6/20/20131The EDRM - UnderstandingFoundational ElectronicDiscovery PrinciplesDavid J. KearneyILTA Volunteer City RepresentativeJune 20, 2013EDRM - Overviewhttp://www.edrm.net/Stands for The Electronic Discovery ReferenceModelFirst launched in 2005 and released publically in2006Developed to provide a standardized approach toe-Discovery related activitiesHelps visually depict the movement of electronicdiscovery components from one phase to the next.Contains 9 phases/stagesEDRM - OverviewInformation ManagementIdentificationPreservationCollectionProcessingReviewAnalysisProductionPresentation
6/20/20132EDRM - OverviewStages standardize workflowStages are not fixed sequentiallyNot meant as a literal, linear orwaterfall modelThe EDRM is meant to be iterativein natureEDRM - OverviewRecent Article – January 22, 2013[Elleanor] Chin says one way to create greatercost predictability is for lawyers to recognizethe elements of e-discovery projects (asdefined by the EDRM model) that remainlargely consistent from matter to matter and“reuse existing technology, workflows, andinfrastructure and to conserve the cost of legaldecision making, for executing the big picturestrategy.”Modernizing E-Discovery Planning and Budgetinghttp://www.exterro.com/e-discovery-beat/2013/01/22/modernizing-e-discovery-planning-and-budgeting/By: Andrew Bartholomew6/20/2013EDRM - Overview
6/20/20133Information ManagementInformation ManagementMany issues can be better managed if thisstage is taken seriously and implementedwith consistent & sound practices.This is THE STARTING POINT for the entireprocess. Sound and comprehensiveinformation management strategies aidorganizations in the identification,preservation, and collection steps of theprocess and can lower the number ofdocuments that need to be preserved,collected, reviewed and produced. This iswhere more organizations can GET IT RIGHT.Furthermore, risks and costs are reduced.Information ManagementInformation ManagementHas morphed into InformationGovernanceInformation governance,records and informationmanagement, and datadisposition policies are ways tohelp lower costs and mitigaterisks for organizations.Information Management“Part of the reason eDiscovery is soexpensive is because companies haveso much data that serves no businessneed. … Companies are going torealize that it’s important to get theirinformation governance under controlto get rid of the data that has nobusiness need … in ways that willimprove the companys bottom line…”— U.S. Magistrate Judge Andrew J. Peck, CGOCFaculty Member, in a video interview courtesy of JDSupra Law News, February 4, 2013.
6/20/20134IdentificationLocating potential sources of ESI & determining itsscope, breadth & depth.IdentificationIdentify individuals responsible for the resource.Interview end-users who input data, and the personnel who performmaintenance on the resource.Custodian ESI may include:E-mailPersonal storage on hardware devices (handheld devices, DVDs, thumb drives)Allocated network storagePrivate data storage (home computer, personal e-mail)Data associated with social networking sites used by the custodianNon-custodian ESI sources are those not held by a particular person.Examples of non-custodian sources:DatabasesWikisShared network storage locationsPreservationEnsuring that ESI is protected against inappropriatealteration or destruction.
