Avoiding Common Collection Blunders

Electronic discovery is filled with pitfalls and mistakes that can be avoided with proper planning and preparation. One area that can have the greatest impact on the defensibility and the cost of e-discovery is evidence collection. The effective execution of this phase will go the farthest in improving overall e-discovery success while lowering associated risks. In other words, if data is harvested and restored in a legally defensible, forensically sound manner, then the overall project will have a much better chance of achieving a favorable or expected outcome. Following are some common mistakes often encountered in e-discovery ' and some advice on how to avoid them.

Blunder #1

On-Site Collection Must Begin Now

A major law firm was representing a client in a backdating investigation. In facilitating the e-discovery process, the law firm was directing the collection of evidence with its client. Without consulting the client's IT department, the firm insisted on having a collection team on site to gather evidence from 30 custodians comprising more than 250 gigabytes of data. When the collection team arrived, the client wasn't ready. While some of the custodians were available, the IT department wasn't prepared to have an outside, third party inside its operations area. The collection team waited a full day before collection could begin and then had to wait for the other custodians to show up the following week. What should have been a two- to three-day collection ended up taking more than two weeks and costing five times more than budgeted.

Lessons Learned

Including IT early in planning will help ensure that the legal team, internally at the client and at the law firm, fully understands what's going to happen on collection day and what preparation must take place prior to having the 'strangers' come into the facilities to access computer systems. They will also be able to develop more realistic timeframes and better understand the following:

• Where the custodians are located, and what's the best time to collect the evidence with minimal disruption to the core business;
• Whether the client's IT staff have the bandwidth and the technical acumen to collect the evidence in a legally defensible, forensically sound manner;
• Whether the client's IT staff have access to the right tools to harvest data correctly; and
• Whether the client will need third-party training or supervision when harvesting the data.

Blunder #2

IT Is Already on It

A Fortune 500 company was facing a major class-action lawsuit involving 100 custodians and more than a terabyte of potentially relevant evidence. In preparation, the IT department had begun collection using off-the-shelf software and hardware, such as Norton Ghost and Simple-Tech backup hard drives. An initial testing of 10 custodians' collected drives showed that the hard drives were bad and that the evidence metadata had been altered. When seeking technical support from the manufacturer, the company learned that the software that came with the hard drives was no longer supported and that the systems were primarily intended for migration, not for e-discovery. The IT department had purchased 300 of these hard drive/software combinations with the intention of using them for other pending discovery matters. As a result, the client hired a third-party vendor to collect the data again from the initial 10 custodians, plus all the others. The process added an extra two weeks to the preservation process, plus wasted IT time and expense that could have been spent on routine business operations.

Lessons Learned

Most IT departments are tech-savvy enough to run an empowered collection on their own with minimal interaction from a third party. But sometimes, to reduce risk, it might be wise to have the IT staff receive training on a particular tool set or have an outside third party provide minimal supervision at the beginning of the collection. In determining how a collection should be performed and when it should begin, it's important to understand the following:

• The type of matter that data is being collected for, and how much data volume is anticipated;
• The anticipated discovery production dates;
• How soon the legal team needs the evidence;
• Any barriers to collecting the evidence;
• Whether data-restoration services will require any type of forensic analysis;
• Whether deleted files, file fragments or third-party e-mails are important aspects of the case;
• Whether data must be collected from non-traditional systems, as well as workstations, e-mail servers and shared file systems; and
• Whether any other loose media will need to be collected (e.g., CDs, DVDs, USB flash drives, PDAs).

Knowing these elements prior to harvesting evidence will save time and money when responding to discovery, and can drastically lower the risk of collecting too little or too much data.

Blunder #3

Forensic Images Are a Must

A major law firm was representing a Fortune 500 company in a product-liability lawsuit. The law firm insisted on having forensic images, versus forensic copies, taken of all 120 custodians' computer systems' hard drives. Following the collection, the drives were sent to the e-discovery service provider, who then had to restore all the files on the collected 120 hard drives into active files so they could be processed and prepared for review. The time and cost for the e-discovery collection and restoration stage of the project doubled.

Lessons Learned

There's a vast difference in process time when creating a bit-by-bit forensic image of a hard drive, which is stored in one or more binary container files, versus creating a forensic copy of the live data. Forensic images cannot be immediately loaded and processed into discovery platforms, like Prevail, and must be restored at additional time and expense before any such processing. Forensic copies are immediately loadable and processable, and require no further restoration. The only difference in data content between the two is that a forensic image can allow for recovery of deleted files or file fragments. For most large e-discovery matters, creating a forensic copy of live files from potentially relevant repositories will be more than adequate. In order to determine which approach is necessary, one must understand the details of the matter at hand and what level of collection is needed for defensibility. For example:

• How much extra will it cost for a forensics collection ' in time and in money?
• What does the client hope to accomplish by conducting a full forensics collection versus creating a forensic copy?
• Is the recovery of deleted files or partial file fragments needed?
• Is this a criminal matter or a quasi-regulatory investigation where there's a possibility of impropriety by one of the custodians?
• Is this an intellectual property matter in which there's a possibility of theft or abuse?
• Have company policies been abused or has a contentious situation been created due to an employee departure? and
• Does the full forensics collection need to be done on all custodians or just a few select key targets?

These requirements need to be discussed with the third-party experts prior to the start of collection. And these are all part of the planning that should be done, in partnership, among the law firm, the client, the client's IT department and the e-discovery services provider.

