In This Issue:

	FROM THE BENCH: COURT ISSUES DEFAULT JUDGMENT FOR BAD FAITH DESTRUCTION OF COMPUTER EVIDENCE
	THE BRILL FILES: PROCESS-DRIVEN SPOLIATION - PART I
	TECHNOLOGY YOU SHOULD KNOW: WEB-BASED E-MAIL ACCESS INCREASES SECURITY RISK
	NEWS & EVENTS

FROM THE BENCH: COURT ISSUES DEFAULT JUDGMENT FOR BAD FAITH DESTRUCTION OF COMPUTER EVIDENCE

PML N. Am., LLC. v. Hartford Underwriters Ins. Co., 2006 WL 3759914 (E.D. Mich. Dec. 20, 2006). In this fraud case, the plaintiff filed for default judgment sanctions against one of the defendants for failure to preserve electronic evidence and bad faith destruction of documents. The defendant failed to produce a USB drive and backup servers and produced a badly damaged hard drive from a vital computer in the case. The damaged hard drive showed evidence that the computer casing had been opened and the hard drive removed with a screwdriver. A computer forensic expert testified the computer had been tampered with and because of the tampering no electronic data could be harvested from the key piece of evidence.

The plaintiff argued such failure to produce the information and the badly damaged hard drive was evident of willful, bad faith spoliation. The defendant did not produce any logical explanation for the damaged computer or the failure to produce the thumb drive and backup servers. The court agreed with the plaintiff’s argument and found evidence that the hard drive belonging to the defendant was tampered with before production. The court held that the hard drive was proof of the defendant’s willful and intentional destruction of evidence and that default judgment was proper since all parties were substantially prejudiced. Furthermore, the court ordered the defendant to pay all attorney’s fees and costs.

THE BRILL FILES: PROCESS-DRIVEN SPOLIATION - PART I

Under the latest changes to the Federal Rules of Civil Procedure (FRCP), companies are only afforded limited protection when electronic evidence is destroyed through automated deletion programs or other process-driven spoliation. Although the new FRCP creates a “safe harbor” for such inadvertent spoliation, judges can still sanction parties using their inherent authority. As such, there is a burden on counsel to see to it that steps to avoid process-driven spoliation are observed and followed.

“Process-driven spoliation” or “PDS” is data destruction that takes place as a result of business or system processes that occur without a specific, willful decision on the part of a person. For example, a company may program its e-mail system to automatically delete all e-mails older than 90 days. This is different from deliberate spoliation, where an individual initiates actions they know will result in the destruction of data that is subject to a “litigation hold.” For example, a CEO orders all e-mails relating to a lawsuit be deleted. Clearly, there is no “safe harbor” provided in the FRCP for deliberate spoliation.

Several forms of PDS are well known, and should be recognized by counsel when considering how to avoid data destruction. These include:

• Tape and Backup File Recycling: This is one of the oldest problems, dating back to the 1960s. For disaster recovery purposes, it is necessary to store backup copies of key files in an offsite location. However, problems arise when older backup tapes are recycled and re-used for backing up new data. This is the main reason lawyers instruct their clients to stop recycling tapes during litigation. Instead, the tapes should be retained and protected until further advised by counsel.

• E-mail Elimination: To avoid excessive e-mail volumes, many companies set an automated instruction within their e-mail systems that instructs the system to regularly search for and delete e-mails that have been held for more than a specified period (often 30-90 days). Obviously, this represents a very easy way to lose e-mail. In a number of cases, companies, claiming not to have realized that this was happening, permitted such destruction to occur for years despite a duty to preserve. Reasonable delays to stop an automated system may be a few days, but weeks and months of delay are unlikely to be ignored by the courts. Counsel must be prepared to work with their client to get the word out quickly, and to look for feedback confirming that the destructive processes have been stopped.

• Hard Disk Maintenance: Some IT departments schedule automatic computer defragmentation which reorganizes a user’s data and overwrites data contained in the computer’s slack and unallocated spaces. This slack and unallocated data is oftentimes recoverable by computer forensics experts. If it is anticipated that a computer forensic investigation may be necessary in a case, it is vital that both the IT department and end users be instructed not to use a defragmentation tool during a litigation hold.

• Self-Destruction Systems: This new technology should be considered. To prevent sensitive data from being compromised when a laptop is lost or stolen, some companies have installed self-destruction software. These systems operate in different ways:
  
  
• The system may initiate the destruction command when a password is entered incorrectly a certain number of times.
  
