Tag Archives: ESI

May 2, 2017 · 8:05 AM

The Three Categories of eDiscovery Spoliation Sanctions

My last post discussed the important new Sedona Conference guidance, The Sedona Principles, Third Edition: Best Practices, Recommendations & Principles for Addressing Electronic Document Production. The revised principles are compelling, providing important direction to lawyers and eDiscovery practitioners alike. The Sedona Principles often make their way into court opinions and thus inform eDiscovery case law. In my view, the most interesting component of the updated Sedona Principles is its stance against full disk imaging for routine eDiscovery preservation, labeling the practice as unnecessary and unduly burdensome. Full disk imaging is still very widely used (some attorneys would say abused) for eDiscovery collection, which is an issue I highlighted at length last year on this blog.

The Sedona commentary brings into focus the judges’ rationale when issuing sanctions for failure to properly preserve ESI. Specifically, what types of conduct resulting in the destruction of ESI do the courts actually impose penalties for? I have been monitoring the caselaw involving failure to preserve ESI sanctions for over 15 years, and such cases fall under three general categories.

The first and most obvious category involves intentional conduct to delete or otherwise destroy potentially relevant ESI. There are many examples of such cases, including Sekisui Am. Corp. v. Hart, 2013 WL 4116322 (S.D.N.Y. Aug. 15, 2013), and Rimkus Consulting Group, Inc. v. Cammarata, 688 F. Supp. 2d 598 (S.D. Tex. 2010).

The second category involves situations where there is no process in place and the organization asserts little or no effort to preserve ESI. In a recent example, a magistrate judge imposed spoliation sanctions where the Plaintiff made no effort to preserve their emails — even after it sent a letter to the defendant threatening litigation. (Matthew Enter., Inc. v. Chrysler Grp. LLC, 2016 WL 2957133 (N.D. Cal. May 23, 2016). The court, finding that the defendant suffered substantial prejudice by the loss of potentially relevant ESI, imposed severe evidentiary sanctions under Rule 37(e)(1), including allowing the defense to use the fact of spoliation to rebut testimony from the plaintiff’s witnesses. The court also awarded reasonable attorneys fees incurred by the defendant in bringing the motion. See also, Internmatch v. Nxtbigthing, LLC, 2016 WL 491483 (N.D. Cal. Feb. 8, 2016), where a U.S. District Court imposed similar sanctions based upon the corporate defendant’s suspect preservation efforts.

The final category involves situations where an organization does have a palpable ESI preservation process, but one that perilously relies on custodian self-collection. In a recent illustrative case, a company found themselves on the wrong end of a $3 million sanctions penalty for spoliation of evidence. The case illustrates that establishing a litigation hold and notifying the custodians is just the first step. Effective monitoring and diligent compliance with the litigation hold is essential to avoid punitive sanctions. GN Netcom, Inc. v. Plantronics, Inc., No. 12-1318-LPS, 2016 U.S. Dist. LEXIS 93299 (D. Del. July 12, 2016). Even with effective monitoring, severe defensibility concerns plague custodian self-collection, with several courts disapproving of the practice due to poor compliance, metadata alteration, and inconsistency of results. See Geen v. Blitz, 2011 WL 806011, (E.D. Tex. Mar. 1, 2011), Nat’l Day Laborer Org. v. U.S. Immigration and Customs Enforcement Agency, 2012 WL 2878130 (S.D.N.Y. July 13, 2012).

So those are the three general categories for ESI preservation sanctions. But here is the question that the new Sedona commentary indirectly raises: Are there any cases out there where a court sanctions a party who; one, had a sound and reasonable ESI preservation process in place, and two, reasonably followed and executed that process in good faith, but were sanctioned anyway because that one document or email slipped through the cracks, which theoretically could have been prevented by employing full disk imaging as a routine practice? I believe this is an important question because some organizations and/or their outside counsel cite this concern as justification for full disk imaging across multitudes of custodians as a routine (but very expensive and burdensome) eDiscovery preservation practice. This still occurs even with the 2015 amendments to the Federal Rules of Civil Procedure, specifically FRCP 26(b)(1), which requires the application of proportionality to all aspects of eDiscovery, including collection and preservation.

