October 2006
“You want me to do what?”
A practical look at the question of proper preservation of electronically stored information in today’s business litigation environment.
By Sergio D. Kopelev and Michael R. Bandemer
LECG
An old proverb from the American west tells us: “It doesn't work to leap a twenty-foot chasm in two ten-foot jumps.” One of the twenty-foot chasms in today’s business litigation environment is the question of the proper preservation of electronic data. It’s a chasm that can only be leaped after the questions of when to preserve and how to preserve are adequately addressed from both technical and legal perspectives. While some profess clear-cut answers to these questions, all solutions carry with them an inherent quantity of risk, not only from the litigation (either current or future), but also risks to the operation, productivity and profitability of the business in question.
It is fortunate that for those seeking answers to the question of “when to preserve,” some guidance does exist. From a purely legal perspective (at least in the Southern District of New York) in the matter of Zubulake v. UBS Warburg, Judge Shira Scheindlin ruled that the "obligation to preserve evidence arises when the party has notice that the evidence is relevant to litigation or when a party should have known that the evidence may be relevant to future litigation." (Zubulake IV, 220 F.R.D. at 216.) What is interesting about this ruling is not just its substance, which is fairly consistent with the mood of other rulings and legislation in this area, but that in making it, Judge Scheindlin quoted a 2nd Circuit decision regarding preservation of evidence far removed from any technology issues (Kronisch v. United States, 150 F.3d 126 - 2d Cir. 1998 regarding a 1981 matter). This underscores a basic fact: while technology changes, the risk issues of preservation and spoliation remain virtually unchanged from the paper days of yesteryear (the Kronisch case dealt with paper files destroyed in 1973) to the electronic word of today.
Yet if the application of these older standards of preservation was fairly straightforward regarding “when to preserve,” it becomes infinitely more complex when we address the question of “how to preserve.” Electronic documents are dramatically different from their paper brethren. Not only are they harder to totally destroy, easier to disseminate and easier to analyze in volume; not only do they contain information about the document that the paper versions never did, such as Metadata (data attributes that identify when a document was created, modified, accessed or printed and who performed these actions) or Dynamic Content (such as formulas in spreadsheets or revision information in word processing documents); but they are also much easier to either purposely or accidentally alter. Simply opening, copying, moving or printing an electronic document will result in alteration of the Metadata associated with that document and could result in the alteration of the content of that document as well. What this means is that while paper records could have simply been copied in an effort to preserve them, electronic documents need additional steps to adequately deal with this adverse risk from the litigation. A common pitfall of parties gathering electronic documents is to have an internal resource copy the original documents to CD-ROM or another form of media. Doing so alters the current state of the electronic documents by changing the date attributes of the original file and the copy and also leaving behind certain metadata, either of which might be critical to one’s defense or allegations.
The most widely accepted method of preservation of electronically stored information is forensic acquisition or imaging. This is the bit-level capture of information from a device (hard drive, RAID Array, Blackberry, etc.). While it is easy to get caught up in the details of specific forensic imaging and collection procedures, such as the type of forensic software, hardware, etc. that is used (which change with the technology that is being imaged), there are four basic principles to a correct process:
1. Procedures must exist to ensure that no changes are made to the electronic data through the imaging process.
2. Procedures must exist to ensure that the forensic preservation is made on a bit or sector level and captures not only the logical files visible to the user but also all of the unallocated and system areas of the device which could contain previously deleted files, as well as transactional data from the device’s activities (generally referred to as Swap file information).
3. Procedures must exist to ensure that the integrity of the image can be verified as being complete, true and accurate.
4. Proper documentation must exist to particularly identify the hard drives or other devices imaged and to maintain a proper chain of custody for the images.
The great benefit of using forensic imaging to preserve potentially relevant data is that this is generally accepted as a proven process to ensure that data is preserved. Yet even this process is not without risk. For example: some data structures (such as e-mail servers or file servers) have such huge amounts of storage, the majority of which could be irrelevant, that forensically preserving all of the data could present a financial and operational risk to the company. Additionally, forensic imaging could add risk from future litigations, since each time you create a population of preserved data, you add another data source that would need to be searched for future discovery requests.
In today’s world of huge data volumes, forensic imaging could very well become an unacceptable option, but forensically preserving only the relevant data (versus ALL of the data) will become viable. The same four principles outlined above must be followed for this process as well, but the data will be filtered for some level of relevance (particular time period, particular custodians, etc.) prior to preservation The obvious risk with this method is the change in preservation requirements (new time period, new custodians, etc.) after the initial data is preserved. Does the risk of initially not preserving data that later becomes relevant outweigh the expense and operational risk of preserving ALL of the data? It is important to note here that while a party’s comprehensive effort to collect and produce electronic documents responsive to a particular subpoena might be commendable, it may not fulfill that party’s duty to preserve information potentially relevant to the matter.
While it might be hard to achieve unanimous consent on an answer to this question, it is the understanding and discussion of the underlying legal and technical issues that bring with them help – help in not blindly falling off the edge of a cliff, but instead comfortably taking a running start for that 20-foot leap.