New Federal Rule of Evidence to Directly Impact Computer Forensics and eDiscovery Preservation Best Practices

At X1, an essential component of our mission is to develop and support exceptional technology for collecting electronic evidence to meet eDiscovery, investigative and compliance requirements. It is also our goal to keep you abreast of important developments in the industry that could ultimately impact collection strategies in the future and, consequently, your business.  To that end, I recently learned about a crucial new legal development scheduled to take place on December 1, 2017, which we believe will have a very significant impact on the practices of our customers and partners.

In a nutshell, the new development is a significant planned amendment to Federal Rule of Evidence 902 that will go into effect one year from now. This amendment, in the form of new subsection (14), is anticipated by the legal community to significantly impact eDiscovery and computer forensics software and its use by establishing that electronic data recovered “by a process of digfederalrulesofevidence-188x300_flat2ital identification” is to be self-authenticating, thereby not routinely necessitating the trial testimony of a forensic or technical expert where best practices are employed, as certified through a written affidavit by a “qualified person.” Notably, the accompanying official Advisory Committee notes specifically reference the importance of both generating “hash values” and verifying them post-collection as a means to meet this standard for self-authentication. This digital identification and verification process can only be achieved with purpose-built computer forensics or eDiscovery collection and preservation tools.

Rule 902, in its current form, enumerates a variety of documents that are presumed to be self-authenticating without other evidence of authenticity. These include public records and other government documents, notarized documents, newspapers and periodicals, and records kept in the ordinary course of business. New subpart (14) will now include electronic data collected via a process of digital identification as a key addition to this important rule.

Amended Rule 902, in pertinent part, reads as follows:

Rule 902. Evidence That Is Self-Authenticating
The following items of evidence are self-authenticating; they require no extrinsic evidence of authenticity in order to be admitted:
* * *
(14) Certified Data Copied from an Electronic Device, Storage Medium, or File.
Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12).

The reference to the “certification requirements of Rule 902(11) or (12)” is a process by which a proponent seeking to introduce electronic data into evidence must present a certification in the form of a written affidavit that would be sufficient to establish authenticity were that information provided by a witness at trial. This affidavit must be provided by a “qualified person,” which generally would be a computer forensics, eDiscovery or information technology practitioner, who collected the evidence and can attest to the requisite process of digital identification utilized.

In applying Rule 902(14), the courts will heavily rely on the accompanying Judicial Conference Advisory Committee notes, which provide guidance and insight concerning the intent of the laws and how they should be applied. The Advisory Committee notes are published alongside the statute and are essentially considered an extension of the rule. The second paragraph of committee note to Rule 902(14) states, in its entirety, as follows:

“Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by ‘hash value.’ A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file. If the hash values for the original and copy are different, then the copy is not identical to the original. If the hash values for the original and copy are the same, it is highly improbable that the original and copy are not identical. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates. This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.”

The Advisory Committee notes further state that Rule 902(14) is designed to streamline the admission of electronic evidence where its foundation is not at issue, while providing a notice procedure where “the parties can determine in advance of trial whether a real challenge to authenticity will be made, and can then plan accordingly.” While this rule provides that properly certified electronic data is now afforded a strong presumption of authenticity, the opponent may still lodge an objection, but the opponent now has the burden to overcome that presumption.  Additionally, the opponent remains free to object to admissibility on other grounds, such as relevance or hearsay.

Significant Impact Expected

While Rule 902(14) applies to the Federal Courts, the Rules of Evidence for most states either mirror or closely resemble the Federal Rules of Evidence, and it is thus expected that most if not all 50 states will soon adapt this amendment.

Rule 902(14) will most certainly and significantly impact computer forensics and eDiscovery practitioners by reinforcing best practices. The written certification required by Rule 902(14) must be provided by a “qualified person” who utilized best practices for the collection, preservation and verification of the digital evidence sought to be admitted. At the same time, this rule will in effect call into question electronic evidence collection methods that do not enable a defensible “digital identification” and verification process. In fact, the Advisory Committee notes specifically reference the importance of computer forensics experts, noting that a “challenge to the authenticity of electronic evidence may require technical information about the system or process at issue, including possibly retaining a forensic technical expert.”

