By Craig Ball

It’s challenging. It’s expensive. But it’s the single greatest litigation advantage for plaintiffs’

counsel willing to learn the ropes and aggressively assert their clients’ rights. It’s electronic data

discovery (EDD).

The world has changed, and the traditional approach to discovery--casting the widest net and

poring over bankers boxes of documents--is history. Most of the evidence in your case isn’t on

paper and never will be. The volume of discoverable electronic information is exploding,

growing at a rate that makes paper review unthinkable. Although data volume depends on the

case--with a car wreck case generating less data than a pharmaceutical products liability class

volume affects every case.

Getting discoverable data and making sense of it requires plaintiffs’ counsel to gain an

understanding of where digital evidence lives, the forms it takes and how it’s preserved, altered

and destroyed. It also entails learning as much as you can about the architecture and

operations of the defendant’s systems and networks, and how the key players—such as those

whose conduct forms the basis of the contemplated claim or suit—interact with a fast-growing

universe of digital devices and data repositories.

Plaintiffs pursuing electronic discovery face entrenched ignorance and outright obstinacy.

Evidence on paper was never destroyed and suppressed with the ease and frequency seen with

electronic evidence. Folks who wouldn’t dream of shredding paper files hit the “delete” button

without a moment’s hesitation.

One EDD challenge is that foxes guard the henhouse. The common practice in large

organizations is to issue a “litigation hold” notice to employees instructing them to retain and

segregate relevant electronic evidence. This is the starter pistol for the race by those with

something to hide to delete it as quickly as possible. Though motivated to hide workplace

pornography or e-Bay shopping, the clumsy delete-o-thons that follow sweep away relevant and

discoverable electronic evidence, too.

Another vexing problem is defense counsels’ cluelessness about electronic discovery. Your

opponent may be a courtroom whiz, but if he or she has a tenuous grasp of computer systems

or doesn’t understand his or her client’s devices and data, defense counsel can’t give sound

guidance about preserving digital evidence or pose the right questions to knowledgeable IT

computers! Whether due to poor judgment or a client focused on shortsighted cost savings,

computer-illiterate counsel don’t always seek out the expert help they need. Is this malpractice?

Probably, but the lack of expertise is so pervasive, it may take years and several more highprofile

e-discovery debacles before lawyers fully appreciate how much their lack of knowledge

hurts their clients.

This leaves you on the horns of a dilemma. Do you lay low while evidence is overlooked or lost,

banking on spoliation sanctions to protect your client, or do you seek to educate your opponent

and improve the odds that you’ll get the electronic evidence? The latter is clearly the better

approach, and your ability to succeed in securing sanctions for discovery abuse is only

enhanced when you can show how hard you tried to help the defendant “get it.”

The reality of electronic discovery is that the responding party will fail, partly due to the nearabsence

of prudent electronic records management. Once upon a time, a discovery request

sent a file clerk scurrying to a file room set aside for orderly information storage. There, the

drawer, box or folder, but went only to the place where the company kept items responsive to

practices. Correspondence was dated and its contents or relevance described below the date.

Documents and files were sorted and aggregated within a structure that made sense to those

who accessed them. A responding party could affirm that discovery was complete on the

strength of the fact that they’d looked in the places where responsive items resided. This was

Today, evidence is spread willy-nilly across servers, back up tapes, workstation hard drives,

laptops, home systems, personal digital assistants, online storage and thumb drives, so most

collection efforts overlook many venues. What records management exists takes a thousand

quirky forms as individual employees adopt their own peculiar folder structures and retention

practices. Those fearing the consequences of their digital evidence are empowered by the

delete key to attempt its destruction. The power of place has waned, making failure inevitable.

Recognizing that your opponents will fail to preserve and produce all discoverable evidence and

may even seek to destroy it, what can you do to forestall that failure or ameliorate the harm to

your client?

A successful e-discovery effort entails most or all of the following elements:

A successful effort also requires us to rethink our traditional approach to discovery. Pursuing

paper discovery, we wove expansive nets of the finest mesh to seine anything and everything.

Electronic discovery demands the narrow aim of a harpoon. No opponent can satisfy nor court

enforce a demand for “any and all electronic communications and records.” That’s a fishing

Successful cost-effective electronic discovery is far easier when you know what your case is

about and what you need to prove it. Trials still come down to a few key people and documents.

Start by learning all you can about the defendant’s systems. Examine what you have for clues

about what else is out there (e.g., by checking path statements on documents or e-mail

circulation lists). Check the defendant’s website, press releases and public filings for

descriptions of IT assets. Talk to former employees about system architecture and data

retention practices. Take 30(b)(6) depositions of designated IT personnel—but be sure you also

get past the managers and talk to those in the trenches who know about that box of old back up

tapes in the storeroom. Get copies of document retention policies and ask witnesses about

compliance. Demand that the defendant furnish network topology diagrams and asset tracking

inventories for computer hardware, but take these with a grain of salt, as they’re often outdated

or fail to reflect real-world configurations. Finally, remember that you’re not alone. Use

resources like the ATLA Exchange to network with other lawyers who’ve pursued e-discovery

against the defendant and to locate qualified electronic discovery and computer forensics

experts.

Effective e-discovery begins before suit with your preservation letter to the defendant. The goal

of the preservation letter is to remind opponents to preserve evidence, to be sure the evidence

doesn’t disappear. But, the preservation letter also serves as the linchpin of a subsequent claim

for spoliation, helping to establish bad faith and conscious disregard of the duty to preserve

relevant evidence. It is today’s clarion call that underpins tomorrow’s, “I told you so.” The more

effectively you give notice and convey what must be retained—including methodologies for

preservation and consequences of failure—the greater the likelihood your opponent will be

punished for destruction of evidence.

Wouldn’t it be sufficient to remind your opponent that the laws and rules prohibiting destruction

of evidence apply to electronically stored information in the same manner that they apply to

other evidence and that they must take every reasonable step to preserve this information until

the final resolution of the case? Perhaps in a decade or so it will be enough; but today, we face

an explosion of electronic evidence untamed by sound records management and marshaled by

preservation letter helps bridge this knowledge gap.

