Electronic

Discovery

FOR

DUMMIES

Prepare and
protect your
electronic data
for legal action

A Reference

Rest of Us!

Electronic Discovery
FOR

DUMMIES

RENEWDATA
SPECIAL EDITION

by Ryan Williams

Wiley Publishing, Inc.

Electronic Discovery ForDummies,RenewData Special Edition

Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
Copyright 2007 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
No part of this publication may be reproduced, stored in a retrieval system or
transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, scanning or otherwise, except as permitted under Sections 107 or 108 of
the 1976 United States Copyright Act, without the prior written permission of the
Publisher. Requests to the Publisher for permission should be addressed to the
Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN
46256, (317) 572-3447, fax (317) 572-4355, or online at www.wiley.com/go/
permissions.
Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man
logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun
and Easy Way, Dummies.com, and related trade dress are trademarks or registered
trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and
other countries, and may not be used without written permission. RenewData is a
registered trademark of RenewData Corp. All other trademarks are the property of
their respective owners. Wiley Publishing, Inc., is not associated with any product
or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE
NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETE
NESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES,
INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE.
NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS.
THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITU
ATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT
ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PRO
FESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL
PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE
FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS
REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER
INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE
INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT
MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN
THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRIT
TEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our
Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at
317-572-3993, or fax 317-572-4002. For details on how to create a customFor
Dummies book for your business or organization, contact bizdev@wiley.com.
For information about licensing the For Dummies brand for products or services,
contact BrandedRights&Licenses@Wiley.com.
ISBN: 978-0-470-22607-0
Manufactured in the United States of America
10 9 8 7 6 5 4

Contents at a Glance

Introduction.

Part I: E-Discovery: It's Not a

New Dating Service.

................

Part II: You Mean It's IN the Computer?.... 7

Part III: Getting With the Plan....

17

Part IV: Getting Your Hands On It.

23

Part V: Reviewing the

Fast and Easy Way

Part VI: Making E-Discovery

Results Available

31

....39

Publisher's Acknowledgments
We're proud of this book; please send us your comments through our
online registration form located at www.dummies.com/register/.
For details on how to create a custom ForDummies book for your
business or organization, contact bizdev@wiley.com. For infor
mation about licensing the ForDummies brand for products or
services, contact BrandedRights&Licenses@Wiley.com.
Some of the people who helped bring this book to market include
the following:

Acquisitions, Editorial,
and Media Development
Project Editor: Jan Sims
Editorial Manager: Rev Mengle
Business Development Representative: Karen Hattan

Production
Project Coordinator:
Kristie Rees

Layout and Graphics:

Carl Byers,

Stephanie D. Jumper,

Julie Trippetti
Proofreader: Charles Spencer
Special Help: Trisha Wattier

Publishing and Editorial for Technology Dummies

Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Director, Acquisitions
Mary C. Corder, Editorial Director
Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Publishing for Travel Dummies
Michael Spring, Vice President and Publisher
Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services

Introduction

Discovery is a part of our legal system that allows

parties suing each other to request documents,
interviews, evidence, and other factual items from the
other side to help them build their case. In essence, it
is a tool that is used to help dig for "the truth" about
what happened. Before the information revolution this
consisted mostly of depositions (recorded sworn inter
views of witnesses) and perhaps requests for some
typed memos or accounting records. Government
investigations follow the same principle as the discov
ery process. However, in criminal and regulatory inves
tigations the government is often granted more access
and has more power to investigate and seize electronic
records.
Electronic discovery, or e-discovery, is a term used to
define this process now that we are knee deep in billions
of e-mails and electronic documents like Microsoft Office
documents or other business records. Corporations may
spend millions on collecting, processing, reviewing, and
producing these electronic documents.

About This Book

E-discovery presents a whole new set of rules and regu
lations. As this book will show, virtually every litigation
or investigation may involve electronic discovery. This
means that those in the legal profession need to learn
a lot more about computers than they ever wanted to,
and IT professionals are going to have to learn more

about the law than they ever wanted to. If you are read
ing this book, you're off to a good start.
E-discovery can be a complex process, but this book
has reduced it to its essential components, making it a
valuable tool in understanding the fundamental con
cepts. It tells you what you need to know when you
need to know it. You can read through it from front to
back (it's short, so that shouldn't be too much of a
challenge), or you can go straight to a chapter and
read what you need to know right then.

Icons Used in This Book

It's easy to get sidetracked, so we tried to keep every
thing as focused as possible by adding these icons.
When a critical fact comes up to bear in mind,
this icon reminds you where you saw it, in
case you forget.
When there's a time for a little additional infor
mation, the Tip icon highlights some extra
background.
Sometimes you need a little reminder to keep
you from big trouble. This icon brings that info
to your attention.
Ever get more information than you need from
a Web site or computer expert? Like those
gems, this info is useful, but you may not want
to concern yourself with it at the time. Skip or
indulge as you like.

PartI

E-Discovery: It's Nota

New Dating Service

In This Part

Keeping in mind the principles of e-discovery

How to get started with e-discovery

hen corporations tally the possible costs of pro

ducing electronic documents in preparation for
a lawsuit, many adopt proactive methods for dealing
with this inevitable exercise. Loosely referred to as
e-discovery readiness, this can include documented and
strictly enforced methods of ridding themselves of doc
uments, dealing with Federal regulations on document
destruction, and other legal matters. (Reading this part
is a good first step.)

