Interestingly I have a meeting with our legal team tomorrow just about something relating to "one bite of the apple" rule. I did not know it was called that, but the idea of the meeting is discussing my proposal of a "laundry list". It would allow our legal team to present the opposing side with the list, costs and time frames associated when demanded.
Obviously there are many issues to develop and work out, I still think having a … clue list? … would be highly beneficial.
The "one bite of the apple" rule was designed to prevent the endless filing of discovery motions which could arise out of a fishing expedition or simply a desire to inflict cost and hardship on the producing party.
It has two important implications, however.
First, you need to be very specific about what you want to have produced and in what format. For example, while it is generally accepted that the production should be in the native file format the courts have ruled that unless this is specifically requested and defined, once produced the requesting party cannot return for additional data. Many commercial eDiscovery solutions produced documents in PDF or TIFF format which can obscure or remove relevant metadata. There have been court rulings in favor of the producing party which have precluded the requesting party from requesting metadata production after the fact.
The second implication is that the requesting party needs to think through precisely what it needs to make its case, and that means anticipating what issues might arise from production or from the facts of the case that would require a broader scope than actual document production. For example, if the intent is to allege intentional spoliation, or if there is a need to verify details about the system on which the requested data resides, then you had better anticipate that in your request.
For example, I worked on a case involving an alleged copyright infringement where the critical question was establishing, to a reasonable degree of certainty, the dates and times that certain files had been created. The suit was filed a few years after the alleged copyright infringement and the defendant's position was that the expressive elements had been created after the date of the alleged infringement.
The producing party produced a CD with the files and MAC times but there was no way to verify, with certainty, that the times were real. Under today's interpretation of the FRCP, it is likely that the requesting party might be denied the opportunity to inspect the system from which the files were produced to verify the dates once they had agreed to the CD production.
From my perspective what this means is that we can no longer assume that we'll be given unrestricted access to forensic copies of the source media and unlimited time to explore them and we need to consider how to function with less than this.
From my perspective what this means is that we can no longer assume that we'll be given […] unlimited time to explore them and we need to consider how to function with less than this.
I would say this is about as good of a reason to come up with a … clue list… as any, wouldn't you say?
On a side note, how involved are you with the Sedona Group or Conference?
David, I clearly heard you volunteered for something here… wink
Greetings,
I accept my volunteer position with grace….
-David
In the area of hardship and ESI, there seems to be a move toward those files which are readily accessible. Some courts have, for example, excluded backup tapes from discovery as the contents of these are not readily available. The same has applied to data store in unallocated space.
I have actually seen backup tapes and deleted files becoming more common in discovery requests as companies have come out with tools that can do the job more cheaply, especially in the realm of backup tapes
Hardship can also apply to the cost to recover the information as well as the potential injury to the producting party, such as might occur if devices needed to be seized or shutdown or the producing party alleges than there are irrelevant trade secrets which might be revealed during a forensic examination.
Typically, from my experience, confidentiality is not something that a producing party can hide behind to prevent discovery. But that does not mean the requesting party gets full access. Instead, protective orders are drawn up and then an independent expert is assigned the task of acquiring relevant sources of data (hard drives, tapes), performing the search and allowing the producing party to review before providing to the requesting party.
Now I do agree that with mission critical (or maybe just "missing important") machines, the idea of taking them down must be thought out and the burden to the owner considered.
Another issue is that of privacy and the expectation of privacy. In some cases the courts have ruled that making a forensic copy of an individual's computer violates the user's expectation of privacy (including a famous case where someone found CP on a computer that had been discarded by the landlord which had belonged to an evicted tenant). In these cases, the court may permit a limited examination restricted to the logical rather than physical volumes or it may exclude the forensic evidence altogether.
There is also the notion of the "one bite of the apple" rule, which is that the requesting party gets one shot at formulating a discovery request and can't go back at another time. So, you don't go for the low hanging fruit with the "readily available" data and then, on the basis of that, go back and ask for a forensic examination (unless you can show that the producing party likely deliberately hid discoverable ESI from view).
