Electronic Discovery Behind Enemy Lines: Inspection Of An Adversary's Network Pursuant To FRCP 34(a)

Thursday, November 1, 2007 - 01:00

Searching for electronically stored information on "friendly" computers (your client's or your own) is challenging, expensive, and time consuming. However, it is far less difficult than the "flip side" of electronic discovery, inspecting an adversary's computer systems under Federal Rule of Civil Procedure ("FRCP") 34(a) (as amended Dec. 1, 2006).

While FRCP 34(a) was "not meant to create a routine right of direct access to a party's electronic information system" such access "might be justified in some circumstances."1The factors considered in allowing such an inspection are the same as those used to determine the discoverability of non-readily accessible electronic data, namely:

(1) the specificity of the discovery request; (2) the quantity of information available from other and more easily accessed sources; (3) the failure to produce relevant information that seems likely to have existed but is no longer available on more easily accessed sources; (4) the likelihood of finding relevant, responsive information that cannot be obtained from other, more easily accessed sources; (5) predictions as to the importance and usefulness of the further information; (6) the importance of the issues at stake in the litigation; and (7) the parties' resources.2

Suitable "circumstances" have included discovery irregularities, such as document deletion, other evidence that the responding party had not otherwise fully complied with discovery requests, and situations where the electronic files were closely related to the asserted claims."3, 4In general, FRCP 34(a) provides a mechanism for the requesting party to verify that it has received the discovery to which it is entitled when the court has reason not to trust the responding party to meet that obligation on its own.5

Under all circumstances, care must be taken to avoid "undue intrusiveness resulting from inspecting or testing such systems."6 Typically, a protocol is crafted by the parties and ratified by the Court to provide inspection guidelines. Cases to date have only addressed relatively simple protocols for inspecting hard drives.7 Special consideration is required for inspections of complicated computer systems, such as an entire corporate network. While there is no universal solution for such circumstances, some basic considerations follow:

Specifying Where To Search

The request to inspect must specify where and for what the requesting party intends to search, or it is likely to be denied. See, e.g., Balfour , 2007 WL 169628, at *3. Examples of possible data repositories in a typical corporation include: live e-mail systems, archive e-mail files (such as Outlook .PST files), laptop and desktop computers, portable backup media, BlackBerries, USB "keychain" drives, network servers, home directories, shared files, and backup tapes. Where applicable, the inspection may be limited further to specific data custodians most closely tied to the inspection's basis.

How The Search Is Conducted

The methodology for data harvesting should be specified in the protocol and must conform to forensic principles for data preservation, including obtaining accurate and complete copies. An accurate copy requires every bit of data on the destination copy to be a true copy of the corresponding bit of data on the source. A complete copy is one where every bit of the source data has been copied to the destination.

An independent forensic expert should be employed to conduct the actual inspection.8With simpler inspections of hard drives, the expert can perform the actual collection, creating a bit stream image pursuant to standards such as those promulgated by the Department of Justice ("DOJ") or National Institute of Standards and Technology ("NIST"). Hash values, such as those specified by the MD5 standard, can be generated for any given set of data. If so much as a comma in any of the collected documents is subsequently altered, the hash value should no longer match. Through this methodology, the integrity of the collected data can be confirmed.

When dealing with complex computer systems, specifying who will perform the actual collection is critical. The risk of liability if a live network or e-mail server were to be accidentally damaged during the inspection - thereby disrupting the target's business - is often too great for the expert to perform the actual extraction. The protocol should obligate the responding party to perform the extraction at the expert's direction and under his or her supervision.

Locating Searchable Areas

Routine discovery (such as interrogatories, depositions, review of document meta-data, etc.) is the first source of information as to the electronic repositories to search. However, these mechanisms do not provide the "real time" data ultimately needed to conduct an effective inspection. The protocol should address this by establishing a procedure whereby the responding party is obligated to identify the locations of electronic data, both before and during the inspection.

A pre-inspection telephone call with the adversary's IT personnel may allow the forensic expert to obtain necessary technical information and coordinate logistics in advance of the inspection. Provisions should be made for continued guidance.