What To Keep In Mind

with E-Discovery
Electronic data storage generally makes the retrieval of
data much easier for companies and individuals. Just
do a couple of quick searches on a computer, and the
needed information is at your fingertips. It's certainly

better than trying to rummage through an entire ware

house of documents, no matter how well indexed, but
you still need to know exactly where to look.
Part of the ease of moving electronic data around is
that it can exist in several different locations. That data
may also be encrypted, or scrambled by a security fea
ture to prevent prying eyes from gaining access to it.
You may also need a password to access that data.
Done the right way, electronic discovery helps you to
know where data exists and how you can get at it with
a minimum amount of trouble.
The most important part of any e-discovery effort is
obviously the data contained in any relevant docu
ment, including e-mails, text documents, spreadsheets,
digital photos, databases, and the like. These can be
pulled up easily on any computer with basic software,
and they're usually easy to look at.
The question at this point is what exists in those files
beyond just the data they contain. These files can con
tain not only data, but also metadata, that is, informa
tion about these files that can prove useful during an
e-discovery process or investigation. These files can
tell you when they were created, if and when they were
altered, and who made those alterations. To para
phrase a famous quote from the Watergate era, these
files can make it clear who knew what and when they
knew it.
it's important to keep track of who had access
to these files and what changes might have
been made, up to and through the e-discovery
process. Those involved in the process have
to make sure that these files keep this addi
tional metadata intact and valid as evidence.

This means keeping exact copies of the data in

its original form, and working on these copies
to maintain the validity of the original.
Electronic data can exist within a variety of sources
above and beyond a single computer or a company's
server. You need to look at portable storage devices,
such as a portable hard drive stored in a briefcase, a
small flash memory drive on a keychain, or even some
body's personal iPod. You have to account for cell
phones or PDAs of all varieties, and you also have to
find out where and when these devices were used.
Electronic data can exist anywhere there's room for
storage or a connection to a larger network.
Most smart companies or individuals do thorough
backups of their data at an off-site storage facility to
make sure their valuable information is protected from
both accidental (or intentional) deletion or more physi
cal dangers like fire or flood. Whether it takes the form
of a few CDs or DVDs stored elsewhere or a profes
sional service that stores tape backups of a large
server system, you typically need to get your hands on
those as well.

Getting Started with the

E-Discovery Process
Although you need a lot less space than you would if
you were sorting through banker's boxes full of paper,
you're still going to need plenty of time to search, even
with modern tools and a working knowledge of how to
search for keywords and phrases. Depending on the
complexity of the situation, you may need to bring in
some outside assistance to help manage your search.

Trained professionals can make sure that the data is

properly maintained and ready for use in your case.
E-discovery follows some basic phases in any case, and
this book walks you through each one to help you get a
good overview of the process. The e-discovery process
includes:
1. Planning: Meeting with all involved parties,
searching for key terms in the available data, and
cataloging available sources of information (see
Part II)
2. Preservation and Collection: Performing investi
gations on the available data and retrieving infor
mation from computers, tapes, and other sources
(see Parts III and IV)
3. Processing: Culling through the retrieved data for
pertinent information and removing any duplicate
or irrelevant entries (see Part V)
4. Review: Deciding the best way to present the
information found and making sure it is available
in that format (see Part V)
5. Production: Actually exchanging or transferring
that information (see Part VI)
The rest of this book takes you from the start (looking
for data) to the point where the data is ready to pre
sent in a case.

Part II

You Mean It's IN the

Computer?

In This Part
Looking at common sources of electronic data
Examining relevant data found in those sources
Catching onto e-discovery technical terms

orporations need to be able to store and retrieve

literally billions of electronic documents. First,
each employee likely has their own personal computer.
Employees create dozens of records per week, and that
number is on a sharp rise. According to the Radicati
Group, 64 billion person-to-person e-mails and 10 bil
lion instant messages (or IMs, for those who don't
have children) were sent per day in 2004. By 2008,
that number is expected to be 103 billion e-mails and
43 billion IMs per day.
When litigation is pending, it's time to find all of the rel
evant electronic information and preserve it because
some of it may need to be available to both sides of the
dispute. This chapter helps you know what to look for
and the formats it's likely to be in.

That's One Big Filing

Cabinet...
These documents are stored on the individual's com
puter, and should litigation arise that could pertain to
this data, often these computers must be preserved,
searched, and relevant documents produced. Also,
every employee is likely connected to each other
through a corporate network that strings together all
of the computers so that documents can be shared.
Because these networks need to have their own
storage for example, to allow teams to collaborate
and to collect corporate data on customers or their
financial reports network servers are used as stor
age and hubs to route data to various employees.
Because these network servers are absolutely vital to
the survival of a corporation, they are backed up onto
backup tapes regularly. These three sources PCs,
network servers, and backup tapes comprise the
most common places electronic documents exist.

Personal computers (PCs)

E-discovery is often focused on the information stored
in a PC (a term that in this book includes Macs), most
likely on the hard drive, which is sort of like the brain
of the computer, where all of the data and programs
reside.
Without getting too far into hard drive mechanics, you
need to know that the data is stored magnetically on a
spinning disk in rings called sectors. Individual chunks of
data are stored on those sectors in units called clusters.

These clusters and sectors are arranged to maximize the

speed a computer uses to find the information, not nec
essarily the easiest way to piece together files that have
been deleted or corrupted (rendered unusable through
hardware or software malfunction).
Even when a program or file is deleted, that
information doesn't automatically go away. It
just means that the computer is given permis
sion to write over the cluster in the future.
The easiest way to get a copy of a file is just to move the
file from one source to another. That gives you a copy of
the file itself, but it doesn't always preserve the records
of how that file was changed or altered. Programs such
as Norton Ghost can copy the contents of an entire hard
drive, just to make sure you didn't miss anything. This
doesn't create an exact clone of the hard drive, though.
To do that, you need either a program or service, such
as EnCase, that can preserve the exact state of a hard
drive (copying exactly the data and state of each sector
and cluster).

