Category Archives: eDiscovery

Updated Sedona Principles Disfavor Forensic Imaging and Over-collection for Routine eDiscovery Preservation

Last week The Sedona Conference (“TSC”) published revisions for public comment to its very influential Sedona Principles:  The Sedona Principles, Third Edition: Best Practices, Recommendations & Principles for Addressing Electronic Document Production. Per the TSC, the update wasOLYMPUS DIGITAL CAMERA “necessitated by an even greater explosion in the volume and diversity of forms of electronically stored information, the constant evolution of technology applied to eDiscovery, and by further amendments to the Federal Rules of Civil Procedure” as well as by many years of experience in e-discovery.  Public comments are invited through June 30, 2017.

The third edition of the Sedona Principles are a must-read. They are well written, providing excellent and important guidance to lawyers and eDiscovery practitioners alike. The drafters do not shy away on taking some strong stands on important eDiscovery issues, such as the over-use of forensic disk imaging for eDiscovery preservations. While full disk images may be warranted in some limited situations, the expense and burden associated with the practice can be quite extensive, particularly in matters that involve multiple custodians. The Sedona Commentary correctly notes: “Civil litigation should not be approached as if information systems were crime scenes that justify forensic investigation at every opportunity to identify and preserve every detail.”

Section 8c of the newly revised Commentary is dedicated to forensic imaging, stating that: “Forensic data collection requires intrusive access to desktop, server, laptop, or other hard drives or media storage devices.”  While noting the practice is acceptable in some limited circumstances, “making a forensic copy of computers is only the first step of an expensive, complex, and difficult process of data analysis . . . it should not be required unless circumstances specifically warrant the additional cost and burden and there is no less burdensome option available.”

The commentators are absolutely correct here. It is established law that the duty to preserve evidence, including ESI, extends only to relevant information.  The vast majority of ESI on a full disk image will typically constitute irrelevant information. As stated by one court, “imaging a hard drive results in the production of massive amounts of irrelevant, and perhaps privileged, information.” Deipenhorst v. City of Battle Creek, 2006 WL 1851243 (W.D.Mich. June 30, 2006) at *3.  In noting that the “imaging of computer hard drives is an expensive process, and adds to the burden of litigation for both parties.”

This disfavoring of forensic imaging in the revised Sedona Principles also stems from the increased emphasis of proportionality under new Federal Rule of Civil Procedure 26(b)(1). In fact, of the 14 enumerated principles in this third edition, 12 of them address preservation in whole or in part. The over-arching theme is that ESI preservation efforts should be reasonable, proportionate, and targeted to only relevant information, as opposed to being overly broad and unduly burdensome.

In regard to forensic collection, courts do require that ESI be collected in a forensically sound manner, which does not mean a full forensic disk image is required, but generally does entail that metadata is not altered and a documented chain of custody is maintained. More advanced enterprise class technology can accomplish remote searches across multitudes of custodians that are narrowly tailored to collect only potentially relevant information while preserving metadata at the same time. This process is better, faster and dramatically less expensive than manual disk imaging.

In fact, The Sedona principles do outline such an alternative to forensic disk imaging: “Automated or computer-assisted collection involves using computerized processes to collect ESI meeting certain criteria, such as search terms, file and message dates, or folder locations. Automated collection can be integrated with an overall electronic data archiving or retention system, or it can be implemented using technology specifically designated to retrieve information on a case-by-case basis.”

This language maps directly to the capabilities of  X1 Distributed Discovery (X1DD), which enables parties to perform targeted search and collection of the ESI of up to thousands of endpoints over the internal network without disrupting operations. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%). This method is sound from an evidentiary standpoint as the collected data is preserved in its native file format with its metadata intact. X1DD features a solid chain of custody and robust logging, tracking and reporting.

And in line with the concepts outlined in the revised Sedona Commentary, X1DD provides a repeatable, verifiable and documented process for the requisite defensibility. For a demonstration or briefing on X1 Distributed Discovery, please contact us.

