EDRM.NET
"$%&'(&)'*%*+& INTRODUCTION TO THE EDRM " CAVEAT EMPTOR$ SYSTEM MANAGEMENT AND SECURITY% APPLICATION PLATFORM AND USER INTERFACE & EDRM IDENTIFICATION' EDRM PRESERVATION' EDRM COLLECTION( EDRM PROCESSING) EDRM ANALYSIS * EDRM REVIEW+ EDRM PRODUCTION ", CONCLUSION"" -./0123-/4567-689:5;<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"$
As the e-discovery market space and its many solution providers continue to evolve, so does system complexity. Organizations looking for e-discovery solutions may become overwhelmed by the breadth and depth of the market. This paper is intended to serve as a guide to assist organizations in vetting such software. While the document aims to be comprehensive, not all criteria listed will apply to every organization. Therefore users are advised to treat this guide as a starting point and tailor its advice to the specific needs of their own organizations. At a minimum this paper should serve as thought provoking input and better prepare readers to make a well informed decision regarding e-discovery software and services." INTRODUCTION TO THE EDRM " Traditionally, no matter which tools an organization uses to address the EDRM at a minimum the data must be identified then collected, processed for analysis, internally reviewed and culled, and then that reduced data set must be processed again for import into to a legal review tool for outside counsel. Some organizations use three or four different products, one to address each phase. In this case, the data must be processed each time it moves from one tool to the next. Any analysis, comments and tagging done during the internal review phase are lost when the data is imported to the legal review product." Traditional Model" SOURCE: EDRM.NET EDRM BUYER S GUODE 1
While it has been recognized that the traditional model is purely conceptual, non-linear and iterative, the practical workflow for e-discovery frequently looks something like this:" " " Iterative Process At each cycle of data ingestion, processing, analysis and export expense is incurred and information and time are lost. This is a problem, as it is risky, costly and inefficient. Each time data leaves one cycle to begin another it is exposed to risk and data loss. Also, since new products and services are needed at every phase, costs for law firms and corporations rise with each iteration. Frustration levels also rise as professionals who are trying to focus on practicing law or critical business processes, instead find themselves juggling multiple data load formats, service providers and review platforms." " CAVEAT EMPTOR" Unfortunately the e-discovery space is still very much buyer beware due to the large number of service providers and myriad of software choices. It s impossible for a firm to do an exhaustive review of all providers in the market. As a stand-in for a total market survey, a firm looking to purchase software or services should include testing and a thorough proof of concept process as basic best practices for each candidate in a set of possible solution providers. Any vendor requiring upfront payment for POC activity is likely after a quick dollar, not interested in solving the firm s business problem, and should therefore be avoided. Vendors should be happy to work with organizations to show them what their software can do in a real environment. Any reluctance to do this can only be seen as a red flag. % Another warning sign is the existence of a pay-per-use billing model. Many vendors have adopted this pricing model which can seem manageable in the beginning, but will become burdensome and lead to proportionality conflicts once cases progress. The amount of electronically stored information is not decreasing, but growing "$%&'()*%+',"% "
exponentially, which means per-gig fees will only continue to climb. A realistic and forward thinking cost analysis performed before adopting pay per use solutions can be illuminating and useful for organizations. A thorough review of the vendors health should be included. Financial standing along with years in business and client base should be reviewed and evaluated against other players in the space. A client list should include those willing to provide reference calls. The calls should be with clients that are actually using the solution in a way that closely maps to your planned implementation. References can provide you with an objective assessment of product and vendor support, so make sure to ask about both. Finally, no solution is complete without some level of professional services engagement. Whether it be for simple training or to augment the existing team, verify your chosen provider has the breadth and depth to meet the ever fluctuating demands of your organization. SYSTEM MANAGEMENT AND SECURITY Before even entering the realm of EDRM preparedness, an organization should consider its system management and security needs. At a minimum any software the firm purchases should accommodate flexible user access, including the ability to support the existing roles and responsibilities of the organization. Consideration should be given to: User roles and access rights should be customizable and not force the organization to adopt a specific workflow or team makeup. If the organization uses Active Directory, that should also be integrated by the chosen software to allow for centralized ID management and authentication. The solution must provide a rich set of system audit and logging reports to determine user activity at a specific date and time. Access to the logging feature should be severely restricted to serve as valid input for establishing chain of custody, as well as supporting user management activities by showing who has what access. The system s communication and security protocol must also be robust and support the organization s needs and current configuration. The security feature s overarching function should be to prevent unauthorized use of the system or system components. Workflow steps should be clearly broken out and allow for tasks to be input into the system without an undue burden on multiple parties. Further customization to fields within the user interface should support organization requirements and changes. %,-.&/0%-1+&2/3,%& %
