Legal Technology Journal

A robust litigation technology strategy is vital for disputes in today’s hi-tech environment. Legal systems are built on clarity, certainty and consistency, so it is little wonder that lawyers crave those qualities in the management of engagements. Equally, it is little wonder that electronic documents pose difficulties for many (if not most) lawyers. Centuries of legal advice has been based on paper evidence. When faced with a new instruction, lawyers instinctively know where to look to find the evidence.

If it is a dispute about the termination of an employment contract, the lawyer knows to look at the personnel files, the files held by the individuals involved in the decision to terminate, maybe even the directors’ files if the decision went up to that level. Dealing with paper is clear and certain. The lawyer needs little help and feels in control of the process. But what does the lawyer do about the electronic material? Where is it? Does the lawyer know about the typical architecture of a business’s electronic storage systems? Does the lawyer know where to look?

This is really the beginning of the problem. That lack of familiarity can create discomfort, fear and mistrust. For many people, information technology seems like a black art best left to IT experts. But for the law firm, this raises further questions. When should those technology tasks be performed by the law firm’s in-house technology team? What is the appropriate level of technology support that a client might reasonably expect to be provided by such a team? What level of investment in infrastructure and personnel is required to implement and support that system? When should tasks be outsourced to the client? When should they be outsourced to an external service provider?

In this article, I will not seek to answer all of these questions. On the issue of the scale of technology use, this diagram below was produced in conjunction with a law firm and a client to summarise our perceptions of the use of technology in different sizes of engagement, based on our experience.

(Scale of technology use)

As a former litigator myself, I know that lawyers like to be in control of their engagements. The fear with electronic evidence is that it introduces an element which is beyond their control. This is a misplaced fear. The management of electronic evidence is simply another process. In comparison to the centuries of experience in dealing with paper, the experience of managing electronic business records is embryonic. Corporations are still riding the learning curve of effective management of those records, and it is understandable if lawyers are riding in procession behind their clients. Ultimately, they can and will master that process. My aim in this article is to help lawyers to better understand the typical sources of electronic evidence and set out a typical methodology for the management of electronic evidence review exercises. I hope, thereby, to demystify the process.

What is so special about electronic documents?

Electronic evidence is very important for a number of reasons.

First, there is a lot of it. Statistics vary, but it is estimated that up to 90% of business documents are created electronically and up to 70% are never converted to paper. The business community is moving towards a paperless world. In future disputes and other engagements, the evidence will be principally electronic.

Electronic evidence is extremely durable. It is surprisingly difficult to erase data permanently and it is possible for IT experts to retrieve ‘deleted’ items.

The move to the electronic age has created new types of objective documentary evidence. Computers routinely store ‘invisible’ information without the knowledge of the user. For instance, a computer may store information as to when and where a particular letter was created, modified or read and by whom. Such information (or ‘metadata’) has obviously useful applications in cases where the authenticity of documents is an issue (the conviction of Harold Shipman was assisted by metadata indicating that he had backdated prescriptions). Computers also routinely store earlier versions of documents without the user’s knowledge. E-mails drafted in the heat of the moment but not sent may be retrievable.

Electronic evidence can be dynamite. Smoking-gun evidence is now more likely than ever to be uncovered, probably sitting in somebody’s e-mail account, and there is a high-profile string of people caught out by careless use of e-mail.

Obligations to review and disclose electronic documents

Businesses and their lawyers may have a number of reasons for reviewing electronic documents: there may be an internal review for investigative or regulatory compliance reasons; there may be a dispute; there may be an external investigation; there may be a joint venture, merger or other corporate transaction in the offing. For those same reasons, it may be necessary ultimately to disclose relevant electronic documents to an opponent, a regulator, an investigator or a prospective business partner. The legal principles that regulate that collection and review of evidence will vary depending on the purpose of the review. Some useful legal principles have emerged in the practice direction under CPR Part 31, which governs the disclosure of relevant documents in a dispute, and it is possible that these principles will be used as aids to interpretation of other provisions requiring the disclosure of electronic documents.

In particular:

• the definition of a ‘document’ extends to electronic documents, including e-mail, word processed documents, databases, ‘deleted’ documents, metadata and documents stored on servers or back-up systems;
• a person is only required to make a reasonable search for electronic documents;
• it may be reasonable to use keyword or other searches to identify relevant material; and
• a crucial factor is likely to be the ease and expense of retrieval of any particular document.

An electronic evidence management methodology

Typically, there are six phases in an electronic evidence management exercise.

