In This Issue:

	FROM THE BENCH: COURTS ORDER COMPUTER FORENSIC EXAMINATIONS
	THE BRILL FILES: NEW FRCP RULES: WHAT YOU DON'T KNOW COULD HURT YOU AND YOUR COMPANY
	TECHNOLOGY YOU SHOULD KNOW: HANDLING HYBRID DISCOVERY
	NEWS & EVENTS

FROM THE BENCH: COURTS ORDER COMPUTER FORENSIC EXAMINATIONS

Parties Agree to Discovery Management Plan, Including Computer Forensic Examinations and Active Data Collection
In re Celexa and Lexapro Prods. Liab. Litig., 2006 WL 3497757 (E.D. Mo. Nov. 13, 2006). In this multi-district litigation regarding two prescription drugs, the parties agreed to a document management plan which the court incorporated into its order. The parties established that the plaintiffs would preserve the hard drives of computers used by the plaintiffs and the plaintiffs' decedents, and those hard drives would be imaged and analyzed pursuant to an agreed forensic examination protocol. The parties also decided the defendants would not be required to restore any of their backup tapes at this time, and instead, responsive electronically stored information would be collected from the defendants' active IT environment. They must preserve the 35 backup tapes set aside for this litigation, but may otherwise resume backup tape recycling. The plaintiffs deferred the production format decision to the defendants and allowed them to produce data in any format that is generally searchable and manageable. The parties were unable to agree on how costs should be apportioned, the scope of discovery into electronic databases, and who should perform the forensic examination of the computer hard drives. The court determined it would decide these issues after more briefing by the parties.

Court Orders Mirror Imaging of Computer Hard Drives, Citing New Federal Rules of Civil Procedure
Ameriwood Industries, Inc. v. Liberman, 2006 WL 3825291 (E.D. Mo. Dec. 27, 2006). In a suit alleging misappropriation of trade secrets inter alia, the plaintiff motioned the court for an order compelling the defendants to produce computer hard drives for imaging. The plaintiff sought e-mails from the defendants related to dissemination of trade secrets. The plaintiff not only requested all work-related computers, but any home computers that may have been used to transmit the trade secrets. The plaintiff argued it was entitled to the hard drives even if information was deleted since the computers may contain evidence that goes to the heart of the claims. Furthermore, the defendants failed to produce a later discovered e-mail which the plaintiff eventually discovered, thereby creating an argument to search for other undisclosed discovery material. The defendants argued the costs involved would be substantial and imaging should not be completed. The court determined the data requested was not reasonably accessible because of undue burden and cost. However, the court closely examined the newly implemented Federal Rules of Civil Procedure and determined that there was good cause for the plaintiffs to search the defendants' hard drives since "allegations that a defendant downloaded trade secrets onto a computer provide a sufficient nexus between plaintiff's claims and the need to obtain a mirror image of the computer's hard drive." The court then provided detailed guidance for the mirror-imaging process and discovery of documents on the defendants' hard drives. It held that the plaintiff would choose a qualified computer forensics expert and the defendants were required to produce all hard drives, including those from their homes. A disclosure process was also ordered which outlined the process regarding production of documents and privilege issues.

THE BRILL FILES: NEW FRCP RULES: WHAT YOU DON'T KNOW COULD HURT YOU AND YOUR COMPANY

*** Written by Alan Brill. The Brill Files reflects his work in the field with clients who have encountered some not-so-pleasant events and what was done to remedy the situation. With more than 25 years of consulting experience, Mr. Brill has assisted organizations with a wide range of technology security issues and is an internationally recognized speaker and instructor. ***

In the past few months, many articles have been written on the e-discovery changes to the Federal Rules of Civil Procedure ("FRCP"). While most of these have been on the mark, others have told only part of the story or left readers with inaccurate or incomplete information.

