For multinational firms, there are a number of challenges during collections including staff in different countries or data stored in centres across the globe or in the cloud. These all present difficulties accessing data so it’s critical to ensure data is collected efficiently.
The important concept is effective collection. Data can be collected efficiently, but if relevant data is not collected then the case will not come together.
There are a few ways to ensure effectiveness. Firstly, run comprehensive interviews with relevant organisational staff, starting with the Legal Team, to get an understanding of the scope. These discussions inform the conversation with IT who will know the most about the data and how it is stored. Next, understand the organisation’s policies around data and how employees handle data, including whether they use personal devices for work. For example, if they use a personal mobile phone to access work emails and are then investigated, they may be required to surrender their personal mobile phone.
The aim is to prepare multi-dimensional metrics linking the employees to the data sources and how best to collect them.
By the end of the interviewing process, the organisation may only have 10 or 20 employees relevant to the investigation. From that group, there may be 100GB of data that needs to be collected.
Personal devices create intricacies around collections. The main concerns of an individual during investigation is how long will they be without their personal device and whether their personal data be viewed.
The next challenge is scheduling. Collections performed on shared resources need to be conducted with least disruption. This is more difficult with people travelling or if the collection needs to be performed covertly.
The data collection plan is essential as there is only one chance to collect a device in a forensically sound manner. The contents of an employee’s computer today may be very different tomorrow. If they receive notification of the collection through their device, the employee can wipe everything and nothing can be recovered.
How is this addressed? To ensure relevant data is retained, a Document Preservation Notice is sent. It could be an email or memo notifying relevant employees that the organisation is putting a litigation hold on their devices, not to delete any of their data and to back up everything. The auto-deletion process is disabled and the custodian of the data is told what to do to preserve the data.
Measures need to be put in place so that if someone tries to release the data, it can be recovered. The organisation may not know every method to preserve all the different types of data as they generally won’t have forensic training.
What sorts of data would be collected? Typically, data is divided broadly into two groups — structured and unstructured. Unstructured data is day to day data such as emails and documents. An example of structured data is a database, eg Client Relationship Management system, Document Management System or HR database. Structured data can create complications as it needs to be exported and you may need to allow extra weeks or months to get the relevant data ready for discovery and engage the assistance of the external system provider. For unstructured data, a backup or forensic collection can be performed quickly depending on data volume.
Data must be preserved when exported, eg document creation date, when it was last modified and by whom, document owner and what happened to the document. If you know the criteria, depending on relevance, keyword searches can be performed and searches run to produce the relevant data. These keyword searches may be possible within the system that houses the data or may require processing into an eDiscovery platform.
Regarding investigations, sexual harassment matters, victimisation and bullying where it’s likely that data will be deleted, the only way to recover deleted data is through forensic imaging and data carving. Data carving means any deleted data could potentially be recovered.
Throughout the process, contemporaneous notes are completed by all members of the Team so every element is documented. These notes will ensure chain of custody of devices is maintained, methods utilised to perform the collections, any issues faced whilst onsite and any limitations faced are recorded. These notes ensure admissibility of the evidence collected and provide the information required to give thorough statements on the overall collection process.
Law In Order is a leading provider to the legal profession of eDiscovery and legal support services including forensic data collection, information governance, managed document review, and virtual arbitration or mediation services. We provide a secure, flexible and responsive outsourced service of unparalleled quality to law firms, government agencies and inhouse corporate legal teams. The Law In Order team is comprised of lawyers, paralegals, system operators, consultants and project managers, with unparalleled knowledge and experience in legal technology support services.
By David Kerstjens