The convergence of all of these seems to be heading toward a point where doing a complete forensic analysis of the subject media is an exception rather than the rule.
I disagree. I think that we are staying right in the world of cloning entire devices, at least in the civil realm, and performing smarter, more targeting examinations to properly categorize the data as relevant, privileged, confidential, etc. to go along with opining on how a computer was used. To attempt to slice and dice the data before preserving and understaning what data is on the computer, is working backwards.
In part, the notion of a boilerplate for, say, Encase plays right into the privacy concerns to which I alluded. To say that "in every case I do A then B then C" without justification for those steps creates the impression of using a shotgun to kill a mosquito.
There can be an exception, however. If the data are needed to establish the authenticity or authorship of the documents, then it may be requested and allowed. If the information from registry analysis, Internet history, scanning of unallocated space, etc., can be shown to be relevant, the courts are more likely to allow it or at least a less restrictive analysis.
The importance, however, is not simply to say that I did it because I could, but to be able to state the reasons why examining some aspect of the computer was necessary to establish the facts of the case.
I do agree that it is necessary for an examiner to explain why one took certain steps vs just following a guideline. That being said, I think the guideline is an excellent idea because it allows everyone here to share what they do when conducting an examination.
Sorry if I took this thread in a completely different direction, but I just wanted to comment on some items that I didn't agree with and haven't seen occurring.
In the area of hardship and ESI, there seems to be a move toward those files which are readily accessible. Some courts have, for example, excluded backup tapes from discovery as the contents of these are not readily available. The same has applied to data store in unallocated space.
I have actually seen backup tapes and deleted files becoming more common in discovery requests as companies have come out with tools that can do the job more cheaply, especially in the realm of backup tapes
I can't disagree with your experiences, but I can share mine as well as case law.
The old standard was Zublake v. UBS Warburg, LLC in which the court held that backup tapes were a legitimate target for discovery even when it could not be ascertained what might be on the tapes. However, this was before the revisions to Rule 26 which establishes a two-tiered approach to "inaccessible data". First, the requesting party must be able to show that the data cannot be retrieved from a more accessible source. Second, and most importantly, the requesting party must be able to demonstrate to a reasonable degree of certainty that the inaccessible data could have a material effect on the outcome of the case.
http//
http//
http//
http//
Your mileage may vary. In my experience, when you are dealing with terabytes of backup data and the requesting party is not willing to assume the cost of recovery, the producing party has been able to successfully argue that without sufficient evidence to warrant such a broad search, the backups were excluded.
If you have case law that says otherwise, I'd be happy to have the references for future cases.
The problem is not simply the technology. There is also the operator time involved as well as the sheer volume of data. In McPeek v. Ashcroft the court allowed for sampling of the backups, but required production of only one after the sampling had been completed. The court denied the request to force production of all of the backups.
Hardship can also apply to the cost to recover the information as well as the potential injury to the producting party, such as might occur if devices needed to be seized or shutdown or the producing party alleges than there are irrelevant trade secrets which might be revealed during a forensic examination.
Typically, from my experience, confidentiality is not something that a producing party can hide behind to prevent discovery.
Again, your mileage may vary. First, there are two separate issues, here. One is the reasonable expectation of privacy which may be afforded employees of a company and even individuals. I've been involved in two cases in which the judge has ruled that a complete forensic examination of the subject's computer was unreasonable because of the expectation of privacy and I suspect that we'll see more of these. And the courts have held that employees have a reasonable expectation of privacy if the employer had not notified them that their activity could be monitored and actually taken steps to do so.
The other is confidentiality and trade secrets and while I agree that processes can be constructed to isolate the producing party's non-relevant data from the requesting party (I prefer a court appointed special master to the approach that you outline), I have also witnessed cases where the courts have ruled that discovery requests are too broad (usually involving copying of an entire or server).
Confidentiality agreements can be structured but the fact remains that if everyone could be trusted none of us would be in this line of work.
In Daimler Truck v Younessi
(http//
The court determined that plaintiff's request to have its forensic experts examine the hard drive of the defendant was unreasonable and ordered that the defendant search the drives, themselves.