6/20/20135PreservationPreservation is the process of retaining documents,including electronic documents, for legal purposesand should include the suspension of normaldocument retention/destruction practices andpolicy.That means that any data must be retained as it is,status quo, either by copying the data to anotherlocation or stopping all automated or manualchanges or destruction of the material.It must also be determined if there is a possibility ofthe data being modified, deleted, and if so, needsto be preserved to another location.CollectionGathering ESI for further use in the e-discovery process (processing, review, etc.).Once documents/files have been preserved (sometime one and thesame), collection can beginTransfer/acquisition of data for reviewIncludes; Servers, PCs, Macs, Linux, Windows, iOS, Android, handhelddevices, flash/thumb drives , tablets, MP3 players, phone systems, backuptapes, CD/DVD, databases (financial, CRM, ERP), structured/unstructureddata, Cloud/Social Networking SitesProper planning and careful implementation can reduce time & moneyspentEnsures integrity of evidenceProper collection can guard against future disputes (discovery aboutdiscovery – causes unneeded rancor between parties)Process must be defensible, proportionate, efficient, auditable, andtargeted.May impact and expand the scope of the discovery processCollection costs can be significantCollectionA reasonable collection strategy must addresswhat ESI should be collected, when, and howWhat: The total corpus of potentially collectibleESI will usually have been defined during theprocess of formulating the internal preservationdirective/litigation hold. Usually consists of fourmain categories of data locations:1. Individual employee files2. Department/group files3. Enterprise databases4. Backup Media
6/20/20136CollectionWhen: Not all data identified for preservationneeds to be collected right away. Some datamay never need to be collected. Collecting alldata that has been preserved may unnecessarilyinflate costs and overwhelm the case team withirrelevant dataHow: Once the timing of collection from a datalocation has been decided, the team mustassess what level of forensic defensibility shouldbe employed for the collectionCollectionNormal collection processes generally involvestraight forward copying, that maintains theintegrity of the metadata, of the ESI as it exists onthe systemA forensic protocol must ensure that the process iscarried out in a way that will produce reliableinformation consistently, so the individualconducting the collection can testifyThe protocol must also provide for a means ofverifying the integrity of the work that has beendone by maintaining an untouched mirror copy ofthe inspected materialsCollectionMaintaining Integrity of Metadata…The single most important thing that can be doneis to use a software or hardware write blocker.
6/20/20137CollectionMetadataSystem Metadata - Data about the architectureof the systemFile Metadata - Data about the data in a specificfile that is recorded internal to that fileCollectionAcquisition is actually the proper term forcollecting electronic data. In digital forensics,examiners refer to the copying of data asacquiring to avoid any confusion that might becaused by using “copying”, since copyingdoesn’t imply that the copy was made in aforensically sound manner.CollectionTools Used During Collection:Write BlockerLEOSuitesTask SpecificSoftwareHardware
6/20/20138CollectionForensically Defensible Collection – a forensically soundcollection will preserve all potentially relevant metadatathat may be of use to the trial team in its claims. Thiscollection type utilizes a “write-blocker” to preventalteration of source media when a device is attached toretrieve the data.Maintains rigorous chain-of-custody controls thatdocument all collection steps, from initial access to thepoint of storage or processing.Ensures that nothing about the data is altered ordegradedA collection by a third-party vendor will often be the bestmethod.Typical of a targeted collectionCollectionForensic Collection – a forensic copy of a harddrive will include every byte of data on thatdrive, including data in unallocated space andslack space. Forensic inspection of a party’scomputer system is rarely necessary.Because forensic collections are much moreinvasive and inclusive, there is a greater risk ofdisclosure of information that is either irrelevant tothe matter or protected by privilege claims. Theforensic protocol must therefore take steps tomitigate risks and protect the producing party.CollectionThe decision regarding the degree of forensicdefensibility will be required for ESI collection. Thisdecision must be made on an individual basisdepending on the cost, accessibility, and needs ofthe case.The software & process used must, at least, becapable of write protecting the files during thecollection process and maintaining the integrity ofboth the system and file metadata associated witheach file/documentOne constant is the need to have detailed andcomplete documentation of the critical decisionsand actions made during the collection process