When evidence is a paper document, preserving it is simple: We set the original or a copy

aside, confident that it will come out of storage exactly as it went in. Absent disaster or

tampering, the status quo is maintained. But despite lawyers’ ardor for paper, 95% of

information is born digitally, and the majority of that information is never printed. Preserving

electronic data presents its own unique challenges, such as:

Route a document through a dozen hands and, aside from a little finger grime or odd coffee

stain, the document won’t spontaneously change by being moved, copied or read. But open

that same document in Microsoft Word, or copy it to a CD, and you’ve irretrievably changed that

file’s metadata when it’s moved from hard drive to a recordable CD. The two media use

different file systems such that the CD-R doesn’t offer a structure capable of storing all of a file’s

Windows metadata.

Much modern evidence doesn’t lend itself to paper. For example, a spreadsheet displays

values derived from embedded formulae, but you can’t embed those formulae in paper. In large

databases, information occupies expansive grids that can’t fit on a printed page or make much

sense if it could. And, of course, sound and video evidence can’t make the leap to paper. So

preserving on paper isn’t always an option, and it’s rarely an inexpensive proposition.

If legible and in a familiar language, a paper document can convey information directly to the

reader. A literate person can interpret an alphabet, aided by blank space and a few punctuation

ones and zeroes. For those streams of data to convey anything intelligible to people, the data

must be interpreted by a computer using specialized programming called “applications.”

data is wholly inaccessible. Successfully preserving data also entails preserving applications

capable of correctly interpreting the data as well as computing environments—hardware and

software—capable of running these applications.

If your great grandfather put a letter in a folder a century ago, chances are good that

notwithstanding minor signs of age, you could pull it out today and read it. But changes in

storage technology and rapid obsolescence have already rendered fifteen-year-old digital media

largely inaccessible absent considerable effort and expense. How many of us still have a

computer capable of reading a 5.25” floppy? The common 3.5” floppy disk is disappearing, too,

with CD-ROMs fast on its heels to oblivion. Data stored on back up tapes and other magnetic

and even optical media fades and disappears over time like the contents of once-common

thermal fax paper. Disks expected to last a century are turning up illegible in a decade. Back

up tapes stretch a bit each time they are used and are especially sensitive to poor storage

conditions. Long-term data preservation entails either the emergence of a more durable

medium or a relentless effort to migrate and re-migrate legacy data to new media as it comes

into common usage.

By and large, paper is not erased and reused for information storage; at least not in a way we’d

confuse its prior use as someone’s Last Will & Testament with its reincarnation as a recycled

cardboard carton. By contrast, a hard drive is constantly changing and recycling its contents.

A later version of a document may overwrite—and by so doing, destroy—an earlier draft, and

storage space released by the deletion of one file may well be re-used for storage of another.

This is in sharp contrast to paper preservation, where you can save a revised printout of a

document without affecting—and certainly not obliterating-- a prior printed version.

At what point does the duty to preserve evidence arise? when the lawsuit is filed? upon receipt

of a preservation letter? when served with a request for production?

The duty to preserve evidence may arise before—and certainly arises without—a preservation

letter. In fact, the duty can arise long before an opponent takes any action. A party’s obligation

to preserve evidence has generally been held to arise when the party knows or has reason to

know that evidence may be relevant to future litigation. This “reasonable anticipation of

litigation” standard means that any person or company who should see a lawsuit on the horizon

to destroy electronic or tangible evidence and must take affirmative steps to preserve such

evidence.

Thus, the preservation letter may be only one—albeit a decisive one--of a number of events or

circumstances sufficient to trigger the duty to preserve evidence. Nevertheless, arrival of the

preservation letter is often the first time responding parties focus on what evidence exists and

what they will elect to save.

The problem with preservation letters is that they often must be sent when you know little to

nothing about your opponent’s information systems; consequently, they tend to be everythingbut-

the-kitchen-sink requests, created without much thought given to the “how” and “how much”

issues faced by the other side. For a preservation letter to work, it must be reasonable on its

face. Demanding that an opponent retain “any and all electronic communications” is nonsense.

A preservation letter should seek to halt routine business practices that destroy potential

shredding; scheduled destruction of back up media; re-imaging of drives; drive hardware

exchanges; sale, gift or destruction of computer systems; and, when computer forensics may

come into play, disk defragmentation and maintenance routines. Most digital evidence

disappears because of a lack of enterprise communication (“legal forgot to tell IT”) or individual

initiative (“this is MY e-mail and I can delete it if I want to”). So, highlight your opponent’s duty

to communicate retention obligations to those with hands-on access to systems.

custodian of discoverable data and that such communications stress the importance of the duty

to preserve, you are demanding no more than the developing law suggests is warranted. See,

Focus on specifics—relevant business units, activities, practices, procedures, time intervals,

jurisdictions, facilities and key players. Follow the “who, what, when, where and how” credo of

good journalism.

The preservation letter is more than just a litany of storage media to be preserved. Its purpose

prompt, affirmative steps to see that evidence remains accessible. Educating the other side

isn’t a noble undertaking—it’s sound strategy. Your goal is to slam the door on the “it was an

oversight” excuse.

sustain. Doing so could hurt your credibility with the court right out of the gate. Finally, don’t be

so focused on electronic evidence that you fail to direct your opponent to retain the oldfashioned

paper variety.

A pre-suit preservation letter may be your opponent’s first inkling they’re facing litigation. Don’t

reasonable person should have known to preserve particular evidence, and be sure to include

names of key players, dates, business units, office locations and events.