I am unaware of any such case described in the previous paragraph. But if anyone is, please let me know in the comments below!

 

5 Comments

Filed under eDiscovery

Tagged as , , , , ,

March 28, 2017 · 8:25 AM

Key to Improving Predictive Coding Results: Effective ECA

Predictive Coding, when correctly employed, can significantly reduce legal review costs with generally more accurate results than other traditional legal review processes. However, the benefits associated with predictive coding are often undercut by the over-collection and over-inclusion of Electronically Stored Information (ESI) into the predictive coding process. This is problematic for two reasons.

The first reason is obvious, the more data introduced into the process, the higher the cost and burden. Some practitioners believe it is necessary to over-collect and subsequently over-include ESI to allow the predictive coding process to sort everything out. Many service providers charge by volume, so there can be economic incentives that conflict with what is best for the end-client. In some cases, the significant cost savings realized through predictive coding are erased by eDiscovery costs associated with overly aggressive ESI inclusion on the front end.

The second reason why ESI over-inclusion is detrimental is less obvious, and in fact counter intuitive to many. Some discovery practitioners believe as much data as possible needs to be put through the predictive coding process in order to “better train” the machine learning algorithms. However this is contrary to what is actually true. The predictive coding process is much more effective when the initial set of data has a higher richness (also referred to as “prevalence”) ratio. In other words, the higher the rate of responsive data in the initial data set, the better. It has always been understood that document culling is very important to successful, economical document review, and that includes predictive coding.

Robert Keeling, a senior partner at Sidley Austin and the co-chair of the firm’s eDiscovery Task Force, is a widely recognized legal expert in the areas of predictive coding and technology assisted review.  At Legal Tech New York earlier this year, he presented at an Emerging Technology Session: “Predictive Coding: Deconstructing the Secret Sauce,” where he and his colleagues reported on a comprehensive study of various technical parameters that affect the outcome of a predictive coding effort.  According to Robert, the study revealed many important findings, one of them being that a data set with a relatively high richness ratio prior to being ingested into the predictive coding process was an important success factor.

To be sure, the volume of ESI is growing exponentially and will only continue to do so. The costs associated with collecting, processing, reviewing, and producing documents in litigation are the source of considerable pain for litigants. The only way to reduce that pain to its minimum is to use all tools available in all appropriate circumstances within the bounds of reasonableness and proportionality to control the volumes of data that enter the discovery pipeline, including predictive coding.

Ideally, an effective early case assessment (ECA) capability can enable counsel to set reasonable discovery limits and ultimately process, host, review and produce less ESI.  Counsel can further use ECA to gather key information, develop a litigation budget, and better manage litigation deadlines. ECA also can foster cooperation and proportionality in discovery by informing the parties early in the process about where relevant ESI is located and what ESI is significant to the case. And with such benefits also comes a much more improved predictive coding process.

X1 Distributed Discovery (X1DD) uniquely fulfills this requirement with its ability to perform pre-collection early case assessment, instead of ECA after the costly, time consuming and disruptive collection phase, thereby providing a game-changing new approach to the traditional eDiscovery model.  X1DD enables enterprises to quickly and easily search across thousands of distributed endpoints from a central location.  This allows organizations to easily perform unified complex searches across content, metadata, or both and obtain full results in minutes, enabling true pre-collection ECA with live keyword analysis and distributed processing and collection in parallel at the custodian level. To be sure, this dramatically shortens the identification/collection process by weeks if not months, curtails processing and review costs from not over-collecting data, and provides confidence to the legal team with a highly transparent, consistent and systemized process. And now we know of another key benefit of an effective ECA process: much more accurate predictive coding.

Leave a comment

Filed under ECA, eDiscovery

Tagged as , , , , , , , , , ,

June 7, 2016 · 9:21 AM

Full Disk Imaging is Expensive Overkill for eDiscovery Collection

Early in my tenure as co-founder at Guidance Software (EnCase), we commercialized full-disk imaging circa 2001 with EnCase Forensic edition, which was the first Windows-based computer forensics tool. EnCase Forensic enabled broader market adaption of computer forensic drive imaging, but the tool was originally designed for law enforcement to perform criminal computer evidence seizures. We were thinking more CSI than ESI.