1. Plan

Failing to plan is planning to fail. Never is this adage more true than in relation to the management of an electronic evidence review. We live in an age where the average laptop computer has the capacity to store information that, when printed out, could fill several thousand lever-arch files. Consider the number of machines in the average business then multiply that many fold to take into account the data that resides on the higher-capacity storage media typically maintained by a business, eg servers and back-up tapes. It is thus very easy to feel overwhelmed by the amount of potential data to review. The objective in any review is to navigate that maze of information and to focus quickly and cost-effectively on the most relevant material. Speak with the client’s IT director and external service providers as necessary. At this stage, it is useful to form an early view on:

The available electronic documents

Is information stored centrally on servers and/or locally on PCs, laptops, mobile devices or on back-ups? Which users are likely to be relevant? What is the back-up policy?

The location of such media

In particular, is any data held outside the UK? Great care will need to be taken to ensure that local data privacy laws are observed as these rules impact on the ability to collect, process and transfer data. Particular care needs to be taken with proposed transfers between EU jurisdictions and the United States. Even within the EU, rules in member states vary. Countries such as France, Spain, Germany and Italy have particularly strong protection. In these countries, it may be necessary to obtain the consent of individuals or the relevant works council before collecting data, and it may be necessary to process the data on site at the business’s premises.

Any document retention policies that apply to electronic media

Take steps to suspend destruction policies and preserve electronic documents.

Whether metadata and/or deleted data are likely to be relevant

Do you suspect that certain individuals may wish to alter electronic records? If so, you may need to engage computer forensic experts to retrieve deleted data or to gather data of key personnel in a forensically sound manner so as to preserve its integrity.

The volume and likely value of any relevant material to be obtained from any particular source of electronic evidence

In many cases, it may be sufficient simply to concentrate on the readily accessible data (possibly limited just to the e-mail data).

How you would like to review the electronic documents, record the work product of that review and (if necessary) deliver those documents to any third party?

Often, it will be sensible to download the documents onto a database. There are a number of options. The client may be able to deal with the electronic material in-house or it may need assistance from its lawyers or specialist external service providers. Which option the client chooses will often depend on the volume of material to be processed, whether metadata is an issue, whether information is contained on an obsolete system, whether information is deleted or corrupt, the cost of retrieval, the type of data to be retrieved, the location of the data, the skills set of the individuals who will be responsible for retrieving the data and the number of people who will need to have access to the subsequent disclosure database.

2. Gather

The next step is typically to gather and preserve the electronic data from identified data sources. This involves:

Identifying where the relevant material may be held

It may be disproportionate to gather data from the entire business when the case relates to a particular function. In practice, this means identifying the ‘custodians’ of the data (individuals likely to have created or received relevant electronic documents). In essence, this is exactly what lawyers have done for centuries in relation to paper such that it has become instinctive.

Considering the range of systems on which the data is stored

It may seem that there is a confusing myriad of sources of electronic media. In fact, there are usually six types of electronic media that need to be considered in any review:

• Hard drives (for instance in laptop and desktop PCs).
• Network servers. There are two types of network data in particular that ought to be considered:
  (1) E-mail repositories (for instance on Microsoft exchange servers).
  (2) Network shared areas – for instance, when a law firm works on a case, typically it will create a file on a dedicated drive into which all people working on that matter will deposit the relevant documents – working papers, pleadings, correspondence etc. Clients often adopt the same approach in relation to their projects.
• Back-up tapes.
• Portable media (for instance, thumb drives, external hard drives, PDAs, Blackberrys, mobile telephones, CDs, DVDs etc).
• Databases (for instance, sales databases, stock databases, client relationship management databases). Essentially, these are often living documents that are live on a client’s systems and in constant use, so it may be necessary to take a ‘snapshot’ of such databases at any point in time.
• Web-based mail systems (for example, Hotmail, Yahoo, Gmail, AOL etc). The original data for such systems will likely be in the control of the relevant service provider rather than your client. However, the fact that such systems have been accessed from the client’s machines may leave a detectable trace on those machines that can be retrieved.

Gathering the evidence

A common practice for gathering the electronic evidence is to take ‘images’. These are forensically perfect copies, capturing every binary code 0 and 1 from the original media. The advantage of such images is that they are exact replicas of the original media so, for instance, this may facilitate the recovery of apparently deleted data. An alternative is to extract copies of parts of the media. It is likely that, in most cases, a combination of these approaches would be appropriate, and it is important to form a strategy for balancing these to manage the time, cost and quality of the exercise. For instance, in many cases, it may be more convenient to take images of hard drives on PCs and laptop computers. However, it may be too costly and cumbersome to take images of servers. It may be more sensible in many cases to simply extract copies (for instance, by copying mailboxes on network servers of specified individuals).

3. Process

Once collected, the data will undoubtedly contain a lot of operating system and other irrelevant material. A number of processes may be applied to reduce the data further to hone in on the relevant material. Throughout these processes, the integrity of the evidential trail ought be maintained so that the source of any given document can always be established if required to be provided in evidence in court at a later stage. The processing may include:

Focusing on file types by looking for file extensions

For example, searching for typical file extensions of interest such as .doc, .ppt, .xls, .pst etc.

