Essays

I try to read the actual opinions on cases that providers seize onto. Many times the actual fact pattern and conclusions are subject to interpretation. More importantly, there are often little facts or findings that are fascinating. In the case of Rosenthal Collins Group, LLC v. Trading Techs. Int’l, No. 05 C 4088, 2011 WL 722467 (N.D. Ill. Feb. 23, 2011), I chased down this rabbit hole to figure out exactly who had reset the last modified dates and why. The summaries all mention the plaintiff’s “agent” and I expected to find a service vendor, IT contractor or even a hard up consultant in the actual opinion. Instead, I found a tech savvy programmer/contractor/custodian who used utilities to forensically wipe all of his media and then reset his dates by changing his system clock. Bill Tolson’s blog title, Spoliation does not require purposeful destruction of evidence, focuses on District Judge Coleman’s $1,000,000 sanction and clear statements that the plaintiffs were responsible for their agents actions.

Lately, it seems like predictive coding is all over the eDiscovery blogosphere. The most recent example is Ben Kerschberg’s entry at Forbes.com law and technology blog. When we wrote about the topic last fall, a majority of readers believed that predictive coding was not defensible. I took a new look at the data on our poll question and found that attitudes are evolving.

Email is everywhere. We are seeing a lot of corporate clients making the transition from preservation notices to actual preservation/collection systems. Whether using an email archive, collection appliance or search software with connectors into Exchange, the IT administrators tend to interpret Legal’s custodial preservation request very literally. They still see email in the Mailbox model. When assessing the existing preservation process (if any), I almost always find gaps and unmanaged sources that slipped through the net. Public companies that have been around for more that 3-5 years have gone through M&A activities, RIFs, bankruptcies and other corporate wide reorganizations that leave ESI skeletons in the corporate closet. I have blogged recently about the tendency to create corporate digital landfills, but the recent string of preservation sanction cases has reaffirmed the need to know where your email hides.

One of the first instructions that IT practitioners will hear from the legal department is “preserve everything”. It doesn’t matter what the context is or whether the information may or may not be relevant, at the first pass a lawyer will always tell you to preserve everything in sight. The problem with preserving information is that preservation is only half the battle – you need to be able to make use of it somewhere down the line and that’s a fact that sometimes gets lost in the shouting.

Internal retention battles are a good way to torpedo even the most defensible position in litigation. Preparing a cross functional team for working together at the start of a matter will pay dividends – both figuratively and literally – later in the case. As has been previously discussed here, “the beginning” is rarely where these teams are pulled together. The key to success is to determine an appropriate path no matter what stage of the matter you’re pulled in at. Taking inventory of your data and thinking about current and future retention possibilities helps to provide a framework for future decision making.

Last week, an unfortunate incident occurred in our industry: A blog post containing inaccurate information rocketed through the internet, creating its own misinformation and unrest. A blog post from Dominic Jaar of KPMG Canada implied that Judge Shira Scheindlin was calling for the US Immigration and Customs Enforcement (ICE) Agency to discontinue its use of a major eDiscovery industry application. The incident is unfortunate because the facts were not correctly reported initially and because the ever increasing use of re-quoted blogs, tweets and other social media resulted in widespread repetition of the error. Many of our readers have asked for our perspective on what happened, so we did some investigating with the principals and have our own opinions on the incident.

At the IPRO Innovations 2011 customer conference in Phoenix last week, I participated in an excellent panel discussion focused on the potential impact of large enterprise ECM and archiving platforms expanding into the eDiscovery lifecycle. Panelists Ronald Sotak of Ryley Carlock & Applewhite and Olivia Gerroll of Esentio brought excellent if divergent perspectives. The first thing to realize is that the majority of our audience consisted of IPRO channel partners, i.e. eDiscovery service providers. Some service providers are threatened by global software companies’ recent push to incorporate eDiscovery features into enterprise platforms. Specialty markets like eDiscovery can be eroded when their services are absorbed into normal corporate business processes. So the real question was, “Will in-house software platforms replace the vendors?”

There are many reasons that the large SIs have not moved into eDiscovery with full force. First, eDiscovery requires legal advice. Plain and simple, there is too much potential liability for a large consulting firm to come in and tell a company what it is “reasonable” and “good faith” for eDiscovery efforts. Second, there is not necessarily a large, multi-million dollar software deployment that will always go along with eDiscovery. The Accentures of the world are used to dropping off a bus of consultants to spend months deployment enterprise software. In the eDiscovery world, consumers can spend $80K on a collection and processing appliance. Hard to convince a company to spend millions when it can spend less than $100K.

In my long career, I have had to explain client’s data losses to regulators, prosecutors, hostile experts and angry judges far too many times. It makes you paranoid about encryption, backups and other recovery efforts. Even the best of us can get so busy that we forget to kick off that simple process. In my case, I had gotten in the habit of full backups the night before every trip, which should have meant a week’s loss at most. That meant that I got out of my Friday back up habit. Now that we are actively conducting research projects, I occasionally get as much as a month off the road. See where this is going? I didn’t. Turns out that a month is long enough to break even long standing habits. I hope that the punk who smashed-n-grabbed my encrypted hardware gets what is coming to him. This whole exercise got me thinking about recovery and remediation when you have hardware or data loss while under hold.

I hit on a couple articles today that raised awareness on yet another mobile device security issue, this one applies to all the iPhones and iPads with active GPS. A little deeper digging uncovered an excellent forensic discussion and rebuttal by Alex Levinson that details his own research, paper and even forensic software that has been available for some time. The primary issue is that the Apple iOS has been storing your unsecured location history within different file locations since GPS enabled iPhones were available. The only way to prevent this slow accumulation of time-location information is to turn off your Location Services. Although this information has been available previously through the Lantern 2.0 application from Katana Forensics LLC, it is now accessible via a free open source utility called the iPhoneTracker. The June 2010 iOS 4.0 release by Apple moved all the diverse tracking information into a new Consolidated.db central location that is easier to access.