eDJ Migrated

Internal retention battles are a good way to torpedo even the most defensible position in litigation. Preparing a cross functional team for working together at the start of a matter will pay dividends – both figuratively and literally – later in the case. As has been previously discussed here, “the beginning” is rarely where these teams are pulled together. The key to success is to determine an appropriate path no matter what stage of the matter you’re pulled in at. Taking inventory of your data and thinking about current and future retention possibilities helps to provide a framework for future decision making.

Last week, an unfortunate incident occurred in our industry: A blog post containing inaccurate information rocketed through the internet, creating its own misinformation and unrest. A blog post from Dominic Jaar of KPMG Canada implied that Judge Shira Scheindlin was calling for the US Immigration and Customs Enforcement (ICE) Agency to discontinue its use of a major eDiscovery industry application. The incident is unfortunate because the facts were not correctly reported initially and because the ever increasing use of re-quoted blogs, tweets and other social media resulted in widespread repetition of the error. Many of our readers have asked for our perspective on what happened, so we did some investigating with the principals and have our own opinions on the incident.

At the IPRO Innovations 2011 customer conference in Phoenix last week, I participated in an excellent panel discussion focused on the potential impact of large enterprise ECM and archiving platforms expanding into the eDiscovery lifecycle. Panelists Ronald Sotak of Ryley Carlock & Applewhite and Olivia Gerroll of Esentio brought excellent if divergent perspectives. The first thing to realize is that the majority of our audience consisted of IPRO channel partners, i.e. eDiscovery service providers. Some service providers are threatened by global software companies’ recent push to incorporate eDiscovery features into enterprise platforms. Specialty markets like eDiscovery can be eroded when their services are absorbed into normal corporate business processes. So the real question was, “Will in-house software platforms replace the vendors?”

There are many reasons that the large SIs have not moved into eDiscovery with full force. First, eDiscovery requires legal advice. Plain and simple, there is too much potential liability for a large consulting firm to come in and tell a company what it is “reasonable” and “good faith” for eDiscovery efforts. Second, there is not necessarily a large, multi-million dollar software deployment that will always go along with eDiscovery. The Accentures of the world are used to dropping off a bus of consultants to spend months deployment enterprise software. In the eDiscovery world, consumers can spend $80K on a collection and processing appliance. Hard to convince a company to spend millions when it can spend less than $100K.

In my long career, I have had to explain client’s data losses to regulators, prosecutors, hostile experts and angry judges far too many times. It makes you paranoid about encryption, backups and other recovery efforts. Even the best of us can get so busy that we forget to kick off that simple process. In my case, I had gotten in the habit of full backups the night before every trip, which should have meant a week’s loss at most. That meant that I got out of my Friday back up habit. Now that we are actively conducting research projects, I occasionally get as much as a month off the road. See where this is going? I didn’t. Turns out that a month is long enough to break even long standing habits. I hope that the punk who smashed-n-grabbed my encrypted hardware gets what is coming to him. This whole exercise got me thinking about recovery and remediation when you have hardware or data loss while under hold.

I hit on a couple articles today that raised awareness on yet another mobile device security issue, this one applies to all the iPhones and iPads with active GPS. A little deeper digging uncovered an excellent forensic discussion and rebuttal by Alex Levinson that details his own research, paper and even forensic software that has been available for some time. The primary issue is that the Apple iOS has been storing your unsecured location history within different file locations since GPS enabled iPhones were available. The only way to prevent this slow accumulation of time-location information is to turn off your Location Services. Although this information has been available previously through the Lantern 2.0 application from Katana Forensics LLC, it is now accessible via a free open source utility called the iPhoneTracker. The June 2010 iOS 4.0 release by Apple moved all the diverse tracking information into a new Consolidated.db central location that is easier to access.

Recently, Iron Mountain announced that it might sell of its digital business unit and focus on its traditional physical storage strengths. Having watched Iron Mountain unfurl its transition into the digital world over the past decade, it’s not surprising that the company is retrenching. It’s not easy for a large physical storage company to become a software company. While many (including me) thought that the Iron Mountain brand name might translate well into the digital world, ultimately, the company was not able to turn acquisitions of small digital businesses (Stratify and Mimosa Systems) into a viable digital competitor.

This morning’s keynote speech by Symantec CEO Enrique Salem had several interesting take-aways for those of us focused on the intersection of legal and IT. Legal discovery was mentioned in the first 5 minutes as a key business requirement. That means global software companies now see eDiscovery and Information Governance as a market driver, not just a niche area. I remember having to do eDiscovery 101 talks with execs back in 2006 to explain the purpose of the software company that they had just acquired. So I see this as FRCP to market driver in a short 5 years. The eDiscovery market and industry as a whole has grown incredibly quickly and is still immature in many ways. Symantec started the eDiscovery acquisitions in 2001 with the Veritas/KVS merger. EMC, IBM, Iron Mountain and others have followed with acquisitions of Stratify, PSS,Kazeon, Mimosa, Legato and other products that are directly or indirectly used for eDiscovery.

Software vendors tend to be out a bit in front of a market in order to be well-positioned to capitalize when customer requirements mature. That’s why it was interesting to see Greg Buckle’s report from the Symantec Vision conference that eDiscovery is a major part of Symantec’s strategy going forward. The company is combining eDiscovery, data loss prevention, and encryption in an offering it defines as information governance. Other large software vendors couple eDiscovery offerings with content and records management, storage, and search offerings. From a market perspective, the reality is that eDiscovery is recognized as a major component of information governance. This creates some pragmatic challenges for enterprises that want to address eDiscovery challenges today, though.

All of us techies are familiar with strange computer requests from friends and family. I had one today from a good friend in the middle of a business dispute that got me thinking about what we now take for granted in civil discovery. The key question boiled down to, “So can you tell if this Excel 2007 spreadsheet was created or changed right before being sent?” I’m staring at the email with the attached spreadsheet and knowing that my friend will not like the answer. It only takes seconds to check the internal properties and see that the spreadsheet was created three months ago, but modified just prior to being emailed. But what does that really tell us? Not much. The sender could have popped open the original spreadsheet to recheck it and then hit save instead of just closing it. Without the key file system metadata that would have been acquired with any proper discovery collection, there was just no good answer for my friend. Friends, family and counsel all seem to expect that we will be able to do some kind of technical CSI magic to reconstruct every instant of a file’s life. Reality is that improper collection or preservation can effectively destroy any chance of being able to actually authenticate critical properties like dates, authors and more.