In the eDiscovery context, I have previously highlighted the perils of both custodian self-collection for enterprise ESI collection and “print screen” methods for social media and website preservation. Rule 902(14) should provide the final nail in the coffin for those practices. For instance, if key social media evidence is collected through manual print screen, which is not a “process of digital identification” under Rule 902(14), then not only will the proponent of that evidence fail to take advantage of the efficiencies and cost-savings provided by the rule, they will also invite heightened scrutiny for not preserving the evidence utilizing best practices. The same is true for custodian self-collection in the enterprise. Many emails and other electronic documents preserved and disclosed by the producing party are often favorable to their case.  Without best practices utilized for enterprise data collection, such as with X1 Distributed Discovery, that information may not be deemed self-authenticating under this new rule.

In the law enforcement field, untrained patrol officers or field investigators are too often collecting electronic evidence in a manual and haphazard fashion, without utilizing the right tools that qualify as a “process of digital identification.” So for an example, if an untrained investigator collects a web page via the computer’s print screen process, that printout will not be deemed to be self-authenticating under Rule 902(14), and will face significant evidentiary hurdles compared to a properly collected web page via a solution such as X1 Social Discovery.

Also being added to Federal Rule of Evidence 902 is subpart (13), which provides that “a record generated by an electronic process or system that produces an accurate result” is similarly self-authenticating. This subpart will also have a beneficial impact on the computer forensics and eDiscovery field, but to a lesser degree than subpart (14). I will be addressing Rule 902(13) in a future post. The public comment period on amendments (13) and (14) is now closed and the Judicial Conference of the United States has issued its final approval. The amendments are currently under review by the US Supreme Court. If the Supreme Court approves these amendments as expected, they will become effective on December 1, 2017 absent Congressional intervention.

To learn more about this Rule 902(14) and other related topics, we’d like to invite you to watch this 45 minute webinar discussion led by David Cohen, Partner and Chair of Records & eDiscovery Group at Reed Smith LLP. The 45 minute webinar includes a Q&A following the discussion. We look forward to your participation.

Watch now > 

Leave a comment

Filed under Authentication, Best Practices, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, Information Governance, Social Media Investigations

Effective Information Governance Requires Effective Enterprise Technology

Information governance is the compilation of policies, processes, and controls enforced and executed with effective technology to manage electronically stored information throughout the enterprise. Leading IT industry research firm Gartner states that “the goal of information governance is to ensure compliance with laws and regulations, mitigate risks and protect the confidentiality of sensitive company and customer data.” A strong, proactive information governance strategy that strikes the balance between under-retention and over-retention of information can provide dramatic cost savings while significantly reducing risk.

However, while policies, procedures and documentation are important, information governance programs are ultimately hollow without consistent, operational execution and enforcement. CIOs and legal and compliance executives often aspire to implement information governance programs like defensible deletion, data migration, and data audits to detect risks and remediate non-compliance. However, without an actual and scalable technology platform to effectuate these goals, those aspirations remain just that. For instance, recent IDG research suggests that approximately 70% of information stored by companies is “dark data” that is in the form of unstructured, distributed data that can pose significant legal and operational risk and cost.

To date, organizations have employed limited technical approaches to try and execute on their information governance initiatives, enduring many struggles. For instance, software agent-based crawling methods are commonly attempted and can cause repeated high user computer resources utilization for each search initiated and network bandwidth limitations being pushed to the limits rendering the approach ineffective. So being able to search and audit across at least several hundred distributed end points in a repeatable and quick fashion is effectively impossible under this approach.

Another tactic attempted by some CIOs to attempt to address this daunting challenge is to periodically migrate disparate data from around the global enterprise into a central location. The execution of this strategy will still leave the end user’s computer needing to be scanned as there is never a moment when all users in the enterprise have just finished this process with no new data created. That means now that both the central repository and the end-points will need to be searched and increasing the complexity and management of the job. Boiling the ocean through data migration and centralization is extremely expensive, highly disruptive, and frankly unworkable as it never removes the need to conduct constant local computer searching, again through problematic crawling methods.

