All Posts By

Jason Hale

Dual Party eDiscovery

By | eDiscovery, Litigation | No Comments

The use of digital forensic experts and vendors is a common and often vital part of litigation. Traditionally, each party may hire their own expert to conduct work on their behalf. Each expert will typically perform a forensic collection of the data, conduct an independent analysis, and relay the results to the respective party. This approach works, but often means there will be duplicative work, delays, and increased cost of overall discovery. A dual party engagement is a fresh alternative that can be arranged to mitigate or eliminate some of the downsides of the traditional approach. However, there are several key considerations before deciding which is best for your case.

Verifiable and Repeatable Processes

It is helpful to have a baseline knowledge and appreciation of the nature of true digital forensic processes. Operations performed according to stringent digital forensic standards are verifiable and repeatable, regardless of the expert used. Simply put, this means that a forensic collection completed by one qualified expert will produce the same outcome that it would if it were completed by another qualified expert. This universal standard for digital forensics, when truly appreciated, tends to increase the comfort level between contentious parties.

Issues with the Status Quo

When each party retains a digital forensics expert, each expert will often be working with the same set of data. In most cases, the data under examination or subject to review is from a computer or smartphone. Each expert will conduct his or her analysis and relay the results to the hiring party. Those results may also be disclosed to the opposing party as part of a production, testimony, or otherwise.

If there is a set of stipulated keywords or an analysis protocol that has been agreed upon by the parties, the issue of duplicative work is often compounded. Both experts may indeed be conducting the same examination, running the same keyword searches, and arriving at the same results. This duplication of work is problematic for two reasons: it increases the overall cost of the litigation and it can also extend the amount of time required for discovery. If one party’s expert has a larger backlog or fewer resources than the other, the examination results may be delivered to each party at significantly different times.

Advantages of Coordination

Coordination between two parties with respect to retaining a digital forensics expert alleviates many of the issues encountered when each party retains their own expert. If a dual party engagement is to be arranged, both parties need to agree on the following, at a minimum:

  • The expert or third-party vendor to use
  • The specific tasks contemplated by the agreement (conducting the collections, keyword searches and/or examination of the data)
  • The protocol for communication that will be used by all parties
  • How the responsibility for payment will be assigned.

Dual party engagements help to ensure that both parties agree on the type of analysis to be conducted, keyword lists to be used, how the results of the search and examination are to be disseminated, and any other factors that are important to the matter. In some cases, the results of the search and examination are disclosed to both parties simultaneously. In other cases, deadlines are put into place to govern the production of documents after both parties review for privilege.

The specifications of a dual party engagement are limited only by the flexibility of the parties. Dual party engagements allow for the analysis, searching, and other related tasks to be performed once and disseminated to both parties. This arrangement reduces the overall cost of litigation as compared to two independent experts conducting the same analysis for their retaining party. When the results are provided to both parties at the same time, neither party is disadvantaged by the delivery time of the results.

Considerations for Dual Party Engagements

While dual party engagements solve a number of issues faced by traditional engagements, there are some important considerations that the parties must weigh before going this route.

  • Are both parties comfortable with the expert’s qualifications and prior work? If both sides have previously worked with the expert, they are much more likely to have a greater comfort level with the expert and his or her ability.
  • Having a qualified expert is critically important since both sides could be relying on the results produced by the expert.
  • Dual Party engagement does not preclude one or both of the parties from arranging a third-party review of the results.

Another consideration that demands careful forethought in dual party engagements is the impact of the communication and delivery protocol.

  • If both parties are to receive the analysis results simultaneously, the results cannot be examined or redacted by one party prior to disclosing to the other party.
  • If any type of review or redaction may be necessary prior to one of the party’s review, the manner of delivery will need to be detailed in the dual party engagement letter.

In many cases, each party will review the searching and analysis results of their own data for privilege prior to approving the release to the opposing party. This is easily accomplished, but should be addressed in the contract to ensure both parties agree on the delivery protocol.


The dual party engagement approach is increasing in popularity as practitioners become more comfortable with the concepts and techniques employed by forensic experts during electronic discovery. These practitioners have come to recognize the inherent safeguards afforded by a trusted digital forensic expert and welcome the cost and time savings benefits of dual engagements.

