Category Archives: Authentication

Full Disk Imaging Not Required for eDiscovery Collections

In Fact, Courts and Legal Commentators Disfavor the Practice

By John Patzakis[1]

The collection and preservation of Electronically Stored Information (ESI) in the enterprise remains a significant and costly pain point for organizations. Leading industry research firm Gartner notes that eDiscovery collection and preservation processes “can be intrusive, time consuming and costly.”[2]  And recent court decisions imposing sanctions on corporate litigants who failed to meet their ESI preservation obligations are symptomatic of these pain points.[3]

A key issue regarding collection is that many in the eDiscovery services community standardized on full disk imaging as their default collection practice.  This is problematic for several reasons. For one, full-disk imaging is burdensome because the process often involves service providers traveling out to the individual custodians, which is very disruptive to employees, not to mention time consuming. Additionally, as eDiscovery processing and hosting fees are usually calculated on a per-gigabyte basis, costs are increased exponentially. In a word, this is overkill, with much more effective and efficient options now available.

Full disk images capture every bit and byte on a hard drive, including system and application files, unallocated space and a host of irrelevant user-created data. While full disk images may be warranted in some limited situations, the expense and burden associated with the practice can be quite extensive, particularly in matters that involve multiple custodians.

It is established law that the duty to preserve evidence, including ESI, extends only to relevant information[4]  The vast majority of ESI on a full disk image will typically constitute irrelevant information. As stated by one court, “imaging a hard drive results in the production of massive amounts of irrelevant, and perhaps privileged, information.”[5] The highly influential Sedona Conference notes: “Civil litigation should not be approached as if information systems were crime scenes that justify forensic investigation at every opportunity to identify and preserve every detail.”

And that: “Forensic data collection requires intrusive access to desktop, server, laptop, or other hard drives or media storage devices.”  While noting the practice is acceptable in some limited circumstances, “making a forensic copy of computers is only the first step of an expensive, complex, and difficult process of data analysis . . . it should not be required unless circumstances specifically warrant the additional cost and burden and there is no less burdensome option available.”[6]

This disfavoring of forensic imaging is also reflected in the increased emphasis of proportionality under recent amendment to Federal Rule of Civil Procedure 26(b)(1). The over-arching theme from case law and the Federal Rules is that ESI preservation efforts should be reasonable, proportionate, and targeted to only relevant information, as opposed to being overly broad and unduly burdensome.

Courts do require that ESI be collected in a forensically sound manner, which does not mean a full forensic disk image is required, but generally does entail that metadata is not altered and a documented chain of custody is maintained. More advanced enterprise class technology can accomplish remote searches across multitudes of custodians that are narrowly tailored to collect only potentially relevant information while preserving metadata at the same time. This process is better, faster and dramatically less expensive than manual disk imaging.

In fact, The Sedona principles do outline such an alternative to forensic disk imaging: “Automated or computer-assisted collection involves using computerized processes to collect ESI meeting certain criteria, such as search terms, file and message dates, or folder locations. Automated collection can be integrated with an overall electronic data archiving or retention system, or it can be implemented using technology specifically designated to retrieve information on a case-by-case basis.”

This language maps directly to the capabilities of X1 Distributed Discovery (X1DD), which enables parties to perform targeted search and collection of the ESI of up to thousands of endpoints over the internal network without disrupting operations. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%). This method is sound from an evidentiary standpoint as the collected data is preserved in its native file format with its metadata intact. X1DD features a solid chain of custody and robust logging, tracking and reporting.

And in line with the concepts outlined in the revised Sedona Commentary, X1DD provides a repeatable, verifiable and documented process for the requisite defensibility. 


NOTES:

[1]John Patzakis is the Chief Legal Officer of X1.

[2] “Market Guide for E-Discovery Solutions” Gartner, June 30, 2016

[3] (Matthew Enter., Inc. v. Chrysler Grp. LLC, 2016 WL 2957133 (N.D. Cal. May 23, 2016). (Imposing severe evidentiary including allowing the defense to use the fact of ESI spoliation to rebut testimony from the plaintiff’s witnesses and payment of attorney’s fees incurred by the defendant) Internmatch v. Nxtbigthing, LLC, 2016 WL 491483 (N.D. Cal. Feb. 8, 2016), a U.S. District Court imposed similar sanctions based upon the corporate defendant’s suspect ESI preservation efforts.