Leave a comment

Filed under eDiscovery

Key to Improving Predictive Coding Results: Effective ECA

Predictive Coding, when correctly employed, can significantly reduce legal review costs with generally more accurate results than other traditional legal review processes. However, the benefits associated with predictive coding are often undercut by the over-collection and over-inclusion of Electronically Stored Information (ESI) into the predictive coding process. This is problematic for two reasons.

The first reason is obvious, the more data introduced into the process, the higher the cost and burden. Some practitioners believe it is necessary to over-collect and subsequently over-include ESI to allow the predictive coding process to sort everything out. Many service providers charge by volume, so there can be economic incentives that conflict with what is best for the end-client. In some cases, the significant cost savings realized through predictive coding are erased by eDiscovery costs associated with overly aggressive ESI inclusion on the front end.

The second reason why ESI over-inclusion is detrimental is less obvious, and in fact counter intuitive to many. Some discovery practitioners believe as much data as possible needs to be put through the predictive coding process in order to “better train” the machine learning algorithms. However this is contrary to what is actually true. The predictive coding process is much more effective when the initial set of data has a higher richness (also referred to as “prevalence”) ratio. In other words, the higher the rate of responsive data in the initial data set, the better. It has always been understood that document culling is very important to successful, economical document review, and that includes predictive coding.

Robert Keeling, a senior partner at Sidley Austin and the co-chair of the firm’s eDiscovery Task Force, is a widely recognized legal expert in the areas of predictive coding and technology assisted review.  At Legal Tech New York earlier this year, he presented at an Emerging Technology Session: “Predictive Coding: Deconstructing the Secret Sauce,” where he and his colleagues reported on a comprehensive study of various technical parameters that affect the outcome of a predictive coding effort.  According to Robert, the study revealed many important findings, one of them being that a data set with a relatively high richness ratio prior to being ingested into the predictive coding process was an important success factor.

To be sure, the volume of ESI is growing exponentially and will only continue to do so. The costs associated with collecting, processing, reviewing, and producing documents in litigation are the source of considerable pain for litigants. The only way to reduce that pain to its minimum is to use all tools available in all appropriate circumstances within the bounds of reasonableness and proportionality to control the volumes of data that enter the discovery pipeline, including predictive coding.

Ideally, an effective early case assessment (ECA) capability can enable counsel to set reasonable discovery limits and ultimately process, host, review and produce less ESI.  Counsel can further use ECA to gather key information, develop a litigation budget, and better manage litigation deadlines. ECA also can foster cooperation and proportionality in discovery by informing the parties early in the process about where relevant ESI is located and what ESI is significant to the case. And with such benefits also comes a much more improved predictive coding process.

X1 Distributed Discovery (X1DD) uniquely fulfills this requirement with its ability to perform pre-collection early case assessment, instead of ECA after the costly, time consuming and disruptive collection phase, thereby providing a game-changing new approach to the traditional eDiscovery model.  X1DD enables enterprises to quickly and easily search across thousands of distributed endpoints from a central location.  This allows organizations to easily perform unified complex searches across content, metadata, or both and obtain full results in minutes, enabling true pre-collection ECA with live keyword analysis and distributed processing and collection in parallel at the custodian level. To be sure, this dramatically shortens the identification/collection process by weeks if not months, curtails processing and review costs from not over-collecting data, and provides confidence to the legal team with a highly transparent, consistent and systemized process. And now we know of another key benefit of an effective ECA process: much more accurate predictive coding.

Leave a comment

Filed under ECA, eDiscovery

ILTA eDiscovery Survey Reflects Increased Social Media Discovery

The International Legal Technology Association recently published a very informative and comprehensive law firm eDiscovery practice survey “2016 Litigation and Practice Support Technology Survey.” ILTA received responses from 204 different law firms — small, medium and large — on a variety of subjects, including eDiscovery practice trends and software tool usage.  The survey reveals three key takeaways regarding social media and website discovery.

