About the Expert:

Thomas Plunkett has more than 20 years of experience specializing in forensic investigations involving network intrusions, hacking, malware and network inside threats. Mr. Plunkett has provided expert consulting in both civil and criminal cases and has lead incident response teams to address major breaches at large private and public organizations. Tom has also lead digital forensics investigations involving deleted data from mobile devices, suspected hacking and network intrusions. Clients have included law firms, state, local, the federal government, high-tech firms and many more. Tom writes and presents MCLE training presentations covering forensics and electronically stored information.

Transcription:

Rochelle: Good afternoon and welcome to today's presentation, "Ethical Duties and Electronically Stored Information." The information presented by the expert is not to be used as legal advice and does not indicate a working relationship with the expert. All materials obtained from this presentation are merely for educational purposes and should not be used in a court of law sans the expert's consent, i.e., a business relationship where she or he was hired for your particular case.

In today's webinar, Tom will discuss overview of formal opinion 205-193 timeline of a case example cases for reference. To give you a little background about our presenter, Thomas Plunkett has over 20 years of experience specializing in forensic investigation involving network intrusion, hacking, malware and network inside threat. Mr. Plunkett has provided expert consulting in both civil and criminal cases and has led incident response teams to address major breaches at large private and public organizations.

Tom has also led digital forensic investigations involving deleted data from mobile devices, suspected hacking and network intrusions. Clients have included law firms, state, local, the federal government, high tech firms and many more. Tom writes and presents MCLE training presentations covering forensics in electronically stored information. Attendees who require passwords, the word for today is "Ethical." During the Q&A session we ask that you enter this passcode into the Q&A widget for CLE reporting purposes. The Q&A is located to the left of your screen.

Please remember that if you are applying for CLE credit, you must log into your computer as yourself and stay for the full 60 minutes. You're also required to complete the survey at the end of the program. Please note that CLE credit cannot be given to those watching together on a single computer. Tomorrow morning, we will send out an email with a link to the archived recording of the webinar. The slides can be downloaded from the resource list located at the bottom of your screen. Thank you all for attending today. And, Tom, the presentation is now turned over to you.

Thomas: All right. Thank you very much, Rochelle. Hopefully everybody can hear me. Again, this is Thomas Plunkett. I am the Director of Digital Forensics for a company called Archer Hall out here in California. Been here for just over two years. I've been working in, obviously, thanks for the introduction. I've been working in IT cybersecurity digital forensics for since around 1995, actually, so round about 25 years now. I also teach at University of San Diego in the Masters degree program for cybersecurity leadership. So, if you have any [inaudible 00:02:44] out there, just let me know.

A little bit about Archer Hall. We're a firm of about 50 people, again, based out of Sacramento here in California. I am in Southern California. I run all the operations in say Orange County, LA, and just generally Southern California area. We work in business litigation, employment law, just about any type of law you can think of. We do a lot of family law, some criminal work. And we have some contracts with some of these schools, including University of California. I've served as an expert witness every now and then. A couple of times last year I've been on the stand.

Let's see. That's probably enough about myself and Archer Hall. You guys are here to get the presentation on ethical duties and electronically stored information. So what we're gonna do is we're gonna go through some definitions specifically about what is ESI? We'll talk about forensics a little bit, we're gonna go into some metadata. And then we're gonna move into what we call is the nine skills of competency. I'll tell you most of the data and most information in this presentation was designed for California. We have to get those ethics credits out here. And California State Bar put out the formal opinion 2015-193 which states what are your ethical duties that applies to ESI and e-discovery. So I'm gonna use that as the framework for this presentation.

But I believe most of what's in there applies to all attorneys anybody working within the law and dealing with ESI. The last section is, I call it the other considerations with ESI. As I go through the presentation, like I usually give the slide and I get a lot of questions. So I prefer to get that. So please do ask questions as we go through. And when we get to this point, usually at the end of the hour. So we'll step through it as necessary. I may end up skipping through a few things here. But this is really just some of the things that you need to consider when dealing with ESI and e-discovery.

I'll give you... There's some a few cases that dealt with some fun experience, sort of interesting experiences that I'll share with you. All right, so get ready. Let's get started. So what is electronically stored information? So the term electronic stored information or ESI, of course, that's all the, all that data that resides on the electronic media, whether it's hard drives, floppy disks, CDs, DVDs, what have you. We have in here floppy disks. I don't know if we can... We can't do a hand raising thing here. But I imagine most of you probably haven't even seen a floppy disk recently.

Surprisingly enough over the past five years I've actually had two disk or two floppy disk cases where I've had to pull data off of them. One was actually a sort of boot sector virus hadn't fixed on a floppy disk on a medical device. Another one just came in this week. And, essentially going back and digging out the content from these old applications that are relevant to the e-discovery. So you never know what you're gonna come across.

