Data Reduction and Document Review

Litigation Preparedness in the Age of E-Discovery

Dr. Andy Cobb, PhD, CCE

Part 2: Data Reduction and Document Review



In Part 1 of this series, we discussed the proper preservation of data – including when the duty to preserve arises, litigation holds and the repercussions of not properly preserving data when litigation is possible. Once data is properly preserved and/or collected, the focus shifts to review of the data. It is important to remember that not all data is created equal in terms of relevance to the matter. While a large amount of data may have been properly preserved in previous phases, the challenge now becomes separating the wheat from the chaff in a cost-effective way. In a 2012 study, the RAND Corporation found that over 70% of eDiscovery costs were in the document review phase. Thus, reducing the number of potentially relevant documents to review has a large impact on the overall cost of eDiscovery.

Several approaches can be applied to narrow down the amount of data to be reviewed, ranging from technical best practices that can and should be applied to almost any data set to focused, case-specific tactical solutions. Two general approaches for data reduction are De-NISTing and De-Duplication. Both are general methods that should almost always be employed. De-NISTing is the process of culling known files from the data set. Windows system files are examples of known files. When De-NISTing is applied, these known files are “ignored” or removed from the review set.

De-Duplication is the process of culling out documents that have the same content.  De-duping can be helpful so that reviewers are not seeing and coding the same document two or more times, which saves time and money.

Other document culling techniques can be applied that depend on the nature of the case. A few examples of case-specific techniques are:

  • Filtering documents by custodian.  Many cases involve key custodians of interest. One widely used practice is to review emails to/from particular individuals of interest, then expand the scope of review out, as needed.
  • Filtering by dates of interest.  Eliminating documents outside a particular date range can be a very effective method of reducing data size.
  • Keyword Searches. This method involves searching for relevant documents using keywords. The first – and often most difficult – aspect of this approach is settling on a set of keywords that return relevant data, rather than false positives. 
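
The culling steps described above (De-NISTing, de-duplication, then custodian, date and keyword filters), as an added example that is not from the original article. It is a Python sketch that assumes known files are identified by SHA-256 hash against a reference list such as NIST's NSRL and that duplicates are byte-identical; the documents, hash list, custodian names and keywords are constructed sample data.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Doc:
    doc_id: str
    custodian: str
    dated: date
    content: bytes


def digest(data: bytes) -> str:
    """Content hash used for both known-file matching and duplicate detection."""
    return hashlib.sha256(data).hexdigest()


def cull(docs, known_hashes, key_custodians, start, end, keywords):
    """Reduce a collection to a review set.

    Returns (review_set, suppressed, log): `suppressed` maps each kept document
    to the duplicate ids it stands for, `log` holds the count left after each stage.
    """
    log = [("collected", len(docs))]

    # 1. De-NIST: drop files whose hash is on the known-file list.
    docs = [d for d in docs if digest(d.content) not in known_hashes]
    log.append(("de-NIST", len(docs)))

    # 2. Global de-duplication: keep the first copy of each hash, but remember
    #    every custodian who held a copy so a later custodian filter cannot
    #    lose a key custodian's document just because another copy was kept.
    kept, holders, suppressed = {}, {}, {}
    for d in docs:
        h = digest(d.content)
        holders.setdefault(h, set()).add(d.custodian)
        if h in kept:
            suppressed.setdefault(kept[h].doc_id, []).append(d.doc_id)
        else:
            kept[h] = d
    log.append(("de-duplicate", len(kept)))

    # 3. Custodian filter: pass if ANY holder of the document is of interest.
    stage = [d for h, d in kept.items() if holders[h] & set(key_custodians)]
    log.append(("custodian", len(stage)))

    # 4. Date filter: inclusive range.
    stage = [d for d in stage if start <= d.dated <= end]
    log.append(("date range", len(stage)))

    # 5. Keyword filter: case-insensitive whole-word match, which avoids the
    #    false positives a plain substring search produces.
    pattern = re.compile(
        r"\b(?:%s)\b" % "|".join(re.escape(k) for k in keywords), re.IGNORECASE
    )
    stage = [d for d in stage if pattern.search(d.content.decode("utf-8", "replace"))]
    log.append(("keyword", len(stage)))
    return stage, suppressed, log


# Constructed sample data (not from any real matter).
SYSTEM_FILE = b"constructed stand-in for an operating system file"
KNOWN_HASHES = {digest(SYSTEM_FILE)}
MEMO = b"Please send the pricing spreadsheet to the new vendor."
SAMPLE_DOCS = [
    Doc("D1", "carol", date(2016, 3, 1), SYSTEM_FILE),
    Doc("D2", "carol", date(2016, 3, 1), MEMO),
    Doc("D3", "bob", date(2016, 3, 1), MEMO),  # same content as D2
    Doc("D4", "bob", date(2014, 1, 5), b"Old pricing list attached."),
    Doc("D5", "bob", date(2016, 4, 10), b"Lunch on Friday?"),
    Doc("D6", "dave", date(2016, 3, 2), b"Pricing update for Q2."),
]


def run_sample():
    return cull(SAMPLE_DOCS, KNOWN_HASHES, {"bob"},
                date(2016, 1, 1), date(2016, 12, 31), ["pricing", "vendor"])


if __name__ == "__main__":
    review, suppressed, log = run_sample()
    for stage, count in log:
        print(f"{stage:>12}: {count}")
    print("review set:", [d.doc_id for d in review], "duplicates:", suppressed)
```

The copy of the memo kept for review came from a custodian who is not of interest, yet it survives the custodian filter because a key custodian held an identical copy. The per-stage counts give both parties a record of what each agreed criterion removed.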

Unless the document review is for an internal investigation and not discovery, the criteria used to reduce documents will most likely need to be agreed upon by both parties. Courts are generally agreeable to – and may even order – reasonable methods of reducing the number of documents for review.

Document Review

Document review is the process by which documents are coded or categorized – and can be overwhelming. But having the right review platform and right people managing and performing the review process can dramatically reduce the heartburn. Look for a review platform that is efficient and has been time-tested by professional litigators that review routinely. Outside counsel may be a good resource for this.

Experienced reviewers and review managers can greatly improve the efficiency of the review process – they’ve got the battle scars and know what can go wrong and how to address the typical problems that arise. And they usually have a well-defined process by which to efficiently perform review for large or complex projects.

Document review, which is the most costly phase of the eDiscovery process, requires preparation of the documents to help reduce the costs of overall discovery. The phases leading up to document review are critical since they set the stage for both defensibility and lowering costs.

Technology-Assisted Review (TAR)

One other set of techniques, which might be considered a hybrid between data reduction and document review, uses software to aid in the review process and is known as Technology-Assisted Review or TAR. Predictive coding (now called TAR 1.0) was introduced a few years ago as a technique in which reviewers “train” and test the software until it can accurately predict how documents should be coded.

Predictive coding evolved into the latest form of TAR called continuous learning, or TAR 2.0.  In this technique, the software automatically learns as the reviewers code documents. When the software reaches a certain confidence level, it “takes over” and begins to automatically code the remaining documents as long as the confidence level is maintained.  TAR techniques have been accepted in court under certain circumstances, especially for extremely large document sets.


In this article we’ve discussed several best practices that can be employed to reduce the volume of documents that need review. These techniques can be instrumental in reducing the overall cost of eDiscovery. As TAR is increasingly accepted in courts for large document sets, the costs of document review for those cases will also be dramatically reduced.

In Parts 1 and 2 of this series, we’ve focused on the scenarios where attorneys handle the review of documents for discovery.  In the final part of this series of articles, we’ll tackle digital forensics investigations, in which a digital forensics expert is needed to perform a deep dive into devices to find the story the data tells.

Dual Party eDiscovery

The use of digital forensic experts and vendors is a common and often vital part of litigation. Traditionally, each party may hire their own expert to conduct work on their behalf. Each expert will typically perform a forensic collection of the data, conduct an independent analysis, and relay the results to the respective party. This approach works, but often means there will be duplicative work, delays, and increased cost of overall discovery. A dual party engagement is a fresh alternative that can be arranged to mitigate or eliminate some of the downsides of the traditional approach. However, there are several key considerations before deciding which is best for your case.

Verifiable and Repeatable Processes

It is helpful to have a baseline knowledge and appreciation of the nature of true digital forensic processes. Operations performed according to stringent digital forensic standards are verifiable and repeatable, regardless of the expert used. Simply put, this means that a forensic collection completed by one qualified expert will produce the same outcome that it would if it were completed by another qualified expert. This universal standard for digital forensics, when truly appreciated, tends to increase the comfort level between contentious parties.

Issues with the Status Quo

When each party retains a digital forensics expert, each expert will often be working with the same set of data. In most cases, the data under examination or subject to review is from a computer or smartphone. Each expert will conduct his or her analysis and relay the results to the hiring party. Those results may also be disclosed to the opposing party as part of a production, testimony, or otherwise.

If there is a set of stipulated keywords or an analysis protocol that has been agreed upon by the parties, the issue of duplicative work is often compounded. Both experts may indeed be conducting the same examination, running the same keyword searches, and arriving at the same results. This duplication of work is problematic for two reasons: it increases the overall cost of the litigation and it can also extend the amount of time required for discovery. If one party’s expert has a larger backlog or fewer resources than the other, the examination results may be delivered to each party at significantly different times.

Advantages of Coordination

Coordination between two parties with respect to retaining a digital forensics expert alleviates many of the issues encountered when each party retains their own expert. If a dual party engagement is to be arranged, both parties need to agree on the following, at a minimum:

  • The expert or third-party vendor to use
  • The specific tasks contemplated by the agreement (conducting the collections, keyword searches and/or examination of the data)
  • The protocol for communication that will be used by all parties
  • How the responsibility for payment will be assigned.

Dual party engagements help to ensure that both parties agree on the type of analysis to be conducted, keyword lists to be used, how the results of the search and examination are to be disseminated, and any other factors that are important to the matter. In some cases, the results of the search and examination are disclosed to both parties simultaneously. In other cases, deadlines are put into place to govern the production of documents after both parties review for privilege.

The specifications of a dual party engagement are limited only by the flexibility of the parties. Dual party engagements allow for the analysis, searching, and other related tasks to be performed once and disseminated to both parties. This arrangement reduces the overall cost of litigation as compared to two independent experts conducting the same analysis for their retaining party. When the results are provided to both parties at the same time, neither party is disadvantaged by the delivery time of the results.

Considerations for Dual Party Engagements

While dual party engagements solve a number of issues faced by traditional engagements, there are some important considerations that the parties must weigh before going this route.

  • Are both parties comfortable with the expert’s qualifications and prior work? If both sides have previously worked with the expert, they are much more likely to have a greater comfort level with the expert and his or her ability.
  • Having a qualified expert is critically important since both sides could be relying on the results produced by the expert.
  • Dual Party engagement does not preclude one or both of the parties from arranging a third-party review of the results.

Another consideration that demands careful forethought in dual party engagements is the impact of the communication and delivery protocol.

  • If both parties are to receive the analysis results simultaneously, the results cannot be examined or redacted by one party prior to disclosing to the other party.
  • If any type of review or redaction may be necessary prior to one of the party’s review, the manner of delivery will need to be detailed in the dual party engagement letter.

In many cases, each party will review the searching and analysis results of their own data for privilege prior to approving the release to the opposing party. This is easily accomplished, but should be addressed in the contract to ensure both parties agree on the delivery protocol.


The dual party engagement approach is increasing in popularity as practitioners become more comfortable with the concepts and techniques employed by forensic experts during electronic discovery. These practitioners have come to recognize the inherent safeguards afforded by a trusted digital forensic expert and welcome the cost and time savings benefits of dual engagements.

Cell Phone = Plethora of Evidence

Odds are good that you might be reading this article on your cell phone. Mobile devices topped the 8 billion mark in 2016, with only 7.5 billion people. That means that cell phones now outnumber people. Think about all the data floating around and how this data could be potentially relevant in the legal realm. Before we get into that, while many of the principles discussed here apply to most mobile devices, for the purposes of this article we’ll be focusing on smartphones. Smartphones are defined as any phone with advanced computing capabilities (something more than the ability to make a cell phone call from your car) and 3G network connectivity. You might use a smartphone to browse Facebook, complete a Google search, check emails, watch a few videos, or even to complete a call.

Cell Phone Usage in the US

In the U.S., 95% of Americans own a cell phone of some type, and 75% of those users own a smartphone. A majority of users consume more than 2GB (gigabytes) of data per month. Two gigabytes of data may not sound like much; however, that would be equivalent to roughly two truckloads full of boxes of office documents stored on the average (low end) cell phone. As if that were not enough, consider the fact that unlimited data plans are making a comeback (and that the average unlimited plan usage is 7GB per month). The high U.S. ownership numbers span across all demographics – male/female, educated or not, rich or poor. In fact, the only demographic that has less than a 50% smartphone penetration is the 65+ age range – those who already spent a majority of their lives without cell phones.

Almost everyone is using a Cell Phone

All of these users – young or old – are using their phones for a number of tasks. Simple tasks like sending text messages, checking emails and perusing WebMD to see if their headache might mean they have a life-threatening disease (they don’t, but WebMD suggested it). They’re using dozens of applications (apps) for more specialized tasks – sometimes simultaneously – and they’re (rarely) making calls with their cell phone. Current statistics show that 80-90% of mobile device usage takes place in apps, the heavyweight being Facebook at a whopping 19% of the time spent. Messaging/Social apps fall in at 12%, and internet browsing is not far behind at 10%. Although most users are unaware of it, data associated with their activity is being written to their device (typically in real-time). This data sits idle and is innocuous until potential litigation arises.

In the event that a user’s smartphone activity is of interest, a qualified computer/digital forensic examiner can easily preserve and/or search the data held on the smartphone. In my experience, the following items were generally the most useful:

  • Active and deleted text messages (deleted text messages can usually be recovered)
  • Facebook conversations (without the need for a password)
  • Internet history
  • Full content of emails
  • Audit logs (they can offer a granular view of user activity, logs of the power cycles or the last computer the phone was plugged into, applications installed, and more)

The implications of the data stored on mobile devices in general are limitless. Below are some examples of how smartphone data can be used in criminal and civil matters to…

  • determine the user’s state of mind/motive/establish an alibi.
  • substantiate the user’s location at a given time.
  • identify known associates.
  • uncover evidence of plans to go to work for and/or take sensitive information to a competing company.
  • provide justifications for child custody (or lack thereof).
  • confirm/validate contractual terms/debts.
  • show excessive internet or app usage to deem a person “addicted to their phone” and unfit for full-time custody of special needs children.
  • provide proof of infidelity.
  • provide evidence of cyber bullying of a child.

The Right to Search a Cell Phone

After reading all of this, it may seem like the world is your oyster – you can get a hold of a mobile device and all this great evidence automatically rains down from it, right? The legality of gathering this information is a little more complex than that. The biggest issue of all is the right to preserve and/or search the device/data. To determine if you have those rights or will need a court order to gain access to the phone, consider the following:

  • Did you purchase the mobile device, or did someone else?
  • Do you pay the monthly bills?
  • Did you sign anything providing another individual or company the right to access your data, or is it yours and yours alone?
  • For the parents out there – depending on your jurisdiction, the fact that you bought and pay for your child’s phone may still not be enough to allow you the right to take possession of the device and review its content.
  • Husbands and wives – depending on the shared property laws in your jurisdiction, you may or may not have the right to view your spouse’s data.

Does the right to review that data create a roadblock? Certainly. But in reality it’s little more than the thresholds for other evidence. With due legal process, the right can be obtained for a forensic examiner to preserve the devices and their contents, search that data based on the particulars, and present the findings for review. If you’re new to the incorporation of ESI (electronically stored information) in your practice, it may seem like a daunting task. But, as with any new evidence category, there are qualified experts in the digital forensics field ready to help you navigate the waters and ensure you get reliable evidence. Regardless of the type of law you practice, you likely have current cases that could benefit from the inclusion of digital evidence.

Ryan Ferreira is a Digital Forensic Examiner at One Source Discovery who specializes in mobile device forensics and call detail record analysis. He has a Master’s degree in Digital Forensics and holds the Certified Computer Examiner (CCE) designation from the International Society of Forensic Computer Examiners, among various other certifications.

Wearable Technology: What Are You Wearing and What Is It Saying About You?

Jenny leaves the gym, pleased that she reached her step goal for the day. Johnny glances at his wrist quickly during a meeting, and swipes to the left. Billy finishes a marathon and checks his time at the finish line station. What do these people all have in common? They’re all integrating wearable devices into their everyday life. Wearables are arguably the next big craze in portable technology. A recent study by IDTechEx found that the market for wearables will increase 10% annually to over $40 billion in 2018, and by 2026 is anticipated to be over $150 billion per year. The reality is that whether it’s a chip connected to someone’s shoe at a marathon, a smartwatch, a fancy pedometer, or an activity band, it seems like every other person has at least one (if not more) of these devices. Yet little attention has been paid to these devices outside of the fashion and fitness realms until recently.

It is important to note that most of these devices log and in some instances analyze various metrics collected from the wearer’s daily activity. Many of these devices track the number of steps taken in a day, some monitor your heart rate to make sure you’re getting in a good workout or a restful night’s sleep. Recently FitBit and Medtronic announced a partnership to develop the ability for diabetics to track their blood glucose levels using wearables. Other devices, while lacking in intrinsic health benefits, instead tend towards the cool factor of the scale. For instance, Levi’s Jeans company now has a “smart jacket” capable of interacting with a Bluetooth-linked device such as your cell phone. The possibilities for wearable technology are endless, and so are the potential uses of this data in digital investigations.

Think about it – assume there is a harassment (sexual or otherwise) claim. The argument could be made that changes in heart rate corresponding with the timeline of the alleged event corroborate the claim, or they could be indicative of whether someone did or did not in fact feel threatened during an exchange. Wouldn’t it be useful to know exactly how someone reacted physiologically during and around the time of the alleged infraction? The data from these devices could also be useful in evaluating injuries. Take a workman’s compensation injury claim. It would be key to the investigation to know if someone with a neck injury was spending their off time getting in a vigorous workout at a gym or recuperating within the confines of their house.

While these methods of investigation may seem intrusive, in some jurisdictions they are already in use. Attorneys at McLeod Law in Calgary, Canada, used wearable device data to show that their client, a former personal trainer, had in fact been seriously injured and that those injuries impacted her quality of life. In the case, she wore a FitBit during an “assessment period” to show that her levels of activity were well below what someone of her age and profession should be exhibiting on a regular basis. Using actual data from the wearer’s daily life has the potential to carry much more weight than traditional clinical assessments, as an assessment often only examines a person for short segments of time. Wearable device data has also played a part in alleged sexual assault cases. In Lancaster, Pennsylvania, police officers responded to an alleged sexual assault and opted to collect the victim’s FitBit as evidence for their investigation. In reviewing the data from the device, a different story unfolded. Rather than corroborating the victim’s story that she was sleeping and awoken by the assailant, the device data showed that the alleged victim was awake and exhibiting signs of normal activity during the time of the alleged assault. Ultimately, the police department stopped their investigation into the assault and instead charged the alleged victim with filing a false police report.

But this technology does not come without its issues. It’s equally important to know that there can be shortcomings to the usage of data from wearable devices in litigation. First, data can be accidentally falsified, such as in the case of fidgeting (for movement data) or having someone jump out from behind a wall and yell “boo!” (for heart rate data). Second, the data collected can also be intentionally falsified. For instance, a workman’s comp claimant could opt to skew the results by sitting on the couch and doing nothing for two weeks when they are perfectly healthy. Or someone could easily let a friend (known to be exhibiting the desired level of activity) borrow the device and wear it to record data that supports the user’s story.

It’s also important to be mindful that many of these wearable devices are unique – they do not fall under a unifying specification where each one has the same interface to extract the data contained within (unlike that of a computer hard drive, mobile phone, etc.). This means that the ease of collecting data from an activity band could vary greatly between models and/or manufacturers. While forensic examiners may be able to connect to one device and access data using a USB cable, they might have to entirely dismantle a second type of device (of the same general category) in order to manually read the internal data chips, and on the third device run into a scenario requiring a court order to a wearables provider to produce the user data stored on their servers.

So what does this all mean? Is the data gathered from this new technology unreliable? Definitely not. As with all information in a case, you should trust, but verify. Wearable technology certainly has its uses, and it’s important to make sure you’re not only aware of them but taking advantage of them when appropriate. From a corporate standpoint, it might be a good idea to start thinking about revising your BYOD (Bring Your Own Device) policies to contemplate wearable devices. But from a litigation standpoint, you should make it a habit to start asking your clients or adverse parties if they use and allow wearable devices. We predict that the use of data collected from wearable devices in legal matters has just begun – get ahead of the curve now.

Ryan Ferreira is a Digital Forensic Examiner at One Source Discovery who specializes in mobile device forensics and call detail record analysis.  He has a Master’s degree in Digital Forensics and holds the Certified Computer Examiner (CCE) designation from the International Society of Forensic Computer Examiners, among various other certifications.

eDiscovery Check-in: How Courts and Practitioners are Handling the 2015 FRCP Amendments

Many federal rules were updated in December 2015. For example, Rule 34 now requires specificity in objections to discovery requests instead of boilerplate objections. From an eDiscovery perspective, the rules that were most affected by the Federal Rules of Civil Procedure (FRCP) revisions were Rule 26(b)(1), which relates to discovery proportionality and relevance, and Rule 37(e), which relates to the failure to preserve electronically stored information (ESI). The increasing expense of preserving, collecting, reviewing and producing ESI provided the impetus for many of the recent revisions.

Rule 26(b)(1) Changes

While many courts have considered proportionality in discovery decisions, it has not been as explicitly outlined in the rules until the December 2015 changes. In addition to addressing proportionality, the changes to 26(b)(1) removed much of the broad language, such as the sentence: “For good cause, the court may order discovery of any matter relevant to the subject matter involved in the action.” In addition, one of the most significant changes to Rule 26(b)(1) was the removal of the provision that inadmissible evidence was discoverable if it “appears reasonably calculated to lead to the discovery of admissible evidence.”

Rule 37(e) Changes

Prior to the change of 37(e), U.S. District Courts were divided on how to address sanctions and when they were appropriate. Some found that mere “negligence” was enough, while others looked for “intentionality” and/or “bad faith” as the trigger. The result was confusion and over-preserving, which caused mainly large corporations to beg for more consistency. The intent of the changes to 37(e) was to create a uniform standard for imposing sanctions when a party failed to preserve. The rule was modified so that severe sanctions should only be imposed in the most extreme situations when a party acts willfully to avoid preserving ESI.

The revised rule, now called “Failure to Preserve Electronically Stored Information”, states that if data is lost “because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery,” the court has two options: (1) Upon finding prejudice to another party from loss of the information, the court may order measures no greater than necessary to cure the prejudice, or (2) Only upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation, the court may:

  • Presume that the lost information was unfavorable to the party;
  • Instruct the jury that it may or must presume the information was unfavorable to the party; or
  • Dismiss the action or enter a default judgment.

Response to 26(b)(1) Changes

When the changes to 26(b)(1) first emerged and were being discussed, many believed the result would be a sea change in the courts, leading them to rein in the perceived excesses of the discovery process. Others felt that not much would change since the idea of proportionality was already being addressed in most courts. On one end of the spectrum is Bentley v. Highlands Hosp. Corp., 2016 U.S. Dist. LEXIS 23539 (E.D. Ky. Feb. 23, 2016) in which the court provided clear guidance on the parameters of relevance and proportionality in discovery. On the other end of the spectrum, the court in Wit v. United Behavioral Health (Case No. 14-cv-02346 JCS (N.D. Cal. Oct. 12, 2016)) cited an outdated 1978 Supreme Court opinion, Oppenheimer Fund v. Sanders, 437 U.S. 340 which supports a broad interpretation of “relevance”.

Generally, what appears to be happening in courts seems to be what was intended: a change in mindset related to discovery. For example, in Gilead Scis., 2016 WL 146574, the court touched on this new mindset: “No longer is it good enough to hope that the information sought might lead to the discovery of admissible evidence. In fact, the old language to that effect is gone. Instead, a party seeking discovery of relevant, non-privileged information must show, before anything else, that the discovery sought is proportional to the needs of the case.” The consensus seems to be that, while some courts already considered limitations and proportionality in discovery – and therefore would not be significantly affected by the changes – the revised rule hopes to move all courts in a unified direction with regard to this new discovery mindset.

Response to 37(e) Changes

Courts have struggled more with the rule changes to 37(e) than those to Rule 26. One issue that courts are struggling with is consistently applying the meaning of “reasonable steps” to preserve ESI. The different types, complications and nuances of ESI have caused the courts to apply different standards under different circumstances. For example, in Best Payphones, Inc. v. City of New York, et al, No. 1:2001cv03934 – Document 295 (E.D.N.Y. 2016), the court had to deal with a variety of formats which required different analyses since each format had different definitions of “reasonable steps” for preservation.

In addition, there seems to be a trend in which courts are requiring stronger evidence that, when claimed, ESI is indeed missing, as in FiTeq Inc. v. Venture Corp., No. 13-cv-01946-BLF, 2016 WL 1701794 (N.D. Cal. Apr. 28, 2016). Finally, there seem to be two simultaneous trends that are interacting and complicating decisions for courts: the idea that reasonable steps should be taken to preserve ESI (and the definition thereof) and the fact that courts and litigants continue to learn and become aware of the complex nature of ESI. For this reason, it seems that courts will continue to evolve on the issue of ESI preservation to achieve fairness to the parties.

What Should Practitioners Do?

As a result of the 26(b)(1) changes, practitioners should consider a couple of shifts in focus. First, attorneys should review the complaint with an eye towards phased or iterative discovery. This method starts small, with the most critical issues in question, and grows as information is discovered and produced to and received from opposing parties. This method helps drive relevance to the main issues and has the added benefit of saving resources.

Second, early conversations with clients will help determine where ESI is located and how much effort and resources will be required to review and produce any relevant ESI. Can the number of custodians be limited? Do we need all their ESI or would electronic communications suffice? What are the costs related to the production of that ESI and will they produce the most relevant results?

Since the impacts of the changes to Rule 37(e) are still being worked out in the courts, courts and litigants are still learning the complexities of ESI preservation, and no broad consensus exists on what “reasonable steps” means, caution is still the prudent approach. The hope is that the Rule 37(e) revisions will, through the courts, settle into a few general guidelines and precedent that will provide more consistency and prevent the over-preservation of ESI, but we are not there yet.

Dr. Cobb currently serves as Partner at One Source Discovery, a local, full service eDiscovery firm. He developed the strict procedures used during forensic collections and analysis to ensure accuracy, verifiability and repeatability. Dr. Cobb is the creator of BlackBox, the patented remote forensic collection software tool. Prior to his position at One Source Discovery, he was the founder and President/CEO of AC Forensics and Assistant Professor at the University of Louisville. Dr. Cobb has served as a consultant on hundreds of Electronic Discovery matters, provided expert testimony on various Computer Forensics matters in Federal and State Courts, given several talks and CLE’s related to electronic discovery, and published numerous technology journal articles.

Data Privacy And Conflicting Search Warrant Rulings


What happened?

On February 3, 2017 a federal magistrate judge ordered Google to comply with a search warrant to produce foreign-stored emails (In re Search Warrant No. 16-960-M-01 to Google). The magistrate judge disagrees with the U.S. Court of Appeals for the Second Circuit’s Microsoft Ireland Warrant Case, which was recently denied rehearing by an evenly divided court. This decision shows that the Justice Department is asking judges outside the Second Circuit to reject the Second Circuit’s ruling — and that at least one judge has agreed.

At issue are two routine Stored Communications Act (SCA) warrants served on Google for the contents of emails. Google responded with the emails that it knows were stored inside the United States, but it refused to turn over emails that could be outside the United States. Because Google breaks up its emails and the network might distribute them anywhere in the world, Google can’t know where many emails are located and declined to produce them under the Second Circuit’s Microsoft case.

The government moved to compel Google to produce all of the emails within the scope of the warrant. Magistrate Judge Thomas J. Rueter ruled that Google has to comply with the warrant in full because “the conduct relevant to the SCA’s focus will occur in the United States” even for the data that is retrieved from outside the United States. According to the judge:

“…[T]he invasions of privacy will occur in the United States; the searches of the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania. These cases, therefore, involve a permissible domestic application of the SCA, even if other conduct (the electronic transfer of data) occurs abroad.”

The court reasoned that when a network provider is ordered to retrieve information from abroad, that copying of information abroad and sending back to the United States does not count as a Fourth Amendment “search” or “seizure” outside the United States, stating “Electronically transferring data from a server in a foreign country to Google’s data center in California does not amount to a “seizure” because there is no meaningful interference with the account holder’s possessory interest in the user data.”

Further, the court saw no search abroad: “When Google produces the electronic data in accordance with the search warrants and the Government views it, the actual invasion of the account holders’ privacy- the searches – will occur in the United States.”  Because the search and seizure occurred in the United States, not abroad, the relevant privacy invasion was domestic and a domestic warrant could order it.

Legal Analysis

Bob Dibert is a Member at the Frost Brown Todd, LLC Louisville office practicing business litigation and electronic data discovery, privacy & security law. Referencing the warrants to Google and Microsoft, Dibert states, “These cases show how courts can focus on factual details in reaching different results when the law is uncertain.”

“In Microsoft, the data was located in a different country – the Republic of Ireland – and the account (perhaps including the account holder) was in or proximate to Ireland. In Google, the most that could be said about the data was that at least some of it was located somewhere outside the U.S., at least some of the time.”

It’s not clear what the reactions will be, if any, of other nations where US companies store data. While data privacy laws in European Union countries have tightly restricted access to their citizens’ data, particularly by outside nations, treaties and legal agreements include provisions for transferring data for criminal matters.

Dibert elaborates, stating, “Although neither decision discusses the context specifically, the Republic of Ireland has both legislation and treaties to provide assistance to foreign prosecutors and courts in criminal matters. And, it was a challenge in Ireland that ultimately declared U.S. laws to provide inadequate privacy protections for citizens and data located in the European Union (including Ireland). The specific case, Schrems v. Data Protection Commissioner, No. C-362/14 (Court of Justice of the European Union, Oct. 6, 2015), involved transfer of a European user’s Facebook data from Ireland to U.S. servers. So Google did not involve territory where it might have been prudent for Microsoft to tread lightly.”

Where do we go from here?

Many law experts believe that the actions ordered by the judge would still be considered seizure, citing Orin S. Kerr, Fourth Amendment Seizures of Computer Data, 119 Yale L.J. 700, 700 (2010), which argues that copying Fourth Amendment-protected files seizes them under the Fourth Amendment when copying occurs without human observation and interrupts the stream of possession or transmission.

Because of the ambiguity of the location of the data that results from the methods Google uses to store data, some data service providers may re-think whether to pursue this hybrid model as opposed to the more “cut-and-dry” methods. Will Google completely overhaul the way they store data?  Probably not. But by appealing the decision, they will force the issue with the courts to address the Fourth Amendment ambiguities. Stay tuned.

Dr. Cobb currently serves as Partner at One Source Discovery, a local, full service eDiscovery firm. He developed the strict procedures used during forensic collections and analysis to ensure accuracy, verifiability and repeatability. Dr. Cobb is the creator of BlackBox, the patented remote forensic collection software tool. Prior to his position at One Source Discovery, he was the founder and President/CEO of AC Forensics and Assistant Professor at the University of Louisville. Dr. Cobb has served as a consultant on hundreds of Electronic Discovery matters, provided expert testimony on various Computer Forensics matters in Federal and State Courts, given several talks and CLE’s related to electronic discovery, and published numerous technology journal articles.

Impacts of the FRE 902 Amendments


Federal Rules of Evidence 902 (FRE 902) generally outlines evidence that can be described as “self-authenticating”, meaning it doesn’t require extrinsic evidence of authenticity in order to be admitted. Some examples of self-authenticating documents are public records that are signed and sealed, newspapers and certified copies of government documents. Oftentimes, trial attorneys rely on FRE 902 for the authentication of evidence that is crucial to their cases. In order for digital evidence to be introduced in court, the source of this electronic evidence (also known as electronically stored information or ESI, for short) must be verified, a process known as authentication. The FRE 902 Amendments go into effect December 2017.

The FRE 902 amendments seek to clarify and streamline the acceptable authentication methods for system-generated electronic records and for data copied from storage media thus making it easier to authenticate ESI evidence. Later we will discuss the impacts of the amendments, but first let’s briefly review and define them.

The FRE 902 Amendments

“(13) Certified Records Generated by an Electronic Process or System. A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).”

Here an electronic process or system can mean any IT system, for example, an email system.

“(14) Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12).”

Here an electronic device could be a phone or a laptop, for example. A storage medium could be a thumb drive, a CD or a computer hard drive.

It is important to note that both of these additions require notice per Rule 902 (11) or Rule 902 (12), which stipulates, among other things, that the certification be produced to opposing parties for inspection, thus opening the door for a possible certification/authentication challenge.

Implications for the Production of ESI

The FRE 902 amendments will have broad implications on the processes that data custodians and attorneys follow when producing potentially relevant ESI evidence for legal matters. Chad Main, attorney and the founder of Percipient, a legal technology company, defines data custodians in lay terms as, “a witness (or potential witness) with control of relevant evidence.” He provides the following example: Assume in a products liability case an employee authored the “smoking gun” research document and saved the document on his or her computer. The employee is the “custodian” of the document because he or she has control of it. However, the data custodian is not always the owner of the data. The data custodian can also be a system administrator or IT department within an organization.

Risks of Self-Collection

One of the biggest impacts will affect the practice known as custodian “self-collection.” Self-collection occurs when the data collection is performed by the custodian of the potentially relevant data, rather than by an independent and qualified third party. The problem with self-collection is that it takes place without the expertise or means to authenticate the data being collected. Guidance Software, creator of EnCase, has identified the following eight areas of risk of self-collection when the employee/individual completing the collection…

  • has a potential self-interest and intentionally deletes, omits or modifies the ESI.
  • has a potential self-interest and properly preserves the ESI, but opposing counsel discredits the collection based on the self interest.
  • is too busy and uninterested in the case and ignores the preservation instructions.
  • completes the preservation in a haphazard manner and accidentally omits relevant ESI.
  • does not understand how to properly preserve relevant ESI and accidentally deletes or modifies the evidence.
  • moves the ESI to another folder causing changes to important file system metadata.
  • misinterprets the preservation instructions and omits relevant ESI.
  • moves the data to a central location, thereby destroying the context of the document in regards to where it was originally stored.

Application of the FRE 902 Amendments

Properly applying FRE 902 (14) will now involve using specialized digital forensic tools that support authentication methods, such as the practice known as digital hashing. Digital hashing produces a digital “fingerprint” of a chunk of data such as a file or even the contents of an entire hard drive. For example, the simple action of changing the letter “O” to the number “0” within a file stored on a hard drive changes the hash for the entire hard drive.










Digital forensics experts routinely use hashing methods to verify that copies of digital evidence match the original data from which the copies are made, i.e. their hashes or “fingerprints” match. The figure shows an example of a hashing algorithm called Message Digest 5 or MD5, which produces a 32-character alpha-numeric fingerprint for a file, email or entire hard drive.
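The copy-verification workflow described above, as an added example (not code from the original article or from any forensic tool it names): each file is fingerprinted at collection time and a copy is later checked against that manifest. The file names and contents are constructed, and SHA-256 is recorded alongside MD5 as an addition here, because MD5 collisions can be produced deliberately.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so large evidence files are never loaded whole


def fingerprint(path):
    """Return MD5 and SHA-256 hex digests of one file, computed in a single pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def build_manifest(source_dir):
    """Hash every file under source_dir, keyed by its path relative to source_dir."""
    root = Path(source_dir)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_copy(manifest, copy_dir):
    """Check a copy against the collection-time manifest.

    Returns {relative path: 'match' | 'MODIFIED' | 'MISSING' | 'UNEXPECTED'}.
    """
    root = Path(copy_dir)
    report = {}
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            report[rel] = "MISSING"
        elif fingerprint(target) == expected:
            report[rel] = "match"
        else:
            report[rel] = "MODIFIED"
    # Files present in the copy but absent at collection time are flagged too.
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            report[rel] = "UNEXPECTED"
    return report


def demo():
    """Constructed sample: collect two files, copy them, then alter one character."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "original"), Path(tmp, "copy")
        src.mkdir()
        (src / "memo.txt").write_bytes(b"PO number: 4O17 approved\n")  # letter "O"
        (src / "notes.txt").write_bytes(b"call client Monday\n")
        manifest = build_manifest(src)
        shutil.copytree(src, dst)
        clean = verify_copy(manifest, dst)
        # Change the letter "O" to the number "0" in the copy, as in the text above.
        (dst / "memo.txt").write_bytes(b"PO number: 4017 approved\n")
        tampered = verify_copy(manifest, dst)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    for rel, digests in manifest.items():
        print(rel, digests["md5"], digests["sha256"])
    print("fresh copy:", clean)
    print("after edit:", tampered)
```
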

Self-collection has always been inherently risky because it provides a ripe opportunity for challenges. The new FRE 902 amendments place more focus on how ESI is collected and authenticated than ever before. Amendment FRE 902(14), in particular, draws a bright red line by requiring that the digital evidence be verified by a “qualified person”. To drive home the point, the committee notes even go as far as to spell out that digital verification techniques, such as the hashing techniques discussed above, must now be used to verify digital evidence.


The impact of these amendments, especially considering the rate and volume at which data is created, should not be ignored. Experts predict that the FRE amendments, while aiming to clarify and support proper certification of digital evidence, will also provide a foundation for parties to more readily challenge the admission of digital evidence in court. To mitigate or even bypass these challenges altogether, parties presenting digital evidence would be wise to ensure that all ESI evidence is certified either by having qualified digital forensic technicians perform the preservation and collection of the ESI or by setting up reliable systems that utilize built-in, tested digital verification methods when copying digital evidence.

Cyber Attack: Your Law Firm is a Potential Target


Legal professionals take note: your firm is a potential target for a cyber attack. Recently, three Chinese citizens have been charged in the United States with insider trading activities based on information obtained through breaching multiple law firms. This case illustrates that law firms are a prime target for cyber attackers. Given the nature of communication and documents that often comprise legal work product, it comes as no surprise that the same information can be used for financial gain if it falls into the hands of an unscrupulous party. Regardless of the type of cases handled by a firm, the resulting communication and work product could be useful to an attacker. For those firms working in mergers and acquisitions, the work product potentially becomes even more valuable.

Law Firms Entice Cyber Criminals

The previously mentioned cyber attack leading to insider trading activities was allegedly made possible through hacking into law firms and mining for information related to buyouts and other useful data for insider trading. To some, this comes as no surprise. Leveraging the wealth of information maintained by law firms, particularly those dealing with large corporations, is a natural and potentially lucrative avenue for cyber attackers. In Spring 2016, dozens of law firms were targeted by Russian hackers in an effort to obtain confidential information to be used for insider trading. It is clear that law firms are an enticing target for cyber criminals. Information technology and security may not be a focal point of law school, but it is a vital piece of protecting the information entrusted to law firms by their clients.

Simply put, law firms produce and store data that is often of great interest to cyber criminals. Whether it is information regarding an upcoming merger, bankruptcy, patent, or any other intellectual property, the type of data generated at law firms can be extremely valuable to attackers looking to profit from confidential information. Consider the attacker’s vantage point: breaching the security and gaining access to a specific corporation may yield fruitful information, but the effort and time involved in successfully hacking the company typically results in information about a single organization. If the same effort were applied to carrying out a successful cyber attack on a law firm, hackers could potentially gain access to confidential information regarding a multitude of companies in a single attack. To defend themselves, firms must take action through implementation and proper execution of cyber security policies and procedures.

Recognize the Risk of a Cyber Attack

It is imperative that law firms recognize the risk of a cyber attack and take appropriate actions to mitigate the chances of a data breach. There are numerous technology controls such as firewalls, intrusion detection and prevention systems, anti-virus, and sophisticated log aggregation and monitoring tools. While all of these are important and useful in their own right, it is the user that can play the most significant role in preventing or unwittingly facilitating a cyber attack. Users are more easily manipulated and coerced than firewalls and other technical measures, and must therefore be aware of the types of threats they are likely to encounter and trained on spotting issues and limiting the success of an attack.

Fishing for Sensitive Client Data

A technique known as spear phishing is one of the most common methods attackers use to gain unauthorized entry into an organization. In a spear phishing cyber attack, a very targeted email is sent to a specific party in hopes that the recipient will click a link within the email, open a malicious attachment, or otherwise unintentionally degrade the security of the system enough to allow the attacker access. Spear phishing emails often contain seemingly personalized information, addressed to the correct recipient and perhaps referencing a past event the recipient spoke at or attended. Providing these types of details is an attempt to implicitly build trust with the recipient and detract from the true nefarious purpose of the message. In some cases, attacks like these can be blocked using technical controls. However, if not blocked by an email filter or other technical control, it is up to the recipient of the message to make the final determination on whether or not to complete the call-to-action urged in the email. This is where user awareness and training pay off. Users that are trained on spotting spear phishing attempts and other common scams can help a law firm prevent data breaches by blocking the initial effort of a cyber criminal.

Cyber Security is Essential for all Law Firms

Regardless of the security controls, policies, and procedures that a firm chooses to implement, it is clear that law firms are and will continue to be a target of cyber criminals. The recent case against three Chinese citizens, charged with allegedly hacking into law firms and making millions off trades based on the stolen confidential data, is unlikely to be the only one of its kind. The valuable data held at law firms paints a target on the back of firms across the country. If your firm is lagging behind on its cyber security practices, now is the time to catch up. Protecting the information entrusted to firms by their clients extends well beyond the confines of the courtroom and into the digital realm of networks, data, and hackers looking to take advantage of vulnerable systems.

Jason Hale is a Digital Forensic Examiner at One Source Discovery who specializes in incident response. Jason has a Master’s degree in Digital Forensics and holds the Certified Computer Examiner (CCE) designation from the International Society of Forensic Computer Examiners and the GIAC Certified Forensic Analyst (GCFA) designation from the Global Information Assurance Certification.

Germany Bans ‘My Friend Cayla’ Doll Over Spying Concerns : NPR


Listening to NPR, we learned that “My Friend Cayla” dolls are the newest (and cutest) culprits in data breaches. Don’t let the googly eyes fool you.

Germany has banned an interactive doll manufactured by an American company that German regulators charge can spy on children and collect personal data from them and their parents. But some consumer watchdogs say the ban alone is not enough.

Source: Germany Bans ‘My Friend Cayla’ Doll Over Spying Concerns : NPR

eDiscovery in 2016: Can Hillary’s emails teach us anything?


The Hillary Clinton Email Saga, By The Numbers

From Visually.


Looking back at 2016: Can Hillary’s emails teach us anything?

by Andy Cobb, PhD, CCE


While many cases that affected the practice of electronic discovery popped up in 2016, no eDiscovery topic got more attention or had more impact than the Hillary Clinton email server saga. Are there some lessons we can all take away from the Hillary email debacle? Yes. But before we discuss those lessons, let’s refresh our memories on what happened during the Clinton email debacle according to the USA Today’s summary:

March 2, 2015: The New York Times reports that Hillary Clinton used a private email server while serving as Secretary of State.

March 10, 2015: Clinton defends her use of a private server, saying it was for “convenience” so she could use a single device for personal and business use. “Looking back, it would have been better for me to use two separate phones and two separate e-mail accounts,” she said. “I thought using one device would be simpler. Obviously, it hasn’t worked out that way.”

July 24, 2015: The inspectors general at the State Department and Director of National Intelligence ask the Justice Department to review whether classified information was compromised in Clinton’s use of private email.

August 2015: A federal official confirms the FBI is investigating.

Aug. 11, 2015: Clinton’s campaign says she has directed that her server be turned over to the Justice Department.

May 25, 2016: The inspector general at the State Department issues a report critical of Clinton’s use of private email, saying department policies dating to 2005 require that “normal day-to-day operations” be conducted on government computers.

July 1, 2016: Attorney General Loretta Lynch says she will accept recommendations from the FBI and career prosecutors in the email case in an attempt to dispel criticism of her potential conflict of interest after she met with former president Bill Clinton on a Phoenix tarmac.

July 2, 2016: Clinton is interviewed by the FBI for 3-1/2 hours in Washington, D.C.

July 5, 2016: FBI Director James Comey announces the recommendation not to prosecute Clinton.

October 28, 2016: In a letter to Congress, Comey says the FBI is reviewing new emails related to Clinton’s time as secretary of state, according to a letter sent to eight congressional committee chairmen. The emails are discovered as part of an investigation into Anthony Weiner and were sent or received by Clinton aide Abedin.

November 6, 2016: Based on a review of the newly discovered emails, Comey tells lawmakers that the agency has not changed its opinion that Clinton should not face criminal charges.

Sifting Through the Talking Points

After all of this, Clinton’s campaign Communications Director, Jen Palmieri said she was “glad this matter is resolved.” Trump, however, pushed back against the announcement: “Right now, she is being protected by a rigged system,” Trump said Sunday night at a rally in Michigan. “It’s a totally rigged system. I’ve been saying it for a long time. You can’t review 650,000 new emails in eight days. You can’t do it, folks.”

Actually you can – easily. And you can do it in a matter of a couple of days. It’s a matter of filtering emails by metadata (fields such as: to, from, dates, etc.). 650,000 emails become a few hundred with some smart filtering and maybe some keyword searching. Which brings us to Comey, who said the email review wouldn’t be complete until after the election. This is what we call managing expectations in our industry.
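An added sketch of that kind of metadata culling (not the FBI’s or the author’s actual process): de-duplicate, keep messages involving a custodian, apply a date window, then keyword-search what remains. The addresses, dates, keywords and messages are constructed, and bodies are assumed to be plain text.

```python
import hashlib
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime


def _msg(frm, to, date, subject, body, cc=""):
    """Build one constructed plain-text message for the sample set."""
    cc_line = f"Cc: {cc}\n" if cc else ""
    return f"From: {frm}\nTo: {to}\n{cc_line}Date: {date}\nSubject: {subject}\n\n{body}\n"


# Constructed sample collection (not real data): 7 messages, one collected twice.
SAMPLE = [
    _msg("alice@example.com", "bob@example.com", "Mon, 03 Oct 2016 09:15:00 -0400",
         "Server migration", "Moving the archive to the new server on Friday."),
    _msg("alice@example.com", "bob@example.com", "Mon, 03 Oct 2016 09:15:00 -0400",
         "Server migration", "Moving the archive to the new server on Friday."),
    _msg("carol@example.com", "dave@example.com", "Tue, 04 Oct 2016 12:00:00 -0400",
         "Lunch", "Noon at the usual place?"),
    _msg("alice@example.com", "carol@example.com", "Mon, 12 Jan 2015 08:30:00 -0500",
         "Server quote", "Vendor quote attached."),
    _msg("bob@example.com", "alice@example.com", "Mon, 10 Oct 2016 17:45:00 -0400",
         "Fantasy football", "Trade offer inside.", cc="carol@example.com"),
    _msg("eve@example.com", "frank@example.com", "Thu, 20 Oct 2016 10:05:00 -0400",
         "RE: backup tapes", "The tapes are in offsite storage.", cc="Alice@Example.com"),
    _msg("alice@example.com", "bob@example.com", "unknown",
         "Server password", "Call me for it."),
]


def dedupe_key(msg):
    """Hash the fields that stay identical when one message is collected from several mailboxes."""
    parts = [msg.get(h, "").strip().lower() for h in ("From", "To", "Cc", "Date", "Subject")]
    parts.append(msg.get_payload().strip())
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def participants(msg):
    """Lower-cased addresses from the From, To and Cc headers."""
    fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def cull(raw_messages, custodians, start, end, keywords):
    """Return (funnel counts, keyword hits, undated messages held for manual review)."""
    custodians = {c.lower() for c in custodians}
    keywords = [k.lower() for k in keywords]
    funnel = {"collected": len(raw_messages)}

    seen, unique = set(), []
    for raw in raw_messages:
        msg = message_from_string(raw)
        key = dedupe_key(msg)
        if key not in seen:
            seen.add(key)
            unique.append(msg)
    funnel["after_dedupe"] = len(unique)

    by_custodian = [m for m in unique if participants(m) & custodians]
    funnel["after_custodian"] = len(by_custodian)

    in_range, undated = [], []
    for m in by_custodian:
        try:
            sent = parsedate_to_datetime(m["Date"])
        except (TypeError, ValueError):
            undated.append(m)  # never drop silently: an unparseable date needs a human
            continue
        if sent.tzinfo is None:
            sent = sent.replace(tzinfo=timezone.utc)
        if start <= sent <= end:
            in_range.append(m)
    funnel["after_date"] = len(in_range)
    funnel["undated_for_manual_review"] = len(undated)

    def text(m):
        return f"{m['Subject'] or ''}\n{m.get_payload()}".lower()

    hits = [m for m in in_range if any(k in text(m) for k in keywords)]
    funnel["after_keyword"] = len(hits)
    return funnel, hits, undated


def run_sample():
    """Cull the constructed sample for one custodian, a three-month window and two keywords."""
    start = datetime(2016, 9, 1, tzinfo=timezone.utc)
    end = datetime(2016, 11, 30, 23, 59, 59, tzinfo=timezone.utc)
    return cull(SAMPLE, {"alice@example.com"}, start, end, ["server", "backup"])


if __name__ == "__main__":
    funnel, hits, undated = run_sample()
    print(funnel)
    print([m["Subject"] for m in hits])
```
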

What Can We Take Away from How This Played Out?

From an information governance and eDiscovery perspective, Clinton’s use of a personal server to send State Department messages, some of which were at some point deemed classified, was clearly a mistake. One must keep in mind that the records/emails policies of the State Department were fluid from 2000 through 2014, when they were strengthened. We’ve seen this same tightening of records retention policies in the private sector over the past decade, with the amending of the Federal Rules of Civil Procedure and court decisions. Clearly she didn’t err on the side of caution, which is always the best policy. Our advice would have been to keep the email sets entirely separate – separate email accounts, separate physical server, separate service provider, separate location. Notice the emphasis on separate. There is a lesson here for all of us: keep professional and personal emails separate. At the very least, in the event of an inquiry, this practice prevents the work of having to sort out which emails are professional and which ones are personal.

BYOD and Hillary

If there was one trend that emerged in 2016 for which Clinton’s personal/State Department emails were a metaphor, and a serious topic that will remain a concern for information governance past 2016, it’s the critical importance of BYOD (Bring-Your-Own-Device) policies. These policies are designed to address issues related to an organization’s data being stored on devices that are owned by employees or associates, rather than being owned by the organization. Even though an individual may have two different email addresses, they may still have one device in a BYOD-friendly environment. So a client using their own personal device for professional and personal communication can, at the very least, complicate discovery.

For example, say a client sends you, their attorney, a question via text and a privileged conversation ensues. The following week, opposing counsel issues a discovery request for the client’s phone because they believe there are relevant, non-privileged communications relating to the legal matter at hand. Now you must take the extra step (and the client must incur the extra cost) of reviewing the information on the phone, since you know there are protected text messages and possibly emails, before other information is turned over.

eDiscovery Implications

The key, which was missing from Clinton’s handling of her emails, is to have in place, and follow, good records retention and BYOD policies outlining how communications should be preserved and managed. Ideally, IT (Information Technology) and the legal department should collaborate on policies for the security of corporate data (and devices that data could be transferred to or accessed from). Specifically, policies that contain the following elements can make a big difference:

  • Restrictions on usage of devices on unsecure networks, which can be common attack venues for hackers
  • Encryption of sensitive corporate data to prevent access by those other than the end-user and/or select IT staff
  • Regular audits of the system to ensure security measures are in place and effective
  • The capability to remotely wipe a lost or stolen device

Additionally, from a legal standpoint there are certain guidelines that can prevent lawsuits arising from an employee’s loss of data. Some of those measures can be captured in an agreement signed between the employer and each employee with elements such as:

  • Acknowledgement by the employee that personal data on BYOD devices is subject to potential exposure during discovery proceedings
  • Acknowledgement that the data on the device may be wiped if the device is lost or stolen
  • An indemnity clause, stating that while the employer will make efforts to protect employee’s personal data on devices, the employee acknowledges that data placed on the device is at risk of deletion
  • Acknowledgement that the employer has the right to audit device(s) upon request


Hillary Clinton’s email server has brought into the public eye the complications of having personal and professional communications in the same location (and may have cost her the election!). Unfortunately, this issue is not limited to presidential candidates; it can have major impacts on individuals everywhere involved in discovery for legal matters.

Dr. Andy Cobb, PhD, CCE

Andy Cobb is a Partner with One Source Discovery, a full-service eDiscovery firm, and is the creator of the patent-pending BlackBox remote forensic collection software tool. He has served as a consultant on eDiscovery matters, provided expert testimony on various computer forensics matters and published numerous technology journal articles.