Wiping slack and unallocated space may be contempt of court

(@jhup)
Posts: 1442
Noble Member
Topic starter
 

As I have written before, electronic discovery is my current horse.

Besides all the "funny" parts of this case, there are some interesting issues that may arise from it for us FIs.

Note the court document regarding server image. Yeah. Think about "clouds", "distributed" or "redundant"… especially in a giant farm with terabytes and terabytes of empty space.

http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202443834708&src=EMC-Email&et=editorial&bu=LTN&pt=Law%20Technology%20News&cn=20100219&kw=Does%20Discarding%20Unallocated%20Space%20Deserve%20Contempt%3F#

As the court explained at length, files saved to the hard drive of a computer are said to be in "allocated space," i.e., space on the hard drive allocated by the operating system. When a file is deleted, it does not disappear from the hard drive. Rather, the operating system no longer allocates or saves that hard drive space for the file, meaning that other files can overwrite it.

However, the court also pointed out that because today's very large hard drives do not require the reuse of previously used space to store new data, deleted files can remain on the hard drive for a long time. The same holds true for other file artifacts in unallocated space, such as temporary files, created when a user opens a file. Unallocated space will also contain file fragments, deleted internet history and other artifacts retrievable through digital forensic means.

Thus, the user with a strong desire to guard his or her privacy would not want anyone to have access to the artifacts in unallocated space. Since deletion does not guarantee that such artifacts will be removed from the hard drive, "wiping" programs, which overwrite the hard drive … either targeted areas or the entire drive, as directed … are deployed to that end. The wiping application deployed by the defendant, called SecureClean, completely overwrote unallocated space on the computer and server hard drives and, therefore, made any data that might have resided there prior to its deployment unrecoverable.

 
Posted : 20/02/2010 5:02 am
(@seanmcl)
Posts: 700
Honorable Member
 

It is certainly the case that wiping, even by continued normal use and overwriting of unallocated space, has been considered spoliation by various Federal courts. In fact, I was a witness in a case where the normal continued use of a laptop for 14 days after a protective order was granted was considered, by the court, to constitute spoliation in the absence of any positive evidence that contraband files had been deleted.

 
Posted : 20/02/2010 7:32 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

Sean,

Do you have a citation for that case? I am constantly telling my clients that they need to get the preservation done in hours/days else remove the computer system from usage, not continue to use it for weeks, and it would be good to have a case to back up that assertion.

Thanks.

 
Posted : 20/02/2010 10:00 pm
(@seanmcl)
Posts: 700
Honorable Member
 

Sean,
Do you have a citation for that case?

Nucor v. John Bell and SeverCorr, LLC
Civil No. 206 cv 02972 DCN
US District Court of South Carolina, Charleston Division

The case settled prior to trial but not before the judge awarded the plaintiff an adverse inference instruction on the basis that the defendants had continued to use a laptop after they had become aware that a suit was likely to be filed and, therefore, spoliation of evidence was likely to have occurred.

Even more significant, the court opined that the duty to preserve began six months prior to the actual filing because Mr. Bell, upon telling his employer that he was leaving Nucor to go to SeverCorr, was told that he would likely be sued under the terms of a non-compete clause.

Another significance to this case is that the judge applied the 2006 revisions to the Federal Rules of Civil Procedure even though the action occurred before they were ratified.

The plaintiff had gotten an ex parte preservation and discovery order but because the defendants had no chance for representation/rebuttal, the order was limited to the instruction that the defendants should take no steps to delete any data on the computers until they could be examined which should have left a "safe harbor" for normal use of the computers.

But Mr. Bell's computer was heavily infected with malware and approximately 2 weeks before production experienced a BSOD. The IT support staff responded by removing his laptop profile (which was backed up as it was a roaming profile), running two AV products on the computer, then reinstalling the profile.

Technically, they did not delete any files; however, the plaintiff successfully argued that the IT people should have taken into consideration the forensic significance of unallocated space and, in spite of the fact that there was no prohibition against routine system maintenance, should have taken greater care to preserve the system for forensic analysis.

Another interesting feature of the case is that, while the judge applied the 2006 revisions to the FRCP in terms of mandating a prediscovery conference of the parties and taking a broader view of the "duty to preserve" he did not limit the plaintiff's discovery motion to documents which were "reasonably accessible" although the courts seem to be inconsistent in the application of this principle.

The significance of this ruling cannot be understated. Even though the plaintiff was unable to present any evidence that the defendant had loaded its intellectual property onto the defendant's computer(s), the judge granted the inference instruction which, effectively, would have told the jury to assume that such materials might have been present on the computer at one time or another.

This should be a sobering thought to your clients since the defendants' actions, in the mind of the court, rendered any forensic defense (of the claim that plaintiff's IP was on the computer), moot.

 
Posted : 20/02/2010 10:30 pm
(@jhup)
Posts: 1442
Noble Member
Topic starter
 

Thanks! That's an excellent reference for me to use.

I am not as contentious about desktops and laptops and such, as the author of the article is - I am more concerned about server farms and such.

When does it become prohibitive to preserve unallocated space on server clusters/farms/clouds?!?

If the information was stored on a network cluster of 100TB, is it reasonable to image all of it 6 months prior to potential lawsuit as in the above case?

Or, is it reasonable to presume the suing party will not be willing to ask for it because of the cost?

 
Posted : 21/02/2010 12:21 am
(@patrick4n6)
Posts: 650
Honorable Member
 

I think you can clearly differentiate between a PC and a server cluster in the reasonableness of preservation of unallocated and such.

Thanks for the citation, Sean. There seems to be some lack of standardisation from the courts where preservation is concerned, but we can point to that case as a possible outcome from failure to conduct timely preservation.

 
Posted : 21/02/2010 1:00 am
(@seanmcl)
Posts: 700
Honorable Member
 

If the information was stored on a network cluster of 100TB, is it reasonable to image all of it 6 months prior to potential lawsuit as in the above case?

Or, is it reasonable to presume the suing party will not be willing to ask for it because of the cost?

The general rule for discovery is "readily accessible" unless the information cannot be obtained in any other way and there exists the burden of establishing relevance, a priori, which rests with the requesting party.

Where it gets complicated are cases where a party alleges that the information did exist but was deleted and when the enterprise, in addition to the individual, is alleged to be complicit in the theft of IP and/or the destruction of evidence.

Also note that in some cases, costs may or may not be recovered by the prevailing party, especially where ESI is involved. For example, in Kellogg Brown & Root, Intern., Inc. v. Altanmia Commercial Mktg. Co. W.L.L., 2009 WL 1457632 (S.D. Tex. May 26, 2009), the court ruled that KBR was not entitled to the cost of extracting ESI from backup tapes because the ESI extracted was not actually used at trial.

And since, in most cases, the requesting party is responsible for the costs of production, it can be a risky venture to demand a forensic recovery.

That having been said, since the law requires preservation to start at the first moment when a lawsuit seems likely, it would be highly risky for an enterprise to risk an adverse inference instruction over a failure to preserve evidence, especially if that evidence would likely have exonerated them.

Consider as a hypothetical, the case of a product liability suit where the liability may not be apparent to the consumer for years after it is first detected by the producer. The duty to preserve may begin at the moment when management receives notice of the defect because they could reasonably conclude that legal action will follow.

The nightmare outcome would be the one like the case that I referenced where the plaintiff was unable to establish that their intellectual property was on the defendant's computer or network, yet got a favorable ruling anyway.

Had the case not settled, I suspect that the defendants would have appealed that decision on "safe harbor" grounds, but success was not guaranteed.

 
Posted : 21/02/2010 2:05 am