"While this is consistent with the general scope of the Rules allowing broad discovery, it is inconsistent with the adversarial aspect of trial practice and discovery because it contemplates granting opposing counsel, and opposing parties, direct access to information beyond the scope of discovery. That is, the Rule allows for a subpoena of an entire hard drive for the limited purpose of finding a few documents which may be stored therein. See Fed. R. Civ. P. 34(a)(1)(A) (requesting party may obtain information stored in any medium); Fed. R. Civ. P. 34(b)(1)(C) (requesting party “may specify the form or forms in which electronically stored information is to be produced”). This would be analogous to allowing the search of a party’s entire collection of file drawers for the purpose of finding a single class of documents."
The court applied the same logic that was used in Playboy v Welles which denied Playboy's request to examine the defendants drive as being too intrusive.
But that does not mean the requesting party gets full access. Instead, protective orders are drawn up and then an independent expert is assigned the task of acquiring relevant sources of data (hard drives, tapes), performing the search and allowing the producing party to review before providing to the requesting party.
I'm not saying that this can't happen. But I am saying that there is case law which affirms the notion that the requesting party is not always entitled to carte blanche when it comes to the raw data held by the producing party. And, I expect that these rulings will be used as arguments in upcoming cases as well.
I think that we are staying right in the world of cloning entire devices, at least in the civil realm, and performing smarter, more targeting examinations to properly categorize the data as relevant, privileged, confidential, etc. to go along with opining on how a computer was used. To attempt to slice and dice the data before preserving and understaning what data is on the computer, is working backwards.
I'm not saying that this is desirable. What I am saying is that increasingly, the courts seem to be sympathetic to the view that the requesting party is not always entitled to examiner all of the media in the possession of the producing party. This is, in part, due to the fact that consensus groups like Sedona are advocating on behalf of organizations that are subject to production requests rather than organizations that do forensics. The pendulum seems to be swing toward forensics as one tool, but not the first tool to be used in eDiscovery.
Increasingly, eDiscovery companies are incorporating forensic examiners in their teams, but theiremphasis is still on less invasive approaches to discovery and the courts appear, in many cases, to be sympathetic.
Your mileage may vary. In my experience, when you are dealing with terabytes of backup data and the requesting party is not willing to assume the cost of recovery, the producing party has been able to successfully argue that without sufficient evidence to warrant such a broad search, the backups were excluded.
I'm not talking about terabytes, but then again, terabytes of data is not as insurmountable as in the past. My only point was that the costs to process tapes have come down drastically and there are tools allowing them to be searched without being restored and often without having the software that the client used to backup the data.
If you have case law that says otherwise, I'd be happy to have the references for future cases.
There are numerous cases wherein we have used our protective order to assist the clients in getting access to the opposing side's data. It compensates for confidentiality and privilege. One in particular that I just got word of yesterday is Michael Mizarek, et al., v Richard Workman, et al. Court of Common Pleas Stark County, OH. 2009 CV 01858.
Again, your mileage may vary. First, there are two separate issues, here. One is the reasonable expectation of privacy which may be afforded employees of a company and even individuals. I've been involved in two cases in which the judge has ruled that a complete forensic examination of the subject's computer was unreasonable because of the expectation of privacy and I suspect that we'll see more of these. And the courts have held that employees have a reasonable expectation of privacy if the employer had not notified them that their activity could be monitored and actually taken steps to do so.
The other is confidentiality and trade secrets and while I agree that processes can be constructed to isolate the producing party's non-relevant data from the requesting party (I prefer a court appointed special master to the approach that you outline), I have also witnessed cases where the courts have ruled that discovery requests are too broad (usually involving copying of an entire or server).
But how do you determine what is confidential, private or not without examining the drive? Take the word of the operator who may have a vested interest in concealing data and who most likely is not an expert in determining where on their hard drive that data is stored? You still need to preserve the source of relevant data properly and then determine a method of search/examination that does the best job of alleviating everyone's concerns.
I do understand that some courts may be ruling against this, but it is up to us as the community to help educate on the benefits of this method.
