GPSolo Magazine - June 2004
What Dangers Lurk in the Virtual Abyss
Electronic evidence has burgeoned—over 90 percent of documents are now electronic, and most of them will never be converted to paper. In North America, our e-mail-happy residents transmit more than 4 trillion e-mails per day. The average worker now receives between 20 and 80 non-spam e-mails per day. Most lawyers experienced in working with electronic evidence suggest that there isn’t much difference between being the sender or the recipient of notice for electronic discovery: You’re either about to stir up a maelstrom or you’ve just been caught in one.
Electronic discovery by itself may cause Advil consumption to quadruple in the next several years. For most attorneys, it is still an alien and formidable territory, as beset by mythic monsters as the seas early mariners once believed contained fearsome creatures that would swallow them whole. Don’t discount such fears entirely, though—those churning electronic evidence waters could capsize your whole case. This article will help you navigate without being devoured by sea monsters—or opposing counsel.
Marco! Polo! Hide-and-Seek Beneath the Digital Waves
If you initiate a discovery request:
• Don’t forget to designate the expert.
If you receive a discovery request:
• Muddy the waters.
Find an Expert to Chart the Depths
Of course you’re going to choose an expert carefully when you prepare to initiate an electronic evidence discovery request. But finding a well-qualified expert to work with may be the hardest part of your mission. These days, everyone and her brother and his sister is hanging out a shingle and claiming to be a computer forensics and electronic evidence expert. Be sure you know the difference between them. Computer forensic technologists first and foremost are technologists—people you hope have a wall full of technical certifications, because they are going to actually lift electronic evidence from computers and peripherals such as digital copiers, PDAs, zip discs, floppy discs, CD-ROMs, and so on. Electronic evidence experts generally help organize, manage, and analyze the electronic evidence unearthed by the forensic technologist. There is some crossover between the two fields, and some companies do provide both services.
A good forensic expert should have a strong background of technical certifications, including a computer forensic certification. Beware of those who claim to be certified when all they really did was attend training classes. By and large, new graduates lack broad experience and exposure to multiple platforms, operating systems, networks, and applications. And because technology truly makes global access to experts available—and although it seems obvious—ensure that your expert is fluent in English. An expert who cannot reduce technicalities to simple terms and examples for a judge or jury cannot testify effectively.
Review the expert’s credentials by asking for and examining at least a few of the following qualifications:
1. A list of courts in which the individual is qualified as or has been appointed as an expert.
2. Recent cases in which he or she was involved. Ask for a sample expert report, which can tell you a lot about the quality of the expert’s work.
3. A list of publications the expert authored and seminars at which he or she presented programs.
4. Most importantly, a list of references. Reluctance to fulfill this request is a red flag. And after you get the list, contact a few of the sources on it (a step many interviewers neglect). Ask whether the expert was responsive, worked professionally and to schedule, and billed in the ballpark of the quoted fee. The most bitter accusations by attorneys to experts in this field involve costs that spiraled out of control without the attorneys’ knowledge or consent and resulted in greatly aggrieved clients.
If you use a specialty firm or group of experts, ask whether any have backgrounds in law or are lawyers. This of course can be very useful because a technologist may not recognize the legal significance of the data recovered. (This is less important if you are going to have the data turned over to in-house or outside electronic evidence experts.)
Additional charges by experts in a case always are an issue. Larger companies charge as much as $500 an hour, which is very high for some cases. On the other hand, if the charge falls below $250 per hour, scrutinize the company’s qualifications with extreme care. Some computer forensics companies simply lack experience in complex legal cases and frequently don’t know the scope of work involved in the beginning, so estimates may vary from the quoted fee—but a reliable company will inform you of this at the first sign. Checking references should give you some guides in this area.
Dredging Up E-vidence
The following are representative of the kind of questions you need to ask specific individuals involved in the case, whether by interrogatories or during deposition:
• Do you make individual backups of your system, files, or any portion of the network?
Draft a Preservation of Evidence Letter
The fear factor looms large in the electronic evidence arena, and this can help when you put the other side on notice with a preservation of evidence letter. In your notice, be as specific as possible. Define the exact nature of the data in issue. If you know which individuals may be involved, identify them and ask that their machines be taken offline until their computers can be forensically imaged. Warn the company or party to take backups out of rotation; not to defrag or optimize machines; not to dispose of machines; and to take steps to preserve evidence on all computer-related equipment and media, including PDAs, digital printers, telephonic systems, floppy and zip disks, CD-ROMs, DVDs, and so on. Above all, explain what spoliation is; how it relates to deleting, modifying, or moving evidence; and the consequences such alterations may bring. Fear may stifle a natural urge to expunge damaging information, but if you have reason to suspect spoliation may occur, go to court and get a protective order.