The first clear takeaway is that social media discovery is clearly increasing among law firms and in the field in general. 77 percent of responding law firms reported conducting social media discovery in 2016, a 12 percent increase over 2015. Additionally, the responding firms reported a higher average volume of cases involving social media evidence, with a 23 percent increase in firms handling at least 4 matters per year involving social media evidence. (See Survey at pg. 23)

In terms of identified software solution usage, the survey establishes that X1 Social Discovery is the clear leader in the web and social media capture category among purpose-built tools used by law firms. 24 percent of all law firms rely on X1 Social Discovery on either an in-sourced or outsourced basis. The survey also reflects that X1 Social is the number one process used by eDiscovery service providers, by far surpassing the next common process of screen capturing. This is consistent with our own internal data, reflecting the industry’s standardization of social media evidence collection by the sheer volume of customers that have adopted X1 Social Discovery. Nearly 200 law firms and 500 eDiscovery services firms have at least one paid license of X1 Social Discovery. So while X1 Social Discovery is very popular with law firms, it is even more widely used by eDiscovery service providers.

ILTA survey2

Utilization of X1 Social also registered in the separate category of webmail collections.

The final takeaway is that the practice of using screen captures with general IT tools like Adobe and Snagit is still commonly employed by practitioners at law firms, but is virtually non-existent amongst service providers, who typically are on the forefront of adapting best practices. Screen capturing is neither effective nor defensible. It is ineffective because the results are very narrow and incomplete, and the process is very labor intensive resulting in much higher costs to the client than using best practices. (See Stallings v. City of Johnston, 2014 WL 2061669 (S.D. Ill. May 19, 2014), law firm spent full week screen capturing contents of Facebook account — which amounted to over 500 printed pages — manually rearranging them, and then redacting at a cost of tens of thousands of dollars).

In addition, simple screen captures are not defensible, with several courts disallowing or otherwise calling into question social media evidence presented in the form of a screen shot image. This scrutiny will only increase with Federal Rule of Evidence 902(14) coming into effect later this year. I have previously addressed Rule 902(14) at length on this blog, but in a nutshell, screen captures are not Rule 902(14) compliant, while best practices technology like X1 Social Discovery have the critical ability to collect all available metadata and generate a MD5 checksum, or “hash value,” of the preserved data for verification of the integrity of the evidence. The generation of hash values is a key component for meeting the requirements of FRE 902(14).

The ILTA Litigation Practice survey results can be accessed here. For more information about how to conduct effective social medial investigations, please contact us, or request a free demo version of X1 Social Discovery.

Leave a comment

Filed under eDiscovery, Social Media Investigations

Judge Facciola Addresses Impact of New Federal Rule of Evidence 902(14)

john_m-_facciola

As part of our continuing coverage and analysis of Federal Rule of Evidence 902(14), we are highlighting a  very notable Law Review article now available online, penned by Hon. Judge John Facciola as lead author, in the Georgetown Law Technology Review: Law of the Foal: Careful Steps Towards Digital Competence in Proposed Rules 902(13) and 902(14). U.S Magistrate Judge Facciola (Ret), who is now a Georgetown law professor, is well known for his many important and insightful court opinions involving eDiscovery issues when he was on the bench. So his analysis on Rules 902(13) (14), which exclusively address electronic evidence, will be influential.

To review, FRE 902(14) is a very important new rule, which provides that electronic data recovered “by a process of digital identification” is to be self-authenticating, thereby not routinely necessitating the trial testimony of a forensic or technical expert where best practices are employed, as certified through a written affidavit by a “qualified person.” This rule will have a significant impact on computer forensics and eDiscovery collection practices when it goes into effect later this year. A detailed discussion of Rule 902(14) can be found here.

A key takeaway from the Georgetown Law Technology article is that Facciola believes 902(14) will have a very positive impact by mainstreaming and standardizing electronic evidence collection practices and the supporting technology among the courts and attorneys. Facciola notes: “The proposed Rules will likely reduce litigation costs spent authenticating information, and help foster judicial efficiency and familiarity with technology. Authentication using hash values will allow courts and lawyers to focus on more pressing issues, and will provide courts with the assurance that presented digital evidence is, in fact, what it purports to be.”