6/20/20139CollectionWhether or not a file server should be forensicallycollected depends on the nature of theinvestigation. More often than not, collecting theactive data and relevant network shares isappropriateIf extracting an event, log, intrusion, or other timecritical event, forensic imaging of the entireserver may be necessaryCollectionCollection can be accomplished by:The Client – Corporate/IT PersonnelCustodians – Potential dangers whencustodians/clients try to collect their own data –especially when seeking consistency and unbiasedprocess, e.g. 10, 25, 50 custodians and a delete key.Outside Law FirmVendorNot Reasonably AccessibleBalancing Test:Cost of converting data into more accessibleformatCost to review the data for responsiveness,privilege, or other concernsBusiness disruption and other internal costsOther issues to address:Relevance of data residing on the sourceOverall litigation value of the data at issueOther means to get informationCollection
6/20/201310Sources of ESIShared network resources are resources, files, orother data shared throughout the network beingexamined, such asE-Mail serversDocument ServersFiles ServersOther resources shared across the networkCollectionOther sourcesCloud/web-based storage and E-Mail (e.g. Gmail,Yahoo, Box, Dropbox, Facebook…Absent a subpoena or court order, it is nearlyimpossible to collect the data held by an ISPFlash, temporary, and ephemeral data storage(e.g., thumb/external drives leave data droppings)Social Networking applicationsDatabases (reports v. exporting the data)CollectionStructured v. Unstructured dataDifferences & SpecificsStructured Data - Information with a high degree oforganizationRelies on usersLegal Hold at application levelUnstructured DataNo identifiable structurePotential large number of usersMay be largely duplicativeHow it is applied to e-DiscoveryStructured Data – e-Discovery expenses are IT & User costsfor identification, Collection, and Legal HoldUnstructured Data – Costs are for Processing, Analysis &ReviewCollection
6/20/201311Cost Factors & ConsiderationsTravel to different locations to have personnel on-siteto perform collectionWhether the collection is performed by use of anautomated script that can run remotely or withoutmanual operationCustodian interviews at the time of the collectionmay raise initial costs, but are more efficient in thelong run since such interview will likely to beultimately neededForensic collection require the use of different, morecomplicated techniques, and the collected datawill need extra handling during processing andreviewCollectionCost Factors & ConsiderationsImpacted by the number of megabytes, gigabytes,terabytes, Petabytes, Exabytes, etc. needed to becollectedThe human review, which can be the most timeconsuming and expensive part of the entire e-discoveryprocess…even if using Technology AssistedReview…volume of review becomes larger with theamount of data collected, just by basic nature ofmore…Controlling, Monitoring, and being able to justify asound stepped approach to limit the data beingcollected (custodians, data range, etc.)CollectionCollectionQuality ControlValidating that all ESI has been collected. In general, over-inclusivecollections, coupled with repeatable, documented, and defensiblemethods to cull and search ESI will be most effective at validating thecollection of ESICourts are increasingly sensitive to the costs of electronic discoveryand the concept of proportionality, which should be taken intoaccount when assessing the scope of the collectionIn some cases, the use of software tools will aid in validating thecollection of ESI. Failure to use commonly accepted methods andtechnologies may expose the client to additional riskIn addition, each piece of digital data can generate a unique value,known as a HASH VALUE. Commonly used hash formats are “MD5”and “SHA-1”. If a dispute arises about the integrity of a piece ofinformation, the hash value of the original data can be comparedwith the originals hash value
6/20/201312CollectionOther commonly used tools and devices forcollectionFaraday BagsInventory & Tracking SystemCheck-in & Check-out ProceduresCameras and Video RecordingCollectionTipsWhen wrongdoing is suspected, don’t “take a quick peak” ata computer without forensic collectionDon’t delay to preserve a deviceDon’t assume that all devices are the same a PCsAlways document the processDon’t assume that the device is not encryptedDo not save time/money by using traditional file copymethodsDon’t process everything at one time that was collectedTest and sample search terms and expressions against thedatasetExamine foreign language types – make sure you have a solidunderstanding od the dataProcessingReducing the volume of ESI andconverting it, if necessary, to formsmore suitable for review & analysis.
