A. Early Case Assessment

Transcription

1 Electrnic Discvery Reference Mdel Standards fr the identificatin f electrnically stred infrmatin in discvery A. Early Case Assessment Once a triggering event ccurs, begin by assessing the case. This infrmatin serves as a fundatin fr develping verall case strategies as well as early data assessment. Belw is a checklist f items t cnsider during early case assessment. Type f triggering event Facts f case Case value Outside cunsel Case strategy Date range Key wrds Key departments/custdians including frmer emplyees Case merit, risk analysis Legal hld requirements B. Early Data Assessment Early data assessment shuld prvide cunsel with the infrmatin necessary t understand the types f relevant data and where it is lcated. Additinally it shuld cver any plicies related t the retentin r destructin f relevant data s apprpriate steps can be taken t preserve relevant data and avid spliatin. There are 3 key areas f fcus t cnsider. They include recrds management persnnel, ptential custdians and infrmatin management persnnel. Belw are basic guidelines fr cnducting an investigatin f each. 1. Recrds Management Interviews This summary assumes the recrds manager understands the case backgrund, the legal hld and their rle in this litigatin. Tpic Sample Questins Cmmentary Rles and respnsibilities f the recrds manager 1. What is this rle within the rganizatin? 2. Is this psitin invlved with electrnic discvery? 3. Hw des this rle interact with the Legal & IT? 4. Des this psitin have any dcumentatin re: t the rles and respnsibilities as recrds manager? Indicates the level f invlvement recrds manager may have in the identificatin f ptentially relevant data surces. Als helps srt ut wh knws what with respect t the lcatin f infrmatin. Recrds management 1. Des the cmpany have a recrds management prgram/plicy? If s, when did prgram r Indicates if recrds management plan(s) r

2 Tpic Sample Questins Cmmentary prgram/plicy plicy riginate? Are there different versins? 2. What types f infrmatin des the recrds management prgram/plicy cver? Are there types f infrmatin r areas in the cmpany that are nt cvered? 3. Is the recrds management prgram/plicy enfrced? If s, is all f it enfrced r just certain parts? 4. Is the recrds management prgram/plicy in writing? If s, hw lng has it been in writing? 5. Is there a litigatin readiness plan? If s, when did plan riginate? 6. Have changes been made t any aspect f the recrds management prgram/plicy during the relevant time frame? 7. Are any audits cnducted f the recrds management prgram/plicy? If s hw frequently? By wh? What happens with results? 8. Des the recrds management prgram/plicy cver what happens when an emplyee leaves the cmpany? If s what is the plicy? 9. If emplyee leaving the cmpany is a custdian in an active case/matter hw is their data handled? When an emplyee is nt a custdian in any case/matter hw is their data handled? 10. Hw is the emplyee s emplyment status identified? Is there an integratin with HR system/prcess t crrectly identify the emplyee terminatin date? 11. What are the retentin plicies fr back-ups? 12. D yu have any dcumentatin related t the recrds management prgram/plicy? plicy(s) exist that may impact electrnic discvery and whether they are enfrced. May identify types f infrmatin relevant t the litigatin. Identifies if cmpany has a litigatin readiness plan in place. Addresses changes and audits f recrds management prgram/plicy. Helps identify what plicies are needed r are in place if a custdian leaves the cmpany. Retentin schedule 1. Des a retentin schedule exist? If s, since when? 2. What types f infrmatin des the retentin schedule cver? Are there types f infrmatin r areas in the cmpany that are nt cvered? 3. Is the retentin schedule enfrced? If s, since when? 4. Is the retentin schedule in writing? If s, since when? 5. D yu have in-place retentin r a cllect-andpreserve mdel? 6. D yu use any sftware r systems fr retentin purpses (i.e. archives, etc.)? 7. Is there a plan t suspend dispsitin fr a legal hld? Are there any bstacles t ding s? If s, what are they? These questins identify what retentin/destructin plicies are and have been in place during the relevant time perid. The legal team may need t suspend r identify a wrk arund fr sme f these plicies t prevent the destructin f ptentially relevant data. The histry f these schedules prvides insight int what infrmatin may r may nt exist at the time f the triggering event. Audit f retentin schedules may be used t demnstrate hw well the plan is enfrced.

