Keri Farrell, Specialty: e-Discovery
Former Senior Systems Consultant and Exchange Architect
12 years IT experience
Specialization: Exchange and e-Discovery both for internal and external investigations
Prior experience: Iron Mountain, Boston Scientific and Safety 1st
BSBA with a concentration in Computer Information Systems from Bryant University

Agenda
State of the Market
e-Discovery and E-mail
Moving from reactive to proactive e-Discovery
–Reactive e-Discovery
–Proactive e-Discovery
Best practices recommendations
Summary

State of the Market
Recent decisions: The stakes are high
Micron Tech., Inc. v. Rambus, Inc., 2009 WL 54887 (D. Del. Jan. 9, 2009) (when document retention policy implemented as part of litigation strategy, litigation was "reasonably foreseeable"; imposed sanctions for intentional destruction of email pursuant to policy).
In re Fannie Mae Securities Litigation, _ F.3d _, 2009 WL 21528, 2009 U.S. App. LEXIS 9 (D.C. App. Jan. 6, 2009) (affirming requirement that non-party spend $6 million to comply after non-party made an imprudent concession re: costs in court).

e-Discovery and E-mail
e-Discovery Reference Model (EDRM)

e-Discovery and E-mail
Keep E-mail or Delete it
Keep E-mail, Organization Profile:
–SOX, JSOX, CSOX, LSF, L262, etc.
–Financials/Government agencies
–Large Organizations
–Archives
–High Discovery Cost
Delete E-mail, Organization Profile:
–Litigation Risk
–Small & Medium Organizations
–Relatively tighter budgets
–Archive optional
Selectively Retain: Message Retention Management, Mailbox Journaling
Keep E-mail: Third Party Archives, Backups for Compliance, Transport Journaling
Delete E-mail: Mailbox Quotas

e-Discovery and E-mail
Discover E-mail
Keep E-mail, Organization Profile:
–SOX, JSOX, CSOX, LSF, L262, etc.
–Financials/Government agencies
–Large Organizations
–Archives
–High Discovery Cost
Delete E-mail, Organization Profile:
–Litigation Risk
–Small & Medium Organizations
–Relatively tighter budgets
–Archive optional
Discover E-mail, Organization Profile:
–Federal Rules of Civil Procedure (FRCP)
–Includes non-regulatory scenarios
–All Organizations
–Budgets variable, archive optional

e-Discovery and E-mail
Glossary of key terms
Chain of Custody (CoC) – accounting of the control (custody) of evidence at all times
Custodian – person having administrative control of a document
Data Culling – reducing a large document population to a smaller set
ESI – electronically stored information
Evidential Weight – value as evidence
Preservation Order – temporary order to keep party from deleting data until a warrant or production order is issued
Privilege – special and exclusive legal advantage or right (i.e. client/attorney communications)
Redaction – removing privileged information
Spoliation – destruction of records relevant to a case, with a culpable state of mind when a duty to preserve exists

e-Discovery and E-mail
Finding the needle in the haystack
Challenges in e-mail as a communications medium:
–Volatile
–Portable
–Alterable
–Distributed
–Persistent
–High volume
–High quantity
Challenges in scope:
–Find the smoking gun (i.e., conclusive evidence)
–Prove there is no smoking gun
Challenges in process:
–Moving from large volumes of data to relevant evidence
–Preservation, chain of custody & defensibility
–Maintaining transparency & validation of process
–Ensuring accuracy & completeness of evidence
–Proving reliability & trustworthiness of evidence

Where is E-mail Stored?
E-mail storage: Understand where to look
E-mail silos to be searched
–On-premises E-mail Servers: Mailboxes, Public folders
–Offline data: PSTs, OSTs, Mobile devices, removable storage, deleted shadow data on hard drives, .msg files, etc.
–Archives: 3rd party archives
–Backups: Tapes, VSS, CDP, Other Media
–Exchange Online

Two-Tier Discovery
Rule 26(b) Discovery Scope and Limits. Unless otherwise limited by order of the court in accordance with these rules, the scope of discovery is as follows:
2) Limitations.
–(B) A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost.

Two Approaches to e-Discovery
Reactive approach:
–We don't know what's out there, or where it all is, but need to produce evidence for within x days
Analogy: I lost my keys … I need them now!
Proactive approach:
–We need to set up our Exchange environment in order to facilitate discovery
Analogy: I'm going to put my keys in the right place so that I can find them easily!

Reactive e-Discovery
Common misconceptions
We are safe because …
…we delete all e-mail after 30 days
…we have 7 years of backups
…we bought an archive
…we have e-mail policies signed by all our employees
…we're not in a heavily regulated industry
…we're government
…we haven't been asked to do anything by corporate legal

Reactive e-Discovery & Exchange
Searching PSTs
Options to search small numbers of PSTs
–Gather PSTs
–Manually map MAPI profiles
–Use MSN Desktop Search or Lookout to index & search
Options to search large quantities of PSTs
–Search in place: Third-party tools
–Migrate to an archive: Many third-party archive vendors

Reactive e-Discovery
Searching mobile devices
What is relevant? What is duplicative?
–Does the case (proportionality) require, e.g.:
Black-bag collection still the preferred approach
–Nickel-Copper-Silver fabric to shield wireless signal and protect vs. over-the-air-synch, remote wipe
Proactive e-Discovery from small-scale digital devices requires an understanding of what's out there as well as identifying low-hanging fruit versus the needle in a haystack

Reactive e-Discovery
Searching archives
All third-party archives include search
Consult with archive vendor to understand:
–How indexing works
–What is indexed and what isn't
–How search works
–What search syntax to use
–How evidence can be collected without altering relevant metadata
–How Chain of Custody is maintained

Proactive e-Discovery Strategies
Putting it all Together in an E-mail environment

Proactive e-Discovery Strategies
Reduce data in mailboxes and public folders
People
–User education & corporate policies
–Peer pressure (i.e., posting mailbox size reports publicly)
Process
–Controlled mailbox quotas with limited exceptions
–IT charge-backs by mailbox size
–Clear ownership of public folders
–Inactivity and stale content analysis: Mailboxes not sending or receiving mail, Empty public folders, etc.
–De-provisioning processes: 30-day retention upon termination, then delete
Technology
–Limited deleted item retention intervals
–Mailbox manager & automated controls

Proactive e-Discovery Strategies
Minimize your Attack Surface
People
–Ensure security checks for sensitive positions
Process
–Be proactive about electronic discovery of e-mail:
  Establish controls to minimize attack surface ahead of time
  Reduce the amount of e-mail data in:
  –Production mailboxes and public folders (on-prem silo)
  –PSTs & mobile devices (offline silo)
  –Backup media (backup silo)
  Ensure discovery processes & costs are covered in hosting agreements (online silo)
Technology
–Move e-mail that needs to be maintained into a centralized, searchable archive (archive silo)
–Implement Data Leak Protection (DLP) or similar technologies for real-time protection, ethical walls, etc.

Proactive e-Discovery Strategies
Reduce data in PSTs
People
–User education & corporate policies
Process
–Enable System Policy: Prevent users from making changes to Outlook profiles
Technology
–Office XP SP2 and higher support Disabling PSTs
  HKLM\SOFTWARE\Microsoft\Office\10.0\Outlook
  Add DisablePst as REG_DWORD
  DisablePst = 1
  Blocks opening or creating PST files.

Proactive e-Discovery Strategies
Reducing data on mobile devices
People
–User education & corporate policies
Process
–What devices permitted, and what to do when lost
Technology
–Remote Wipe
–Windows Mobile 5.0 device: Wipes device memory but not storage cards
–Blackberry

Proactive e-Discovery Strategies
Reduce data in backup media
Process
–If possible …
  Keep only a minimum set of backup media
  Migrate backup data to an archive if you need to retain the Exchange data on them
  Control your backup media & ensure old tapes are erased
–Companies who lost customer/client information via lost backup media over the past 24 months:¹
  CitiBank – 3.9 million
  CitiFinancial – 3.9 million
  Bank of America – 1.2 million
  Time Warner – 600,000
  Ameritrade – 200,000
  City National Bank – Unknown
¹ Schwartz, Mathew. Backup-Tape Security: Enter the Brown Bag. Enterprise Systems. April 11, 2006.

Proactive e-Discovery Strategies
e-Discovery Reference Model (EDRM)
Information Management
–Process of identifying, classifying, archiving and destroying records
Email impact
–If e-mail within your Exchange environment is considered a corporate record, then you need to manage these e-mails as you would any other records
–Getting your house in order to mitigate risk

Proactive e-Discovery Strategies
e-Discovery Reference Model (EDRM)
Identification
–Process of learning the location of all data which you or your client may have a duty to preserve and potentially disclose in a pending or prospective legal proceeding.¹
Email impact
–Need clear documentation tying a custodian to accounts, mailboxes, distribution lists and, ultimately, all data owned by the custodian
  Current state
  History (including mailbox moves, etc.)
¹ Socha, George et al. Electronic Discovery Reference Model (EDRM). Glossary. May 2006.

Proactive e-Discovery Strategies
e-Discovery Reference Model (EDRM)
Preservation
–When it can be reasonably anticipated that an action will be filed, all parties have a duty to preserve potentially relevant evidence¹
Email Impact
–Legal – communicate preservation requirements to company
–Backup Operators – stop recycling backup media
–Exchange Administrators – set deleted item & deleted mailbox retention intervals to maximum
–Exchange Administrators – stop mailbox manager or other automated content-deletion services
–Storage Administrators – source sufficient storage for long haul storage bloat associated with worst case scenario
–End Users – stop manually deleting mail
–Archive Administrators – stop all automated deletion policies from firing
¹ American Bar Association Definition

Proactive e-Discovery Strategies
e-Discovery Reference Model (EDRM)
Collection
–Collection of all electronic data that is potentially relevant to an investigation
–Includes metadata and contextual history
–Requires maintenance of evidential integrity
Email impact
–Context needs to be captured and retained with every piece of evidence (messages & attachments, etc.)
–Proving that you didn't change the evidence, including attachment metadata, is critical (i.e., MD5 hash, etc.)

Proactive e-Discovery Strategies
e-Discovery Reference Model (EDRM)
Processing
–The process of changing unstructured data (i.e., e-mail, etc.) into structured data
–Involves culling datasets, de-duplication, triaging and prioritizing the evidence found
–Also includes reporting of key performance indicators to assess cost and productivity as a case progresses
Email Impact
–Minimizing the number of duplicate copies of e-mail and attachments in your environment will minimize processing costs when e-discovery needs arise
–Single instance ratios and co-location of mailboxes play a small factor
–Minimizing overall attack surface by reducing number of e-mail storage silos is key

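The Collection slide asks for proof that collected e-mail was not changed (it names MD5), and the Processing slide calls for de-duplication; the following is an added example, not part of the original presentation, of a hash manifest that serves both. It assumes each item has already been exported to a stable byte form, and the item IDs, custodian labels, the extra SHA-256 digest and the manifest seal are all illustrative choices.

```python
import hashlib
import json

def digest(data: bytes) -> dict:
    # MD5 is the hash the slide names; SHA-256 is added here (an assumption)
    # because MD5 collisions can be constructed deliberately.
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def _seal(entries) -> str:
    # Hash of the manifest itself; record it in the custody log, apart from the
    # manifest, so that a later edit to any entry is detectable.
    return hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()

def build_manifest(items, collector, collected_at):
    """items: iterable of (custodian, silo, item_id, raw_bytes)."""
    entries = [{"custodian": c, "silo": s, "item_id": i, "size": len(raw),
                **digest(raw), "collector": collector, "collected_at": collected_at}
               for c, s, i, raw in items]
    return {"entries": entries, "seal": _seal(entries)}

def verify(manifest, current_items):
    """Return item_ids that are missing or whose bytes changed since collection."""
    if _seal(manifest["entries"]) != manifest["seal"]:
        raise ValueError("manifest altered after collection")
    now = {i: raw for _, _, i, raw in current_items}
    return [e["item_id"] for e in manifest["entries"]
            if e["item_id"] not in now
            or digest(now[e["item_id"]])["sha256"] != e["sha256"]]

def duplicate_groups(manifest):
    """Processing: item_ids whose content is identical, e.g. across silos."""
    groups = {}
    for e in manifest["entries"]:
        groups.setdefault(e["sha256"], []).append(e["item_id"])
    return sorted(g for g in groups.values() if len(g) > 1)

# Constructed sample: one message collected from a mailbox and again from a PST.
MSG = b"From: a@example.test\r\nSubject: Q3 forecast\r\n\r\nDraft attached.\r\n"
SAMPLE = [("custodian-1", "mailbox", "mbx-001", MSG),
          ("custodian-1", "pst", "pst-017", MSG),
          ("custodian-2", "archive", "arc-204", b"Subject: lunch\r\n\r\nNoon?\r\n")]
MANIFEST = build_manifest(SAMPLE, "collector-a", "2009-01-15T10:00:00Z")

if __name__ == "__main__":
    tampered = [SAMPLE[0][:3] + (MSG + b" ",)] + SAMPLE[1:]
    print("changed or missing:", verify(MANIFEST, tampered))
    print("duplicates:", duplicate_groups(MANIFEST))
```

The seal is a plain hash, so it only helps if it is stored where someone editing the manifest cannot also rewrite it.
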
Proactive e-Discovery Strategies
e-Discovery Reference Model (EDRM) – No impact
Review
–Assess evidence that has been collected
–Redact privileged content
–Determining which e-mails to produce to other party
  i.e., responsive evidence
Analysis
–Tagging privileged and relevant email
  Attorney/Client and Corporate IP
–Filtering

Proactive e-Discovery Strategies
e-Discovery Reference Model (EDRM) – No impact
Production
–Export of evidence to the requesting party as negotiated by both parties early in the e-discovery process
–Governed by the proposed amendments to the Federal Rules of Civil Procedure
–Bates stamping
–Convert to PDF, TIFF or other responsive format
Presentation
–Delivery of relevant evidence in court

E-mail as Evidence
Evidential weight in court
Sample questions a judge could ask about e-mail presented as evidence:
–Who accessed it?
–What was done with it?
–When was it changed? Why?
–Where was it at all stages between discovery and court?
–How was it collected?
–Where was it collected from?
Opposing legal teams will challenge everything!

Best Practices for e-Discovery
Key steps to create an e-Discovery Easy Button
Legal and IT must work together
Reduce your attack surface
Have an e-Discovery plan prior to litigation and during litigation
Meet and Confer meeting (Rule 26)
–Don't commit to an unrealistic timeline
–Ignorance is no excuse!
Know where data is stored and who your data owners are
Communicate with entire team and have an audit trail of all communications and actions

Best Practices for e-Discovery
Key steps to create an e-Discovery Easy Button
Third party solutions
–Search all data silos from a single console including online data
–Support Preservation, Keep and Delete Policies
–Include an advanced search to cull down data faster
–Produce ESI in acceptable formats

Thank you for your time! firstname.lastname@example.org