Here's another installment of my outline of Electronic Discovery and Digital Evidence in a Nutshell, the second edition of the West Academic guide to electronic discovery law in the United States authored by Judge Shira Scheindlin (the judge in the Zubulake v. UBS Warburg) and members of the Sedona Conference. Tonight's outline covers Chapter IV on the Collection of ESI. An outline of the previous chapter was posted on December 6, 2016.

IV. Collection of ESI

A. Searching All Appropriate Sources

- Relevant ESI may be preserved in place, but not necessarily physically collected.

- Peskoff v. Faber (D.D.C 2006) - adequate search not performed by collecting emails from hard drive. Must also collect emails from:

1. email account

2. email inboxes, sent items of other employees

3. should search for keyword on all files on a hard drive.

4. emails may be recoverable from slack space.

- Obligation to search all emails, does not mean that they all have to be reviewed. i-Med Pharma v. Biomatrix (D.N.J. 2011) broad search terms find 95M pages of data in unallocated file space. Court relieves of burden to review because:

1. burden outweighs value of the data.

2. no evidence that data was relevant.

3. sheer vast number of results.

B. Custodian Based Collection

- Custodian may not be aware of shared drives, cloud based applications, or informal back-up media. IT staff may be more adept at searching and extracting ESI, but have no knowledge of its content.

- BreathableBaby v. Crown Crafts (D. Minn. 2013) - court order to reopen discovery after party refused to search by agreed upon keywords and instead instructed custodians to search 'everything'.

- Nat'l Day Laborer Org. v. U.S. ICE (S.D.N.Y. 2012) re-do of search ordered where government agencies responding to FOIA request didn't record search terms, how it combined them, and whether it searched full text of documents.

- Procaps v. Patheon (S.D. Fla. 2014), Court granted Patheon’s motion for a forensic analysis of Procaps’ electronic media because it permitted its personnel to self-search for ESI without ever seeing Patheon’s discovery requests or without receiving a list of search terms from its counsel.

C. Role of Outside Counsel

- case law does not reject custodian based collection, but instead emphasizes the importance of supervision of the process by counsel.

- Phoenix Four v. Strategic Res. Corp., (S.D.N.Y. 2006) - counsel sanction when unproduced relevant ESI was discovered on partitioned section of server.

- Qualcomm v. Broadcom (S.D. Cal. 2008) - witness testimony at trial that highly relevant emails were not produced. Lawyers sanctioned when 46K emails and documents not produced and no substantial justification for failure to do so. Qualcomm did not est. that it searched computers and databases; after the trial Qualcomm did not conduct an internal investigation; organization has obligation to confirm that person who is testifying as the most knowledgeable person on a subject has that knowledge. Court found it likely that lawyers chose not to look in the correct locations, and did not press Qualcomm employees for the truth. Sanctions against attorneys later vacated, but not against Qualcomm.

D. Forensic Collection

- Unsupported suspicion that responsive ESI may be missing or had been tampered with is not sufficient justification to require forensic collection.

- “mere skepticism that an opposing party has not produced all relevant information is not sufficient to warrant” John B. v. Goetz (6th Cir. 2008).

- Forensic collection warranted when:

1. File has been deleted but recovered is possible.

2. ESI may have been tampered with.

3. important to show ESI usage activity and patterns.

4. Necessary to authenticate a file to show that represented time of creation is accurate.

- Ameriwood v. Liberman (E.D. Mo. 2006) mirror image ordered with computer alleged to have been used to commit the wrong.

E. Collecting Data from Nonparty Hosts

1. Websites and Social Media

- individuals may erroneously believe that the privacy settings on their social media accounts mean that the information is immune from discovery.

- EEOC v. Simply Storage (S.D. Ind. 2010) - scope of production of SNS (social networking sites):

a. SNS content is not immune because it is locked or private.

b. SNS content must be produced when relevant to a claim or defense but not everything must be disclosed

c. “allegations of depression, stress disorders, and like injuries do not automatically render all SNS communications relevant.”

- Romano v. Steelcase (Sup. Ct. Suffolk Co. 2010) - no reasonable expectation of privacy in SNS.

- Facebook Procedures for Parties to Produce FB Accounts:

a. Stored Communications Act prevents private parties from obtaining account contents with subpoenas. Can satisfy discovery requests by using 'Download Your Information' tool. FB may attempt to restore access to deactivated accounts but it can't recover deleted content.

b. FB may provide basic subscriber information when it is indispensable to a case and not within a party's possession, upon service of a valid federal or California subpoena.

2. Mobile Devices

- Technicians must temporarily take possession of devices and image the data. Problems stemming from this can be avoided by Company Owned Personally Enabled 'COPE' policies that allow for data to be access remotely by the employer for preservation and collection.

3. Cloud Computing

- online remote data storage - reducing the need for massive servers

- online remote backup - reducing need for large collections of backup media.

- cloud based applications - reducing the need for technical support staff.

F. Data Collection Checklist

1. Initial Steps

- identify types of records likely to be relevant to claims & defenses.

- identify custodians likely to possess or have knowledge of these records.

- identify information services personnel who can locate custodial and non-custodial sources.

- identify email admins; hardware support personnel, system maintenance, back-up tapes; application & data admins

- identify 3rd party service providers with data in custody & control.

2. Investigating Custodians

- Ask about hardware, mobile devices, email, productivity software, office management software, instant messaging, text messaging, collaborative software, voicemail, databases, server/mainframe applications, internet browsers, publicly available third party platforms (e.g. Facebook, Linkedin), organization-supported platforms (e.g. Yammer or internally created with SharePoint), blogs, email.

- retention of final and draft documents on drives or servers.

- retention of downloaded files

- retention of files on mobile device

- use of removable media

- use of third party storage sites (e.g. Dropbox).

3. Investigating the Hardware Environment

- determine on the enterprise level where records are: use of desktops, laptops, tablets; networks with servers; use of mainframes; use of mobile devices; use of removable media; and use of voicemail systems.

4. Investigating Backup Systems and Archives

- existence of backup media

- frequency of data backups

- schedules for overwriting backup media

- locations of backup media

- process to restore backup media

- backup media solely for disaster recovery.

- existence of archived historical data.

- retention periods for archived historical data.

5. Investigating Applications and Databases

- CAD applications replacing blueprints

- quality assurance applications; financial records; supplier bidding and purchasing applications; product distribution and sales databases; litigation related databases; government relations databases; etc..

6. Investigating Electronic Communication Systems

- overview of systems structure and capabilities

- volume of traffic

- maintenance and retention of message logs.

- retention period for unread messages.

- autodelete settings.

- frequency of overwriting deleted items.

- shared systems with service providers, suppliers or corporate family.

- policies regarding storage of email