Prepare for Discovery
If you don’t know your RAM from your ROM, you need expert help in drafting discovery requests. Bear in mind that all judges hate fishing expeditions. Requests should be tailored in such a way that relevant evidence will be preserved or produced without placing an overly broad and onerous burden on the other side, to the extent possible. Always include the word “electronic” in all definitions, where appropriate; for example, the definition of “document” always should include “electronic documents.”
The general rule of thumb in preparing discovery is that there is a lot you don’t know, and you have a lot of questions to ask, especially about technology. Work with the expert, allowing enough time to be thorough and precise. The answers you receive will probably dictate a second round of discovery. The following list contains most of the facts you must dredge up for cases involving electronic evidence, whether through discovery requests or depositions.
• Hardware and Software
1. Configuration of the company’s network, including operating systems used; number of work stations, laptops, and servers; their physical location; and a diagram of how all devices are interconnected.
2. Software applications that are used, both off the shelf and custom.
3. Databases used internally by the company, and their functions.
4. How the backup systems, software (including version), and hardware (including manufacturer name and model) work, including tape rotation schedule, what happens when tapes are overwritten, and what data is backed up and from which device.
5. Location of offsite backup storage, and a contact.
6. Current security measures that prevent unauthorized access to backup media.
7. All portable media that may contain data relevant to this matter, such as disks, zip disks, CD-ROMs, DVDs, tapes, thumb drives, etc.
8. System administrator(s) and contact information, as well as this person’s supervisor and contact information.
9. Information technology (IT) personnel who may have worked on or have knowledge of data relevant to this matter.
10. Network authentication procedures.
11. Descriptions of related intranets or extranets, their functions, and their security mechanisms.
12. Number of PDAs in use (if applicable) by manufacturer and model, and individuals who use them.
13. Number and location of all company workstations and laptops, including manufacturer, model, and class; operating systems; and user names.
14. Manufacturer, model, and location of networked digital copiers.
15. Whether employees work from home computers; whether a VPN or other form of remote access to the network exists, and authentication/security methods.
Just as in the paper world, the general rule is that the producing party pays discovery costs. There are, however, grounds for cost shifting, and they are cogently spelled out in the Zubulake v. UBS Warburg decisions (cases 1 through 4). Zubulake mandated that courts considering cost shifting in discovery consider multiple factors, in order of priority:
• Extent to which the request was tailored to discover relevant information,
The Zubulake cases, which also set forth a “sampling” procedure to see whether relevant evidence exists before either of the parties expends a fortune, are rapidly becoming the gold standard in the electronic evidence world and well worth perusing.
1. E-mail package used, including version.
2. E-mail server, with manufacturer and model, operating system and mail server software used, and location (if applicable).
3. Location of e-mail storage.
4. Network activities/events routinely logged (e.g., SNMP traps, router logs).
5. Active intrusion detection systems and configurations.
6. Internet provider.
7. Website host.
8. Who holds administrative rights to mail server.
9. Internet and e-mail use policy.
1. Monitoring policy regarding em-ployees’ computer activity, including what is monitored and by whom and retention period for logs.
2. Security policy and procedures.
3. Firewall manufacturer, model, and configuration.
4. Router manufacturer, model, and configuration
5. Application service provider and nature of data held.
6. Outsourcing policy for IT services, including provider, description of provider’s services, and contact information.
7. Security structure, including who has access to which applications, drives, etc. Note the distinction, if applicable, between read-only access, and read/write access.
8. Names, log-on IDs, passwords, and e-mail addresses of individuals who may have knowledge in this matter.
9. Encryption programs, including level of encryption and where/how they are used; decryption keys, and pertinent instructions for decryption.
• Phone/Voice Mail
1. PBX manufacturer, model, and whether it interfaces with telephone system and carries voice mail.
2. Retention policy for any voice messaging records.
3. Retention policy for phone usage records and categories of records kept.
4. Retention or disposal policies for such records.
5. Schemata of network or telephone system.
6. Company-issued cell phones and pagers, by manufacturer, model, and name of primary user.
• Post-Notice Review
1. Instructions given to all employees regarding need to preserve possible evidence, date they were given, and copies of all instructions.
2. List of specific data deleted, and when this was done, for all data relevant to the matter.
3. Disposal policy for data and hardware.
4. Company behavior regarding over-writing of backup tapes and selling, donating, or otherwise disposing of equipment since notice was given, and how such behavior might differ from company policy previously in force.
