e-Discovery Investigations
The near collapse of the U.S. economy has had a staggering effect on IT budgets. Setting priorities has become a reactive response to whatever emergency has risen to the top of the list. In essence, today’s IT, security, and legal teams have become a triage unit, addressing each new corporate wound as it arrives in their inbox, or worse, as it’s splashed across the Web as an unfortunate headline. Operating in survival mode, companies no longer have the luxury of addressing the what-ifs of security. If it isn’t actually happening, or hasn’t yet happened, it may not get considered.
Among the many things impacted by budgetary strain is the e-Discovery process—the steps taken to find, analyze and preserve electronically stored information (ESI). In its January 2009 report, “Trends 2009: eDiscovery, Macroeconomic Factors and A Rapidly Evolving Market Present Challenges,” Forrester predicted that information and knowledge management (I&KM) professionals would start off 2009 facing major challenges in grappling with e-Discovery demands. The report cites bankruptcies, major financial losses, and other adverse events stemming from the poor macroeconomic climate as fueling an increase in litigation. As a result, executives will look to I&KM professionals to help manage legal risk using cost-effective approaches. However, poor internal communications, disjointed applications, and ad hoc efforts will make e-Discovery a painful process for many organizations.
Once the domain of subpoena-wielding investigators, computer forensics as a discipline is now a known, useful and necessary part of doing business in today’s complex and litigious corporate climate. Employed to explore everything from the theft of intellectual property to sexual harassment claims, the information unearthed through the e-Discovery process is an important part of HR, legal, security, IT and executive operations. Five years ago investigations routinely involved the removal of physical computer assets, which often left organizations at a standstill until the computers were returned. The investigative process was then carried out at the experts’ offices using highly advanced, secret service style software.
Forensics software quickly progressed to allow for the on-site imaging of hard drives, which was most likely done in the evening, when no employees were around and any network disturbance would go unnoticed. Then came remote access, with imaging done out of sight of company employees and causing only the most minor impact to network performance.
Economy vs. Expertise
In recent years there has been a noticeable shift in the people involved in the e-Discovery process and how it is being performed. There are now myriad tools available that automate the most cumbersome duties and there are a number of aspects of e-Discovery that can be accomplished (if done correctly) by internal teams. “10 years ago all there really was in terms of forensic imaging was Guidance Software. In order to search, analyze, review and produce information you had to use a bunch of other homegrown or repurposed tools,” says Dean Gonsowski, vice president of e-Discovery services for Clearwell Systems. “There wasn’t really much in the way of e-Discovery tools. The industry got its foundation, in my opinion, from the forensics world. Everyone used forensic tools because that’s all they knew about. They’re realizing now that there are instances where you’ll use a forensic tool and then there are instances that won’t require expert testimony or forensic tools to have the right level of proof for trial. The physical elements of chain of custody and authentication are still very important, yet an HR investigation involving basic access to email no longer requires advanced hard drive imaging software and a trained forensic investigator. Forensically sound tools now exist that are safe to use—a sort of democratization of the analytical tools.” Those tools, Gonsowski adds, are available to everyone: small, medium, and large-sized organizations that want to do analysis in which they don’t need to view forensically recoverable files—such as deleted files—and who may only need access to emails or Microsoft Office documents. “You don’t need to go quite to the level of a computer forensic investigator [to examine internal issues], you can typically find a ton of smoking guns just looking through somebody’s email.”
“I’ll tell you what I’m noticing,” says Brett Tarr, director of marketing for eMag Solutions, “in this current day and stage of the economy a lot of companies are taking the step of trying to bring their discovery matters in house. They’re saying, ‘I don’t want to pay someone on the outside to do this when we have someone on the inside already on salary that can do this instead.’ The truth is that any time these matters end up in a trial you are putting the risk of managing the chain of custody and the risk of performing these processes on an organization that is not built to handle that risk. They may be able to handle it in certain instances, but they don’t have processes that are built around it [e-Discovery].” Tarr goes on to say that more than cost should be considered, and that there are other factors and risks involved. Tarr sees several things pushing people away from using professional investigators, chief among them the cost and complexity involved in performing simple investigations, coupled with the recognition that they don’t have to hold up to the same evidentiary standards and traditional courtroom ethics. “I definitely notice many instances of low-level, sort of generic data collection as opposed to true forensic collection and analysis.”