For example, depending on what you read, you may believe either or both of the following statements:

• The courts now require that your company maintain a copy of every e-mail message, document, spreadsheet and file an employee creates, sends or receives.

• When e-discovery occurs, you create a copy of the data and ship it off to the parties (or counsel for the parties) on the other side of the case, and they do the same.

As it turns out, neither of these statements are true. As IT professionals, you need to understand the implications associated with the new FRCP.

Keep Everything, and Keep It Forever?

Currently, there is no law requiring a company to maintain every e-mail, document, spreadsheet, database and file ever created or received. Under the new FRCP, however, you are obligated to take steps to safeguard information directly relating to an actual lawsuit or one that is reasonably likely to occur. This includes preserving relevant e-mails from automatic destruction or backup tapes with relevant data from being recycled. If you keep data beyond what is required by a lawsuit or impending suit, understand this: It is very likely that it will be discoverable.

In addition, it is important to understand that notice or reasonable anticipation of litigation warrants a litigation hold. Once a hold is in place, you are required to actively monitor suspension measures to ensure relevant data is not destroyed. If the "hold" is altered (or enacted) at some point, these business processes should always be crafted in conjunction with counsel, and once promulgated, should be followed and audited to be sure they are working as intended.

Is E-Discovery Really Just File Exchange?

The actual process by which e-discovery works can be fairly involved and requires specialized skills and knowledge to protect your company's interests. For example, e-discovery should be reasonably limited to information related to the matter of the lawsuit. The opposing party could ask for all e-mails sent and received by your company during 2004 and 2005, but your counsel would be the first to tell you that such a request is excessive and needs to be narrowed to include only information relevant to the suit.

Even when a request is well crafted to limit discovery to matters related to the subject of the suit, you should also know that not everything gets turned over to the opposing party. For example, there may be correspondence that is deemed to be privileged attorney-client communications. When this is the case, it is important to redact the specific privileged matter. In digital form, redaction is more complex and can require specialized tools, some of which are available in e-discovery software packages and services. For every redaction, counsel must prepare a "privilege log" explaining to the court why the redaction was made, so the judge can rule on the appropriateness of the cuts if a question arises.

Does Safe Harbor Mean 'No Harm, No Foul'?

The new FRCP contains "safe harbor" protections to avoid penalizing honest mistakes but this provision has yet to be tested. The rules strengthen the role of counsel in telling a company's IT group what is required of it under e-discovery. If an attorney instructs an IT group to halt destruction of e-mails or other documents, the company cannot hide behind defenses of "we were too busy." The court may sanction such behavior. Consequently, assumptions that the safe harbor provision is all the protection you need if you ignore counsel's instructions could prove to be a costly mistake.

Conclusion

There is a lot more to e-discovery than meets the eye. So, at the end of the day, do not underestimate their importance or the potential disasters that can result from keeping too much or too little potential evidence in your systems.

As an IT professional, you play the dual role of first responder and gatekeeper, ensuring that proper protocols are in place and followed. Staying up to speed on the changes to the laws and technology relating to e-discovery will certainly help you and your company retain the strategic edge when litigation ensues.

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at (952) 516-3637 or at akarls@krollontrack.com. ***

TECHNOLOGY YOU SHOULD KNOW: HANDLING HYBRID DISCOVERY

Introduction

E-discovery projects and computer forensics examinations do not occur in isolation. Despite technical distinctions and differing operational best practices, many civil litigation cases will involve aspects of both e-discovery and computer forensics. This is known as "hybrid" discovery and is likely to occur where active or archived electronic documents and inaccessible, concealed electronic data are equally important to the case. If a client is not aware of their differences during discovery, time and money may be wasted when handling e-evidence multiple times.

E-Discovery v. Computer Forensics

The differences between e-discovery and computer forensics are subtle but important. E-discovery involves the collection of active data on a custodian's computer system and active and archival data from the corporation's hard drives, servers, and backup tapes. It is generally used as a tool to discover documents in response to discovery requests in litigation, and the recent amendments to the Federal Rules of Civil Procedure are making e-discovery a customary part of civil litigation.