Other things, we like to talk about e-discovery or ESI in terms of sources and the different types. These are all the sources here. So, Cloud services, social media, mobile devices, data centers. Here's another nice little slide that gives you a nice list of a lot of different data sources that are out there, and how to kind of map your way through it and discover the different sources where your ESI may reside.

But as you get into your investigation or you discover new cases, it pays to think outside the box a little bit as far as what are the sources that are gonna be involved? Again, of course it's laptops, desktops, those are fairly common. Almost every case you're gonna have is gonna have a laptop, desktop, mobile phone, or some email. Other things that you may not consider, of course, cloud services. A huge data source nowadays. What about IoT devices? Things like your Apple Watch, or Fitbit?

I have had cases where maybe it's a personal injury or an accident case and dealing with insurance. How fast was somebody moving at a time? Were they walking into the right place? Or were they walking to a place where they shouldn't be? Or riding a bicycle in a place they should or should not be? What was their general health? Were they having a heart attack at the time of an accident? Or were they using their Amazon Alexa to order something? Can you tell what room they're in during a certain time?

So IoT devices, I deal with those a lot more lately. Other things that you may not really consider are things like, well, let's see, vehicles. Vehicles have the vehicle Canvas onboard computer system, computing system. It has things like diagnostics or when does somebody put on the brakes, how fast was somebody going? A lot of insurance companies have devices that can plug into the port right there under the dashboard that allows us to get some of that information.

Even the infotainment system. We actually had a case about a year and a half ago, actually a little over two years ago now where somebody's Tesla was stolen. And the thief was bright enough to connect their phone up to, via Bluetooth, to the infotainment system. And we were asked to try to figure out who that person was based on maybe some of the saved contacts from their...good point there. If you ever rent a car and you connect your phone via Bluetooth or USB, make sure you clear out your phone profile later. There might be some residual contact information leftover.

Let's see, other things. How about printers? I usually ask the question here about who would ever think of a printer as a source of ESI? Most people think of printers as just something that prints out a physical hard copy of paper documents. As you may know, a lot of printers and fax machines have memory on them, especially in say enterprise-level type of printers where anything that you can send a print job to from the network, it's going to have a log. And the log is gonna last for a period of time. It may be volatile, so it may have some time restraints on it. You also may be able to get information about who sent that print out? At what time? What exactly was being printed?

Maybe you're gonna reproduce a case of intellectual property theft based on what was coming out of that printer at a certain time. But really, the point of this slide and the point to talk about the sources is that there are many sources that are out there. Not all of the time are they obvious, and it just pays to think outside the box. Now, one last thing I need to bring up is video game systems. Actually, I had a case where I had to do some forensics on an XBox a long time ago, which was kind of interesting. It was a trade secret theft case. I'm not gonna talk about that now. But yeah, you never know what's gonna come up out there. Does anybody have any questions about the sources of ESI? And, let's see.

Rochelle: None as of yet.

Thomas: Excuse me, none as of yet?

Rochelle: No.

Thomas: And so, this next slide, not quite as fancy as the previous one. These are different types of ESI. So we've talked about consider ESI in terms of sources and types. So, type of ESI, things like email, PDF documents, Word documents, things like that. Pretty standard types of ESI. Of course, text messages, I would say about 8% of the text message or cases that deal with involve text messages now, especially family law cases, sexual harassment type of cases, anything like that. Lots of text messages out there.

Voicemails or recordings, even video. Think of YouTube, YouTube videos. Say 20 years ago, there wasn't a lot of YouTube videos out there we had to deal with. Now videos, in general, come up fairly often. We'll have to analyze, well, was this video doctored one way or the other? When was this created? Was somebody who's smart enough to film their crime spree? I have in here deleted content. And it's highlighted mainly because if you're collecting information and having a vendor process it, you wanna consider whether or not you want to get that deleted content.

But there's some extra effort that has to go in to processing data to get that deleted content. And just be aware that you may not always get a full document, even though it's been deleted and recovered. Sometimes we just get back portions or file fragments. Let's see, other things, computer logs. An important thing to remember about different data types, and ESI in general, is that a lot of times there's a lifespan on these. There's some issues that might be very, fairly volatile data.

Think of computer logs, specifically, on a Windows computer. My computer, for instance, has a security log that tells every time I've logged in, and it's set to grow up to 20 megabytes in size, which is not huge. For a single user computer, that'll typically give you about maybe a year, year, and a half worth of logs. But I've had cases where I'm collecting data from computers that are shared, say in a lab, and maybe 10-15 people use the same computer. Those logs turnover more quickly. So something to consider, the timeframe on the logs. It pays to collect things early and understand, say retention policies and lifespan of the different types of ESI that might be important to you. So, any questions on types of ESI? All right, I'm gonna move on. I'm gonna talk about... I'm sorry. Was there something there?

