A Tale of Two Companies: A Guide to Preserving Electronic Information in a Crisis
By: DULCE J. FOSTER & OLIVER FUCHSBERGER
March 4, 2010
What steps has your company taken to plan for its next legal crisis? Are the processes you have in place sufficient to handle the overwhelming amount of electronically stored information, or “ESI”, that must be managed if an in-depth internal investigation is required? One critical component of a sound investigation process, which most companies ignore until it is too late, is preserving the ESI on company computers, hand-held devices and network servers. Taking careful steps to ensure the integrity of ESI early in an investigation will secure a more accurate outcome and prevent potential legal challenges alleging evidence spoliation later on.
Whether you are preparing to initiate litigation, responding to a lawsuit, or conducting an internal compliance audit, your first thoughts and actions concerning ESI should be focused on preservation. A corporate investigation is no different than a crime scene investigation: Just as a crime scene investigator takes steps to secure the crime scene before gathering and processing evidence, a corporate investigator’s critical first step is to preserve ESI and the digital environments on which it resides. This article illustrates ESI preservation challenges and techniques through two hypothetical companies that have launched investigations in response to litigation against each other.
Fourteen months ago, Acme Company hired a sales manager from its competitor, XYZ, Inc. Six months later, the sales manager hired two of his former team members from XYZ. Coincidentally (or maybe not), Acme’s sales have increased dramatically in that fourteen-month period. Now XYZ has sought a temporary restraining order and injunction against Acme, claiming that its three former employees took customer lists and other confidential business documents from XYZ and used them to benefit Acme. XYZ will seek to prove that the employees had access to the computer systems in which the information was stored, and that they signed binding nondisclosure agreements. The futures of both companies hinge on the outcome of the litigation, and it is critical they make no mistakes in gathering the information needed to assert their claims and defenses.
Everyone embroiled in this case will have one thing in common: the immediate urge to investigate and determine whether evidence of the alleged improprieties exists. Their first instinct will be to turn on the employees’ computers, blackberries and cell phones, and then scour the files on those systems for a virtual smoking gun. While these would seem to be the most natural and prudent courses of action, in reality they could lead to the loss of critical evidence, jeopardize the admissibility of key evidence, and leave a traceable path of files that have been recently reviewed.
Before Acme and XYZ take any steps they might later regret, they would be well-advised to keep in mind three key aspects of electronic data storage which most people fail to fully understand and take into account:
- The act of deleting a file on a computer does not actually destroy the file. The information still exists on the computer; it is just inaccessible without special tools and expertise. The deleted information resides on the portion of the computer disk called “unallocated space.” Deleted information can also reside in computer recycle bins and in another category of space called “slack space.” Over time and usage, all or portions of the deleted information will be overwritten by new information, but it does not disappear immediately. An in-depth investigation will entail retrieving and reviewing the deleted files that still reside on the system.
- The activity that occurs on a computer or server is always recorded. Logs are generated on networks and computers tracking activity. Each file contains “metadata” fields that record file information and activity. IT experts can utilize this information to reconstruct a history of the actions that took place on a computer or with respect to a computer file. A rogue employee’s act of downloading trade secrets just before his departure may be reflected in his computer’s activity logs and files.
- Even the simple act of booting up a computer results in a loss of information. Each process that a computer runs – whether user requested or automated – will modify, overwrite, or delete information on the computer. A conscientious investigator will avoid destroying relevant information by not booting up computers until a computer forensic expert can take steps to preserve the computer images.
After the Arthur Andersen scandal, almost everyone knows that destroying key documents can lead to trouble. But many don’t know that courts evaluating discovery disputes are increasingly concerned about the destruction of metadata. Not every case is the same. In some cases, metadata will be directly at issue. In other cases, rigorous attention to preserving metadata may be unnecessary. Since the ultimate scope of the claims at issue in a case is typically unknown when preservation efforts must be executed, deciding how much time and effort to spend on ESI preservation may be difficult. Unfortunately, there are no second chances when it comes to preserving electronic information. For this reason, initial preservation steps should err on the side of being over-inclusive.
XYZ’s trade secrets case against Acme requires careful planning and IT expertise on the part of both companies to properly preserve ESI. To minimize potential conflicts of interest, independent outside counsel should be consulted immediately, and any employees with a direct interest in the litigation should be excluded from the process. The first step each company should take is to hold a meeting that includes representatives from its legal team, IT department and records management department. The goals of this meeting should be: to identify where, within the company’s IT infrastructure, the relevant information exists; to determine the steps needed to preserve that information; and to evaluate the financial and business impact on the company to preserve and collect the information. Based on these considerations, each company should develop an ESI preservation plan tailored to its unique circumstances and the specific facts involved in the underlying litigation.
ESI Preservation Methods
After the initial planning meeting, each company should immediately begin implementing the steps outlined in its ESI preservation plan. The following describes the special concerns Acme and XYZ might have and describes the different ways in which each might handle ESI preservation in light of those concerns.
Issuing Litigation Hold Notices
Acme: Acme will need a few weeks to collect and secure all of the relevant ESI and paper documents it has. So the first step Acme takes is to issue a “litigation hold” notice to its employees to prevent the inadvertent destruction of evidence during the investigation. Acme’s legal team drafts the notice and distributes it to all employees in the division where the three former XYZ employees work. The notice generally describes the claims and instructs the employees not to delete or destroy any documents related to them. The notice further describes the types and subject matter of the information to be preserved, outlines the steps required to preserve it, and emphasizes the importance of doing so. To further monitor compliance, Acme requires each employee to certify in writing that he or she has read and understands the obligations under the notice. A separate notice instructs the company’s IT and Records Management Departments to suspend all routine document destruction policies and processes that might delete or overwrite information described in the notice. The legal team schedules a follow-up meeting with IT and Records Management for the purpose of determining whether and when these policies and processes can be re-enabled.
XYZ: To support its claims, it is to XYZ’s advantage to preserve as much of the relevant data within its possession and control as possible. But since the three employees have already left the company, any relevant information XYZ might possess dates back to the period during their employment. XYZ determines that none of its current employees are likely to have relevant information, and for this reason decides not to issue a litigation hold notice to its employees. Like Acme, however, XYZ instructs its IT and Records Management Departments to suspend any routine document destruction policies that could overwrite information related to its claims.
Preserving Computer Hard Drives
Acme: Acme must identify individuals within the company who might possess information related to the case, and then take steps to secure the information on the computers of each of these information “custodians.” When it issues its litigation hold notice, Acme should locate and secure the computers used by the three former XYZ employees to prevent them from deleting any relevant information. Acme believes in their innocence, but understands that securing these computers and the metadata they contain may be the only way to prove it and avoid a potential spoliation argument from XYZ.
Acme has multiple options for preserving the information on the three computers, ranging in effort and expense from: 1) securing the computer hard drives for later analysis; to 2) having Acme’s IT staff create images of the hard drives; to 3) having an outside expert create forensic images of the hard drives. Acme rules out the second option because the software its IT staff uses to create images would not preserve all deleted files and activity logs. Acme has a credible jurisdictional argument for early dismissal and wants to limit costs in the early stages of the lawsuit, so it also decides against hiring an outside expert. Instead, Acme removes the hard drives from the employees’ computers and replaces them with new hard drives. Fortunately, Acme runs a weekly backup of files and settings for each computer. Acme is able to copy those files and settings to each employee’s new hard drive to prevent any loss of productivity. The old hard drives are locked away in a temperature-friendly environment until later, when Acme is better able to assess whether a full forensic analysis of the drives (and the associated cost) is necessary.
In addition to the three former XYZ employees, Acme identifies four other employees who work on their team as information custodians who might have information related to the lawsuit. Because there is little risk XYZ will accuse these additional custodians of inappropriate destruction or transfer of files, Acme decides it is unnecessary to preserve the activity logs or capture deleted files on their computers. Instead of securing their hard drives for future forensic analysis, Acme opts for a less costly alternative. It instructs its IT Department to use the company’s computer imaging software to create images of their computers. These images will capture the active data (the visible files) on the computers, but may not capture activity logs or deleted files.
XYZ: XYZ wants to immediately identify whatever relevant files exist and the related computer activity that may have occurred on the three former employees’ computers. Fortunately, XYZ had a policy of securing the computer of any departing employee who signed a nondisclosure agreement, and had preserved the three employees’ computers under this policy. XYZ is willing to spend whatever is necessary to find evidence supporting its claims against Acme, and its first step will be to analyze the three employee hard drives. While XYZ’s IT department can create images of computers, the process it utilizes to do this may present issues with the admissibility of the information in court. Such admissibility issues would result from the failure to preserve an intact image of the computer. For example, its internal imaging process could result in overwritten files and would not capture all deleted information. To ensure that the images of the employees’ computers are complete and forensically sound, XYZ’s outside attorney retains a computer forensic expert to create the images and analyze the computers. The vendor acts at all times under the direction and control of XYZ’s attorney so that his analysis is protected from discovery under the attorney work product privilege.
Cell Phones, Blackberries and Other Handheld Devices
Acme: Acme provided one of the three former XYZ employees with a Blackberry when he joined the company. Acme asks the employee to turn in the device, and he gives it to the IT department turned on. Because Blackberries constantly receive data through wireless connections, Acme turns off its radio to prevent such transmissions from overwriting existing data. Acme leaves the device on and plugged into the charger, however, because powering a device on or off may synchronize mail and calendar information, which could also cause existing information to be overwritten. Acme then connects the device to a computer with the Blackberry Desktop Manager installed on it, disables all synchronization options, and creates a backup of all data on the Blackberry. Acme saves the resulting file in a secure location on its network.
XYZ: XYZ distributed cell phones to each of the three former employees, but redistributed the phones when they left. Although the phones themselves contain no relevant data, XYZ had enough foresight to retain the SIM cards used by the former employees and issue new ones when it redistributed the phones. The former employees’ SIM cards are less likely to yield relevant data than their computers. To control costs, XYZ retains the SIM cards in a secure location for later analysis only if needed. Should circumstances warrant, XYZ also may subpoena the carrier for any text messages that may have been sent via these cell phones.
External Storage Media and Paper Files
Acme: Acme’s legal team interviews each of the three former employees and gathers all paper documents and external storage media (CDs, DVDs, flash drives, external hard drives, etc.) containing materials they either brought with them when they joined the company, or containing information regarding their communications and transactions with the company’s customers. All such materials are copied and stored in a secure location.
XYZ: XYZ asks the employees who now occupy the work stations of the three former employees whether any external storage media or papers were left in the workstations when they first moved in. No such materials existed. XYZ also interviews several employees who had close working or personal relationships with the three former employees, and determines that none either communicated with the employees after their departure or possesses information related to the case.
Network Email Accounts
Acme: To preserve relevant email, Acme creates a backup file for each of the seven information custodians that contains copies of all emails and attachments in that custodian’s mailbox on the company server. Acme then stores the backup files in a secure location on its server. Additionally, because Acme has no policy directing when or how its employees should archive old emails, it must conduct a time-consuming inquiry into whether and where any relevant email archives may exist. A member of Acme’s IT staff meets with each of the seven custodians and determines whether the employee may have archived emails in paper form, on his or her hard drive, or somewhere on the network server. Acme also runs a search of the employees’ hard drives and any network locations accessible to them to locate email files they may have archived. Acme then copies all such archived emails to a secure location on its server.
XYZ: XYZ is unlikely to have many relevant emails on its network because, under its routine email retention policy, XYZ deletes all emails kept in a user’s Inbox, Sent Items or Deleted Items folders after 30 days. However, unlike Acme, XYZ has a longstanding policy instructing employees who want to retain emails in these folders for a longer period to move them to a personal folder, and it regularly archives any emails moved to a personal folder. In connection with its investigation, XYZ searches its email archives for any messages relevant to its claims.
Network File Servers
Acme: Acme has separate locations, or “home shares,” on its network that are assigned to each of its employees. An employee’s home share can only be accessed by that employee. Acme’s IT department copies the home shares for each of the seven information custodians to a secure location on the network, using a tool that retains the file metadata during the copying process. Acme determines that relevant information also may be contained in folders on the network that the Sales and Marketing Departments use to store files. There is also a Human Resources Department folder on company policies that may be relevant. Using the same protocol, those folders are copied to the secure network location.
XYZ: XYZ’s network structure is similar to Acme’s, but XYZ wants to do more than just preserve the information on its network. Through its attorney, XYZ instructs its outside computer forensics expert to create an image of any network servers to which the three former employees had access, and then to analyze that image.
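The metadata-retaining copy Acme makes of its home shares can be sketched as follows. This is an added example, not a tool named in the article or used by either company; the function names and the JSON manifest layout are assumptions made for illustration. Like Acme's approach for its network folders, it captures active files only and does not recover deleted data.

```python
import hashlib
import json
import os
import shutil
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve_tree(src_root, dst_root, manifest_path):
    """Copy every regular file under src_root to dst_root, keeping the
    original timestamps and writing a hash manifest for later verification."""
    src_root, dst_root = Path(src_root), Path(dst_root)
    records = []
    files = sorted(p for p in src_root.rglob("*")
                   if p.is_file() and not p.is_symlink())
    for src in files:
        # Record timestamps BEFORE opening the file: reading it can itself
        # update the access time on the source.
        st = src.stat()
        rel = src.relative_to(src_root)
        dst = dst_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        src_hash = sha256_file(src)
        shutil.copyfile(src, dst)
        dst_hash = sha256_file(dst)
        # Stamp the copy with the source's pre-read times (done last, since
        # hashing the copy would otherwise touch its access time).
        os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
        records.append({
            "path": rel.as_posix(),
            "size": st.st_size,
            "atime_ns": st.st_atime_ns,
            "mtime_ns": st.st_mtime_ns,
            "sha256": src_hash,
            "verified": src_hash == dst_hash,
        })
    Path(manifest_path).write_text(json.dumps(records, indent=2))
    return records


def verify_copy(dst_root, manifest_path):
    """Return the relative paths whose preserved copy is missing or no
    longer matches the content hash or modification time in the manifest."""
    dst_root = Path(dst_root)
    failed = []
    for rec in json.loads(Path(manifest_path).read_text()):
        p = dst_root / rec["path"]
        if (not p.is_file()
                or sha256_file(p) != rec["sha256"]
                or p.stat().st_mtime_ns != rec["mtime_ns"]):
            failed.append(rec["path"])
    return failed
```

Keeping the manifest separately from the preserved copy lets the company show later that the files have not changed since collection.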
Acme: Acme backs up its email and file servers to tape on a rotating basis. It backs up the servers daily and rotates each tape on a weekly basis. Acme also makes weekly backup tapes, which it retains for a month. Acme additionally retains one backup each month for a year, and one backup each year for seven years. Restoring data from backup tapes is costly, and Acme would object to any request by XYZ for information on the backup tapes. Nevertheless, for preservation purposes only, Acme decides to pull three tapes from the rotation. The three tapes Acme decides to pull are the current weekly backup tape; the monthly backup tape for the month after the last two XYZ employees joined the company; and the monthly backup tape from the month before they joined. Since Acme’s yearly backup tapes won’t be destroyed for another six years, it takes no action with respect to the last year’s backup tape.
XYZ: XYZ keeps backup tapes for disaster recovery purposes only, and no backups beyond the prior six-month period exist. Unfortunately, this will limit XYZ’s ability to investigate its former employees’ network activities.
This list of steps is not exhaustive, but as the narrative illustrates, taking even the most basic steps to preserve ESI may be laborious and costly. So why bother?
Preserving ESI is not only good strategy for gathering evidence—in many cases it is required. A company investigating potential criminal conduct may be accused of obstruction if a prosecutor believes it destroyed ESI intentionally. And civil litigants in most federal cases are required to automatically disclose to the other side a description of any ESI they have that might be used to support their claims. Then they must meet with each other and attempt to agree on a discovery plan that addresses, among other things, the manner and extent to which they will exchange ESI. This plan will be submitted to the court and will govern each party’s ESI preservation obligations during the litigation.
Whether a written discovery plan exists or not, litigants who intentionally or unintentionally delete or destroy relevant ESI risk being sanctioned by the court or, at a minimum, becoming embroiled in a costly discovery dispute.
Because mistakes can be costly, companies should seek advice from legal, IT and records management experts about how to preserve ESI whenever a legal crisis arises. When it comes to creating and executing an ESI preservation plan, there is no one-size-fits-all solution. Every set of claims is unique, as are each company’s policies, culture and IT infrastructure. The goal is to develop a plan that a court would deem reasonable and that meets the company’s own need to ferret out the supporting evidence.
Moreover, since the need for an internal investigation at some point in the life of any company is predictable, it behooves everyone to consider ESI preservation well in advance of any legal crisis. While creating an ESI preservation policy may seem daunting, the alternative – being thrust into a situation where these complex legal and technical issues have to be addressed on the spur of the moment – is considerably worse.
Legal, IT and records management professionals with expertise in internal investigations can help companies establish policies that will outline the workflow and processes they will use to develop a case-specific ESI preservation plan if a crisis develops, and streamline the preservation and collection of information to minimize error, expense and the disruption of business. With careful planning and good advice, companies need not be afraid of managing their ESI.
Dulce Foster is a shareholder in Fredrikson & Byron’s White Collar & Regulatory Defense and Litigation Groups and Chairs the Internal Investigations Group. Her practice includes criminal and civil litigation in the areas of financial fraud, healthcare fraud, foreign corrupt practices, trade secrets theft, election fraud, illegal immigration, environmental crimes and False Claims Act defense.
Oliver Fuchsberger, Fredrikson & Byron’s Litigation Support Consultant, has over 20 years of litigation support experience. His background includes designing and implementing technology solutions and workflows for law firm practice support needs, working with attorneys and clients on properly preserving and collecting electronic stored information for litigation discovery purposes, and educating attorneys and legal support staff on effectively using litigation support technology tools.