The conventional wisdom is that preservation letters should be dispatched as soon as potential

defendants are identified. Nevertheless, there may be cause to delay sending a preservation

letter, as when you face opponents likely to destroy evidence intentionally. A preservation letter

could serve as the starting gun and blueprint for their delete-o-thon. In that instance, consider

seeking a temporary restraining order or the appointment of a special master. You may elect to

wait when your investigation is ongoing and sending the preservation letter will lead to opposing

counsel being hired and trigger privileges tied to the anticipation of litigation. There could even

If counsel has not appeared for your opponent, to whom should you direct your perfect

preservation letter? Here, err on the side of inclusion. Not only the target defendant, but others

holding evidence (such as a defendant’s spouse, accountant, lawyer, employer, banker,

customers and business associates) should be put on notice that you seek preservation.

For corporate defendants, consider preservation letters to the Chief Executive Officer, General

Counsel, Director of Information Technologies, Head of Corporate Security and the registered

agent for service of process. You’re seeking to put all who hold evidence on notice, but you

also want broad awareness of the preservation obligation to foster uncertainty in those who

might destroy evidence.

receives a preservation letter. Sending preservation letters to a person likely to destroy

notice against the potential for triggering irretrievable destruction.

Is a preservation letter best delivered as a single giant salvo across the bow of your opponent’s

armada, or might it instead be more effectively launched as several carefully aimed shots?

Instead of an encyclopedic request, consider drafting your preservation demand as a series of

players. As an exhibit to a motion to compel or for sanctions, a lean, specific preservation

notice beats a bunch of bloated boilerplate.

Preservation letters don’t specify the form in which the data should be preserved because you

don’t want to appear to demand anything more onerous than maintaining evidence in the way

specified form is just one acceptable format).

The e-discovery wars rage in the mountains of e-mail and flatlands of Excel spreadsheets, but

consideration in a preservation letter.

When should the retention and restoration of server back up tapes be an objective? Though

some companies keep selected back up tapes for years, the only legitimate purpose of a back

up system is retention of data required to get a business information system “back up” on its feet

in the event of disaster. Why would a business need to re-populate its information systems with

stale data? Because only the latest data has value, the tapes containing the oldest backed-up

information are typically overwritten with newer data. This practice is called “tape rotation,” and

the interval between use and reuse of tapes is the “rotation cycle.”

Data on back up systems would be cumulative of active server data and not a factor in

discovery but for the deletion of evidence by users and system maintenance routines. When

digital evidence is deleted, back up tape restoration and computer forensics may be the only

means to recover missing evidence. Compelling a large organization to interrupt its tape

rotation and preserve back up tapes can carry a princely price tag, but if the tapes aren’t

preserved, deleted data may be gone forever. This is the Hobson’s choice of e-discovery.

A preservation letter should target just the back up tapes likely to contain deleted data relevant

to the issues in the case—a feat easier said than done. Additionally, make clear whether you

seek back up tape preservation on a going forward basis. For a fixed event, it may be that only

the oldest back up set should be pulled from the rotation, whereas for a matter involving

continuing injury, ongoing conduct and communications may be relevant and discoverable.

Avoid compelling a significantly broader level of tape retention than you can reasonably defend.

When data is deleted from a personal computer, it’s not gone. The operating system simply

releases the space the data occupies for reuse and treats the space as empty. Information can

be erased from personal computers in only three ways: (1) overwriting the places where the

data is stored on disk or tape with new information; (2) encrypting the data and losing the

encryption key; or (3) physically destroying the storage media. Otherwise, the data can be

restored. Like fingerprints, fibers and DNA left at a crime scene, digital detritus often holds keys

to the truth. Computer Forensics is the science dealing with resurrection of deleted data and

analysis of digital evidence.

In routine computer operation, deleted data is overwritten by re-use of the space it occupies and

by system maintenance activities; consequently, the ability to resurrect deleted data through

computer forensics erodes over time. When the potential for discovery from deleted files on

personal computers is an issue, preservation letters should specify that computers on which the

deleted data resides should be removed from service or imaged in a forensically competent

manner. Such a directive might read:

For computers (including portable and home systems) used by those named

during the period from ____ to _____, demand is made that you act to prevent

modification, destruction or concealment of evidence on network and local hard

drives due to deleting or overwriting files, using data shredding and erasure

applications, defragmenting, re-imaging or replacing drives, encryption,

compression, steganography or the like. You can preserve data on hard drives by

immediate acquisition, authentication and preservation of forensically qualified

duplicates (also called a “bitstream images” or “clones”) of all sectors of the drives,

as well as recording and preserving the system time and date of each such

computer. Forensically qualified images should be labeled to identify date of

acquisition, person or entity creating the image and system from which it was

Metadata, the “data about data” created by computer operating systems and applications, may

be critical evidence in your case, and its preservation requires prompt and decisive action.

Information stored and transmitted electronically must be tracked by the system that stores it

and often by the application that created it. Consequently, electronic evidence always exists in

at least two parts: the data itself (“the file”) and a separate body or bodies of information

describing the data (“the metadata” ).

For example, a Microsoft Word document is comprised of information you can see (e.g., the text

of the document and the data revealed when you look at the document’s “Properties” in the File

menu), as well as information you can’t see (e.g., tracked changes, revision histories and other

data the program uses internally). This “application metadata” is stored inside of the document

file and moves with the file when it is copied or transmitted. In contrast, the computer system on

which the document resides keeps a record of when the file was created, accessed and

modified, as well as the size, name and location of the file. This “system metadata” is typically

not stored within the document, at least not completely. Therefore, when a file is copied or

transmitted—as when burned to disk for production—its potentially relevant and discoverable

system metadata is not preserved or produced. Worse, each time someone looks at the

document, copies it or even runs a virus scan, the metadata can be irreparably altered. Most

lawyers don’t appreciate that, absent safeguards, simply reviewing electronic evidence can be

an act of spoliation.

Metadata is not a critical element in all disputes, but in some, the issue of when a document or

record was created, altered or copied lies at the very heart of the matter. If you reasonably

anticipate that metadata will be important, it is essential to make the producing party aware of

the need to preserve it and the risks that threaten its corruption. Because many aren’t aware of

metadata—and even those who are may think of it only in the context of Office application

metadata—the preservation letter needs to define metadata and educate your opponent about

where to find it. The letter should flag common operations that corrupt metadata and perhaps

suggest ways by which metadata can be preserved (e.g., by capturing screen shots of detailed

folder listings or exporting metadata information to a spreadsheet).