However, soon a funny thing happened. For a two to three year period in the mid-2000s, a majority of standalone forensic software purchases came from eDiscovery service providers. Law enforcement represented a sizable minority during this “surge period” of commercial sector purchases, but we eventually realized that the eDiscovery services community was in the process of standardizing on full disk imaging as their default collection practice.

I have a few theories on why this trend occurred, but suffice to say that one of the many reasons that full-disk imaging is burdensome is because the process often involves service providers traveling out to the individual custodians, which is very disruptive to employees, not to mention time consuming. Additionally, as eDiscovery processing and hosting fees are usually calculated on a per-gigabyte basis, costs are increased exponentially. In a word, this is overkill, with much more effective and efficient options now available.

However, many eDiscovery practitioners continue to collect or direct the collection of Electronically Stored Information (ESI) through full disk forensic “images” of targeted media as a routine practice. Full disk images capture every bit and byte on a hard drive, including system and application files, unallocated space and a host of irrelevant user-created data. While full disk images may be warranted in some limited situations, the expense and burden associated with the practice can be quite extensive, particularly in matters that involve multiple custodians.

The Duty to Preserve Only Extends to Relevant Information

It is established law that the duty to preserve evidence, including ESI, extends only to relevant information. Hynix Semiconductor Inc. v. Rambus Inc., 2006 WL 565893 (N.D.Cal. Jan. 5, 2006) at *27. (“The duty to preserve evidence, once it attaches, does not extend beyond evidence that is relevant and material to the claims at issue in the litigation.”)  As noted by the Zubulake court, “Clearly [there is no duty to] preserve every shred of paper, every e-mail or electronic document, and every backup tape…Such a rule would cripple large corporations.”  Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 217 (S.D.N.Y. 2004) (“Zubulake IV”).

The vast majority of ESI on a full disk image will typically constitute irrelevant information. As stated by one court, “imaging a hard drive results in the production of massive amounts of irrelevant, and perhaps privileged, information.” Deipenhorst v. City of Battle Creek, 2006 WL 1851243 (W.D.Mich. June 30, 2006) at *3.  In noting that the “imaging of computer hard drives is an expensive process, and adds to the burden of litigation for both parties,” the Deipenhorst court declined to require the production of  full disk images absent a strong showing of good cause. See also, Fasteners for Retail, Inc. v. DeJohn et al., No 1000333 (Ct. App.Ohio April 24, 2014).

Similarly, in Zubulake v. UBS Warburg LLC, 2004 WL 1620866 at *8 (S.D.N.Y. July 20, 2004) (“Zubulake V”), Judge Scheindlin suggested that eDiscovery could be more manageable for producing parties but still defensible by taking advantage of the development of technology like X1 Distributed Discovery, which would be capable of conducting distributed keyword searches.  She anticipated that, due to the expansion of eDiscovery in coming years, counsel “must be more creative” because:

[It may not always] be feasible for counsel to speak with every key player, given the size of a company or the scope of the lawsuit, counsel must be more creative. It may be possible to run a system-wide keyword search; counsel could then preserve a copy of each “hit.” [FN75] Although this sounds burdensome, it need not be. Counsel does not have to review these documents, only see that they are retained. For example, counsel could create a broad list of search terms, run a search for a limited time frame, and then segregate responsive documents. . .

FN75. It might be advisable to solicit a list of search terms from the opposing party for this purpose, so that it could not later complain about which terms were used.

The recommended collection and preservation approach described by Judge Scheindlin is a far cry from obtaining full-disk images of the hard drives of each potential custodian, and in fact maps directly to the capabilities of X1 Distributed Discovery.

Courts do require that ESI be collected in a forensically sound manner, which does not mean a full forensic disk image is required, but generally does entail that metadata is not altered and a documented chain of custody is maintained. Historically, eDiscovery collection efforts not involving full disk imaging would often result in the loss or alternation of metadata. More advanced enterprise class technology, such as X1 Distributed Discovery, can accomplish system-wide searches that are narrowly tailored to collect only potentially relevant information while preserving metadata at the same time. This process is better, faster and dramatically less expensive than manual disk imaging. As with the Zubulake V decision, which advocates employing technology to perform “system-wide keyword searches”, courts recognize that advanced computer software can be deployed to limit the scope of computer searches and thus support reasonable discovery efforts.