Network servers
Network servers are basically larger computers that have
been configured to serve as storage space connected to
either the Internet at large or smaller, company-based
networks called intranets. A server receives requests
from PCs and other devices (known collectively as
clients) and either shows data or stores it for future use
on its hard drives. Servers may be located either on-site
or at a remote location it's not uncommon for a com
pany to rent space from another company and store the
information there.

10
Servers can contain more than just documents
or e-mails. Servers can also handle databases,
voicemails, FAX transmissions, and other
types of data. To hold all this data, a typical
server may use several hard drives.
Servers can either see these hard drives as
one large hard drive, or they can use each
hard drive to make exact copies of the data
on several drives. In case one fails, another
has the data ready to go. Make sure you have
access to all the server hard drives when car
rying out e-discovery.
All hard drives will eventually fail. It's the
curse of any machine that includes moving
parts. Most last for several years, but disaster
could be around the corner at any time. That's
why it's important to get to data as soon as
possible and keep backups of all important
data.

Tape backup
Tape backup is usually the last line of defense against
the loss or destruction of data. Magnetic tape is used
to record the data stored on the servers (usually once
every twenty-four hours, at night when network usage is
slow), and these tapes are then stored off-site to prevent
them from being destroyed in any traumatic event that
might physically destroy the servers. In the event that
they must be used, the correct tapes have to be found in
the correct order to restore the data. This information
can also be stored in its raw format (the same size) or
its compressed format (data technology is used to store
more information in the same amount of space).

11
The tapes also have to be used in the same type of
machine as the one that created them. You can't just
connect them to any computer and pull the data off of
them. For that reason, backups are usually handled by
either a company's IT department or an outside vendor
only. Outside vendors, such as RenewData, can extract
data from tapes quickly and easily, even if the tapes are
incomplete, out of order, or damaged.

Other sources of data

In the never-ending quest to make data more portable
and accessible (or to further chain you to your office,
depending on your point of view), modern technology
makes it possible to carry data around on a multitude
of devices. Some are capable of actually creating, modi
fying, and deleting data, while others simply act as
storage devices.
Blackberries and Smart Phones: These devices
are essentially small computers coupled with net
working technology that allows them to transmit
both voice and data over wireless communication
lines. They can often hold the same types of data
that PCs do. In addition, they can carry records of
calls and data transfers made.
External Hard Drives: These devices are normal
hard drives freed from the confines of a desktop
or laptop. These are used for either moving data
around physically (affectionately known in tech
circles as "sneakernet") or making backup copies
of data. They connect to PCs via either a USB or
Firewire connection, which are common port
types.

12
Flash Drives: These tiny devices (also called
"thumb drives") use flash memory, a smaller type
of storage medium than the spinning disk in a
hard drive, to store information. They're easily
portable and can pass easily from computer to
computer.
CompactFlash and other card memory: These
devices are often used in cameras, video
recorders, cell phones, and other portable devices
to store information such as pictures, music, or
other small files. These typically function with
specific devices, and they don't often show up in
PCs or laptops.

Finding Relevant Data on a

Computer, Server, or Backup
The first step involves both sides agreeing on exactly
what information is "relevant" to the case. This can be
a complicated process, and several law firms and ven
dors (such as RenewData) specialize in facilitating
these kinds of meetings, known as a meet and confer.
For example, in the case of marketing companies
accused of price-fixing, this meeting could result in an
agreement to produce any electronic document con
taining the keywords of "base price," "rate" and "$200."
From there, whoever is handling the recovery of the
data must produce those documents (and document
and testify as to how these documents were found and
produced). This must happen in a forensically sound
way (that is, making sure the data doesn't get contami
nated by outside influences during the investigation),
just like conducting a DNA test in a criminal case.

13
It's also important to produce the smallest possible
amount of relevant data possible. That may sound
counter-intuitive, but it actually aids the investigation
efforts. As you might expect with a keyword search
like this, a great amount of data might be returned,
including several duplicates of the same information.
E-discovery vendors and software minimize duplication
of information (and the time and effort needed to weed
through this information) to facilitate the presentation
of this information.

Tech Terms You Never Had to

Worry About until Now
You're most likely already familiar with various types of
files and folders created by standard business software
applications. Yet you're bound to hear some technical
terms discussed when you get into e-discovery, and
unless you've spent a lot of time around computers and
data recovery, you may be baffled by some. The follow
ing list helps you become a little more familiar with the
technobabble you may encounter:
Analytics: Imagine a case where there are 1 tril
lion pages of electronic documents. It would take
a building of lawyers 10 years to review it all! In
this case, in order for lawyers to perform a review
of these documents for relevance, confidential
information, and attorney-client privilege, they
can load all the documents into an "artificial intel
ligence" tool that can mathematically analyze the
documents to find a smaller subset that is more
likely to be relevant. Attenex is the most popular
tool for doing this.