Interviews with custodians whose computers or network areas are being searched are another source of guidance. Such informal interviews can be conducted during the actual inspection, often with the interviewee's computer right in front of him or her, either by an attorney for the requesting party or by the technical expert,

Of particular difficulty is locating relevant data in shared repositories on a network file server. Shared repositories, which are sometimes referred to as group shares, are storage areas that cannot be readily identified with a specific custodian. For example, some corporations organize shared repositories by department, others by business project. In our experience, shared repositories are often the largest data repositories in a corporation's network, comprising hundreds of gigabytes of documents. Careful consideration and collaboration between the parties are essential to avoid a burdensome and costly ordeal for both sides.

Finding Target Data In The Collected Data And Disclosing It To The Requesting Party

The inspection of electronic information systems raises issues of confidentiality and privacy.9Accordingly, the forensic expert should not be allowed to turn collected data over to the requesting party until the responding party has had the opportunity to remove irrelevant and privileged information.10

The expert can use specialized tools to further refine the collected data to a manageable number of documents to turn over to the requesting party. The protocol might specify what narrowing efforts are expected as these can vary widely in terms of cost, time, and result. A reasonable solution may rely wholly on automatic searches, manual review, or some combination of both. The protocol may also allow the requesting party to play some part in this process by allowing the expert to reveal certain information, such as volume or metadata, that would allow the requesting party to help the expert narrow the searches used while not revealing any of the contents of the collected documents. The search mechanisms employed, including what search terms are used, may or may not be disclosed to the responding party.

After initial culling, the remaining collected data is turned over to the responding party for a privilege and relevance review. The protocol should specify the format of the data to be provided for review and the contents of any reports that accompany the data. After a specified period of time for review has passed, any non-privileged data, the relevance of which has not been disputed, can be turned over by the expert to the requesting party.

One review strategy that is becoming increasingly common to facilitate the privilege and relevance review is for the parties to agree upon an online litigation review tool. Once the responding party completes its privilege and relevance review, it identifies the documents that can be viewed by the requesting party. Access controls within the online review platform then allow for the requesting party to view documents to which it has been granted access, but prohibit the requesting party for accessing documents that responding party has designated as privileged or irrelevant.

Disputes Over Privilege Or Relevance

The inspection protocol should provide a mechanism for the resolution of disputes as to whether a given document collected during the inspection should be disclosed. With the simpler inspections of hard drives considered by courts to date, some protocols provide for disputed documents to be submitted to the court for in camera review.11Other protocols provide for the requesting party to move to compel if it believes the target is improperly withholding responsive or non-privileged documents.12Regardless of how the dispute comes before the court, the requesting party is at a strategic disadvantage as it typically does not yet have access to the documents that the expert intends to produce. The protocol can allow for the expert to provide argument to the court as to why a given document falls within the scope of the inspection and should be produced.

While such procedures may be suitable for smaller inspections, network data is notoriously voluminous, and review by the court of each disputed document would be unduly burdensome for such quantities. Until the development of a better procedure for handling these higher volume disputes, the requesting party and its expert should plan on allocating sufficient resources to narrow the production down to a manageable number of documents.

Despite the complexity and cost, lawyers should not shy away from using FRCP 34(a), as the inspection of an adversary's computer systems can be a powerful discovery tool in the right circumstances. Proper planning and a judicious use of cost-benefit analyses are critical to this process . 1 Advisory Committee Notes to the Dec. 1, 2006 Amendment.

2Ameriwood Indus., Inc. v. Liberman, No. 4:06CV524-DJS, 2006 WL 3825291 at *4 (E.D. Mo., Dec. 27, 2006), citing Advisory Committee's Note to FRCP 26(b)(2); see also Advisory Committee Notes to the Dec. 1, 2006 Amendment.

3See, e.g., Ameriwood, 2006 WL 3825291 at *5 (finding "specific evidence establishing the defendants had not produced all responsive documents from their computers"); Frees, Inc. v. McMillian, No. 05-1979, 2007 WL 184889, at *2 (W.D. La., Jan. 22, 2007) (compelling inspection because "such computers areamong the most likely places McMillian would have downloaded or stored the data allegedly missing from Frees' laptop"); Cenveo Corp. v. Slater, No. 06-CV-2632, 2007 WL 442387, at *2 (E.D. Pa., Jan. 31, 2007) (allowing inspection of hard drives of ex-employees who were alleged to have misappropriated trade secrets allowed despite defendant's willingness to conduct its own inspection and production because of "the close relationship between plaintiff's claims and defendants' computer equipment").

