Legal hold notification and custodial manual preservation of potential evidence was standard practice before complex digital systems became the primary sources. Many companies still rely on ‘do not delete’ hold instructions for mobile devices and cloud systems lacking central search, hold and collection capabilities. This approach may be appropriate in low-risk civil matters without any known bad actors or possible criminal elements. I cannot imagine how anyone thought it was acceptable for potential evidence after the events of January 6th.

The Secret Service’s latest letter on the data lost in the phone/InTune migration explained that the 24 employees were provided “step-by-step” instructions to preserve mobile phone content prior to the migration. It sounds like they were told to back up the phones to local or network storage. Any eDiscovery or forensic professional will tell you that a back up only gets certain types of phone ESI. It is roughly analogous to printing email to ‘preserve’ them.

Beyond texts or other chat apps I would be seeking location data, call logs, voicemail, photos, system logs (mute times, web history, etc.) and more to reconstruct key event sequences. It is simply not credible to think that all 24 named personnel had no relevant texts before/after the 6th and all disobeyed direct preservation instructions. The letter states that the Secret Service is currently unaware of text messages issued by Secret Service employees” that were requested by the inspector general “that were not retained. Having written more than my share of investigation affidavits and document production certifications, I recognize a carefully constructed statement that does not say that there were not any relevant texts lost.

The Secret Service now plans to do a “forensic examination” of agents’ phones, but apparently was confident enough to add that it did not expect that examination to find anything. I am sure that a bright attorney can tell me why the IG, FBI or other agencies do not have authority to seize phones, body cams or other potential ESI sources from the relevant Secret Service agents.  If the Secret Service wants to regain any public trust they should welcome external experts and transparency.

I have been called an ‘eDiscovery smoke jumper’ because I have a reputation for remediating eDiscovery disputes after mistakes have been made. I have always believed that full, timely 5W1H disclosure is the best defense against accusations of deliberate spoliation. Never attribute to malice that which is adequately explained by stupidity. I can only hope that the Secret Service takes this approach and that all of us take this opportunity to review our client’s preservation protocols.

Greg Buckles wants your feedback, questions or project inquiries at Contact him directly for a free 15 minute ‘Good Karma’ call if he has availability. He solves problems and creates eDiscovery solutions for enterprise and law firm clients.

Greg’s blog perspectives are personal opinions and should not be interpreted as a professional judgment or advice. Greg is no longer a journalist and all perspectives are based on best public information. Blog content is neither approved nor reviewed by any providers prior to being published. Do you want to share your own perspective? Greg is looking for practical, professional informative perspectives free of marketing fluff, hidden agendas or personal/product bias. Outside blogs will clearly indicate the author, company and any relevant affiliations. 


Want to see my pandemic project? Visit KnowNow to explore how eDiscovery tools can be applied on your own data to create a personal knowledge management system. Apply for early access while you can!


See Greg’s latest pic on Instagram.

0 0 votes
Article Rating