6/20/201313Native FormatDocuments in native format:Have not been converted in any way from itsoriginal formWill appear and behave exactly as they did at thepoint of creationIf produced in native form, no costs incurred toconvert into another formatContains full metadata, which often includesprivileged or sensitive information (subject, author,date, tracking changes, etc.)Imaged FormatDocuments in imaged format:Equivalent to printing a document and creating astatic page imageCan be time-consuming, expensive to processCan lead to loss of information useful to requestingparty, i.e. the loss of metadataMetadataMetadata, which is a part of all types of ESI, existsin fields that can be used to populate a load filedatabase created by the requesting party.Examples of metadata fields are:Names (author, sender, recipient, blindrecipients)Dates (create date, sent, received, modified)Subject (primarily for e-mail)Document type“Text” (searchable field containing the text orbody of the document itself) –
6/20/201314ProcessingAssessmentAssessment is a critical first step in the workflow asit allows the processing team to ensure that theprocessing phase is aligned with the overall e-discovery strategy, identify any processingoptimizations that may result in substantive costsavings and minimize the risks associated withprocessing. A critical aspect of this step is toensure that the processing methodology will yieldthe expected results in terms of the effort, timeand costs, as well as expected output datastreams.ProcessingPreparationDuring assessment a determination is made as towhich classes of data need to be moved forwardthrough processing. At that point there may be anumber of activities required to enable handlingand reduction of that data.ProcessingSelectionOne of the primary reasons for “processing” datain an e-discovery project is so that a reasonableselection can be made of data that should bemoved forward into an attorney review stage
6/20/201315ProcessingOutputThe data that has been selected to moveforward to review is transformed into any numberof formats depending on requirements of thedownstream review platforms, or in certaincircumstances simply passed on to a reviewplatform in its existing format; or it may beexported in a native format.ProcessingOverall Analysis / ValidationThroughout the four phases of processing thereare opportunities to analyze the data or results ofcertain sub-processes to ensure that overallresults are what was intended, or that decisionsas to the handling of the data are valid andappropriate.ProcessingOverall Quality ControlValidation is the testing of results to ensure thatappropriate high level processing and selectiondecisions have been made, and ensuring thatultimate results match the intent of the discoveryteam. Quality Control (“QC”) involves testing tosee that specific technical processes wereperformed as expected, regardless of what theresults show.
6/20/201316ProcessingOverall ReportingTo meet the needs of project management;status reporting; exception reporting; chain ofcustody and defensibility it is important thatprocessing systems track the work performed onall items submitted to processing.ProcessingCollected ESI must first be entered into anappropriate software program or tool withprocessing abilityRegardless of who processes the data, it isimperative that the resulting data sets arereviewed and that the process is validatedThe processing software must provide logs ofwhat was accomplished and what failed duringprocessing.ProcessingTools Used for ProcessingPC/Server-BasedCloud-BasedVendor-Based
6/20/201317ProcessingMethods for limiting volume include:Culling to exclude particular document typesDe-duplicationElimination of system filesApplication of search terms and date limitationsProcessingCullingProcessing methods must account for and removeirrelevant dataBefore data is indexed for processing, it can beculled by the following criteria:Remove all files of file types deemed to have notevidentiary valueRemove documents with certain file pathsEliminate files that fall below a size thresholdProcessingDe-duplication:The process of removing exact copies of the samemessage or file from a data set, thus reducing thenumber of files that need to be reviewed.Within-custodianAcross-custodian“Near duplicates” – slight changes to a document;different hash values
6/20/201318ProcessingCulling MethodsDeduplicationDeNISTingPathsSizeNo evidentiary valueProcessingDeduplicationDeNISTingProcessing• Budget based on assumptions from actual data– Client should have a good idea of custodian data– Know the data being worked with, e.g. E-mail willhave a much different volume vs.databases/spreadsheets– Having more time permits greater cost control, &consistency– Open communications and discussions withopposition to agree on scope and methods– Collecting all data that has been preserved mayinflate costs unnecessarily
6/20/201319AnalysisEvaluating ESI for content & context, including keypatterns, topics, people & discussion.AnalysisAnalysisFact FindingIncludes:• Information Management• Litigation Readiness• Data Assessment• Collection