Computer forensics, on the other hand, is more inclusive than the standard e-discovery process and goes beyond active data collection. It involves a bit-by-bit, mirror-imaging of all data on a hard drive. Once imaged, a hard drive may then be searched for active, deleted, and residual information. This process often involves specialized computer forensics knowledge and tools. The information discovered is generally reduced to an expert report which is used as evidence in trial.

Increasingly, courts are beginning to order both processes to occur during litigation. For example, in a recent pharmaceuticals case, the court in In re Celexa and Lexapro Prods. Liab. Litig., 2006 WL 3497757 (E.D. Mo. Nov. 13, 2006) ordered the defendant to produce all available data from their active IT environment, including 35 backup tapes needing to be preserved for possible discovery. It also ordered the plaintiffs and the plaintiffs' descendents to produce their computer hard drives for mirror-imaging and examination by a computer forensics investigator. The court not only recognized the importance of e-mails and other electronic documents from the pharmaceutical company relating to the drugs in the suit, but it also realized the importance of concealed electronic data on the plaintiffs' computers and its possible impact on the claims of the suit.

Three Tips - How to Manage Your Hybrid Case

How do you know if both e-discovery and computer forensics are involved in your next case? Below are three tips to help you identify and manage hybrid discovery.

• Identify the scope of evidence for the claims in your case.

Is opposing counsel asking for all active data - accessible word documents, spreadsheets and e-mails- for a targeted custodian? If so, e-discovery is required. Do you also need to know what Web sites a custodian visited, what files were deleted, or exact time sequences of computer conduct? If yes, then a computer forensics examination is required and your hybrid discovery case is underway. At this stage, it is important to plan your data collection appropriately, erring on the side of a mirror image to preserve more data rather than less.

Further, know what type of information you are looking for in a hybrid case. What are your search terms and data criteria for e-discovery filtering? In a computer forensics examination, are you looking for a copy of all native files, authentication of data, or an expert report regarding a custodian's computer activity? Each activity requires different procedures, tools and techniques and a failure to properly plan could mean collecting and handling the data twice, resulting in wasted time, irrelevant results, and misused resources.

• Think long term.

When hybrid projects are involved, a party cannot over prepare to ensure a successful end result. How are you going to review the e-discovery data? Does your service provider have an online tool to review the information or can you use local litigation support software to manage your own data? How will you evaluate the computer forensics files returned in the investigation? How will this data bolster your case? How will you explain your processes to the opposing party and judge? What are the timeframes for both the e-discovery and computer forensics?

• Utilize one service provider for both processes.

One service provider means increased communication, streamlined timeframes, and better support for any of your problems and questions. Further, pay attention to how your service provider will deliver both the e-discovery and computer forensic services. Will outside contractors be used or does the service provider handle all aspects of the hybrid project in-house? Lastly, many service providers will offer price incentives for hybrid projects, saving your client money.

Conclusion

A computer forensics investigation does not have to occur separately from the e-discovery process; rather, more often than not they coincide during litigation. With proper foresight and knowledge to realize when hybrid discovery is right for your case, you can save your corporate clients time and money.

NEWS & EVENTS

Meet our representatives at the following events:

Visit www.krollontrack.com/upcoming-events for more information on these events and others.

Back To Top

WE REQUEST YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of electronic discovery law. If you are aware of any additional local court rulings or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.

This newsletter is written by Michele C.S. Lange, an Ontrack Forensics staff attorney with Kroll. Ms. Lange has published numerous articles and speaks regularly on the topics of electronic discovery, computer forensics, and technology's role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about electronic discovery and computer forensics services, please call 800 347 6105 or visit www.krollontrack.com.To view a complete archive of Cyber Crime & Computer Forensics e-newsletters, please visit the newsletter archive.