Good practice guide to Electronic Discovery in Ireland

Transcription

1 Good practice guide to Electronic Discovery in Ireland Version April 2013

2 First published in 2013 by the ediscovery Group of Ireland. The ediscovery Group of Ireland owns the copyright and other intellectual property rights in the content of the Guide. You are permitted to print and download any part of the Guide for your own use and/or for other third parties use, free of charge, provided that: the content of the Guide is not modified in any way; our copyright notice is retained on all copies; you acknowledge the ediscovery Group of Ireland, and it appears on as the source of the Guide; and you inform said third parties that the terms of this copyright notice and the disclaimer contained in the Guide apply to them and that they must comply with it. All rights are otherwise reserved. For the avoidance of doubt you are not permitted to incorporate the Guide or any part of it in any other work or publication, whether in hard copy, electronic, or any other form, without the prior written permission of the ediscovery Group of Ireland, except as permitted by law. Applications for written permission should be sent by to Full acknowledgement of the authors and source must be given. We reserve the right to modify the terms of this copyright notice at any time. Disclaimer The opinions expressed in this publication, unless otherwise attributed, represent the consensus views of the members of the ediscovery Group of Ireland. The views expressed are not otherwise attributable to any of the individual members of the group or any undertaking associated or connected to any of them whether as employer, client, or otherwise. The information in this guide is intended to provide a general outline of the subjects covered and the information may become obsolete in whole or in part at any time without notice. It should not be used in place of professional advice. The authors accept no responsibility for damage or loss arising from any action taken or not taken by anyone using this guide. 1

3 Document revisions Version Date v April 2013 About the ediscovery Group of Ireland Established as an ad-hoc working group of technology and legal professionals, who deal on a day-to-day basis with the practical aspects of ediscovery, and have significant experience based on handling ediscovery in numerous matters, in Ireland and internationally. The ediscovery Group of Ireland is dedicated to addressing ediscovery issues and the development of ediscovery within the jurisdiction of Ireland. The subject continues to demand attention from all those involved in matters which necessitate ediscovery. The ediscovery Group of Ireland collectively seeks to share their experience in order to address the apparent void which currently exists in how best to engage with the ediscovery process. It is therefore the understanding of the ediscovery Group of Ireland that users of this Guide may wish to refer to it in whole or in part for the purpose of developing their own procedures in addressing the requirements of ediscovery. The users of this Guide should note that the views expressed in the Guide represent the consensus views of the Group only. The ediscovery Group of Ireland is comprised of the joint authors of the Guide as listed in the table immediately below, otherwise referred to as the Group in the Guide. They have acted in their individual capacity and do not represent their respective organisations. Members of the ediscovery Group of Ireland Member Organisation Contact Simon Collins Ernst & Young [email protected] Andrew Harbison Grant Thornton [email protected] Dr. Vivienne Mee Rits [email protected] Rithika Moore-Vaderaa Barrister at Law [email protected] Colm Murphy Espion [email protected] Owen O Connor Cernam [email protected] Dermot Moore Acknowledgements Information Governance Professional [email protected] We would like to thank The Honorable Mr. Justice Frank Clarke who has provided valuable assistance in producing this guide. 2

4 Table of contents Table of contents... 3 Foreword... 4 Introduction... 6 Phase One Preparing for ediscovery - Information management Phase Two - Identification Phase Three - Preservation Phase Four - Collection Phase Five - Processing Phase Six - Review Phase Seven - Analysis Phase Eight - Production Phase Nine - Presentation Appendix A The Sedona Canada Principles Appendix B ediscovery checklist Appendix C Data custodian questionnaire Appendix D IT questionnaire Appendix E Sample Custodian-ESI inventory Appendix F Information sharing Appendix G - Glossary of terms Appendix H Suggested further reading

5 Foreword It can, I think, be said that Ireland has been late in addressing ediscovery. Many countries have addressed, in one way or another, the growing problems associated with complying with disclosure obligations (whether in civil litigation or to regulators) in an electronic world. The volume of materials that are retained and which might, at least theoretically or one view, have some bearing on issues arising in litigation or in the legitimate enquiries of regulators is at the heart of the problem. While the problems are not confined to electronic materials or countries in the common law world they are at their most acute where significant obligations of disclosure arise involving materials likely to have been retained in a relatively haphazard manner ( s perhaps being the best example) across a large organisation where no one person is likely to have anything remotely resembling complete knowledge of what has been retained and how it can be retrieved. It is a far cry from the days when almost all retained documents could be found in hard copy files readily identifiable. Different countries have begun to explore different solutions to the problem. In at least some jurisdictions significant changes in the Rules of Court and other procedural laws have been adopted in an attempt to control the disclosure process and to prevent the very real risk that the costs associated with complying with disclosure obligations (which can in many cases reach 40% to 50% of the total costs of litigation) do not become a barrier on access to justice. In Canada the Sedona Principles have been developed to provide best practice guidance in the field of discovery and disclosure. Those principles are, in my view, essential reading for anyone who has any interest in ensuring that discovery remains an important tool for establishing the truth while at the same time ensuring that the cost and complexity of discovery does not, of itself, become a barrier to the truth being established. With the kind permission of its authors the Sedona Canada Principles are reproduced in this guide and can be seen in Appendix A below. Ireland certainly has not been at the forefront of developments in relation to ediscovery although it has been said that Ireland now has an opportunity to learn from the experimental experience of others and to consider adopting a more focused approach to rule change relying on the experience from other jurisdictions. However, in one respect I think it is fair to say that Ireland may be about emerge at the forefront of developments in the field of ediscovery. This guide represents that development. Many of the leading service providers in the field of providing electronic tools and assistance in relation to discovery have come together to produce this Good Practice Guide. I believe that this Irish innovation is something of a first. It will provide invaluable assistance to anyone, whether lawyer or IT professional, who becomes involved in the discovery process. It is not intended to provide a set of rigid rules from which there can be no deviation. Rather it represents the distilled wisdom of those involved on the technological side of ediscovery as to how, from that perspective, an electronically aided discovery process should be conducted. It may well be that real progress in Ireland in the area of ediscovery will require changes both to procedural law together with the development of good technological practices. This guide seeks to address the second part of that equation. I am particularly happy that the method adopted is the publication of a good practice guide. 4

6 There can be little doubt but that any recommendations in this field will need to be reviewed from time to time (and perhaps quite quickly). This is an area where the technology moves at quite a pace. But even apart from that important factor it is inevitable that the practical application of a first edition of a good practice guide such as this will lead to a learning curve whereby refinements and improvements will become obvious to all. It is sometimes said that the best is the enemy of the good; that in attempting to produce the perfect solution extreme delay can be encountered in implementing many measures where a good, though less than perfect, solution could easily have been introduced at a much earlier stage and to the significant benefit of all. I have always believed that, at least in most areas, putting in place a good solution, seeing how it works, and being prepared to revisit it to see what improvements can be made, after some actual experience of its operation had been obtained, was likely, in an overall sense, to lead to the best result. In my view this Good Practice Guide should be seen as a good solution which can, doubtless, be made better as those who use it assess its strengths and, possibly, weaknesses. A good practice guide has the merit of being flexible. It would be impossible, without going through significant formalities to change substantive procedural law whether in the form of statute or rules of court. However, a good practice guide can be changed as soon as any material improvements can be identified. It can also be changed early and often. The industry professionals who have come together to produce this guide are to be highly commended for their cooperation (despite the fact that they are, in many senses, competitors) in helping to move the question of the technological implementation of ediscovery forward in Ireland in a most innovative way. They have been involved in a project which places Ireland at the front of developments in establishing appropriate standards for ediscovery at the technological end. It is to be hoped that the development of this guide will not end here and that it will be reviewed and updated as experience dictates. This is an excellent first step on that road. I can, perhaps, end by expressing the wish that the other side of the equation, rule change and review of procedural law generally, may also take place in Ireland in a manner which brings us to the forefront of developments in the ediscovery area. Frank Clarke The Supreme Court April

7 Introduction (a) Background to this guide Electronically Stored Information 1, or ESI, is now an integral part of both our business and personal lives. Consequently, it now forms an increasingly important source of evidence in modern disputes or matters. It is common practice by legal practitioners to use the discovery process, whereby the parties to a matter disclose to each other an affidavit of all documents in their possession, custody, or power, relating to issues in a matter. Electronic discovery, or ediscovery, is the term coined for addressing the electronic element of traditional discovery. The process typically involves identifying, preserving, and collecting, ESI which may be relevant to a matter. This ESI is then processed using a technology tool and, as ever, reviewed for relevance by legal and/or subject matter experts. Relevant documents are then produced to the opposing party, alongside any relevant hard copy documents. While this Guide has been written with the requirements of civil matters in mind, the practices outlined throughout can be applied to any process which requires ESI to be reviewed in support of a matter. These can include regulatory requests, freedom of information requests, and internal investigations, amongst many others. It is recognised that the cost of discovery can be high, which may inhibit access to justice and generate undue cost. It is therefore necessary to adopt a reasonable approach to discovery which is proportionate and cost-effective given the matter at hand. The treatment of ediscovery, in the context of procedural steps in discovery applications, is currently governed by S.I , Rules of the Superior Court (Discovery) These rules provided that any order for discovery of documents could include electronically stored information, and set out new provisions and procedures in relation to same. There are currently no similar amendments to the Circuit Court Rules or District Court Rules. Objectives of the Guide The purpose of this Guide, as prepared by the authors in their collective experience, is to present a practical and reasonable approach to assist those who must meet the challenges of discovery of ESI within this jurisdiction. This Guide is for individuals and/or organisations with responsibility for carrying out the processes and procedures necessary to produce ESI as part of discovery or other matters. 6

8 The objectives of this Guide are: I. To promote a common approach, understanding, and language, when addressing and delivering an ediscovery project. II. To encourage practical and cost-effective discovery by those tasked with managing ESI through the process. III. To promote awareness and communication of best practices between those responsible for delivering ediscovery projects, (e.g. legal practitioners, services providers, independent experts, courts, and any other parties engaged in the process). IV. To encourage a competent and reasonable approach in matters involving ediscovery. V. To promote an environment within which parties can agree reasonable searches or, are encouraged to challenge unreasonable search requests, whilst in addition, being encouraged to pursue reasonable lines of enquiry. VI. To promote co-operative and agreed discovery plans which narrow the scope of discovery to that ESI most likely to be relevant to the issues. VII. To promote the proactive use of technology, in reducing costs and risks, while increasing efficiencies throughout the discovery process. VIII. To achieve early consideration of disclosure and discovery of documents in electronic form in those matters in which early consideration is necessary and appropriate for the avoidance of unnecessary cost and delay. IX. To limit the risk of failing to comply with an ediscovery obligation. X. To limit the risk of inadvertently disclosing irrelevant, potentially privileged, confidential, or sensitive, ESI. Limitations of this Guide This Guide has been written within the context of the Republic of Ireland, and limited to court rules and practices in this jurisdiction. While this guide addresses many concepts which are necessarily legal in nature, it does not contain any legal advice. It should be observed that this Guide is limited to the approach taken to delivering a successful ediscovery project. Each party using this Guide should consider that they may be required to tailor their approach, in order to observe or comply with various legislation or regulatory requirements (e.g., Data Protection (Amendment) Act 2003, and Freedom of Information Act 1997). This is particularly so when the discovery process involves cross-border aspects, such as ESI and parties in other jurisdictions. While the information and recommendations in this Guide stand independently, they are partially drawn from, and are largely consistent with, the Electronic Discovery Reference Model ( 7