14

Backup: As discussed earlier in this part, most

backups are done on tapes because they are
cheap and the likelihood of a disaster is low, so
they won't likely be used again. However, most
office workers have felt the pain and agony of a
failed hard drive (known as a crash), and they've
taken to backing up their own data. This can take
the form of portable hard drives, flash drives, or
CDs and DVDs burned with copies of these files,
which is a great way to preserve original data.
However, that means that legal teams may have to
run around and collect a hard drive and all of the
backups the person ever made of that informa
tion. They don't call it "leg work" for nothing.
Hash: Just as every car manufactured has a
unique VIN number that helps authorities keep all
of the blue BMW 325i's separate, each electronic
file has a unique hash value. This hash value is
created by applying a mathematical formula to the
contents of a file to arrive at a unique "thumbprint"
of that file, expressed as a long series of alphanu
meric characters.
Load File: After the lawyers have looked at all the
documents and blacked out the confidential sec
tions, they could just print out all the documents
and send them to the other side in boxes, a
process called blowback. However, with the quan
tity of documents created these days, that could
be ten trucks full of documents costing thousands
of dollars to print (and causing the unnecessary
death of innumerable trees). So, lawyers use a
load file to send DVDs to each other with these
blacked-out documents in a searchable format.

15
Metadata: As briefly explained in Part I, this term
translates to essentially "data about data." For
example, in the case of an e-mail about the price
fixing, the metadata would include Date Sent
and who was in the To: and From: fields. It may
even include the folder the data was kept in. If a
price-fixing e-mail were kept in a folder called
"CYA," that could be important in helping a judge
or a jury determine what a person's mental state
was when he or she kept a document. Metadata
may also include any tracked changes within a
document to prove when something was altered.
Native Data: If data hasn't been changed from its
original format or file type, it's known as native
data. The file hasn't been altered, and it's opened
up by the software that created it. Other varia
tions of data include paper (files printed out) or
semi-paper (files printed out with associated
metadata, like time and location of creation and
other details).
PST/NSF: A PST file is created in the Microsoft
Outlook e-mail program. It is basically a way to
compact a bunch of e-mails into one file. Users
and IT pros alike use PSTs to back up or archive
their e-mail folders. The Lotus Notes version of
this is called an NSFfile. They are called PSTs and
NSFs because of the alphabet soup that follows
the files when they are first created. For example,
a PST filename looks like f r a z i e r e m a i l . p s t ,
and an NSF file looks like j a k e s e m a i l . n s f .
These files are created automatically by the pro
grams, but the exact parameters of how e-mails
are stored in these files is up to the company.

16
PST and NSF files are the most common for
mats used in corporate e-mails. However,
when you're using Web-based e-mail services
such as Gmail or Hotmail or other mail pro
grams such as Mac OS X Mail, you need to
take those into account and find out more
about these services. In some cases, you need
passwords or other methods of access.
TIFF (Tagged Image File Format): You're probably
used to seeing TIFF files of digital photos, say
from your last vacation. In e-discovery, this file
type contains an exact image of a printed docu
ment, so that it exists as data viewed on a com
puter screen and not on paper. For example, if
your side of a case has a Microsoft Word docu
ment with a secret recipe on it that needs to be
redacted (blacked out) before sending to the
other side's lawyers, the document can be made
into a TIFF image, basically a photograph of the
page, so that the secret formula can't be digitally
uncovered.

Part III

Getting With the Plan

In This Part
Deciding what to keep and what to delete
Keeping the right records for the right
amount of time
Running a "meet and confer" session
Choosing the right person or company
to recover the data

f reactive e-discovery is a "root canal," then proper

planning is "brushing and flossing." As soon as you
know that an investigation or litigation is on, the next
step is to create a plan to preserve, collect, and pro
duce the electronic documents in question and make
sure that they can stand up under the rule of law. This
plan needs to take into account all sources of available
data and decide how that evidence can be produced to
be the most useful for all sides.

How Much Should Be Kept)

Deleting an e-mail may seem like the virtual equivalent
of running a document through a shredder. Once it's
gone (and any backups have been done away with), it's
difficult (if not impossible) to retrieve the data in that

18
communication. And although it's easier to store elec
tronic information than maintain a warehouse full of
paper documents, there's still a finite limit on how
much information can be stored (and how many hard
drives or tapes you can afford to maintain).

Federal regulations
Some professions, like the trading of stocks and securi
ties, are subject to federal regulation. In that case, the
rules for retaining data are clearly set forward (or as
clearly as federal law can be laid out). Stock brokers are
required by the Securities and Exchange Commission to
retain all e-mails between their clients and themselves
for three or six years, depending on the content of
those e-mails.

Sarbanes-Oxley
So what to do with industries that aren't subject to these kinds
of federal regulation? The Securities Exchange Acts of 1933
and 1934 set the foundation on how to handle most of these
cases, but Congress decided to punch these rules up a bit
with some more "teeth" in the wake of the scandals that
surrounded the implosion of companies like Enron and
WorldCom. Enter Sarbanes-Oxley, the regulations that pro
vided "teeth" like jail time and other sanctions for the misuse
or destruction of data and other information. This obviously
raised the stakes on making sure that relevant data is main
tained and made available in case of litigation. Not only must
the owner of that data prove that all the data has been pro
vided, but it must also prove that none of the information was
intentionally deleted or removed before the proper time.

19
See SEC 17(a)(4) for more information on this
subject.
Stockbrokers who are particularly attached to their
licenses will abide by these regulations and keep these
e-mails for the appointed time. There are similar regula
tions for other industries like health care (HIPAA regu
lations) and energy, and it's a good idea to refer to
those specific regulations for more information.