APPLICATION PLATFORM AND USER INTERFACE The application platform of any competitive product should make full use of current technology including 64-bit operating systems, clustering technologies, true multi-threading and various OS versions. It should also be lightweight, flexible and allow for remote access. Include evaluation of the following: The application should support both the novice and experienced user and require minimal training to operate. Reduced learning curve equates to more time spent on business critical functions. The solution should be as agnostic as possible, because it s essential that the system play well with others (for example supports numerous files types and forensic containers and able to export multiple load files) since the market is diverse with many organizations using different providers with unique requirements. As for hardware, the application should not have limitations on number or size of RAM or CPU and must have the ability to scale to meet the geographic, network and workload demands of your organization. Make sure the solution doesn t create chokepoints for other business processes. Evaluate based on peak processing and/or collection requirements and be certain that the solution can support them, but also assume the current workload and organization structure will grow exponentially over time. The chosen solution should not require material reinvestment to meet growth requirements. Some basic performance metrics to measure can include collection times, processing times per/gb, per/tb, time it takes to open a document in review panel, time needed to export GB or TB of data, time to render (TIFF/PDF) GB or TB of documents. Finally, the user interface driving this whole process must be web enabled. Preferably the interface will leverage web browser technology cleanly, requiring few third-party add-ons or the installation of native applications for viewing certain file types. This allows for an access anywhere capability while being lightweight from a resource and IT management perspective. The web-enabled UI should also support dual monitor review with interchangeable review panels for maximum reviewer efficiency and flexibility. %,-.&/0%-1+&2/3,%& &
EDRM IDENTIFICATION The EDRM Identification phase includes development of a plan, as well determination of sources for potentially relevant ESI. One of the essential parts of the identification phase is custodian tracking, because it helps organizations be proactive about where information resides and facilitates litigation preparedness. Historical custodian detail should be readily accessible to understand what other cases/matters a custodian was involved in and what data was collected in conjunction with that matter. Commonly stored data will include custodian email, phone numbers, business unit, case and other pertinent workflow details, which the system should be able to preserve and organize. Part of the system s ability to track custodians should be supported by structured data connectors, which should integrate between the system and the firm s existing programs. The Data Map may be the most crucial part of the Identification phase, because knowing where the data is and its accessibility level is intrinsic to planning the entire case strategy. Thus the data mapping functionality should be robust and should include the ability to record and update potentially relevant data repositories, such as PCs, email systems, SharePoint, archiving systems, other structured data repositories. It is essential that this functionality be built-in so that organizations do not have to incur the additional expense or complexity of using a third-party provider. Hand-in-hand with the Data Map is the pre-collection audit capability, which allows organizations to survey their information universe before they start the onerous work of collecting. Support for this functionality should include the capability to run search criteria against a potentially relevant target and provide results without actually copying the underlying files. The pre-collection audit option is preferable to solutions that have to pull data back to index and report on potential search criteria, because it is much faster. This can be a key advantage especially early in a case or when tight deadlines are approaching. Pre-collection auditing minimizes system and network impact and eliminates overhead, because it reduces the storage of extraneous data for early case assessment activities. The importance of the pre-collection auditing capability should not be understated because the practice will continue to grow in significance as organization data grows in size and complexity. EDRM PRESERVATION The EDRM Preservation phase includes data isolation and notification to appropriate parties that data related to an upcoming law suit must be preserved. The largest, most important part of the preservation functionality is the Litigation Hold System. This piece of the software comes into play the moment litigation is contemplated by the parties and thus should lay the foundation for a highly organized and efficient case work flow. Litigation hold functionality should be fully integrated and not require %,-.&/0%-1+&2/3,%& '
third-party add-ons. This is because integration provides the benefit of centralized management of all custodians and eliminates the complexity and cost of introducing a distinct system into the IT environment. Some essential components of a comprehensive litigation hold system include: Up to the minute progress tracking of all statuses within the matter (including custodians and IT specific managers or data owners) Optional workflow approval sequence for attorney or paralegal review Templates and other customization tools to increase efficiency Distribution and management of attachments and custodian interview Q&A recording and support The system should be able to produce electronic and hard copy reports for use internally or with external parties EDRM COLLECTION The EDRM Collection phase includes acquisition of potentially relevant electronically stored information (ESI). Collection should include both the document/file, as well as any associated metadata. Collection is a crucial part of the e-discovery process, which