9 (b) Group approach As referred to above, this Guide has been developed by a number of local ediscovery practitioners. This group deals on a day-to-day basis with the practical aspects of ediscovery and has significant experience based on handling ediscovery in numerous matters. The principles adopted while developing this Guide were: I. All matters are different; however the authors believe that this Guide should be considered as a starting point in all matters involving ESI. II. The processes and procedures outlined in this Guide can be applied to all parties and matters, regardless of size. III. Nothing in this Guide should require the use of any particular technology, or require specialist ediscovery service providers to be engaged. IV. The steps outlined in the Guide are linked to the legal processes which they support. V. Consideration has been given to ESI security, confidentiality, and data protection. (c) Additional considerations ESI should be considered at the earliest possible stage in a matter. It can be extremely fragile and is easily lost or modified, even through apparently inconsequential processes, such as opening a document. It is not necessary to undertake the full ediscovery process from the outset; however completing the identification, preservation, and possibly the collection phases in the early days after becoming aware of a matter would be considered good practice and can lead to significant cost savings in the longer term. This Guide recommends that parties to a matter, within reason from the outset, be pro-active, cooperate, and engage with each other to seek to reach agreement on the scope and approach to the ediscovery process. More so than with traditional paper-based discovery, there are a number of technical processes in ediscovery which can be costly to repeat at a later date in the event that another party disputes the scope and approach taken in relation to ESI. Appendix F contains a list of information which the authors believe should be shared between parties. This Guide encourages those responsible for delivering ediscovery projects to work closely with legal practitioners and be aware of the legal principles relating to this area. It is recognised that technology is ever changing, and that new and innovative ways to address the challenges posed by ESI are frequently developed. Any process and/or technology which provides greater cost reduction, and/or introduces efficiencies to the ediscovery process should be embraced. Caution should however be applied to new technologies which have not yet been widely accepted. In the event that a technology or process which has not been widely accepted is proposed for use, then agreement with the other parties to the matter should be sought. 8

10 (d) Outline of the guide phases The substance of this guide is set out in a phased approach, in that each phase typically follows the previous. It is however, usual that an overall ediscovery project will be iterative in nature, with some phases being repeated as the matter evolves. In addition, not all projects will use all phases and all phases may not be carried out by the same team. Currently, the Rules of the Superior Courts expressly provide for such an iterative approach. Having described the general approach to the Guide, we turn to provide a brief outline of each phase within. Each phase contains the following sub-headings; objective, background, and good practice steps. Phase Name Objective One Preparing for ediscovery Information management The objective of information management in the context of ediscovery is to understand and retain an organisation s ESI in a manner which, whilst addressing the normal business objectives, also facilitates the ediscovery process. Two Identification To identify the possible sources 2 of ESI which may, by its contents or as a material object, be tendered as evidence relevant to the facts in issue, and if agreed, the categories of discovery. Three Preservation To preserve the ESI sources identified. Four Collection To make a copy of the ESI sources, while preserving the integrity of the ESI. Five Processing In the processing phase, ESI which has previously been collected is prepared for searching, review, or other analysis, while preserving the integrity of the ESI. Six Review The review phase is primarily concerned with performing a review of the documents resulting from the filtering process undertaken in the processing phase in order to determine if they are responsive. Seven Analysis To take a deeper look at a document, for example to determine its provenance. This phase is not always necessary. Eight Production To produce the ESI which have been determined as responsive from the review phase. These are produced to the requesting party. Nine Presentation To present the ESI at a formal hearing. 9

11 There are a number of technical terms used throughout this Guide. The first time a term is used it is annotated by a superscript number. It is recommended that readers refer to the Glossary of Terms in Appendix G as they consider the main sections of this Guide. That Glossary provides essential explanations to many of the common technical terms used throughout an ediscovery project. Appendix B to this Guide contains an ediscovery checklist which can be used as an aide memoire by those responsible for delivering ediscovery projects. The next section gives a brief overview of Information management. Whilst not directly repeated for each matter, guidance on this phase is provided here as a high level summary for those who may be responsible for delivering ediscovery projects as an initial reference to the concepts and principles of Information management practices. Parties who may find themselves involved in litigation or the subject of investigation may wish to research this topic in greater detail. This section is followed by sections for each of the phases which comprise a typical ediscovery project. 10

12 Phase One Preparing for ediscovery - Information management (a) Objective The objective of information management in the context of ediscovery is to understand and retain an organisation s ESI in a manner which, whilst addressing the normal business objectives, also facilitates the ediscovery process. (b) Background Managing ESI increasingly impacts us all in our business and personal lives. The volume, size, complexity, and range of ESI can often be overwhelming. It is often not a priority until the true value and cost of locating ESI becomes apparent as part of a matter. Often organisations: I. Focus their ESI retention efforts on retention for purely business operational purposes rather than considering the wider context. II. Have minimal consideration of their compliance obligations in respect of electronic records. III. Have a limited understanding of the evidential value of good business records. IV. Do not have a good understanding of the cost and risk to the organisation of poor information management practices. Good practice in the management of ESI is often overlooked due to the ease with which vast volumes of such ESI can be stored, and the perceived ease with which ESI can be searched and accessed. Traditionally, organisations retained close control over their ESI. Exchange of ESI with external parties was restricted to the conversion of ESI to a physical or paper format. These days ESI is exchanged and shared across the globe instantaneously, increasingly using publicly available services. The boundaries of the organisational premises no longer constrain the access to and the processing of ESI in business activities. Likewise, the boundaries in the use of ESI between our business and personal lives are evaporating quickly. ESI which represents the evidence of our business activities and acts as our corporate memory requires effective management through well-defined and executed information governance and management processes. Organisations that manage their ESI in a manner which facilitates its efficient retrieval in the event of a matter will find themselves at a distinct advantage when involved in the prosecution or defence of a legal matter, or when responding to regulatory requests. The costs associated with litigation and particularly with ediscovery can be significantly reduced through effective management of the information assets of an organisation. 11

13 Information governance and management is a vast area and beyond the scope of this Guide. However, this section has been included to provide an insight into how effective information management can facilitate the ediscovery process. First, it is important to understand that, although there are many types of ESI (for instance a simple document such as this Guide, an trail, a sophisticated accounting system, or more complex types such as voice, video, and instant messaging), ultimately all those types fall into just one of two categories: I. Structured ESI is data which is identifiable because it is organised within a formal structure using pre-defined fields, rows or tables. Common examples are HR or accounting database systems. The primary feature of structured ESI is that it can easily be searched, and the results retrieved, by use of the system itself. Consider this to be akin to books on a library shelf. II. Unstructured ESI is all the other types of ESI that are not contained within a formal structure (folders or directories are not considered a sufficient structure for these purposes). Common examples are , word processing documents, or spreadsheets. The primary feature of this category of ESI is that it is not easy to search or retrieve as it has not been defined by or within a formal structure. Consider this to be akin to loose paper in a box. Note: Some examples of different types of ESI can be seen in the identification questionnaires at Appendices B and C below. There are several major reasons why organisations face significant challenges when it comes to identifying and retrieving ESI in response to a discovery or regulatory request: I. It is often and unnecessarily stored beyond its required lifespan. II. There is often little knowledge within the organisation as to where potentially relevant ESI can be found. III. The volume and complexity is overwhelming even for Information Technology (IT) professionals. IV. Turnover of staff and organisational changes (e.g., mergers, acquisitions, and divestitures) which result in retention of ESI but the loss of organisational knowledge and context. V. The IT environment and systems may be poorly documented. These factors lead to unavoidable, expensive, and disruptive trawls through vast quantities of ESI in order to locate that which may be relevant to the matter in hand. This can introduce delays and increase the cost of the discovery process, in addition to increasing the risk of relevant ESI being overlooked. 12

14 (c) Good practice steps There are a number of steps an organisation may consider in managing ESI on a day-to-day basis. Whilst these form part of best practice in information management, they additionally prepare the organisation for more efficient response to ediscovery requirements. These include, but are not limited to: 1. Create a culture in the organisation which values the information on computer systems as a valuable corporate asset. Consideration should be given to making information management a recurring board topic, or in larger organisations, the appointment of an individual board member with responsibility for information management may be appropriate. 2. Maintain an information classification 3 and retention 4 policy that is based on compliance obligations and legal risk as well as business operational requirements. Ensure that this is implemented and consistently followed. 3. Dispose of information older than is required by the retention policy. In doing this, however, care should be taken to ensure the preservation of information where there is a reasonable anticipation of it being relevant to current or upcoming legal proceedings. 4. Consider developing an ESI map 5 for your organisation that defines the what, where, who, and how, for information, including information held with third parties or outside the direct control of the organisation. 5. Maintain a storage policy which is aligned to your classification and retention policy and provides timely access to the most valuable information. 6. Educate staff regularly on the importance of information to the organisation and to their obligations. Highlight the benefits to them personally of better managed information. 7. Consider implementing IT systems which provide specific mechanisms to support the management of information e.g., document and records management, electronic archiving systems, de-duplication and storage management systems. 8. Regularly test your ability to access older information on systems in place to ensure they operate as expected. 9. Integrate information management considerations in planning for significant corporate changes, for example layoffs/reductions-in-force, divestitures, site closures and mergers/acquisitions. In each case, consideration should be given to the ESI associated with staff or business units being acquired or disposed of, and the retention of any ESI required for business or compliance purposes. 10. Integrate information management considerations into the system lifecycle for complex IT systems, for example document management systems and other enterprise applications. The introduction of new systems may require updates to ESI maps or the development of 13

15 new processes for ediscovery, while the disposition of systems may require extraction or conversion of ESI so that it remains accessible if required. In respect of each of these steps, organisations should consult with legal and compliance advisors about appropriate steps and the interaction of good information management with other compliance mandates. In the view of the authors and based on their collective experience, organisations that manage ESI throughout its lifecycle in a proactive manner find that the burden of responding to a discovery request which includes ESI is significantly reduced. 14

16 Phase Two - Identification (a) Objective To identify the possible sources of ESI which may, by its contents or as a material object, be tendered as evidence relevant to the facts in issue, and if agreed, the categories of discovery. (b) Background Taking diligent steps to identify potentially discoverable ESI and determining if it is in a searchable form 6 is an essential part of the ediscovery process. Gathering information on the existence and location of potentially discoverable ESI is therefore a prerequisite to analysing whether ESI should be preserved, collected, and reviewed, since a party clearly cannot comply with its obligations if it does not know where its own documents are stored. Identification typically takes into consideration the facts of the matter, preservation demands, disclosure requirements, and discovery demands, including categories of ESI requested. Typically identification will involve firstly determining what ESI exists and secondly identifying its location or the means of accessing it. ESI can be held in a vast array of different electronic storage media 7, which, in turn, can be in a myriad of physical locations, often in different jurisdictions or even with third parties. The end user of the computer, or the data custodian 8, will usually know how to access his or her active ESI 9 (e.g., I read my using Outlook on my laptop or I save my reports to the F drive ), however they are typically unaware of exactly where their ESI (and any copies of it) is actually stored, for example, specific folders on particular servers. (c) Good practice steps 1. Draft an ediscovery plan, taking into account all of the phases set out in this Guide. Continually review and update the plan as the ediscovery project progresses. Note: it is prudent to engage with the other party in the matter to discuss and agree the scope and approach to ediscovery. Such a meeting should discuss how ESI will be managed throughout each of the phases of this Guide. This meeting should be used to narrow the scope of the ediscovery exercise to those categories of documents which are likely to be relevant to the matter, before embarking on the ediscovery project. The list of information at Appendix F is what the authors recommend to be shared at a minimum. 15