4 Cases allowed much the same relief under similar circumstances before the 2006 Amendment . See, e.g., Playboy Enter., Inc. v. Welles, 60 F.Supp.2d 1050, 1053 (S.D. Cal. 1999) (allowing inspection to recover deleted e-mails because "[d]efendant's actions in deleting those e-mails made it currently impossible to produce the information as a 'document,'" which would have fallen under existing document requests); Simon Property Group L.P. v. mySimon, Inc., 194 F.R.D. 639, 641 (S.D. Ind. 2000) (plaintiff entitled to recover deleted computer files from computers used by employees of defendant. See Rowe Entm't, Inc. v. William Morris Agency, Inc., 205 F.R.D. 421, 428-33 (S.D.N.Y. 2002) (addressing the inspection of defendants hard drives and backup tapes containing discoverable e-mail in the context of cost-shifting to place the expense of requested broad electronic discovery on plaintiff).

5 "The discovery process is designed to be extrajudicial, and relies upon the responding party to search his records to produce the requested data. In the absence of a strong showing that the responding party has somehow defaulted in this obligation, the court should not resort to extreme, expensive, or extraordinary means to guarantee compliance." Scotts Co . LLC v. Liberty Mut. Ins. Co., No. 2:06-CV-899, 2007 WL 1723509, at *1-2 (S.D. Ohio, June 12, 2007); see, e.g., McCurdy Group v. Am. Biomedical Group, Inc., 9 Fed. App'x. 822, 831 (10 th Cir., 2001)("Although [plaintiff] was apparently skeptical that [defendant] produced copies of all relevant and nonprivileged documents from the hard drive(s), that reason alone is not sufficient to warrant such a drastic discovery measure"); Balfour Beatty Rail, Inc. v. Vaccarello, No. 3:06-cv-551-J-20MCR, 2007 WL 169628, at *3 (M.D. Fla., Jan. 18, 2007) (plaintiff had not specifically identified what it was looking for or made any contention that defendant had failed to produce the requested information, therefore inspection would be a "fishing trip"); Calyon v. Mizuho Sec. USA, Inc., No. 07CIV02241RODF, 2007 WL 1468889, at *3 (S.D.N.Y., May 18, 2007)(denying the requested inspection as "Defendants have represented that their expert can and will conduct an exhaustive search of the hard drives for the information Calyon seeks. . . and the Court, at present, has no basis to question this representation)" and Memry Corp. v. Kentucky Oil Tech., N.V., No. C04-03843 RMW, 2007 WL 832937 at *3 (N.D. Cal., Mar. 19, 2007) (denying a request to inspect as the "computer content was [not] intricately related to the very basis of the lawsuit" and any flaws in defendant's production did "not rise to the level of necessitating" inspection).

6 Advisory Committee Notes to the Dec. 1, 2006 Amendment.

7See Ameriwood Indus ., 2006 WL 3825291, at *5-6; Cenveo, 2007 WL 442387, at *2-3; Frees, 2007 WL 184889, at *3-4 ; Playboy Enter., 60 F. Supp.2d at 1054-5; and Simon Prop. Group L.P., 194 F.R.D. at 641-2.

8 An independent forensic examiner can be appointed by the court, paid for by one of the parties, or retained jointly by both parties subject to a cost-sharing agreement.

9 Advisory Committee Notes to the Dec. 1, 2006 Amendment.

10See, e.g., Rowe, 205 F.R.D. at 432 (noting that even with a protective order in place "the disclosure of privileged documents cannot be compelled," and therefore the defendant needed to be given the opportunity to do a complete privilege review at its own expense).

11See e.g.,Travers v. McKinstry Co., No. 01-1206-JO, 2001 U.S. Dist. LEXIS 22317, at *2 (D. Or. Nov. 16, 2001); see also, Experian Info. Solutions, Inc. v. I-Centrix, C LLC , No. 04 4437, 2005 U.S. Dist. LEXIS 42868 , at *4 (N.D. Ill. July 21, 2005).

12See e.g., Cenveo, 2007 WL at*3.

Nolan M. Goldberg is a Senior Associate in the patent group of Proskauer Rose LLP. Michael F. McGowan is Director, Digital Forensics and Investigations, at Stroz Friedberg, LLC.

Please email the authors at ngoldberg@proskauer.com or mmcgowan@strozllc.com with questions about this article.

More like this