Computer Forensics & E-Discovery Specialist : Electronic Evidence Retrieval L.L.C. : Data Recovery, Hard Drive Retrieval, Deleted Files : New Orleans, Louisiana

  I had a client that was a small company. They were embroiled in some bitter litigation with an ex-partner who was demanding some Electronically Stored Information (ESI) as of the date of the dissolution of the company. Helping them respond to the discovery request taught them a lot about their handling of their ESI.

While discussing their situation, the owner marveled at how much he had learned in this process. He volunteered that he would now start counseling his own clients about their ESI quite differently! So I’m taking today’s blog as an opportunity to pass on to you some of my client’s new-found wisdom concerning ESI.

What should an organization do about ESI when an employee leaves? It’s natural to want to reuse the desktop and laptop computers. However, just passing them on to another employee is fraught with danger. There may be personal information, “remembered” passwords, and confidential information the new owner should not have access to. Worse still, there may be evidence of questionable web surfing activity. 

One might think the easiest solution to this is to erase the hard drive and build a new one. However, I have seen a number of suits filed after an employee has left and employers no longer had valuable evidence that could have helped their defense. Here is my advice: Preserve the ESI on the ex-employee’s drives. Create an inventory of what is on the drives.  A simple “print directory” program will work; there is no need for a full forensic image. Remove the drives and replace them with new ones. Store them in antistatic packaging and in a secure location for at least 3 years. This way, if you are ever faced with litigation, you have preserved the ESI and you know its location and content, as required by the e-discovery amendments.

Does this cost? Yes, the new drive and the work of installing and building the new system cost. But I think my client would assure that those costs are negligible “insurance” compared to the level of costs in having to try to reconstruct it years later!

Does the ex-employee have files stored on an office server? Email on a mail server? Are there backup tapes of the employee’s data, on their PC and/or on the servers? My advice concerning ESI on servers mirrors that for desktop and laptop computers. Inventory and archive a copy of all their server files. Delete any personal files to free up space on the server. 

Organizations face other changes that impact ESI, such as migrating to a new server. Prior to taking such actions, the organization should make a complete backup of the current server and place in safe storage. This backup should not go into a regular backup rotation procedure (since such tapes may soon be reused), but kept separate.

Computer storage has become, relatively speaking, cheap. Given the e-discovery amendments’ emphasis on preservation of evidence and the increasing number of cases involving ESI, preserving ex-employees’ hard drives intact makes good economic and litigation sense.

 

• Email This
• Print
• Comments & Questions
• Trackbacks

 Law.com has an interesting article “Work Blogs Take Off, and So Do the Suits” that discusses various approaches to the issue of employee blogging. Since blogging is so very public, an employer has a vested interest in the images its employees portray in their blogs.

Initially, employers prohibited employee blogs. That turns out to be hard to do since one can blog anonymously. In many cases, employers are not only encouraging blogging, but providing the resources to do so. They do this for many reasons. Some view it as marketing and actually employ media firms to help get positive messages in the blogs. Others, perhaps facing layoffs or stock declines, do it to keep a finger on the pulse of employees. Some law firms encourage associates to blog as part of their recruiting effort.

The problems that employee blogging can create for an employer seem almost endless: libeling a competitor, harassment, negative images of the company, exposure of trade secret information, leaking confidential information, defamation, and attempts to influence stock prices. Furthermore, employees can claim that company actions, such as termination, are retaliation for material in their blog. And , as Law.com points out, the suits have begun:

Earlier this year, Cisco Systems and one of its lawyers, Richard Frenkel, were sued for defamation over an anonymous blog in which Frenkel allegedly accused two Texas attorneys of engaging in criminal conduct in a case against Cisco. Ward v. Cisco, No. 2007-2502 (Gregg Co., Texas, Dist. Ct.); Albritton v. Cisco, No. 2008-481-CCL2 (E.D. Texas).

 

In Georgia, a former Delta Air Lines flight attendant who claims she was fired after she posted photos of herself in uniform on her blog sued the airline for sexual discrimination. The case was stayed last year while the airline is in bankruptcy. Simonetti v. Delta Airlines Inc., No. 5-cv-2321 (N.D. Ga. 2005).

 

In Colorado, a group of Quiznos Master franchisees last year sued the company for wrongful termination, claiming they were retaliated against for posting on their blog the suicide letter of a former franchisee, who attributed his suicide to troubles at work. The case settled in December. Bray v. QFA Royalties, No. 06-cv-02528-JLK-CBS (D. Del.).

My point here is that blogging is a fact of life and businesses need to take steps to protect themselves from liability. That means they need a clear policy on employee blogging. At a minimum, they need what Cisco did as a result of the Ward case: require a disclaimer stating that the opinions are those of the blogger and not the employer. 