Rochelle: No.

Thomas: Okay, thank you. For e-discovery, or electronic discovery, this is really the process of locating, securing, and searching ESI. And we're gonna do it...we do it a number of ways, a number of tools we use out there. But specifically I wanna cover what's called the electronic discovery reference model or EDRM. So a lot of you are probably familiar with this. It's been around for a while. But if you don't do a lot of e-discovery, and you do get into a case where you need to do some e-discovery, this is a great little model to use to help design and form your processes.

I'll start off with there at the bottom you see volume, this volume wedge. What that indicates is that as you start at the beginning of the process, you have a large or a high volume of data. And as you flow through it, your goal is to reduce that volume. Similar is relevance, this green wedge. Compared to the volume, you have relatively low relevance of the data. And as you go through it, you end up with a low volume that's highly relevant to your case. That's all that means. And the first piece here, I don't really call this the stage but it's information governance. It's important for you to understand the intricate information governance policies of your clients.

Information governance, these are all those policies and procedures that your clients may have. One of the huge ones is retention policy. How long can, is data gonna stick around? A lot of times they might have a one-year or 14 months retention policy on an email server. Companies will do that to save space and save money and storage. You should really consider email like online email systems, not really as a data retention repo or data repository but as a communications tool. People who save data or save email should be saving them down to the desktops or some other similar platform. That is one philosophy for many companies out there.

Other things that would be covered in the information governance policy are backups, how often are things backed up? Where's the backup stored? How long are the backups stored? We get down to say tape backups, how often are those tapes turned over and reused? Or they even have things like we did take your digital signature. So, especially for attorneys working in the firms, it's gonna say something like, in your email footer or email signature, it's gonna say attorney-client privileged only. And it's gonna have some other language in there that helps identify this as possibly privileged information.

That's information governance. Again, pays to understand your clients' information governance policies. The next piece, or really the first stage of EDRM is identification stage. Identification is where you're determining the different sources and types of ESI you need to deal with, you're identifying custodians, at least your initial set of custodians, and coming up with key terms and date ranges for the relevant data that you're looking for. This is also a good time, let's again, have your meet and confer with opposing counsel to negotiate these key terms.

And I'll tell you as you're doing this, you're gonna want to test your terms as early as possible. So that's really the identification stage. Moving on, the next stage is preservation and collection. So preservation, this is the stage at which we are really taking the data we've identified, the ESI that we've identified, and making sure that it doesn't get deleted or otherwise modified. We do it in a number of ways. For instance, let's say your client uses Office 365 for email.

The paid versions of Office 365 allow you to have an e-discovery on piece of it. And you can put individual accounts, or the entire system, under a retention policy, or then even under a litigation hold based on dates or key terms or that individual account. And what that does, it allows somebody to go up, go throughout their day, and use their email as normal, delete things, move things around. But still, up on the server-side, that email stays and it's retained, whether it's deleted or not by the user on the client end. So that's what we call an in place preservation.

Other types of in place preservations might be, let's say there's a group share on the network to the IT group. We'll put that in a read-only mode, where nobody can actually delete anything but you can still access the data there. That's one way of doing it, in place preservation. Other types of preservation might be, we do a physical preservation of a desktop, laptop, or a cell phone. In these cases, we are actually getting a hold of that device, we are creating a forensic image of that device. And that is preserving it. And it's also known as a collection. We do a presentation and collection at the same time.

So, collection really is just going out and getting that data that's been preserved. I will say this, I wanna go back to preservation for a second. A lot of people think that you want to wait to preserve the data. You don't. You wanna preserve the data as early as possible due to the retention policies and the volatility of data. It's always better to preserve data and then not need it later. Sometimes you may settle or the case may be dropped and you don't even have to go to the collection stage. But you're always better off to have that data preserved as early as possible.

All right, the next stage is processing, review, and analysis. And if we look at that volume wedge, the yellow wedge again, this is really where the data starts getting culled down. It doesn't really happen in the presentation recollection, it starts right here. So processing. Processing is where we're taking the data that's been collected and we're preparing it to be analyzed and searched. So at this stage, we're doing things like indexing the data, or maybe converting it, doing something like, let's say we have a lot of scanned documents that are in an image file. And we're going to convert that or use optical character recognition to convert that into plain text that the computer can search. That way you can run key terms, what have you. Or even if they have voicemails or other recordings. People have used some transcription to get that information into something that we can process.

Analysis. This is where we're taking the process data or you can...things that haven't been processed this easily and analyzed for applying key terms, find date ranges, and other filters, such as privileged filters and really culling that. That's where we start really culling that data down. Once everything's been analyzed, we push that information into review. And this is where most of the attorneys and paralegals are really starting to see this data for the first time.