With X1 Distributed Discovery (X1DD), parties can perform targeted search collection of the ESI of thousands of endpoints over the internal network without disrupting operations. The search results are returned in minutes, not weeks, and thus can be highly granular and iterative, based upon multiple keywords, date ranges, file types, or other parameters. This approach typically reduces the eDiscovery collection and processing costs by at least one order of magnitude (90%). This method is sound from an evidentiary standpoint as the collected data is preserved in its native file format with its metadata intact. X1DD features a solid chain of custody and robust logging, tracking and reporting.

The authorities cited above establish that effective technology can enable corporate counsel to establish a highly defensible process that at the same time minimizes cost. Routine full-disk imaging, over collection, and high eDiscovery costs are symptoms of an absence of a systemized process.  By establishing a scalable and system-wide eDiscovery process based upon the latest technology, large organizations can save millions while improving compliance.

Leave a comment

Filed under eDiscovery

Tagged as , , , ,

October 20, 2015 · 4:01 PM

New FRCP Rule 37(e) Calls Out Importance of Social Media Evidence

By John Patzakis

A new version of Federal Rule of Civil Procedure 37(e) FRCP bookgoes into effect December 1, 2015, barring an unexpected act of Congress to amend or rescind the changes. Proposed rule 37(e), features a new title: “Failure to Preserve Electronically Stored Information,” and replaces the current subpart in its entirety, providing a uniform standard to resolve a split in case law among different Judicial circuits concerning serious ESI spoliation sanctions. Rule 37(e) will be the only Federal civil rule section addressing the duty to preserve ESI and thus serves as key guidance governing eDiscovery collection and preservation efforts.

Proposed Rule 37(e) is accompanied by official Committee Advisory notes. Judges and counsel refer to these Advisory notes to provide guidance and insight concerning the intent of the laws and how they should be applied. The Advisory notes are published alongside the statute and are in fact widely seen as an extension of the FRCP. The Advisory notes for new proposed Rule 37(e) include the following key section:

Another factor in evaluating the reasonableness of preservation efforts is proportionality. The court should be sensitive to party resources; aggressive preservation efforts can be extremely costly, and parties (including governmental parties) may have limited staff and resources to devote to those efforts. A party may act reasonably by choosing a less costly form of information preservation, if it is substantially as effective as more costly forms. It is important that counsel become familiar with their clients’ information systems and digital data — including social media — to address these issues (emphasis added).

This reference to social media is particularly notable as it is included in very important guidance concerning overall ESI preservation requirements.  The implication of the new law is clear:  social evidence is given at least equal weight and import as other forms of ESI such as email and documents. As an aside, the Advisory notes to the 2006 Federal Rules Amendments, specifically for Rule 37(f)  state: “When a party is under a duty to preserve information because of pending or reasonably anticipated litigation, intervention in the routine operation of an information system is one aspect of what is often called a ‘litigation hold.’”

Due in large part as a result of this mention, legal holds quickly became a core eDiscovery requirement, with an entire sub-industry spawned.  So there is no question that the Advisory notes are highly influential.

It is notable that social media evidence is already a core component of eDiscovery evidence collection efforts by most lawyers and practitioners.  Recently, the global law firm Gibson Dunn released their influential 2015 Mid-Year eDiscovery and Information Law Update. In a section dedicated to social media, the Gibson Dunn update reports that “the use of social media continues to proliferate in business and social contexts, and that its importance is increasing in litigation, the number of cases focusing on the discovery of social media continued to skyrocket in the first half of 2015.”

And as succinctly noted by The Florida Bar Association in its publication, Florida Law Journal, “Social Media Evidence: What You Can’t use Won’t Help You” (2014) Volume 88, No. 1:

“Social media is everywhere. Nearly everyone uses it. Litigants who understand social media–and its benefits and limitations– can immeasurably help their clients resolve disputes. If not properly researched, preserved, and authenticated, the best social media evidence is worthless.”

