Category Archives: Best Practices

Court Compels Forensic Imaging of Custodian Computer, Imposes Sanctions Due to Non-Defensible eDiscovery Preservation Process

By John Patzakis

HealthPlan Servs., Inc. v. Dixit, et al., 2019 WL 6910139 (M.D. Fla. Dec. 19, 2019), is an important eDiscovery case addressing what is required and expected from organizations to comply with electronic evidence discovery collection requirements. In this copyright infringement and breach of contract case, a Federal Magistrate Judge granted the plaintiff’s motion to compel immediate inspection of a defendant employee Feron Kutsomarkos’s laptop after the defendants failed to properly preserve and collect evidence from her. The Court granted plaintiff’s motion to compel the forensic examination, which set forth specific improprieties in their opponent’s ESI preservation process. The Court also granted the plaintiff’s motion for fees, sanctions, and a punitive jury instruction.

 

There are several key takeaways from this case. Here are the top 5:

  1. Custodian Self-Collection Is Not Defensible

Ms. Kutsomarkos conducted her own search of the emails rather than having an expert or trained IT or legal staff overseen by her attorney perform the search. The court found this process to not be defensible as the production “should have come from a professional search of the laptop” instead. This is yet another case disapproving of this faulty practice. For instance, another company found themselves on the wrong end of a $3 million sanctions penalty for spoliation of evidence because they improperly relied on custodians to search and collect Federal Court their own data. See GN Netcom, Inc. v. Plantronics, Inc., No. 12-1318-LPS, 2016 U.S. Dist. LEXIS 93299 (D. Del. July 12, 2016). Even with effective monitoring, severe defensibility concerns plague custodian self-collection, with several courts disapproving of the practice due to poor compliance and inconsistency of results. See Green v. Blitz, 2011 WL 806011, (E.D. Tex. Mar. 1, 2011), Nat’l Day Laborer Org. v. U.S. Immigration and Customs Enforcement Agency, 2012 WL 2878130 (S.D.N.Y. July 13, 2012).

  1. Producing Party Expected to Produce Their Own Data in a Defensible Manner

When responding to a litigation discovery request, the producing party is afforded the opportunity to produce their own data. However, the process must be defensible with a requisite degree of transparency and validation. When an organization does not have a systematic and repeatable process in place, the risks and costs associated with eDiscovery increase exponentially.  Good attorneys and the eDiscovery professionals who work with them will not only ensure their client complies with their own eDiscovery requirements, but will also scrutinize the opponent’s process and gain a critical advantage when the opponent fails to meet their obligations.

And that is what happened here. The corporate defendants had no real process other than telling key custodians to search and collect their own data. The eDiscovery-savvy plaintiff counsel filed motions poking large holes in the defendant’s process and won a likely case-deciding ruling. The stakes are high in such litigation matters and it is incumbent upon counsel to have a high degree of eDiscovery competence for both defensive and offensive purposes.

  1. Forensic Imaging is The Exception, Not the Rule

The court compelled the forensic imaging of a defendant’s laptop, but only as a punitive measure after determining bad faith non-compliance. Section 8c of The Sedona Principles, Third Edition: Best Practices, Recommendations & Principles for Addressing Electronic Document Production, provides that: “Forensic data collection requires intrusive access to desktop, server, laptop, or other hard drives or media storage devices.”  While noting the practice is acceptable in some limited circumstances, “making a forensic copy of computers is only the first step of an expensive, complex, and difficult process of data analysis . . . it should not be required unless circumstances specifically warrant the additional cost and burden and there is no less burdensome option available.”  The duty to preserve evidence, including ESI, extends only to relevant information. Parties that comply with discovery requirements will avoid burdensome and risk-laden forensic imaging.

  1. Metadata Must be Preserved

Metadata is required to be produced intact when designated by the requesting party, which is now commonplace. (See, Federal Rule of Civil Procedure 34(b)(1)(C)). Metadata is often relevant evidence itself and is also needed for accurate eDiscovery culling, processing and analysis. In her production, counsel for defendant Kutsomarkos provided pdf versions of documents from her laptop. However, the court found that “the pdf files scrubbed the metadata from the documents and that metadata should be available on the hard drives.” There are defensible and very cost effective ways to collect and preserve metadata. They were not used by the defendants, to their great detriment.

