http://www.law.com/jsp/article.jsp?id=1029171611801 Albert Barsocchini Law Technology News 08-28-2002 Electronic data discovery quickly is becoming mainstream in civil discovery. Recent surveys confirm that more than 90 percent of all documents produced since 1999 were created in digital form. You don't need surveys to prove that point; just walk into any office these days and the first thing you will see is a computer! Surprisingly, many attorneys fail to do any electronic discovery because of concerns that it is costly, time-consuming and complicated. The irony: It is usually wildly cheaper to conduct discovery electronically. New computer forensic techniques allow the cost effective and safe recovery of evidence normally invisible to the user. What used to cost tens of thousands of dollars can now be done for less than $5,000 using trained computer forensic examiners. There is an incredible amount of electronic evidence that can be harvested, preserved, documented and authenticated. Some firms get it. Aggressive law firms are now seeking computer-generated evidence, especially in cases related to defamation, trade secret and intellectual property theft, sexual harassment in the workplace, fraud, breach of contract, divorce proceedings and spoliation of evidence. Even in small personal injury auto cases, defense attorneys are going after e-mail and other electronic evidence related to wage and injury claims. GETTING HELP Knowing where to get help is an important part of your successful electronic discovery plan. Because of the growing demand, many legal vendors are retooling their businesses to include electronic discovery. There are a variety of services now available including electronic discovery consultants, computer forensic investigators, and litigation support services offering electronic document conversion, scanning, indexing and online repositories. Depending upon the size, type of case, and experience of counsel in electronic discovery, it may be wise to consider retaining an electronic discovery consultant. He or she can help create an effective strategy for collecting, analyzing and processing the data. The scope of the consulting services normally includes assisting the attorney in preparing discovery requests related to electronic documents, reviewing and evaluating discovery responses, protecting clients from overly broad demands, and assisting in the collecting, analyzing and producing of relevant electronic data. Electronic discovery in civil litigation has been hampered in the past by a lack of streamlined procedures to access computers in the control of opposing litigants or third parties. Unlike government investigators, who can seize computers pursuant to warrant without any advance notice, a civil litigant often gains accesses to opponent's computer systems only after weeks of protracted objections and discovery motions. With the help of a good consultant, unnecessary objections and motions can be avoided. Your best bet: an electronic discovery consultant who is both a lawyer with litigation experience and trained in computer forensics. WHAT TO DO Recent case law has helped define procedures that counsel should consider when computer evidence may be relevant: 1. Send a preservation letter. 2. Appoint a neutral forensic expert. 3. Prepare an order detailing the inspection protocol. 4. Hire a forensic expert to acquire and preserve computer data for examination. 5. Examine and analyze image data files for evidence. 6. Document the findings. See Playboy Enterprises v. Welles, 60 F.Supp.2d 1050, 1054 (S.D. CA 1999); Simon Property Group v. mySimon, Inc. 2000 WL 963035 (S.D.); Trigon Insurance Company v. United States, 204 F.R.D. 277 (E.D. Va 2001); and Rowe Entertainment v. The William Morris Agency, 2002 WL 63190 (S.D.N.Y.). Proper electronic discovery should always begin with the issuance of a demand letter requesting the preservation of all relevant computer evidence. At that point in time, any document retention and destruction policy in effect should be suspended and the company is on notice that any destruction of documents from that time on could turn into a spoliation of evidence case. After an electronic discovery plan has been created, interrogatories and depositions follow to flush out information about what types of relevant evidence might be found, what form that evidence may take, information about the computer network configuration, what software is in use, any document retention policies, data backup and storage locations, and who has control and the most knowledge about a particular computer network. From this first discovery fly-over, a document production request can be carefully crafted. FORENSICS If the responses indicate that relevant evidence may exist in electronic form, the next step is to bring in a computer forensic examiner to perform the evidence harvesting. Computer forensics deals with the collection, preservation, analysis, and presentation of computer related evidence. Besides recovering documents in specified directories, evidence also lives in so-called swap files, slack files and in unallocated space (free space) on your hard drive. Important evidence called "shadow data" can be also be found living within the imperfections on a hard drive and by any misalignment in the hard disk head when it writes, reads and deletes data. When looking for computer-related evidence, forensic experts first create a complete non-invasive sector-by-sector "mirror image" backup of all data contained on the target computer media in order to recover all active, deleted and temporary files. This process allows the examiner to "freeze time" by having a complete snapshot of the subject drive at the time of acquisition. A so-called "hash file" (digital fingerprint) is created of the original hard drive and the back copy in order to prove that it has not been altered during the examination process. After the mirror image is created, the examiner conducts the examination on the mirror image without ever altering the contents of the original hard drive. This process is the only practical means of searching and analyzing computer files without altering date stamps or other information. Oftentimes, a file date stamp (file creation date, last modified, or last accessed) is a critical piece of evidence that may weigh in the balance of a dispute. The importance of a proper forensic examination can be illustrated by a single Word or WordPerfect document. Each document can include historical information in a variety of places. Information can be stored as "metadata," in timed backup files and related slack within it, in a swap file, in temporary files and related slack within it, in temporary print files and related slack within it, and possibly in OLE files, too. So depending on how the discovery request is phrased, the Request for Production of a single specific document can generate up to 11 separate pieces of evidence with valuable historical information about it. Depending upon the scope of the request and volume of evidence to be produced, counsel may need to engage a litigation support service to help in the conversion, scanning, coding and indexing of the electronic evidence generated. For small cases with limited documents, all you really need is a good computer forensic examiner. Many vendors and individuals offer these computer forensic services. When engaging a forensic examiner, always scrutinize his or her résumé for the amount of training they have received, on-the-job experience and how many times they have served as an expert witness in a civil matter and actually testified in court. Normally, a forensic expert will be retained by both parties and experienced ones often act as a discovery referee or a special master, too. The requesting party normally pays the cost of the forensic examination; however, many courts will shift the cost of the forensic investigation when the producing party is shown to have deleted files in bad faith. FRAGILE The bottom line: Electronic discovery must be both taken seriously and done properly because the evidence is fragile, easily erased and can be compromised by untrained parties. Litigators practicing in today's digital environment must understand the various ways information can be stored and retrieved not only to ensure compliance with discovery rules, but to build the best possible case for their client. Failing to do so may not only prejudice the case, but may be malpractice. California attorney Albert Barsocchini, a member of the Law Technology News Editorial Advisory Board, is a senior law technologist and electronic discovery consultant at San Rafael, Calif.'s The LawTek Group. E-mail: lawtechat_private - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 03:00:34 PDT