And:

“Social networking sites have grown from a few thousand users to more than a billion. These sites have become a preferred form of electronic communication, surpassing email in 2009. As of March 31, 2011, 9,370,620 Floridians had registered for a Facebook account, which is approximately half of the state’s population. Based on these statistics, it is inevitable that the social media accounts of at least one person involved in a dispute will have potentially relevant and discoverable information.

And we are of course seeing this explosive trend in the adoption of X1 Social Discovery ahead of new FRCP Rule 37(e). X1 Social Discovery is the undisputed leader in its field for the preservation and analysis of social media and other internet evidence. If you are not one of the several thousand eDiscovery, legal, and digital investigation professionals who have enthusiastically incorporated X1 Social Discovery into your standard preservation protocols, new FRCP 37(e) should be your final call to action.

1 Comment

Filed under Case Law, eDiscovery, Social Media Investigations

Tagged as , , , , , , , , , , , , , , , , , , , , ,

February 26, 2014 · 1:13 PM

Avoid SharePoint eDiscovery Headaches Before They Begin

by Barry Murphy

Sharepoint no colorLast week, this blog featured highlights from the very successful SharePoint eDiscovery webinar with Reed Smith.  It is a topic that came up time and again in my tenure as an analyst; companies and government Agencies are becoming tightly bound to SharePoint and want to be sure that eDiscovery ordeals can be avoided.

Microsoft SharePoint continues to gain widespread traction in organizations large and small.  A recent Forrester Research survey found that 66% of respondents will deploy SharePoint server in the next 12 months (source: Forrester Research August 2013 Global SharePoint Usage online survey).  The attraction to SharePoint is obvious – the system creates business benefits: enabling collaboration in efficient ways; providing ways to track versions of documents edited by multiple parties; allowing non-technical business people to apply basic workflow to content-driven processes, and providing faster access to information (via search and integration with the MS Office suite of apps).

For the value it creates, SharePoint can cause eDiscovery and information governance headaches if proper planning does not take place.  It is all too easy to assume that if information is searchable, eDiscovery will be no problem when the time comes.  But, as is often the case in life, the devil is in the details.  Because SharePoint allows users to add value to content (e.g. adding workflow tasks), there is the factor of metadata to consider.

In eDiscovery, metadata is a critical component of ESI that can wreak havoc on collection efforts.  When we talk about metadata for native ESI, we are usually concerned about the Operating System (OS) fields that are kept in the File Allocation Table (FAT). Different OS formats support a wide variety of fields such as different dates, attributes, permissions and file name formats (long vs. short). These fields are not usually stored within the actual file and so are very vulnerable to alteration or complete loss when items are read or copied. Forensic collection is focused on preserving this ‘envelope’ information so that evidence can be authenticated and the context reconstructed in court. That is only half of the metadata story. Microsoft Office and other programs retain non-displayed information within the header and body of all common file types, especially with the adoption of the XML based Office 2007 file formats.

This metadata issue is only extended with SharePoint because most collection efforts are focused only on grabbing SharePoint document libraries (as they are stored on file systems).  But SharePoint is so much more than document libraries (if it weren’t, it would simply be another file share sitting out there).

A defensible SharePoint collection solution will be able to capture document libraries, metadata, and truly enable contextual preservation.  When considering a SharePoint collection tool be sure that it:

  • Allows for incremental preservation, monitoring changes, identifying and preserving different document versions, and incrementally preserve to multiple matters over time
  • Maps to custodian access and prevent over-preservation, collecting and preserving only what is relevant to a particular custodian, not the entire SharePoint site
  • Is deployable in the same fashion as SharePoint, which tends to be highly decentralized and siloed; thus the collection solution should be deployable on-demand, directly to SharePoint sites through a highly automated, remote installation, with intuitive administration and operation performed through a standard web browser

At the end of the day, informed customers will make sure that the collection tool can get more than just SharePoint document libraries, but all metadata, as well.  Also, look for solutions that will not impact the production environment too heavily; you don’t want to bring SharePoint to its knees when it is a valuable business application.  And finally, get legal and IT together on the same page about how to reasonably prove that your SharePoint preservation and collection methodologies and tools are defensible.

Leave a comment

Filed under Information Governance

Tagged as , , , , , , , , , , , , , , ,