eDiscovery

Discovery is the legal process that controls the production of evidence in litigation and related proceedings. It is the legal procedure that controls obligations to produce and rights to obtain relevant information in state and federal courts, arbitrations, investigations, and other means of fact finding in dispute resolution.

Traditionally, discovery took the form of recorded interviews, interrogations, testimony, or physical items such as a defective product, medical records, or a weapon used in a crime. However, it is useful to distinguish electronic records from other forms of discovery using the term eDiscovery since the entire discovery process is increasingly centered on electronically stored information (ESI).

Examples of ESI that might be considered legal eDiscovery are emails, documents CAD/CAM files, databases, image files, instant messaging chats from Slack and other platforms, websites, and any other relevant electronic information. The eDiscovery process also includes metadata and raw data which may include evidence forensic investigators can reveal.

Historically, parties to litigation or other dispute resolution processes exchanged documents in paper form—sometimes hundreds of boxes of them. Computer generated content has replaced paper documents over time, altering the discovery process with it. The average person now generates thousands of digital records during an average day, including data from apps, digital audio or video recordings, cell phone data, email, GPS data, household appliance and wearable data, data from onboard vehicle computers, and social media posts—all of it ESI.

ESI presents several unique challenges. First, it’s fairly easy to alter digital data without being detected. ESI is also typically accompanied by metadata, which can reveal more information than paper documents usually can, but metadata analysis also demands forensic expertise.

The advent of ESI has also meant that parties now cope with considerably larger volumes of information that is discoverable. Although hundreds of boxes of paper may sound (and be) excessive, digital storage media can hold as much information as tens of thousands of boxes. It’s not just a matter of storage capacity; it is now common for eDiscovery to include the production of millions of chats, emails, texts, and other digital files.

The Electronic Discovery Reference Model (EDRM) has provided the foundation for the eDiscovery process since 2005. Nine eDiscovery stages comprise the EDRM, connected in sequence. (Not every eDiscovery process follows every step, but the EDRM is still a useful reference.)

The first four stages concern the information collection and preservation functions:

Information governance. Information governance focuses on ESI management from initial creation through final disposition with the reduction of eDiscovery costs in advance of litigation as the goal.

Identification. In this stage, the team identifies the project’s technical issues and potential scope to begin to identify relevant evidence. The focus is on locating potential sources of ESI, custodians and locations of discoverable evidence, and the volume of potentially discoverable data.

Preservation. In the course of routine business, ESI is frequently deleted, but deleting potentially discoverable information may be spoliation—sometimes a sanctionable offense. Proper preservation of ESI that is discoverable for litigation ensures evidence is not destroyed or altered.

Collection. Similarly, despite the challenges, it is essential to avoid altering evidence by collecting ESI in a forensically sound manner.

The remaining stages deal with the data analysis and presentation side of things:

Processing. ESI may be converted to formats that are more easily reviewed yet forensically secure. Meanwhile, the native documents can be subject to forensic analysis and preserved.

Review. Relevant evidence must be available for review by parties while privileged information remains protected against accidental production.

Analysis. Attorneys must provide context for ESI and its content with their analysis, identifying key custodians, discussions, patterns, and subjects.

Production. ESI must be produced to the right parties in the correct formats, whether it be electronic production or via disks or hard drives.

Presentation. A relatively small proportion of ESI is ultimately produced in a hearing, deposition, or trial, and the parties must present this relevant evidence effectively. How ESI is presented can persuade, demonstrate key facts, or bolster witness testimony.

As a larger legal process, eDiscovery spans the time any type of legal conflict, including a lawsuit, complaint, or administrative hearing, is foreseeable, to the time parties to such a conflict present the digital evidence. At a higher level, there are three basic parts to the eDiscovery collection and review process:

Attorneys, government agents, auditors, managers, or others identify potential conflicts and relevant data. A legal team places the information that is in fact relevant on legal hold, subject to conditions consistent with goals for security and preservation.

Next comes negotiation, which determines the scope of eDiscovery. Obviously all parties have a hand in this part of the process, as legal teams identify the relevant ESI, challenge eDiscovery requests they find irrelevant, and make eDiscovery requests of their own. Typically, parties can negotiate and agree on search parameters for evidence and relevance to ensure the eDiscovery process is streamlined.

Finally, the legal teams and their experts extract and analyze the relevant evidence using digital forensic procedures. Experts may use machine learning, predictive coding, computer assisted review, and other techniques to identify trends and patterns and conduct deeper levels of analysis. After they review and produce their evidence, they will convert it into a useful format for court or an agency setting, such as PDF or TIFF.

Examples of eDiscovery and ESI include information in databases, documents, and spreadsheets; emails and voicemails; file fragments and file metadata; IMs and text messages; digital diagrams and images; and video. ESI can be stored in almost any type of electronic media, including back-up tapes; cloud storage; flash drives or thumb drives; hand-held devices such as iPods, mobile phones, PDAs; hard disk drives (HDD) and solid state drives (SSD); game consoles; optical disks such as CDs and DVDs; and network storage such as NAS or file.

