Potential Litigation

Memorandum DATE: SUBJECT: March 24, 2013 Potential Litigation with Jane and Mike, Inc.

Purpose The purpose of this memo is to detail, in general terms, the requirements and concerns for the Internal Investigations (II) of Bill and Tom (BAM) as they relate to potential civil litigation investigations. The following guideline should be addressed to limit II and more importantly, BAM specifically, from accusations of spoliation of evidence, complaints of incompetent investigations, and to control the costs of future legal inquiries. Context Through extensive research and analysis of available resources including a leading textbook covering this issue, Eoghan Caseys Handbook of Digital Forensics and Investigations (2009) and multiple publications from The Sedona Conference, a research and education institute dedicated to the advanced study of law and policy, I will detail the obligations and responsibilities of the II in relation to potential civil litigation inquires. Specifically I will detail the Next Steps that will be expected of the II so that we can perform a comprehensive and competent investigation in the matter before us today, the John Smith resignation and employment with Jane and Mike, Inc. (JAM) and the potential loss of trade secrets by BAM.

Task You asked that I look into the matter of one of BAMs Regional Sales Managers, John Schmoe, who has recently resigned and accepted employment with JAM. I was informed by Human Resources about this issue today and I also received a call from the Director of BAMs Legal Department, Bill Cheatem, who notified me that the Director of the Sales Department is exploring litigation against JAM for illegally taking John Smith and for possible loss of trade secrets. Additionally, he stated, there is also the potential that other current employees will be investigated. While I am not a lawyer and cannot offer legal advice, I have enough experience in this area to know that JAM would not be liable for illegally taking John Schmoe because any company, can hire any person, at any time. However, John Smith could be found to be in violation of his employment contract and forced to resign from JAM if BAM can show the contract is valid and enforceable. Of most importance to II will be the potential theft of trade secrets by John Smith and the illegal use of those trade secrets by JAM. Additionally, now that II has been informed of the potential for litigation, we have an obligation to preserve all data concerning John Smith in our care and control. Summary The most important step that II can take to limit the liability of exposure to claims of spoliation (and their disastrous consequences) is to quickly and completely preserve all potentially relevant sources of data that might be associated with litigation. II will, as a policy, preserve first and present after reasonable debate with opposing counsel.

Discussion The II of BAM should, without hesitation, prepare to locate and preserve all relevant information under our control. E-discovery and Electronically Stored Information (ESI) I understand that your background is in Law Enforcement and therefore Criminal Litigation which differs from Civil Litigation is a number of important ways. I will detail a brief background of civil litigation, just to bring you up to speed. Casey (2009) details the concept of civil discovery and e-discovery in the following passage: As part of any piece of civil litigation, the parties engage in a process called discovery. In general, discovery allows each party to request and acquire relevant, nonprivileged information in possession of the other parties to the litigation, as well as third parties (F.R.C.P. 26( b)). When that discoverable information is found in some sort of electronic or digital format (i.e., hard disk drive, compact disc, etc.), the process is called electronic discovery or e-discovery for short (Kindle Locations 1802-1806). This is different than what you are used to under the Criminal Rules, so I wanted you to be aware of our obligation to work with the opposing side to provide potentially relevant information. Additionally, The right to discover ESI is now well established. On December 1, 2006, the amended Federal Rules of Civil Procedure (F.R.C.P.) went into effect and directly addressed the discovery of ESI (Casey, 2009, Kindle Locations 1808-1809) so we do not have any excuse not to preserve and later produce relevant ESI to the opposing side, after BAMs Legal Department has had the opportunity to review the data for privilege. The II must be prepared to locate this ESI in order to fulfill our obligation to preserve it.

Locating Sources of ESI Before we can preserve the ESI, we must know where all the potentially relevant information resides within (and outside) of our systems. Many of the ESI locations are obvious, such as Email and the custodians hard drive. The term custodian here refers to anyone who owns or has control over the potential relevant records and data. As a First Step, the II should: 1. Secure the hard drive of any custodian from the actual custodian or their manager. All appropriate Chain of Custody documentation must be completed for each item of evidence. 2. Create a forensics copy of the hard drive and secure that copy until such time as further evaluation is warranted. After the copy has been made and validated, the original hard drive may be returned to the custodian so that they can continue with their work. Due to the dramatic reduction in the price of hard drives in the last decade, the cost of making a forensics duplication is approximately $100 and therefore making the duplication outweighs any risks associated with claims of spoliation (for not making it) and should be standard practice for II. We can always reuse these hard drives if litigation is later withdrawn. 3. The II should immediately ensure the I.T. Department creates a copy of the custodians Email data from the server and we should preserve this data until further examination is warranted. 4. The II should immediately ensure the I.T. Department creates a copy of the custodians Personal and Department File Sharing data from the server and we should preserve this data until further examination is warranted.