Normal corporate practices

If a corporation or individual has data that isn't gov
erned by a specific regulation, it's usually up to that
corporation to set up a reasonable document retention
policy that is both published and enforced. The com
pany has to decide how long it can keep documents
(both electronic and printed) in storage, and when and
how those documents can be disposed of. Once a com
pany establishes its guidelines, it has to follow them
exactly.
For example, a company states that it will keep all
e-mails employees produce and receive for 30 days, and
then it will remove those e-mails from its servers and
backup files. As long as the company follows this proce
dure religiously, it'd be okay following this guideline.

Litigation Holds
The policies discussed in the previous section go out
the window when any threat of litigation occurs. At
that point, anything related to future litigation must be
retained. Deleting that information can result in sanc
tions against the company or individual. The rationale

20
for these sanctions is that you can't have a search for
the truth if the documents are destroyed, and it is
impossible for one side to make their case.
It may be a little hard to attach an exact start date to the
preservation period, but it's always better to err on the
side of caution. In this case, it's vital to make sure that
not only is the document retained intact, but that all the
information surrounding that document (when and how
it was created and altered) is retained as well. It's not
enough to just notify all employees that they have to
keep these documents. The company must actively
move to retain these documents and make sure they
stay intact. (Part IV covers this in more detail.)

Getting All Sides Together

The Federal Rules of Civil Procedure (FRCP) govern how
discovery should proceed, and they were amended on
December 1, 2006 to give guidance on how electronically
stored information (ESI) fits into the discovery process.
The "meet and confer" meeting is mandated by the
revised FRCP 26(0, which requires meetings between
all involved parties to confer about the issues related
to e-discovery early in the case. The main points
judges usually like to see covered include what formats
the data will be presented in, what to do about acciden
tal disclosure of privileged information, and where ESI
is stored.

Data formats
Part II explains what constitutes native, paper, and
semi-paper data. All have their advantages, and all lack
something another format is stronger in. For that

21
reason, you need to take into account all considera
tions when deciding what format to render the data in.
If there's a concern about when and where the files
were created, you want to preserve all of the associ
ated metadata, so an electronic format might be more
appropriate. If everybody is just concerned over what
information is present inside the actual e-mail or docu
ment, a paper copy might be appropriate. Electronic
images, paper, or semi-paper sources may also be bene
ficial if data had to be extracted from a larger or
unwieldy source of information, such as a database or
encrypted server. Information like that can't just be
opened in a PC without some undue effort.

Choosing a Vendor
Chances are that, unless you're working with a firm
or office that's already had a great deal of experience
with e-discovery, the actual process of dealing with
electronic data might be beyond the scope of your
expertise.
Keep in mind that the consequences for mis
handling electronic data are quite severe. It's
important to make sure that whoever handles
the process does so correctly.
In most cases, it's a good idea to let somebody outside
of the corporation handle e-discovery. When a third
party handles the collection and processing, it can ben
efit the investigation in two ways:
A vendor expert testifies in this case, not a corpo
rate employee
Any anomalies in the data can be explained with
more credibility than somebody involved in the
process.

22
Choosing a vendor is dependent on the needs of the
case. If the vendor can't handle backup tapes, then it
won't be able to help a case involving a multiple stream
server backup for a large corporation. Then again, a
vendor might be overkill if all that's involved is a few
e-mails and a Word document.
Part IV explains exactly what third-party vendors can
add to the security of the e-discovery process and how
to determine who pays for their services.

23

Part IV

Getting Your Hands On It

In This Part
Understanding common e-discovery legal terms
Notifying involved parties about the need
to hold evidence
Taking possession of the electronic
media responsibly
Figuring out who foots the bill

At

this point in the e-discovery process, it's obvious

that everybody involved needs to act quickly in
order to preserve as much data as possible, either to
help your case or to prevent somebody else from hurt
ing your efforts. Time and communication are essen
tial. This part helps you understand the processes of
preserving and gathering the data and their associated
jargon.

Getting a Grip on LegalTerms

For the layperson, legalspeak can be as intimidating as
(or even more than) techspeak. Following are some of
the terms you may run across on the legal side of the
process:

24
Preservation: The preservation process is a criti
cal part of e-discovery. As soon as a party such as
a company realizes it is under a duty to ensure
that documents are not destroyed, it must under
take preservation steps to avoid deleting data.
This may mean making a special copy of a
person's hard drive, or putting backup tapes in
safe storage in case they need to be searched
later. Again, this must be an active and affirmative
process. Just a passive warning to the employee
isn't enough.
Spoliation: When preservation is not done cor
rectly, spoliation occurs. Technically, spoliation is
a basis for a lawsuit when one party accuses the
other of allowing evidence to be changed or
destroyed. The party suing may allege that it
cannot make a case now, and should thus win the
case by default out of fairness. This includes
everything from maintaining the integrity of the
date to monitoring who has access to the evi
dence and what they've done (or not done) to it.
Adverse Inference: When one party is alleging
that another party allowed evidence to be
changed or destroyed, it may ask the judge to
issue an "adverse inference" jury instruction. This
means the judge tells the jury they may infer that
the destroyed evidence was harmful to the party
who allowed the destruction. The law gives the
benefit of the doubt to the party who wasn't
responsible for the destruction.

25

Sticking to the Plan

Part III explains the need to make a plan, but it's impor
tant to follow through at this point. Deviating from the
agreed-to course of action could mean invalidating your
efforts and leaving you with a useless pile of ones and
zeros. If a party has control of the evidence, demon
strates either a negligent or intentionally destructive
mindset, and destroys relevant information (willful
destruction automatically means the data is relevant),
spoliation has occurred and sanctions could result.
Consequences may range from the sanctions
of a judge to professional or criminal disci
pline and fines to the "death sentence" of dis
missal or a default or summary judgment.