Further to this point, Facciola notes that the written certifications provided by eDiscovery and computer forensics practitioners under Rule 902(14) “could illuminate for the court the underlying forensic science that will explain why the evidence being offered can be trusted and relied upon. This is, of course, a welcome alternative to lawyers and courts looking everywhere except the technological basis to determine the authenticity of an email or a Facebook entry.”

The article contains a detailed discussion of hashing as a process of digital identification, which Judge Facciola identifies as a very important process to fulfill the requirements of the Rule: “Hashing provides exactly the proof that Rule 902 requires: that the document is what the attorney states that it is.”

In one regard, Judge Facciola believes the goal of the new Rule is modest, but the Judge is addressing the overall admission of the electronic evidence at hand, including other potential evidentiary objections related to its content, such as hearsay, relevance, and other matters that are generally beyond the scope of a forensic collection and examination. From the perspective of eDiscovery and computer forensics collection practices however, the article confirms that the impact will be very significant and widespread across the practice.

Most of all, Judge Facciola  predicts a meaningful intangible impact from the rule as judges and lawyers will surely become much more familiar with computer forensic technology, which will lead to more widespread adaption and more rapid development in the law in this area:

“[T]he technology properly understood can lead to further advances in creating new rules that will deal with the other issues of authenticity that are based on a forensic evaluation of how computers operate, and create vitally useful information. Forensic technology may answer quickly whether a particular computer produced this electronically stored information because data created by the system itself can answer that question indubitably in particular case.”

We definitely agree, and in terms of supporting technology to enable compliance with Rule 902(14) and any future related legal developments, X1 Distributed Discovery for enterprise collections and X1 Social Discovery for social media and website collections are geared toward providing such quick and unequivocal answers to questions of ESI authenticity.

Leave a comment

Filed under eDiscovery

New Federal Rule of Evidence to Directly Impact Computer Forensics and eDiscovery Preservation Best Practices

At X1, an essential component of our mission is to develop and support exceptional technology for collecting electronic evidence to meet eDiscovery, investigative and compliance requirements. It is also our goal to keep you abreast of important developments in the industry that could ultimately impact collection strategies in the future and, consequently, your business.  To that end, I recently learned about a crucial new legal development scheduled to take place on December 1, 2017, which we believe will have a very significant impact on the practices of our customers and partners.

In a nutshell, the new development is a significant planned amendment to Federal Rule of Evidence 902 that will go into effect one year from now. This amendment, in the form of new subsection (14), is anticipated by the legal community to significantly impact eDiscovery and computer forensics software and its use by establishing that electronic data recovered “by a process of digfederalrulesofevidence-188x300_flat2ital identification” is to be self-authenticating, thereby not routinely necessitating the trial testimony of a forensic or technical expert where best practices are employed, as certified through a written affidavit by a “qualified person.” Notably, the accompanying official Advisory Committee notes specifically reference the importance of both generating “hash values” and verifying them post-collection as a means to meet this standard for self-authentication. This digital identification and verification process can only be achieved with purpose-built computer forensics or eDiscovery collection and preservation tools.

Rule 902, in its current form, enumerates a variety of documents that are presumed to be self-authenticating without other evidence of authenticity. These include public records and other government documents, notarized documents, newspapers and periodicals, and records kept in the ordinary course of business. New subpart (14) will now include electronic data collected via a process of digital identification as a key addition to this important rule.

Amended Rule 902, in pertinent part, reads as follows:

Rule 902. Evidence That Is Self-Authenticating
The following items of evidence are self-authenticating; they require no extrinsic evidence of authenticity in order to be admitted:
* * *
(14) Certified Data Copied from an Electronic Device, Storage Medium, or File.
Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12).

The reference to the “certification requirements of Rule 902(11) or (12)” is a process by which a proponent seeking to introduce electronic data into evidence must present a certification in the form of a written affidavit that would be sufficient to establish authenticity were that information provided by a witness at trial. This affidavit must be provided by a “qualified person,” which generally would be a computer forensics, eDiscovery or information technology practitioner, who collected the evidence and can attest to the requisite process of digital identification utilized.