is reflected in the wide spectrum of offerings and definitions in this area. Many providers offer some level of collection, but few have years of experience and a solid track record of delivering defensible results. Collection and Processing capabilities should be heavily scrutinized to separate inflated marketing spin from the real thing. Organizations should take particular care to test and ensure data is not being dropped or missed (open files and email, system files, large files, etc.) during collection. While certainly not a court requirement, forensic data collection inherently achieves a degree of defensibility not available in a non-forensic collection. Forensic collection has other advantages, as well as heightened defensibility, including the ability to audit the collection and the ability to collect deleted files. No longer solely the domain of law enforcement, forensic collection is rapidly becoming understood and sought by opposing counsel and the courts. The organization that chooses a tool with forensic collection capability not only chooses the strongest level of collection stability, but puts itself at the front of a developing trend. Whether the chosen solution offers a forensic collection capability or not, the collection solution must have a certain set of functionality in order to be minimally acceptable. Organizations should review and ensure: Solution needs the ability to collect open files or files currently in use. Tools that fail to meet this critical criteria fall short of being legally defensible and leave organizations open to charges of incomplete preservation. %,-.&/0%-1+&2/3,%& (
Ability to (but not require) capture a full disk imagethis becomes especially useful in criminal investigations when a collection window is short. Case or custodian specifics can dictate the necessity for full-disk imaging (employee malfeasance or termination). The collection tool must have a full spectrum of criteria for both inclusion and exclusion, including the following: keywords (with full set of operands), file extensions, file type (internal file identification), file dates (accessed, modify, create, etc.), file path, file size, MD5 hash, archive search (ability to search and collect from compressed file types). Incremental collection capabilitymeaning the solution should offer the ability to collect all modified or newly created data since the date of last acquisition. This is particularly critical for lengthy matters or matters that have a large number of mobile custodians. Also important since most organizations have many potential custodians located offsite and outside the corporate network, is the ability to collect from employee laptops that are not logged into the corporate network. There should be a robust and valid throttling capability to limit network and resource impact when acquiring data during peak utilization periods or where available network bandwidth comes at a premium. The system should generate reports on non-responsive files (list of all files which did not meet search criteria and were therefore not collected), reports which describe the collection criteria w/associated hit counts, data sources, legal matter as well as custodians involved, and report a list of all collected files by name, type, source and size. Finally a solid collection tool should not interrupt custodian s day to day business activities. The process should be transparent to the end user and be automated to the extent that a collection is completely repeatable from one custodian to the next. EDRM PROCESSING The EDRM processing phase typically includes indexing, itemization and some level of data identification within the subject data universe. The processing phase is the real workhorse of the e-discovery lifecycle. Within this phase all data that was collected previously gets extracted and turned into information that can be culled down for greater relevance and read by review platforms in the next phase. As such, speed and accuracy are at a premium and a great deal of marketing dollars has been spent on claims related to data processing speeds (e.g. TB/day). The reality is that most of these claims are made using state of the art hardware platforms (prior to any licensing fees). The ideal solution should be one that can easily and affordably scale using existing hardware to achieve processing speeds of terabytes per day. %,-.&/0%-1+&2/3,%& )
As always, the best advice is to run a thorough POC (proof of concept) with your own exemplary data set and a full understanding of the service level objectives within your company. The single criterion that carries the most variance across e-discovery vendors is processing diligence (accuracy); meaning the thoroughness and accuracy of the processing tool. Because processing happens under the hood, data can easily go missed and undetected or unreported to end users. This is another area where vendors have produced elaborate pieces of marketing collateral to cover deficiencies in their processing routines deficiencies, such as the lack of extensive exception handling and reporting and QA/QC methodologies. However, we are strong advocates that the only way to truly assess and make a wise investment is to do a side by side comparison ( bakeoff ) of the competing technologies to see if one or both are dropping data or missing important information. All data as well as metadata should be maintained and tracked throughout the collection and processing sequences. Every organization should create a representative data set, run it through the competing tools, and perform a side by side analysis. The organization should then repeat with the same dataset. The results may be surprising and but will reveal which tools are doing the most accurate and comprehensive job. Other key capabilities include: Integrated Optical Character Recognition (OCR); the ability to extract text from document images or PDFs so that it can be searched in subsequent e-discovery phases. The program should also be able to perform full text extraction from electronic documents and email to facilitate the same. The application should support a full range of document de-duplication (identification of exact duplicates) options and should flag and optionally