Sending Out the Notice

Once a duty to preserve arises, the legal team must
send out a notice to all affected that they cannot delete
records that may be relevant to the matter. This step is
often called a litigation hold. A famous case known in
the trade simply as Zubulake (after the litigant) con
tains some key points about the duty to communicate
this hold to the "key players" directly and repeatedly,
and not just by one casual e-mail.
Once the litigation hold notices have been
issued, it is incumbent that all efforts be made
to actively preserve the data in question. It's
better to err on the side of caution and pre
serve anything that could remotely concern
the matter at hand.

26
Zooming in on the Significance of Zubulake
Laura Zubulake was a stockbroker who worked for UBS

Warburg. She alleged that UBS did not promote her due to

her gender. UBS Warburg was not able to preserve or pro

duce their electronic records to the judge's satisfaction, and

eventually Zubulake was awarded nearly $30 million dollars.

The seven opinions written by the judge during this case are

a full analysis of the issues surrounding e-discovery, and the

duties on the parties.

Taking Possession of Equipment

and Forensics
In the case of a fire due to a frayed wire, the fragments
of the frayed wire would need to be collected and pre
served, perhaps by a neutral third party, or at least in
a safe place where it cannot be tampered with. If the
"frayed wire" is an ill-advised e-mail, the same rules
apply. Because e-mail can be easily altered an e-mail
saying "please alter these financials to show more rev
enue" can be changed to "please alter these financials
to print on one page" with a few keystrokes perhaps
with electronic data the need for taking possession of
evidence quickly is even greater.
Also, with hard drive crashes, viruses, autodelete and
cleanup programs, and normal corporate shredding and
deletion of records, the need is even more apparent.
Even a highly professional IT department occasionally
has to deal with an unfortunate crash or physical loss of
data, and a backup may not be available for perusal.

27

Gathering data with minimum fuss

It's not really feasible to take all sources of data off-site
immediately and expect employees to continue func
tioning. Some businesspeople have been known to
exhibit strong symptoms of withdrawal when forcibly
separated from their Blackberries, after all. Because
people cannot be productive without their PCs, phones,
and other electronic devices, many times a forensic
image can be made of a PC, server, or other electronic
storage media. This process results in an exact "bit-by
bit" replica of a hard drive.
This image gives a much more complete picture of the
computer than just what can be burned off to a DVD or
put on an external hard drive (you should still ask for
those backups as well, though).
Even if the hard drive doesn't seem to be
working, it should still be examined. This can't
be done in an office, though. Forensic exami
nation of a "dead" hard drive requires the
attention of trained professionals in a clean
room environment. Trust me, even your neatfreak co-worker's office doesn't qualify.
Programs are available to create forensic images of
hard drives in the office, or you can entrust this matter
to a third party.
It's easy to focus on the main computers in
an office, along with servers and even smart
phones. In today's world of multimodal com
munications, there's always more, however.
Don't forget to check for electronic faxes,
voice-mails, digital audio and video record
ings, and other potential sources of informa
tion, such as instant messaging archives or

28
cell phone logs. These data sources may con
tain not only actual information, but also
metadata on these files as well.

Establishing the chain of custody

Once the "frayed wire" or forensic image of a PC is col
lected, where it travels and who has control of it is of
key importance. To be admissible in a court of law, a
clean line of possession must be established to make
sure that the data remains valid and inviolate. Every
person who had even the slightest amount of access
to the evidence must be documented and vetted.
Here's where a third-party vendor comes in handy. That
vendor has been cleared by both sides, and it most
likely has a sterling reputation when it comes to han
dling and preserving data. The vendor needs to take
possession of the potential evidence as soon as possi
ble in the investigation and should document every
step performed in its evaluation to prove that the data
was not inadvertently changed or modified. These steps
may include any or all of these actions:
Providing physical security of the media
Documenting all details about the media
Tagging each piece of original media
Storing each piece of original media correctly,
keeping it safe from harm
Tracking and documenting each use of the media
and when it was accessible
Using forensically sound technology in imaging of
original media

29
A good vendor takes all of these steps to ensure that
your data remains intact and admissible in court.
Remember, those individuals performing the work are
just as liable to be called in to testify about their work
as those involved in the original disagreement. A federal
test known as the Daubert Standard allows judges to
determine whether the testimony of an expert witness
is admissible. Taking the proper steps (and making sure
that both sides agree that the proper steps are being
taken) ensures that you get usable results.

They're jamming our signals!

Plenty of tools are available to even nontechnical
laypeople for obscuring data. Whether it's simply over
writing an entire hard drive with ones and zeros or
using disk encryption built into many operating sys
tems or more active tools, anyone bent on concealment
can choose from quite a few methods to hide informa
tion from prying eyes. Such attempts to obscure data
can complicate matters, but forensic data recovery
professionals may still be able to piece together usable
fragments of data from the wreckage.