Jeannie Wyatt of Schwabe, Williamson & Wyatt wrote an excellent guest editorial for the Puget Sound Business Journal on how businesses should discuss employee blogging. She offers four fundamentals in establishing blogging policy: 

• Instruct, don't restrict, employee bloggers. Keeping in mind that not all employee blogging may be restricted, use your blog policy to educate employees. The policy should clearly define permitted and prohibited content, as well as acceptable use of employer-owned technology. For example, employees should be prohibited from posting confidential company and trade secret information, as well as using unauthorized copyrighted material or trademarks. Finally, employees must be instructed not to criticize competitors, customers, or fellow employees.
• Educate and follow through. Once a blogging policy is in place, train employees on the policy and enforce it. If the blogging policy prohibits employee use of employer-owned technology for anything other than job-related duties, do not turn a blind eye when it is violated. Down the road, it will be very difficult for the employer to establish that violation of the company's blogging policy is grounds for termination if it is not consistently enforced. As with all company policies, be sure to revisit the blogging policy from time to time. This way, it will always adequately express expectations and reflect current law.
• Don't be too quick to terminate an employee for violating the blogging policy. It is important to consult with an attorney before terminating an employee for blogging. There are some instances where an employee's blog may be damaging to the reputation of the company but still be protected. This was the case in Konop v. Hawaiian Airlines, a case involving the blog of a Hawaiian Airlines pilot, Robert Konop. He claimed that he was wrongly disciplined based on the content of his blog. In his blog, Konop stated that the president of Hawaiian Airlines was suspected of fraud, incompetent, and "did his dirty work like the Nazis in World War II." Konop also criticized labor concessions sought by Hawaiian Airlines and the pilots union, and encouraged blog readers to consider alternate union representation. The Ninth Circuit Court of Appeals determined that the content of the blog represented protected union activity and lacked the actual malice needed to make it defamatory.
• Lead by example. Many probably remember the trouble Whole Foods CEO John Mackey found himself in last summer when it was discovered that over the course of several years, he had submitted anonymous posts bad-mouthing competitor Wild Oats. Mackey did not reveal that he was disparaging Wild Oats at the same time the two progressive grocery brands were considering a merger. When Mackey was found out, the Federal Trade Commission stepped in and halted the merger until it could assess what damage Mackey's postings might have had on Wild Oats' financials. While the merger eventually closed, the Securities and Exchange Commission is still investigating Mackey's postings -- a development that is likely the subject of many postings.

I wonder how many of you have Internet posting policies. 

Do they include blogging?

How many of your clients understand their risk in employee blogging? 

 

• Email This
• Print
• Comments & Questions
• Trackbacks

<  Mark Fass has an excellent article on the divorce woes of Frank Moore. Ms. Moore filed for divorce citing cruel and inhuman treatment, including an extramarital affair. According to her attorney, she found "hundreds and hundreds of pages" of “really salacious instant message conversations” on a laptop computer Mr. Moore left in the trunk of a car. The parties disputed the ownership of the laptop: Ms. Moore saying it was used by the family and Mr. Moore saying it was issued by his employer for his use. Ms. Moore wanted to use these messages to support her claim. Mr. Moore argued that she had improperly seized his computer.

New York Supreme Court Justice Saralee Evans ruled that Ms. Moore had done nothing wrong and she cited the “filing cabinet” analogy put forth in Byrne v. Byrne, 168 Misc.2d 321. She went on to say “Ms. Moore's actions also did not constitute computer trespass or using a computer without authorization, as the files were on a readily accessible computer.”  The judged ruled that the laptop was subject to discovery.

Note that the messages were in plain sight and discovered by a casual user not extracted by a forensic specialist. Users of text messaging and email often seem to feel invisible, as if no one will know what they have written. I have seen some truly extraordinary sentiments put in email and text messages. I suggest you don’t email or text anything you wouldn’t want your mother or boss to read or to see written in lights in Time Square!

 

• Email This
• Print
• Comments & Questions
• Trackbacks

  The ease at which data in the Information Age can be stored and deleted is both a blessing and a curse.   We create new letters, new invoices, and new emails. We clean out old emails, buy new and bigger hard drives, and archive old reports.  Our IT staff (if we have one) rotates backup tapes. We update databases, usually over-writing what was there before. We delete old files (or at least we should!) to make room for more. We defragment our drives to speed up our computer’s responsiveness. We use spam filters to delete, or at least hide, unwanted email and advertising. 

But what if, in these day-to-day processes, we delete evidence relevant to litigation that is pending or that we should have known about?

The e-discovery amendments to the Federal Rules for Civil Procedure recognize the concept of reusing computer resources and include the concept of a Litigation Hold. As soon as a party knows of, or should have known of, pending litigation, it must stop all activities that could delete relevant information and preserve all potentially relevant electronically stored information (ESI).

As the trial attorney, how do you get the word out to your client to stop deleting potential evidence? The answer is a Litigation Hold Notification. The plaintiff attorney should issue such a notification to his/her client and to opposing counsel. Such notices should also spell out whether there are any requirements to preserve new ESI as well.   In my next blog, I will discuss the need for clients to have a Litigation Hold Plan, but attorneys need to be prepared to ensure that ESI is preserved. In real life, that often means creating a preservation plan for the first time.