Proper preservation of electronic data can be costly and complicated. If your opponent is

exceptionally well versed in electronic discovery, he or she should seek to meet and confer with

you to arrive at an agreed preservation plan. The defendant benefits by reining in the high cost

of preservation while minimizing the threat of sanctions. What’s in it for your side?

You should welcome a meet and confer opportunity if the defendant furnishes complete and

accurate information about the nature and location of their electronic evidence (including back

up procedures and retention schemes) and the identity of, and devices used by, key players.

Absent such disclosure, it’s very risky to agree that the defendant may, e.g., rotate server back

up tapes, replace systems or delete older e-mail. Don’t concede that the defendant can destroy

any information item in any form until the defendant demonstrates that the information lost is not

likely to be relevant to any issue in the case or lead to the discovery of admissible evidence.

Such representation need to be unambiguously confirmed in writing and supported by a

showing that a person with the requisite knowledge and skill actually knows the contents of the

media to be overwritten, discarded or destroyed. For voluminous or costly-to-restore data sets,

sampling contents is prudent if there is any question as to what information resides on media

slated for destruction.

Your agreement may also serve to blunt the defendant’s ability to seek cost sharing for the

expense of electronic production and open doors to broader or easier access. To gain your

client’s consent to a narrower preservation obligation, the defendant may be willing to undertake

and bear the cost of, e.g., producing digital evidence in your preferred format or computer

forensic analysis of key player’s office and home computers.

Your opponent isn’t the only one who needs to prepare for a meet and confer session. Though

it may be difficult early in the case, you must be able to put forward what you want and why

you’re entitled to it. You don’t get the e-mail just because it’s there. Be prepared to articulate

the relevance and the appropriate interval for the digital evidence you seek.

Finally, it’s essential to reduce all preservation and production agreements to writing. Where

possible, submit agreed orders to the court, remembering that judges are much more willing to

impose sanctions for violations of their orders than for breach of an agreement between

counsel.

Having decided what you need and advised the defendant to preserve it, it’s time to seek

production. In the concluding installment, we’ll look at the pros and cons of production formats

and explore common e-mail systems, concluding with tips for getting the most out of your ediscovery

efforts and budget.

By Craig Ball

It’s challenging. It’s expensive. But, it’s the single greatest litigation advantage for plaintiffs’

counsel willing to learn the ropes and aggressively assert their clients’ rights. It’s electronic data

discovery (EDD). In last month’s issue of TRIAL, we addressed challenges unique to EDD,

elements of a successful e-discovery effort and steps to compel preservation of digital evidence.

This month, we look at the pros and cons of production formats and explore common e-mail

systems, concluding with tips for getting the most out of your e-discovery efforts and budget.

One of the biggest mistakes a requesting party makes is requesting or accepting production of

electronic evidence in a format ill suited to their needs. Electronic evidence can be produced in

five principal formats:

•

load file,

Sometimes you’ll have the chance to designate the format for production of electronic evidence.

Your choice of format should factor in both the type of data being produced as well as the way in

which you and your staff are capable of managing the evidence. In a perfect world, you’d want

everything in its native electronic format, but in the real world, you may lack the systems and

software to deal with and preserve the evidentiary integrity of all native formats. Plus, redaction

issues and other fears mean that your opponents will be unwilling to offer native data.

ask that electronic evidence be “blown back” to paper. True, converting searchable electronic

data to costly and cumbersome paper is usually a step backwards, but not always. Paper still

has its place. For example, in a case where the entire production consists of a few hundred emails

and several thousand e-documents, searching and volume aren’t a problem and paper

remains about as good a medium as any. But once the volume or complexity increases beyond

that which you can easily manage by memory, you’re better off insisting on production in

electronically-searchable formats.

documents, e-mails and other electronic records. These images are typically furnished in

accessible file formats like Adobe’s Portable Document Format (PDF) or in one of the Tagged

Image File Formats (TIFF). As long as the information lends itself to a printed format and is

electronically searchable, image formats work reasonably well, but for embedded information

(such as the formulae in spreadsheets) or when the evidence moves beyond the confines of

printable information (as voice mail, databases or video), image production breaks down.

Additionally, the requesting party must insure that the images are accompanied by electronically

searchable data layers and relevant metadata. Beware the defendant who tries to pawn off

“naked” TIFF images (devoid of searchable information and metadata) as responsive.

formats. For example, e-mail may be readable in any of several e-mail client programs

(Outlook, Eudora, Lotus Notes) or in generic e-mail formats (e.g., .EML). The contents of simple

databases can be exported to generic formats (e.g., comma or tab delimited output) and then

imported into compatible applications (e.g., Excel spreadsheets to Access databases). When

discoverable data lends itself to export formats, you may prefer to obtain exported, delimited

data in order to work with it in the compatible application of your choice. The key is to be sure

you don’t lose any important data, or the ability to manipulate it, in the export/import process.

Consider exported data for production of e-mail and simple databases (like contact lists).

However, as data structures grow more complex, it’s much harder--or impossible--to present

exported data in a way that accurately reflects the native environment, forcing you to seek

native production.

files containing responsive information. The benefit is that, if you have copies of software

programs used to create and manipulate the data, you have the ability to see the evidence

more-or-less exactly as it appears to the producing party. Sounds great, but native production is

not without its problems. The native applications required to view the data in its native format

may be prohibitively expensive or difficult to operate without extensive training (e.g., an Oracle

or SAP database). Additionally, great care must be taken not to change the native data while

viewing it. The rule of thumb is that native production is preferable, but only when you have the

experience, expertise and resources to manage native data.