5. List of equipment disposed of during the period in question.
6. Software and/or hardware modifications to computers during the period in question.
7. Individuals by job title, name, business address, and phone number with responsibility for enforcing Internet or e-mail usage policies, document retention policies, and employee monitoring.
8.Case names, courts, date of production, and media in which the evidence was produced for any matters during which the company previously produced electronic evidence.
9. Dates and details of any computer or computer-related crimes of which the company has been found guilty.
It is always helpful to have your expert present for depositions involving electronic evidence, if costs permit. He or she is more likely to understand some of the information than are you, so let the expert handle the questioning (making an agreement beforehand with the other side), or at least have the expert sit next to you to guide you. (See the sidebar “Dredging Up E-vidence” on page 37 for sample questions that can elicit the information detailed in the above lists.)
When the Maelstrom Catches You
If you are the recipient of electronic evidence discovery requests, you need your own expert to guide you through collecting information and preventing the spoliation of evidence. Begin the search for an expert using the criteria set forth at the beginning of the article—the sooner you get started, the better. If you receive a preservation of evidence letter, make sure it is promptly delivered to your client. Better yet, with or without a preservation of evidence letter from the other side, write a preservation of evidence letter of your own and a memorandum to be distributed to all your client’s employees who may be impacted.
Spoliation Dos and Don’ts. Spoliation is no joke. Judges are increasingly incensed by the revelation of spoliation, imposing fines and sanctions and, worst of all, allowing juries to draw adverse inferences from the spoliation. Make sure this is absolutely clear to your client. Pass along the following general advice at the very beginning of the matter:
• Do remove backup tapes from rotation.
• Don’t allow internal folks to go looking for evidence. They will stomp all over the place, changing “dates of last access” that may be legally significant. Keep in mind that they have a vested interest in the matter. Be forewarned, though: This is the most frequently violated advice because people can’t seem to resist sniffing out what evidence may actually exist.
• Don’t dispose of equipment or media.
• Don’t allow defragging, document deletions, or installation of new applications, all of which may compromise the evidence or be taken as spoliation.
Knowledge Is Power. Obviously, you will want to know how much trouble your client may be in, and nothing can prevent you from hiring your own forensic expert and forensically acquiring workstations or servers likely to contain relevant evidence. Doing this will not change anything on the underlying machine but will allow you to see whether digital smoking guns are pointed at your client’s forehead. Knowing in advance what’s out there will help immeasurably when you negotiate a computer forensics/electronic evidence protocol as the case proceeds. Of course, if the evidence is damning enough, an expeditious settlement may be in order. This is your call once you’ve seen the evidence.
Establish Protocols. Whatever happens, make sure that experts on both sides have signed confidentiality agreements. In the computer forensic protocol, specify that evidence will be turned over to counsel for the producing side to screen for privilege and to obtain whatever protection may be necessary for proprietary data. The protocol is also useful to narrow search terms, a date range, and specific files to search for. Include how the forensic image of the evidence will be handled when the case is concluded. Will the expert destroy it and prepare an affidavit attesting to its destruction? Should the imaged hard drive be returned to you or to your client? Sad as it may sound, you very well may need to deal with the issue of child pornography, which turns up in the most unlikely places. If child pornography is indeed found, analysis will have to be stopped and the drive turned over to law enforcement.
Safety First. A vital piece of information you can pass on to all your clients to help them avoid the risks inherent in the electronic discovery process is to implement or strengthen a document retention policy. Currently only larger companies tend to have document retention policies—often poorly enforced, at that. Immediately after litigation is threatened is not the opportune time to suddenly start enforcing a retention policy that was previously hit and miss. Bear in mind the disturbing statistic that 10 percent of employees will refuse to abide by any policy, just as some people are just plain pack rats and clog up the system with copies of everything.
E-mail presents the worst type of evidence threat because of our cavalier attitude toward it; we often speak unguardedly and without the personal or professional discretion we might exercise when writing a letter. And it can be forwarded or blind-copied to just about anyone with one click. E-mail is remarkably long lived. Nonetheless, a good policy, properly enforced, will mean less evidence lurking about to devour your client in court.
A Seafarer’s Prayer
By the time you’ve read all this, the ancient mariners’ custom of praying to Poseidon for protection from sea monsters probably doesn’t seem so far-fetched. Many lawyers have been swamped by the weight of damning electronic evidence—you need not be one of them.
Sharon D. Nelson and John W. Simek are, respectively, president and vice president of Sensei Enterprises, Inc., a legal technology and computer forensics firm based in Fairfax, Virginia. They can be reached at email@example.com.