  
• The system may destroy data when a stolen computer is connected to the Internet because the computer automatically connects to a specific Internet address that lists identification numbers of stolen machines.
  
  
• The system may destroy the data on a specific date if the machine has not been connected to the Internet for a specified period to renew its "authorization to live."

Whatever the approach, the end result is the same; data that may be relevant to the suit, is destroyed and typically cannot be recovered by a computer forensics expert.

Conclusion

Although the FRCP create a safe harbor from sanctions for inadvertent data loss, the breadth and depth of that safety net is untested. Counsel should be aware of their clients’ mechanisms for process-driven spoliation, and take steps to mitigate any risk of data deletion.

Be sure to read next month’s “Brill Files” which will cover discussing the PDS issue with your client and opposing counsel.

*** If you would like to explore the opportunity of Alan Brill speaking at a conference you are supporting or organizing, please contact Amanda Karls at 952 516 3637 or at akarls@krollontrack.com. ***

TECHNOLOGY YOU SHOULD KNOW: WEB-BASED E-MAIL ACCESS INCREASES SECURITY RISK

In today’s digital age, many employees use web-based e-mail programs, such as Hotmail or Yahoo!, for business purposes. Some employees have their work e-mail automatically forwarded to their web-based mail because they simply prefer its options, format, and accessibility over traditional network e-mail. Although web-based e-mail may be convenient for employees, it can leave an employer vulnerable to several business and legal risks, including some of the e-discovery and computer forensics dangers described below.

Content Filtering - The largest risk for companies when allowing web-based e-mail is a loss of the ability to filter employee e-mail. With web-based e-mail accounts, a company has no way of knowing what information is going in and out until it is too late. Many cases involving trade secret misappropriation involve employee use of a web-based e-mail program. See Easton Sports, Inc. v. Warrior Lacrosse, Inc., 2006 WL 2811261 (E.D. Mich. Sept. 28, 2006) (former employee of the plaintiff forwarded several e-mails containing crucial trade secrets to his Yahoo! account shortly before beginning employment with the defendant).

Discovery Collections - When litigation ensues, a company may be required to produce archived e-mail messages from particular employees. With a network e-mail system, the search for and collection of relevant employee e-mail is reasonably straightforward. When web-based e-mail is involved, however, the company will not have any record of the employees’ e-mail communications. Computer forensics investigations of employee workstations may be necessary to exactly determine what transpired.

Home Computer Searches - If an employee accesses a web-based e-mail program for business purposes from home, the employee’s personal home computer may be subject to discovery and investigation. Production of information from an employee’s home computer raises privacy and personal security issues, yet most courts typically order such investigations when good cause is shown. For example, in a recent trade secrets case, Ameriwood Industries, Inc. v. Liberman, 2006 WL 3825291 (E.D. Mo. Dec. 27, 2006), the plaintiff moved the court to order the production of the defendant’s home computers for forensic imaging. The plaintiff argued that the defendant’s home computers may contain relevant e-mail information related to the trade secrets since much work was performed at home by the defendant. The court agreed with the plaintiff and ordered the defendant to produce its hard drives from home computers that were used for work purposes.

Viruses and Hacking - Web-based e-mail can expose a company’s confidential communications and files to possible hacking by outsiders and dangerous viruses not protected by the company’s own security mechanisms. All incoming e-mail and attachments may not be scanned with the same veracity as other network e-mail, and a company opens itself up to risk.

By and large, businesses need to assess the risks versus the benefits of allowing web-based e-mail access for employees. More importantly, attorneys involved in an internal employee investigation or e-discovery production should know whether any employees have web-based e-mail and attempt to preserve, collect, and review those communications as soon as possible.

NEWS & EVENTS

Meet our representatives at the following events:

Visit www.krollontrack.com/upcomingevents/ for more information on these events and others.

Back To Top

WE REQUEST YOUR INPUT

Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please contact us by writing to mlange@krollontrack.com.

This newsletter is written by Michele C.S. Lange, an Ontrack Forensics staff attorney with Kroll. Ms. Lange has published numerous articles and speaks regularly on the topics of e-discovery, computer forensics, and technology’s role in the law. She can be contacted by writing to mlange@krollontrack.com.

For more information about e-discovery and computer forensics services, please call 800 347 6105 or visit www.krollontrack.com. To view a complete archive of Cyber Crime & Computer Forensics e-newsletters, please visit www.krollontrack.com/newsletters/cybercrime.aspx