But the attorney’s responsibility doesn’t stop with just issuing the letter. As Judge Scheindlin told the UBS Warburg attorneys in the Laura Zubulake case, counsel has an affirmative responsibility to ensure that ESI is being preserved. This affirmative responsibility means repeatedly contacting the major players to remind them of the responsibilities and auditing their compliance. A single letter just won’t do it in the light of Judge Scheindlin’s ruling.

One solution is for the trial attorney to have an e-Discovery Liaison or e-Discovery Coordinator. This can be someone in the firm or an outside technical expert. Another approach is to have a team (I often call it a SWAT team) within the client’s organization. This team has the responsibility for creating, documenting, and monitoring the company’s ESI preservation policy.

One thing is clear, the role of the trial attorney is changing.  I believe the attorney who knows the most about e-discovery, and about this changing role, will have an upper hand in litigation. 

• Email This
• Print
• Comments & Questions
• Trackbacks (2)

  When I start speaking at conferences and CLE seminars on the need for ESI Plans (also called Document Retention and Destruction Plans), eyes start glazing over.  I know it is not a glamorous topic.  I know that it seems like expensive drudgery.  I know it doesn't seem contribute to a client's ROI.  But cases are being lost because of missing and inadequate ESI Plans.

In Jerily Quon et al. v Arch Wireless and the City of Ontario, et al. the issue was text messages sent and received on City-owned pagers.  These pagers had a 25,000 character limits that were sometimes exceeded.  Employee text messaging was not monitored or audited, although it was supposed to be for City business and not for personal benefit or gain.  Employees were told that their usage would not be audited if they paid the overage any time there was one. They had been paying the overages when they occurred. 

The "bill collector" got tired of this role and conducted an audit, ostensibly to see if the 25,000 character limit was sufficient.  A major point in the opinion was that the employees had a reasonable expectation of privacy because of the "no-audit-if-you-pay-overage" policy.  Since several of the messages were of a sexual nature and between a husband and wife, I assume they did expect privacy.

The Ninth District ruled that the City had no right to the text messages.  As with many opinions, the discussion is complex and involves multiple concepts and precedents.  I'll let attorneys mull this one over, but I will comment on its practical implications. 

How did it happen?  The ESI policy was out of date and made no reference to text messaging.  The "Bill Collector" established a policy in practice that was not in writing and not approved.  The written policy was clear that employees had no expectation of privacy concerning files stored on the City's servers, but the text messages were stored on the Arch Wireless servers. 

I've read at least one blog arguing that now employers have to start paying to archive anything their employees store at a third party location.  It's not the third party location that is the issue, it is the ESI policy that told employees they had a reasonable expectation of privacy at that third party site.

I'm interested in hearing about what organizations are actually doing to create and update their ESI policies AND what law firms think their role should be in encouraging the practice.

• Email This
• Print
• Comments & Questions
• Trackbacks

  I've been concerned about the "safe harbor" rule in the FRCP e-discovery amendments.   The amendments acknowledge that it is normal to destroy ESI.  Examples include updating an address in a database, recycling backup media, and overwriting deleted files.  The rules say that if you are in litigation, if you have deleted relevant ESI, and if you can demonstrate it was done in the routine course of business and in good faith, then the safe harbor rule protects you from sanctions.

The way to do this is with a Document Retention and Destruction, "DRD" policy plus a monitoring plan that shows that you follow the policy.

Large organizations who are regularly in involved multiple litigations quickly understood the need for positioning themselves to take full advantage of the safe harbor rule.  But smaller companies don't always understand the importance of bringing their business practices into compliance.

I urge attorneys to do their clients a favor and tell them about this risk.  Small "Mom and Pop" businesses can get by with a Word document and a spreadsheet.  Larger organizations will require larger systems, but there are many options available.

Have your clients look at it this way: keeping old materials out of their files and hard drives is good business. They save money, have less risk of exposing confidential information, need new computer storage less often, and have the peace of mind that if the unthinkable-the dreaded litigation-comes along, they are prepared and protected. I tell my clients that systematically destroying old documents is like brushing your teeth twice a day, good business hygiene.

Savvy judges are on the DRD bandwagon: "I'm telling you, as long as you have a defensible, documented plan for ESI in place, you shouldn't have to worry…." Judge Lee H. Rosenthal of the U. S. District Court for the Southern District of Texas.

• Email This
• Print
• Comments & Questions
• Trackbacks

   

I have been concerned for some time that corporate clients are not getting the message about preparing for e-discovery.  Organizations that are in frequent litigation seem to understand the issues, but they are not necessarily prepared.  In a survey of in-house counsel, Kroll Ontrack found that only 25% of these counsel felt they were prepared for e-discovery.  Half of the counsel said they did not have an ESI policy.

Baseline has provided an excellent article-from the IT staff's point of view-on the need to prepare for e-discovery.  I recommend it to IT departments of both corporate clients and law firms themselves.

I'd like to hear what the various IT departments have to say about it.

• Email This
• Print
• Comments & Questions
• Trackbacks