6/20/201321AnalysisProcess AnalysisValidation/Quality AssuranceIncludes:• Testing• DocumentationReviewEvaluating ESI for relevance & privilege.Privilege issuesReview methodsBudgeting and costsEvaluating ESI for content & context, includingkey patterns, topics, people & discussion.Review: Privilege IssuesWe review to:Distinguish relevant from irrelevantProtect privileged materialAttorney-client communicationsAttorney work product
6/20/201322Review: Privilege IssuesWaiver of privilegeClawback agreementsAgreement that inadvertent production ofprivilege material will not constitute a waiverQuick peek agreementsNo effort to weed out privileged material upfrontEvidence Rule 502Generally establishes that inadvertentproduction will not result in waiverEncourages use of protective orders includingclawback agreementsReview: Review MethodsCodingResponsive or non-responsivePrivilegedConfidentiality“Key” documentsBasic linear reviewConcept searchingClustering (uses linguistic, latent semantic technologies)E.g., when searching the term “diamond,” clustering willallow you to distinguish between “baseball” diamond anddiamond “ring.”Predictive codingTechnology Assisted Review…or Predictive Coding• …or Computer AssistedReview…or Intelligent Review• …or ???? Review
6/20/201323EDRM - CARRMEDRM’s Computer Assisted Review ReferenceModel6/20/2013OLP - eDiscovery Certification CourseReview & Analysis:Budgeting and CostsDiscovery costs may well be the largest budgetitem, other than trialSince few cases ever get to trial, discovery isoften the single most expensive part of anylitigation matterReview:Budgeting and CostsUnderstand the cost driversNumber of custodiansVolume of ESI each custodian will handleReview of ESICreate a budget of the estimated costs as earlyas possibleAll assumptions should be stated explicitly in thebudget so that variances can be noted and theclient can adjust expectations accordingly
6/20/201324Review:Budgeting and CostsThe complexity of the case will have a directimpact on the cost of e-discoveryComplexity of the coding schema (number oftags the reviewers will be applying)Sophistication of the privilege issues presentedby the facts of the caseNumber of passes of review that areanticipatedThe most efficient way to organize a review iswith numerous decisions during a single passreview rather than through separate reviewphases of the same materialProductionDelivering ESI to others in appropriate forms &using appropriate delivery mechanisms.ProductionParties should agree on a form of production atthe outset of discovery, ideally at the earlieststage of discovery.Under Rule 34, the requesting party may specifya format to which the producing party mayobject and offer an alternative format.Rule 34 of the FRCP states that the format mustbe either the form in which it is ordinarilymaintained in the usual course of business or areasonably usable form.
6/20/201325ProductionNative formatThe form in which the document is maintained in thesystem where it was createdReasonably useable formatsAny imaged format of the ESI such as TIFF or PDFShould include metadataProduction: Native FormatDocuments in native format:Have not been converted in any way from itsoriginal formWill appear and behave exactly as they did at thepoint of creationIf produced in native form, incur no cost to convertinto another formatContain full metadata, which often includesprivileged or sensitive information (subject, author,date, tracking changes, etc.)Production: Imaged FormatDocuments in imaged format:Equivalent to printing a document and creating astatic page imageCan be time-consuming, expensive to processCan lead to loss of information useful to requestingparty, i.e. the loss of metadata
6/20/201326Production: MetadataMetadata, which is a part of all types of ESI, existsin fields that can be used to populate a load filedatabase created by the requesting party.Examples of metadata fields are:Names (author, sender, recipient, blindrecipients)Dates (create date, sent, received, modified)Subject (primarily for e-mail)Document type“Text” (searchable field containing the text orbody of the document itself) –TIP: “Text” field needs to be removed whenredactingDocumenting ProductionESI productions should include correspondence,production shipments, confirmation and shippingreceipts, and a tracking log showing:What material was producedOn which type of storage media (CD, DVD, harddrive)How it was transmittedDocumenting ProductionThe production media should be subject toquality-control checks to:Assure completenessShow lack of corruptionConform with production format (as agreed upon inthe parties’ 26(f) discovery plan)Documentation of these processes should bekept to show timely and accurate compliancewith production requests.
6/20/201327PresentationDisplaying ESI before audiences (at depositions,hearings, trials, etc.), especially in native & near-nativeforms, to elicit further information, validate existingfacts or positions, or persuade an audience.Overall TipsConsult FRCP and local rules of pertinent jurisdictionStay organized and keep complete records, specifically about criticaldecisions and actions during the processesTrack what was done, by whom, when & how it was doneMaintain specific routine practices across cases/projects to increaseefficiency and ensure critical steps are not missedIT IS NOT IF PROCESSES/ACTIONS WILL BE SCRUTINIZED……BUT WHENBE PREPARED!EDRM UmbrellaEDRM’s Computer Assisted ReviewReference ModelThe EDRM Talent Task MatrixEDRM Model Code of ConductInformation GovernanceReference Model