This is the final stage of culling. You're going through and maybe identifying false positives. So things that were keyword responsive but not relevant, or finding other privileged information that may not have been caught during analysis, or even redacting the data that is private information or confidential information that's still relevant but needs to be redacted. And once you've finished that review process, the data or the ESI goes into the production stage.

Of course, the production stage has taken all of the data that you've deemed relevant and provided that to the opposing side in a matter, or in a manner that's been agreed upon earlier, ensuring your meet and confer. It'll be in say TIFFs or native files. Sometimes a combination of both, or a load file for a particular review platform such as relativity. That's production. Last stage finally is presentation. And this is where you're taking all the data that you've reviewed and prepared and presenting it in court in a manner that helps out your case as best as possible.

Last thing I wanna note here is that you see all the arrows are kind of going to the right, but they also go back down and to the left back to the very beginning. That's because as it gets, especially at the review and processing stages, we're gonna find things like a person who was cc'd on an email who we didn't know about before. And they may become a new custodian. You have to go back to the identification stage and talk to them and find out how much do they know and how much data do they have? Maybe that's something we need to preserve and collect. So, this is a very cyclical type of model but it gets you down to the end at preservation or to presentation. So, any questions about e-discovery in general or the e-discovery reference model?

Rochelle: There is a question. Question, is there an industry-standard way of capturing text message conversations that's better than simply a series of screenshots?

Thomas: Yes, absolutely. And a great question. This is something I deal with all the time. And I do give a presentation on cell phones and cell phone preservations. So screenshots are really, in my opinion, a bad way of preserving those text messages. For one thing, you don't get the metadata. You can't prove that this screenshot hasn't been modified. The industry standard is to use a forensic tool to extract the data, the entire text message database from that device, and then search that database and extract out all the metadata and all the content from that.

We use a tool called Cellebrite. And there's a few others out there. Parabens is another well-known tool. But Cellebrite is kind of known as the gold standard. That's what most law enforcement uses for mobile device preservation. And most of the major forensics firms use Cellebrite. But great question and hopefully, that answers your question.

Rochelle: So we have another question. As a law firm with a data retention policy that requires deleting certain client files over time, what tools do you recommend to make sure that all files that are intended to be deleted are actually deleted and not recoverable?

Thomas: Oh, another great question. I'm just dealing with one of those types of cases right now. We have a client who have...they're in litigation, they have a 14-month retention policy. I'm supposed to be making sure everything is deleted. And our job was to go in and look at their systems and verify their retention policies. What we found was that a lot of the data they thought they were deleting was still either easily recoverable or even forensically recoverable.

So, that being said, the question is really how do you do that? How do you make sure that your policies are being enforced properly? You have to look at what your retention policy is. Is it being applied to the endpoint devices such as desktops, laptops, mobile devices? So there are applications out there. There's many applications that can handle the data retention on those devices. But specifically, most people are applying their retention policies to email and it depends on your email service. But say Office 365, you can apply a retention policy.

Same with Gmail, whoever's providing your email service, you can set a retention policy so that it is deleted and not stored down to the user's end device. Professional tools like professional services, like Microsoft Office 365 specifically and Gmail will do that for you. And I've analyzed a number of PSTs and storage files for these and been able to verify that they are working properly. However, if you get back down to the endpoints, things you need to look at, you wanna make sure that you have something that's, an application that's going to wipe or otherwise destroy that data after it's been deleted. You wanna make sure that files in the recycle bin are actually emptied from that recycle bin, and that the unallocated space is wiped.

That being said, the way hard drives work, we have the old spinning disks. This used to be a much bigger problem with older spinning disks. Because we could recover a lot of data from unallocated space, which is the deleted content, stuff that you won't normally see as a regular user. Now, new solid-state drives, they have a function on them called trim and garbage collection. It works in combination with different operating systems. So when you delete items off of a solid-state drive, as long as it's not an encrypted, encrypted operating system, then the solid-state drive actually goes through and removes that data so it's permanently deleted. Otherwise wiping tools, there's some free wiping tools out there. There's some paid-for wiping tools out there that make sure that that is not recoverable any longer. Hopefully, that answers your question.

Rochelle: And next question. Have you seen mobile device preservation in a civil case? And if so, how was it done?

Thomas: A mobile device preservation in a civil case? I'd say most of my cases are civil. And most of my cases involve cell phone forensics and cell phones mobile devices in general. A lot of times I'm dealing with say a trade secret case or IP theft type of case. So the question is, I'm not sure what you mean by how is it done? Basically, we use, well, we request or subpoena the device for the other person, and or from the person who owns that device. But oftentimes, we're working for the attorney whose client provides us that device.

