (PMK)

Depositions

 Design/Implement Litigation Hold; Search

for Information



14

What Should You Explain to

Your Lawyers?

 Discuss Email System

 Hardware, Software, Versions, Location, etc.

 Discuss File Servers

 Hardware, Software, Versions, Location, etc.

 Discuss PCs

 O/S, Recent Upgrades, Applications, Versions

 Discuss PDAs

 Blackberry, Treo, Palm, etc.

15

Talking to Your Lawyers, Part

2

 Backup Policy

 Retention Policy

 Destruction Policy

 Capable of Litigation Holds?

 Other considerations:

 Thumb drives

 Working from home

 Personal Archives

16

Special Problems with Voice Mail



 Voice mail typically Not under Your Direct

Control



 Contact 3rd-Party Vendor ASAP



 Secure hold on Voice Mails for ―Key

Players‖



17

Two-Tier Approach; Rule

26(b)(2)(C)

 ―A party need not provide discovery of [ESI]from sources

that the party identifies as not reasonably accessible‖



 Committee note states that fact that archived data expensive

to access does not mean don‘t have to preserve back-up

media.



 Demanding party can motion for production if value

outweighs burden taking into account amount in

controversy, parties‘ resources, issues in case and

importance of the proposed discovery.





18

States of Data: Cheap to Expensive



 Active data ($)

 Metadata ($)

 System data ($)

 Backup tapes ($$$)

 Deleted and altered files ($$$$)

 Legacy data ($$$$$)



19

Budget Issues: Costs for Managing

E-Evidence

 Collect data

 $250-500 per hard drive or backup tape

 $2,000-3,000 per server

 Cull and Search for Relevant Data using Tech Tools

 $1,800 per hard drive; more for backup tapes.

 $450 per e-mail box

 Produce Relevant Data

 $750 per hard drive to prepare data for production in proper format

 Convert data to litigation support repository for privilege

review

 $4 per Megabyte plus $.10/page for Bates numbering and tiffing the

images

20

Practical Adjustments: Form(s) of

Production



 FRCP 34(b) authorizes demanding party to

―specify the form or forms in which [ESI] is

to be produced‖; subject to challenge.



 Per Advisory Note, can specify different

forms for spreadsheets and documents.





21

Metadata and Why It May Be

Important in a Lawsuit



 Classic e-mail metadata fields

 From, To, Subject, Date, cc, bcc, Text of email

 Date and time e-mail and/or attachment opened

 50-60 other types of fields are available

 Embedded data (e.g., Excel formulas, Word

Processing prior versions)

 Expensive to manage and produce; relevance

depends on the nature of your case.



22

Typical Forms of Production



 Native Format – ESI is produced as it was

maintained and used; contains metadata.

 Quasi-Native – ESI is produced in a format

similar to, but not the same as, the format in

which it was maintained and used.

 Proprietary software

 Large databases



23

Forms of Production, Part 2



 Quasi-Paper – ESI is converted to image

files, typically TIFF or PDF; meta data and

full text are extracted.

 Quasi-Paper Hybrid – Meta data and text are

extracted with a link to the native file.

 Paper

 What do you really need?

 Be careful what you ask for. . .

24

Rule 37: ―Shallow Safe

Harbor‖

 FRCP 37(f) provides that ―absent exceptional

circumstances, a court may not impose

sanctions…[for ESI]… lost as a result of the

routine, good-faith operation of an electronic

information system.‖

 Good faith per Committee Note includes

retention under common law, etc. and

existence of effective litigation hold.



25

Retention Obligation: Practice

Tips

 Normal business destruction will not yield

sanctions under FRCP.

 But Improper Destruction Creates Major

Risks for Your Agency.

 Written Litigation Hold Policies are Highly

Recommended.





26

What is ―spoliation‖?