remove duplicates, then generate reports showing which documents/email are duplicates with associated counts. EDRM ANALYSIS The EDRM Analysis phase includes evaluating the collected and processed data to determine overarching information about key case topics, players and documents. For the purposes of this guide Analysis is synonymous with Early Case Assessment and Early Data Assessment. The Analysis or Early Case Assessment ( ECA ) phase of the e-discovery process entails taking the large and unorganized set of data from the processing phase to determine what type of case you have and whether you should go forward with the discovery process or look at settling. For this reason, analysis tools support the functions of categorizing, refining and bucketing data. The most well-known function is keyword searches and culling. All applications should have an efficient and effective method for using keywords to analyze and reduce the subject corpus of data down to a manageable subset. %,-.&/0%-1+&2/3,%& *
In addition qualified candidates should include the following: In-document hit highlighting, keyword counts and summaries Data and evidence bookmarking at the global and case level to support categorization and organization Supports the easy addition of data and assigning it to a specific matter or custodian at any point during the analysis or review phase without requiring complete reprocessing Pre-defined buckets and document categorization, which allows the user to apply broad filters, such as file type or a date range to the data set Threaded view of email is also intrinsic to a quick and holistic analysis of the data. The application should support a dedicated view of email that allows for a contextual understanding of the chain of communication, including parties involved and subjects Comprehensive support for most legal review tools including; iconect, Introspect, Relativity, Ringtail, Summation, EDRM XML and generic. Load file templates for quick and consistent creation should be included. Finally, analysis and reporting in the ECA/EDA phase should be able to quantify and present which documents did and did not meet search criteria. These reports and metrics are critical input to further development of overall case strategy and can influence whether or not the user performs additional collections. Reporting can also help to quickly determine if chronological or conceptual gaps exist in the current data set. EDRM REVIEW The EDRM Review phase focuses on sub-categorizing documents to identify relevant facts, further refine case strategy, and reduce risk to the client. Review is generally conducted by an attorney or other skilled practitioner. The EDRM Review phase is the stage where documents receive the most scrutiny by the most highly trained (legally, not technically) users. Therefore clarity and ease of use are extremely important, as these practitioners need to spend more time on legal analysis and less time on mastering software. To be ideal, the system must give a very detailed picture into the evidence and individual documents, yet be extremely intuitive. Many successful systems employ a multiple tier user interface that can accommodate both novice users and those needing advanced functionality. This helps to solve the business problem of requiring clarity and ease of use with the ability to support all case needs completely within a single tool. The multi-tiered user offering should be administered via granular security permissions and grouping structures that allow case managers to be flexible in creating review hierarchies and strategies. These permissions should be easily configured at any point in the review cycle and should include the ability to restrict or allow access to all software functionality. %,-.&/0%-1+&2/3,%& +
Some of the basic components review software should offer include the following; Large and clear document viewer that can be undocked to move to a split screen Flexible review screen allowing user to design an optimal viewing area with document summary Image and tagging view; a near native document viewer which allows user to view multiple (preferably hundreds of) file types without requiring installation of the native application, thereby speeding review time and significantly reducing cost and installation complexity Bulk tagging/coding of document groups and document families Unicode support to enable viewing and searching of foreign languages Conversion and export into review platform load files and hard copy output Redaction and document marking support, including text overlay, as well as custom color schemes. Redactions should appear transparent when performing review but be optionally burned-in at time of production Persistent text highlighting to support the designation of chosen terms to always appear highlighted across email, attachments and loose files Ability to render (image) native TIFF and PDF documents on the fly so that native documents may be marked and produced. This should include support for single and multi-page TIFFs and PDFs, customization for compression, as well as color and B&W formats Near-duplicate capability that identifies similar documents, emails and loose files, and allows them to be visually compared with differences clearly called out EDRM PRODUCTION The EDRM Production phase encompasses export and exchange of electronically stored information in response to a production request between parties. Production completes the arc of the e-discovery process, but includes much more than just printing documents out of a review platform and attaching a privilege log. Today s productions come in many formats and some may never see paper. Therefore an organization s production capability has to be capable of handling not only the traditional production duties of redacting, printing and numbering, but be able to produce data in its many formats and load file %,-.&/0%-1+&2/3,%& ",