Although some level of analysis is certainly part of advanced eDiscovery, digital forensics is its own analysis-driven investigative process. Digital forensics involves identifying, collecting, reviewing, preserving, analyzing, and presenting digital information to answer specific questions in civil litigations, criminal prosecutions, employment law cases, family law cases, and particularly in fraud investigations, white-collar criminal investigations, and any other legal case that relies heavily on documentary evidence.

Experts in eDiscovery digital forensics can often:

• analyze internet or social network usage and peripheral device usage such as printers, USB drives, etc.
• analyze movies, images, and other media
• determine electronic communications outside standard channels
• determine timelines of computer activity
• install and execute applications
• recover deleted information and detect alterations

During the eDiscovery process, massive amounts of data are transferred and stored. In some proceedings, digital forensics can achieve a deeper view of the data, including hidden data and deleted files found by a forensic specialist.

An expert can identify the possible data that exists, find a way to retrieve it, and then testify about the process to ensure the evidence is admissible. The forensic expert creates an exact copy of the data to work with so that the information is preserved. This protects the chain of custody and data integrity.

ESI is here to stay, and while each proceeding is unique, eDiscovery responsibilities under the rules remain consistent. Creating a defined process for managing eDiscovery and compliance, using advanced eDiscovery platforms and tools is the best way to protect against sanctions and achieve positive outcomes.

These kinds of eDiscovery solutions are also more cost-effective. Although an hourly employee may have a lower rate for reviewing case-related ESI manually, the approach is cumbersome, lengthy, and error-prone, ultimately costing more.

In contrast, a comprehensive eDiscovery software solution enables parties to expedite the process significantly while improving accuracy—and increasing actionable findings.

An eDiscovery service should achieve several goals:

Redaction. Redactions are essential to eDiscovery review to prevent sharing of privileged information. Manual redactions are costly, prone to error, and slow, so auto-redaction capabilities with version history features are desirable in an eDiscovery solution. This way, the legal team retains a trail of all redactions made by all users, and the original document content remains preserved and searchable.

Proactive collection. eDiscovery tools that allow for proactive user data collection and preservation across various endpoints and applications enable a more targeted result, allowing for massive savings at both the collection and review stages.

Advanced search. This is another area where eDiscovery tools really stand out. Approximately 80 percent of discovery costs accumulate during review, mostly due to the need to hone in on specific topics, search parameters, keywords, or mentions in ESI material across all devices, users, and storage locations. Advanced search functions in eDiscovery solutions enabled by robust tagging and metadata search allow the eDiscovery team to cull the amount of data that must be reviewed by a significant amount, making review  much faster and driving down review costs. Look for eDiscovery tools that allow you to cull data by file, date range, run multilingual eDiscovery queries, and access deleted files and their data for analysis and processing.

Annotation features. Many members of the legal team may review various documents, which risks data siloing or sidetracking parts of the project. Annotation features can help centralize information for reference and structure the review collaboration.

Chain of custody reporting. To ensure compliance with Department of Justice and EDRM requirements, the best eDiscovery software and tools use chain of custody reporting and extended metadata and file fingerprinting. This guarantees data authenticity and the party’s ability to meet defensibility requirements.

Ease of sharing. After review files must be shared, and this requires merging and converting documents into certain file formats. Manually this is time-consuming, so eDiscovery solutions with easy document conversion tools are preferable. Also look for the ability to share data with other eDiscovery providers without exporting, including cloud to cloud.

eDiscovery costs spike for businesses as the volume of ESI they collect and analyze grows, because most eDiscovery services, tools, and platforms charge by data volume. Without a collection strategy or better tools for analysis in place, over-collection of data, missed information, and overspending on data analysis are all problematic.

Collecting ESI via traditional eDiscovery methods demands excessive time, effort, and money. Data siloing between IT, desktop administrators, SaaS apps, forensics, legal, and other teams reduces employee productivity.

Druva offers data backup and recovery service to users who want to protect against data loss due to device upgrades, ransomware, stolen/damaged devices, or accidental deletion. Druva also provides eDiscovery data collection and preservation features at a fraction of forensic collection costs, eliminating the siloing issue.

Druva inSync collects data continuously from employee endpoints, G Suite, Microsoft 365, and Slack accounts. This data is already collected for backup and recovery on the Druva Cloud Platform, so in the event of a lawsuit, employee data can be put on legal hold—preserved and made forensically admissible—with a single click. This data collection and preservation remains completely silent which means there is no loss of productivity.

Druva legal hold and inSync eDiscovery enables customizable data collection, so you collect only the data that is relevant to a particular case. You can cull the data further by date, for example.

This ensures a complete, forensically admissible data set of relevant information, ready for presentation and processing. Customers who use Druva legal holds have drastically reduced overall eDiscovery spending and data collection costs. Druva even offers a Slack eDiscovery solution. Learn more about how Druva is providing proactive data collection and preservation across endpoints, and how your organization can significantly reduce eDiscovery costs.

https://www.druva.com/solutions/endpoint-ediscovery/

Now that you’ve learned about eDiscovery, brush up on these related terms with Druva’s glossary:

• What is a backup policy?
• What is data archiving?
• What is data encryption?