I'm not talking about terabytes, but then again, terabytes of data is not as insurmountable as in the past. My only point was that the costs to process tapes have come down drastically and there are tools allowing them to be searched without being restored and often without having the software that the client used to backup the data.
Hit results on searches is not the problem. The problem is the false positive rate. At some point, no current technology is going to make up for the need to do a manual review of the information.
We had a case in 2007 where the discovery order returned 10 million pages of documents. No surprise, really. Both parties were in the same line of business and both used very similar technologies and the issue was whether one technology was sufficiently different from another as to not constitute a trade secret infringement.
Technology is great, to a point, but it can't solve every problem and it can make many other problems worse.
Not to mention the fact that the producing party was not a party to the lawsuit and so the requesting party had no grounds to ask for a forensic review of the producing party's system in order to ensure that all responsive documents had been produced.
There are numerous cases wherein we have used our protective order to assist the clients in getting access to the opposing side's data. It compensates for confidentiality and privilege. One in particular that I just got word of yesterday is Michael Mizarek, et al., v Richard Workman, et al. Court of Common Pleas Stark County, OH. 2009 CV 01858.
We have too. But we have also been in cases, in fact, we're in one now, where the judge has determined that requiring the producing party to allow the requesting party a forensic examination of their systems is too intrusive. Instead, they have asked the producing party to create a protocol by which the producer can ensure that all relevant documents have been produced.
We are seeing more and more of these and I was simply commenting that I think that this is a growing trend, i.e., the courts are not going to agree to the requesting party doing a full fledged forensic examination of a system or enterprise unless the requesting party can demonstrate that there is no other way to get the information. Federal law now reads that it is the responsibilty of the requesting party to establish the need for such.
But how do you determine what is confidential, private or not without examining the drive?
Again, in my experience, for what it is worth, I'm seeing a swing in the other direction, namely, that unless the requesting party can provide a compelling reason why a forensic examination of the media is necessary, the courts are tending to deny these requests in favor of the "readily accessible" criteria.
To be frank, we don't deal much with the isolated user's computer where we're talking about one drive (although a judge made just such a ruling in a case like that on which we worked). But, for example, the courts have recognized the reasonable expectation of privacy of employees in a business which did not have an explicit policy that stated that all activity would be monitored and/or that all data on the network was the exclusive property of the employer.
Take the word of the operator who may have a vested interest in concealing data and who most likely is not an expert in determining where on their hard drive that data is stored? You still need to preserve the source of relevant data properly and then determine a method of search/examination that does the best job of alleviating everyone's concerns.
I agree with the latter, however, in a recent case upon which I worked, we imaged 30 or so drives for preservation purposes in advance of a pending legal action. When the discovery motion was filed, we successfully fought the request to produce images of all 30 employees' drives. Instead, the court settled on the producing party doing a hash search on the requested files, followed by a deletion, followed by a keyword search followed by a deletion followed by a wiping of free space.
The requesting party never got to see the images.
I do understand that some courts may be ruling against this, but it is up to us as the community to help educate on the benefits of this method.
This is where I disagree. We are going to lose some of these cases (for forensic examination). What we need to do is understand how to formulate a production request which is most likely to give us what we want short of a forensic examination of the source media.
The point that I was trying to make is how do we do this?
I think we are talking too much about the forest, and forgot that it is made out of trees.
The notion I had in mind is a 'workflow clue list'. Trees that can be used to make the forest. I believe that is what David had in mind too, but I do not want to write for him.
Not all trees will be used, in all forest design, but all possible trees should be mentioned to be available, if and when needed.
Otherwise, keep on talking. It is quite interesting, albeit a bit still case by case. I believe it is so, because as both of you know this is so new most judges are still deciding themselves since most attorneys are not familiar with the new developments.
I don't have it in front of me at the moment, but I remember the ENCE book had a good guide (near the end of the book) which summarised the different steps available. Not every step had to be done in every case though, it was a suggested guide, not an SOP.
Greetings,
And that is pretty much where this thread started….
-David