3 Tpic Sample Questins Cmmentary 8. Have changes been made t any aspect f the retentin schedule during the relevant time perid? 9. Are any audits cnducted n recrds retentin? If s hw frequently? By wh? What happens with results? 10. D yu have any dcumentatin related t the recrds retentin schedule? Pssible lcatins f relevant data 1. Are there paper dcuments r bjects in emplyee s ffices that may be relevant? 2. Are ptentially relevant paper dcuments r bjects stred centrally? (libraries, file cabinets, warehuses, etc.) 3. Hw is electrnic infrmatin stred? 4. Wh is the persn mst familiar with the fllwing cmputer systems and electrnically stred infrmatin? (Please prvide cntact inf. if knwn)(if recrds manager is mst knwledgeable ask questins under IT interview) servers Vice mail File servers r DMS Archives Back-ups Prtable devices Intranet, extranet, scial netwrking Databases Legacy systems Netwrk shares, hme drives Desktps, laptps SharePint, matter management, etc. Applicatins, structured data 5. D yu have any pertinent dcumentatin related t the lcatin f data? (data maps, diagrams, lists, etc.) These questins help t determine what relevant infrmatin exists and where it is lcated frm the recrd manager s perspective. They als can help determine if files are indexed r searchable in any way. If the recrds manager is the mst knwledgeable regarding the strage f any electrnically stred infrmatin the IT interview questins shuld be asked. Gathering any dcumentatin relating t the lcatin f data will be helpful in assessing all data surces. Access t relevant data Paper 1. Are there indices? Are they accurate? Are they searchable? 2. Is ptentially relevant paper scheduled fr destructin? Electrnic These questins help t determine hw accessible the data is, any ptential issues with preservatin and whether r nt any relevant data is currently scheduled fr destructin. 1. Is the ptentially relevant data text searchable?

4 Tpic Sample Questins Cmmentary 2. Using what tls? 3. Wh is the mst knwledgeable abut search capabilities and limitatins? 4. Is any ptentially relevant data difficult t preserve, find and/r retrieve? Hw s? 5. What departments are likely t have relevant data? 6. Is ptentially relevant electrnic infrmatin scheduled fr destructin? 7. D yu have any pertinent dcumentatin regarding accessibility f relevant data? 2. Custdial Interviews This summary assumes the custdian understands the case backgrund, the legal hld and their rle in this investigatin. Early data assessment may invlve interviews f the ptential custdians r fr sme custdians surveys may be used. Tpic Sample Questins Cmmentary General emplyee infrmatin 1. What is yur name? (cnsider gathering username, address, emplyee ID, etc.) 2. What is yur current psitin? What department d yu wrk in? Fr hw lng have yu wrked in department X? 3. Did yu have any previus psitins? If s, what was yur title, what departments and what dates were yu emplyed while yu held that psitin? 4. Have yu ever had a secretary r administrative assistant? If s, when and what were their names? 5. Wh were yur managers in each psitin yu held? 6. Wh frmerly held yur psitin? This general infrmatin prvides insight int what the individual s rle has been at the cmpany and identifies thers that might have ptentially relevant infrmatin. General cmputer infrmatin 1. D yu have any data r dcuments that may be relevant t this litigatin? 2. Is yur wrk cmputer a laptp r desktp? 3. Des yur secretary/assistant stre yur dcuments n his/her cmputer? 4. Have yu been issued a new cmputer recently? If yes, when? Were all files transferred t yur new cmputer? D yu knw what happened t the ld cmputer? 5. Are yu suppsed t receive a new cmputer in the next several mnths? This infrmatin is used t determine general infrmatin abut the custdian s cmputer usage. Data is mre likely t be stred lcally n a laptp althugh it culd als be stred n a desktp cmputer. The custdian s dcument culd be stred n ther cmpany cmputers. Files may r may nt be transferred t new cmputers and ld cmputers may nt be destryed.