17 2. Understand the obligation to preserve and the background to the matter. It is recommended that this should include the likely date range and file types of relevance, and the types of ESI which may contain relevant material. 3. Request a prioritised list of data custodians from the legal team responsible for the ediscovery project. This list will likely grow as the case develops, and should take account of assistants, staff turnover (predecessors and successors of key personnel) and name changes. Individuals on the data custodian list, as well as other key stakeholders such as the responsible managers, should be informed of what is about to happen and why. 4. Assign responsibility for maintaining the data custodian list so that it is clear who will be responsible for updates. For example, a member of the ediscovery team might take responsibility for updating the list based on decisions and other input communicated through a member of the legal team. 5. Arrange for appropriate enquiries with the data custodians using a standard set of questions designed (1) to elicit an understanding of where they think their ESI is stored and (2) an awareness of which of those stores is likely to contain the potentially relevant ESI. A sample data custodian questionnaire can be seen in Appendix C. 6. Compare the results of the enquiries with relevant IT managers and convert what the data custodians believe regarding their ESI into the actual details of the underlying systems. For example, to translate my F drive to a specific directory on a particular server. Include important technical questions designed to understand the organisation s particular practices around back-up policies, document deletion policies, use of portable media, hardware/software updates, treatment of damaged or upgraded equipment, access to /shared drives, system lifecycle (application decommissioning), etc. A sample IT questionnaire can be seen in Appendix D. 7. In collaboration with legal personnel, key business and IT contacts, consider which noncustodian ESI sources may be relevant to the matter. For example, a document management system or customer relationship management (CRM) application may not be associated with a specific employee but could contain relevant records. File servers will typically contain a large number of non-custodian ESI sources, outside of individual home directories. For example, shared folders related to teams or departments, projects, locations, etc. Other non-custodian ESI sources may include legacy 10 systems and cloudbased or externally-hosted applications. This type of source will often not be identified through the data custodian enquiries and instead may require analysis of past business practices and information flows, for example to determine where a particular business group stored customer correspondence at a certain point in the past. The sample IT questionnaire in Appendix D can be used to assist in this process. 8. Draft a list (see Appendix E for an example) of the ESI sources to which each of the data custodians has access. This can be referred to as the Custodian-ESI inventory. This should also include non-custodian ESI sources. 16

18 9. Using the results of the enquiries, and in conjunction with the legal team, determine which of the ESI sources is likely to contain potentially relevant ESI, taking into account the date range of relevance to the matter, and the date ranges when different ESI sources were in use. In addition, it is also important to consider whether the ESI source is readily accessible 9 or not readily accessible 11. Note: Consideration should be given to the impact of over-preservation and the mechanics of long-term preservation holds. In some cases, it may be appropriate to identify specific ESI which is likely to be relevant to the matter, rather than identifying the source as a whole and filtering it after collection. For example, rather than identifying, preserving, and collecting the full of a data custodian, time may be taken at the outset to identify the specific sub-set of within the larger ESI set which may be relevant. 10. Decide which ESI sources will need to be preserved and then which of those will need to be collected. This should take into account the cost/effort involved, along with the likelihood of obtaining relevant ESI. The underlying requirement being to fulfill what is considered to be a reasonable search given the matter at hand. It may be sensible to prioritise ESI sources in order of likely relevance, volume, ease of collection, etc. Note: In considering the costs of preservation, collection and subsequent phases, it may be prudent to adopt a staged approach to the ediscovery. For example, ESI for a number of key data custodians may be brought through the process first, and then depending on the number of relevant documents identified, a decision can be made as to whether additional data custodians need to be included in the process. Furthermore, a sampling 12 approach may be taken in determining which ESI sources are likely to contain relevant ESI. 11. Formulate data protection 13 and privacy 14 strategies. 12. Draft preservation and collection plans and consider developing a cost estimate if one is needed. 17

19 Phase Three - Preservation (a) Objective To render safe from modification, fabrication, or deletion, identified sources of ESI which may contain relevant material, irrespective of whether material from those sources is subsequently collected. (b) Background Preservation is necessary where potentially discoverable ESI may be lost or altered in the normal course of business before a party has the opportunity to collect it. Examples of where a party may not have an opportunity to collect ESI are where the relevance of the source is itself in dispute or where, in the interest of proportionality, collection from less accessible sources may be postponed until more accessible sources have been considered. The act of collecting a copy of ESI, as described in Phase Four below, is in itself a form of preservation. It is for this reason that the preservation and collection phases are often carried out together, or that timely collection addresses the need for preservation. The key differentiator of the preservation phase is that it involves taking steps to preserve ESI where it normally resides, in advance of collecting it. The likelihood of modifying or deleting ESI is much greater than it is for hard copy documents: I. ESI can be easily deleted 15, either intentionally or as part of an automated process, and either with or without the data custodian s knowledge. Once deleted it requires additional technical effort to retrieve it, which (in many cases) may not be possible. II. ESI can be easily altered, again either intentionally or automatically. If it is likely that an understanding of the precise content of an item of ESI at a particular moment in time is required then it is important to preserve it as soon as possible to ensure that it is not altered. III. Metadata 16 associated with each item of ESI can also be easily changed. As discussed in Phase Four below, having intact metadata can provide significant efficiencies when filtering for relevancy. It is also an essential piece of information when the provenance and journey of an item of ESI needs to be determined. It is for these reasons that it is prudent to preserve sources of potentially discoverable ESI as early as possible. The average computer user will not be familiar with many of these issues and can easily alter data unintentionally. It is recommended that preservation (and collection) be carried out by IT and/or ediscovery professionals who are aware of these challenges and competent to deal with them. 18

20 (c) Good practice steps 1. Issue a hold/preservation notice 17 to all appropriate parts of the organisation, including data custodians (if known at that stage) and IT administrators. Explain the reasons and set out less obvious examples (such as stopping the recycling of back-up media). Consider requiring explicit acknowledgement from all data custodians or certain key custodians. Repeat as necessary over time, for example with refresh memos issued regularly. Implement arrangements to ensure that ESI continues to be preserved from loss or destruction even when custodians leave the organisation. 2. If a party is seeking to preserve ESI held by another party, it may be appropriate to notify them. Note: Both this step and step 1 above may be completed as part of Phase Two, if the necessary information is available at an early stage. 3. Take the list of ESI sources identified for preservation in Phase Two and identify which are at risk of loss or destruction. Determine whether technical measures can be taken to preserve the ESI in place. Examples of technical measures include: I. Prevent the deletion of s from a data custodian s mailbox. II. Prevent the alteration or deletion of files from a server computer. III. Increase mailbox size limits to prevent overwriting of older items. IV. Ensure items due to be purged by automatic processes are preserved. 4. Test technical measures (if any) used to preserve ESI. 5. Implement measures in line with the preservation plan and update the Custodian-ESI inventory with the status of preservations. 6. Monitor the controls at regular intervals in advance of the collection of each ESI source. 7. Continually consider, with the organisation and its advisors, which ESI sources or data custodians can be released from the preservation notice (which can be an onerous burden, especially over time). 19

21 Phase Four - Collection (a) Objective To take a copy of the agreed ESI sources so that their content can be processed and made available for review. One of the additional objectives of collecting ESI, in many cases, is to secure a forensically sound copy of certain ESI as it was stored on a particular date and time. This may be necessary if the admissibility or validity of the ESI is later questioned. (b) Background The collection phase is, in certain ways, akin to making a photocopy of a document. Continuing that analogy, there are a number of practical considerations, such as: will the photocopying take place on site, or will the originals be taken away, copied and then returned? Acquiring a copy of a source of ESI is quite similar in concept, with some advantages. It is often quite simple to make a copy of ESI in a short timeframe, and multiple copies can be made at the same time. (c) Good practice steps 1. Where appropriate, with the organisation, individual, and their legal advisors, consider, resolve, and ensure procedures are in place to address data protection/privacy/security issues which might be of concern to those whose ESI is being collected (which will probably not be limited to the data custodians). 2. Work with the appropriate advisors to determine the type of collection. For example; whole vs. targeted collection 18, forensic vs. non-forensic collection Work with the IT organisation to agree on the most appropriate method and time of collection for each ESI source. For example: collection after hours vs. during the working day, and ESI collection from live servers vs. extraction from recent back-ups. 4. With the organisation and their legal advisors, review the costs and benefits of the selected approach in order to determine what is appropriate and reasonable for the matter. 5. Once the type and method of collection has been decided for each source of ESI, plan the collection schedule, including as much input as necessary from individual data custodians and the organisation s IT function. 6. Commence collection according to that schedule. 20

22 7. Verify the completeness 20 and accuracy 21 of the ESI collected as soon as possible after each collection has been completed. 8. If deemed appropriate, initiate and maintain a chain of custody 22 for each copy of ESI. 9. Update the Custodian-ESI inventory with the collection status. 21

23 Phase Five - Processing (a) Objective In the processing phase, ESI which has previously been collected is prepared for searching, review, or other analysis, while preserving the integrity of the ESI. (b) Background In order to efficiently search and review ESI, it is necessary to prepare, or process, the ESI. The extent and nature of processing required in any given project will depend on the nature of the ESI collected, the technology being used, and the expected review process. This typically consists of three high-level steps: I. ESI which is known to be irrelevant to the matter is firstly removed or suppressed. II. The remaining ESI is then prepared in a way which facilitates its further filtering and review. This includes the expansion of containers, categorising ESI types, text extraction and indexing, and often conversion to a format which facilitates the review method chosen. III. Finally, further filters are applied, such as deduplication, date range, and keywords, in order to highlight for review that ESI which is likely to be relevant to the matter. Processing is a complex process typically performed using specialist software tools. As such it is likely that some or all of these logical steps may occur transparently, including during other phases. Certain steps may also not be relevant in all scenarios, e.g., the generation of load files may not be necessary where the processing and review phases are closely linked. (c) Good practice steps 1. Transfer a copy of all ESI to be processed to a processing system or provider, maintaining an original, or reference copy, in secure storage. 2. Identify and isolate all ESI which is known to be irrelevant, and select for further processing only that ESI which is user-generated and likely to be relevant. For example system files and documents which fall outside of a particular date range may be excluded at this stage. Note: It is highly advisable to consult with the other parties in the matter in order to gain agreement on the criteria to be applied in this and all filtering or culling steps. This is often a contentious point in the ediscovery process and explicit agreement helps to avoid later disputes. 22

24 3. Agree with the relevant legal team the specific options to be used for processing, for example taking account of parent/child relationships, the treatment of document metadata in text extraction, reporting of exceptions, etc. Steps may include: I. Expansion of containers the expansion of each file into its component parts, for example to address documents attached to s, spreadsheets embedded within presentations, zip files, etc. II. File categorisation the identification of the file types within an ESI set, for example to distinguish graphical files, which may not be expected to contain text, from Microsoft Office-type documents which require text extraction. III. Text extraction and indexing the parsing of each file to extract its text contents, i.e., the text within each cell in a spreadsheet or each slide in a PowerPoint presentation. Text is typically indexed following extraction to enable complex but efficient searching. 4. Following processing, review and address any exceptions 23 which have occurred, for example by obtaining passwords or attempting to "break" the protection on any encrypted 24 or password-protected 25 files. In certain cases addressing exceptions may require additional ESI collection, for example to replace files which were found to be corrupt 26. Exception handling should also address any non-searchable 27 ESI, e.g., certain PDF or TIFF files which were originally scanned versions of hardcopy documents, may require additional processing in order to render them searchable. 5. If necessary, convert all or selected files into a specific format for review or production. For example, if the earlier processing steps have identified uncommon file types, such as Microsoft Visio, which may not be readable on the reviewer systems, consider converting those files to a more common format such as PDF to facilitate review. The requirement for conversion will vary significantly between projects and this step may not be required in all matters. 6. Having processed all relevant ESI, consider whether further filtering is required prior to review, for example to deduplicate 28 the ESI, or to apply keyword 29 or date filters. This type of secondary filtering prior to review can significantly reduce the cost of an ediscovery project since it reduces the number of documents to be reviewed and therefore the amount of review time required. 7. Transfer the processed ESI to a review platform 30 or service provider, if required, and document all processing steps including ESI transfer. This may include the preparation of a load file 38 which may be required to facilitate transfer to a review system. 23