iterations. The Production workflow should also be flexible and allow for the creation of empty production set buckets to which documents can be added or from which documents can be removed as case objectives change. While production is not quite synonymous with export, the way data gets out of a system is still an intrinsic part of the production process. Data should be available to export from the system in various formats, including load files, native files, images or forensic containers (supports portability or in cases of criminal matters). Exporting data should not incur an additional expense/fee or require the use of a third-party application. Since the legal world is far from giving up paper, production features for the classic method should be strong. An application should include the ability to burn in redactions, mark-ups and stamps and to Bates number productions sequentially. The stamping/bates number functionality should include header or footer placement, a prefix option, as well as a starting sequence and padding. The option to start numbering from a previous production set must be included for proper data management. Along with supporting the output of documents from the system, a good product will also give the user ways to manage and track productions throughout the life of the case. For example, load file volume and document options support should be included for any number of foldering options to support work with an outside vendor upstream or downstream of the production phase. Also, custom data columns should be present in the case database to assist in meeting the needs of existing processes systems, outside counsel and partners. Support for rolling productions sets is also key to allow an organization to maintain continuity and track data at the file level. Production set status should be readily available to support decision processes and Doc ID and Bates numbering should pick up where the previous production set left off. Full logging of production sets including user, file name, file counts, production set size and associated matter should be available to track progress and support data management. Branding history, including numbering, Doc ID and any watermarks should be logged and available for reference. CONCLUSION Please use this guide as it was intended; as a series of suggestions and best practices to help organizations choose the best e-discovery software for their workflows and practices. While this guide is primarily focused on the underlying technology evaluation of the vendor, a vendor s willingness and ability to be a full, skin-in-the-game partner should be integral to the overall evaluation process. Institute a POC policy and test the software in a pseudolive environment before purchasing. If possible, do a side-by-side comparison of various products to see which performs best. And always shy away from vendors who are not completely open about their product and service limitations. Hopefully with this guide in hand you will be helped to make a well-informed decision regarding e- discovery products and services. %,-.&/0%-1+&2/3,%& ""
EDRM BUYER S CHECKLIST This document is intended to be a tool to assist in vetting e-discovery software. As the market space and solution providers continue to evolve, so does the complexity of the systems. While this checklist is intended to be a comprehensive document, we understand that not all criteria listed apply to every organization. Therefore please use this guide as a starting point and tailor to the specific needs of your organization. At a minimum, it should serve as thought provoking input and better prepare you to make a well informed decision. Unfortunately this space is still very much buyer beware. The best advice is to test and conduct thorough POCs with your set of considered solution providers. Vendors requiring upfront payment for POC activity are likely after a quick dollar and not interested in solving your business problem and should therefore be avoided. Additionally many vendors have adopted a pay-per-use model, which can become burdensome and lead to proportionality conflicts. Thought and cost analysis should be performed before adopting pay per use solutions. SYSTEM MANAGEMENT AND SECURITY User Access Provide the flexibility to support existing roles and responsibilities of your organization. User roles and access rights should be customizable and not force your organization to adopt a specific workflow or team makeup. Active Directory Integration System Audit/Logging System Dashboard/Application Management System Communication and Security Protocol Automated Notification Framework Workflow User Interface Web Enabled Support full Active Directory integration to allow for centralized ID management and authentication. Provide a very rich set of audit and logging reports to determine user activity at a specific date and time. This logging should severely restrict access and serve as valid input into establishing chain of custody as well as determination of who has what access for user management activities. Allow for quick and effective assessment of the application s health, including disk space, RAM utilization and network connectivity. Support intra-component authentication through use of 802.1x certificates or other authentication factor commensurate with your organizations standards. User of the organizations certificate hierarchy should also be an available option. The security feature should be aimed at preventing unauthorized use of the system or system components. If possible the communication and security protocol should have thirdparty validation to limit your need to validate as the end user. Customized notifications through email should be available. These notifications should support a more effective use of time by those involved in day to day operations. Automated notification based on user roles can make notification of pending tasks (approvals and other workflow activity) a very robust and auditable event. System workflow should support full delegation of duties without forcing an organization to adopt an inefficient process. Workflow steps should be clearly broken out and allow for tasks to be input into the system without undue burden on multiple parties. Further customization to fields within the user interface should support organization requirements and changes. Preferably leverages web browser technology with minimal need for third-party complex add-ons or installation of native application for viewing certain file types. This allows for an access anywhere capability while being lightweight from a resource and IT management perspective. User Interface Dual Screens Review panes must be interchangeable and support dual screens for efficiency and user preference. AccessData EDRM Buyers Guide 2011
