Here is a shortlist to determine what is classified as Electronically Stored Information (ESI).
Have you ever had to wing it? I mean, have you ever worked a legal matter and asked questions about ESI when you didn't understand what was available and how each phone, laptop, and email system is slightly different?
Grey Wolf CyberSecurity recently attended a continuing education seminar for about 200 lawyers, and the majority of the questions we were asked related to what is available, how difficult the data is to capture, and how it can be reported in summary form to allow for introduction as evidence. As a result of all those great questions, I thought I would craft this article to share a quick checklist. For more articles, visit us at GreyWolfCyberSecurity.com.
A targeted and cooperative forensic discovery plan is the best way to control costs and to advocate for the client efficiently. So if you or the client has only a basic understanding of how data collection formats work for each platform, such as phones, laptops, and even Gmail, how do you know what to look for to keep costs down?
Grey Wolf's CyberSecurity team suggests that you start by making a list of the evidence you need and where it may be located. Ask your client pointed and direct questions to determine why they believe the data is relevant. In fact, I suggest that you ask them three follow-on questions to get to the real meaning. The client often knows more than they realize, and asking follow-ups helps ensure you get to the root of the evidence.
Questions can be formatted to narrow the focus on what you are looking for during this discovery request. For example:
• What are the three most common methods you use/used to communicate with the other party?
• Were mobile devices or computers company-issued and do you still have access to them?
• Did your office/spouse communicate with instant messaging or social media?
• Did you communicate through email, text messages, or share photographs?
• Who else other than the related party in the legal matter would have communicated regarding the pending legal matter?
• What is the date range, and what keywords/phrases can you recall, to use when searching for evidence?
It doesn't matter what specialty of law you practice: as a lawyer in today's digital environment, your job now includes being a subject matter specialist in how to identify and collect relevant data. I suggest that you establish a relationship with a company like Grey Wolf that has experts in the areas of data collection, cybersecurity, and digital forensic recovery. When selecting a partner for ESI, be sure that they are certified computer examiners and that they can provide expert testimony at trial if needed.
Here are a few more data points that you should collect in the initial planning session with your client as you are developing your eDiscovery strategy:
- Data source. Is the correspondence in email, IM, social media, a database, a CRM, a project management program, shared files on a server, accounting programs, or HR software? Is the data on laptops, desktops, servers, smartphones, or in a cloud-based data center, and who owns the devices?
- The date range of events that initiated the legal matter. Is the event date the same as the data date, or could data from before the known incident be useful? If so, determine a reasonable date range. If a new or updated system was created after the duty to preserve arose, then ask for legacy files. Most companies will create a legacy copy or backup of all data when migrating to a new platform. This legacy data may be discoverable, so ask for it.
- Data retention policy. How long before the data is purged? A company will have a different policy than Google or Gmail, so ask about the policy so that you can develop a proper forensic discovery plan. Ask when and why the retention policy has the defined purge date. Remember that you don't need to see the policy unless you are searching for something that was not there when you sent a notice. When you receive the policy, you can use those parameters to determine if any data was purged outside the policy and potentially identify spoliation.
- How long will it take to get the requested data? Knowing this will allow better planning for reviewing the discovery and help avoid a bottleneck at the end of the discovery period. Who manages the storage of the data? Is it local on a server or remote device, or could it be with a third-party cloud storage provider? If it is in the cloud and stored as part of a third-party solution, how long will it take for them to provide the data? What barriers beyond obtaining written authorization from the account holder are in place?
- The format of the data. What format is the data available in? You need to know this in order to plan. Some systems will export only .pdf files, while others will allow you to export native data. Ask. Most databases provide reports, most in .csv format, which is readable by any spreadsheet application (think Excel, Numbers, etc.).
- Who has access? You want to know who can create, store, send, and receive data from this source. Determine the user permission settings for each person. Generally, there are fewer than three admin-level users, and most users are restricted to view-only privileges. Knowing each user's permissions and access points can allow forensic examiners to determine if a user hopped into another's profile to create the security breach.
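The retention-policy and date-range items above can be turned into a simple check once a deletion log has been exported. The following is an added example, not code from Grey Wolf or from any particular system: the CSV columns, the sample rows, the 365-day retention period, and the duty-to-preserve date are all constructed assumptions. It flags deletions for examiner review and does not decide whether spoliation occurred.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export of a deletion log (hypothetical columns and rows).
SAMPLE_LOG = """item_id,created,deleted
msg-001,2021-01-10,2022-01-15
msg-002,2021-06-01,2021-09-01
msg-003,2021-03-05,2022-06-20
msg-004,2022-02-01,
"""


def audit_purges(log_text, retention_days, preserve_from):
    """Return (item_id, reason) for each deletion that needs explaining.

    retention_days: how long the stated policy keeps an item before purge.
    preserve_from:  date the duty to preserve arose (assumed known).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if not row["deleted"]:
            continue  # item still exists, nothing to audit
        created = date.fromisoformat(row["created"])
        deleted = date.fromisoformat(row["deleted"])
        due = created + timedelta(days=retention_days)  # earliest policy purge
        if deleted >= preserve_from:
            # Purged after preservation was required, whatever the policy says.
            findings.append((row["item_id"],
                             "deleted after duty to preserve arose"))
        elif deleted < due:
            # Purged earlier than the stated retention policy allows.
            early = (due - deleted).days
            findings.append((row["item_id"],
                             f"deleted {early} days before retention expired"))
    return findings


if __name__ == "__main__":
    for item, reason in audit_purges(SAMPLE_LOG, 365, date(2022, 5, 1)):
        print(item, "-", reason)
```
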