Electronic discovery is filled with pitfalls and mistakes that can be avoided with proper planning and preparation. One area that can have the greatest impact on the defensibility and the cost of e-discovery is evidence collection. The effective execution of this phase will go the farthest in improving overall e-discovery success while lowering associated risks. In other words, if data is harvested and restored in a legally defensible, forensically sound manner, then the overall project will have a much better chance of achieving a favorable or expected outcome. Following are some common mistakes often encountered in e-discovery ' and some advice on how to avoid them.

Blunder #1

On-Site Collection Must Begin Now

A major law firm was representing a client in a backdating investigation. In facilitating the e-discovery process, the law firm was directing the collection of evidence with its client. Without consulting the client's IT department, the firm insisted on having a collection team on site to gather evidence from 30 custodians comprising more than 250 gigabytes of data. When the collection team arrived, the client wasn't ready. While some of the custodians were available, the IT department wasn't prepared to have an outside, third party inside its operations area. The collection team waited a full day before collection could begin and then had to wait for the other custodians to show up the following week. What should have been a two- to three-day collection ended up taking more than two weeks and costing five times more than budgeted.

Lessons Learned

Including IT early in planning will help ensure that the legal team, internally at the client and at the law firm, fully understands what's going to happen on collection day and what preparation must take place prior to having the 'strangers' come into the facilities to access computer systems. They will also be able to develop more realistic timeframes and better understand the following:

• Where the custodians are located, and what's the best time to collect the evidence with minimal disruption to the core business;
• Whether the client's IT staff have the bandwidth and the technical acumen to collect the evidence in a legally defensible, forensically sound manner;
• Whether the client's IT staff have access to the right tools to harvest data correctly; and
• Whether the client will need third-party training or supervision when harvesting the data.

Blunder #2

IT Is Already on It

A Fortune 500 company was facing a major class-action lawsuit involving 100 custodians and more than a terabyte of potentially relevant evidence. In preparation, the IT department had begun collection using off-the-shelf software and hardware, such as Norton Ghost and Simple-Tech backup hard drives. An initial testing of 10 custodians' collected drives showed that the hard drives were bad and that the evidence metadata had been altered. When seeking technical support from the manufacturer, the company learned that the software that came with the hard drives was no longer supported and that the systems were primarily intended for migration, not for e-discovery. The IT department had purchased 300 of these hard drive/software combinations with the intention of using them for other pending discovery matters. As a result, the client hired a third-party vendor to collect the data again from the initial 10 custodians, plus all the others. The process added an extra two weeks to the preservation process, plus wasted IT time and expense that could have been spent on routine business operations.

Lessons Learned

Most IT departments are tech-savvy enough to run an empowered collection on their own with minimal interaction from a third party. But sometimes, to reduce risk, it might be wise to have the IT staff receive training on a particular tool set or have an outside third party provide minimal supervision at the beginning of the collection. In determining how a collection should be performed and when it should begin, it's important to understand the following:

• The type of matter that data is being collected for, and how much data volume is anticipated;
• The anticipated discovery production dates;
• How soon the legal team needs the evidence;
• Any barriers to collecting the evidence;
• Whether data-restoration services will require any type of forensic analysis;
• Whether deleted files, file fragments or third-party e-mails are important aspects of the case;
• Whether data must be collected from non-traditional systems, as well as workstations, e-mail servers and shared file systems; and
• Whether any other loose media will need to be collected (e.g., CDs, DVDs, USB flash drives, PDAs).

Knowing these elements prior to harvesting evidence will save time and money when responding to discovery, and can drastically lower the risk of collecting too little or too much data.

Blunder #3

Forensic Images Are a Must

A major law firm was representing a Fortune 500 company in a product-liability lawsuit. The law firm insisted on having forensic images, versus forensic copies, taken of all 120 custodians' computer systems' hard drives. Following the collection, the drives were sent to the e-discovery service provider, who then had to restore all the files on the collected 120 hard drives into active files so they could be processed and prepared for review. The time and cost for the e-discovery collection and restoration stage of the project doubled.

Lessons Learned

There's a vast difference in process time when creating a bit-by-bit forensic image of a hard drive, which is stored in one or more binary container files, versus creating a forensic copy of the live data. Forensic images cannot be immediately loaded and processed into discovery platforms, like Prevail, and must be restored at additional time and expense before any such processing. Forensic copies are immediately loadable and processable, and require no further restoration. The only difference in data content between the two is that a forensic image can allow for recovery of deleted files or file fragments. For most large e-discovery matters, creating a forensic copy of live files from potentially relevant repositories will be more than adequate. In order to determine which approach is necessary, one must understand the details of the matter at hand and what level of collection is needed for defensibility. For example:

• How much extra will it cost for a forensics collection ' in time and in money?
• What does the client hope to accomplish by conducting a full forensics collection versus creating a forensic copy?
• Is the recovery of deleted files or partial file fragments needed?
• Is this a criminal matter or a quasi-regulatory investigation where there's a possibility of impropriety by one of the custodians?
• Is this an intellectual property matter in which there's a possibility of theft or abuse?
• Have company policies been abused or has a contentious situation been created due to an employee departure? and
• Does the full forensics collection need to be done on all custodians or just a few select key targets?

These requirements need to be discussed with the third-party experts prior to the start of collection. And these are all part of the planning that should be done, in partnership, among the law firm, the client, the client's IT department and the e-discovery services provider.