APPLICATION PLATFORM AND USER INTERFACE Application Platform Support Should make full use of current technology including 64-bit operating systems, clustering technologies, true multi-threading and various OS versions. As data volumes grow, the need to make use of these and other platforms will grow. Hardware Support User Interface Application should not have limitations on number or size of RAM or CPU. Application should be as agnostic as possible to support existing standards and needs to scale as case and legal matters dictate. Application should be lightweight, flexible and allow for remote access. Application should support both the novice and experienced user and require minimal training to operate. Performance Scalability Metrics should be evaluated for large data sets. While a comprehensive list is beyond the scope of this document, suggestions include (processing times per/gb, per/tb, time to open a document in review panel, time to export GB or TB of data, time to render (TIFF/PDF) GB or TB of documents, etc.) Solution should have the ability to scale to meet the geographic, network and workload demands of your organization. Solution should further support peak processing and or collection requirements. Thoroughly test and scrutinize your vendor(s) for the extremes. Assume your current workload and organization structure will grow exponentially over time. Your solution should not require material reinvestment to meet growth requirements. EDRM IDENTIFICATION The identification phase includes development of a plan, as well determination of sources for potentially relevant ESI Custodian Tracking Data Mapping Pre-Collection Audit Capability Structured Data Connectors Addition of potentially relevant custodians should be a very straight forward process. Addition should include ability to add from external sources like Active Directory. Historical custodian detail should be readily accessible to understand what other cases/matters that custodian was involved in and what data was collected in conjunction with that matter. Data should include custodian email, phone numbers, business unit, case and other pertinent workflow details. System should have the ability to record and update potentially relevant data repositories, such as PCs, email systems, SharePoint, archiving systems, other structured data repositories, without additional expense or complexity of a third-party provider. This information should be readily available to serve as input into the planning phase of the case. System should have the capability to run search criteria against a potentially relevant target and provide results without actually copying the underlying files. A pre-collection audit capability is much faster than solutions that have to pull data back to index and report on potential search criteria. This can be a key advantage especially early in a case or when tight deadlines are approaching. System and network impact is also minimized, as well as elimination of the overhead in storing extraneous data for early case assessment activities. This capability will continue to grow in significance as organization data and grows in size and complexity. Integrated collection capability should be included as part of the overall systems without additional cost of introducing a third-party tool or process. Complexity of e-discovery activity need not be complicated with additional vendors or unnecessary procedures. At a minimum integration should be offered for your organization s email system, but others may include Microsoft Exchange Lotus Notes Microsoft SharePoint Oracle URM FileNet (IBM) Documentum (EMC) Opentext Symantec Enterprise Vault AccessData EDRM Buyers Guide 2011
EDRM PRESERVATION This phase includes prompt isolation and notification to appropriate parties that data must be protected in a way that is legally defensible; reasonable; proportionate; efficient; auditable; broad but tailored and ultimately mitigates risks. Integrated Litigation Hold System should include integrated litigation hold functionality. Integration provides the benefit of centralized management of all your custodians. It also eliminates the complexity and cost of introducing a distinct system into the IT environment for the sole purpose of lit hold. Lit Hold Progress Tracking Lit hold should include immediate and up-to-the-minute progress tracking of all status within the matter, including custodians and IT-specific managers or data owners. Electronic and hard copy reports should be available for internal and external parties. Lit Hold Approval System should support a workflow approval sequence for attorney and paralegal review when necessary. Lit Hold Customization The lit hold system should have a rich set of customization features, including templates to introduce efficiency. Distribution and management of attachments should be managed within the lit hold interface. There should also be the capability to include custodian interview questions with feature for responses. EDRM COLLECTION This phase includes acquisition of potentially relevant electronically stored information (ESI). Collection should typically include both the document/file, as well as any associated metadata. Forensic Collection Capability Though not required by the courts, a forensic collection does ensure your collection methodology is legally defensible and infers a level of auditability not present with non-forensic solutions. Forensic collection is no longer the domain of law enforcement and is rapidly becoming a term understood and sought by opposing counsel and the courts. Forensic collection capability also provides the additional protection of collecting deleted files, which can occasionally be called into scope. Collect Open Files Collection solution must have the ability to collect open files. Tools that fail to meet this critical criteria fall short of being legally defensible and leave organizations open to charges of incomplete preservation. Full Disk Image Acquisition Targeted Collection Capability