And we recreate a forensic image of that. And we do searches of that device. There are times to where we handle the privacy concerns, where we use something we call a triangle agreement where let's say I need to search opposing side's device, my client would provide me search terms and a date range. I'll go to the office of opposing counsel and work with them and their client. We'll preserve that phone and then I'll run the searches there. Notice I get to review the responsive results. And then I can do a secondary extraction of that and provide that to my attorney. That's one way we deal with it. That's a fairly common way of handling it. All right, any more questions?

Rochelle: All right. Next question, how are text messages admitted into evidence at trial? For example, how do you respond to the objection that the text messages may not be the defendant's text messages? In other words, how do you authenticate that the text messages are actually defendant's text messages?

Thomas: That's why we want to do that forensic preservation and extraction versus the screenshots. Because the forensic preservation and the image that we get from that is going to show and be able to authenticate the phone numbers and the devices that these text messages where they originated and where we pulled them from. So we have all the metadata that's able to back up that claim. That's why you don't want to use the screenshots because you don't have any of that information.

Rochelle: Next question, do you have any involvement in the healthcare space? And any tips for ESI in that sector?

Thomas: Yes, we do have some involvement in the healthcare sector. So tips for ESI. ESI needs to be obviously protected very well. Typically need in place and in-transit encryption. And that's gonna protect that information. You have to have, if you're transferring the data, chain of custody logs. Who is accessing this? They have to, very robust logging in this, especially in the databases that are being used to serve up this ESI. If you're going to get into say a collection preservation and litigation with this ESI, make sure that you have a vendor who does have experience in that area, specifically dealing with HIPAA regulations, and a good background in digital security and cybersecurity. That way we can ensure that the data is handled properly. That's probably the best I can tell you for right now. Any more questions before we move on?

Rochelle: Thank you, Tom. You can continue with the presentation.

Thomas: All right, so I'm gonna skip a little bit of this digital forensics because I could probably talk all day. I teach courses in digital forensics. But forensics is really the use of specialized tools and techniques to do that preservation, the collection, and analysis of the data. Make sure we don't modify it to our processes. Forensics person is going to, let's see, recover deleted content, write expert reports. They'll get on the stand for you as an expert witness as necessary.

The way that the word digital forensics is really applied in e-discovery. Of course, the collection of preservation of all that data and the analysis of it. That's where a lot of what we're looking at is not really the content so much as a forensic examiner. We're looking at the metadata of this data. The metadata, that is all of the information about the data. There's two different types. There's, and this is fairly important, there's external metadata and internal metadata. So speaking of external metadata, this is really kind of a subset of information.

Things like modified access created date, the name of the file, where it's stored on that, on the storage device as all that metadata that is stored outside of the file itself. Internal metadata, on the other hand, is stored within that file. Think of a JPEG image. So, a JPEG is a photo, or it could be a photo. But it's a picture of some sort. If the picture was taken with a camera, and the internal metadata might have things like the make and model of the camera, the flash settings of that camera. If it's a phone that is GPS-enabled, it might have longitude and latitude of that device when the photo was taken.

None of that's gonna be stored externally, only internally. One thing to note here is that you might get conflicts between internal dates and external dates. For instance, if I was...if you were to take a photo of December 25, 2019, and send that to me in a text message today, the external metadata on my phone is gonna show February 4th, 2020. But internally, it's gonna show a created date of December 25th. That's when we start getting conflicts. We have to deal with those conflicts to understand why there is a conflict oftentimes.

Also, remember that that data can be, if the file's been handled properly, the internal metadata can be wiped out. If you ever receive a PDF printout of a file or photo, you're probably not gonna get the internal metadata. Or if someone texts that to you and sends it to you as a message or small message, it creates a copy of that file. All you get is all the metadata about the new copy, so you lose all the original metadata. So you have to be very careful how you handle these files, in particular photos.

Other types of metadata, email. Any email file that you have is probably mostly metadata. Of course, you're gonna see things like the "to", the "from", other recipients, the subject and the body. Outside of that, there's a ton of information of things like for the time that the email was created and sent, there's a timestamp within the headers of this email that you don't see. Every time that file traverses, the email traverses a server across the internet, it gets a timestamp. Different servers do different things.

Maybe as it's going through the enterprise, I might say here's what came in. Then a firewall came in and gets a timestamp, then it goes through a virus scan. It gets a timestamp there. Then it gets delivered to the actual email server, gets a timestamp there. Then it gets delivered to the account. And it gets another timestamp. A lot of things happen. I find oftentimes that, well not often. I've had cases where people have taken an email and modified say, a visible date, like the sent date, they'll either backdate it and then apply that in a PDF document. So you can't see the internal metadata.