Defendants often resist production of native data because of the great difficulty they face in

redacting privileged information. An Outlook post office (.PST) file can hold both discoverable email

and privileged attorney-client communications, but as it’s a unified and complex database

file, it’s very difficult to produce the former without also producing the latter. Another risk to

defendants is that native data (like Word .DOC files) can contain embedded, revealing

metadata.

a controlled-access website. The requesting party reviews the data through an online

application (similar to a web browser) capable of displaying information from a variety of

electronic formats. More commonly, hosted data and online review tools are used by counsel

for the producing party to search the production set for privileged and responsive items rather

than as a means to afford access to the requesting party. The items identified are then burned

to CD or DVD and produced, usually in image formats as discussed above.

paper-like production formats (.PDF and .TIFF) are fine. As you approach the point where the

when they include a searchable data layer. Else, demand native production (.DOC, .WPD,

.RTF), but be mindful of embedded macros and auto date features that will change the

document when opened in its native application. Plus, word processor files can change their

appearance and pagination depending upon the printer attached to the computer used to view

the file. Be careful referring to particular pages or paragraphs because the version you see may

format differently from the original.

Consider whether system and file metadata are important to the issues in your case. If so,

require that original metadata be preserved and a spreadsheet or other log of the original

system metadata be produced along with the files.

volumes grow, accept only electronically searchable formats. These can take the form of

individual e-mails exported to a generic e-mail format (.EML files), images files (i.e., .PDF or

TIFF) coupled with a text data layer or native production in one of the major e-mail storage

formats (.PST for Outlook, .NSF for Lotus Notes, .DBX for Outlook Express). While native

formats provide greatest flexibility and the potential to see far more information than a print-like

format, don’t seek native production if you lack the tools and skill to access the native format

without corrupting its contents. All e-mail includes extensive metadata rarely seen by sender or

transmission. Require preservation and production of e-mail metadata when it may

impact issues in the case, particularly where there are questions concerning origin, fabrication

or alteration of e-mail. Read on for further discussion of e-mail systems and formats.

the spreadsheet can be formatted to fit on standard paper without a lot of cutting and pasting,

printed spreadsheets lack the very thing that separates a spreadsheet from a table: the formulae

beneath each cell. If the spreadsheet is just a convenient way to present tabular data, a print

out or image may suffice, but if you need to examine the methodology behind calculations or

test different theories by changing variables and assumptions in your opponent’s spreadsheets,

you’ll need native file production. Once again, decide if metadata is important and require its

preservation when appropriate. Also, when working with native spreadsheets, be mindful that

embedded variables, such as the current date, may update automatically upon opening the file,

changing the data you see from that previously seen by others, and metadata about use of the

spreadsheet may change each time it is loaded into its native application.

If metadata is disclosed, a simple PowerPoint can be effectively produced as an electronically

searchable image file in PDF or TIFF but, if a PowerPoint presentation is animated, it’s a poor

candidate for production as an image because animated images may be omitted or displayed in

incomprehensible layers. Instead, native production is appropriate. Like spreadsheets, native

production necessitates preservation of original metadata, which may be changed by viewing

the presentation.

obliged to record phone calls, but once those recordings exist, they should be preserved and

are subject to production as any other electronic record. Increasingly, taped phone

conversations and messages play a vital role in disputes, such as recordings of broker-client

transactions, not to mention all of those companies that claim to record telephone calls “for

quality control.” There is also an increasing convergence of voice mail and e-mail in

businesses, making it more common to see voice mail messages in e-mail boxes. Seek

production of voice mail in common sound formats, such as .WAV or .MP3. It’s essential that

you secure voice mail metadata along with the audio because information about the intended

recipient of the voice message or its time of its receipt is typically not a part of the voice

message.

Instant messaging or IM is similar to e-mail except that exchanges are in real-time, the client

application usually incorporates some way to know if the other party on your list of contacts

(“buddy list”) is online and available to chat and messages are only stored at the user’s option.

The use of IM in business is growing explosively despite corporate policies discouraging it.

Some companies cling to the head-in-the-sand practice of pretending their employees don’t use

IM in the workplace and echo that delusion in the replies to discovery. By pretending it doesn’t

exist, they naturally take no steps to preserve IM transactions, but in certain regulated

environments, notably securities brokerage, the law requires that IM discussions with customers

be preserved. Notwithstanding, requests for discovery of IM exchanges continue to be met with

the response, “we don’t have any.” Because individual users control whether or note to log IM

exchanges, a responding party can make no global assertions respecting the existence of IM

threads without checking settings on each user’s local machine. Additionally, even where IM

users have not enabled message logging, a computer forensic examination may facilitate

recovery of some IM traffic. Although each IM application uses proprietary formats and

protocols, most IM traffic is easily converts to plain text and can be produced as an ASCII- or

word processor-compatible file.

Enterprises increasingly rely on complex databases to manage business processes such that

the evidence in your case may exist only as a value derived by querying a database. If the

database is a rapidly changing one, today’s query may not dislodge data temporally relevant to

the matters in controversy, although restoration of back ups or journaled modifications may

permit the dataset to be temporarily restored to relevant contents.

Complex databases present enormous discovery challenges. If you seek production of the

underlying dataset and application so you can query it directly, you’ll face objections that the

request for production of the entire dataset is overbroad and intrudes into trade secrets or the

privacy rights of third parties. The producing party may decline to furnish a copy of the

database application arguing that to do so would violate its software user license. Further, the

cost to license your own copy of complex database software (e.g., Oracle and SAP) and create

the hardware environment needed to run it can be prohibitive, even in the largest cases.

If you go this route, specify in your request for production the appropriate back up procedure for

the database application geared to capture all of the data libraries, templates and configuration

files needed to load and run the database. All publishers of database software publish

recommended back up and restore procedures for their products. If you simply request the data

without securing a back up of the entire database environment, you may find yourself missing

an essential component. By asking that data be backed up according to recommended

methodologies, you’ll have an easier time restoring that data, but be sure the method you

specify accommodates the output media available to the producing party (i.e., don’t ask for back

up to tape if they don’t maintain a tape back up system).