Relevance filters

It may be desirable to filter the material based upon relevant time periods or by searching for keywords or phrases that are relevant to the case.

De-duplication and near de-duplication

The practice of sending e-mails to multiple recipients and the nature of back-ups is such that there will be significant duplication of records. Electronic documents may be compared according to a number of characteristics in order to remove exact duplicates. With certain sophisticated technology, it is possible to remove near duplicates (for instance where there are lots of e-mails in a chain, certain applications make it feasible to retain for review only the last and most complete e-mail in the chain, rather than multiple copies of e-mails containing all or part of the chain).

Decryption

The material may contain documents that are password protected. It may be possible to obtain passwords from custodians. Alternatively, processes may be applied to decrypt such documents, though this can be a lengthy and costly process.

4. Publish

The evidence is usually then prepared for loading to an appropriate document management system. This will sometimes involve the creation of electronic images of the documents (in the standard TIFF format) and the extraction of associated metadata. There are a number of options for hosting and viewing the documents:

Hosting

The data may be hosted on either an internal or an external server (or other storage device). Where the review team is restricted to a single organisation, an appropriate solution may be to host the data on an internal server (or other storage device) at the lawyer’s or client’s offices. However, where access is required from a number of locations, the use of an internet-delivered application managed and hosted by an external service provider is often favoured.

Viewing

There are a number of software applications available to enable the efficient review of the electronic documents. Most will allow simple word-searching to identify key documents. A number offer other key review features enabling annotation, redaction or categorisation of the data or advanced word-searching such as proximity searches (eg to identify documents where ‘offshore’ is found in the same paragraph as ‘bank account’).

5. Review

With the documents loaded on to an appropriate document management system, the next step is for the review by the lawyers and others to identify material relevant for their purposes. Most web-enabled services allow real-time classification of documents as they pass through the review process and may be structured so as to assist the management of that process.

In many cases, other tools may be required to focus on relevant material quickly. Given, in particular, the English focus on proportionality as a guiding principle, I anticipate an increasing reliance on evidence visualisation applications such as Attenex Patterns (see box) and Autonomy/Aungate products. Essentially, these work by automatically searching the content of the documents for the nouns or concepts used. By a combination of understanding the language used and/or statistical connections, the application detects nouns or concepts which are connected. It then represents the entire data set visually in a diagrammatic form, connecting clusters of documents on similar issues. Thus the data speaks for itself, enabling efficient review by issue. As the reviewer gains leads in an enquiry, it is possible to re-cluster the documents around, and focus on, identified issues of specific interest. These applications are therefore flexible enough to meet the developing demands of a review. They can also be used to show social network maps to identify, in diagrammatic form, which individuals have been corresponding with each other and on what issues.

(Attenex Patterns - Attenex Patterns enables document reviewers to dynamically combine views of a document collection for more rapid understanding.)

Such applications can be particularly effective at quickly identifying hot spots of activity that might otherwise take a long time to expose by conventional investigative methods. For instance, in one case, use of the Attenex application exposed a large number of documents using baseball terminology such as ‘reaching first base’ and ‘hitting a home run’. In fact, these were code words used by wrongdoers to indicate the fact and extent of the payment of secret commissions. Concept maps are therefore a useful tool to expose the secret argot employed by wrongdoers.

6. Disclose

The final step in the process is the disclosure of the appropriate documents to relevant parties (opponents, regulators etc). Often, it may be appropriate for documents to be disclosed in an electronic format so that they can be delivered in a convenient form to enable them to be loaded on to a third party’s systems. Where the material is hosted on an internet-enabled system, an alternative is to allow such third parties to access the relevant material live on the document management system. The security of many of these systems is such that access can be restricted only to those documents that have been disclosed. In my experience, this approach is more likely to be adopted with the provision of a virtual data room or deal room in the context of a corporate transaction than it is in disclosure in a dispute or investigation.

Conclusion

Whether we like it or not, the world is moving inexorably towards an electronic age. Technology creates many problems along the journey, but it also creates the solutions. Lawyers are developing their understanding of electronic systems and familiarising themselves with those technological solutions. Ultimately, the pace of that learning process will be driven by client needs. Many lawyers already perceive that knowledge of where electronic evidence resides and how to get access to it quickly and effectively gives them a competitive edge, particularly in disputes. Ultimately, it is that desire for a competitive edge that will continue to drive lawyers to embrace technology. Further proof, if it were needed, that for lawyers, it is the winning, not the taking part, that counts. 

Sanjay Bhandari is the UK head of e-disclosure for KPMG and is a member of its forensic technology services group.