5. The II should immediately ensure the custodians manager has secured any thumb drives and/or external storage devices that the custodian may have left in their office and we should preserve this data until further examination is warranted. 6. The II should take all reasonable steps to ensure that the custodian did not have access to and was not using external online storage location sites (i.e. Dropbox), Remote Access Software (i.e. Log Me In), or any remote email systems (i.e. Gmail or Yahoo mail). This verification will be part of the actual examination of the custodians hard drive as well as any available network logs that we can preserve. 7. Unlike many of our competitors, BAM no longer relies on the use of backup tapes and instead uses offsite and onsite, redundant hard drive storage to replicate data for disaster recovery purposes. This system, known as BAM Back, will save us considerable time and money during any potential litigation because we will never have the huge expense of the recovery of data from tape. 8. Remember that in addition to the actual custodian, this persons assistant, their manager, and the other members of their team, might all possess potentially relevant data for the litigation and this needs to be preserved also. The Legal Department should send a Litigation Hold letter to all effected personnel immediately upon the decision to litigate or upon notice of litigation by an outside party on BAM. Assist Legal Department with Meet and Confer Conference The Legal Department will meet with the opposing side to discuss the case and at a point in time, early to the case, will need to come to an agreement concerning the specific type of data that will be requested (.DOC, .XLS, .PDF, .PPT, email, etc.) to be turned over, the limits on that data, and the format the data will be presented. The II will offer this assistance and will recommend

that the requested data be presented in its native format (if possible) for ease of use by all sides. We will also need to work with the Legal Department and the opposing side to develop appropriate keywords in order to conduct relevant and efficient searches of the data. The Legal Department will want to review any data prior to it being turned over to the other side, so II will need to develop a Document Review platform capability (i.e. Concordance, Summation, or Ringtail or the use of a third party vendor such as Kroll Ontrack to host this component with their Inview product). The Document Review platform discussion is beyond the scope of this memo. Examination of ESI After the determination has been made that litigation will move forward, II can schedule the examination of the ESI that we have previously preserved. This detailed examination will consist of a review of many of the types of data you are familiar with from your Law Enforcement examinations, such as the System Registry, unallocated space on the hard drive, and of course active files on the device. We also use advanced tools to create a timeline of all user activity and we are very adept at determining if a user copied files to an external device (thumb drive or hard drive) and if they emailed themselves copies of BAM data to personal email accounts. I have found that the majority of a companys data lose is from the above mentioned means and we will have to adopt policies with the Legal Department and I.T. to try to limit this loss in the future. Expansion of an Investigation In many investigations, the initial examination of the preserved ESI will lead to additional systems that need to be preserved and examined. If these systems belong to BAM, every attempt should be made to secure these systems A.S.A.P. Other locations that might become known to II during the examination include the custodians home computer, personal thumb drive and external

hard drives, and the custodians new employers computer equipment. II will work closely with the Legal Department to identify any of these locations and will detail our findings as to why we need access to these additional systems. Closing I will be glad to discuss these recommendations with you during our weekly meeting on Friday. Please feel free to contact be if you have any questions before then. I know you are well versed in the detailed examination of Digital Evidence from your Law Enforcement experience and I am certain we can get you up to speed quickly with the nuances of Civil Litigation. Please note that the above suggest actions are based on an investigation that is limited to a few select custodians. If II were to receive a request to produce data from a dozen or more custodians, we would have to develop specific protocols that would include the use of sampling, de-duplication of redundant data, and a clearly defined and tested group of keywords to facility an efficient search of BAMs systems.

References Casey, E. (2009). Handbook of Digital Forensics and Investigation (1st ed.). Academic Press. Sedona Conference. (2007). The Sedona Principles: Best Practices Recommendations & Principles for Addressing Electronic Document Production. Working Group on Electronic Document Retention & Production (WG1).