An alternate approach permitting analysis of the underlying data is to request an export of

relevant records and fields from the complex database to a common format for import into an

off-the-shelf application (e.g., Microsoft Access or Excel). One common export format is the

Comma Separated Variable or CSV file, also called a Comma Delimited File. In a CSV file,

each record is a single line and each field in the record is separated by a comma. Not all

databases lend themselves to the use of exported records for analysis, and even those that do

may oblige you to jump through hoops or engage an expert to get your results admitted at trial.

Although a plain language request for discovery of information contained in an enterprise

database should trigger interrogation of the database by the producing party, what if you can’t

be confident that the query used is suited to the task? In that event, consider formulating

specific queries to be run against relevant datasets using the application’s own query language

and structure. To do so, you will need to understand the application or get expert help. A

former employee of the responding party is the ideal candidate for consultation, or you may

want to depose a knowledgeable employee of your opponent to learn the ins-and-outs of

structuring a query, again assisted by someone who knows the application’s query language.

Futurist Arthur C. Clarke said, “Any sufficiently advanced technology is indistinguishable from

magic.” E-mail is one of those magical technologies most of use every day without really

understanding how it works. Though a discovery request for “the e-mail” may secure adequate

production, understanding e-mail systems helps you to see if something is missing and gauge

responsive messages. More to the point, e-discovery is increasingly a two-way street, and

plaintiff’s counsel needs to prepare for electronic discovery of client e-mail. Can you instruct

your client where to find and how to produce e-mail?

electronic mail a feeding frenzy, but it’s really just an inevitable recognition of how central to our

lives e-mail has become. More than fifty billion e-mails traverse the Internet daily, far more than

telephone and postal traffic combined, and the average businessperson sends and receives

between 50 and 150 e-mails every business day. At that rate, a company employing 100,000

volume to the Internet than web page content. Trial lawyers go after e-mail because it accounts

for the majority of business communications, and e-mail users tend to let their guard down and

share things online that they’d never dare put in a memo.

Aggregate volume is only part of the challenge for discovery and production of e-mail. Unlike

paper records, e-mail tends to be natively stored in massive data blobs. The single file

containing my Outlook e-mail is over three gigabytes in size and holds some 35,000 messages,

many with multiple attachments, covering virtually every aspect of my life, and many other

people’s lives, too. In thousands of those e-mails, the subject line bears only a passing

connection to the contents as “Reply to” threads stray further and further from the original topic.

E-mails meander through disparate topics or, by absent-minded clicks of the “Forward” button,

lodge in my inbox dragging with them, like toilet paper on a wet shoe, the unsolicited detritus of

other people’s business. To respond to a discovery request for e-mail on a particular topic, I’d

either need to skim/read all 35,000+ messages or I’d have to have a very high degree of

confidence that a keyword search would flush out all responsive material. If the request for

production implicated material I no longer kept on my current computer, I’d be forced to root

around through a motley array of old systems, obsolete disks, outgrown hard drives, ancient

back up tapes (for which I have no tape reader) and unlabeled CDs, uncertain whether I’ve lost

the information or just overlooked it somewhere along the way. The situation isn’t much

different in corporate America.

Computer network specialists are always talking about this “protocol” and that “protocol.” Don’t

let the geek-speak get in the way. An application protocol is a bit of computer code that

facilitates communication between applications, i.e., your e-mail client, and a network like the

Internet. When you send a snail mail letter, the U.S. Postal Service’s “protocol” dictates that you

place the contents of your message in an envelope of certain dimensions, seal it, add a defined

complement of address information and affix postage to the upper right hand corner of the

envelope adjacent to the addressee information. Only then can you transmit the letter through

the Postal Service’s network of post offices, delivery vehicles and postal carriers. Omit the

address, the envelope or the postage--or just fail to drop it in the mail--and Grandma gets no

Hallmark this year! Likewise, computer networks rely upon protocols to facilitate the

transmission of information. You invoke a protocol—Hyper Text Transfer Protocol—every time

you type http:// at the start of a web page address.

Although Microsoft Exchange Server rules the roost in enterprise e-mail, with Lotus Notes

coming in a distant second, these are by no means the most common e-mail system for the

individual and small business user. When you access your personal e-mail from your own

Internet Service Provider (ISP), chances are your e-mail comes to you from your ISP’s e-mail

server in one of three ways, POP, IMAP or HTTP, the last commonly called web- or browserbased

e-mail. Understanding how these three protocols work—and differ—helps in identifying

where e-mail can or cannot be found.

one most familiar to users of the Outlook Express, Netscape and Eudora e-mail clients. Using

POP, you connect to a mail server, download copies of all messages and, unless you have

configured your e-mail client to leave copies on the server, the e-mail is deleted on the server

and now resides on the hard drive of the computer you used to pick up mail. Leaving copies of

your e-mail on the server seems like a great idea, since you have a back up if disaster strikes

and can access all your e-mail using different computers. However, few ISPs afford unlimited

storage space on their servers for users’ e-mail, so mailboxes quickly become “clogged” with old

e-mails and the servers start bouncing new messages. As a result, POP e-mail typically resides

only on the local hard drive of the computer used to read the mail and on the back up system for

the servers which transmitted, transported and delivered the messages. In short, POP is

locally-stored e-mail that supports some server storage.

2004, supported by America Online (though AOL continues to furnish a proprietary e-mail client

to its subscribers). IMAP differs from POP in that, when you check your e-mail, your e-mail

client downloads just the headers (To, From, Date, Subject, etc.) of e-mail it finds on the server

and only retrieves the body of a message when you open it for reading. Else, the entire

message stays in your account on the server. Unlike POP, where e-mail is searched and

organized into folders locally, IMAP e-mail is organized and searched on the server.