25 Phase Six - Review (a) Objective The review phase is primarily concerned with performing a review of the ESI output from the processing phase. (b) Background As with the traditional discovery process, it is necessary to review a document in order to determine whether any form of privilege applies, to assess relevance, and often to categorise it according to issues in a matter or based on a specific schedule of requests. Electronic documents or ESI, are no different in their requirement for review. The main difference is that there are usually more electronic documents than hardcopy (paper) documents. However, the technology used in the processing phase is used to reduce the number of documents for review, and to focus on those most likely to be relevant. While much of the work undertaken in order to complete the first five phases will be carried out by IT and/or ediscovery specialists, in conjunction with legal advisors, review work is typically carried out by subject matter experts, such as trained legal professionals, accountants, or investigators. (c) Good practice steps 1. Formulate a review plan, taking into consideration: I. Who will perform the review. II. Whether a specific review platform is necessary, and if so which one will be used and where it will be hosted (i.e., by the client, by a law firm, or by a service provider). III. Whether all phases of review will occur together (i.e., relevance, privilege and category/issue), or in multiple passes 31. IV. How ESI will be batched into review bundles 32, if required. V. How families 33 of ESI will be managed. VI. Whether annotations 34 or redaction 35 will be required, and if so how will they be completed. This should include if annotations will be propagated to duplicates and/or families. VII. Whether hardcopy documents will be reviewed in the same process. VIII. Whether the review will result in a single production or whether a rolling production approach will be used, with multiple productions over a period of time. IX. How data will be transferred for production purposes. X. Resources required to meet production deadlines. 24

26 2. It is recommended when a review platform is being used that it be configured to match the review plan, including cost, timeframe and the resources available. Review configuration will typically address document bundles, for example so that each reviewer is assigned a set of 500 documents at once rather than simply being assigned a fixed share of the document set. The review platform must also be carefully configured to respect document family links and/or to assist reviewers in applying review decisions to groups of documents (i.e., to specify that if a specific Word document is privileged that its parent is also privileged, along with any other child documents of that ). 3. In relation to privilege review, consider using the search and tagging features of a review platform to highlight potentially privileged documents, for example, by searching for the names of law firms and legal professionals associated with the issues in the case. Consider sampling a set of documents which are likely to be privileged to determine how the organisation labels privileged material. These key phrases can also be used to highlight the records which are most likely to be privileged, which will help reduce review time and reduce the risk of inadvertent production of privileged material. 4. Consider the steps required, either in designing the review process or configuring the review platform, to help ensure appropriate oversight and quality assurance in the document review. For example, a review supervisor or more senior team member might wish to review a sample of documents on a regular basis to ensure that the appropriate decisions are being made. 5. It is recommended that in order to maintain a high standard of quality review, a reviewer manual should be compiled. This manual should set out clearly the relevant and necessary facts in the issue and common language to be consistently used throughout the review. This may be of particular importance in cross border reviews. 6. Carry out review as planned in step 1 above and document the results. 7. Where privileged documents have been identified in the review, prepare a privilege log and carefully check all production sets (Phase Eight below) against the privilege log to avoid inadvertent production of privileged material. 25

27 Phase Seven - Analysis (a) Objective To take a deeper look at a document, for example, to determine its provenance. Structured data, such as accounting systems, can also be analysed to generate insights into specific transactions, or patterns of transactions. (b) Background The key difference between the review phase and the analysis phase is that the review phase is typically focused on determining if a document is relevant to a matter, while the analysis phase is not so much focused on the content of a document, but its provenance, or its lifecycle. Examples of analysis which is carried out on ESI include: I. Validation and authentication of documents. II. Tracing the journey of an . III. Reviewing for activity patterns, such as mass deletion of ESI. It is important to note, that the analysis phase is not always necessary. Analysis may be required for a single document, a subset of documents, or an entire category of documents. (c) Good practice steps 1. Determine the objectives of the analysis. (e.g., when an was sent and who received it, or who edited a document and what they did.) 2. Produce an analysis plan. 3. Perform further filtering, advanced searching, and analysis of an individual piece of ESI. 4. Determine the who, what, where, when, why, and how of a piece of ESI, and obtain evidence to support any findings. 5. Provide a report. 26

28 Phase Eight - Production (a) Objective To produce the ESI, which have been determined as relevant from the review, to the requesting party. (b) Background Quite often the final step in the discovery process is providing a copy of the ESI (and hardcopy documents) which have been found to be relevant to the requesting party. It is vital that parties engage early in the process, so that what is produced at the end of the process is not a surprise. The current rules (S.I. No. 93 of 2009 Rule 12, Order 31) state that production should be in a searchable format and/or in the format which they are held by the party making discovery. This is often referred to as native format 36. In most cases, this is the most efficient way to produce ESI, as it does not require the producing party to incur the cost of converting it to a different format. In the event that a party chooses to convert ESI into a different format, steps should be taken to ensure that elements of that ESI, such as metadata, are not unintentionally lost or obscured in the process. (c) Good practice steps 1. If not already completed at an earlier stage, agree with the receiving party the production format 37. This should include: I. Agree whether all documents will be produced at once or whether interim productions will be made (i.e., whether a rolling production will occur). II. Determine how documents will be referenced and how the consistency of families of documents will be maintained (i.e., keeping s and their attachments together). III. Determine how documents produced will be referenced back to their original source. IV. If necessary, provide a sample production in order to resolve any technical issues in advance of full production. V. Determine how production sets will be transferred. Transfer mechanics should also address security mechanisms, such as the use of encryption. VI. Determine the information which will be included in the production schedule (i.e., document identifier, date created/sent, author, etc.). 27

29 Note: The production format should allow the receiving party the same ability to access, search, and review the ESI as the producing party had. As a result, in most cases the printing of ESI to paper for production would not be considered efficient. 2. Produce a list of the responsive ESI (and often a portion of their metadata). 3. Produce a list of the ESI which is being withheld, e.g., due to privilege. 4. Ensure that each piece of ESI produced can be traced back to its original source. 5. Produce a copy of the ESI in the format agreed with the requesting party. This may also include a load file 38 which can be used by the receiving party to load the ESI directly into their review platform. The default option should be to produce ESI in its native format in a manner which preserves metadata, except where a document has been redacted and it must be converted to another format in order to preserve those redactions. Note: In the event that a process such as OCR 39 has been used to convert non-searchable ESI into a searchable format, then the ESI in its searchable format should be produced. 6. Produce a report of the process undertaken. Note: this Guide covers the steps taken by the producing party. It stands that the converse is relevant to the receiving party. 7. Often the producing party will also be a receiving party of ESI from another party in the matter. In such cases, the following should be taken into consideration: I. ESI received may be loaded into a review platform. II. Review ESI received for consistency and completeness (e.g., to ensure the type and volume of ESI is as expected). III. Review the ESI received against that produced. For example, check that s contained within your production set, which also contain the other party, are also contained within their production set provided to you. IV. If necessary, verify the authenticity of ESI. 28

30 Phase Nine - Presentation (a) Objective To present the ESI at a formal hearing, in a format which facilitates its efficient review by those required at the hearing. (b) Background Often the most efficient method to present a document at a formal hearing is in its native format. ESI is no different. This saves considerable cost in printing bundles of documents, and time in leafing through large bundles of documents to find the one under discussion at a certain point in proceedings. Conversely, it may actually be more efficient or cost effective to print key documents for presentation. Many venues, such as court rooms, are not equipped with technology, which allows ESI to be presented to the audience on-screen. Therefore, adequate preparation and planning should be undertaken when deciding on the best method to present ESI at a formal hearing. The presentation phase also includes the scenario where a professional or expert report detailing the results of the analysis phase above is presented in affidavit and/or oral form at formal proceedings. (c) Good practice steps 1. Agree with all parties involved whether ESI can and should be presented electronically, what technology will be used, how the ESI will be presented and who will be responsible for the logistics of electronic presentation. 2. Should it be decided that it is a good idea to present in electronic format, ensure that the presentation method does not alter the ESI, and does not lead to it being misinterpreted by those who need to understand it in order to make decisions. 3. Verify that the hearing venue has the technical capability in place, and test that capability in advance of the hearing. 4. Present ESI at the hearing. 29

31 Appendix A The Sedona Canada Principles Principle 1: Principle 2: Principle 3: Principle 4: Principle 5: Principle 6: Principle 7: Principle 8: Principle 9: Electronically stored information is discoverable. In any proceeding, the parties should ensure that steps taken in the discovery process are proportionate, taking into account (i) the nature and scope of the litigation, including the importance and complexity of the issues, interest and amounts at stake; (ii) the relevance of the available electronically stored information; (iii) its importance to the court s adjudication in a given case; and (iv) the costs, burden and delay that may be imposed on the parties to deal with electronically stored information. As soon as litigation is reasonably anticipated, parties must consider their obligation to take reasonable and good faith steps to preserve potentially relevant electronically stored information. Counsel and parties should meet and confer as soon as practicable, and on an ongoing basis, regarding the identification, preservation, collection, review and production of electronically stored information. The parties should be prepared to produce relevant electronically stored information that is reasonably accessible in terms of cost and burden. A party should not be required, absent agreement or a court order based on demonstrated need and relevance, to search for or collect deleted or residual electronically stored information. A party may satisfy its obligation to preserve, collect, review and produce electronically stored information in good faith by using electronic tools and processes such as data sampling, searching or by using selection criteria to collect potentially relevant electronically stored information. Parties should agree as early as possible in the litigation process on the format in which electronically stored information will be produced. Parties should also agree on the format, content and organization of information to be exchanged in any required list of documents as part of the discovery process. During the discovery process parties should agree to or, if necessary, seek judicial direction on measures to protect privileges, privacy, trade secrets and other confidential information relating to the production of electronic documents and data. 30

32 Principle 10: Principle 11: Principle 12: During the discovery process, parties should anticipate and respect the rules of the forum in which the litigation takes place, while appreciating the impact any decisions may have in related actions in other forums. Sanctions should be considered by the court where a party will be materially prejudiced by another party s failure to meet any obligation to preserve, collect, review or produce electronically stored information. The party in default may avoid sanctions if it demonstrates the failure was not intentional or reckless. The reasonable costs of preserving, collecting and reviewing electronically stored information will generally be borne by the party producing it. In limited circumstances, it may be appropriate for the parties to arrive at a different allocation of costs on an interim basis, by either agreement or court order. Copyright 2008, The Sedona Conference. Reprinted courtesy of The Sedona Conference. Go to to download a free copy of the complete document for your personal use. 31

