
 

ParfumGigi@aol.com

December 4, 2006 18:16

E-Discovery May Target Unexpected Sources
David Sumner and Damon Reissman
E-Commerce Law & Strategy
December 4, 2006

On Friday, the long-discussed and much-awaited amendments to the Federal Rules of Civil Procedure (FRCP) went into effect. Among the elements of these amendments are changes to how electronic evidence is treated in discovery.

This issue and the changes to the rules most particularly affect counsel advising clients in e-discovery matters, but e-discovery and the treatment of information and communications -- before discovery is developed or considered, or before lawsuits are filed -- are issues critical to e-commerce, and they will become more important for businesses and for law firms as this segment of the economy grows.

This article describes how nontraditional sources of electronic data may provide important evidence in investigations. These data sources, including instant messaging (IM), voicemail, Web-based e-mail and sales-management systems, present distinct challenges in terms of procuring and analyzing raw data.

For instance, many of these systems operate independently from the standard corporate e-mail and general-ledger systems in a company's information-technology environment.

Frequently, the company's document-retention policies are not applied to these systems as stringently as they are to the better-known IT systems, resulting in the storage of data beyond expected date ranges. In cases where these secondary systems are hosted and stored by third parties, they may not even be governed by data-retention policies. In the authors' recent experience, these sources have proved very useful in determining the outcome of investigations and should be considered by counsel, or by forensic investigators.

IT'S A NEW WORLD, WITH NEW WAYS

From teenagers to retirees, the digital revolution has touched almost all aspects of our everyday lives. Widespread business use of voicemail, e-mail, IM, sales-management systems, as well as the use of portable devices, simplifies our work in many ways, but also makes electronic data discovery much more complex.

E-commerce counsel should be mindful of some of the more prominent nontraditional sources of electronic data when he or she is responding to a discovery request, and should weigh the costs and benefits of addressing these sources through policies prior to discovery.

According to the FRCP amendments, electronically stored information (ESI) has been added to the official list of items subject to production. Typical ESI sources include forensic copies of personal computers, company file servers, e-mail servers and backup tapes. In our experience, alternative sources of ESI (whether from external data sources or from a more detailed review of forensic hard-drive images) can take many forms and can produce additional evidence. Examples of nontypical ESI, which we will examine in further detail, include: Web-based e-mail, IM, voicemail, internal database systems, iPods and other portable storage devices.

NONTRADITIONAL COMMUNICATIONS TOOLS

Understandably, much attention has already been paid to e-mail in electronic discovery. One of the main reasons why is that e-mail can help show intent, as well as fact, and the data has been relatively easy to access through the system's centralized location and the availability of backups. Often overlooked are other frequently used communication methods such as those described below.

1. Web-Based E-Mail

Outlook Express is one of many e-mail clients commonly available. Because it is usually installed automatically with Microsoft Windows, users often set it up to access e-mail from their personal accounts. This information is easily accessible and is frequently asked for in discovery.

Corporate e-mail systems often allow access to server-based company e-mail through Internet browsers. Also, countless users have turned to Web-based e-mail services, such as Hotmail, as a parallel method of personal and corporate communication. Commonly used to communicate to friends and family, Web-based e-mail is also used to conduct company business outside normal channels. This circumvents many companies' restrictions, internal controls and retention policies on e-mail. Some companies have instituted policies that filter or restrict attachments, or prohibit personal use of corporate e-mail altogether. These actions have the unintended consequence of forcing employees to use Web-based e-mail accounts for personal communications and workarounds when the restrictions are "inconvenient."

E-mail messages viewed through Web-based accounts are often recoverable on the users' computers via an advanced forensic review of PCs' temporary files. Fragments, and sometimes entire messages, often can be identified on a computer long after the message has been deleted from the server. E-mail attachments downloaded to temporary folders on a local computer for viewing can actually remain on the PC for extended periods.