Consequently, the server (and its back up tapes) retains not only the messages but also the way

the user structured those messages for archival. Since IMAP e-mail “lives” on the server, how

does a user read and answer it without staying connected all the time? The answer is that

IMAP e-mail clients afford users the ability to synchronize the server files with a local copy of the

e-mail and folders. When an IMAP user reconnects to the server, local e-mail stores are

updated (synchronized) and messages drafted offline are transmitted. So, to summarize, IMAP

is server-stored e-mail, with support for synchronized local storage.

Microsoft’s Exchange Server application. Like IMAP, MAPI e-mail is typically stored on the

server, not the client machine. Likewise, the local machine may be configured to synchronize

with the server mail stores and keep a copy of mail on the local hard drive, but this is user- and

client application-dependent. If the user hasn’t taken steps to keep a local copy of e-mail, e-mail

is not likely to be found on the local hard drive, except to the extent fragments may turn up

through computer forensic examination.

the local e-mail client and handles all activities on the server, with users managing their e-mail

using their Internet browser to view an interactive web page. Although some browser-based email

services support local (POP) synchronization with an e-mail client, typically users do not

have any local record of their browser-based e-mail transactions except for messages they’ve

affirmatively saved to disk or portions of e-mail web pages which happen to reside in the

browser’s cache (e.g., Internet Explorer’s Temporary Internet Files folder). Gmail, Hotmail and

Yahoo Mail are well-known examples of browser-based e-mail services, although many ISPs

(including all the national providers) offer browser-based e-mail access in addition to POP and

IMAP connections.

The protocol used to carry e-mail is not especially important in electronic discovery except to the

extent that it signals the most likely place where archived e-mail can be found. Companies

choose server-based e-mail systems (e.g., IMAP and MAPI) for two principal reasons. First,

such systems make it easier to access e-mail from different locations and machines. Second,

it’s easier to back up e-mail from a central location. Because IMAP and MAPI systems store all

e-mail on the server, the back up system used to protect server data can yield a mother lode of

server e-mail. Depending upon the back up procedures used, access to archived e-mail can

prove a costly and time-consuming task or a relatively easy one. The enormous volume of email

residing on back up tapes and the often-high cost to locate and restore that e-mail makes

discovery of archived e-mail from back up tapes a big bone of contention between litigants. In

fact, most reported cases addressing cost-allocation in e-discovery seem to have been spawned

by disputes over e-mail on server back up tapes.

Faced with a discovery request for e-mail, where does one look to find stored e-mail, and what

form will that storage take? Because individual e-mails are just text files, they could be stored

as discrete text files. However, that’s not an efficient or speedy way to manage a large number

of messages, so e-mail client software doesn’t do it that way. Instead, e-mail clients employ

proprietary database files housing e-mail messages, and each of the major e-mail clients uses

its own unique format for its database. Some programs encrypt the message stores. Some

applications merely display e-mail housed on a remote server and do not store messages locally

(or only in fragmentary way). The only way to know with certainty if e-mail is stored on a local

hard drive is to look for it. Merely checking the e-mail client’s settings is insufficient because

settings can be changed. Someone not storing server e-mail today might have been storing it a

month ago. Additionally, users may create new identities on their systems, install different client

software, migrate from other hardware or take various actions resulting in a cache of e-mail

For many, computer use is something of an unfolding adventure. One may have first dipped her

toes in the online ocean using browser-based e-mail or an AOL account. Gaining computersavvy,

she may have signed up for broadband access or with a local ISP, downloading e-mail

with Netscape Messenger or Microsoft Outlook Express. With growing sophistication, a job

change or new technology at work, the user may have migrated to Microsoft Outlook or Lotus

Notes as an e-mail client. Each of these steps can orphan a large cache of e-mail, possibly

unbeknownst to the user but still fair game for discovery. Accordingly, a producing party

shouldn’t assert that a user has no e-mail unless the user’s local machine(s) and server storage

areas have both been thoroughly searched by someone who knows where active and orphaned

e-mail reside.

150 million people get their e-mail via a Microsoft product called Exchange Server. Though the

preceding paragraphs dealt with finding e-mail stores on local hard drives, in disputes involving

medium- to large-sized businesses, the e-mail server is likely to be the principal focus of

electronic discovery efforts. The server is a productive venue in electronic discovery for many

reasons, among them:

shield e-mail stores from those who, by error or guile, might delete or falsify data

on local hard drives.

need for costly and sometimes fruitless forensic efforts to restore lost messages.

physical and system security measures typically dedicated to centralized computer

facilities as well as the inability of the uninitiated to manipulate data in the morecomplex

server environment.

and may lessen the need for access to workstations at multiple business locations

or to laptops and home computers.

e-mail stored on a server can usually be located with ease and adheres to a

common file format.

effective chokepoint to grab the biggest “slice” of relevant information in the

shortest time, for the least cost.

Of course, the big advantage of focusing discovery efforts on the mail server (i.e., it can deliver

up thousands or millions of messages) is also its biggest disadvantage (someone has to extract

and review thousands or millions of messages). Absent a carefully-crafted and, ideally, agreedupon

plan for discovery of server e-mail, both requesting and responding parties run the risk of

runaway costs, missed data and wasted time.

Server-based e-mail data is generally going to fall into two realms, being online “live” data,

which is easily accessible, and offline “archival” data, which may be fairly inaccessible. Absent

a change in procedure, “chunks” of data shift from the online to the offline realm on a regular

basis--daily, weekly or monthly—as selected information on the server is duplicated onto back

up media and deleted from the server’s hard drives. The most common back up mechanism is

a tape drive, really just a specialized version of a cassette tape recorder or VCR. These back

up drives store data on magnetic tape cartridges not unlike a VHS tape As time elapses, the

back up media may deteriorate, be discarded or re-used, such that older offline archival data

entirely disappears (except, of course, from the many different places it may exist, in bits and

pieces, on other servers and local systems).

