Documenting Authenticity of Evidence for the E-Discovery Process
On TV, it is common for an attorney to "spring" surprise evidence on a witness in the courtroom. In real life, that is not the way it works. Discovery, in the legal world, refers to established procedures by which the parties in a lawsuit or criminal proceeding are required to provide one another with information about the case prior to trial. Part of this process includes the demand that the opposing party produce documents or other potential evidence for inspection, to ensure that both sides will have adequate time and resources to prepare and respond when such evidence is introduced in court. It does not make for as dramatic a show, but it does facilitate a smoother and fairer legal process.
The discovery process also requires that you provide the other side with evidence that may be unfavorable to your case. Parties might keep this information to themselves if they were not required by law to disclose it.
Today most businesses and many individuals keep most of their important documents, photos and other items that often become evidentiary in electronic format, stored on computers. This is known as electronically stored information, or ESI. Electronic discovery (E-discovery) has thus become an important part of the civil and criminal court processes. If your company is involved in pending litigation or a criminal action, chances are you will be required to submit potential digital evidence to the opposing attorneys. The inability to produce the material can hinder the legal process, damage your own chance of prevailing in the case, or even subject you to fines or other punishment by the Court. That's why it is essential to be prepared with a plan by which you can not only find the evidentiary material that is asked for, but also prove its authenticity.
The problem with ESI
ESI has been defined by courts to include email messages (including backups and deleted messages), instant messages (IM) and chat logs, web site information whether in textual, graphic or audio format, log files, voicemail messages and logs, data files (documents, spreadsheets, database files, etc.), program files, cache files, cookies and just about any electronically recorded information.
Gathering, managing, preserving and presenting electronic evidence presents some unique problems in comparison with more traditional types of evidence. The biggest issues are the ease with which an electronic document can be tampered with or even fabricated completely and the inability to pinpoint an "original" vs. a "copy" as you can usually do with a paper document or the negative of a photograph.
To be admissible in court, evidence must be relevant, material and authentic. Because of the intangible nature of ESI, proving its authenticity becomes an issue. Unless special precautions have been taken, anyone who has handled it could have made changes to it, such as adding or deleting content, changing file attributes such as the timestamp, or modifying the metadata that records information such as who authored the file. In court cases such as AmEx v. Vinhnee, Bouriez v. Carnegie Mellon University, and Lorraine v. Markel, documents, email or other electronic data were not allowed to be admitted into evidence because they could not be adequately authenticated, even without clear-cut proof that the items were not authentic. The point is that digital evidence does not enjoy the same presumption of authenticity as more tangible evidence such as paper documents.
Laws governing admissibility of digital evidence
All courts operate under rules regarding the admissibility of evidence, but those rules differ depending on jurisdiction. Jurisdictional divisions can be geographic (laws differ from state to state or country to country) or dependent on the court's area of responsibility (criminal, civil or administrative/regulatory). For instance, in the U.S., federal rules of evidence apply to cases filed in the federal court system, but cases tried in state, county or municipal court may follow different rules. However, many of the guidelines are based on the following federal rules:
- Federal Rules of Evidence (FRE), which include 67 individual rules divided into 11 articles. Articles IX and X address authentication and identification of evidence and specific rules regarding writings, recordings and photos.
- Federal Rules of Civil Procedure (FRCP), which apply to federal civil actions and address procedural issues. Chapter V contains rules that specifically address electronic evidence in the discovery process.
Both the FRE and FRCP must be approved by Congress. Many U.S. District Courts have enacted their own local rules, as well.
Consequences of failure to comply
What happens if your company is a party to litigation and refuses to or is unable to produce the material demanded in the discovery process? The consequences can be very expensive, indeed, and you do not have to intentionally engage in misconduct to suffer those consequences. Sloppy document management and retention practices are enough to get you in trouble. If you are unable to produce requested evidence, the Court may allow jurors to presume that the lost evidence would have supported the other side's claims.
In the Coleman v. Morgan Stanley case in 2005, a jury issued a $1.5 billion judgment against Morgan Stanley, largely because of its inability to produce the electronic evidence that was requested by the opposition's attorneys. This was overturned on appeal, but the company still ended up having to pay $15 million in fines. (Morgan Stanley to Pay $15 Million Fine to Settle E-Discovery Charges)
In a wrongful termination case, Zubulake v. UBS Warburg, a $29 million verdict was returned against UBS because the company had destroyed email messages that were demanded as evidence in the case. Other cases in Minnesota, New Jersey, California, New York and Florida have resulted in sanctions based on failures to produce relevant email messages and other electronic evidence. (E-Discovery Sanctions: A Continuing Trend)
Even if you are not subjected to a judgment or fines, not having electronic data easily accessible can be costly. In general, the party required to produce the data must also bear the costs of retrieving and producing the material (there can be exceptions in the case of "inaccessible" data, such as recovery of fragmented or damaged data).
What can you do to comply?
The time to prepare for the E-discovery process is before you find yourself involved in a legal case. At the very least, you must take steps to retain any relevant files as soon as there is any indication that a lawsuit could occur; do not wait for it to be officially filed. Here are some steps you should take to ensure that if (or perhaps more accurately in this litigious age, when) that happens, you can minimize the damage:
- Create an e-discovery response team that includes persons from management, IT, the legal department, internal auditors and possibly outside consultants with expertise in the e-discovery process.
- Appoint an employee to be responsible for collection of electronic evidence.
- Prepare a written policy for retaining records.
- Document all the actions that are taken to preserve and collect evidentiary material.
- Create forms and/or use software to track hold orders and document steps taken in response.
- Review and simplify your backup, retention and data disposal policies to ensure that they comply with local laws and regulations. Centralization of these processes can help ensure compliance across the board.
What you need to be able to prove
Producing the evidence is not enough. To establish its authenticity, you may need to be able to prove:
- Who created the file
- When it was created
- Where it was stored
- Who had access to it
- Who viewed, copied, edited, forwarded or otherwise interacted with the file over its lifetime
- When, why and by whom any part of it (including metadata) was modified or deleted
Issues to consider
There are a number of issues to consider in establishing your retention and storage procedures and policies.
- Consider the purpose and type of data. Some types of data, such as a signed contract, may be given more weight than other, less formal types of data, such as an IM message. However, this depends on the context and the issue that is in question.
- Consider how data is organized in storage, to make it easier to find.
- Consider the use of good enterprise search tools to help you quickly locate the data you need, wherever it's stored on the network.
- Consider the format in which data is stored. This can affect the ability to prove authenticity because some types of files are more easily modified than others. It also determines whether conversion will be necessary when producing the data for the Court. Electronic information may be requested in PDF or XML format, as a hard copy, or in its original format (such as DOC or XLS).
- Consider the security measures implemented to protect the data when stored or transferred across the network and thus preserve its authenticity.
Security measures to establish authenticity
The more you can show that the data was properly secured, the easier it is to convince the Court of its authenticity. Data that has been accessible to many different persons could more easily have been modified. Some security measures you should implement beforehand to help secure and preserve the authenticity of potential evidence include:
- Have in place firewalls, anti-virus, anti-malware and intrusion detection/prevention software to prevent data from being changed or deleted by attackers or malicious software.
- Use network security mechanisms such as Network Access Protection (NAP) to enforce health policies on computers that connect remotely to your network.
- Be able to show that you use the most secure client and server operating systems (for example, Windows Vista rather than an older version of Windows), that you have policies in place ensuring that built-in security features are enabled, and that operating systems and applications have all the latest security patches applied.
- Use the most secure file system (e.g., NTFS vs. FAT32) for all disks on which data is stored.
- Use access control measures such as file level permissions, ACLs, etc. to limit who can access the data.
- Enable file access auditing so you can show who has accessed the data and when.
- Implement data encryption to protect the potential evidence both when stored on disk and when transferred across the network (EFS, IPsec, third party encryption).
- Deploy a public key infrastructure (PKI) and digital certificates based on the most secure cryptographic algorithms (e.g., Cryptography Next Generation or CNG Suite B algorithms).
- Use rights management such as Windows RMS/IRM to prevent important email messages and documents from being changed or forwarded to unauthorized persons.
- Digitally sign important documents and email messages to authenticate the identity of the creator or sender and ensure that no changes were made.
- Use S/MIME, PGP or other content security mechanisms to protect the confidentiality of email messages.
- Utilize and document the security features available for your email server (e.g., Exchange 2007's ethical firewalls, default TLS encryption for server-to-server traffic, etc.).
- Log and archive IM traffic (e.g., using Office Communications Server) and encrypt sensitive IM communications.
- Deploy an identity management solution to validate the identities of those who create or have access to data within the organization.
- Deploy a robust and reliable backup solution (e.g., Microsoft Data Protection Manager) to help prove authenticity of primary data by comparing it with the backup data.
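The backup comparison in the last item can be made concrete with cryptographic hashes. The following added example (not from the original article or the whitepaper it cites) builds a SHA-256 manifest of a primary tree and of a backup tree and classifies every file; the directory names, file contents and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path relative to root -> SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_manifests(primary, backup):
    """Classify every path by how the primary copy relates to the backup."""
    report = {"match": [], "modified": [],
              "missing_from_primary": [], "not_in_backup": []}
    for path in sorted(set(primary) | set(backup)):
        if path not in primary:
            report["missing_from_primary"].append(path)
        elif path not in backup:
            report["not_in_backup"].append(path)
        elif primary[path] == backup[path]:
            report["match"].append(path)
        else:
            report["modified"].append(path)
    return report

def demo():
    """Constructed sample data: a primary share and a backup taken earlier."""
    with tempfile.TemporaryDirectory() as tmp:
        primary, backup = Path(tmp, "primary"), Path(tmp, "backup")
        for d in (primary, backup):
            (d / "contracts").mkdir(parents=True)
            (d / "contracts" / "msa.txt").write_text("Term: 24 months\n")
            (d / "mail.eml").write_text("Subject: renewal\n")
        (backup / "notes.txt").write_text("call log\n")         # deleted from primary later
        (primary / "mail.eml").write_text("Subject: renewal!\n")  # edited after the backup
        (primary / "new.txt").write_text("created after backup\n")
        return compare_manifests(build_manifest(primary), build_manifest(backup))

if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

A mismatch shows only that the two copies differ, not which one changed or who changed it; that is what the file access auditing and access control items above are for. Store the manifest itself where the people who can edit the data cannot edit it.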
Digital data is increasingly playing an important role in legal proceedings of all kinds, and organizations must be prepared for demands that they produce such data for court as part of the E-discovery process. By taking steps beforehand, you will be ready to find the data that is requested and you'll be able to show the Court that the data you provide is authentic. For much more detailed information, specifically on how to use various Microsoft products to establish the authenticity of digital evidence, see the U.S. National Security Team whitepaper Establishing the Foundation of Authenticity for Electronically Stored Information: Strategies using Microsoft Technologies, authored by Debra Littlejohn Shinder and Mike Wolfe.