E-evidence: Protection is in knowing where your data resides at all times

  • August 01, 2013
  • Jason Scott Alexander

E-evidence is the “smoking gun” of employee misconduct, cover-ups, anti-company propaganda. Ten years ago, it was primarily email that forged the route for hidden agendas, personal biases and various forms of intellectual property to freely float unchecked out the door.

Today’s litigators are dealing with significant new factors, including a surge in corporate data volumes, which has led to skyrocketing litigation costs.

Broader minefield

“Some clients will require guidance in order to understand all possible places where documents could be located," says Jennifer Dolman, a litigation partner with Osler, Hoskin & Harcourt in Toronto. From personal devices to social platforms, SaaS applications and cloud-based data storage and file sharing services, it’s important to understand how to preserve and collect available data.

“Further, who has possession, power and control of the data and how can it be preserved without alteration? Does the company have the right policies in place to enable it to access data off an employee’s smartphone? Does that employee understand that their device may be subject to discovery requests and forensic examinations?”

Organized chaos

In 2012, Minneapolis-based data recovery and e-evidence firm Kroll Ontrack handled more than 7,000 different file types when processing e-discovery data on behalf of law firms and corporations. Valid proportionality arguments aside, most courts will require that any data that is relevant and accessible be preserved and produced.

“If your organization is not equipped to handle this diversity of data volumes and types, the smart option is to bring in an experienced e-discovery provider,” says Michele Lange, director of Thought Leadership at Kroll Ontrack.

Crafting an effective data management policy is particularly challenging due to the mix of personal and corporate data on an employee’s device, which it makes it more difficult to ensure that all data are retained for compliance purposes, she says.

That mix also poses ownership questions—for example, in the event of a breach, when a corporation must remotely wipe a device containing both personal and work-related information. 

Litigators should consider placing people in charge of the preservation and collection process who know what they are doing; now more than ever, organization and expertise are key.

Addressing this, Dolman points to Osler’s new Discovery Management Group, headed by Sarah Millar, a litigation associate. The group consists of project managers and tech experts who specialise in eDiscovery.

Dolman says litigators who are not in a position to build in-house eDiscovery expertise could consider outsourcing this function.

“Whenever a lawyer thinks the collection process will be something the other side may attack or scrutinize closely, it is important that the process be performed flawlessly,” says Dolman. “The lawyer will want to be in a position to demonstrate that the integrity of the data has in all instances been maintained.”

Behind the yellow tape

Sgt. Paul Batista of the Ottawa Police Service eats and sleeps data integrity. As head of the Forensic Identification Section of the force’s Computer Forensics Unit, his objective on every e-crime scene is preservation of evidence.

He notes that the evidentiary medium, whether it’s a computer or any mobile device like an external hard drive, mobile phone, video camera, GPS, etc., should only be moved by an authority to preserve the evidence contained therein. “In the case of a cellular phone or laptop, for example, taking out the battery so that no data is altered or deleted is one consideration due to remote wiping,” says Batista.

Hardware that stores data is also considered part of the crime scene, and it must also be documented in situ – Batista advises people not to touch anything before an officer takes custody of the scene.

Maintaining the continuity chain for any data or devices to be used in evidence is vital for court purposes, he says.

“Police need to establish beyond a reasonable doubt that whatever evidence is found on the device is attributed back to the accused in the process of proving a prima facie case,” says Batista.

Staying ahead of the curve

E-crime scenes have many constantly moving and often invisible parts.

“The increasing number of connected devices makes it more difficult to monitor who is accessing the corporate network and what they’re looking at,” says Lange. “As such, the risk of third-party infiltration is very high. The sheer number of devices leaving the workplace and the increased risk of lost or stolen devices -- modern security teams are looking for corruption in these cutting-edge communication channels.”

Above all else, Dolman says, your process from identification to production has to be defensible.

“If pressed to do so, you must be able to describe each step you have taken accurately and completely, and it needs to meet industry standards. For example, identification and preservation need to be done at the earliest possible stage,” says Dolman. This could be even before a claim is issued and served if it is reasonably anticipated that litigation will ensue regarding a particular matter. “Hopefully a proper litigation hold has been circulated but, even so, the lawyer needs to make sure that the hold has actually been read (and understood) by the client’s employees, that it is regularly re-circulated as a reminder and updated as required. In collection the lawyer needs to ensure that the collection process is sound in that it keeps the document and its metadata intact in their original, unaltered form,” says Dolman.

Allowing a client to collect ESI (electronically stored information) without providing proper guidance can be highly problematic as certain processes, intended to be helpful, may alter the metadata. And culling data often involves the blind application of search terms which may not always be defensible, she further warns. Lawyers must therefore consider carefully what they hope to achieve with their culling strategy and how it is likely to work. It is a good idea to test a culling strategy by reviewing search terms hits to see whether the terms are actually generating relevant documents, and by randomly sampling documents that are not hit on to ensure the search terms are not excluding relevant documents.

“Ultimately, eDiscovery really is ... the process of making sure you have properly identified, preserved and collected the relevant documentation that matters,” says Dolman.

Jason Scott Alexander is an Ottawa-based freelance writer specializing in frontier-media and technology law topics.