←All Posts Posted on October 17, 2014 By admin
As a society our increased reliance on computers, smartphones and other electronic gadgets means that more and more of our information is stored in digital form. From a lawyer’s point of view this electronically stored information (ESI) presents a number of challenges in terms of capturing and preserving material relevant to a particular case.
What is ESI?
Put simply, any device containing electronic storage can be a source of ESI. These can be company servers, desktop or laptop PCs and workstations used by employees, as well as mobile devices such as smartphones and tablets.
ESI isn’t limited to these, however, it may also be extracted from equipment like telephone systems – call records for example – email servers and even websites such as social networks. In recent times it’s increasingly common for data to be stored on third-party ‘cloud’ services too.
The data can come in both structured and unstructured forms. Structured data, such as database records can be easily searched and records extracted, often using the tools that were employed to create it in the first place.
Unstructured data comes in many forms like spreadsheets, word processing files and emails for example. Because this data lacks a formal index it’s harder to search and the process is likely to take longer as it may need to rely on, for example, scanning the text for specific keywords.
It’s also worth considering what the IT world calls ‘metadata’. This is the information that systems store about files, which can be used to pinpoint when they were created, modified and so on. Metadata can play a key role in filtering to determine which ESI is relevant and useful.
There is then a vast number of potential sources and formats of ESI and, as we’ll see, that makes it essential to take a professional, controlled approach to the discovery process.
Information Overload
Technology makes it easy to store data and that means that it’s often kept just because it can be. It also means that it’s often retained way beyond its natural lifespan. These factors together mean that huge volumes of information need to be sifted in order to find what’s relevant.
Even for computer professionals the volume of this data and its complexity can be overwhelming. It’s also often the case that – because of factors like staff changes, lack of adequate documentation, organisational restructures and so on – knowledge within a business of where ESI can be found is missing or at best sketchy.
Having said that, the first steps in discovery of electronic records aren’t too much different from more traditional methods. It’s still important to find out which parties are involved, the time scale, what the focus of the matter is and whether it’s subject to any court order or regulatory request for disclosure.
Preparation is Key
Establishing a timeline is one of the first steps to take. It’s vital to have key dates relating to the time period under review, when the matter came to light, what actions have been taken since – which may have led to ‘spoilation’ – and any known deadlines. The review period usually takes in the time of the incident under investigation plus two months either side to ensure that nothing important is missed.
It’s also vital that the eDiscovery team has the right contacts in the organisation. At the very least this will require a business contact at a sufficiently high level to take decisions, an IT administrator who will be able to help in extracting information, a legal contact who is able to deal with consents under data privacy legislation, and an HR contact who can advise on organisational structure, lines of reporting and so on.
Armed with all of this it should be possible to establish the custodians of the ESI, the equipment used during the period of the investigation and its current location. The eDiscovery team also needs to identify at an early stage alternative data sources, such as backups, and decide which need to be preserved and collected.
Once sources are identified a meeting needs to be held with the parties involved to agree the scope and methodology of the eDiscovery process.
Data Policy
Most organisations will already have some way of dividing their data into different categories. This is partly to determine the level of security required, medical records for example will have stronger measures in place to ensure they’re not accessed without authority.
There may be various levels of confidentiality at work within an organisation, ranging from information that’s completely open, to sensitive and confidential files. This is further complicated if employees are allowed to use personal devices, such as mobile phones, for work purposes.
Larger organisations are more likely to have policies in place relating to the use and storage of ESI. To an extent this can make the discovery process easier, as the policy will determine how long data needs to be stored for regulatory purposes.
A good policy should also cover how ESI is to be disposed of when it reaches the end of its life and what, if any, definitive reference documents need to be maintained. It may also set out how employees are allowed to access and use data.
If the organisation has a BYOD (Bring Your Own Device) policy it should set out how staff are allowed to use data on their own machines. This needs to include any safeguards, such as security software, along with measures to ensure data is securely removed should the employee leave or the device be lost or stolen.
Collecting Data
Digital information is by its nature volatile, so steps need to be taken to preserve ESI as soon as possible. These include identifying sources that are at risk of loss or destruction, identifying issues that may hinder preservation and identifying custodians. It may be necessary to issue notices to parties involved to ensure that they preserve or hold the data. This may mean taking a snapshot copy of a system at a particular time and storing it separately so it can’t be modified.
For this it may be necessary to determine who has access to and control over the data – custodianship if you prefer. The policies discussed above may help to determine this but, it’s important to consider that employees may have copies of information stored on their desktop or portable systems. In these cases the individual may be considered responsible for that data.
