Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2011-04-19 12:19:01
Format, images and links may no longer function correctly.
In my long career, I have had to explain clients’ data losses to regulators, prosecutors, hostile experts and angry judges far too many times. It makes you paranoid about encryption, backups and other recovery efforts. Even the best of us can get so busy that we forget to kick off that simple process. In my case, I had gotten in the habit of full backups the night before every trip, which should have meant a week’s loss at most. That meant that I got out of my Friday backup habit. Now that we are actively conducting research projects, I occasionally get as much as a month off the road. See where this is going? I didn’t. Turns out that a month is long enough to break even long-standing habits. I hope that the punk who smashed-n-grabbed my encrypted hardware gets what is coming to him. This whole exercise got me thinking about recovery and remediation when you have hardware or data loss while under hold.
First, a true if obfuscated war story about statistics… Everyone should know that backup tape has a definite lifespan, especially if it is not stored properly. I would guess that more than 75% of public corporations are holding tape in large quantities based on my experience over the last 5+ years. Your mileage may vary when you consider that I usually only get called when things have started to go south. In the early days of eDiscovery, I inherited a collection of poorly stored tapes that had pinholes and typical corruption issues. Many hundreds of thousands of dollars to Kroll later, we received millions of emails to process, index, search and review. We also received Kroll’s exception report listing the header information on three emails that could not be recovered. Six months later, I was sitting in the FBI’s hot seat explaining why the client had not produced one specific email out of all the data recovered. You guessed it. The most important exhibit was one of the three emails lost to the tape issues. We had the documentation to back up the sequence of events and to positively identify the lost email, but a better preservation process might have delayed the appearance of my first gray hairs.
There have been a lot of arguments about custodial self-preservation vs. preservation collections. Having just lost a week of work while replacing hardware, software and trying to reload from backups, I am coming to believe that mobile sources need some kind of automated system to back up even the most responsible custodians. For instance, I generally kept segregated physical and virtual drives to manage the programs, communications, work product, source data and such. That preserved my critical files, but without a current backup of the operating system and program folders, I lost all my custom configurations, etc., that made my life easy. These temp and .INI files can actually be critical information in investigations, but they are exempted from many backup profiles aimed at the User Directory. So take this opportunity to examine mobile device policies and recovery systems. The consequences of data loss can be dire in eDiscovery. Remember that unless IT has been brought into the discussion, they are operating under typical business remediation expectations and requirements that may not adequately protect ESI under hold.