• Adam Cohen

Don’t Get Scorched by Unearthed ESI: Lessons Learned About Collecting Data Properly

In an important sense, electronic discovery gets harder each time a great new smartphone hits the market, or a cool messaging app sweeps up piles of new users. When new technology happens, it usually means new challenges for compliance with legal obligations to monitor, search and disclose ESI created using such new technology. Existing forensics and e-Discovery tools may be at least temporarily inadequate to deal with new ESI-generating technologies, lagging behind until appropriately updated capabilities are developed and implemented. No doubt we all agree that this does not mean we are free to ignore electronic evidence that isn’t easy to find by a few clicks of the mouse. So how do we make sure we aren’t missing important evidence when the current versions of our tools—even widely accepted “industry standards”—aren’t able to recover content created using the latest and greatest app? Addressing such challenges directly requires taking an approach that is grounded in a thorough forensically sound methodology, recognizes the inevitable lag between new technologies and the capability of existing forensics tools to handle them, and involves the application of expert knowledge about ESI and e-Discovery rather than solely reliance on the use of a software tool as per the instruction manual.

Time and again we see a variant of the following situation. Lawyers come to us frustrated that they cannot find critical evidence on a mobile device. They are frustrated because: a) their witness is telling them there was a conversation using a certain messaging app, but b) their vendors are telling them the messages cannot be found. The messages are there, and they are indeed highly relevant. However, they cannot be found by simply following the instructions for the industry standard tools. Retrieving the critical evidence instead requires thorough understanding of how the app and the device store data and where the data can be found, as well as how it can be intelligently analyzed. The rest is easy.

In a sense this is a less “sophisticated” approach—instead of using state-of-the-art technical tools to find the evidence, it requires the application of brainpower in the form of experience and expertise. It also requires recognizing that even state-of-the-art in forensics is necessarily behind developments in smartphone or social media user functionality. Forensic tools are developed reactively, and reaction is never simultaneous or instantaneous, although perhaps not far behind.

There are many important reasons why it does not make sense to take the ostensibly easy way out and give up when the forensics tools do not discover what is expected to be discoverable. One reason is that ignoring evidence does not make it go away, especially when it is electronic. A failure to produce ESI may be revealed in an unflattering way when another party (or non-party) produces its own copy and the question arises: what else have you failed to disclose?

Another reason is the trend towards transparency in the e-Discovery process. A perfect example of this is provided in the recent decision in Burd v. Ford Motor Company. When the plaintiff wanted more information about how the defendant conducted its searches for ESI, the defendant objected on the basis of attorney work-product protection, as well as arguing that such “discovery about discovery” is not within the scope of Rule 34.

The court ruled against the defendant, in a manner that is generally consistent with a number of cases where courts have forced parties to reveal details about how they searched for ESI. This means that where you decide to stop digging when your tools do, you may be forced to expose this decision. If the ESI is then unearthed by other means, the import of what may have been only marginally harmful if disclosed voluntarily may be exaggerated by a suggestion that you were trying to hide it.

Reminders are everywhere that collection is not a good time to skimp on the e-Discovery process. But even well-intentioned and adequately funded investigative or litigation lawyers may be stymied when their “technical experts” tell them the evidence can’t be found. Red flags should go off when software tools don’t find content a witness reports generating. At least in this arena, technology will never replace human understanding and creativity.

11 views0 comments

Recent Posts

See All

DevOps and the Fate of Secure Software Development

Reconciling Technology Development, Security and the Lawyer’s Role (originally published in the Cybersecurity Law Report) No matter how much new law is written on the topic of cybersecurity or data pr