The next series of blog entries will focus on different aspects of ESI. This first part focuses on where is the ESI and what types of ESI are out there. You may need a magnifying glass for this journey.
Electronically Stored Information Part I Where Should I Look? Discovery of ESI is generally thought of from the perspective of typical business documents such as email, office documents, or even databases. ESI that could be relevant to a particular litigation can be found in many forms and in many places. You may not even be aware of where all of ESI is maintained. More importantly, the client probably is not aware of where all potentially relevant ESI that is outside of its control, but that may be accessible. So where does your client maintain its ESI? This will require the assistance of people responsible for the client’s Information Technology (IT) systems. Although these people will generally have good knowledge of the actual systems and software used, they may not have the knowledge of the types of information maintained. Attorneys must have enough knowledge of typical ESI locations and information content to communicate with IT personnel and guide the search for ESI. We know or should know that ESI differs from paper information in several ways. The volume of ESI is almost always greater than paper information, and it may be located in multiple places. For example, draft and final versions of a single report may be stored electronically in multiple places. Some aspects of ESI have no counterpart in paper, metadata being the most obvious. Metadata, which most computer users never see, provide information about an electronic file, such as the date it was created, its author, when and by whom it was edited, what edits were made, and, in the case of e-mail, the history of its transmission. Also we know that deleting an electronic document does not get rid of it, as shredding a paper document would. An electronic document may be recovered from the hard drive, to the extent it has not been overwritten, and may be available on the computers of other people and on archival media or backup tapes used for disaster recovery rather than archival purposes. Deleted Files- If you delete a file, Microsoft Windows removes it from your view; however, at that same point in time, the contents of the file are still stored on your hard drive. In addition to removing the file from your view, Microsoft Windows flags the space where the file still resides, as available. Depending on whether the space is needed for other files and how much time has passed determines how much of the original file remains. File Slack- Files are created in varying lengths depending on their contents. DOS, Windows and Windows NT-based computers store files in fixed length blocks of data called clusters. Rarely do file sizes exactly match the size of one or multiple clusters perfectly. The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called "file slack". Cluster sizes vary in length depending on the operating system involved. Larger cluster sizes mean more file slack. A brief summary of some of the more important ESI sources: E-mail is a highly valuable source of information important in litigation. The content of e-mail may be informal and also subject to differing interpretations. Email may be found on company email servers; backup tapes; general server backup tapes; individual PCs used by company employees; personal PCs used by employees who do work at home; Blackberrys; Personal Digital Assistant (PDA) devices; servers of external email or individual storage devices such as USB drives and flash drives. E-mail is used for outside communications and is often forwarded, copied, or blind copied. Because of this emails can end up on the same list of devices for many different custodians. Emails can also be archived or converted to different formats and copied and posted on web pages. Email can be maintained in different directories (folders) on various devices. Some of these directories may not be visible or known to the email user. For example, most email programs will keep copies of mail sent in a “Sent Folder” or copies of deleted email in a “Deleted Folder” and each email program may use different names for these typical folders. E-mail deleted from an individual PC may not be deleted from an email server that received or sent the email. Email may also be filtered out by spam filters at both a server and an individual PC level and found in different directories than email that is not filtered out. Email may also be simply deleted without human intervention by a spam filter or by limits placed on individual email accounts by an IT administrator. However, even if deleted, email may still be recoverable. All this sounds like fun…eh? E-mail may also contain attachments of files that contain hundreds of pages of printed information, video or audio recordings, or information only accessible with specialized software such as a database or accounting program. Digital Files Typical documents include word processing files, spreadsheet files, and presentation files. This category of documents also includes pictures, scanned images, and video or audio recordings. Digital files can be easily copied, modified, combined with other files, and then transferred to a PC or server located anywhere. Digital files can be found on all of the same devices and storage media listed above for e-mail. Although digital files are easily copied, modified, and transferred, actual permanent deletion of these files is not easy and often will leave traces of the deletion activity. Even if the files cannot be recovered, the typical programs and processes used to permanently delete files and the information they contain will cause an “absence” of deleted or temporary files that are present on any PC or server. This absence of “deleted files” can often be a definitive indication that