What has always been needed is gaining immediate visibility into unstructured distributed data across the enterprise, through the ability to search and report across several thousand endpoints and other unstructured data sources, and return results within minutes instead of days or weeks. None of the other approaches outlined above come close to meeting this requirement and in fact actually perpetuate information governance failures.

X1 Distributed Discovery (X1DD) represents a unique approach, by enabling enterprises to quickly and easily search across multiple distributed endpoints and data servers from a central location.  Legal and compliance teams can easily perform unified complex searches across both unstructured content and metadata, obtaining statistical insight into the data in minutes, instead of days or weeks. With X1DD, organizations can also automatically migrate, collect, or take other action on the data as a result of the search parameters.  Built on our award-winning and patented X1 Search technology, X1DD is the first product to offer true and massively scalable distributed searching that is executed in its entirety on the end-node computers for data audits across an organization. This game-changing capability vastly reduces costs while greatly mitigating risk and disruption to operations.

X1DD operates on-demand where your data currently resides — on desktops, laptops, servers, or even the Cloud — without disruption to business operations and without requiring extensive or complex hardware configurations. Beyond enterprise eDiscovery and information governance functionality, organizations offer employees at the same time, the award-winning X1 Search, improving productivity while effectuating that all too illusive actual compliance with information governance programs.

1 Comment

Filed under Best Practices, eDiscovery & Compliance, Information Governance, Information Management, Records Management, SharePoint, X1 Search 8

Federal Rules Advisory Committee Provides Key Guidance on Authenticating Social Media Evidence

Recently, the Advisory Committee on the Federal Rules of Evidence published an important treatise, “Best Practices for Authenticating Digital Evidence.” The Advisory Committee is an arm of the Judicial Conference of the United States, which drafts all proposed Federal Rules of Civil Procedure and Evidence, which the US Supreme Court and Congress ultimately ratify. Their advisory committee publications are given great weight by the courts in applying the Federal Rules of Evidence.  In fact, in the official minutes from its April 29, 2016 meeting, the Committee noted it considered whether to draft new specific Federal Rules of Evidence to govern authentication of electronic evidence, opting instead to draft the official best practices guide to serve as an accompaniment to the Federal Rules:

“The Committee concluded that amendments regulating authenticity of electronic evidence would end up being too detailed for the text of a rule; they could not account for how a court can and should balance all the factors relevant to authenticating electronic evidence in every case; and there was a risk that any factors listed would become outmoded by technological advances.

The Committee unanimously concluded, however, that publication of a best practices manual on authenticating electronic evidence would be of great use to the bench and bar. A best practices manual can be amended as necessary, avoiding the problem of having to amend rules to keep up with technological changes. It can include copious citations, which a rule or Committee Note could not.”

Federal District Court Judge Paul Grimm is the lead author on the best practices guide. Judge Grimm is widely seen as the one of the most influential judges concerning electronic discovery issues. He is known for several ground breaking decisions in the field including Lorraine v. Markel (2007), and Victor Stanley, Inc. v. Creative Pipe Inc. (2008), and The American Lawyer profiled him as one of the top 5 judges at the forefront of eDiscovery.

The best practices guide includes a very notable section dedicated to Internet website and social media evidentiary authentication, noting that “Parties have increasingly sought to use social media evidence to their advantage at trial.  A common example would be a picture or entry posted on a person’s Facebook page, that could be relevant to contradict that person’s testimony at trial.” However, “authenticity standards are not automatically satisfied by the fact that the post or the page is in that person’s name, or that the person is pictured on the post.” The guide notes that where affirmative direct testimony of the actual author is not available (which is often in the case of “smoking gun” type evidence), then circumstantial evidence is required for authentication.