  1. A Defensible But Streamlined Process Is Optimal

HealthPlan Services, is yet another court decision underscoring the importance of a well-designed, cost-effective and defensible eDiscovery collection process. Such a capability is only attainable with the right enterprise technology. With X1 Distributed Discovery (X1DD), parties can perform targeted search and collection of the ESI of hundreds of endpoints over the internal network without disrupting operations. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%), thereby bringing much needed feasibility to enterprise-wide eDiscovery collection that can save organizations millions while improving compliance by maintaining metadata, generating audit logs and establishing chain of custody.

And in line with concepts outlined in HealthPlan Services, X1DD provides a repeatable, verifiable and documented process for the requisite defensibility. For a demonstration or briefing on X1 Distributed Discovery, please contact us.

Leave a comment

Filed under Best Practices, Case Law, eDiscovery, Enterprise eDiscovery, ESI, Uncategorized

USDOJ Expects Companies to Proactively Employ Data Analytics to Detect Fraud

By John Patzakis and Craig Carpenter

In corporate fraud enforcement actions, The US Department of Justice considers the effectiveness of a company’s compliance program as a key factor when deciding whether to bring charges and the severity of any resulting penalties. Recently, prosecutors increased their emphasis on this policy with new evaluation guidelines about what prosecutors expect from companies under investigation.DOJ

The USDOJ manual features a dedicated section on assessing the effectiveness of corporate compliance programs in corporate fraud prosecutions, including FCPA matters. This section is a must read for any corporate compliance professional, as it provides detailed guidance on what the USDOJ looks for in assessing whether a corporation is committed to good-faith self-policing or is merely making hollow pronouncements and going through the motions.

The USDOJ manual advises prosecutors to determine if the corporate compliance program “is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives,” and that “[p]rosecutors should therefore attempt to determine whether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed, and revised, as appropriate, in an effective manner.”

Recently, Deputy Assistant Attorney General Matthew Miner provided important additional guidance through official public comments establishing that the USDOJ will be assessing whether compliance officers proactively employ data analytics technology in their reviews of companies that are under investigation.

Miner noted that the Justice Department has had success in spotting corporate fraud by relying on data analytics, and said that prosecutors expect compliance officers to do the same: “This use of data analytics has allowed for greater efficiency in identifying investigation targets, which expedites case development, saves resources, makes the overall program of enforcement more targeted and effective.” Miner further noted that he “believes the same data can tell companies where to look for potential misconduct.” Ultimately, the federal government wants “companies to invest in robust and effective compliance programs in advance of misconduct, as well as in a prompt remedial response to any misconduct that is discovered.”

Finally, “if misconduct does occur, our prosecutors are going to inquire about what the company has done to analyze or track its own data resources—both at the time of the misconduct, as well as at the time we are considering a potential resolution,” Miner said. In other words, companies must demonstrate a sincere commitment to identifying and investigating internal fraud with proper resources employing cutting edge technologies, instead of going through the motions with empty “check the box” processes.

With these mandates from government regulators for actual and effective monitoring and enforcement through internal investigations, organizations need effective and operational mechanisms for doing so. In particular, any anti-fraud and internal compliance program must have the ability to search and analyze unstructured electronic data, which is where much of the evidence of fraud and other policy violations can be best detected.

But to utilize data analytics platforms in a proactive instead of a much more limited reactive manner, the process needs to be moved “upstream” where unstructured data resides. This capability is best enabled by a process that extracts text from unstructured, distributed data in place, and systematically sends that data at a massive scale to an analytics platform, with the associated metadata and global unique identifiers for each item.  One of the many challenges with traditional workflows is the massive data transfer associated with ongoing data migration of electronic files and emails, the latter of which must be sent in whole containers such as PST files. This process alone can take weeks, choke network bandwidth and is highly disruptive to operations. However, the load associated with text/metadata only is less than 1 percent of the full native item. So the possibilities here are very compelling. This architecture enables very scalable and proactive solutions to compliance, information security, and information governance use cases. The upload to AI engines would take hours instead of weeks, enabling continual machine learning to improve processes and accuracy over time and enable immediate action to be taken on identified threats or otherwise relevant information.

