E-Discovery: Know What You Have Before Your Adversary Does

By John J. Coughlin

March 6, 2007

Understanding "What, Where & How" in the New Technological Landscape

Federal Rule 26(f)(2) and (3), as well as many similar local federal court rules and state court rules, requires parties to begin the discovery process by identifying and resolving "any issues relating to the disclosure or discovery of electronically stored information, including the form or forms in which it should be produced." The requirement of Fed. R. Civ. P. 26(f) necessarily imposes a duty to survey and identify precise locations of electronically stored information (ESI), a host of possible sites that until now have been collectively referred to as "cyberspace."

The incorporation of ESI into the text of the rule alters profoundly the "what, where and how" of discovery. Failure to understand the technological landscape at the onset of litigation may result in the loss or alteration of important evidence, impairing the ability to prosecute or defend against claims. Likewise, the inability to understand the potential complexities involved in continued preservation, collection and production may place litigants at a disadvantage from the moment that the mandatory discussion with the adversary and the court begins.

In order to avoid pitfalls and maximize the benefit of an early conference (whether required by court rule or simply initiated as good practice), one should understand the new "what, where and how" of e-discovery.

Where?

Perhaps the most challenging question is "where," that is, the quantity and technological variations in the media that are now the subject of discovery. The list of "where" can be exhausting, and parties often don't fully comprehend the extent of their sources until they already have a discovery problem, such as lost or altered data. For evidence of the challenge, one need look no further than the recent news stories revealing the inability of the FBI to determine exactly how many of its own laptops containing sensitive files have gone missing. (See "FBI Lags in Securing Its Laptops and Weapons," The New York Times, Feb. 13, 2007.)

Of course, the more centralized network servers are the primary repositories for e-mails, word-processing documents and other relevant forms of communication within a business. However, the size of a business and the configuration and location of hardware still create challenges for the seemingly basic task of specifying locations of active network information.

The active network is rarely the only place one needs to look for relevant ESI, however. In many network environments, users are permitted access to, or at least are not physically "locked out of," the hard drive of their workstations, where they may store drafts or versions of documents that never resided in a server location, or that may have been automatically deleted over time (such as old e-mails).

The thorough inquiry does not end with networks and office desktops. A complete investigation calls for interviews of users and persons with knowledge (administrative assistants, for example) to determine the extent to which a user transfers ESI to portable disks, laptops, home computers, even portable MP3 players, PDAs and cell phones.

Fortunately the rules draw a bright line distinction between "accessible" and "inaccessible" data, with the latter receiving more protection from discovery when there is "undue burden or cost" associated with production. (See Fed. R. Civ. P. 26(b)(2).) This topic will be discussed in more detail in the next Alert of this series, but the significance of evidence should not be discounted or dismissed simply because the potentially relevant data reside exclusively on "backup tapes" used for disaster recovery or "legacy systems," which have been replaced or updated by more modern applications. Under certain circumstances, such sources may be discoverable, and it may be necessary to suspend destruction protocols until a determination can be made by the parties or the court.

When assessing the ESI inventory, the inquiry is only limited by the array of technology available to a particular user or the party in general. As noted at the onset of this discussion, the question of "where" often requires the recruitment of multiple resources, and a lot of stone-turning.

What?

After identifying "where" such data reside, one must determine "what" the data are, i.e., the "format" in which electronic information is stored. Fed. R. Civ. P. 34(b) (ii) states that parties, in the absence of a more specific demand, "must produce the information in a form or forms in which it is ordinarily maintained or ? that are reasonably usable." Depending on the medium and application, there may be reasons to avoid or object to production of ESI in the format in which it is maintained on the system.

Understanding format requires an understanding of "metadata," which are generally defined as "data about the data." The discoverability of metadata is necessarily implicated by the requirement of production "in the form in which it is ordinarily maintained." However, it behooves parties to explore the option to produce instead in a form that is "reasonably usable," if production in "native" format would produce undesirable results. The importance of the choice - to both parties - will, of course, depend on the content of the metadata and the context of the litigation.

In one of the first and most widely discussed cases to deal with the issue, the U.S. District Court for the District of Kansas analyzed the obligation to produce metadata in the context of revised Federal Rule 34. Williams v. Sprint/United Management Company, 230 F.R.D. 640 (D. Kan. 2005). The Williams Court rejected the producing party's argument that the new rules "articulate a presumption against the production of metadata."

Instead, the Court held, after thoughtful analysis:

When a party is ordered to produce electronic documents as they are maintained in the ordinary course of business, the producing party should produce the electronic documents with their metadata intact, unless that party timely objects to production of metadata, the parties agree that the metadata should not be produced, or the producing party requests a protective order.

The lesson learned from Williams is not necessarily that all metadata are always discoverable; a thorough reading of the decision will quickly dispel such a belief. Rather, the point is one of caution and due diligence. The party who understands the format in which ESI exists, as well as the potential alternative modes of production (if available), will be in the best position to understand and manage the manner in which it is produced.

How?

Once ESI is identified and accounted for, the next question is "how," as in "how to preserve, collect and possibly produce" the discoverable data. The step of preservation was discussed in the two previous Alerts in this series. It is worth reiterating the basic premise here: once you find relevant ESI, make sure it is being preserved. For the purpose of this mantra, "saved" and "preserved" are not interchangeable terms, since "saving" in computer parlance necessarily means updating metadata to reflect that a "save command" was selected. "Preservation" requires that the data and metadata do not change, and such steps may require the assistance of an experienced IT professional or computer forensics expert.

This is not to say that business systems should come to a grinding halt to preserve a virtual pinpoint in time and, in fact, the law does not impose such a requirement. However, one should be aware of the environment in which ESI is residing and the extent to which safeguards should be taken to avoid changes that might occur which later may call a party's credibility into question.

Collection and production invoke similar concerns. The defendants in Williams chose to produce the Excel spreadsheets at issue in a "TIFF" (Tagged Image File Format) image format rather than the "active" or "native" file version in which they were created on the system. As a result of the court's ruling, they were required to incur the redundant expense of production again in native format. Similar consequences often befall litigants who do not even knowingly change the format, but simply allow their IT department or an outside vendor to collect and produce using methods that alter the evidence.

Such issues can be avoided simply by taking the time to understand whether the envisioned production meets with the expectations of the party demanding production. At the risk of stating the obvious, one should also understand their own expectations and the implications and consequences of choices made concerning mode of production. On one hand, it is potentially dangerous to produce more than what is expected. On the other hand, a unilateral decision to produce in a format that is unacceptable to the adversary and the court could result in an order to produce in another format at significant additional expense.

The final two Alerts in this series will address the issues that arise when the data are located, and whether and how to collect them for review and production.