33 Appendix B ediscovery checklist This checklist can be used as an aide memoire by those responsible for delivering ediscovery projects. It firstly contains a list of background information which is useful to collect at the outset of a new project. It then contains a section for each of the phases of a typical ediscovery project. The content in each of these phases is simply a short version of the main body of this Guide. Case background 1. Establish the background information regarding the matter, for example: I. Who are the parties involved in the matter? II. What is the focus of the matter, and what are the issues? III. Has the organisation received any correspondence from another party in relation to the matter? e.g., a letter from an opposing party, a court order, a regulatory request, or a request for voluntary discovery. 2. Establish key dates and timelines associated with the matter, for example: I. When was the matter brought to the attention of the organisation? II. What is the time period under review? III. What are the known deadlines? 3. Establish the key contacts who may interact with the e-discovery team, for example: I. Who is the business contact? II. Who is the IT contact? III. Who is the legal contact? Phase 2 Identification 1. Draft an ediscovery plan, taking into account all of the phases set out in this Guide. Continually review and update the plan as the ediscovery project progresses. 2. Understand the obligation to preserve and the background to the matter. 3. Request a prioritised list of data custodians from the legal team responsible for the discovery project. 4. Assign responsibility for maintaining the data custodian list so that it is clear who will be responsible for updates. 5. Complete data custodian enquiries. 32

34 6. Complete IT enquiries. 7. Consider non-custodian ESI sources. 8. Draft the Custodian-ESI inventory. 9. Determine which of the ESI sources is likely to contain potentially relevant ESI. 10. Decide which ESI sources will need to be preserved and then which of those will need to be collected. 11. Formulate data protection and privacy strategies. 12. Draft preservation and collection plans and cost estimate if one is needed. 13. Hold a meeting with the other parties in the matter to agree the scope and approach of the ediscovery. Phase 3 Preservation 1. Issue a hold/preservation notice. Repeat as necessary over time. 2. If a party is seeking to preserve ESI held by another party, it may be appropriate to notify them. 3. Take the list of ESI sources identified for preservation in Phase Two and identify which are at risk of loss or destruction. Determine whether technical measures can be taken to preserve the ESI in place. 4. Test technical measures (if any) used to preserve ESI. 5. Implement measures in line with the preservation plan and update the Custodian-ESI inventory with the status of preservations. 6. Monitor the controls at regular intervals in advance of the collection of each ESI source. 7. Continually consider, with the organisation and its advisors, which ESI sources or data custodians can be released from the preservation notice. Phase 4 Collection 1. Address data protection/privacy/security issues. 2. Determine the type of collection. 33

35 3. Agree on the most appropriate method and time of collection for each ESI source. 4. Review the costs and benefits of the selected approach in order to determine what is appropriate and reasonable for the matter. 5. Plan the collection schedule. 6. Commence collection according to that schedule. 7. Verify the completeness and accuracy of the ESI collected as soon as possible after each collection has been completed. 8. If deemed appropriate, initiate and maintain a chain of custody for each copy of ESI. 9. Update the Custodian-ESI inventory with the collection status. Phase 5 Processing 1. Transfer a copy of all ESI to be processed to a processing system or provider, maintaining an original, or reference copy, in secure storage. 2. Identify and isolate all ESI which is known to be irrelevant, and select for further processing only that ESI which is user-generated and likely to be relevant. 3. Agree with the relevant legal team the specific options to be used for processing. 4. Following initial processing, review and address any exceptions which have occurred. 5. If necessary, convert all or selected files into a specific format for review or production. 6. Having processed all relevant ESI, consider whether further filtering is required prior to review, for example to de-duplicate the ESI, or to apply keyword or date filters. 7. Transfer the processed ESI to a review platform or service provider, if required, and document all processing steps including ESI transfer. Phase 6 Review 1. Formulate a review plan. 2. It is recommended when a review platform is being used that it be configured to match the review plan, including cost, timeframe and the resources available. 3. In relation to privilege review, consider using the search and tagging features of a review platform to highlight potentially privileged documents. 34

36 4. Consider the steps required, either in designing the review process or configuring the review platform, to help ensure appropriate oversight and quality assurance in the document review. 5. It is recommended that in order to maintain a high standard of quality review, a reviewer manual should be compiled. 6. Carry out review as planned in step 1 above and document the results. 7. Where privileged documents have been identified in the review, prepare a privilege log and carefully check all production sets against the privilege log to avoid inadvertent production of privileged material. Phase 7 Analysis 1. Determine the objectives of the analysis. 2. Produce an analysis plan. 3. Perform further filtering, advanced searching, and analysis of an individual piece of ESI. 4. Determine the who, what, where, when, why, and how of a piece of ESI, and obtain evidence to support any findings. 5. Provide a report. Phase 8 Production 1. If not already completed at an early stage, agree with the receiving party the production format. 2. Produce a list of the responsive ESI (and often a portion of their metadata). 3. Produce a list of the ESI which is being withheld, e.g., due to privilege. 4. Ensure that each piece of ESI produced can be traced back to its original source. 5. Produce a copy of the ESI in the format agreed with the requesting party. 6. Produce a report of the process undertaken. 7. Often the producing party will also be a receiving party of ESI from another party in the matter. In such cases, the following should be taken into consideration: I. ESI received may be loaded into a review platform. II. Review ESI received for consistency and completeness. 35

37 III. Review the ESI received against that produced. IV. If necessary, verify the authenticity of ESI. Phase 9 Presentation 1. Agree with all parties involved whether ESI can and should be presented electronically, what technology will be used, how the ESI will be presented and who will be responsible for the logistics of electronic presentation. 2. Ensure that the presentation method does not alter the ESI, and does not lead to it being misinterpreted by those who need to understand it in order to make decisions. 3. Verify that the hearing venue has the technical capability in place, and test that capability in advance of the hearing. 4. Present ESI at the hearing. 36

38 Appendix C Data custodian questionnaire This questionnaire may be used to assist in the determination the ESI sources which a data custodian has access to. The data custodian may then be asked to provide information as to which of the sources may contain ESI relevant to the matter, given the background to the matter and the relevant time periods, etc. Further, for all sections below, it may be necessary to determine what was in place during the time under review, and what has become of those systems and ESI if they are no longer in use. Note: The data custodian questionnaire contains questions which go significantly beyond that required to identify ESI sources. This additional, often technical, information is usually required in order to plan and carry out the necessary preservation and collection steps. Further, while the questionnaire contains a large number of suggested questions, it should not be considered necessary to ask every question in every matter, nor should the list be considered finite. Section 1 Desktop and laptop computers 1. What desktop and/or laptop computer do you use? 2. What is the make and model? 3. Where is it located? 4. How long have you had it for? 5. Who owns it? 6. Is the internal storage media encrypted? 7. What operating system is on it? 8. What do you use it for? 9. How is the ESI stored on your computer backed up? 10. Do you have more than one computer? If so, please provide the information above in relation to each one. Section 2 Mobile devices 1. What mobile devices do you use? e.g., Blackberry, iphone, ipad, Tablet PC, Palm, GPS, and mobile phones. 37

39 2. What is the make and model? Please provide as much detail as possible, including carrier, phone number, device storage capability. 3. Where is it located? 4. How long have you had it for? 5. Who owns it? 6. Is the internal storage media encrypted? 7. What do you use it for? 8. How is the ESI stored on the device backed up? 9. Do you have more than one mobile device? If so, please provide the information above in relation to each one. Section 3 Portable storage devices 1. What portable storage devices do you have? These may include: a. USB/Memory keys b. Memory cards/mmc cards c. Floppy disks d. CDs e. DVDs f. ZIP disks 2. What is the make and model? Please provide as much detail as possible, including storage capacity. 3. Are there any security mechanisms, such as encryption in use? 4. Where is it located? 5. How long have you had it for? 6. Who owns it? 7. What do you use it for? 8. How is the ESI stored on the device backed up? 9. Do you have more than one portable storage device? If so, please provide the information above in relation to each one. 38

40 Section What account do you use? Please list the addresses? 2. How do you access your ? and from where? 3. How long have you had the account? 4. Is it a personal account, or is it supplied by your employer? 5. Who provides support in the event of technical issues? 6. What do you use it for? Just , or calendar, notes, tasks, etc.? 7. How is the ESI in this account backed up? 8. Do you archive your ? 9. Where do you archive it? 10. How do you archive it? 11. How frequently do you archive it? 12. Does anyone else have access to your account? 13. Do you have access to anyone else s account, or any shared accounts? 14. Do you use hosted services such as GMail, Hotmail, Yahoo Mail, etc.? 15. Do you have more than one account? If so, please provide the information above in relation to each one. Section 5 Shared network folders 1. Do you have access to a shared folder on a server computer? 2. What is the name of the folder and what is it used for? e.g., the Finance Share. 3. What drive letter is used to access it? e.g., the G drive. 4. Where do you access it from? 5. How long have you had access to it? 6. Who is the owner of the folder? 39

41 7. Do you know if the ESI in the folder is backed up? If so, how is it backed up? 8. Do you have access to more than one shared folder? If so, please provide the information above in relation to each one. Section 6 Private network folders 1. Do you have access to a folder on a server computer which is dedicated to you? i.e., only you can access it. 2. What is the name of the folder and what is it used for? e.g., My Documents or Personal share. 3. What drive letter is used to access it? e.g., the H drive. 4. Where do you access it from? 5. How long have you had access to it? 6. Who is the owner of the folder? 7. Does anyone else have access to your private folder? e.g., a personal assistant. 8. Do you know if the ESI in the folder is backed up? If so, how is it backed up? 9. Do you have access to more than one private folder? If so, please provide the information above in relation to each one. Section 7 Instant messaging 1. Do you use instant messaging? e.g., SMS text messaging, Sametime, Office Communicator, Microsoft Lync, Yahoo IM, Google Talk, Skype, etc. 2. How do you access the system? 3. How long have you had access for? 4. Who provides you with technical support in the event of issues? 5. What do you use it for? 6. Is it possible to use it for other communication methods, such as video, voice, or file transfer? 7. Do you have the ability to save chat sessions? If so, where do you save them to? 40

42 8. Do you have access to more than one instant messaging service? If so, please provide the information above in relation to each one. Section 8 Home computers/remote access 1. How do you remotely access your corporate IT systems? 2. Do you use your home computer or a computer supplied by your employer to perform the access? 3. What is the make and model? 4. Where is it located? 5. How long have you had it for? 6. Who owns it? 7. Is the internal storage media encrypted? 8. What operating system is on it? 9. What access do you have? e.g., only, full access to all features, limited access to certain applications. 10. Does anyone else have access to it? 11. How is the ESI stored on the computer backed up? 12. Do you have more than one computer or way of remotely accessing your corporate IT systems? If so, please provide the information above in relation to each one. Section 9 Transactional systems 1. What transactional systems do you have access to? e.g., accounting, Payroll, HR, manufacturing, funds transfer, etc. 2. How and where do you access these systems? 3. How long have you had access for? 4. Who owns the systems, and who would provide technical support in the event of an issue? 5. What do you use it for? 41

43 6. Do you have more than one transactional system? If so, please provide the information above in relation to each one. 7. Do you use other applications, such as spreadsheets or databases to store and/or process transactional data? Section 10 Internally hosted websites and/or collaboration sites 1. Do you have access to any internally hosted websites and/or collaboration sites? e.g., Internal file sharing websites, Sharepoint, eroom, etc. 2. What ESI is there and how do you access it? 3. How long have you had it for? 4. Who owns the ESI which is hosted? 5. What do you use it for? 6. Is the ESI backed up to another location? 7. Do you have more than one location where ESI is hosted internally? If so, please provide the information above in relation to each one. Section 11 Internet hosted ESI 1. Do you have ESI which is hosted on the Internet? e.g., externally hosted websites, filesharing websites, GoogleDocs, etc. 2. What ESI is there and how do you access it? 3. How long have you had it for? 4. Who owns the ESI which is hosted? 5. What do you use it for? 6. Is the ESI backed up to another location? 7. Do you have more than one location where ESI is hosted externally? If so, please provide the information above in relation to each one. 8. Do use any externally hosted networking websites? e.g., Linked-In, Facebook, Twitter. 42