Cyber Attack: Your Law Firm is a Potential Target

By | Criminal Defense, Data Breach, eDiscovery, Employment Law, Litigation | No Comments

law firm cyber attackLegal professionals take note: your firm is a potential target for a cyber attack. Recently, three Chinese citizens have been charged in the United States with insider trading activities based on information obtained through breaching multiple law firms. This fact illuminates that law firms are a prime target for cyber attackers. Given the nature of communication and documents that often comprise legal work product, it comes as no surprise that the same information can be used for financial gain if it falls into the hands of an unscrupulous party. Regardless of the type of cases handled by a firm, the resulting communication and work product could be useful to an attacker. For those firms working in mergers and acquisitions, the work product potentially becomes even more valuable.

Law Firms Entice Cyber Criminals

The previously mentioned cyber attack leading to insider trading activities was allegedly made possible through hacking into law firms and mining for information related to buyouts and other useful data for insider trading. To some, this comes as no surprise. Leveraging the wealth of information maintained by law firms, particularly those dealing with large corporations, is a natural and potentially lucrative avenue for cyber attackers. In Spring 2016, dozens of law firms were targeted by Russian hackers in an effort to obtain confidential information to be used for insider trading. It is clear that law firms are an enticing target for cyber criminals. Information technology and security may not be a focal point of law school, but it is a vital piece of protecting the information entrusted to law firms by their clients.

Simply put, law firms produce and store data that is often of great interest to cyber criminals. Whether it is information regarding an upcoming merger, bankruptcy, patent, or any other intellectual property, the type of data generated at law firms can be extremely valuable to attackers looking to profit from confidential information. Consider the attackers vantage point: breaching the security and gaining access to a specific corporation may yield fruitful information, but the effort and time involved in successfully hacking the company typically results in information about a single organization. If the same effort were applied to carrying out a successful cyber attack on a law firm, hackers could potentially gain access to confidential information regarding a multitude of companies in a single attack. To defend themselves, firms must take action through implementation and proper execution of cyber security policies and procedures.

Recognize the Risk of a Cyber Attack

It is imperative that law firms recognize the risk of a cyber attack and take appropriate actions to mitigate the chances of a data breach. There are numerous technology controls such as firewalls, intrusion detection and prevention systems, anti-virus, and sophisticated log aggregation and monitoring tools. While all of these are important and useful in their own right, it is the user that can play the most significant role in preventing or unwittingly facilitating a cyber attack. Users are more easily manipulated and coerced than firewalls and other technical measures, and must therefore be aware of the types of threats they are likely to encounter and trained on spotting issues and mitigating the successfulness of an attack.

Fishing for Sensitive Client Data

A technique known as spear phishing is one of the most common methods attackers use to gain unauthorized entry into an organization. In a spear phishing cyber attack, a very targeted email is sent to a specific party in hopes that the recipient will click a link within the email, opening a malicious attachment, or otherwise unintentionally degrade the security of the system enough to allow the attacker access. Spear phishing emails often contain seemingly personalized information, addressed to the correct recipient and perhaps referencing a past event the recipient spoke at or attended. Providing these types of details is an attempt to implicitly build trust with the recipient and detract from the true nefarious purpose of the message. In some cases, attacks like these can be blocked using technical controls. However, if not blocked by an email filter or other technical control, it is up to the recipient of the message to make the final determination on whether or not to complete the call-to-action urged in the email. This is where user awareness and training pay off. Users that are trained on spotting spear phishing attempts and other common scams can help a law firm prevent data breaches by blocking the initial effort of a cyber criminal.

Cyber Security is Essential for all Law Firms

Regardless of the security controls, policies, and procedures that a firm chooses to implement, it is clear that law firms are and will continue to be a target of cyber criminals. The recent charges filed against three Chinese citizens for allegedly hacking into law firms and leveraging confidential data to make millions off trades based on the stolen data is unlikely to be the only one of its kind. The valuable data held at law firms paints a target on the back of firms across the country. If your firm is lagging behind on its cyber security practices, now is the time to catch up. Protecting the information bestowed to firms by their clients extends well beyond the confines of the courtroom and into the digital realm of networks, data, and hackers looking to take advantage of vulnerable systems.

Jason Hale is a Digital Forensic Examiner at One Source Discovery who specializes in incident response. Jason has a Master’s degree in Digital Forensics and holds the Certified Computer Examiner (CCE) designation from the International Society of Forensic Computer Examiners and the GIAC Certified Forensic Analyst (GCFA) designation from the Global Information Assurance Certification.