So I always ask if there's ever any question about the validity of an email, I always ask for the native file so we can take a look at those headers and verify the dates in the other content. A lot of information there in the headers of an email. Other documents, so Word files, PDFs, what have you, a lot of other information there. So let's say we're dealing with an IP theft case or trade secret case. Somebody claims that they created this file and they did it at home.

And it's just theirs. It's not the company's file, not the company's information. We can look at the internal metadata and see things like the author, who owns the license or the software that was being used to create this file. We can see the different changes, especially the tracked changes in a Word document or a Microsoft Office document. We'll of course see the dates and times. These were created and when it was modified.

Might be able to backtrack through all the different changes that have happened. Even we can see the application, actual application that was used to create this file for what we see in the screenshot here. This is Adobe PDF, this is created by the Adobe lifecycle output, whatever, they will do some forensics on this computer and say, yeah, you couldn't have created this file on your home computer because you didn't even have this application installed at that time that this was created. So there's no way this could be your document. And so that's how we use metadata and forensics to help in the e-discovery cases. All right, any questions for anything we've covered so far?

Rochelle: None as of yet.

Thomas: All right. Excellent. So we're gonna move into the nine skills of competency. And we're gonna start off with a hypothetical case. And, again, this...a lot of this comes from the California State Bar. But I think it applies to pretty much everybody. But as a hypothetical case, we have a distributor who's suing the manufacturer, a manufacturer of whatever product it is. We have an attorney who's defending the manufacturer. He's been working with this client for quite some time.

Opposing side says we can get some e-discovery. We need to search your network, your client's network. Of course, like most attorneys, they're gonna push back and say, "Yeah, this is over burdensome. We don't need to do this." But the judge insists and says you have to meet and confer and come up with some search terms, a clawback agreement and I'll get ready to get this e-discovery underway. So the CEO tells the attorney, so I'm not worried about this e-discovery stuff, everything that's gonna come up based on the search terms, that's all printed out in those documents in those boxes under your desk. We've had them for a couple of years, so not worried about it.

Also says that they have a large IT department, so we're gonna have them help out and just bring the vendor in and let them search. Have our IT guy deal with them. Don't care about it, not worried about it. So vendor comes in, our attorney allows them in. He hasn't, I'll give you a couple of heads up here. He hasn't tested these search terms. So he doesn't know what he's gonna get. He hasn't read it, but he gets the response results back from the vendor. He doesn't review what he had, what he found. And next thing you know, two weeks later, he's getting hit with spoliation accusations and they're seeking sections.

So our attorney hires somebody to come in and take a look. And sure enough, the expert says yeah, there was a lot of deleted content there. Says, however, you might be safe. We have a retention policy. They're asking for five year's worth of data but we have a retention policy of two years. So I think most of it falls within that retention policy. So you're probably good there. But he says, that's not your biggest problem. The biggest problem is that your clawback agreement, which allows you to get data back that was inadvertently produced, only covers privileged information.

But we also produced, due to our over broad search terms, other plans for our new product that we're gonna produce next year and provided that to one of our major competitors. So a lot of bad things happen here. Hopefully, none of you have been involved in something like that. But I want you to...think about that case as we go through the next few slides. So one of the nine scopes of competency is the state bar here in California says that you need to have a basic understanding and facility with issues related to e-discovery and ESI.

I think we've covered a lot of that so far, a lot of the issues that might come up. Says your duty of competence may vary from case to case. And I will tell you, I have worked on single cell phone cases where I just need to get text messages off of one phone. I can finish that up in a few hours on a single day. I've also had cases where I've had to travel internationally, negotiate collection protocols.

I spent once in Macau. Actually not. I spent about three months in Macau. It was crazy, I was living in a casino out there. Not three months straight but on three different trips, working for, like I said, a casino. Got to be very complex, a lot of laws regarding how we're gonna handle the ESI saying we cannot take data outside of the country. Much more complex but I think you get the picture. Opponent says an attorney lacks the required competence for e-discovery, she has three options.

Number one is acquire sufficient learning and skill before that performance is required. Number two, work with and consult with experts in the field or somebody who is competent, or number three, decline representation. As attorneys, that's not what you wanna do. You want to represent as often as possible.

Finally, if you're deemed to have a lack of competence dealing with these e-discovery issues, and you do take these cases, you may find yourself with an ethical issue. All right, so how do you measure your level of competency? The next slide is the actual nine scopes of competency. Number one, I'll read through these real quick but initially assessing e-discovery issues and needs, implement or cost implement appropriate ESI preservation procedures. Actually, I'm not gonna read through all these because we're short on time, just hit them one by one.

So number one, initially assess e-discovery needs and issues, if any. So what does this mean? It means you have to think about your different sources, different data types. What is it you're looking for? Who has this stuff and where is it? On this, some of the primary things. So is the data, is it in your client's possession? Does the opposing counsel have that? Is that on their cell phone? Is it a third-party possession? Do you need to subpoena or get information from maybe a mobile cellular carrier such as AT&T or Verizon?

