Tag Archives: Case Law

May 19, 2026 · 8:33 AM

De-NISTing in eDiscovery: A Costly Provision That Shouldn’t Be in Model Orders in the First Place

By John Patzakis

A model eDiscovery order I recently came across from a federal district court issued by a respected judge included a provision requiring parties to de-NIST their files in the course of eDiscovery production. On its face, this may seem like a reasonable technical requirement to some practitioners. But this provision reflects a fundamental misunderstanding of how proportional, targeted eDiscovery collection should work — and it points to a broader problem in our industry that deserves some attention.

For those unfamiliar with the term, de-NISTing refers to the process of filtering out known, irrelevant system files from a forensic collection using the National Institute of Standards and Technology’s reference database of known file signatures. The NIST database catalogs hundreds of thousands of known operating system files, executables, DLL files, and other system-generated data that have no evidentiary value whatsoever. De-NISTing removes these files from a collection so that reviewers are not burdened with wading through mountains of irrelevant system data. The reason you need to de-NIST in the first place is because you collected a full-disk image — capturing everything on the drive, relevant or not.

And that is precisely the problem with requiring de-NISTing in a model eDiscovery order. As I have written extensively, including in our recent white paper on proportionality in eDiscovery, courts have consistently held that full-disk imaging is not the appropriate default for civil litigation collections. Going all the way back to Deipenhorst v. City of Battle Creek in 2006, courts have warned that imaging a hard drive results in the production of massive amounts of irrelevant — and potentially privileged — information. More recently, in Motorola Solutions v. Hytera Communications Corp., the court emphasized that forensic examination of a party’s computers “is no routine matter” and that courts must use caution to avoid unduly impinging on privacy interests. A model order that presupposes full-disk imaging by requiring de-NISTing is, at minimum, inconsistent with this well-established body of case law.

The 2015 amendments to Federal Rule of Civil Procedure 26(b)(1) established a clear six-pronged proportionality framework for eDiscovery, requiring parties and courts to weigh factors including the importance of the issues at stake, the amount in controversy, the parties’ resources, and whether the burden or expense of proposed discovery outweighs its likely benefits. Courts have taken these amendments seriously and have consistently limited overbroad discovery requests on proportionality grounds. A blanket model order requirement to de-NIST implicitly endorses a collect-everything methodology that runs counter to the proportionality principles embedded in Rule 26(b)(1) and the extensive case law that has developed around it.

So how does a provision like this end up in a model court order? The answer, I believe, lies in the undue influence that certain eDiscovery service providers have had on collection practices and, ultimately, on the drafting of court orders and guidelines. Some service providers have a clear financial incentive to collect as much data as possible, since their fees are calculated on a per-gigabyte basis — meaning the more data collected, processed, and hosted, the higher the bill. This volume-based business model has shaped industry “best practices” in ways that favor over-collection, and that mindset has quietly seeped into the thinking of some federal judges and the model orders they issue. What gets dressed up as technical diligence is, in many cases, simply an artifact of a business model that profits from excess.

If you are conducting a properly scoped, targeted eDiscovery collection that is consistent with the principles of proportionality — as the Federal Rules and overwhelming case law require — there is simply no reason to de-NIST. A targeted collection does not reach system files, executables, DLLs, or other non-user-generated data in the first place. You are collecting potentially relevant ESI from identified custodians, scoped by search terms, date ranges, file types, and data sources. You never touch the data that de-NISTing is designed to filter out, which means the entire de-NISTing step — and its associated cost and processing time — is unnecessary overhead born entirely of an overbroad collection methodology.

This is precisely the approach built into X1 Enterprise, which enables legal and IT teams to conduct targeted, remote collections across large numbers of custodians without ever capturing the system-level data that necessitates de-NISTing. X1 Enterprise collects only the user-generated, potentially relevant ESI within defined parameters, preserving full metadata integrity and maintaining a documented chain of custody — satisfying every requirement for forensic soundness without the bloat, expense, and proportionality concerns of full-disk imaging. In an era where courts are increasingly scrutinizing eDiscovery costs and demanding proportionality, practitioners and judges alike should be asking not how to manage the mess created by over-collection, but how to avoid creating that mess in the first place.

Leave a comment

Filed under Best Practices, Case Law, Cloud Data, Cybersecurity, Data Audit, Data Governance, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, GDPR, Information Governance, Information Management

Tagged as , , , , , ,

October 17, 2024 · 1:59 PM

Dale vs. Deutsche Telekom AG Illustrates the Importance of Effective ECA to Attain Proportionality

By John Patzakis

In Dale v. Deutsche Telekom AG, No. 22 C 3189 (N.D. Ill. Oct. 4, 2024), a class-action antitrust litigation stemming from the 2020 merger between T-Mobile and Sprint, the Court denied the plaintiffs’ motion to expand a proposed custodian list from fifty custodians to sixty, including three in-house attorneys. The court stated that adding the additional custodians would be “out of proportion to the needs of the case.”

Magistrate Judge Jeffrey Cole began the order by quoting Vakharia v. Swedish Covenant Hosp.: “The discovery rules are not a ticket to an unlimited, never-ending exploration of every conceivable matter that captures an attorney’s interest. Parties are entitled to a reasonable opportunity to investigate the facts—and no more.” He also added: “The inescapable reality is that discovery has come to dominate civil litigation…Proportionality, like other concepts, it is not self-defining; it requires a common sense and experiential assessment…In other words, all are agreed that discovery has gotten out of hand over the years and needs to be reigned in.”

The Court’s opinion detailed the ill-fated negotiations between the parties, with a key take-away being the lack of visibility Deutsche Telekom’s in-house counsel had into their own custodians’ data, which stymied their ability to effectively eliminate guess work and limit the number of custodians. This case illustrates that while there is a keen awareness of proportionality in the legal community, realizing the benefits requires the ability to operationalize workflows as far upstream in the eDiscovery process as possible. For instance, when you are engaging in data over-collection, which in turn incurs extensive labor and processing costs, the ship has largely sailed before you are able to perform early case assessments and data relevancy analysis, as much of the discovery costs have already been incurred at that point. The case law and the Federal Rules provide that the duty to preserve only applies to potentially relevant information, but unless you have the right operational processes in place, you are losing out on the ability to attain the benefits of proportionality.

However, traditional eDiscovery services typically involve manual collection, followed by manual on-premises hardware-based processing, and finally manual upload to review. These inefficiencies extend projects by often weeks while dramatically increasing cost and risk with purposeful data over-collection and dozens of manual data handoffs. The good news is that solutions and processes addressing the first half of the EDRM involving collection and processing are now far more automated.

To accomplish the goals of gaining early visibility into your data to foster more intelligent early case assessment, informed discovery negotiations with opposing counsel, and targeted, proportional data collection, corporate legal department should utilize index and search in-place technology. Indexing and search in-place in this context means that a software-based indexing technology (as opposed to an expensive and cumbersome stand-alone hardware appliance) is deployed directly onto the laptop, file server or in the cloud for Microsoft 365 data sources. This indexing occurs without a bulk data transfer of the data. Once indexed, you can search through terabytes of information in seconds, with complex Boolean operators, metadata filters and regular expression searches. Legal teams can iterate and repeat their searches without limitation, which is critical for large data sets.

These capabilities supporting targeted and proportional collection of loose files, emails, and large network file shares and M365 are uniquely provided in the X1 Enterprise Platform.

Leave a comment

Filed under Best Practices, Case Law, eDiscovery, eDiscovery & Compliance, Enterprise eDiscovery, ESI, Information Governance, m365, Preservation & Collection, proportionality

Tagged as , , , , , , , ,