Deciding Who Picks

Up the Check
Whether you use an in-house program or a third-party
service, e-discovery is not an inexpensive process.
Somebody has to pay for the work done, and parties
to litigation are not always on the same page when it
comes to shelling out money. Most cases take a look at
several factors, including:

30
Ability to pay
Which party will benefit more from e-discovery
Exactly what data is being requested
Cost of recovery versus the amount involved in
the controversy
The importance of the information in question
The likelihood of finding relevent data
The purpose of the requested data
Whether that data can come from another source

31

Part V

Reviewing the Fast

and Easy Way

In This Part
Removing duplicate documents from the evidence
Evaluating the results of de-duplication and culling
Tagging relevant documents for later
Removing or redacting privileged information

f you've ever searched for a generic term, such as

"dogfood," on Google or a similar search engine,
you've already demonstrated to yourself the need for
precise keywords and searching techniques for search
ing out relevant information. The phrase "Feeding
Needs for Grand Pyrenees" will likely gather better
information for your special pet's diet, and will also
keep you from dealing with all manner of unnecessary
data.
In e-discovery, it's even more important to reduce the
amount of information that must be addressed by
legal teams (who cost more than a Google search, after
all). Using automated tools to cull only relevant files
and then to review them eliminates wasted time and

32
produces necessary information with a high degree of
accuracy, making it a valuable use of time and money.

De-duplication and Cutting

Eliminating duplicate documents from the pile of data
you're reviewing is called de-duplication. Culling is
cherry-picking the most useful documents out of the
pile and discarding the rest. You know the drill: In
today's so-called paperless office, you're likely to find
about six different incarnations of the same memo elec
tronically from a rough word-processed draft to the final
version sent out as e-mail to 12 team members. The
rough drafts are probably not at all helpful and you
don't need a dozen copies of the same memo. Typically,
only the final draft that was sent by someone important
on a date relevant to your e-discovery case matters.
You can choose among several ways to approach the
de-duplication process; the best way depends on those
parties involved in the case and what you're looking
for. Take a look at the options and consult with either
your legal team or your third-party vendor to decide
which approach is the best for your investigation.
No de-duplication: You get everything included,
with no effort to sort through the material or
determine its relevance. If you're looking at a
single machine or user with limited access to a
network, this could save you some time and
money. But for a more complex case, it's not terri
bly efficient.
Within target user: Also known asintra-user
de-duplication, this process sorts out relevant
information from documents, e-mails, and other
assorted records associated with a single person.

33
If you're sure that the focus of the investigation is
restricted to a single individual, this process will
get rid of a lot of information for you.
Within folders or directories within target
user: This process is also called intra-folder deduplication, and it represents a more focused
effort to find information. If the focus of the inves
tigation is restricted to incriminating e-mails
received or originating from a single user, this
process can further reduce the amount of data
you deal with by keeping the focus on the relevant
topics.
Global de-duplication: With this broad approach
to de-duplication, all users' e-mails and user files
are culled, and only one instance of each message/
user file will reside across all target users. This
does generate a large amount of data, but at least
you'll have some information to ferret out the more
useful documents.

Reviewing Results
Now that the vast mountain of information has been
reduced to a few profitable veins of evidence, the con
cerned parties can begin searching through the results
to see what actually goes into the case. Attorneys used
to sit in large rooms with these huge boxes of paper
and read each document, using magic markers and
stickers to code documents. Today, this is all done
online, either over the Internet or using software within
a law firm's or corporate network. It saves time and
effort, but it seems to have cut deeply into the profits
of various food delivery services. Somewhere, a pizza
shop owner is crying.

34
Establishing procedure
There are no exact standards for electronic review. The
tools available may use different methods of presenting
information, and some firms even refuse to perform
extensive reviews, citing cost and comfort issues.
Others just use the search functions loaded on their
computers' operating systems. If it's a small review,
that might be enough. If a legal team is sorting through
hundreds upon hundreds of pages or documents, it
may be time to consider a larger plan.
In the case of such larger plans, it's important to look
at the best way to maximize the time spent while estab
lishing your priorities. It's also important to set up an
appropriate schedule for this review to keep from
delaying matters, and to assure the relevance and qual
ity of the information produced. While there aren't
established standards, there are experts that can help
plan and execute this process. If you're feeling over
whelmed, it may be time to look one up.

Holding back on some info

After the relevance of the information has been estab
lished, you need to look for other factors that might
keep them from being used in your case. Companies
may have any of several major reasons to hold them
out, and they revolve around their legal nature.
Responsiveness: If a document is deemed non
responsive to the issue, it might be time to dis
card it and move on to more important docu
ments. Conversely, a document or e-mail marked
"Responsive" should be moved to the head of the
list for use in the case.

35
Privileged: If a document falls within the domain
of attorney-client privilege, it must be excluded or
redacted during the review process.
Confidential: This refers to trade secrets or other
information that shouldn't be revealed because
it could affect the livelihood of an individual or
company.

Choosing whether to remove or redact

It's up to the attorneys at this point to determine
whether a document must be withheld entirely or
simply redacted (blacked out) to remove controversial
information.

Preserving the tweaks and deletions

Although the production of native files is sometimes the pre
ferred method of producing electronic documents to the other
side, you must consider that information you may not want to
share could be seen by the other side by simply viewing track
changes. For example, when documents on the operation of
the Coalition Provisional Authority in Iraq were released to
the public, the files were released complete with the track
ing changes information. Reporters simply had to enable the
"Track Changes" function in their word processor to see what
information was added, removed, or rephrased before it was
opened for the world to see. Needless to say, that kind of
information could prove embarrassing (or damaging) if it were
given out unintentionally.

36
Remember that PDF or TIFF files are easier to
redact than native files. Native files may con
tain tracked changes or metadata that could
inadvertently reveal confidential or privileged
information.

Tagging and Bagging

The review process is also the time to identify and
group documents and files based on their contents.
Tagging each file with identifying characteristics such
as "Price Fixing," "Rate Negotiations," "E-mails,"
"Spreadsheets," or other keywords makes it easier to
locate and search out what you're looking for in prepar
ing the case. This tagging can be accomplished either
manually or by using software-based tools. Using ana
lytic tools that apply algorithms based on content to
group similar documents and cull out potentially rele
vant or privileged documents, lawyers can get through
thousands of documents per day.

