Understanding e-Discovery Data Types and Collection Costs
In this post, Corporate Technology Counsel for Fios, Mary Mack, discusses the differences between electronic discovery and computer forensic services, and gives some tips for choosing which service to employ for different types of matters.
With the rapid growth of electronically stored information (ESI), even well-informed lawyers and support teams are often unclear about the differences between computer forensics and electronic discovery. The differing processes of collecting and reviewing ESI involve varying levels of technological sophistication, data interpretation and costs. The choices made about which type of collection service to use will depend on the matter at hand.
While negotiating the scope of discovery in the early "meet and confer" stages, you may already have limited the potentially responsive data universe to a certain type of data. The following table outlines the four main types of data and their characteristics:
Data Type Cost of Collection Characteristics
Data Type |
Cost of Collection |
Characteristics
|
Active |
Easiest to get, least costly. |
Documents that "actively" reside on the custodian's computer hard drive or other storage device. Active documents are generally those that you can see in a file manager or explorer type of tool. Examples include e-mail and standard office documents like word processing and spreadsheets.
Active files are generally easy to access and collect. Challenges include dealing with large volumes of data and preserving file date information. Most requests for production ask for active files.
|
Archival
|
Requires restoration, costs vary on volume and backup |
Documents and files stored, often in a compressed format, on off-line devices, including backup tapes or disks, floppies, and optical media. Archived documents are harder and more expensive to retrieve than active documents because they often require restoration, have complex file structures or are on media that can't be accessed at high speeds. Challenges include dealing with old backup formats or tapes that are not cataloged.
De-duplication is an additional challenge when faced with multiple backups of the same set of data over time.
Lines are being blurred with the widespread acceptance of "near line" storage where "archives" are written to an online media, for speed of disaster recovery or automatic failover.
This data is often deemed "not reasonably accessible". Sampling may be helpful for quantifying costs, time and likelihood of non duplicative discoverable data.
|
Forensic |
Most expensive, Requires special tools |
Documents and files that are hidden or have been erased, fragmented, or damaged, and that can reside on either on-line or off-line storage devices. Forensic collection provides the most detail and is the only approach for retrieving deleted or fragmented files; however, it requires an expert to operate special tools and is time consuming.
Collect forensically when you need maximum preservation protection, such as when you are responding to a specific event like a wrongful termination law suit. Often, the only way to collect data from a PDA is forensically. Due to cost and/or exposure, opposing counsel is usually not willing to provide forensically collected data, but as with archival data, will need to document this burden in the FRCP 26(f) meet and confer conference. Typically, the requesting party will be required to bear the cost of forensic collection.
|
Legacy |
Tools may no longer be available; may need experts
|
Documents or files contained in very old systems that are no longer in use, but may have been mothballed and still can be turned on. Many systems from prior to Y2K fall into this category. Also data on extremely old media where equipment is no longer common to read them.
|
Sedona Principle 9:
Absent a showing of special need and relevance, a responding party should not be required to preserve, review, or produce deleted, shadowed, fragmented, or residual electronically stored information.
Is It Always Necessary to Collect Forensically?
There are many factors to consider before collecting forensically. The legal team will need to assess the case, the jurisdiction, the custodians, data types and the judge to determine whether forensics are warranted. Factors include whether sanctions have already been applied, the trust level for custodians, whether the case is criminal or quasi criminal and other such considerations.
The following chart can assist your decision making:
e-Discovery vs. Computer Forensics
Factors |
e-Discovery |
Computer Forensics
|
Number of reviewers |
Hundreds at a time |
One at a time |
Location of reviewers |
Geographically dispersed |
One place |
Type of data |
Live (unless other data provided by forensics partner) |
Live, resurrected, reconstructed fragments |
Recover deleted files |
No (unless provided by forensics process) |
Yes |
Recover Web-based e-mail, instant messages |
No (unless provided by forensics process) |
Possibly |
Encrypted and password-protected files |
Yes |
Yes |
Testimony |
Fact (protocol) |
Opinion (expert) |
Who conducts and refines aearches |
Legal team and/or vendor |
Forensic technician |
Search time |
Minutes |
Hours or days |
Type of collection |
Bit image and/or copy |
Bit image only |
Downtime of client computers |
Sometimes |
Usually |
Chain of custody forms |
Yes |
Yes |
Special collection tools |
Yes |
Yes |
Testifying expert necessary |
Seldom |
Often |
Cooperation of IT staff |
Yes |
No |
File Listings and structures |
Yes |
Yes |
Metadata |
Yes |
Yes |
Production |
Native file, print, Web review, litigation support load files with images and searchable text |
Native file, print |
The above information comes from Chapter 6 of Fios' newly re-written book, "A Process of Illumination: The Practical Guide to Electronic Discovery" by Mary Mack. The completely re-written book will be available for purchase in mid-July on Amazon.com.
Additional Resources
Instant Messaging, Preservation and e-Discovery Collection Obligations
Instant messaging presents a new set of technical and legal issues in the discovery process, much like e-mail did a few years ago. Download now >
About the Author:
Mary Mack, Esq.
As Corporate Technology Counsel for Fios, Mary Mack has more than 20 years experience delivering enterprise-wide electronic discovery, managed services and software projects with legal and IT departments in publicly held companies. She is a hands-on strategic advisor to counsel for some of the largest products liability class actions, government investigations and intellectual property disputes. A member of the Illinois Bar, ACC and the ABA's Section on Litigation, Mack received her J.D. from Northwestern University School of Law (1982) and a B.A. from Le Moyne College in Syracuse, NY. She holds certifications in Computer Forensics and Computer Telephony. Mack is one of the leading speakers and authors on e-discovery issues, technology and the law. She is co-author of eDiscovery for Corporate Counsel, published by West; author of the popular book, A Process of Illumination: The Practical Guide to Electronic Discovery; and hosts the blog, Sound Evidence, featured on DiscoveryResources.org.