44 9. What ESI is there and how do you access it? 10. How long have you had it for? 11. Who owns the ESI which is hosted? 12. What do you use it for? 13. Is the ESI backed up to another location? 14. Do you have more than one location where ESI is hosted externally? If so, please provide the information above in relation to each one. 15. Is the data publicly accessible, or will authorisation or a court order be required in order to acquire a copy of it? Section 12 Voice and video systems 1. Do you use voice and/or video recording systems, including voic ? 2. Where are the systems located and how do you access them? 3. How do you record the voice/video ESI? 4. How long have you had access for? 5. Who owns the system, and who would provide technical support in the event of an issue? 6. What do you use it for? 7. Is it possible to search for historical ESI using the system? 8. How is the ESI stored on the system backed up? 9. Do you have access to more than one voice/video recording system? If so, please provide the information above in relation to each one. Section 13 Other systems 1. Are there any other systems which you use to access and/or store ESI? e.g., fax, scanning, etc. 2. Where are they located and how to you access them? 3. How long have you had the access for? 43

45 4. Who owns the system, and who would provide technical support in the event of an issue? 5. What do you use it for? Section 14 Data privacy and data protection 1. Do you have colleagues or an assistant who would have access to your ESI? 2. Do you have ESI which would be considered personal data under the Data Protection Acts? 3. What ESI do you have and where is it located? Section 15 General 1. Are there any other locations where ESI may be stored that you are aware of? Consideration should be given to having the data custodian acknowledge the information provided by way of a signature. Note: It may be necessary to request security details, such as passwords and/or encryption keys in order to access ESI which has been secured. 44

46 Appendix D IT questionnaire This questionnaire may be used to determine the ESI sources which a data custodian has access to, in addition to non-custodian sources, such as common file shares. It may be used to further map the data custodian s perceived ESI sources back to their underlying systems. It may be necessary to supplement these questions with further questions which help to determine which of the sources identified may contain ESI which is relevant to the matter. Further, for all sections below, it may be necessary to determine what was in place during the time under review, and what has become of those systems and ESI if they are no longer in use. Note: The IT questionnaire contains questions which go significantly beyond that required to identify ESI sources. This additional, often technical, information is usually required in order to plan and carry out the necessary preservation and collection steps. Further, while the questionnaire contains a large number of suggested questions, it should not be considered necessary to ask every question in every matter, nor should the list be considered finite. Section 1 IT environment 1. Who manages the IT infrastructure in the organisation? 2. Who supports the IT infrastructure in the organisation? 3. Are there any 3rd parties that either manage or support the IT environment? 4. Are there any 3rd parties who process or host ESI on behalf of the organisation? 5. How many IT users are there in the organisation? 6. What are the primary technologies in use? i.e., Windows, Linux, desktops, laptops, etc. 7. What standard applications are in use? e.g., Word processing, spreadsheets, Internet access, etc. 8. What encryption technologies are deployed? 9. Are there any in-house or industry-specific software programmes deployed? Section 2 Desktop and laptop computers 1. What make and model of desktop and laptop computers are deployed? 2. What is the hard disk type and size in these computers? 45

47 3. How old are the computers? 4. Are the disks encrypted? If so, how? 5. What operating system(s) (and Service Pack levels) are deployed? 6. Do users have more than one computer? 7. Do users have access to more than one computer? i.e., shared computers. 8. Is the data stored on desktop and laptop computers backed-up? Section 3 Portable storage devices 1. What portable storage devices are deployed? These may include: a. USB/Memory keys b. Memory cards/mmc cards c. Floppy disks d. CDs e. DVDs f. ZIP disks 2. What are the make and model deployed? Please provide as much detail as possible, including storage capacity. 3. Are there any security mechanisms, such as encryption in use? 4. How is the ESI stored on the devices backed up? Section 4 Mobile devices 1. What mobile devices are in use? e.g., Blackberry, iphone, ipad, Palm, GPS, Tablet PCs, and mobile phones. 2. What are the make and model of the devices in use? Obtain as much technical detail as possible? e.g., infrastructure set-up, device storage capability, phone numbers, etc. 3. What 3rd party service providers are involved and what ESI do they store? 4. What logging systems are in place surrounding mobile devices and how long are logs retained for? 46

48 5. Are there duplicate ESI sources which are more readily accessible? i.e., if all is stored on the mail server before being forwarded to a Blackberry, then is it necessary to acquire the Blackberry? 6. What elements of the mobile infrastructure are backed-up and how? 7. Is it possible for data custodians to store ESI on the device which is not also stored in another location which is controlled by the organisation? Section 5 Server computers 1. What server systems are in place and what business functions do they serve? e.g., file, print, , application. 2. What operating systems are in use on the servers? e.g., Windows, Linux, Novell. 3. What access controls are in place? e.g., security groups, by folder/share. 4. How are the servers accessed by the data custodians? 5. Are there login scripts in use and if so, do they map drives and printers? Obtain a copy of the script(s)? 6. What logging is in place on the servers and how long are the logs retained? 7. What automated processes are run on the servers? e.g., deletions, re-organisations, and/or scans. 8. Are Windows snapshots in use? 9. Are clusters of servers in use/multiple nodes? 10. How are the servers backed up? Section What platform(s) are in use? e.g., Exchange, Lotus Notes, Novell GroupWise. 2. Are hosted services, such as GMail, Hotmail, Yahoo Mail, etc. permitted for business use? 3. Where is the ESI stored? i.e., local or network. 4. What mailbox size quotas are in place? Are these different for various data custodians? 47

49 5. What happens when a user meets or exceeds their quota? 6. What automated processes are in place? i.e., deletions, sweeps, etc. 7. Where are the mail servers located? 8. How many mailboxes are there? What is the total volume of data? 9. Are there any shared mailboxes which the data custodians have access to? 10. How are mailboxes distributed across servers? 11. What access rights are in place on the mailboxes? i.e., do others have access to read, send as, etc. Obtain a copy of the access lists, if possible. 12. What journaling capabilities are in place? 13. What logging is in place and how long are logs retained for? 14. How and where is mail archived? Is it automated? 15. Is there a separate archiving system in place, and is there a facility to directly search the archive? e.g., MailMeter, Symantec CommVault, etc. 16. If Exchange is in use, is the Dumpster used, and if so, how long is data retained for? 17. What backup system is in place? Is this separate to the server backup system? If different from the server system, then complete the backup section below separately for each different system in place. 18. Is brick-level (mailbox-level) backup in place? Section 7 Shared network folders 1. What shared network folders are available to users? e.g., Finance Share. 2. How do users access these shares? Are there default mapped drive letters in use? e.g., the G drive. 3. What security controls are in place on the relevant shares? Obtain a copy of details, if possible. 4. How much data is stored in each share? 48

50 Section 8 Private network folders 1. Is My Documents redirection in place? Is it standard, or on a user-by-user basis? 2. Do users have their own private network folders? i.e., only the user has access? 3. How does the user access the folder? e.g., a mapped drive. 4. Are there data size quotas in place? What are they for the identified data custodians? Section 9 Instant messaging 1. What instant messaging systems are in place? SMS text messaging, Sametime, Office Communicator, Microsoft Lync, Yahoo IM, Google Talk, Skype, etc. 2. What version(s) of the system are in use? 3. Where is the system hosted? i.e., internal, web-based. 4. Are conversations journaled? 5. What archiving capabilities exist? Are these automatic or user controlled? 6. What additional capabilities does the solution have? e.g., file transfer, video, etc. 7. How is the system and/or ESI backed-up? 8. What logging is in place and how long are logs retained for? Section 10 Home computers/remote access 1. How are remote access services provided to users? 2. What functionality is provided remotely? i.e., full access to LAN, just , Citrix, etc. 3. What process do users go through in order to connect remotely? 4. Can/do users connect to work using personal home computers? 5. What logging is in place to monitor remote access and how long are logs retained for? 6. Is ESI worked on remotely backed-up? 7. Have remote access and network accounts been disabled for data custodians who have left the organisation? 49

51 Section 11 Transactional systems 1. What transactional systems are in use? e.g., accounting, payroll, HR, etc. 2. What system is used to manage customer accounts? 3. What system is used to maintain accounting records? 4. What payments systems are employed? i.e., SWIFT, Royline, etc. 5. Are other transaction systems in place, such as Microsoft Access and Excel? 6. How are transactional systems backed-up? 7. When does the system delete sub-ledger detail? 8. What logging is in place and how long are logs retained for? Section 12 Backup systems 1. Is there a legal/regulatory requirement that requires the organisation to retain ESI? 2. What back-up systems are in place? What is the make and model of the system in place, and what back-up media does it use? 3. What is the media rotation/retention policy? 4. Where is the media stored? 5. What volume (GB/TB) of ESI is backed-up? How long does it to complete a full backup and a full restore? 6. What restoration capabilities are present on-site? 7. Is there a disaster recovery site in place? It is hot or cold? 8. When were the back-up systems currently in use implemented? 9. What happened to the old backup tapes/system? 10. Is there a capability to restore old tapes? 11. Are backups created when systems are upgraded? How long are these retained for? 12. Would 3rd parties have retained backups of systems which they upgraded and/or previously maintained? 50

52 13. What backups are available? What date ranges do they cover and what ESI is stored on them? Section 13 Internally hosted websites and/or collaboration sites 1. Are internally hosted websites and/or collaboration sites in use? e.g., Internal file sharing websites, SharePoint, eroom, etc. 2. What ESI is processed/stored on these systems? 3. How are the systems accessed by the data custodians? 4. How long have the systems been in place? 5. How is the ESI stored on the system backed up? Section 14 Internet hosted ESI 1. Are there any externally hosted websites which hold potentially relevant ESI? 2. Are there any publicly available websites which host potentially relevant ESI? e.g., LinkedIn, Facebook, Twitter, My Space, etc. 3. Is the ESI accessible, or will authorisation or a court order be required in order to acquire it? Section 15 Voice and video systems 1. Are there any systems in place which record voice and/or video recordings, including voic s? 2. Who has access to the systems and how are they accessed? 3. Where is the ESI stored and how is it accessed? 4. What ESI is stored by them, for how long, and is it backed up? 5. Is there a facility to search for ESI within these systems? e.g., filter by phone number and/or date. 51

53 Section 16 Other systems 1. What other systems are in use by the organisation? e.g., Document management, Fax, scanning, etc. 2. How are these backed-up? 3. Who has access to them? 4. What ESI is stored by them, for how long, and is it backed up? 5. Does the organisation have an off-site location used for business continuity planning (BCP) or disaster recovery (DR)? If so, what IT systems are present, and what ESI do they contain? Section 17 Processes and policies 1. Is there a data classification programme in place? 2. Is there a data retention programme in place? 3. Are there data management, disposal, and protection policies in place? 4. Is there a computer use policy in place? 5. Have the data custodians in scope signed/acknowledged the computer use policy and does evidence of this exist? 6. Is there a remote access policy in place? 7. Is there a portable media policy in place? 8. Are there any other policies in place? 9. What is done when people leave the organisation? What happens to their ESI, computers, mobile devices, accounts, etc.? Section 18 Data privacy and data protection 1. Does the organisation store ESI which would be considered personal data under the Data Protection Act? 2. Has the authority been obtained to take custody of such ESI? 52