As noted in the guide, absent uncontroverted and cooperative witness testimony, lawyers must turn to circumstantial evidence to help establish an evidentiary foundation for social media evidence. The guide provides many examples of circumstantial evidence that can be used to authenticate social media evidence. For instance metadata is particularly important as a “distinctive characteristic” under Rule 901(b)(4), as social media items contain a wealth of key metadata that represent or can establish “internal patterns or other distinctive characteristics” of the social media items in question.

In such situations, the testimony of the examiner who preserved the social media or other Internet evidence “in combination with circumstantial indicia of authenticity (such as the dates and web addresses), would support a finding” that the evidence presented is what the proponent asserts. See, Perfect 10, Inc. v. Cybernet Ventures, Inc. (C.D.Cal.2002) 213 F.Supp.2d 1146, 1154. (See also, Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, 546 (D.Md. May 4, 2007) (citing Perfect 10, and also referencing MD5 hash values as an additional element of potential “circumstantial indicia” for authentication of electronic evidence).

One of the many benefits of X1 Social Discovery is its ability to preserve and display all the available “circumstantial indicia” or “additional confirming circumstances,” in order to present the best case possible for authenticating social media evidence collected with the software. This includes collecting all available metadata and generating a MD5 checksum or “hash value” of the preserved data for verification of the integrity of the evidence. It is important to collect and preserve social media posts and general web pages in a thorough manner with best-practices technology specifically designed for litigation purposes.  There are over twenty unique metadata fields associated with individual Facebook posts and messages. Any one of those entries, or any combination of them could provide unique circumstantial evidence that would establish foundational proof of authorship.

The bottom line is that, as reinforced by the Federal Rules Advisory Committee, collection and preservation of all the metadata and other critically important circumstantial evidence, which can be effectively obtained with tools like X1 Social Discovery, is absolutely essential to an effective social media discovery practice.

 

 

1 Comment

Filed under Case Law, Uncategorized

New Sedona Commentary Provides Guidelines for Defensible eDiscovery Collection and Early Data Assessment

The Sedona Working Group on Electronic Document Retention & Production (WG1), recently published for public comment a Commentary on Defense of Process: Principles and Guidelines for Developing and Implementing a Sound E-Discovery Process (“The Commentary”). According to the authors, “the Commentary seeks to address what should be done to prepare for—or better yet, avoid—challenges to process, and how courts should address those disputes that arise.” Public comments are invited through November 15, 2016.

The Commentary provides excellent insight and guidance on many aspects of eDiscovery, with an extensive discussion on defensible ESI collection and culling that is particularly instructive for larger enterprises. This is important, as ESI is growing exponentially and even with the advent of predictive coding, the costs associated with ESI over-collection are often astronomical. The only way to reduce that pain to its minimum is to employ a smart but defensible process to control the volumes of data that enter the discovery pipeline. So the holy grail for large enterprises is a truly scalable capability that targets only potentially relevant ESI for collection. The Commentary provides general guidance on the reasonableness and defensibility of such a capability.

For instance, Principal 7 of the Commentary provides that “A reasonable e-discovery process may use search terms and other culling methods to remove ESI that is duplicative, cumulative, or not reasonably likely to contain information within the scope of discovery.” Comment 7.c notes in part that “search terms are a defensible technique for limiting the number of documents for review and production, provided that care is taken in their development and use.” Additionally, an iterative search process is recommended: “In an iterative process, information in documents returned by the first list of search terms can help attorneys to further refine existing terms or to identify new terms that should be added in subsequent rounds. This process can continue until a reasonable result is achieved.” It is also recommended that the search process be subject to validation and be properly documented.

Also instructive in The Commentary is a hypothetical “illustration” that reflects a smart and effective approach to an enterprise level ESI collection and preservation process:

“Illustration: The responding party has determined that the most efficient way of preserving discoverable emails is to collect the emails that “hit” on a broad set of search terms, rather than to modify the company’s default 30-day retention policy or rely on individual custodians to manually preserve potentially discoverable documents. Since a later determination that the responding party’s search terms were too narrow could come too late to prevent the loss of discoverable information, or cause a significant delay or expense from efforts to restore lost emails from back-up media, it may be prudent for the responding party to notify or seek agreement from the requesting party about the planned preservation approach and the specific search criteria to be applied.”