Gonsowski explains the move toward in house e-Discovery this way: “Over the past several years practitioners have gotten smart about what components of an investigation they want to use forensic examiners for and what components or other tools and other experts—paralegals, attorneys, or internal IT folks—can do. The cost and expertise associated with using forensic examiners doesn’t scale well if you try to use them on every single type of investigation you do.”
Despite the rising trend toward bringing the e-Discovery process in house, Tarr cautions that there are times in which hiring a professional investigator is critical. “The fundamental question is: what is someone investigating? Is it purely an internal matter? Is it something that involves another company? Is it something that could potentially involve lawsuits or some sort of government investigation? You only get one shot to collect the information before the traditional chain of custody is destroyed. The question someone needs to ask up front is: ‘Is this something we can even remotely contemplate ending up in front of a court of law or a judge or a magistrate?’ If the answer is ‘yes’ they really need to consider using a professional and having a full forensic investigation that follows proper step by step procedures and rigid maintenance of the chain of custody.”
Gonsowski illustrates the difference between what can and can’t be handled in house: “I had a forensic case where the question was whether an HR memo was ever read by the CEO when he took action and fired somebody. There was no question that he got the email, the ultimate question was whether he opened the email and read the attachment. The first part you could just use ordinary tools to figure out whether the individual got the email but in the second instance we had to use forensic examiners to try to figure out by looking at metadata and other things whether that CEO actually read the email in question.” That said, organizations do not need a forensic investigator for the collection of routine, active ESI. “Most organizations now have tools, whether it’s the Clearwell tool or others, that work well in the hands of the IT department or someone that knows how to collect information safely, maintain the metadata and create chain of custody,” he says. “They’re not trying to do a forensic investigation per se, they just need to handle email in such a way that it doesn’t degrade or otherwise spoliate.”
Choose Your Weapon
Gonsowski feels that whether or not you bring the e-Discovery function in house really depends on the variety and frequency of litigation. “Every organization, in my mind, needs to have tools and expertise to be able to preserve ESI and in some instances collect that information. No matter what you do, there will be significant sanctions if you don’t make sure that you have what you’re supposed to have from an ESI standpoint. You need to be able to identify where the information is, preserve it and then collect it. Where Clearwell and other tools come into play is for organizations that know they’re seeing X number of matters a month that are internal investigations and Y matters a quarter that are litigation. Then they can review the business case if bringing tools in house to do processing analysis and review of the information makes sense. It’s an evolution as companies go quarter over quarter. The smart ones see that if they just collect information, and give it to outside counsel or some other third-party, there’s a certain amount of cost associated with it. If they had certain tools in house they could do investigations and other things on their own that would add to both control the speed of the process and help significantly with the cost savings.”
With organizations down to skeleton crews, assigning the detail-intensive duties of the e-Discovery process to in house staff takes careful planning along with the formation of an evidentiary task force. “We are starting to see the formulization of different e-Discovery programs, especially for those enterprises that have a high legal risk profile,” says Brian Hill, senior analyst, Forrester Research. “If they get sued a lot it’s likely they will move toward starting different cross-functional teams, including IT and legal but also including a number of secondary stakeholders. That’s very encouraging because previously these groups had been operating in isolation and that’s actually contributed to very inefficient processes and a very fragmented technology infrastructure.”
Tarr continues, “I think that any organization that remotely is likely to face either litigation, government investigation or any sort of compliance issue needs to not only have a group of people to address things but also they need to have a rudimentary outline of what steps they will take to actually respond to the different types of actions—general steps that spell out the people that have to get involved at various stages and the timetable they’re on after they are sued to find out what type of information they need. Regardless of how they collect information, the ability to access, find and get to that information quickly is very critical. Organizations need to understand their universe of data, what is contained within it, how that information will relate to each of the different business units, how that info flows between those different units and ultimately where they can find it.”
Hill agrees that before considering bringing the eForensics function in house—whether by implementing an automated solution or assigning the function to internal employees—you should clearly understand where your information assets are throughout your organization and keep an inventory of what the associated retention policies across these assets might be. “For many organizations there won’t be a large number of repositories that don’t have any type of retention policies whatsoever. So having a really clear idea where your information assets are, what the discovery policies are, who’s responsible for them, and what types of content these repositories represent, is an important first step.”