The only solution that we are aware of that fulfills this vision is X1 Enterprise Distributed GRC. X1’s unique distributed architecture upends the traditional collection process by indexing at the distributed endpoints, enabling a direct pipeline of extracted text to the analytics platform. This innovative technology and workflow results in far faster and more precise collections and a more informed strategy in any matter.

Deployed at each end point or centrally in virtualized environments, X1 Enterprise allows practitioners to query many thousands of devices simultaneously, utilize analytics before collecting and process while collecting directly into myriad different review and analytics applications like RelativityOne and Brainspace. X1 Enterprise empowers corporate eDiscovery, compliance, investigative, cybersecurity and privacy staff with the ability to find, analyze, collect and/or delete virtually any piece of unstructured user data wherever it resides instantly and iteratively, all in a legally defensible fashion.

X1 displayed these powerful capabilities with Compliance DS in a recent webinar with a brief but substantive demo of our X1 Distributed GRC solution, emphasizing our innovative support of analytics engines through our game-changing ability to extract text in place with a direct feed into AI solutions.

Here is a link to the recording with a direct link to the 5 minute demo portion.

In addition to saving time and money, these capabilities are important to demonstrate a sincere organizational commitment to compliance versus maintaining a mere “paper program” – which the USDOJ has just said can provide critical mitigation in the event of an investigation or prosecution.

Leave a comment

Filed under Best Practices, compliance, Corporations, Data Audit, eDiscovery & Compliance, Information Governance

Social Media Statements: Key Evidence and Often Exceptions to the Hearsay Rule

By John Patzakis

Here is a quick legal evidence quiz: Identify the three distinct hearsay exceptions in the following Tweet:

Accident 5

 

The first exception would be under Federal Rule of Evidence 803(2):

“Rule 803. Exceptions to the Rule Against Hearsay: . . . (2) Excited Utterance. A statement relating to a startling event or condition, made while the declarant was under the stress of excitement that it caused.”

Pretty clear here. The four OMGs are a good indication. So no one can argue that the phrase “OMG” never has any legal consequence.

The second exception would be under FRE 803(1): “Present Sense Impression. A statement describing or explaining an event or condition, made while or immediately after the declarant perceived it.”

And if the witness some time later did not recall details of the incident (two words: Vegas, hangover), the statement could be introduced as a recorded recollection under 803(5).

Another key hearsay exception are statements offered as evidence of the then state of mind of the declarant. While YouTube is known for cat videos, Twitter and Facebook are in large part a platform for statements like this:

Happy Tweet

 

In other words, to quote FRE 803(3): “Then-Existing Mental, Emotional, or Physical Condition. A statement of the declarant’s then-existing state of mind (such as motive, intent, or plan) or emotional, sensory, or physical condition (such as mental feeling, pain, or bodily health)”

While social media is a great place to find out what Kim Kardashian and Justin Bieber are thinking or feeling on a given day, the state of mind of a party or witness is a common issue in many legal matters. (See Gordon v. T.G.R. Logistics, Inc. (D. Wy. May 10, 2017) (Court orders production of entire Facebook Account history as relevant to mental and emotional state of Plaintiff)).

And finally, arguably the most compelling social media evidence stems from the propensity to self-incriminate oneself on Twitter, otherwise known as a Statement Against Interest under FRE 804(b)(3).  This takes multiple forms, including flat out admissions of liability, or previous statements that contradict or otherwise impugn the integrity of a declarant. For instance:

Trump tweet

 

The bottom line is that social media provides a treasure trove of evidence that also tends to fall under evidentiary hearsay exceptions, unlike other forms of out of court statements.

But if you are offering social media evidence under a hearsay exception in court, that would likely mean you have an uncooperative or otherwise unavailable party who authored the social media statement in question. In such cases, the authenticity of the post must be established through circumstantial evidence since direct testimony is not available, and you will need the right software to both identify such evidence and properly collect it utilizing best practices to ensure its admissibility in court.

Leave a comment

Filed under Authentication, Best Practices, Case Law, Case Study, eDiscovery, Social Media Investigations