Ricoh eDiscovery

Preservation and Collection is not a Linear Process

Posted by Marketing |5 minute read

Oct 20, 2015 3:28:15 PM

Traditionally, Preservation is seen as the logical next step after Identification. In most cases however, Preservation and Collection are ongoing processes. For example, data for a custodian may be identified, then preserved and collected. During the collection phase, an additional source of data may be located that has yet to be preserved, starting the cycle over again.

It’s important to remember that ediscovery is a fluid process, and that the steps are far from linear. Notice that all sections of the EDRM model are connected along the bottom by double-sided arrows. This can also serve as a reminder to re-evaluate your process throughout and return to any steps that may need review, or to handle additional data sources.

Chart-EDRM-Preservation-Collection

Preservation and Collection are grouped together in the EDRM model, joined by double-sided arrows. 

Preservation: Keeping Things Fresh

Even before you identify custodians, the client should be advised to suspend destruction of potentially responsive data. Encourage defensibility by tracking all details of the Litigation Hold, including date and time, sources of data, who completed the preservation, and the method that was used.
If the client hasn’t already done so, at this point they will likely advise their Information Technology department they are contemplating litigation. IT’s job is to create a defensible copy of the data and prevent data from being overwritten.

It’s important to consider the impact on business when deciding which type of preservation is appropriate. Stopping all systems from auto-deleting may not be reasonable, and may be cost-prohibitive. On the other end of the spectrum, making two copies of a USB drive containing responsive data may not be thorough enough. Many of the Collection methods listed below can also be used in the Preservation stage.

In addition to a client-wide Litigation hold, custodians need to be notified not to delete or alter any data. As soon as custodians are identified, they should also be instructed to preserve existing data. 

The most important step in this process is to remind everyone of the time sensitive nature of the preservation process. It can be helpful to prepare templates for preservation that you can provide to the client or legal team, especially for those who have little experience in eDiscovery.

Collection: Something Tangible

It’s finally time to get client data transferred for processing, analysis and review. But first it has to be assembled and saved in a way that it can be delivered from the client to you.

From Forensic Collection, where deleted information can sometimes be recovered, to copying and pasting a handful of Excel spreadsheets, collection methods vary tremendously. No single method is appropriate in all situations. In fact, in a given situation it’s possible to use a variety of different collection methods for different types of data.

It’s important to consider the manner in which the data will be used, as well as the sensitivity of the data. For example, a hard drive that has likely been tampered with will require a different method of collection than a Gmail account containing 10 relevant messages.

When deciding on a method of collection, review the different data types and sources and consider a number of factors, including:

  • Is this the only existing copy of the data?
  • Is there potential the data has been tampered with?
  • Is the metadata potentially relevant or will authenticity need to be confirmed?
  • Does the client have IT resources to assist with the collection?
  • What is the value of the file?

Depending on your responses to these (and additional) questions, you can narrow down the appropriate methods for any given file. Discuss the options with the legal team and the client to weigh the risks and benefits of each.

To understand the potential variability in collection within a single file, consider the following scenario:

An employee is terminated from an energy company for selling trade secrets to a competitor immediately before the company contemplates litigation in an unrelated contract matter that the employee had worked on.

  1. The laptop of the terminated employee is seized and forensically imaged to create a backup so the laptop can be formatted and put back into circulation.
  2. All custodians who worked on the contract matter have their email accounts collected by IT through the company’s Exchange Server, and the resulting PSTs are searched by date range and keyword.
  3. Each custodian reviews documents on their C: drives and within their personal DropBox accounts, and copies responsive documents to encrypted USB drives.
  4. A folder of documents on Sharepoint relating to the contract is saved to DVD by the IT department.
  5. In addition, the project manager coordinating the litigation searches the network shares and document management system, identifying folders so they can be exported by IT in a forensically sound manner, preserving metadata.

Common Collection Methods

  • Forensic Image | A highly-defensible exact bit-by-bit replica of the source in question.
  • Targeted Image | A forensic copy of specific folders and files.
  • Non-Forensic Copy | Copies of files created by the user, using functions such as Copy and Paste.
  • Email Collection - Server | An automated export of mailboxes or subset of mailbox folders.
  • Email Collection - Client | An export of email through the mail client.
  • Email Collection - Web-based | Collection of web-based email by downloading messages to a local email client such as Outlook or Mac Mail.
  • Other | There are a number of other types of collection methods, including social media, instant messaging and mobile devices. Consider discussing these types of collections with a vendor in order to create a defensible collection plan.

There is no one-size-fits-all method for defensible document collection. There are however, common methods that work in most situations. Documenting your internal standards once you have established a go-to method is important to promote defensibility. Deciding which method is most appropriate takes some practice. It’s also important to audit your collection processes on a regular basis as technology changes and can quickly become outdated. Once you have developed your processes, you can use the EDRM’s eMSAT-1 to help evaluate your maturity.

For a detailed breakdown of the various collection methods, take a look at the EDRM’s Collection Standards page.


Don't miss the opportunity to learn firsthand how the EDRM applies to your firm. Come see Tiana Van Dyk at Technology in Practice 2015 in November at the Four Seasons Hotel, Toronto. Register today!

New Call-to-action

   

Tell Us What You Think.