Available Toots
Whether you're doing e-discovery in-house or hiring a
vendor, you'll want to become familiar with the software
tools that are available to aid the review process and
reduce eyestrain from computer monitors and the
amount of time spent. Each one has its own advantages
and appropriate uses.
The following list gives an overview of four common
e-discovery applications:

37
Summation is one of the most common tools for
performing review. It allows for linear, or docu
ment-by-document, review. This tool is most often
installed within the network of a law firm or cor
poration, and it's ideal for smaller reviews.
Concordance is the major competitor to
Summation, and it also conducts a document-by
document review. This tool is ideal for smaller
reviews, and the software can be housed easily
within a corporate network.
iCONECT helps users to do a "native review" of
the important documents, enabling them to view
the files themselves. This procedure can provide
more information than just a TIFF image of files.
This approach means that customers can save
money by converting into TIFFs only those docu
ments that will be actually produced and used in
the case, as opposed to all documents that need
to be reviewed.
Attenex is a state-of-the-art native review tool that
utilizes complex algorithms to categorize data and
interactive visual clustering to speed review and
improve analysis or case assessment. Imagine
seeing a keyword or tag on your screen, with
actual lines drawn to relevant information. Attenex
provides that kind of picture during the review
process. Attenex literally means "At Ten X" (where
the X stands for "times") because it can help con
duct a review at ten times the speed of a linear
document-by-document review.

38

Part VI

Making E-Discovery

Results Available

In This Part
Distributing the data to clients and investigators
Deciding between native files and images
Using additional resources in your e-discovery
process

Now

that the hard work has been done and the data
is ready to be distributed to all involved parties,
it's important to decide how that data will be presented.
A lot of this has probably already been decided by this
point, because of decisions on whether to preserve
metadata and other information about documents aside
from the original content.

Getting Data to Clients

and Investigators
Don't worry about having to pack banker's box after
box with the information you've come up with during
the e-discovery process. All of the data can probably be
shipped on a hard drive, DVD, or even via the Internet.

40
Many hosted online review tools now can easily be con
figured to allow clients, investigators, and even adverse
parties to simply log in to the review platform to see
documents. Basically, the legal team's IDs are set up to
allow them to see all fields and documents, and the wit
ness or adverse party's ID is set up to be able to see
only small subsets of data. This approach cuts down on
the cost of smaller productions that happen through
out discovery.

Knowing When to
Go Native or Not
As discussed in Part II, native data simply means the
actual computer file in its original state. So for a
Microsoft Word document called memo.doc, a native
production would mean sending a CD with the file on it
rather than a TIFF image of that file. This approach is
advantageous because it saves money by not having to
convert the document to an image, and it preserves all
metadata. However, there are technical challenges
regarding being able to redact, label, or tag a native
document, because doing so would alter the metadata
such as "last modified date." Native data should be
used only when its attributes are specifically required.
Otherwise, it might be more advantageous to use a
format such as TIFF or PDF files, as explained in Part V.
They present an image of the document that contains
the information, but it's also easier to redact and con
trol once it's out of your possession.
No matter how it's presented, remember that
only the information that needs to be distrib
uted should be made available. Not only can

unintentional production cost time and

money, but it could endanger your case.

Further Resources
Despite the extraordinary introduction to e-discovery
you've received in this book, it can be helpful to check
the Internet for more information on this subject. Just
like technology itself, the laws and decisions regarding
technology are constantly changing and evolving, and
it's important to keep on top of it. These sites can help
keep you stay up to date.

Sedona Best Practices Guidelines

The Sedona Best Practices Guidelines are put together
by the Sedona Conference (http://www.thesedona
c o n f e r e n c e . o r g / ) , a group of legal experts that
engage in regular dialogue about complex legal issues
involving anti-trust and intellectual property issues.
The guidelines are a result of the Working Group Series
founded in 2002, and it represents the best efforts to
discuss and evaluate the evolving nature of legal mat
ters. You can find a great amount of guidance from
their Web site and associated publications.

EDRM
The Electronic Discovery Reference Model (EDRM) is
available online at http://www.edrm.net/, and it
represents a clear path to evaluate and maintain the
integrity of electronic data. The EDRM site helps formal
ize what was once a muddied and unclear process. By
firmly identifying steps to be used in the e-discovery
process, this project helps retain the integrity of elec
tronic data and helps ensure that it will be admissible in

42
courts, no matter where the location. Current projects
include working on keeping the process relevant and
updated, setting forth a clear and voluntary code of
conduct for those involved in e-discovery, and docu
menting the use of metrics data in e-discovery.

RenewDataWeb site
To find out more about e-discovery, you can visit the
e-discovery Resources section of the RenewData Web
site (http://www.renewdata.com). This section
contains dozens of archived expert panel webinars,
peer-reviewed articles from legal journals, and news
updates on e-discovery. You'll also find reference cards
and interactive risk calculators, and you can sign up
for an e-discovery newsletter. For a demonstration of
online review tools, including Attenex, you can send an
e-mail to info@renewdata.com.

43

Notes

What if you could have it all?

Planning

Archiving

Preservation & Collection

Analytics & Review

Processing

Production

One Solution Provider. One Secure Facility.

www.renewdata.com
Copyright 2007 Renew Data Corp. All rights reserved. RenewData, the sphere logo and ActiveVault are registered
trademarks of Renew Data Corp. All other company and product names may be trademarks of their respective owners.