In applying Rule 902(14), the courts will heavily rely on the accompanying Judicial Conference Advisory Committee notes, which provide guidance and insight concerning the intent of the laws and how they should be applied. The Advisory Committee notes are published alongside the statute and are essentially considered an extension of the rule. The second paragraph of committee note to Rule 902(14) states, in its entirety, as follows:

“Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by ‘hash value.’ A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file. If the hash values for the original and copy are different, then the copy is not identical to the original. If the hash values for the original and copy are the same, it is highly improbable that the original and copy are not identical. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates. This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.”

The Advisory Committee notes further state that Rule 902(14) is designed to streamline the admission of electronic evidence where its foundation is not at issue, while providing a notice procedure where “the parties can determine in advance of trial whether a real challenge to authenticity will be made, and can then plan accordingly.” While this rule provides that properly certified electronic data is now afforded a strong presumption of authenticity, the opponent may still lodge an objection, but the opponent now has the burden to overcome that presumption.  Additionally, the opponent remains free to object to admissibility on other grounds, such as relevance or hearsay.

Significant Impact Expected

While Rule 902(14) applies to the Federal Courts, the Rules of Evidence for most states either mirror or closely resemble the Federal Rules of Evidence, and it is thus expected that most if not all 50 states will soon adapt this amendment.

Rule 902(14) will most certainly and significantly impact computer forensics and eDiscovery practitioners by reinforcing best practices. The written certification required by Rule 902(14) must be provided by a “qualified person” who utilized best practices for the collection, preservation and verification of the digital evidence sought to be admitted. At the same time, this rule will in effect call into question electronic evidence collection methods that do not enable a defensible “digital identification” and verification process. In fact, the Advisory Committee notes specifically reference the importance of computer forensics experts, noting that a “challenge to the authenticity of electronic evidence may require technical information about the system or process at issue, including possibly retaining a forensic technical expert.”

In the eDiscovery context, I have previously highlighted the perils of both custodian self-collection for enterprise ESI collection and “print screen” methods for social media and website preservation. Rule 902(14) should provide the final nail in the coffin for those practices. For instance, if key social media evidence is collected through manual print screen, which is not a “process of digital identification” under Rule 902(14), then not only will the proponent of that evidence fail to take advantage of the efficiencies and cost-savings provided by the rule, they will also invite heightened scrutiny for not preserving the evidence utilizing best practices. The same is true for custodian self-collection in the enterprise. Many emails and other electronic documents preserved and disclosed by the producing party are often favorable to their case.  Without best practices utilized for enterprise data collection, such as with X1 Distributed Discovery, that information may not be deemed self-authenticating under this new rule.

In the law enforcement field, untrained patrol officers or field investigators are too often collecting electronic evidence in a manual and haphazard fashion, without utilizing the right tools that qualify as a “process of digital identification.” So for an example, if an untrained investigator collects a web page via the computer’s print screen process, that printout will not be deemed to be self-authenticating under Rule 902(14), and will face significant evidentiary hurdles compared to a properly collected web page via a solution such as X1 Social Discovery.

Also being added to Federal Rule of Evidence 902 is subpart (13), which provides that “a record generated by an electronic process or system that produces an accurate result” is similarly self-authenticating. This subpart will also have a beneficial impact on the computer forensics and eDiscovery field, but to a lesser degree than subpart (14). I will be addressing Rule 902(13) in a future post. The public comment period on amendments (13) and (14) is now closed and the Judicial Conference of the United States has issued its final approval. The amendments are currently under review by the US Supreme Court. If the Supreme Court approves these amendments as expected, they will become effective on December 1, 2017 absent Congressional intervention.

To learn more about this Rule 902(14) and other related topics, we’d like to invite you to watch this 45 minute webinar discussion led by David Cohen, Partner and Chair of Records & eDiscovery Group at Reed Smith LLP. The 45 minute webinar includes a Q&A following the discussion. We look forward to your participation.

Watch now > 

Leave a comment

Filed under Authentication, Best Practices, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, Information Governance, Social Media Investigations