While the above-cited guidelines are very instructive for a well-designed, cost-effective and defensible process, such a goal is only attainable with the right enterprise technology. With X1 Distributed Discovery (X1DD), parties can perform targeted search and collection of the ESI of hundreds of endpoints over the internal network without disrupting operations. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%), thereby bringing much needed feasibility to enterprise-wide eDiscovery collection that can save organizations millions while improving compliance.

And in line with concepts outlined in The Commentary, X1DD provides a repeatable, verifiable and documented process for the requisite defensibility. For a demonstration or briefing on X1 Distributed Discovery, please contact us.

Leave a comment

Filed under Uncategorized

LTN: Social Media Evidence Even More Important than email and “Every Litigator” Needs to Address It

legaltech-news-thumbBrent Burney, a top eDiscovery tech writer of Legaltech News, recently penned a detailed product review of X1 Social Discovery after his extensive testing of the software. (Social Media: A Different Type of E-Discovery Collection, Legaltech News, September 2016). The verdict on X1 Social Discovery is glowing, but more on that in bit. Burney also provides very remarkable general commentary on how social media and other web-based evidence is essential for every litigation matter, noting that “email does not hold a flicker of a candle to what people post, state, admit and display in social media.” In emphasizing the critical importance of social media and other web-based evidence, Burney notes that addressing this evidentiary treasure trove is essential for all types and sizes of litigation matters.

Consistent to that point, there is a clear dramatic increase in legal and compliance cases involving social media evidence. Top global law firm Gibson Dunn recently reported that “the use of social media continues to proliferate in business and social contexts, and that its importance is increasing in litigation, the number of cases focusing on the discovery of social media continued to skyrocket.” Undoubtedly, this is  why Burney declares that “every litigator should include (X1 Social Discovery) in their technical tool belt,” and that X1 Social Discovery is “necessary for the smallest domestic issue all the way up to the largest civil litigation matter.” Burney bases his opinion on both the critical importance of social media evidence, and his verdict on the effectiveness of X1 Social Discovery, which he lauds as featuring an interface that “is impressive and logical” and providing “the ideal method” to address social media evidence for court purposes.

From a legal commentary standpoint, two relevant implications of the LTN article stand out. First, the article represents important peer review, publication and validation of X1 Social Discovery under the Daubert Standard, which includes those factors, among others, as a framework for judges to determine whether scientific or other technical evidence is admissible in federal court.

Secondly, this article reinforces the view of numerous legal experts and key Bar Association ethics opinions, asserting that a lawyer’s duty of competence requires addressing social media evidence. New Hampshire Bar Association’s oft cited ethics opinion states that lawyers “have a general duty to be aware of social media as a source of potentially useful information in litigation, to be competent to obtain that information directly or through an agent, and to know how to make effective use of that information in litigation.” The New York State Bar similarly weighed in noting that “A lawyer has a duty to understand the benefits and risks and ethical implications associated with social media, including its use as a … means to research and investigate matters.” And the America Bar Association recently published Comment [8] to Model Rule 1.1, which provides that a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

The broader point in Burney’s article is that X1 Social Discovery is enabling technology that provides the requisite feasibility for law firms, consultants, and other practitioners to transition from just talking about social media discovery to establishing it as a standard practice.  With the right software, social media collections for eDiscovery matters and law enforcement investigations can be performed in a very scalable, efficient and highly accurate process. Instead of requiring hours to manually review and collect a public Facebook account, X1 Social Discovery can collect all the data in minutes into an instantly searchable and reviewable format.

So as with any form of digital investigation, feasibility (as well as professional competence) often depends on utilizing the right technology for the job.  As law firms, law enforcement, eDiscovery service providers and private investigators all work social discovery investigations into standard operating procedures, it is critical that best practices technology is incorporated to get the job done. This important LTN review is an emphatic punctuation of this necessity.

 

Leave a comment

Filed under Social Media Investigations