2. Instant Messaging

IM programs are ubiquitous, and many corporate users employ this method. Often, IM is preferred over e-mail because of the added dimension of presence and the ability to get an immediate response. IM conversations are often less formal than even e-mail communications, and users are usually under the impression that the conversations are not recorded.

Similar to e-mail, IM programs are available in corporate enterprise and public versions. The most popular public networks are AOL Instant Messenger, .NET Messenger Service and Yahoo Messenger, but there are many others. All of these platforms have their own programs that allow access to their network for communication and file sharing. Many IM services also provide proprietary services, such as ties to e-mail accounts, offline messaging and voice-mail capability.

Enterprise IM platforms allow file transfer, as well as group chat and individual conversations via centralized servers but may or may not allow connectivity with public IM networks. Enterprise IM servers can also be set up to automatically log all communication. In certain regulated industries, companies may be required to retain these logs along with other data covered by their retention policy.

These logs may reside on a PC for an extended period, and when deleted, they may be recoverable via forensic analysis, like any other deleted file. In one recent investigation, the targets' IM logs described an exchange over how to turn off the logging feature. Even though these technologically savvy individuals were able to conceal the relevant portion of their discussion, this evidence was added to their list of transgressions. In another recent case, an IM exchange included instructions for an upcoming meeting with company auditors that, to paraphrase, said: "Remember not to show the auditors the real numbers. Show them book B."

3. Voicemail

Voice-mail messages have also become a growing part of investigations. In addition to a standard server that houses voice mails that a user can call into, providers are making a deliberate effort to integrate voicemail into other messaging platforms. Messages can now be attached to an e-mail as a sound file, and transcribed in an e-mail or text message to a mobile device. All of this information can be and has been used in several cases. For example, a recovered voice-mail message was a primary piece of evidence listed in the U.S. Attorney's indictment against former WorldCom CEO Bernie Ebbers.

4. Internal Systems and Productivity Tools

An important aspect of any investigation is to identify the programs and databases a company uses, and to design a plan to effectively analyze the relevant information stored in the company's data systems. This becomes increasingly challenging as the amount of data continues growing -- in volume and complexity. If the scope spans several years, for instance, data often can be found in multiple versions of a system, and in legacy systems.

Many organizations also use sales force automation (SFA) tools. These may be as simple as a contact manager, or may involve a more robust system used by the sales force to track opportunities and individual notes on each meeting with a potential customer. This type of data can be quite valuable in any investigation involving sales practices, such as Foreign Corrupt Practices Act or antitrust matters, but it also presents unique challenges. Corporate retention policies may not include the SFA system, which may be located on a separate corporate or third-party server -- resulting in compliance challenges.

5. Portable Devices and Other Storage Media

Portable productivity tools, in the form of Blackberry, Palm and Windows CE-based personal digital assistants (PDAs), are mainstream. These devices provide users with e-mail and Internet access separate from their company networks and policies, and employees and principals of e-commerce ventures are wont and willing to carry -- and use -- these tech-tool toys. Even standard cell phones now have the ability for minor scheduling and note taking, not to mention text messaging. While this information may be synchronized or backed up to the user's computer and the company's server, that's not always the case. Many of these devices have the ability to synchronize not only with the corporate system, but also with Web-based e-mail accounts -- another avenue used to circumvent internal controls.

The physical dimensions and cost of external storage devices (including thumb drives) have shrunk while their capacity continues to grow. A consumer external hard drive can have more capacity than some small business servers, and the newest iPod can hold as much as common PCs used by most businesses. Ease of installation and use also presents benefits and challenges. Document servers and fax machines can also contain data in memory and, similar to voicemails, faxes can be sent directly to e-mail accounts. Investigators shouldn't ignore these capacities, because they can hold information important to their cases.

In a recent case, important nonphoto documents were located on a digital-camera memory card. In another case, computerized cash registers were acquired to search for payments on a transactional basis and compared to what was posted in the accounting system. This involved analyzing data from two different types of sources, one of which is definitely not commonly examined. If the camera or the cash register had been ignored, then important evidence would not have been found.