54 3. Is there an expectation of privacy by data custodians which will need to be addressed? (e.g., will it be necessary to obtain consent?) Consideration should be given to having the provider of the information above acknowledge the information provided as complete and accurate by way of a signature. 53

55 Appendix E Sample Custodian-ESI inventory Custodian Priority Data source Unique ID Preserved Collected John Smyth 1 Laptop computer ID n/a Yes Server ID Yes Yes Personal network share ID Yes Yes Jane doe 2 Laptop computer ID n/a Yes Server ID Yes Yes Personal network share Multiple/Other 3 Sales department network share Forensic copy of sales department network share ID Yes Yes ID Yes Pending ID Yes Pending Note: It is often useful to insert statistics in such a table which includes, for example, the size of each ESI source, and the date collection was completed, etc. 54

56 Appendix F Information sharing In order to facilitate sharing of information relating to the discovery of ESI throughout a matter, it is recommended that the following information be shared at a minimum: Identification The list of custodians The types ESI sources identified and whether they are readily accessible or not Preservation Overview of any preservation steps undertaken Collection The ESI sources and/or types collected The method(s) of collection Processing The method(s) used to filter the ESI, which may include: Removal/suppression of irrelevant ESI ESI type Deduplication Date range Custodian Author/Sender/Recipient Keywords Any other automated searching/filtering techniques How exceptions were managed Any ESI conversion employed 55

57 Review The approach and level of review performed Production The form of production It should be recognised that many aspects of an ediscovery project will evolve as a project progresses. It is recognised therefore that information provided in the interest of cooperation may change. In such cases, efforts should be made to communicate changes to relevant parties in a timely manner. Note: in the event that there is disagreement in relation to filtering criteria employed during processing, a detailed report should be produced which informs the parties as to the issues involved. For example, in a disagreement over keywords employed, a report setting out the individual and combined number of documents identified by each keyword should be produced. This will assist parties and/or the court to determine the overall impact of an additional keyword. 56

58 Appendix G - Glossary of terms 21 Accuracy In addition to completeness, it is also necessary to verify that the process used to acquire the copy of the ESI did not alter the ESI in any way. For example, a digital fingerprint, or hash value, of the ESI can be used to compare two sets of ESI to verify that they are identical Annotations The markings applied to a piece of ESI during the review phase. These are akin to putting a sticky note on a document. A first pass review would typically have basic annotations, such as relevant and not relevant, while subsequent passes may also include annotations which signify which issue in the matter the document is responsive to. They do not change the original document. 3 - Classification Many organisations will classify ESI into different categories. These can include: Confidential, Sensitive, Personal, Open, etc. The classification of ESI is usually used to determine which controls are implemented in order to help ensure security. For example, medical records may be classified as sensitive personal information and therefore additional precautions must be applied in order to ensure such information is not accessed by unauthorised parties Chain of custody Refers to the documentation used to record who had custody of a piece of ESI from the time it was first obtained to the time where it is presented as evidence in formal proceedings Completeness When an ESI collection is completed, it is necessary to determine that the copy was successful, and that all of the ESI which was intended to be copied, was in fact copied, i.e., the volume of ESI, and/or the number of files, are as expected Corrupt files There are a large number of factors which can cause a piece of ESI to become corrupt, or unreadable. This can be due to damaged electronic storage media or errors induced during the copying process, amongst many others. The end result is that the ESI cannot be read and/or interpreted using standard techniques, and may require the use of specialist tools to read the ESI. It is however quite possible that it may not be possible to read corrupt ESI using any means. 57

59 8 - Data custodian For the purposes of this guide, the data custodian is the person or organisation which has custody or administrative control of ESI. While they may not physically hold the ESI, it is considered to be accessible to them, and/or under their control. For example, we would consider a typical employee to have files on their laptop, on a company server, and within the company system. The employee would be considered the custodian of the ESI sources which are attributed to them Data privacy For the purposes of this guide, data privacy refers to the confidentiality of ESI, or expectation of confidentiality of ESI, by an individual or organisation, which is the subject of the ediscovery process. This typically requires a determination to be made as to whether an organisation has the right to access ESI, and whether consent is required from the owner or the subject of the ESI Data protection Data protection refers to the protection of individuals with regard to the processing of personal data and on the free movement of such data. It entitles individuals to access their personal data and have inaccurate data rectified or erased. Those who hold data about individuals have various lawful obligations imposed on them to comply with data protection principles, e.g., not to disclose in any manner incompatible with those purposes and protected by adequate security measure. For the purposes of ediscovery, this typically involves identifying if any of the ESI involved in the ediscovery process would have content which would be covered by the relevant Data Protection Acts. If so, then steps should be taken to handle the ESI accordingly. See Directive 95/46EC the Data Protection Directive ) The Data Protection (Amendment) Act 2003 amended the 1988 Act to bring Irish Law into line with the provisions of this Directive. Please note at the time of writing this there were 11 separate sets of regulation under the Data Protection Acts. 28 Deduplication This is the process of identifying duplicate, or near duplicate, ESI in a set. Such ESI is typically identified as duplicate, allowing duplicates to be either removed or suppressed Deleted data When ESI is deleted from electronic storage media, it is often possible to recover it. This is not always possible, and the extent of the recovery is affected by many factors. It would typically require additional effort to recover ESI which had been previously deleted. 58

60 7 - Electronic storage media Technology devices, such as computers and mobile phones, will most likely contain media which is used to store ESI. These media are often referred to as memory, or hard disks. It is this electronic storage media which is contained within the device which is actually used to store the ESI, and therefore, is the location from which it is necessary to copy relevant ESI. 1 - Electronically Stored Information or ESI ESI is simply information or records stored in an electronic format. The converse to ESI is information which is stored in hardcopy format (i.e., on paper). The strict legal definition of ESI will vary between jurisdictions. However, for the purposes of this guide it is defined as any information which is stored in electronic form, regardless of the electronic format in which it is stored. 24 Encrypted document A file, for example a Word document, which has been protected so that its contents cannot be accessed without a password or encryption key. This is related to, but separate from, password protection which is a weaker form of protection which can typically be bypassed while processing ESI. 5 - ESI map** A method for an organisation to capture where it s ESI is stored, physically and virtually, in what format it is stored, backup procedures in place, how the ESI moves and is used throughout the organisation, information about accessibility of the ESI, retention and lifecycle management practices and policies, and identity of records custodians Exceptions When processing ESI for further review, it is expected that the system used to process each piece of ESI, will be able to read that ESI automatically and allow further filtering, such as date range and keywords be applied to it. There are a number of reasons why a piece of ESI may not be accessible. Examples are files which are encrypted, password protected, corrupt, or nonsearchable Families of ESI* A family relationship is formed among two or more documents that have a connection or relatedness because of some factor. The parent-child relationship is described as, in any taxonomy, the superior category can be called a parent, and its subcategories can be called children. An can be considered, for example, to be a parent of any of its attachments. Conversely, an attachment can be considered to be a child of the to which it is attached. 59

61 19 - Forensic vs. non-forensic collection A forensic collection of ESI utilises tools which preserve the metadata associated with ESI. In dealing with the contents of hard disks it is also necessary to obtain a copy of the unused space of the media, which can later be searched for previously deleted ESI. A non-forensic collection typically involves using tools which may not have been developed for the purposes of evidence collection and which may have deficiencies as regards collecting ESI and/or avoiding changes to metadata. A typical example of this would be using Windows Explorer to copy files to a USB storage device Hold order or notice** A legal hold is a communication issued as a result of current or anticipated litigation, audit, government investigation, or other such matter that suspends the normal disposition or processing of records. The specific communication to business or IT organisations may also be called a hold, preservation order, suspension order, freeze notice, hold order, or hold notice Keywords* Any specified word, or combination of words, used in a search, with the intent of locating certain results. A specific word used to search a database. It can also refer to words related to the case or specific issues, designated by the law firm and generally having their own field in the database. 10 Legacy system This typically refers to older computer systems which are no longer in active operation. It is often necessary to invest additional resources in order to recover ESI from such systems Load file An electronic file which is used to define a set of ESI in order that it be easily imported into a review platform, or other such system. It typically contains a copy of the metadata of each file in the ESI set, amongst other information. Such load files typically allow the recipient of ESI to import it directly into their review platform without any further processing Metadata Information about a piece of ESI, such as the date which it was created, last time it was printed, and the author. This is as opposed to the actual content of the ESI itself. There are almost as many types of metadata as there are ESI. These can be used to effectively filter ESI during the processing phase and can assist in analysing or authenticating a document. 60

62 36 - Native format This refers to the electronic format which the ESI was usually stored in the normal course of business Non-searchable files Most user created ESI will contain text which is readable to the human eye. When processing ESI, it is expected that the system used to process each piece of ESI, will be able to read that ESI automatically and allow further filtering, such as date range and keywords be applied to it. Exceptions to this include image, sound, or video files, in addition to scanned copies of hard copy documents. While the contents of these files are easily understood by humans their meaning is not readily understood by computers and they are therefore often not searchable using traditional means. There are a number of technical methods available for converting such ESI into a searchable format Not readily accessible ESI Converse to readily accessible ESI, this is ESI which the retrieval of which would incur additional cost and time. Such ESI is not accessible on an active system. Typical sources of this nature are backup tapes and decommissioned systems. Also included in this category are ESI which have been deleted from active systems. While it is frequently possible to recover deleted ESI, it does typically require greater effort. ESI, such as Internet history and/or cookies, and artefacts which are used to determine the use of a computer system, would also be considered not readily accessible. This is due to the fact that specialist skills and tools are required to recover the ESI OCR* Optical Character Recognition is the conversion of a scanned document into searchable text and the rendering of its text susceptible to copying for pasting into a new file. Following the scanning of a given document, OCR software evaluates the scanned data for shapes it recognises as letters or numerals. OCR technology relies upon the quality of the printed copy and the conversion accuracy of the software. Generally acknowledged to be only percent accurate Password protected This is akin to the lock on a door, which is used to block entry to the ESI unless the password, or key, is known. It is often used in conjunction with encryption to secure ESI Production format/data set The format in which ESI is presented to the requesting party. This can be in native format, or in another format which the ESI have been converted to. 61

63 9 - Readily accessible or active ESI This is ESI which is stored on an active computer system and is easily accessible using standard ESI collection techniques. Such ESI would typically be accessible without any restoration steps. For example, custodian s laptops and ESI on servers which are in active service Redaction* A portion of an image or document is intentionally concealed to prevent disclosure of specific portions. Usually accomplished by applying an overlay. Often done to protect privileged or irrelevant portions of the document, including highly confidential, sensitive, or proprietary information. 32 Review bundles In large reviews, it is often necessary to break the ESI set into smaller bundles in order to allow more than one reviewer complete the review. ESI can be treated in the same manner as boxes of documents which would be split up, checked out to different reviewers, and then checked back in when complete. One key concept which applies primarily to ESI, and not to hardcopy documents, is that it is necessary to ensure that only one reviewer has access to annotate each document at the same time. This is essential to ensure that conflicting annotations are not applied to the same document Review passes The number of passes required when manually reviewing a set of ESI for relevance to a matter. This may be a first pass review, completed by junior staff, who will determine if a document is relevant to the matter or not. All documents annotated as relevant in the first pass review will then be brought forward to the second pass review, which is typically carried out by more senior staff who make further annotations and decide if a document is to be produced or not Review platform The computer system used to facilitate the manual review of the ESI. Typical review platforms will allow large numbers of documents to be grouped into review sets or bundles, will present individual documents to human reviewers for a decision, and will receive and record the reviewer decision associated with each document. 4 - ESI retention/deletion policy Many organisations, especially those in regulated environments, will have requirements to retain records (or ESI) for certain periods of time. Such organisations typically will have a documented policy which describes what ESI/records are required to be retained, and for how long. They will also typically cover how ESI is to be disposed of when it is no longer required and will distinguish between convenience copies/personal copies and authoritative reference documents. Frequently, 62

