Thursday, September 22, 2016

There is More to ESI Besides Email Messages

The case of Emergency Response Specialists, Inc. v. CSA Ocean Scis., Inc. is an excellent example of the challenges in civil litigation. This Alabama case highlights the different types of ESI that can be relevant in a case, as well as the importance of retaining collection experts and knowing phone passwords.

The first relevant opinion is by Magistrate Judge Harwell Davis, III. See, Emergency Response Specialists, Inc. v. CSA Ocean Scis., Inc. (N.D.Ala. Aug. 4, 2016, No. 2:14-cv-02214-WMA) 2016 U.S. Dist. LEXIS 113221 (Hereafter ERS 1). The second is by District Court Judge R. David Proctor, who adopted and accepted Judge Davis’ recommendations. See, Emergency Response Specialists, Inc. v. CSA Ocean Scis., Inc. (N.D.Ala. Aug. 23, 2016, No. 2:14-cv-02214-RDP) 2016 U.S. Dist. LEXIS 112639 (Hereafter ERS 2).

Judge Davis explained that the Defendant’s president and majority shareholder had a computer crash that corrupted her email production. ERS 1, at *3. The Defendant used the recovery software from the server company in an attempt to recover her messages. Id. The Plaintiffs sought the email in native format. The Defendant claimed the recovered email was all that was available. This was very problematic, as the parent-child relationship between the email and attachments was broken. Moreover, the Defendant explained that if the Plaintiff looked at the email threads, they could determine who was the sender of the emails and the dates each message was sent. Id. As such, the Court gave the Plaintiff the opportunity to review the email production to determine if the messages could be put in chronological order with senders and recipients. Id.

The Court ordered the Defendant to produce any other unique emails with attachments if they existed on the Defendant’s laptop. ERS 1, at *3-4. The Defendant was also ordered to produce text messages and video files that were responsive to discovery requests. The text messages introduced a common wrinkle with smartphones: what is the phone password?

The context of the case made it appear that a former employee needed to provide his password for his former work phone, which was in the possession of his former employer, in order to recover the text messages on the device. ERS 1, at *4-5. Judge Proctor ordered the former employee to cooperate in providing his password to the Defendant. ERS 2, at *2. The Court informed counsel that if the former employee refused to provide his password, to report that to the Court, so the Court could further order the former employee’s cooperation in recovering the text messages. Id.

There are many lessons from this case. The first is the collection of data in a defensible manner. It is wise to avoid having a party turn themselves into a collection expert. While it is entirely possible the Defendant properly used the recovery software, it would likely be less stressful on the party and counsel to have a computer forensic expert attempt to restore the data. It is likely forensic software would have greater options to recover data than server software. This is highly dependent on what caused the crash; however, if email and attachments could be recovered, that could reduce the need for motion practice.

The other lesson is there are many forms of potentially relevant ESI. Video files can easily be overlooked in a case. Asking a client effective interview questions, and a meaningful meet and confer between attorneys, can help identify the possible types of relevant ESI in a case. The final lesson is passwords on work-issued phones. A service provider might have software that can crack a password. Alternatively, requiring this information when an employee leaves a company could also reduce this pain point.

Wednesday, September 14, 2016

Best Practices for the Collection of ESI

McGibney v. Retzlaff is a Federal case in the Northern District of California. Judge Beth Labson Freeman heard the Defendant’s Motion to Dismiss for Lack of Personal Jurisdiction. Her initial comment was “this case sees the Internet at its worst.” See, McGibney v. Retzlaff, No. 14-cv-01059-BLF, 2015 U.S. Dist. LEXIS 79434 (N.D. Cal. June 18, 2015).

I see a much different issue in this case. The identification of potentially relevant ESI is sorely lacking. The Court was informed about harassment via Internet postings on Twitter, Facebook, and a blog. The Plaintiff asserted that the Defendant used many aliases on these social media platforms, as well as with email.

Preservation and collection of data should occur once potentially relevant ESI is identified. There was no reference in the opinion that listed the Plaintiff’s efforts to preserve the relevant electronically stored information. We see these issues time and again. Here are our recommendations to acquire relevant ESI:

1. Propound Discovery upon the social media providers. The Stored Communications Act generally prohibits the production of stored content without a search warrant or government subpoena. However, those who receive a Discovery Request can identify subscriber information and account login information. Subscriber information may be anonymous, though at times will provide a lead to develop further, such as the IP Address that may be resolved to a specific Internet Service Provider. People are creatures of habit and may use the same username with their ISP, as they do with their social media account(s).

2. Email tracing and serving Discovery upon hosting providers. Email is a transitory medium that contains valuable metadata within the email “header.” Email servers and IP addresses may be identified, as well as accurate (and sometimes obfuscated) email addresses. In the case of Google, the Gmail username refers to the whole account. Again, these are leads to be explored.

3. Preservation notices. These communications should include as much specific information as possible, including account names and date ranges. Time is also of the essence. The opposing party and the third-party who hosts the content should be put on notice, although third parties will be held to a somewhat lower standard in many cases. Nonetheless, a recipient’s obligations and the propounding party’s expectations should be clearly identified.

4. ESI Collection. Social media and email collections should conform to industry standards for the handling of digital evidence. Methods should be defensible and repeatable, and qualified individuals should perform these tasks. Certain software solutions should be used to eliminate the alteration of evidence and its metadata, thereby reducing the potential for spoliation. Also, declarations should be submitted, when necessary, to reduce the risk of inadmissibility for key evidence.
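
The email tracing described in item 2, as an added example that is not from the original post: it reads the "Received" lines of a header oldest-first, pulls out the handing-off host, IP address and receiving server for each hop, and flags hops whose timestamp runs backwards. The message, hosts and addresses are constructed samples, and the function names are illustrative.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: example domains and documentation-range IPs only.
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id c3; Wed, 14 Sep 2016 09:15:12 -0700
Received: from relay.example.com (relay.example.com [203.0.113.25])
\tby mx.example.net with ESMTP id b2; Wed, 14 Sep 2016 16:15:09 +0000
Received: from laptop.local (unknown [192.0.2.44])
\tby relay.example.com with ESMTPSA id a1; Wed, 14 Sep 2016 12:15:05 -0400
From: "J. Doe" <alias@example.com>
To: recipient@example.org
Subject: constructed sample
Date: Wed, 14 Sep 2016 12:15:01 -0400

body
"""

FIELDS = {"from_host": r"\bfrom\s+(\S+)", "ip": r"\[([0-9A-Fa-f:.]+)\]",
          "by_host": r"\bby\s+(\S+)"}

def trace(raw):
    """Return the Received hops oldest-first (each server prepends its own line)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())            # undo header folding
        head, sep, stamp = flat.rpartition(";")   # the date follows the last ';'
        if not sep:
            head, stamp = flat, ""
        hop = {}
        for key, pattern in FIELDS.items():
            m = re.search(pattern, head)
            hop[key] = m.group(1) if m else None
        try:
            when = parsedate_to_datetime(stamp.strip())
            hop["when"] = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):           # missing or unparseable date
            hop["when"] = None
        hops.append(hop)
    return hops

def out_of_order(hops):
    """Indexes of hops stamped earlier than the previous dated hop."""
    flagged, last = [], None
    for i, hop in enumerate(hops):
        if hop["when"] is not None:
            if last is not None and hop["when"] < last:
                flagged.append(i)
            last = hop["when"]
    return flagged

if __name__ == "__main__":
    for hop in trace(RAW):
        print(hop)
```

Hops recorded before the first server the examiner trusts are written by the sending side, so they are leads to corroborate against provider records rather than findings on their own.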

Wednesday, September 7, 2016

Authenticating Photos with Metadata

The admissibility of digital evidence bridges the rules of evidence and computer forensics. In the case of Riverkeeper, Inc. v. Brooklyn Ready Mix Concrete, photos were offered by a witness to show unlawful dumping by the Defendant. Riverkeeper, Inc. v. Brooklyn Ready Mix Concrete, No. 14-CV-1055 (NGG) (SMG), 2016 U.S. Dist. LEXIS 108357, at *10-11 (E.D.N.Y. Aug. 16, 2016).

The Court explained, “The standard for admissibility of photographs requires the witness to recognize and identify the object depicted and testify that the photograph is a fair representation of what it purports to portray.” Riverkeeper, at *10, citing Zerega Ave. Realty Corp. v. Hornbeck Offshore Transp., LLC, 571 F.3d 206, 214 (2d Cir. 2009). The witness stated in his affidavit that he was the photographer and that the photos were accurate representations of what he observed on the date the photos were taken. The Court held the proffering party had offered an adequate foundation for the photos.

The Defendants challenged the authenticity of the photos, claiming that the photos were not taken on the day the photographer stated the photos were taken. Riverkeeper, at *10. The Court rejected the challenge, explaining that the defendants did not produce “any evidence calling into question the reliability of the metadata establishing the photographs’ creation dates.” Riverkeeper, at *10. The Court went on to say that the defendants “did not arrange for a forensic examination of the camera or the photographs, despite being given such an opportunity by the Court.” The Court found that the defendants’ challenges to the authenticity of the photographs were not persuasive. Riverkeeper, at *10.

This case illustrates a number of interesting aspects of authenticating and admitting digital photos as evidence, as well as a number of potential pitfalls of circumventing the forensic examination process. Let’s break down the basic facts: The Plaintiff submitted a number of digital photos taken with an unknown camera, possibly a digital camera or from a smartphone, which is very common these days. If the evidence had only been produced in hard copy form, a number of arguments could have been made against admission, including the ability of the Defendant to acquire and examine the evidence in its native file format.

In this case, the Plaintiff provided the Court copies of the original electronic files, including metadata that was not specifically described. The court noted the filenames appeared to correspond to date and time stamps, due to the naming convention. Exhibit O was listed with the filename 20150914_110215.jpg. The question arose as to whether or not the filenames were created programmatically from the digital device or if they were renamed as they were copied to new media. If the latter is accurate, the file date and time stamps would also have been altered, giving rise to a potential spoliation claim.

Unfortunately, the Defendant claimed the photos may have been taken on other dates, asserting they were not authentic. Also, the Defendant did not take advantage of the opportunity to validate the Plaintiff’s claims by utilizing a digital forensic examination of the evidence, nor did he challenge any potential chain of custody issues. This weakened his position and resulted in his testimony that “he really didn’t know when the pictures were taken.”

Recognition and identification of evidence are necessary characteristics for admissibility. The photographer claimed in an affidavit that he took the photos and they were an accurate representation of what he witnessed. His testimony was consistent in this regard. Although the standard was met, recommended practices with digital evidence would include the following:
  1. Digital evidence is acquired in a forensically sound or defensible manner. Forensically sound ensures that no alteration to the evidence occurs. This is usually accomplished with various hardware or software solutions. With civil matters, a “defensible” collection may be required. Defensible may be defined as a repeatable process that is documented.
  2. The evidence is authenticated with a hash algorithm. Common standards are known as “Message Digest 5 (or MD5)” or “SHA-1.” These are mathematical values that may be considered “digital fingerprints.”
  3. Evidence is stored on a “forensically-prepared” piece of media. Removable “thumb drives” or external drives may be used. Forensically-prepared means the drive has undergone a data “wiping” process to prevent any potential cross-contamination or comingling of evidence.
  4. A Chain of Custody form is completed to specifically identify the evidence, and to track who handled the evidence.
  5. A digital forensic examination is conducted on the evidence. The file properties and hash values are recorded. The examination may reveal any alteration based on date and time stamps, and file sizes and/or hash values (if an exemplar is available for review). The file metadata may also include Exchangeable Image File Format (or EXIF) data. This information provides additional details, such as the specific make and model of the device the image was created with, photography settings such as f-stop and ISO speeds, software and version number, compression, and the distance from the source, to name a few.
To conclude, technology, processes and people trained in digital evidence exist to ensure that the evidence at issue is handled and authenticated properly before presenting to the Court. Additionally, these skills may be used when suspicions arise as to the reliability of the evidence that is proffered.
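
Steps 2 and 5 of the list above, together with the filename question raised for Exhibit O, as an added example that is not from the original post: it records MD5, SHA-1 and SHA-256 digests (SHA-256 is an addition to the two the list names), decodes a YYYYMMDD_HHMMSS filename, and shows that a plain copy keeps the hash but resets the modified time. The file contents are constructed sample bytes, the function names are illustrative, and EXIF parsing is not attempted.

```python
import hashlib
import os
import re
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

NAME_RE = re.compile(r"^(\d{8})_(\d{6})\.jpe?g$", re.IGNORECASE)

def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Stream the file once; return {algorithm: hex digest}."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def filename_timestamp(path):
    """Decode a YYYYMMDD_HHMMSS.jpg style name; None if it does not fit."""
    m = NAME_RE.match(os.path.basename(path))
    try:
        return datetime.strptime("".join(m.groups()), "%Y%m%d%H%M%S") if m else None
    except ValueError:  # digits present but not a real date or time
        return None

def examine(path, tolerance=timedelta(minutes=2)):
    """Record file properties and hashes; compare name time with modified time."""
    st = os.stat(path)
    modified = datetime.fromtimestamp(st.st_mtime)
    named = filename_timestamp(path)
    return {
        "file": os.path.basename(path),
        "size": st.st_size,
        "modified": modified.isoformat(timespec="seconds"),
        "name_time": named.isoformat() if named else None,
        "name_matches_modified": named is not None and abs(modified - named) <= tolerance,
        "hashes": hash_file(path),
    }

def demo():
    """Constructed sample: an 'original', a plain copy of it, and an altered copy."""
    original = Path(tempfile.mkdtemp()) / "20150914_110215.jpg"
    original.write_bytes(b"\xff\xd8 constructed sample bytes, not a real photo \xff\xd9")
    shot = datetime(2015, 9, 14, 11, 2, 15).timestamp()
    os.utime(original, (shot, shot))                     # stand-in for the device's write time
    copied = shutil.copy(original, tempfile.mkdtemp())   # content kept, modified time reset
    altered = Path(copied).with_name("altered.jpg")
    altered.write_bytes(original.read_bytes() + b"\x00") # one extra byte changes every digest
    return examine(original), examine(copied), examine(altered)

if __name__ == "__main__":
    for record in demo():
        print(record)
```

A matching digest shows the copy's content is identical to the recorded original; a filename that still decodes while the modified time no longer agrees with it is the pattern left by copying without preserving timestamps.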

Friday, September 2, 2016

Proactive Approaches to Compliance Require Broad Optics

Highly-regulated industries such as healthcare, energy, financial and government are advised to stay on top of compliance needs, which include legal and enterprise risk. This quest serves the health of the organization and keeps regulators happy. What best practices support this rather challenging goal? It begins with common sense and continues with a centralized approach to research and investigation.

Common-Sense Approach

The goal of compliance efforts is to mitigate threats to the health of an enterprise and to stay within the legal requirements imposed by regulation and law. The primary focus in the compliance arena in most industries / sectors is on fraud and corruption. Nefarious actors are finding new ways to pillage and cheat and there are an almost infinite number of ways within which to carry out their schemes. But how does one herd these cats?

The most commonly used approach is to find anomalies – outliers that suggest activity is outside the “norm.” The idea is to find a baseline of “normal activity” and then identify any activity that falls sufficiently outside that baseline. If a salesperson’s average monthly sales at a company is $1 million a month, why is salesperson ‘A’ doing three times that amount? Does she simply have exceptional skills or is she taking bribes or kickbacks? Salesperson ‘A’ has sales that fall well outside the norm – this is an outlier or anomaly and a place to focus efforts. Using this approach, virtually any enterprise with changing needs can attempt to address risk. Merely redefine what is “normal” and the process starts anew.

How does one establish the norm? Of course, this is highly dependent on context but company records are a great place to start. Here are some ideas, to name only a few:
  • What constitutes a typical transaction? Certain data analytics tools can take years of records and identify what constitutes a “typical” transaction. Are there transactions that deviate from this baseline? Do they suggest checks-and-balances are being bypassed? Are there unknown actors in the sequence of a transactional process?
  • What are common communications patterns? An area of study called “graph theory” is helpful in this area; one implementation is what many know as “social network analysis.” Graph theory helps establish communication patterns that can then be used to find outliers. Among the many email domains, why do we find one small set of emails using a particular domain? Is someone communicating with a competitor? Are trade secrets being sent outside of the company?
Anomaly detection is one method. There are also technologies that find strong correlations between events or things. If there are thefts occurring, who was working at that time (i.e. is there a strong correlation)? Are dips in profit associated with transactions with certain entities (suggesting skimming or other misappropriation)? There are also ways to identify language used by those who are committing nefarious acts. The tool set is rich but the high-level attack must be a common-sense one.

A Centralized Approach to Investigation

A myopic approach to compliance only leaves cracks where risk can slip through. At times, compliance professionals focus on particular verticals within an organization without consideration of their entire ecosystem.

An area of study called “Business Process Management” is used to identify all business units, their workflows and accompanying technical infrastructure. Compliance professionals are increasingly focusing in this area to wrap their solutions around the high-level needs and for a centralized approach. Some of the topics in the technical arena include:
  • Review of Corporate Email – use of e-discovery tools to analyze employee communications.
  • Log Analysis – collection of logs from all enterprise software applications to follow activity in a centralized way. Web servers, email applications, ERP systems, network appliances and firewall software, among others, send their logs to one analytics implementation.
  • Call center and Surveillance Monitoring Analytics – new solutions analyze call-center discussion in near real-time. Surveillance systems use facial recognition to help identify activity.
  • Social Media and Online Sources – social media and other online sources can be monitored in real-time to track other enterprise-relevant activity.
The above approaches, while not an exhaustive list, are combined with more conventional approaches such as interviews, surveillance and database-records research to bring a holistic picture into focus.

Using common-sense approaches considered in a centralized way, compliance professionals will be able to find balanced and efficient ways to mitigate risk and to remain compliant with relevant regulation.