The other things you might need to consider, think of information governance policies. Does your client have a Bring Your Own Device policy? And does that cover litigation? How hard is it gonna be for you to get data off of somebody's personal phone who may be using that for work? Other things, you're not gonna need to consider. By the way, any questions so far? If not, I'll just wait for questions at the end of these nine skills.

Rochelle: Okay, we can wait, that's fine.

Thomas: All right. Number two, implement or cost implement appropriate ESI preservation procedures. So what is appropriate? I mentioned that the data is often oftentimes very volatile, or can be very time-sensitive. So it's a good idea to preserve early. So things are temporary, such as data in some of these logs are ephemeral. Think of the memory on a computer. Maybe the clues to get what you need to have are sort of the memory and we have to get that before the computer is turned off, or it just goes away. So what is appropriate preservation?

Appropriate preservation means that when we collect it, we don't modify it. Don't delete it, don't cause any changes when we do the collection. Or in some cases, sometimes we have to make a change in order to make that collection and those changes are actually documented. And we can show that. We'll have a chain of custody, we'll take photos and make sure everything is fully documented. Our full processes are documented. And that the data is stored. It's stored in a protected mode where we can always authenticate that data later.

Number three is, analyze and understand a client's ESI systems and storage. So do they have a large network with a data center in Denver, one in DC, and one in Singapore? Or do they just have a bunch of laptops sitting around a small office? How hard is it gonna be to get this data? How many people have their hands on it? Do you have to go to off-site backups? Do you have backups to deal with in case maybe somebody left and IT people deleted or wiped out that laptop that they used to use and it's been reissued?

So you'll need to understand how the network and health systems and companies here or your clients are set up. Are they creating new types of ESI or new sources of ESI that maybe nobody's dealt with before? I mentioned a number of different sources. I even, I've talked about YouTube a little bit. We actually have a urinalysis machine sitting in our office right now. And that, guaranteed nobody in our office ever touched one of those and most places have it, so we had to figure that out.

New types of new sources come up all the time. Number four is advise client on the available options for collection and preservation. You don't always need an expert vendor to come in and do these collections and preservations for you. If you feel that the case is getting more complex, involving a lot of sources, that's where you really wanna start calling somebody in. Or if you're not familiar with how to preserve and collect a cell phone, for instance, vendors are highly recommended at those times.

But maybe just some good copy of a file is all you need. But you wanna make sure that that is done properly. And that you can maintain the chain of custody of that, that file, and ensure that it hasn't changed. So believe it or not, I've had cases where the IT staff actually, in an effort to help me collect some deleted email, they actually deleted or remove the encryption from a solid-state drive. And early in this presentation, I mentioned somebody asked the question about ensuring that the retention policies are in place. One of the caveats with the solid-state drives are that if the data, if it's an encrypted operating system, encrypted image, that this garbage collection is not gonna run.

We had a lady who had deleted 25 year's worth of email or a computer and asked for help for recovering it. And IT staff in order to help me out once he got a hold of it, he said, don't worry. I just removed the encryption so you can get to a more easily. I didn't need to remove it. I can get around encryption through proper processes, not hacking it. But unfortunately, once I got ahold of it, I actually saw the email that was there, 25 years worth of email. It was still intact.

As I started trying to copy it out, even though I was using write blockers, that garbage collection ran in the background had actually over wrote all that data within seconds, maybe within a minute, and lost 25 year's worth of email. The big point here is that while IT is great, they can tell you where everything is at, they know where everything's wrong, skeletons are buried and all that kind of thing, all the bodies are buried, they don't always understand how the metadata can be modified or how the data can be damaged by doing an improper collection.

All right. Number five, identify custodians of potentially relevant ESI. Again, very important. This is what IT guys can come in and help out a lot, help you identify where stuff is and who has access to stuff. And this is also, this is the identification stage. We wanna interview your custodians and get as much information as possible to help identify where this data is. And I realize I've got 10 minutes left, so I'm gonna speed things up a little bit.

Number six, engage in competent and meaningful meet and confer with opposing counsel regarding an e-discovery plan. This goes back to using that the EDRM, the e-discovery reference model. How are you going to structure your e-discovery? And are you gonna design a good clawback method? What type of production are you gonna do? And when are all these things gonna happen? So you can say, I wanna be in the processing stage by this date, I wanna make sure all the preservation and collection is done by this date.

Number seven, perform data searches, probably the most important part of these nine skills. Doing data searches is really important. Make sure you use good key terms. Don't use short terms like single words. Or anything five characters or less I think it's a horrible term. Use Boolean Logic as much as possible. The "ands, ors, and nots." I used one of the examples of peanut butter and jelly sandwich, the peanut butter within one of jelly things like that, so you get a proximity search to make it more precise. That way you don't have peanut butter on one page and jelly on page 500.

