Learn the what, when, and how of planning ESI collection strategies

What if your organization was faced with the task of collecting electronically stored information (ESI) in light of pending litigation? Do you ask your employees to collect their own emails and digital documents? After all, they know what documents they have and where they are stored. Asking data custodians to organize and collect the relevant documents on their own seems like it could be time and cost-effective.

Self-collection of ESI may be appropriate when in-house or outside counsel give custodians careful direction and instructions. More often than not, relying on custodians to determine the parameters of ESI collection leads to insufficient, incomplete results. Instead, develop a collection plan that encompasses various strategies for capturing accurate data from all relevant sources.

This article addresses the elements of successful ESI collection strategies based on subjects covered in the CEDS Exam Preparation Manual and part of the exam itself.

"Custodian self-collection is appropriate when you have custodians that are not personally involved in alleged wrongdoing and also where you have custodians who you expect would otherwise be trustworthy and follow direction and good competence on IT-type things, and where you, vendors are giving very specific direction," said Seth Row, Of Counsel at Parsons, Farnell & Grein LLP in Portland, Oregon.

"There are a number of tools now available to facilitate custodian self-collection, to make it idiot-proof, so custodian doesn’t have too much discretion," he added.

A reasonable collection strategy must address what ESI should be collected, when, and how.

What. The total universe of potentially collectible ESI will usually have been defined during the process of formulating the internal preservation directive, or “litigation hold.” The universe usually consists of four main categories of data stores: 1) individual employee files (files controlled by the individual custodian, such as their email accounts, and data on their work station hard drives); 2) department/group files; 3) enterprise databases (which may also include "cloud" databases; and 4) backup media.

If individual custodians were not interviewed during the preservation assessment, a collection interview may be warranted while developing the collection strategy. Depending on what is learned from custodians during the collection, and also on new information received during the investigation and litigation of the case, additional sources may be identified. For example, it may come to light that some data has been deleted, and data must now be collected from the unallocated space on a hard drive, which may require preserving the entire hard drive.

Some data may exist in more than one place, such as on servers and on individual hard drives. A party is generally not required to collect identical data from multiple sources. For example, a party need not collect email from both an Exchange server and backup tapes. It may be necessary, however, to ensure that data stores that look identical are in fact identical before deciding to collect from only one source. Also, it may be relevant or significant that the same data resides in more than one location (because it may indicate that the data was transmitted). Such issues should be discussed with trial counsel.

When. Not all data identified for preservation needs to be collected right away, or even at the same time. Some data, such as data in backup media may never be collected. Collecting all data that has been preserved may inflate costs unnecessarily and overwhelm the trial team with irrelevant data. Courts have endorsed the concept of proportionality in electronic discovery, one tenet of which is that the data that is least expensive to collect should be examined first for responsive information. In general, the least expensive ESI to collect (and, therefore, the ESI that is usually collected first) will be active data. Generally, that is data that can be seen in a file manager such as Windows Explorer. Archival data is usually more burdensome and more costly to access. Often, forensic data including deleted, hidden, or damaged files is still more expensive and difficult to access. Finally, legacy data, which is created using applications or systems that are no longer in use or available, is usually still harder to collect in a usable manner.

Cost alone will not determine the timing of collection, however.

• Some ESI will be collected early because it is highly important to critical issues in the case and necessary either for early case assessment or for identifying other potential custodians.

• Some ESI should be collected as soon as it is identified, in order to protect it from inadvertent destruction. This is particularly the case with data sources that must continue to be used. Data that fall into this category would include necessarily transient data, deleted or hidden data, data that is regularly overwritten or changed (such as RAM, some kinds of access or usage logs, and Web page content) and data stored in media where the risk of accidental deletion is high, such as PDAs and SD cards.
   
• Some ESI media will be preserved and secured (and in that sense, “collected”) early in the case, but not made fully available to the trial team. A common example is backup tapes. Backup tapes must be preserved if they are known to contain data that is unavailable from other sources, and may be preserved if there is a concern that they may be the only source of such data. They should be secured (that is, taken out of rotation for recycling) as part of the preservation of data. Backup tapes are often difficult and expensive to restore, however, and collection of data from these tapes is frequently deferred until it is determined that the data is necessary.

How. Once the timing of collection from a data source has been decided upon, the trial team must assess what level of forensic defensibility should be employed for the collection (see next section for a description of various methods of collection). Generally speaking, this decision will be driven by the needs or anticipated needs of the case, the state of the ESI being collected, the client’s internal resources, the volume of ESI, and accessibility of the ESI.

• The needs of the case include any agreements that have been reached with opposing parties, the jurisdiction, the type of case (particularly if it is criminal or quasi-criminal), and time constraints. One important consideration is whether it is anticipated that issues may arise in the case that can be resolved by data (such as metadata) that might be degraded depending on the method of collection. For example, there may be an issue about precisely when a certain document was created, viewed, changed, or sent. It should be kept in mind that proving authenticity of electronic data is essential to its admissibility in court.
• The ESI to be collected may have already been moved, consolidated, or otherwise degraded in its forensic qualities, resulting in little gain from employing forensic means to collect it.
• The client may have internal resources that allow it to use its own personnel, with or without the assistance of outside experts, to perform the collection.
• The volume of the ESI to be collected may mean that full forensic collection is costly. The collection team should not make assumptions about cost or burden based on the volume of ESI alone, however. It is often the case that a large quantity of ESI is just as easy to collect as a smaller amount, but simply requires more storage space.
• The accessibility factor includes where the ESI is located. For example, if the ESI is located far from the location of the forensic collection vendor, it may be preferable to use the client’s internal IT resources to collect the data, with guidance from the vendor. Also, if the ESI is in a legacy format, the data itself may need to be manipulated or transformed in order to be reviewable.

Special attention should go to collection of data from sources outside of the United States. Many countries including the European Union have laws, regulations, and policies that restrict a company’s ability to collect and transmit data (including customer information and employee “personal” data, including emails) outside of the jurisdiction for use in legal proceedings in the US. Careful evaluation should be given to collection of data outside the US and extra time needs to be allocated for such collections.

You can read more about developing successful collection planning strategies in the CEDS Exam Preparation Manual, which you’ll receive when you register for the CEDS Exam.

Click here to see the Table of Contents and Introduction.

The CEDS certification exam may be taken at more than 540 ACEDS-Kryterion Testing Centers worldwide. Click here to learn more.

About Seth H. Row, Of Counsel, Parsons Farnell & Grein LLP

An experienced commercial litigator and consultant to businesses on electronic discovery and risk management, he has extensive experience “in the trenches” litigating electronic discovery issues and managing ESI-intensive matters large and small.  At Holland & Knight he was one of the founding members of the Electronic Data Discovery Specialty Team, providing e-discovery training firm-wide and consulting to litigation teams across the country.  A graduate of Yale University and Georgetown University Law Center, he has handled e-discovery disputes from many angles: judicial law clerk, insurance defense counsel, and more recently private litigation counsel and mediator.  He is co-editor of the leading ABA newsletter on pretrial practice, an author of the ACEDS manual, and a regular presenter at CLE programs on electronic discovery. He will be a speaker at the ACEDS Annual E-Discovery Conference, March 23-25, 2011 at the Westin Diplomat in Hollywood, Florida. Learn more.