eDiscovery in investigations: Collecting evidence efficiently and defensibly
12 January 2021
The collection and review of data can be a large, important and potentially costly part of a corporate investigation. In this blog post, which is the first in a short series on eDiscovery, we will look at how to make data collection and review as effective and painless as possible, whilst at the same time doing it in a manner that can be fully justified to the authorities should they become involved at a later stage.
Collecting data without tipping-off
The collection of relevant data first requires understanding the scope of the investigation, but without tipping-off potential wrongdoers who may try to hide or delete evidence. Key questions to ask are:
- What type of data are we seeking?
- Who are the relevant data custodians?
- When was the data created?
- Where is it?
Through questioning of key custodians, you can learn how they communicated with one another, what kinds of electronic files may have been generated and where those communications and files may be found. Presenting key data custodians with questionnaires can be a good idea. It not only memorialises the process of identifying potentially fruitful data sources, but also helps to ensure that all relevant parties and timeframes are considered.
If there is any concern about tipping off, questionnaires and custodian interviews should not be used. Instead, consider entrusting a member of the firm’s IT group to help answer questions about data type and location. Should an even more covert approach be required, independent third-party data collection professionals may be called in to capture data during non-business hours, after telling users to leave their laptops at the office under the guise of a mandatory firm-wide IT update. This strategy has obviously become much more difficult during the increased move to home working caused by the pandemic; creativity may be required in order to gain access to laptops or other devices.
The obligation to preserve data takes hold very early on in an investigation. Parties must notify custodians, IT administrators and any third parties to cease regularly scheduled deletion cycles and preserve point-in-time backups for all applicable sources.
Where is the data?
Understanding where the data is located will impact how it can be collected. Enlisting eDiscovery experts to work closely with the legal team will enable a tailored data strategy to be developed based on the requirements of the investigation.
Data of almost any variety may be stored on individuals’ laptops or in a company’s centrally managed IT environment. In addition, more and more companies are using Software as a Service (SaaS) cloud-based solutions. Administration of these cloud-based solutions may be handled by the company leasing the service or fully outsourced.
Whether residing on laptops, company servers or in the cloud, data is almost always subject to data privacy or other applicable laws which may prevent or restrict its treatment and movement. Local law advice may be required.
How to collect
There are many different methods available, some of which are comprehensive, forensically sound and expensive, others of which are easily carried out without any need for specialist knowledge. The skill lies in knowing which method to use. Methods include:
- Forensic imaging of hard drives by third-party experts;
- Targeted copying of individual folders and files by client IT using readily available meta‑data‑preserving applications;
- Self-collection by custodians themselves; and
- Remote collection of web-based email using custodian-supplied login credentials.
The impact of Covid-19 on minimising unnecessary travel and physical contact has resulted in more collections being conducted remotely, greatly accelerating the pre-Covid trend from onsite to remote collections. Where physical access to devices is required for collection, but cannot be arranged (e.g. due to the country the devices are located in), forensic collections may need to be deferred.
When deciding which option to use, consider proportionality, practicality, cost, risk and defensibility. It is impractical and costly to take a forensic image of a multi-Terabyte hard drive from a file server if all that is sought is a small part of it (for example, two data custodians’ “home” drives or individual shares of that server). If, however, there is a suspicion that a data custodian has deleted damaging files or hidden important files (e.g. by changing their outward appearance) or perhaps copied valuable intellectual property to an external drive, it would be worthwhile forensically imaging the hard drive.
Independence of the party performing the actual copying or collecting is crucial to defending the process in case it is questioned at a later stage, for example by an investigating authority. While a third-party expert is the most independent and should be considered if expert testimony on e-discovery is foreseen, the cost may be unwarranted and company IT teams following a documented process have been regarded by the courts and authorities as sufficiently independent.
In our next blog post we will look at some specific issues relating to collection of data from email, chat, e-files, databases and laptops.
A&O’s in-house eDiscovery team offers assistance in navigating eDiscovery during investigations. Working as one team with our lawyers, the eDiscovery team leverages technology to get to the facts of a matter more efficiently. This translates to better, quicker and more informed legal decisions and therefore better value for our clients. To learn more about the services we offer, please contact Scott Robson or Christina Zachariasen.