Once the data is preserved it needs to be collected. This again means addressing any data protection and privacy issues. It also means identifying the best method and time to collect the ESI and how that collection should be targeted. It’s also important to note that collection can be done using forensic or non-forensic methods.
Accessibility is an issue here, current data should be easy to obtain, however, if it’s necessary to go back several weeks or months it may be necessary to extract ESI from backup or archive copies. These should have been identified and secured as part of the classification process.
If data has been archived for a long time there may be additional problems due to the use of legacy systems. Old storage devices like tape or laser disc or degradation of storage media over time may require additional resources in order to recover the ESI.
Where very large volumes of data are involved it may be necessary to adopt a cost/benefit approach to determine what is appropriate for the particular matter. In some instances it may be possible to sample the data in order to test for the presence of relevant ESI. This can save time later as it eliminates the need to search large volumes of unrelated information.
Collection Methodology
As mentioned above, collection of ESI can be done in a forensic way. This ensures that all of the metadata associated with files is secured as well as the files themselves. If a hard disk is involved forensic collection may also mean preserving the free space so that it can be tested for deleted information. If forensic analysis is required the system needs to be taken out of use as soon as possible to remove the chance of information being overwritten.
Non-forensic collection can be carried out more simply by taking a copy of the required files to external disks, DVD or other media.
Once data is collected procedures need to be in place to ensure it’s properly stored and maintained. It’s vital to keep a secure original copy of any evidential data once it’s been collected. Any processing or queries must be run on a copy of the ESI never on the original as this may risk compromising the information. Even then processing methods need to be agreed with the appropriate legal team. This should include things like decryption, date ranges, software used as so on.
It may also be necessary to identify which files are relevant to the discovery process and isolate these from the rest of the data. This is something which may need to be reviewed after initial processing has been carried out in order to address any exceptions.
Review Details
The review process uses keyword searches in order to identify documents that are of possible interest. A reviewer will then read the document to determine its meaning and come up with new keywords to refine the search. For this to be successful the person or team undertaking the review needs to know the background of the case.
Depending on the volume of data there may be between several reviewers working on a case. They are allocated data in blocks, but because sharing of information is vital at this stage, there will usually be a meeting of reviewers at the end of each day to discuss their findings. A new set of keywords is devised based on this and used for the next stage. This process continues until the review is complete. Investigators need to have access to the latest version of the information and legal teams need to be briefed as soon as possible on any new findings.
The review process also needs to identify any privileged documents which don’t need to be disclosed. The manager of the review team will need to liaise closely with the legal team on this. If the ESI contains privileged documents, most review platforms have a tagging feature that can be used to highlight them.
It’s also a good idea to have a documented quality control process to maintain a high standard of review throughout the eDiscovery process.
Analysis of Data
This stage moves beyond keyword searches and reading the documents. Advanced textual analytics techniques are used to identify similar documents and chained duplicates – that is documents which may be similar to each other even though they differ from the original.
As we increasingly rely on electronic communication it’s important to analyse that too. Email is at the top of the list here with the volume and frequency as well as content of both incoming and outgoing messages being of interest. Analysis of other forms of communication such as instant messaging and social networking may be useful too. Visual analytics can be used to provide a graphical representation of communications, timelines and so on.
Weeding out irrelevant documents is done with the help of an automatic classifier. This is ‘trained’ by feeding it a mix of relevant and irrelevant documents to allow it to identify them. Once relevant documents have been picked out, a new keyword list is created and the review process starts over again, followed by a repeat of the analysis stage. It may be necessary to go through these stages several times to ensure all relevant ESI has been identified.
Some types of file – photos and videos for example – are hard to scan electronically for content and may need to be examined manually.
How detailed analysis of ESI is performed will depend to an extent on the objective of the investigation. At this phase, important decisions are made on how the eDiscovery process will proceed.
Production of Results
Once the discovery process is complete it’s time to deliver the results. At some point it will be necessary to agree the format used for this. PDF is a common choice as it ensures the recipient sees the format as the sender intended.
It’s necessary to provide a list or index of the ESI that’s being supplied and, equally important, any that’s being withheld – decisions on the latter will need to come from the legal team. Each piece of ESI that’s produced needs to be documented so that it can be traced back to its source and be verified as authentic.
If the ESI is to be presented in a hearing, all parties need to agree whether it can be used and what, if any, technology will be used to do so. The hearing venue needs to have appropriate technology in place. It’s vital that the method of presentation doesn’t alter the data in any way, nor leave it open to misinterpretation.
Most of these details will be for the legal team to negotiate but the eDiscovery specialists may be asked to advise and provide assistance.