Security For All

Sometimes life is hard like trying bail out the ocean with a spoon
Sometimes life is hard like trying to turn December into June
And sometimes life is hard like trying lasso a quarter moon
From Life Is Hard by Eric Durrance

I’m trying really hard to catch up on all of the e-discovery news I’ve been ignoring in favor of goofing off. It is summer after all and I don’t get paid nearly enough for doing this. Okay, so I don’t get paid at all for doing this. That certainly isn’t nearly enough. But as I was saying before I was sidetracked by my schizophrenic alter ego, while catching up on what’s happening in e-discovery and legal proceedings related to security and privacy I came across several articles that while seemingly unrelated really do have a common and interesting thread. One, in fact, actually being about threads. But I’m ahead of myself.

The first article comes from the Electronic Discovery Law blog and is entitled New York Court Provides Detailed Instruction on Protocol for Discovery of Cloned Hard Drive. The background of the story is this.

In this matrimonial action, plaintiff sought access to her husband’s (the defendant) office computer to determine his true financial condition. After denying plaintiff’s initial motion, the court directed (by stipulated order) that a clone of defendant’s office hard drive be made at plaintiff’s expense.  Thereafter, the court denied plaintiff’s motion for access to the cloned drive upon finding her request for unrestricted access overbroad. “Equally important” to the court was plaintiff’s failure to propose any protocol for investigation of defendant’s hard drive. The court instructed that should the plaintiff wish to renew her motion, her renewal “must contain a detailed, step-by-step discovery protocol that would allow for the protection of privileged and private material.”

So in other words the court said, “We’re not going to give you carte blanche to do anything you want with hubby’s financial data. You have to have a plan. Just like real e-discovery and forensics guys – not to be confused with TV CSI guys – do. Furthermore, the court was good enough to provide such a plan to the plaintiff and her apparently clueless legal counsel. Here is the abbreviated list, but definitely check out the full text of the court’s opinion for some great information.

(a) Discovery Referee:  The parties [must] agree on an attorney referee, preferably someone with some technical expertise in computer science, to be appointed to supervise discovery.

(b) Forensic Computer Expert:  The parties [must] agree on a forensic computer expert who will inspect and analyze the [hard disk] clone.

(c) File Analysis:  The expert will analyze the clone for evidence of any download, installation, and/or utilization of any software program, application, or utility which has the capability of deleting or altering files so that they are not recoverable, extract all live files and file fragments and recover all deleted files and file fragments.

(d) Scope of Discovery:  Plaintiff will list the keyword and other searches she proposes to have the expert run on the files and file fragments, subject to a reasonably short time frame in [they] were created or modified.  Plaintiff is cautioned that she should narrowly tailor her search queries so as to expedite discovery and reduce the costs of litigation to the parties.

(e) First-Level Review:  The expert will run keyword or other searches on all of the extracted files and file fragments.  After performing searches, the expert will export to CDs or DVDs a copy of the native files and file fragments which were hit by such searches, and will deliver such media to defendant’s counsel to conduct a privilege review.  An exact copy of the media delivered to defendant’s counsel will be contemporaneously delivered by the expert to the referee.

(f) Second-Level Review:  Within twenty days after delivery of the media containing the extracted files and file fragments, defendant’s counsel will deliver to plaintiff’s counsel all non-privileged documents and information included in the extracted files and file fragments, together with a privilege log which identifies each document for which defendant claims privilege and describes the nature of the documents withheld, so as to enable plaintiff to assess the applicability of privilege.

(g) Discovery Disputes:  The referee will resolve any disputes concerning relevancy and privilege.

(h) Cost Sharing:  All costs for the expert will be borne by plaintiff, subject to any possible reallocation of costs at the conclusion of this action.

(i) Discovery Deadline:  The parties should agree to a fast-track discovery schedule.

(j) Retention of Clone:  The discovery referee will keep the clone until the action is concluded.

Yep – that’s quite a lot of detail. Certainly more than the “let’s clone hubby’s hard drive and take a look” that the plaintiff originally suggested (probably after watching CSI on TV). There’s a lot more to this e-discovery business than most people including, apparently, some lawyers think.

The next article comes from the e-discovery 2.0 blog and is entitled Courts Undecided on How to Handle Email Threads in Electronic Discovery. We’re all familiar with email threads, but just in case you’re not familiar with the “thread” terminology the article has a really good description.

Email allows us to communicate in a way that helps us associate context to our discussions, namely in its ability to be chained into a sequential thread when email users reply to or forward emails they previously received. This accomplishes two important tasks: 1) it allows the person sending the reply or forward to get an understanding of the issues so he/she can craft a meaningful response, and 2) it allows the person receiving the response to understand that response in the context of other on-going discussions. Email programs help by automatically including content from prior emails, thus producing a long chain of reference.

So see you really knew what they were all along. Anyway, as you can imagine email threads are quite valuable as evidence in litigation. Quite a bit more so, in fact, than the individual messages on their own would be. But unfortunately for courts, even something as straightforward as email threads isn’t really that simple. Once again the idea of priviledge rears it’s ugly (or beautiful depending on whether you get it or not) head.

The area of greatest confusion and uncertainty has been the determination of privilege when emails are exchanged with in-house counsel and attorneys and whether such emails are protected by attorney-client privilege or not. A central issue is the composition of privilege logs under these circumstances.

There are several legal opinions on the matter of intermingling privileged and non-privileged communications in an email chain. These opinions have left the matter with little clarity, especially regarding whether the entire email thread is privileged or whether individual emails must be separated out and classified as privileged, with a privilege log listing them. Typically, the most recent email in a thread contains all other emails in that thread. Separating out individual emails (i.e., the contained emails) from the containing email would allow for treatment of just the portions of the email thread that may have privilege. When such separation is permitted, some contained emails may be assessed as privileged while others may not. However, it is entirely possible that the contained email is also present as an independent email under possession of the same custodian or another custodian. When it is present, one could argue that the contained email can just be ignored, and if the corresponding email is responsive, one can ignore the contained email. But rarely does a collection include a complete set of custodians, so the question of whether the privilege log should include the contained item in question still remains. In terms of management of review, and for constructing a privilege log, treating the most recent email and all its contained emails as a single entity is less expensive and cleaner than separating and determining privilege status of each contained email.

Another complicating factor is simply a determination of privilege. Does the mere fact that an attorney was listed as a courtesy CC recipient make the entire email privileged? And, when such emails are then forwarded only to an attorney involved in the case, with a legal strategy discussed in the containing email, is only the new content added to the containing email privileged, or does the privilege determination extend to the other contained emails?

Wowzers! That makes my brain hurt. Confusing indeed. After some great legal references, the second article unfortunately devolves into a flack piece for the Clearwell E-Discovery Platform which you can read about if you are so inclined. Actually I’m being a bit harsh, since the author is simply stating the problem and presenting a product that helps solve the problem. I’m just not in the market.

So the common thread between these two articles is that admissible electronic evidence is not an easy, cheap or sometimes even well defined proposition. Which is why e-discovery and forensic specialists get paid the big bucks [Okay you e-discovery guys and gals can stop laughing now]. The points you can take from this are several including:

1. If you are thinking of enrolling on one of those “become a CSI” courses, read this post and these articles over and over until you understand what they really mean. Then go to Vegas instead.
2. If you are involved in litigation and your attorney suggests that you “snag the computer and take a look” for some evidence, point him/her to this blog entry as a handy reference on what “snag the computer and take a look” really involves. Then fire the fool and get an attorney with a clue.