OBSTRUCTIONIST ACTS

In many investigations, suspects try to hide or delete important information. This activity can range from simply deleting documents and e-mail to installing wiping software and reinstalling operating systems. With the right expertise, it's possible to recover much of this evidence, and to present this obfuscation as evidence. In a recent case involving an executive at a prominent software firm, a PC was completely "wiped," and then the Linux operating system was installed. Use of sophisticated forensic analysis led to the conclusion that the installation of the Linux operating system took place after government subpoenas had been issued; these actions were identified and factored as evidence detrimental to the defendant in the case.

In the Lotus Notes environment, it's possible to identify the date and number of e-mails recently deleted. This can prove useful in determining compliance when a preservation order is in place.

A particularly useful (from an investigator's perspective) option in Outlook is the "Journal" feature, which, if turned on, logs activity associated with Microsoft Office applications, including Outlook e-mail activity. The logs track when e-mails are viewed and for how long, including any activity involving attachments. This was very useful in a recent investigation when an interviewee denied that an attachment to a certain critical e-mail had been reviewed. While the interview was in progress, we were able to access the journal logs for the interviewee's mail file and send the proof to the interviewers that not only had the interviewee opened the e-mail, but that the attachment had been opened for 6 minutes at 2:54 p.m. of the day in question.

DESIGNING SYSTEMS WITH FORESIGHT

Corporate investigations have grown in size and expense in part because of the increasing amounts of data available. It's important to design your systems to reduce the impact on your company when you need to respond.

It's impossible to plan for every instance as new technologies continue to expand the possible sources of information in an investigation. Companies should, though, create policies that clearly state the correct use of corporate data and systems, and make sure that information-technology systems are designed to conform to these policies.

SUMMARY

Investigations of data held or misused by bricks-and-mortar firms and their e-commerce-based counterparts, and electronic discovery, present some unique challenges. An inventory of the systems a person of interest to an investigation uses daily should be compiled through some method such as interviewing a peer.

More often than not, one will encounter a system or process wholly separate from the standard corporate e-mail and shared-file networks that could provide critical data.

With that in mind, when designing and updating IT infrastructure, consider what common types of data might come into demand in an investigation and how this might be done, while minimizing the impact on business. Here are some questions that company officers and counsel advising them in such matters should ask when considering costs and benefits:

  • Are legacy systems involved? If so, how can easier access to this data be granted?
  • Is any software your company or staff uses not common?
  • Does your company have policies regarding personal use, or nonstandard programs or peripherals? Are the IT systems designed to support these rules?
  • Is your industry regulated? What type of retention/destruction policy is in place, and is it complying with the regulations or stated company rules?
  • Does your company have an archiving solution for e-mail? Does it comply with the retention/destruction policy?
  • If the need for an investigation is identified, does your company have procedures to guide this process?

These are the questions that should be asked and answered, and then the answers examined, in designing systems to prepare for investigations. Tomorrow's technological advances will add their own complexity, with new operating-system features such as increased amounts of data, automatic file encryption and built-in "secure deletion." To handle the growing number of documents generated by large companies, enterprise content management solutions are being implemented.

Besides providing a higher level of informational organization for corporate use, these systems will be a primary ESI source during discovery. It's not feasible to design systems and policies solely around responding to a potential discovery request, but consideration during policy and system design of the nontraditional data sources and their complexities could save a company a substantial amount of time and money when producing such data.

David Sumner is a manager in the Dispute Analysis & Investigations practice of PricewaterhouseCoopers' Philadelphia office. He focuses on investigations and purchase-price disputes. He is a certified public accountant licensed in Pennsylvania. Reach him at david.w.sumner@us.pwc.com. Damon Reissman is a manager in the forensic technology solutions practice of PricewaterhouseCoopers' Boston office. He focuses on computer forensics and corporate investigations. He is a certified fraud examiner and an EnCase certified examiner. Reach him at damon.reissman@us.pwc.com.


 

