After many years of examining digital devices, I have come to the conclusion that many, if not most, claimants will attempt to hide or delete information, which may cause them to lose their case. As completely ethical and honest people rarely become involved in litigation, I find a discovery process that relies on opposing parties to be truthful is extremely flawed. It should be much easier, at least for a neutral examiner, to have forensic access to all digital data involved in a dispute. This does not mean the unfettered access that most forensic examiners will attempt to obtain.
There is a distinct difference between family law and civil litigation. As the well-being of children is involved, most family law courts are more apt, with the proper protocol, to allow forensic access to digital devices and online data. For civil litigation, we primarily have two Texas Supreme Court rulings, Honza, 242 S.W.3d 578, 581-2 (Tex.App.-Waco 2008, orig. proceeding) and Weekley Homes, Inc., 295 S.W.3d 309, 317 (Tex. 2009), to provide guidelines to follow when the ediscovery process fails.
From these rulings, four guidelines were established to assist the lower courts in evaluating when it is appropriate to order a forensic examination:
- The expert is familiar with the particularities of the computer drives sought to be examined;
- An expert proposed by the party seeking the forensic exam is qualified to perform the exam;
- The proposed methodology for searching the computer drives is “reasonably likely” to yield the information sought; and
- The party must show that there has been inadequate production.
Let’s discuss each of these items one at a time.
1. The expert is familiar with the particularities of the computer drives sought to be examined.
“Particularities,” according to Webster, are the minute details. This isn’t just the knowledge of a computer hard drive and how it physically functions or even the knowledge of the file system it contains. This is knowledge about what data is stored on the computer, laptop, phone, server, tablet, firewalls, routers, etc., how this data is or may be stored, and the means of forensically locating and accessing this data. These things are extremely difficult for any expert to know for sure without the Rule 26(f) planning conference, otherwise known as “meet and confer.”
The Rule 26(f) planning conference was modified in December 2006 to provide for a discussion of the issues related to electronic discovery, privilege assertion, and preservation. The outcome of this conference would be a report utilizing Form 35, the discovery plan, which has been amended to address electronically stored information and privilege. This report and any unresolved issues would be discussed at the scheduling hearing under Rule 16. The following are examples of the types of issues and topics that should be discussed at this conference:
- Which information systems will potentially be involved in discovery
- Any anticipated claims of “not reasonably accessible”
- Information retention policies
- Security and computer-use policies
- The form, or forms, of production desired
- Should metadata be preserved and produced (see whitepaper – Metadata)
- Discovery limiting features, such as keywords and date ranges
- What would be considered reasonable preservation
- Issues relating to claims of privilege
The legal profession, lacking the technical expertise, should turn to their Computer Forensic expert for support in deciphering the multitude of systems and the many forms of data storage in use by individuals and businesses. Potential sources for evidence may include mainframes, Unix systems, Linux servers, Windows servers, Novell servers, SQL databases, cloud computing, email servers, network attached storage, document management systems, online backups, offline backups, near-line storage, Intranet sites, source code, instant messaging, SMS/text messages, and the list goes on.
Determining the location of potentially discoverable data is necessary in order to effectively handle this item in both family law and civil litigation. Executives, key players, IT management, records management, and potential custodians will need to be interviewed to identify how and where relevant data may be stored and what information may not be “reasonably accessible.”
2. An expert proposed by the party seeking the forensic exam is qualified to perform the exam.
What makes an expert qualified to perform the exam? It’s not just about the examination itself. It’s also about the preservation and/or the collection of the evidence. It’s about knowing where data, and therefore evidence, resides within a corporate environment. Each expert has different experiences and areas of expertise. Be prudent and thorough when selecting your forensic expert. Protegga has successfully challenged, and will continue to challenge, the knowledge and capabilities of opposing experts.
Family law is typically about a single computer connected to the Internet and possibly some smartphones and tablets. While this takes a certain level of expertise, it does not require the same level as a corporate networked environment. Most forensic examiners I know have little to no experience in the setup or maintenance of any component on the Internet. They may have taken a class or two, usually boot camp style, and declared themselves experts. Of course, it’s not that difficult to convince those without any experience that you indeed have the prerequisite knowledge.
As civil litigation usually involves corporate networks, it is not as simple as family law. How can someone without any Information Technology experience be an expert when dealing with a corporate environment? It’s not possible. Corporate infrastructures are made up of switches, routers, bridges, firewalls, proxies, DNS servers, DHCP servers, mail servers, file servers, databases, multiple protocols, in-house developed software, commercial software, cloud services, and other items mentioned above in Item 1. It would be impossible for someone to take a class and be an expert in this area. I would even say that someone with a Bachelor of Information Technology (BIT) would struggle with the intricacies of these environments without the experience to back it up.
3. The proposed methodology for searching the computer drives is “reasonably likely” to yield the information sought.
Of course, this does not refer to the original requests for production. This item refers to the forensic methodology proposed. Here are a few pointers, but your Computer Forensic expert would need to provide specifics based upon the needs of the matter at hand. It is necessary to:
- Be open to opposing counsel review prior to receiving data;
- Not seek data you already received in production;
- Limit the scope by focusing on important custodians, specific devices, and key datasets;
- Be precise by choosing distinct keywords. Most forensic examiners prefer unfettered access to all information. This is not the best approach in adhering to this item;
- Be flexible in the use of a third party neutral, but retain the right to assist in the selection of a fully vetted qualified expert;
- Show how, through your forensic expert, this examination will lead to relevant data;
- Consult your forensic expert throughout this process.
4. The party must show that there has been inadequate production.
Sometimes this is an easy task, and other times it is not. Protegga has successfully supported arguments both for and against this issue. One cannot simply argue that there should be more data. One must show indications that other information and/or devices exist within the scope of discovery. One cannot argue for forensic access before any production is made, much less before the first Request for Production.
Two such examples are listed below in Garrett Draper, Grant Draper, and Antonio C. Garcia, III v. Campus Crest Communities, Inc., et al. and INX LLC v. Lumenate, LLC et al. Here are a few key areas to look at:
- Inadequate collection and/or preservation (e.g. self-preservation, improper tools, lack of expertise)
- Inadequate searching tools (e.g. Windows Explorer, Microsoft Outlook)
- Inadequate keywords (Campus Crest)
- Locations the information was searched (e.g., cloud, computers, servers)
- Production forms which eliminate descriptive metadata
- Clearly doctored documents
- Missing documents (i.e., individual emails, chains, or attachments) within email strings
- Missing custodians based upon certain emails, other metadata, and admissions
INX LLC v. Lumenate, LLC et al. (429th Judicial District Court, Collin County, Texas)
This case was interesting and somewhat simple to maneuver. INX had requested forensic access to every defendant’s personal smartphone, each defendant’s personal tablet, each defendant’s personal computer, each company computer, and all online personal email accounts. Not very intrusive, is it? INX was even courteous enough to bring a prepaid independent forensic expert to court for the judge to select as a neutral examiner.
The basis for their request was that the defendants had yet to produce any data in response to their request for production and that they believed the defendants were deleting information. As to production, keywords were still being negotiated. Nothing could be produced until that issue was resolved. In addition, all evidence had not yet been preserved, as the custodian list was the subject of a motion to limit.
Without any productions, INX had no basis to support their claims of data deletion and, of course, could not yet claim inadequate production. Fortunately for Protegga’s client Lumenate, the plaintiffs offered to pay for all costs associated with the production. At that time, INX was expecting a ruling in their favor. In the end, the judge allowed Protegga to conduct the search protocol and ordered INX to pay our fees.
INX further insisted on a complete search of unallocated space and file slack. With the three-letter keywords that they insisted were proprietary, the hit list was massive. As the plaintiffs were paying the bill and no data had been deleted, counsel for the defendants were more than happy to allow such an insane search. Clearly, INX and their counsel received some rather poor advice from the two sets of experts they retained.
Lumenate could have filed a writ of mandamus to eliminate the extremely unjustified, intrusive, and ridiculous search of unallocated space. INX could have filed a similar action with regard to having to pay for all preservation, processing, searching, filtering, and hosting review data for production.
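Why three-letter keywords swamp a search of unallocated space, and why item 3 asks for distinct keywords, shown as an added example (not part of the original article and not Protegga's tooling). The keywords `net` and `netbridge`, the sample remnant, and the uniform-random model for high-entropy unallocated data are constructed assumptions.

```python
import re

def chance_hits(keyword: str, n_bytes: int) -> float:
    """Expected case-insensitive ASCII matches of `keyword` in n_bytes of
    uniformly random data (assumed model for compressed/encrypted remnants)."""
    p = 1.0
    for ch in keyword:
        # A letter matches in either case (2 of 256 byte values); other chars 1 of 256.
        p *= (2 if ch.isalpha() else 1) / 256
    return max(n_bytes - len(keyword) + 1, 0) * p

def count_hits(keyword: str, data: bytes, whole_word: bool = False) -> int:
    """Count case-insensitive hits at every offset, as a raw keyword search does.
    whole_word=True rejects hits embedded in a longer alphanumeric run."""
    kw = re.escape(keyword.encode("ascii"))
    if whole_word:
        kw = rb"(?<![A-Za-z0-9])" + kw + rb"(?![A-Za-z0-9])"
    # The zero-width lookahead reports each matching offset, overlaps included.
    return sum(1 for _ in re.finditer(b"(?=" + kw + b")", data, re.IGNORECASE))

# Constructed text remnant standing in for recovered slack/unallocated content.
SAMPLE = (b"Internet cabinet order; NET 30 terms; network plan for "
          b"NetBridge rollout\x00\x00planet")

def vet(keywords, unallocated_bytes, sample=SAMPLE):
    """Per keyword: (expected chance hits, substring hits, whole-word hits)."""
    return {kw: (chance_hits(kw, unallocated_bytes),
                 count_hits(kw, sample),
                 count_hits(kw, sample, whole_word=True))
            for kw in keywords}

if __name__ == "__main__":
    # 200 GiB of unallocated space is a constructed figure for illustration.
    for kw, (chance, sub, whole) in vet(["net", "netbridge"], 200 * 2**30).items():
        print(f"{kw:10} chance hits in 200 GiB: {chance:12.3g}  "
              f"sample substring hits: {sub}  whole-word hits: {whole}")
```

Under this model a three-letter term yields roughly 512 accidental hits per GiB of high-entropy data before any real text is counted, while a nine-letter term yields effectively none; real remnants of ordinary text add substring hits on top of that.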
Garrett Draper, Grant Draper, and Antonio C. Garcia, III v. Campus Crest Communities, Inc. et al. (250th Judicial District Court Travis County, Texas).
If you reside in Texas, you likely are aware of the incident in Denton that led up to this case. As a refresher, three college-age men were visiting the college apartment of a female acquaintance. At some point that evening, the men opened the double doors and stepped onto the balcony. The Juliet balcony collapsed under the weight and all three men fell to the concrete below. The injuries sustained were severe enough to justify the use of CareFlite.
This incident eventually led to the personal injury suit. Immediately upon filing, a preservation hold letter was sent to the defendants through counsel. The collection process performed by Campus Crest consisted of doing nothing, claiming that data within their environment is never modified or deleted. It was verified through the limited production that home computers, remote business computers, and online personal email addresses were utilized both prior to the incident to discuss construction issues and following the incident to discuss what had occurred and the resulting liabilities.
Through the deposition of the IT manager, it was determined that a single search term of “Denton” was utilized to search the corporate Microsoft Exchange server emails and that this search was limited to a subset of custodians. Protegga provided testimony about a non-intrusive protocol that could be utilized, by a neutral provider or Protegga, in a manner that would not compromise confidentiality or privilege. Protegga provided further testimony about the inadequacy of the tools, the search locations, the custodians, and the keywords. Detailed explanations were provided as to why these were all insufficient.
Protegga provided a list of proper keywords, custodians, and three qualified experts. The court then ordered a forensic examination by a neutral party.
As Protegga did not assist in the following case, we have minimal knowledge of all the issues that were faced. Jordan, 364 S.W.3d 425 (Tex. App. Dallas 2012).
According to Bow Tie law, “A plaintiff sought a writ of mandamus after a trial court ordered the production of the plaintiff’s personal computer and email accounts. The Court of Appeals of Texas granted the writ. In re Jordan, 364 S.W.3d 425 (Tex. App. Dallas 2012).”
From the Court of Appeals:
“Here, Gajekse’s written requests merely asked for the hard drives of relator’s computers without informing relator of the exact nature of the information sought. Gajekse also failed to demonstrate “the particular characteristics of the electronic storage devices involved, the familiarity of its experts with those characteristics, or a reasonable likelihood that the proposed search methodology would yield the information sought.” In re Weekley Homes, L.P., at 311. In fact, the record before us does not reflect any attempt by Gajekse to explain its search methodology or its expert’s credentials.”
I would have to assume counsel had selected an expert unfamiliar with these challenging issues. Given the failures to clearly demonstrate items 1, 3, and 4, the knowledge and capabilities of the expert are definitely questionable.
Another case of writ of mandamus worth reviewing is Pinnacle Engineering, Inc., Pinnacle Project Services, Inc., Jeffrey Liggett, and Terrence F. Townend, Relators (Texas Court of Appeals, Houston, Texas 1st District, March 12, 2013).
While Honza and Weekley arguments can be won, they can just as easily be lost. Don’t attempt these arguments without a Digital Forensic expert at your side. You will likely lose your motion or have it overturned later on appeal. Try your best to reach a Rule 11 Agreement, as you will be more likely to gain access without the court’s involvement. If an agreement cannot be reached, prepare arguments clearly on the four points above. Be methodical and precise and focus on the immediate needs of the case. Request only that which is needed and be flexible in the process. Get your evidence. Win your case.