5 Tpic Sample Questins Cmmentary Relevant data 1. What type f files r sftware d yu have r use that may cntain relevant data? (e.g. , wrd prcessing, spreadsheets, databases, text messages, vice mail messages, websites, etc.) 2. D yu knw where these files are stred? (e.g. netwrk server, lcal pc, external media, mbile device, intranet/extranet/sharepint r ther web-based system, databases, hme cmputer, etc.) 3. If yu d nt knw where it is stred, wh wuld knw? 4. D yu knw f thers that may have relevant data? These questins are used t determine what type f files the user has and where they are lcated. It is imprtant t fllw-up with IT t determine additinal lcatins where files may be stred that the custdian is nt aware f. Legal hld 1. D yu understand what the legal hld requires? 2. D yu knw wh t cntact with questins regarding the legal hld? 3. Des the cmpany have infrastructure sftware t manage legal hlds? 4. D yu fresee any issues in preserving the relevant infrmatin yu have identified? If s, have yu cntacted the IT department fr their input? These questins cnfirm acknwledgment f legal hld and may be imprtant if the adequacy f the legal hld cmes int questin. 3. IT Interviews This summary assumes the IT staff understands the case backgrund, the legal hld and their rle in this investigatin. Depending n the size f the crpratin and the rles f IT yu may have t interview multiple individuals within the IT department. Belw are the basic tpics and questins t cnsider fr an IT Interview. There are numerus questins that culd be asked in fllw-up during an IT interview. Tpic Sample Questins Cmmentary servers 1. Is managed in-huse r in the clud? (if in the clud see Clud Cmputing sectin belw) 2. What type f system is used? 3. What versin is installed? 4. Hw many servers glbally? 5. Where are the servers lcated? 6. D yu have different dmains fr ? 7. Are retentin and archiving plicies the same amng all These questins are used t determine what type f system is utilized as well as specific details abut the system. It is imprtant t gather and dcument as much infrmatin as pssible abut the system t enable identificatin and cllectin f ptentially relevant data. D nt frget t find ut what happens t terminated emplyees .

6 Tpic Sample Questins Cmmentary dmains? 8. Are s able t be stred lcally n individual s cmputers (PSTs, NSFs)? Is this encuraged? 9. D yu retain deleted messages n the server? 10. What are yur Dumpster settings? 11. Is there an aut-delete system? If s, can it be turned ff fr preservatin purpses? If nt, what is the wrk arund? 12. Is there a limit impsed n individual mailbxes? If s, what is that limit and what happens when it is reached? 13. What sftware is used t back up servers? 14. Are backups brick level r individual mailbxes? 15. D yu use an archive? If s, please describe. 16. What type f back-up system d yu use? Tape r digital? Lcal r remte? 17. If tape, what tapes d yu use? By lcatin? 18. Hw ften are backups perfrmed? 19. What is yur rtatin schedule? 20. What is yur retentin plicy? 21. Hw are yur tapes catalged and inventried? 22. Are tapes sets clearly identified? 23. What d yu d with an accunt when emplyment is terminated? File servers 1. D all users have hme directries n the netwrk? 2. Is this their default strage directry? 3. D yu have grup directries and/r public shares? 4. Are there specific shares that may cntain relevant data fr this case? 5. Is there a standard naming These questins are used t determine whether r nt emplyees have the ability t stre electrnic data n the cmpany netwrk and details n their strage practices. It is imprtant t gather and dcument as much infrmatin as pssible abut the file servers t enable identificatin and cllectin f ptentially relevant data. D nt frget t differentiate between custdial and nn-custdial data surces.

7 Tpic Sample Questins Cmmentary cnventin fr the hme drives fr users? 6. Is there a universal drive letter assigned? 7. What are names f file server? 8. Hw many file servers d yu have glbally? 9. Hw many lcatins d yu have fr file servers? 10. What type f files can users stre n file servers? Any prprietary? ? What are the lcatins? 11. What type f back-up system d yu use? Tape r digital? 12. What sftware is used t back up file servers? 13. If tapes, what type f tapes d yu use? By lcatin? 14. Hw ften are backups perfrmed? 15. What is yur rtatin schedule? 16. What is yur retentin plicy? 17. Hw are tapes catalged and inventried? 18. Are tape sets clearly identified? 19. Is there replicatin in place? 20. Where are the replicatin servers/strage lcated? 21. Hw ften des replicatin ccur? 22. What d yu d with a user s hme drive when emplyment is terminated? 23. What d yu d with a user s files in public lcatins when emplyment is terminated? Laptps/desktps 1. What is yur plicy n users saving files n their assigned PCs? 2. D yu have an encryptin plicy (full disk and/r individual file)? 3. Can users install applicatins n their assigned PCs? 4. By default, are s stred in lcal PSTs/NSFs n emplyee cmputers? Is it different n These questins are used t determine whether r nt emplyees have the ability t stre electrnic data n their cmpany cmputer and details n their strage practices. It is imprtant t gather and dcument as much infrmatin as pssible abut the laptps/desktps t enable identificatin and cllectin f ptentially relevant data.