files have been intentionally deleted. This is again something that a computer forensic expert may be able to report. Other Types of ESI Company data repositories are typically databases containing business information. This information can consist of accounting records, personnel records, payroll records, sales records, mailing lists, customer lists, or any other large quantity of information that a company needs or wants to retain over time. The important thing to remember with database repositories is that the relationships between individual data records may be more important than the actual data elements. Print copies of ESI records will not generally reveal the metadata that is most valuable here. • Company and individual voice mail systems and telephone answering devices may contain phone messages for long periods of time. • Individual PC operating system logs maintain similar data as network system records although the level of detail is generally not as extensive. • Fax server or fax machine logs show dates, times, phone numbers, and the number of pages sent. • Phone records show dates, times, phone numbers, and the length of calls made calls • Credit card records will show dates, times, amounts, and the vendor for charges made. • Bank records will show dates, times, amounts, and the transmitting or receiving entity for each transaction. • Web sites may also contain information that has been deleted from other locations. Google search results have a small link shown as cached in the search results pages. Clicking on this link will provide the content of the web page that is stored on Google servers even though the original page is no longer available. • Systems that use Radio Frequency Identification (RFID) tags can also record the date and time that an identification card comes within range of a sensing station. • Many cell phones now have Global Positioning System (GPS) chips installed that can be turned on by law enforcement agencies or the owner of the phone. The Global Positioning System ("GPS") is a network of two dozen satellites orbiting at 12,000 miles above the earth. The network is capable of pinpointing precise locations anywhere on the planet. There are Internet based service providers that can track the location of a GPS enabled cell phone over an extended period of time. • Many automobiles have GPS navigation devices that maintain a record of the automobile’s location and speed over an extended period of time. • The United States Post Office and commercial delivery services such as FedEx, UPS, DHL, and Airborne allow tracking of packages and mail that shows mailing time and location, delivery time and location, and may also show the recipient’s signature. • Companies often elect to install or are required by law to install video or audio surveillance equipment covering a portion or most of their facilities. Many of these sources of ESI may require specialized software and personnel with the technical expertise to extract the information that is to be produced or analyze the information that was produced. ESI, like physical records, are subject to document retention policies and thus may be intentionally destroyed as part of a legitimate document retention policy. However, if litigation is reasonably anticipated, there is an obligation to suspend standard document retention policies and preserve discoverable information. IT staff responsible for implementing document retention policies with respect to ESI may not even be aware that there is an obligation to preserve ESI that they destroy on a routine periodic basis. Failure to notify responsible IT staff of what ESI must be preserved so that ESI is not destroyed could subject a company to sanctions. ESI, unlike physical records, is also subject to automatic destruction without any explicit action. Network and computer log files are usually limited by time or size so that new activity overwrites old activity. There may be a need to suspend the automatic destruction of ESI so that discoverable ESI that is subject to preservation obligations is not inadvertently destroyed. Let us now talk about the latest addition to the ESI family of discoverability which is Social Network Sites. Social networking websites have taken the world by storm. MySpace and Facebook, users chronicle the intimate details of their lives, post their current relationship status, provide opinions, and upload up to the minute photographs. However, users often post without considering the trail of muddy footprints they leave behind. Investigators visit these sites when looking into an individual for purposes of employment, college admission, background checks, investigating criminal activity, and so forth. This blog entry does not constitute legal advice. Next Up: Part II- FRCP and ESI John Randall President Randall Consulting
This growing use of social network information raises an important question in regards to electronic discovery:
If social networking sites are accessed using an employer's computer is it then fair game when it comes to electronic discovery?
One thing to remember is computers keep track of users internet passwords so their MySpace, Facebook, Twitter password and not to mention g-mail, hotmail, yahoo, AOL and other accounts when they sign on. This is because the website browser takes note of and saves the password. This information is stored in a protected area of Windows. Since the password does exist on the employer's hard drive, that password and therefore access to the social networking page, is it a situation where the possession and custody is now with the employer? With the right IT know-how, the employer can easily access the site. So what happens when the employee or employer gets sued, does the social networking page become responsive to document requests? Since I am not a lawyer I could not answer that but it does bring up some intriguing questions.