You have to read through that entire document to realize that this is not a relevant document even though it was responsive. Let's see. Another point I wanna make here. Let's say you're representing a client in LA that makes makeup, maybe color, COLOR, even that sort in a bad term might be a good search term for LA. But if they have a London office, COLOUR would be a better search term. So, consider those misspellings, alternate spellings, and multiple languages.

Number eight, collect responsive ESI in a manner that preserves the integrity of that ESI. So, make sure you have a chain of custody based on the collection of preservation so we can tell who's handled this. Make sure the access is limited by using write blockers, physical write blockers as well as forensic tools that are designed not to modify the data. The last one I wanna focus here a little bit on what is the integrity of that ESI. The integrity can be measured. Integrity just means that it hasn't changed or been deleted. We can measure that through checksums and hashes.

These are just mathematical algorithms that we can apply to a file or a set of files, and get a unique digital signature as the output. Digital signature or a digital fingerprint. So we can use these, say MD5 or SHA1s, a couple of common type of hashes, we can use that to say, I've received a file, it has this hash. I'm gonna check it. Maybe if the hashes match, that file is good, we preserve the integrity. If they don't match then its lost the integrity. We need to ask for another copy of that go back and recollect it. I also use the hashes to de-duplicate files.

Maybe I've got a collection of 10,000 files, 500 of them have the same hash. I only have to review 1 of those 500, because I know the rest of them are exactly the same. I'm gonna go to number nine, the last skill, produce responsive non-privileged ESI in a recognized and appropriate manner. So what is recognized? So there's a number of things, load file such as relativity, load file, concordance load file, what have you. Native format, which is those are the original forms of those files. So, Word documents, Excel spreadsheets, or PDF format. It means a copy of something that visually represents the original.

And always make sure you get all the common metadata, modified access created date. And I always say ask for the native. That way you have that internal metadata also so you can go through and really verify what you have. So those are nine skills. On this next slide, if we go back to the case study, so ask yourself. Did that attorney serve his client well? I don't think so. A lot of things he didn't do. He didn't really direct that search. Didn't test the search terms. I don't think he actually met the standards of competency for a number of reasons.

And I think that the search terms produced overbroad results and provided a product to the other side because he didn't test the search terms. He had no idea what was really gonna come up. He made a lot of assumptions. So don't make assumptions on what your search terms are going to produce. Did spoliation actually occur? In this case, I don't think so. They had a retention policy. But maybe he could have conveyed that retention policy to the other side during the meet and converse. And yeah, you're not gonna get everything you have because we only save things going back for two years or five years.

So that would have headed off any spoliation accusations if there wasn't actual spoliation going on. All right, we have five minute, four minutes left. And this is, I would say most of the time, this is where I stop. I used to hit the hour. And it turns out we did today. But I do wanna ask, are there any questions right now before? I probably won't have a chance to get into the rest of the presentation. Any questions?

Rochelle: Yes. Question, do you have any recommendations about software to strip metadata?

Thomas: Software to strip metadata? Let's see. There are some out there. I don't have any specific recommendations. I used to use, I know Adobe can actually strip metadata. Let's say if you wanna produce something from a Word document, the best way to do is convert it into say a TIFF or a PDF and you will lose the metadata there. But unfortunately, I can't think of any specific software out there for you.

Rochelle: Okay. And if all the attendees can enter in the passcode, which is "Ethical", and the next question, can you override backup copies of data as part of a standard backup as long as you preserve a copy of data subject to a litigation hold?

Thomas: And the answer to that is yes. As long as you document what you've done and do it good preservation of that backup. That's going to preserve the metadata. Again, it goes back to preserving the integrity of that data, but copies are great. So, let's say they have a backup, a tape backup. You wanna pull it off that tape backup and put it onto a hard drive so it's easier to access? Perfectly fine as long as you document what's been done.

Rochelle: [inaudible 00:55:08] continue. That's all the questions we have.

Thomas: All right. Well, thank you guys very much. Thank you, everybody, for attending. I really appreciate it. And you have a great day. Thanks for all the questions. I appreciate it.

Rochelle: Thank you. Please remember that if you are applying for CLE credit, you must attend for the full presentation. You're also required to complete the survey at the end of the program. Please note, I will be sending out all certificates via email in 24 to 48 hours. I wanna take this opportunity to thank everyone for attending and most especially, Thomas Plunkett for his time and effort in creating this presentation.

If you would like to speak with Tom or if you would like to speak with a TASA representative regarding an expert witness, please contact TASA at 1-800-523-2319. One of my colleagues will be followed up with you regarding your feedback on today's presentation. Again, thank you all for attending today. This concludes our program for today.