Advanced Collection Options In some instances, a full disk image may be the most prudent collection methodology, especially when a collection window is short or case specifics dictate (criminal, etc.). At a minimum, the collection solution should offer a fully defensible solution to remotely acquire a full forensic disk image for secondary investigation or in-house processing. Disk acquisition should allow for both logical and physical identification and collection. Collection tool should have a full spectrum of collection criteria for both inclusion and exclusion to include the following: 1. Keywords (with full set of operands) 2. File extensions 3. File type (internal file identification) 4. File dates (accessed, modify, create, etc) 5. File path 6. File size 7. MD5 hash 8. Archive search (ability to search and collect from compressed file types) These filter criteria should allow for combination to further reduce false positives and increase proportionality when collecting data. Occasionally advanced collection options may be required by opposing counsel or the courts. Some of these unique requirements may be worth evaluating: 1. Collect deleted files 2. Search slack or unused disk space 3. Search hidden system files 4. Collect files that are missing a file extension 5. Collect encrypted files AccessData EDRM Buyers Guide 2011
Collection Logging and Reporting Incremental Collection Capability Multi-Source Collection Ability to Collect from Sources Outside the Corporate Firewall Bandwidth and Resource Throttling At a minimum to support chain of custody and to present a legally defensible collection solution reports should include: 1. Non-responsive files report (list of all files which did not meet search criteria and were therefore not collected) 2. Report describing the collection criteria w/associated hit counts, data sources, legal matter, as well as custodians involved. These search hit reports should maintain the structure of complex search terms. 3. List of all collected files, name, type, source and size Additional suggested reporting criteria includes: 1. A real-time status report for each collection target providing current file and time to completion 2. A summarized report of the entire collection and all associated statuses and targets Solution should offer the ability to collect all modified or newly created data since the date of last acquisition. This is particularly critical for lengthy matters or matters that have a large number of mobile custodians. Solution should support multiple sources for a single collection. This could be organized by custodian or particular data platform. Increasingly organizations have more and more potential custodians located offsite and are outside of the corporate network. The chosen e-discovery solution should offer the ability to remotely collect data regardless of network location or domain membership. Most organizations have a separate reporting responsibility and set of concerns when it comes to network and resource utilization. There should be a robust and valid throttling capability to limit network and resource impact when acquiring data during peak utilization periods or where available network bandwidth comes at a premium. Collection Templates Templates for routine or standard collection approaches should be available to improve efficiency and reduce the chances for errors. Agent Architecture Deployment of collection agents or service should be lightweight, compatible with existing deployment infrastructure and NOT require a complete reinstallation to accommodate new features or software updates. NOTE: A vendor claiming their collection solution does not require an agent or service should be heavily scrutinized. A thorough proof of concept should be run to ensure data is not being dropped or missed (open files, system files, large files, etc.) during collection. EDRM PROCESSING This phase typically includes indexing, itemization and some level of data identification within the subject data universe. Processing is always conducted on data which has been collected in the preceding phase. Processing Performance Processing Diligence A great deal of marketing dollars has been spent on claims related to data processing speeds (e.g. TB/day). The reality is most of these claims are made using systems which can run in the $100k USD. That s the investment prior to any licensing fees. Solution should easily and affordably scale using existing hardware to meet peak or increased processing demands. Vendors that are unwilling to spend the time educating you on their processing performance scalability should be avoided. Again, the best advice here is to run a thorough POC and make sure you understand any service level objectives within your organization. This single criterion carries the most variance across e-discovery vendors and unfortunately carries the biggest risk. Because processing happens under the hood, data can be missed and that undetected data is usually not reported to end users. Deficiencies in many vendors processing capabilities include the lack of extensive exception handling and reporting, as well as QA/QC methodologies. The only way to assess a product s processing performance and accuracy is to do a side-by-side comparison of competing technologies. Criteria should include: 1. Processing / presentation of embedded objects (aka OLE streams) in MS Office documents and other files 2. Nested emails 3. Email attachments 4. Duplicate file identification 5. Call-outs or comments in MS Excel and MS Word documents 6. Embedded formulas 7. Full processing/indexing of large (GB+) files AccessData EDRM Buyers Guide 2011