64 different types of ESI will have different retention periods, e.g., financial records may be retained for 7 years, whilst s may only be retained for 3 months. 12- Sampling** Sampling usually refers to the process of testing a database or a large volume of ESI for the existence or frequency of relevant information. It can be a useful technique in addressing a number of issues relating to litigation, including decisions about what repositories of data are appropriate to search in a particular litigation, and determinations of the validity and effectiveness of searches or other data extraction procedures. 6 - Searchable form Data in a format by which search terms or filters can be applied using a computer in order to locate or eliminate specific data types/content. 2 Sources of ESI* A source of ESI is any device which contains electronic storage media (see 7 above) which is used to store ESI. These can be items such as server, desktop, and laptop computers, in addition to web sites and mobile phones. For the purposes of ediscovery, it will be necessary to identify which sources of ESI may contain ESI relevant to the matter Whole vs. Targeted collection Where the whole ESI source is collected, this is referred to as a whole collection. This will typically include all ESI from the given source. It may not be required to collect all of the ESI from a specific source. In such cases a targeted subset of the ESI on a source may be collected. Both types of collection may be performed in either a forensic or non-forensic manner (see 19 above). * these terms have been directly obtained from the Electronic Discovery Reference Project glossary ( ** these terms have been directly obtained from the Sedona Conference Glossary ( 63

65 Appendix H Suggested further reading Books Giovannini (Teresa) and Mourre (Alexis), Written Evidence and Discovery in International Arbitration, New issues and Tendencies, (International Chamber of Commerce, 2009) Grenig (Jay E), Marean (Browning E), and Poteet (Mary Pat), Electronic Discovery and Records Management Guide: Rules, Checklists and Forms, 2011 edition (USA: Thomas Reuters 2010) Lange (Michele.C.S) & Nimsger (Kristin M). Electronic Evidence and Discovery: What Every Lawyer Should Know Now, 2 nd edition (USA: American Bar Association, 2009) Mack (Mary) and Deniston (Matt), A Process of Illumination: The Practical Guide to Electronic Discovery, 3rd edition (USA: Fios 2008) Mason (Stephen), Electronic Evidence, 2nd edition (LexisNexis Butterworth, 2010) Matthews (Paul) and Malek Q.C. (Hodge M.) Disclosure, 3 rd edition of discovery (London: Sweet & Maxwell 2007) Scheindlin (Shira A), Capra (Daniel J) & The Sedona Conference, Electronic Discovery and Digital Evidence: Cases and Materials, (USA: Thomas Reuters, Westlaw, 2009) McGrath (Declan), Delany (Hilary), Civil Procedure in the Superior Courts 3rd edition, (Round Hall 2012) Online references The governing rules of ediscovery, in the context of procedural steps in discovery applications, are currently governed by S.I. 93 of The website of the Electronic Discovery Reference Model (EDRM) project contains many useful resources including details of the EDRM diagram and an e-discovery glossary: Federal Judicial Centre - Managing Discovery of Electronic Information: A Pocket Guide for Judges, Second Edition. The Sedona Conference Principles underpin a lot of US ediscovery law and may have an influence on the development of Irish law in the future. They can be downloaded from Digital Evidence, Digital Investigations and E-Disclosure: A Guide to Forensic Readiness for Organisations, Security Advisers and Lawyers; Professor Peter Sommer for the Information Assurance Advisory Council; Third Edition March

66 Refer to Practice Direction Part 31 - Disclosure and Inspection of Documents Practice Direction (31B) -Disclosure of electronic documents, website link parts/part31.htm The Australian Law Reform Commission first circulated a consultation paper in November 2010 and tabled its report in the Federal Parliament on 25 May Managing Discovery: Discovery of Documents in Federal Courts, The Federal Court of Australia, Chief Justice issued on the 1 August 2011, new practice directions. This included the Practice Note, CM 6 on Electronic Technology in Litigation. Singapore Practice Direction 3 of 2009 (called PD3 of 2009) (the E-Discovery PD) on 1 October 2009, direction_no.3_of_2009.pdf; Appendix E, Part 1 provides for an agreed protocol, with practice direction amendments made in The New Zealand High Court Amendment Rules (No. 2) Reform of the Discovery (setting out two types of discovery, standard and tailored) was enacted on the 1 February Sedona Canada has issued a "public comment" version of The Sedona Canada SM Commentary on Proportionality in Electronic Disclosure and Discovery. Commentaries on privacy, cost containment and enforcement of letters rogatory in the summer of See 65

67 Articles Domestic Collins (Simon), Electric Avenue, ediscovery in Ireland (Law Society Gazette, December 2011) Harbison (Andrew), Documents to get out alive in E-Discovery, (Civil Practice and Procedure (CPP) 2011, 1 at 35) Mc Intyre (T.J.), Irish Supreme Court Extends Scope of Electronic Discovery: Dome Telecom v Eircom, (Digital Evidence and Electronic Signature Law Review 2008, 5 at 41) Moore-Vaderaa BL (Rithika), R. Discovery of electronically stored information - The new rules, (Commercial Law Practitioner, (11) at 240) Moore-Vaderaa BL (Rithika), R. E-Discovery in International Arbitration, (Irish Business Law Quarterly (1) at 16) Other Jurisdictions Foggo (Gavin), Suzanne (Grosso), Harrison (Brett) & Rodriguez-Barrera (Jose Victor), Comparing E-Discovery in the United States, Canada, the United Kingdom, and Mexico, (Committee on Commercial & Business Law Litigation, Section of Litigation, American Bar Association. Summer (4)) Satterwhite (Rodney A). and Quatrara (Matthew J), Asymmetrical warfare: The Cost of Electronic Discovery in Employment Litigation, (USA: Rich J.L. & Tech, 2008, 14 (3)) HM Courts Service. Electronic Disclosure: The report of a working party chaired by The Honorable Mr. Justice Cresswell (6 October 2004). Reports Review of Civil Litigation Costs, Final Report, December 2009 by the Right Honourable Lord Justice Jackson, (UK: TSO 2010, with the permission from Ministry of Justice), See part 8, (Controlling the Costs of Litigation) at Chapter 40, E-disclosure. Electronic Disclosure: A report of a working party chaired by the Honourable Mr Justice Cresswell (HM Courts Service 2004, October 6) The Law Society of Ireland, Civil Litigation, Discovery in the Electronic Age: Proposal for Change: (2007 October, The Litigation Committee of the Law Society of Ireland established a Sub- Committee to enquire and recommend possible changes to S.I. No 233 of It published a report which was submitted to the RSC Committee) Ernst & Young - Electronic evidence and the Irish legal process, Survey 2011, Breakdown of Results (Ireland: 2011, Ernst & Young, published a report on survey results, in August 2011, detailing the results on the use of electronic evidence in the Irish legal system). 66

68 Table of Cases Domestic Anglo Irish Bank Corporation Ltd v Browne, unreported, High Court, Kelly J., [2011] IEHC 140. (Costs, uncontrolled discovery give rise to enormous time and cost) Atlantic Shellfish Limited v Cork County Council and others, unreported, High Court, Budd J., [2006] IEHC 215 (reasonable and diligent search) Balla Lease Developments Ltd. v- Keeling, unreported, High Court, Kelly J., [2006] IEHC 415, (evidence tampering, validity of evidence) Dome Telecom v Eircom, unreported, Supreme Court, Kearns J. (as was then), Geoghegan J., and Fennelly J.,[2007] IESC 59, (reasonableness and form of discovery) Framus Limited v CRH plc [2004] 2 I.R.20, [2004] IESC 25, (proportionality) Irish Nationwide Building Society v Charlton, unreported, Supreme Court, Murphy J., March at 13. (how the process of discovery had become increasingly burdensome and often used as delay tactic). See also Allied Irish Banks plc v Ernst & Whinney [1993] 1 I.R. 375, at 396. Hansfield Developments & Ors v Irish Asphalt & Ors, unreported, Supreme Court, Finnegan J., [2009] IESC 4, (example of good practice in ediscovery and necessity to confer) Hollybrook (Brighton Road) Management Co Ltd v All First and Anon, unreported, High Court, Laffoy J., [2011] IEHC 423 (dicta on court resources) Net Affinity Ltd v Conaghan, unreported, High Court, Dunne J., [2011] IEHC 160 (useful in how discovery at interlocutory stage can assist in proving a party s case) Mulcahy v.avoca Capital Holdings Ltd, unreported, High Court, [2005] IEHC 136, (recognised discovery of electronic records). Myers v Elman, [1940] A.C. 282 at 322 (duty of care, solicitor) Ryanair plc v Aer Rianta, [2003] 2 I.R. 264, (consider whether discovery necessary having regard to all circumstances including burden, scale, and cost of discovery sought) R v Daye, [1908] 2 K.B. 330 (not to confine a document to paper) Thema International Fund International Fund Plc v HSBC Institutional Trust Service (Ireland), unreported, High Court, Clarke J, [2011] IEHC 357, (funding of litigation third party, disclosure) 67

69 Other jurisdictions Al-Sweady, R (on application of) v Secretary of State for the Defence, [2009] EWHC 2387, (critical of the States failure to carry out sufficient searches for documents) Digicel (St Lucia) Ltd v Cable and Wireless plc, [2009] 2 All ER 1094, [2008] EWHC 2522 (Ch) (23 October 2008), (recognised the importance of conferral, and issues relating to keyword searching) Earles v Barclays Bank PLC, [2009] EHWC 2500, (imposed sanction on costs on successful defendant for failure to conduct disclosure satisfactorily) Gooddale v Ministry of Justice (Opiate Dependant Prisoners Group Litigation, [2009] EWHC B41 (QB) (example of the approach which case management judge should take where documents appear voluminous, use of questionnaire) Infabrics Ltd v Jaytex Ltd [1985] F.S.R., (inference drawn from destruction of certain documents) Nichia Corporation v Argos Limited, [2007] EWCA Civ 241, (applied a proportionate approach, accepted risk that perfect justice would not be achieved) Madoff Investment Securities LLC, Re [2009] EWHC 442 (Ch), (the court authorised the transfer of data to New York by the Madoff liquidator on the grounds of public interest, necessity for the purpose of, or in connection with, any legal proceedings, and necessity for the purposes of establishing, exercising or defending legal rights) Omni Laborties Inc v Eden Energy Limited, [2011] EWHC 2169, (key search terms) Pension Committee, LLC, et al., USDC, SDNY, Jan. 10, 2010 (failure to adhere to contemporary standards can be considered gross negligence) Shoesmith R(on application of) v OFSTED & Ors, [2009] EWHC B35, (example of disclosure defect, where failure to find easily accessible documents, despite sophisticated technology incurred unnecessarily costs ) Vector Investments v Williams, [2009] EWHC 3601 TCC, (awarded reduction in costs, by failure to meet or to apply the court directions) Victor Stanley, Inc. v. Creative Pipe, Inc., 2008 WL (D. Md. May 29, 2008), (example of the importance of an audit trail) Zubulake v UBS Warburg LLC, 229 F.R.D. 422, (S.D.N.Y. 2004) (spoliation, discovery of inaccessible data, and reminder to counsel of obligations to ensure the thoroughness of clients discovery process) 68