When e-mail is online, it’s an easy and inexpensive task to duplicate the messages and their

attachments in their native form to a discrete file or files and burn those to CD or otherwise

transmit the e-mail for review and production. When e-mail is offline, it can be no mean feat to

get to it, and the reason why it’s challenging and costly has to do with the way computers are

backed up. The customary practice for backing up a server is to make a copy of specified files

and folders containing data. Sometimes a back up will copy everything, including the operating

system software and the date; but, more often, time and cost constraints mean that only the

stuff that can’t be reloaded from other sources gets copied. Another common practice is to only

copy all the data every once and a while (e.g., monthly) and just record changes to the data at

more frequent intervals.

A daunting challenge to using back up tapes to restore e-mail is the very large volume of

duplicate e-mail found on successive back ups. If a user tends to keep e-mail on the server, a

back up of the user’s Inbox in one month will look very much like a back up the next. Perhaps

90% of the messages will be identical, month-to-month. Unless steps are taken to filter out

these identical e-mails (to “de-duplicate” the data), both the producing party and the requesting

party may have to plow through a bloated, redundant production.

Another pitfall of back up tapes is that any e-mail received and deleted between back ups is

usually not saved. For example, if the defendant’s e-mail server is backed up nightly, an e-mail

received in the morning and immediately deleted likely won’t be backed up because the system

no longer “sees” the deleted e-mail in the user’s Inbox.

As the volume of e-mail mounts, producing parties are increasingly turning to search tools to

identify relevant messages. Be wary of searches based upon subject lines alone. As an e-mail

“conversation” threads from one message to the next, aided by the Reply button, contents can

veer far afield of the stated subject. Keyword searches alone also tend to overlook a significant

percentage of responsive items, particularly when users employ unfamiliar terms-of-art,

shorthand references and nicknames in their exchanges. If the producing party employs search

tools in lieu of human judgment when responding to discovery, you have a right to know about it

and to challenge the methodology if it proves inadequate to the task.

If relevant, be sure to seek production of BCC fields for responsive e-mail, which fields only exist

on the sender’s copy of the e-mail. Understand that what a user sees in their e-mail client

program (e.g., Outlook or Eudora) is just part of the data that accompanies every e-mail. The

data fields seen by the user may be sufficient for your purposes, but sometimes you’ll need

more extensive information, such as e-mail header data and routing information.

Don’t give up. There is always at least one “e-mail pack rat” who keeps a copy of everything,

notwithstanding policies to the contrary. The more Draconian the policy compelling e-mail

destruction, the greater the likelihood employees have invented ways to circumvent the system

(such as by forwarding old e-mail to himself or herself, burning it to disc or shipping it off to a

free Gmail account). When opposing counsel says, “There isn’t anything else,” they may or may

not be leveling with you, but they are almost certainly wrong. It’s the rare case where a truly

exhaustive e-discovery search is even begun prior to the first motion to compel and for

sanctions. It’s the rarer case where that subsequent search fails to turn up items that should

have been produced in the first place.

strategic value of being most challenging to your opponent. Narrow requests necessitate

careful qualitative review by the producing party.

Second, get your preservation letter and your e-discovery out fast. Data will disappear over

time, and you’ll be in a poor position to complain about it if you didn’t ask for the evidence while

it was still around.

Third, don’t expect to get it all in a single set of discovery. Digital evidence is everywhere, and

you may have to go back to the well many times as you learn more about your opponent’s

operations and systems. Don’t allow the fear of missing something to cause you to cast your

net too wide. Keep the focus on what you need to prove your case, and be tenacious.

Fourth, remember that electronic evidence is easy to corrupt but hard to eradicate. It’s probably

not gone. Few private entities take effective steps to obliterate electronic information, and those

Fifth, get help. You may have to hire an EDD expert to guide you through the first time or two

and anytime you’re in over your head. Ask the court for help, too. Seek a TRO or protective

order and move for appointment of a special master skilled in electronic discovery.

e-discovery, so anticipate boomerang discovery, meet and confer early and often, share

expectations, seek solutions and don’t promise what you may not be able to deliver.

By Craig Ball

recipients don’t know their own systems and don’t understand computer forensics. Use

the letter to educate them so they can’t use ignorance as an excuse.

2. Do your homework: use the Net and ask around to learn about the nature and extent of

your opponent’s systems and practices. You’re probably not the first person to pursue ediscovery

against the defendant. Others may know where the bodies are buried.

3. Get your e-discovery out swiftly. Data is going to disappear. You’re in a poor position to

complain about it if you didn’t seek the missing evidence while it was still around.

4. Force broad retention, but pursue narrow discovery.

5. What they must keep and what they must give you are different obligations. Keeping the

first broad protects your client’s interests and exposes their negligence and perfidy.

Keeping requests for production narrow and carefully crafted makes it hard for your

opponent to buy delays through objection. Laser-like requests mean that your opponents

must search with a spoon instead of a backhoe. Tactically, ten single, surgical requests

spread over 20 days are more effective than 20 requests in one.

6. Be aware that opposing counsel may not understand the systems as well as you do, and

won’t want anyone—especially his client--to know. Help him “get it,” so he can pose the

right questions to his client.

7. Question the IT people and focus on the grunts. They’ve spent less time in the

8. Get their document retention policies, network topology and inventory of computing

resources (including laptops, home systems, PDAs and removable media).

9. Invoke the court’s injunctive power early to force preservation. The agreement reached

to avoid a court order may be better than the relief you’ll get from the judge.

10. If you can’t get make any headway, seek appointment of a neutral expert or special

master.

11. Ask all opponent employee witnesses what they were told to do in the way of e-document

retention, then find out what they actually did.

12. Digital data is easily forged. Know how and when to check for authenticity of data

produced.

13. Be sure to get metadata whenever it may be relevant.

14. Don’t accept image data (TIFF or PDF) when you need native data.

15. Have the principal cases on e-discovery and cost shifting at hand. Tailor your requests to

the language of the cases.

16. Set objections for hearing immediately. Require assertions of burden and cost to be

supported by evidence.

17. Analyze what you get promptly after you get it, and pin down that it’s being tendered as

“everything” that’s responsive. Follow up with additional requests based upon your

analysis.