How to preserve critical data and avoid being fried in court

You know that feeling you get when you realize you forgot to do something important? That’s how you’ll feel if you overlook something during the e-discovery process when your company is involved in legal proceedings.

And the consequences could be devastating. Judges don’t take kindly to lost or destroyed evidence, so your company could be hit with multimillion-dollar fines or lose an otherwise winnable court case. Here are some best practices to help you avoid such a scenario.

Talk to your legal department on a regular basis. Let’s face it — the legal department isn’t an IT manager’s favorite place to spend time. However, it’s vital that legal and IT are on the same page when it comes to information management policies and e-discovery processes. One benefit of meeting with in-house counsel regularly is that you’ll get to know the key contacts so you’ll be prepared to act fast if your company does face legal action. And the best part is that it greatly reduces the surprises you could face down the road.

Make your information-handling practices routine and consistent. It’s critical to be able to prove in court that your standard operating procedures are maintained and followed by every individual in your company.

For example, waiting until your backup system pages you because it needs a tape mount and then grabbing the last few tapes from an old backup that you “know is out of date” and sticking them in for overwrite should not be routine or consistent. Trust me; you don’t want to have to explain later why you chose those specific tapes to overwrite. And no, “because they were on top” isn’t an acceptable or defensible answer.

If your data retention policy requires the destruction of data, then it’s even more critical for you to be unfailingly consistent with your approach. Destroying data on time is just as important as backing it up.

Keep a trail. Backup logs, system and event logs, shipping receipts, help desk tickets, work requests, e-mail, meeting notes, journal entries, and yellow sticky notes can all be resources for you to draw on when (not if) you need to recall or prove what you did or didn’t do in the course of a typical day.

Resist the power of the mouse. Making the mistake of copying pictures of last weekend’s camping trip into the “corporate sales” folder instead of the “camping” folder is one thing. But copying corporate files to the wrong folder during an e-discovery project can not only jeopardize your chain of custody, but also expose sensitive data to the wrong people.

In short, it can be a really big deal. In court, a mistake like that will cast doubt on your procedures and allow the other side to question whether your methods were consistent in the first place.

Using Windows Explorer and a mouse to copy or move files works great for most purposes, but in an e-discovery project, you’ll need something that’s more reliable and auditable. Tools such as Microsoft Corp.’s Robocopy, Access Data Corp.’s Forensic Toolkit and Guidance Software Inc.’s EnCase are popular alternatives.

Once an e-discovery project starts, you’ll hear the term chain of custody often. Basically, this means that you need to know — and that you should be able to prove — who had the data and when. The tricky part is that the chain has to start long before the e-discovery matter begins, so you need to take steps now to ensure that you can track the chain of custody in the future.

For instance, when an employee creates a file on your network and then you back it up, you need to keep track of the original author. Most backup software does this, or, at the very least, you can tell from the directory structure whether the file was in someone’s home directory.

Your description of the chain of custody should indicate when a file was a shared resource for a group of users, as opposed to something held by a specific individual. For example, you may know that a file named StatusReport2.doc was created by Ann Smith, but she saved it in a shared folder where her seven teammates could, and frequently did, open it and enter their own comments.

In that case, you’d describe the group (Ann’s Team) that had access to the documents as the custodians. When you back up the file and send the tapes off-site, you are the custodian.
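As an added illustration (not from the original article, and not how Robocopy, Forensic Toolkit or EnCase work internally), here is a small Python collection script that does what a mouse drag cannot: it hashes each file before and after the copy, refuses to overwrite anything, and appends one custody record per file naming the custodian and the person collecting. The function names, log fields and sample folder are assumptions, and the destination and log are assumed to sit outside the source folder.

```python
import getpass, hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files are never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def utc(ts=None):
    """ISO-8601 UTC timestamp for now, or for a POSIX timestamp."""
    when = datetime.now(timezone.utc) if ts is None else datetime.fromtimestamp(ts, timezone.utc)
    return when.isoformat()

def collect(src_root, dest_root, custodian, log_path, operator=None):
    """Copy files under src_root to dest_root, verify each copy, log custody."""
    src_root, dest_root = Path(src_root), Path(dest_root)
    operator = operator or getpass.getuser()
    entries = []
    with open(log_path, "a", encoding="utf-8") as log:  # append, never rewrite
        for src in sorted(p for p in src_root.rglob("*") if p.is_file()):
            dest = dest_root / src.relative_to(src_root)
            if dest.exists():
                raise FileExistsError(f"refusing to overwrite {dest}")
            dest.parent.mkdir(parents=True, exist_ok=True)
            before = sha256_of(src)
            shutil.copy2(src, dest)  # copy2 preserves modification time
            entry = {
                "source": str(src), "dest": str(dest), "sha256": before,
                "verified": sha256_of(dest) == before,
                "source_mtime": utc(src.stat().st_mtime),
                "custodian": custodian,      # who held the data before collection
                "collected_by": operator,    # who holds it now
                "collected_at": utc(),
            }
            log.write(json.dumps(entry) + "\n")  # one record per file, as we go
            entries.append(entry)
    return entries

def demo():
    """Run against a constructed shared folder holding one constructed file."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "share" / "AnnsTeam"
        share.mkdir(parents=True)
        (share / "StatusReport2.doc").write_bytes(b"constructed sample content")
        return collect(share, Path(tmp) / "evidence", "Ann's Team",
                       Path(tmp) / "custody.jsonl", operator="it-operator")
```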

Understand what spoliation is. Although you should get a specific ruling from your legal department, it’s generally understood that spoliation is the deliberate or negligent destruction, withholding or hiding of evidence when an investigation or litigation is under way. At the risk of stating the obvious, it’s a big no-no.

It doesn’t matter whether you think certain data is important; once the e-discovery process has begun, your opinion has no weight. You can’t risk charges of spoliation by deleting potential evidence. In Arista Records Inc. v. Sakfield Holding Co., the court found that the “[d]estruction of evidence raises the presumption that disclosure of the materials would be damaging.”

In general, this means that whether or not the deleted material was indeed damaging to your company, the fact that you destroyed it means the law automatically assumes it was damaging. Furthermore, key to the claim of spoliation is the notion that the person had knowledge of the investigation or litigation. In some cases, the mere anticipation of an investigation or litigation is all that is needed.

Be ready to preserve all data, immediately. Now that you know what spoliation is, you know how important it is to be prepared when the e-discovery process starts or you receive a “hold” or preservation request — a petition asking that certain data never be deleted or changed. If you have automatic cleanup or purging processes, you should suspend or discontinue them. If you don’t know how much data is subject to the hold request, which is a typical scenario, you should stop all data destruction to be on the safe side.

You’ll certainly want to be in very close contact with your legal department when a hold request comes along. Prepare a plan for responding to such a request, and test it just like you test your restore procedures.

Know what you have. Do you know where your data is? Do you think you have a handle on your data? Think again. I can’t tell you how many times I’ve heard someone say, “They’ve found another server/drive/tape/flash drive.”

IT staffers do a great job of taking care of current data, but as soon as data is put on a removable drive, it’s out of your control. There’s a lot of content out there that isn’t managed, and every bit of it is potentially subject to discovery in a lawsuit.

Think about the last time you upgraded the hardware for an application server; what did you do with the old hardware? Is it sitting in a closet, or maybe still in the old rack just in case you have to fall back to it? The upgrade project is long over, but I bet the server still has data on it. Sure, the data is “out of date,” but in terms of e-discovery, it could be a hornet’s nest.

It’s absolutely critical to keep track of backups and archives. Make sure you know where the tapes are stored before they’re sent off-site, and have a process in place to get them back once they leave the premises. Companies have faced sanctions for misplacing hard drives and then finding them later in the e-discovery process. Even that “busted old drive” can be critical when viewed in a legal light.

While these tips may not reduce the volume of e-discovery requests you face, they should streamline the process and give you peace of mind when e-discovery does arise.

Lawn is manager of custom services in the Houston office of FTI Consulting Inc. Contact him at

Source: Computerworld