8 Tpic Sample Questins Cmmentary laptps vs. desktps? 5. Is aut archive enabled by default? 6. Are cmputers assigned t individual users, r are they shared? 7. What is yur naming cnventin fr usernames? 8. What is yur plicy fr terminated emplyee? 9. In the case f re-imaging a PC/laptp fr a different user, what happens t the existing data? 10. If a PC/laptp is being reimaged fr the same user, hw is the data preserved and transferred back? Des the methd preserve metadata fr the files? Transactinal data 1. D yu have any transactinal data servers/systems that may be relevant in this case? 2. What types f user have access t these systems? 3. Hw many servers are there glbally? What are the lcatins f the servers? 4. D yu purge data frm these systems? If s, why and can it be stpped? 5. What type f back-up system is used? Tape r Digital? 6. What sftware is used t back up transactinal servers? 7. What type f tapes d yu use, by lcatin? 8. Hw ften are backups perfrmed? 9. What is yur rtatin schedule? 10. What is yur retentin plicy? 11. Hw are tapes catalged and inventried? 12. Are tape sets clearly identified? 13. Is there a replicatin in place? These questins are used t identify structured data systems. It is imprtant t gather and dcument as much infrmatin as pssible abut the transactinal systems t enable identificatin and cllectin f ptentially relevant data. D nt frget t differentiate between custdial and nn-custdial data surces.

9 Tpic Sample Questins Cmmentary Off-site media backup/strage 1. What is the name f the ff-site strage vendr? 2. What is the address and telephne f the facility? 3. Wh is the cntact? 4. What type f data d they stre? 5. Des the vendr have relevant data that is nt accessible frm yur current systems? 6. Is there any type f written agreement with the vendr regarding strage requirements and retentin? If s please prvide a cpy. 7. Is there a current inventry f the material in strage? These questins help t determine hw accessible the data is, any ptential issues with preservatin and whether r nt any relevant data is currently scheduled fr destructin. It is imprtant t gather and dcument as much infrmatin as pssible abut the backup media. Web-based applicatins & clud cmputing 1. What type f web-based systems d yu use that may have relevant data? SharePint? Intranet? Extranets? Scial media? Cllabratin sites? Sftware as a service? Management systems r databases? 2. Are these maintained by yu behind yur firewall? 3. Are they searchable? 4. Is there ptentially relevant data that cannt be searched r cllected? 5. Is the system lcked dwn r can users create sites withut yur knwledge? 6. If systems are nt maintained by yu behind yur firewall, where is this infrmatin stred? 7. Des yur vendr have their wn servers r d they purchase space frm server farms? 8. Des the vendr back-up this infrmatin? If s, fr hw lng? 9. Des the vendr purge any f this infrmatin? 10. D yu have any written agreements with these vendrs? If s, please prvide a cpy. 11. Has this vendr been placed n a legal hld?

10 Tpic Sample Questins Cmmentary 12. What kind f Internet security is in place? 13. Are public blg sites allwed (Facebk, Twitter, etc.) Prtable devices 1. What are the general types f PDAs/cell phnes that emplyees use? Blackberries? iphnes? Drids? 2. Are they issued by r wned by the cmpany? 3. Is synched t yur server? 4. Are text messages captured by yur server? 5. Is vic stred n yur server? 6. What type f data may be stred n the device that is nt n the server? 7. Is the security plicy n smart phnes the same as internet settings n the cmputers? 8. If nt, culd users access any kind f site frm the smart phne? These questins help t determine what relevant infrmatin exists and where it is lcated. D nt frget text messages. Instant messaging Vice mail 1. Des the cmpany use IM? If s, what type? 2. Are sessins lgged? If s, any prprietary strage slutins? 1. Is vice mail stred n yur systems? What is the retentin? 2. D yu have unified messaging? 3. Are there any plicies in place regarding vice mail strage? Please prvide a cpy. 4. Are there any plicies in place regarding unified messaging? Please prvide a cpy. These questins help t determine what relevant infrmatin exists and where it is lcated.