[4] Hynix Semiconductor Inc. v. Rambus Inc., 2006 WL 565893 (N.D.Cal. Jan. 5, 2006) at *27. (“The duty to preserve evidence, once it attaches, does not extend beyond evidence that is relevant and material to the claims at issue in the litigation.”)  As noted by the Zubulake court, “Clearly [there is no duty to] preserve every shred of paper, every e-mail or electronic document, and every backup tape…Such a rule would cripple large corporations.”  Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217 (S.D.N.Y. 2004) (“Zubulake IV”).

[5] Deipenhorst v. City of Battle Creek, 2006 WL 1851243 (W.D.Mich. June 30, 2006) at *3.  In noting that the “imaging of computer hard drives is an expensive process, and adds to the burden of litigation for both parties,” the Deipenhorst court declined to require the production of  full disk images absent a strong showing of good cause. See also, Fasteners for Retail, Inc. v. DeJohn et al., No 1000333 (Ct. App.Ohio April 24, 2014).

[6] The Sedona Principles, Third Edition: Best Practices, Recommendations & Principles for Addressing Electronic Document Production, 19 Sedona Conf. J. 1 (2018).

Leave a comment

Filed under Authentication, Best Practices, ECA, eDiscovery, ESI, Preservation & Collection

Social Media Statements: Key Evidence and Often Exceptions to the Hearsay Rule

By John Patzakis

Here is a quick legal evidence quiz: Identify the three distinct hearsay exceptions in the following Tweet:

Accident 5

 

The first exception would be under Federal Rule of Evidence 803(2):

“Rule 803. Exceptions to the Rule Against Hearsay: . . . (2) Excited Utterance. A statement relating to a startling event or condition, made while the declarant was under the stress of excitement that it caused.”

Pretty clear here. The four OMGs are a good indication. So no one can argue that the phrase “OMG” never has any legal consequence.

The second exception would be under FRE 803(1): “Present Sense Impression. A statement describing or explaining an event or condition, made while or immediately after the declarant perceived it.”

And if the witness some time later did not recall details of the incident (two words: Vegas, hangover), the statement could be introduced as a recorded recollection under 803(5).

Another key hearsay exception are statements offered as evidence of the then state of mind of the declarant. While YouTube is known for cat videos, Twitter and Facebook are in large part a platform for statements like this:

Happy Tweet

 

In other words, to quote FRE 803(3): “Then-Existing Mental, Emotional, or Physical Condition. A statement of the declarant’s then-existing state of mind (such as motive, intent, or plan) or emotional, sensory, or physical condition (such as mental feeling, pain, or bodily health)”

While social media is a great place to find out what Kim Kardashian and Justin Bieber are thinking or feeling on a given day, the state of mind of a party or witness is a common issue in many legal matters. (See Gordon v. T.G.R. Logistics, Inc. (D. Wy. May 10, 2017) (Court orders production of entire Facebook Account history as relevant to mental and emotional state of Plaintiff)).

And finally, arguably the most compelling social media evidence stems from the propensity to self-incriminate oneself on Twitter, otherwise known as a Statement Against Interest under FRE 804(b)(3).  This takes multiple forms, including flat out admissions of liability, or previous statements that contradict or otherwise impugn the integrity of a declarant. For instance:

Trump tweet

 

The bottom line is that social media provides a treasure trove of evidence that also tends to fall under evidentiary hearsay exceptions, unlike other forms of out of court statements.

But if you are offering social media evidence under a hearsay exception in court, that would likely mean you have an uncooperative or otherwise unavailable party who authored the social media statement in question. In such cases, the authenticity of the post must be established through circumstantial evidence since direct testimony is not available, and you will need the right software to both identify such evidence and properly collect it utilizing best practices to ensure its admissibility in court.

1 Comment

Filed under Authentication, Best Practices, Case Law, Case Study, eDiscovery, Social Media Investigations