8. Older file types (typical for e-discovery) 9. Media files 10. Metadata, metadata, metadata Create a representative data set, run it through the competing tools and perform a side-by-side analysis. Then do it again with the same dataset. You will be surprised by the results. Optical Character Recognition (OCR) Text Extraction Processing should include steps to process all image type documents and provide searchable text during subsequent e-discovery phases. Processing sequence should include full text extraction of all documents and email to provide for a quick and expedient search during subsequent e-discovery phases. Encrypted File Support Deduplication Options While not necessarily restricted to the processing step, support for encrypted files and disk security technology should be included if they apply to your organization. Popular technologies include: 1. Microsoft s Encrypted Files System (EFS) 2. Lotus Notes NSF and File level encryption 3. Credent (full disk encryption) 4. Safeboot (full-disk encryption) The message here is to simply understand your environment and take care in evaluating your solution so roadblocks are identified early in the vendor assessment phase. Application should support a full range of deduplication (identification of exact duplicates) options, including but not limited to: 1. Duplicate file at the Case or Custodian level 2. Deduplicate email at the Case or Custodian level with options for a. To: b. From: c. CC: d. Bcc: e. Subject: f. Sent/Received time g. Attachment count h. Email Hash (body or attachment) Duplicate identification should be flagged with reports available to note what documents/email are duplicates with associated counts. EDRM ANALYSIS While this phase appears in the EDRM after Review, the practical application of Analysis should be prevalent throughout all phases. For purposes within this guide we have chosen to represent Analysis as the Early Case Assessment and Early Data Assessment activity. Keyword Culling Pre-defined Filters Application should have an efficient and effective method for analyzing and reducing the subject corpus of data down to a manageable subset, using keyword and keyword variations. At a minimum filter criteria should include the following 1. Stemming 2. Phonic 3. Synonym 4. Related 5. Fuzzy 6. Multi-word 7. Boolean Inclusive filters should offer in-document hit highlighting and keyword counts. Pre-defined filters should be available within the review interface for efficient culling of irrelevant files or simply to better understand the overall dataset. Pre-defined filters should include, but are not limited to: 1. Encrypted Files 2. Decrypted Files 3. Duplicate Files 4. Graphics 5. Email fields (To:, From:, Subject, etc.) 6. Custodians Analysis Reporting and Metrics Analysis and reporting of the ECA/EDA phase should simply be able to quantify (what and how many) documents DID and DID NOT meet search criteria. These reports and metrics are critical input to further AccessData EDRM Buyers Guide 2011
Email Discussion (thread) Support Additional Evidence Data/Evidence Bookmarks Security Audit Report development of overall case strategy, as well as additional collection steps. Reporting should further be able to quickly determine if chronological or conceptual gaps exist in the current data set. Application should support a dedicated view of email data that allows for a contextual understanding of the chain of communication, including parties involved and subjects. This email view should further support an easily navigable interface to sort according to any variety of email fields including, but not limited to: 1. To: (CC:, Bcc:) 2. From: 3. Subject: 4. Email Domains 5. Display Name 6. Date Sent 7. Date Received 8. Email with attachments 9. Email with replies Support for easily adding data to current review set should be available at any point during the analysis or review phase. Complete reprocessing of data should not be required to add new evidence and assign to a specific matter and custodian. Bookmarks should be available at the global and case level to support data organization and analysis for operations in bulk. While a good deal of time is spent in securing data once it has been collected, a minimal amount of time is spent understanding who and what has interacted with the data once it enters the Analysis and Review phases. Sensitivity and concerns over disclosure are no less relevant further downstream in the EDRM, in fact it is likely that a greater number and less controlled team is conducting Review and Analysis. Therefore we are strong advocates for a thorough reporting function that clearly illustrates who viewed what data and when. The report should include the user, case, action taken and data object of reported action. EDRM REVIEW This phase is generally conducted by an attorney or other skilled practitioner and is intent on sub-categorizing documents in a cost effective and efficient manner. The overall objectives are to identify relevant facts, further refine case strategy and to reduce risk to the client. User Interface Intuitive Security Permissions Redactions and Tagging/Coding Bulk Tagging/Coding User interface should be relatively intuitive for the novice user, while offering advanced features for those performing unique case requirements. There should be a balance between ease of use and lacking the functionality to solve the business problem completely with a single tool. Application security should support the ability to limit access to redactions, documents and tags to specific application roles or audiences. These permissions should be configured easily at any point in the review cycle. Tagging of document families, large search results or email threads should be supported to expedite review. Unicode Support Duplicate Management Application should support viewing and searching of foreign languages, including conversion and export into Review platform load files and hard copy output. 1. Duplicate coding is consistent across custodians and includes redactions 2. As new data is added existing coding/redactions are auto applied Redaction Support Text Highlighting Persistent Redactions should be supported and include text overlay, as well as custom color schemes. Redactions should appear transparent when performing review. Redactions should offer the ability to be burned in with text. Hits from previously executed searches should remain highlighted across email, attachments and loose files. Support for customized highlighting during review for marking privilege, attorney names and search terms. Near-Native Document Viewer Documents should be viewable in near-native context within a single interface without requiring the native application. This speeds review time and significantly reduces cost and installation complexity. AccessData EDRM Buyers Guide 2011