 ―the destruction or significant alteration of

evidence, or the failure to

preserve…evidence in pending or reasonably

foreseeable litigation.‖ West v. Goodyear,

167 F.3d 776,779 (2nd Cir.1999)





 contra spoliatorem omnia proesumuntur.

Black’s Law Dictionary4th



27

Sources of Duty to Preserve



 Knew or should have known of possible

litigation

 Specific statutes, e.g. Sarbanes-Oxley; SEC

Rules

 Court order

 Agreement





28

When Does Duty Attach?



 Based on common law ―knew or should have

known‖ standard:

 When Product Designed. Carlucci, 102 F.R.D. 472

(S.D.Fl.1984)

 When Complaints Received. Remington, 836 F.2d 1104 (8th

Cir.1988)

 When litigation suspected. Zubulake IV, 220 F.R.D. 212

(S.D.N.Y.2003)

 When major accident occurs. Union Pac. R.R., 2004

U.S.App.LEXIS 6 (8th Cir.2004)





29

Preservation of Metadata May Be

Required



 Relevance of metadata depends on the case.



 Burden of disclosing metadata on the

producing party. Williams v. Sprint, 2005 U.S.

Dist. Lexis 29882 (D.Md. 11/22/05)





 Discuss at 16(b) conference.



30

What remedies?



 ―Most potent‖ is the adverse inference

instruction. Cedars-Sinai, 18 Cal.4th 1, 11(1998)

 Example: New CA standard instruction 205

reads: ―You may consider whether one

party intentionally concealed or destroyed

evidence. If you decide that a party did so,

you may decide that the evidence would

have been unfavorable to that party.”



31

Other Sanctions



 Monetary



 Evidence



 Issue



 Terminating



32

A Few Examples



 Leon v. IDX (9th Cir. 2006) 464 F.3d 951

(files deleted from laptop; dismissal)

 U.S. v. Gordon (9th Cir.2004) 393 F.3d 1044

(use of ―Evidence Eliminator to scrub drive;

pay costs and conviction affirmed)

 In re Napster (N.D.Cal. 10/25/06) 2006 WL

3050864 (deletion of e-mail; adverse

inference instruction)



33

More Examples



 World Courier v. Barone (N.D.Cal., No. C 06-

3072 THE, 4/13/07) (destruction of hard drive in IP case by

non-party husband; adverse inference instruction, costs;

relies on Residential Funding v. DeGeorge Fin. (2d Cir.

2002) 306 F.3d 99, 105)





 People v. Hanson Building Materials (Contra

Costa County, No. MSC04-00424, 5/3/07) (Failure to retain

e-mail; CA state agency ordered to pay $79K in fees/costs +

adverse inference instruction; writ pending)



34

Litigation Hold Requirement:

Policy and Implementation

 Create Policy to:

 Determine When Hold is to be Imposed

 Define what is to be preserved

 Staff responsibilities

 Implementation Issues:

 ID key players who are involved

 ID relevant records/docs/systems/computers

 Contact and interview all key players

 Will metadata be material? A forensics snapshot?

 Will legacy data or backup media need to be preserved?

 When do we need an outside expert?

35

Litigation Hold Procedures:

Training and Follow-up

 Follow-up

 Meetings and regular reminders

 Individual Interviews

 Determine if staff requires further clarification



 Document the process









36

Resources



 Sedona Guidelines (sedonaconference.com)

 Zubulake decisions

 Michael Arkfeld ,Electronic Discovery and

Evidence (All AGO libraries)

 BNA, Digital Discovery and E-Evidence

 Internet resources

 Discoveryresources.org; krollontrack.com;

FIOS.com; applieddiscovery.com; Note webinars.





37

Take-Aways?



 E-Discovery Presents Serious Risks to Your Agencies.



 ISOs Will Have Important Roles in Future Litigation



 Need to Partner Early with your CIO, the AG and your

General Counsel’s Office.



 Need for Standards and Guidelines (Which You Should

Help Write).





38

Thanks and Questions









39