This is the sixth in a series revisiting Ball in Your Court columns and posts from the primordial past of e-discovery–updating and critiquing in places, and hopefully restarting a few conversations. As always, your comments are gratefully solicited.
The Path to E-Mail Production
(Part I of IV)
[Originally published in Law Technology News, October 2005]
Asked, “Is sex dirty,” Woody Allen quipped, “Only if it’s done right.” That’s electronic discovery: if it’s ridiculously expensive, enormously complicated and everyone’s lost sight of the merits of the case, you’re probably doing it right.
But it doesn’t have to be that way. Over the next four days, we’ll walk a path to production of e-mail — perhaps the trickiest undertaking in EDD. The course we take may not be the shortest or easiest, but that’s not the point. We’re trying to avoid stepping off a cliff. Not every point is suited to every production effort, but all deserve consideration.
EDD missteps are painfully expensive, or even unredeemable, if data is lost. Establish expectations at the outset.
Will the data produced:
- Integrate paper and electronic evidence?
- Be electronically searchable?
- Preserve all relevant metadata from the host environment?
- Be viewable and searchable using a single application, such as a web browser?
- Lend itself to Bates numbering?
- Be easily authenticable for admission into evidence?
Meeting these expectations hinges on what you collect along the way through identification, preservation, harvest and population.
“Where’s the e-mail?” It’s a simple question, but one answered too simply—and erroneously— by, “It’s on the e-mail server” or “The last 60 days of mail is on the server and the rest is purged.” Certainly, some e-mail will reside on the server, but most e-mail is elsewhere, and it’s never all gone, notwithstanding retention policies. The true location and extent of e-mail depends on systems configuration, user habits, back up procedures and other hardware, software and behavioral factors. This is true for mom-and-pop shops, for large enterprises and for everything in-between.
Consider a recent case where I was asked to assess whether a departing associate stole files and diverted cases. The firm used a Microsoft Exchange e-mail server, so I could have collected or searched the associate’s e-mail there. Had I looked only at the server, I would’ve missed the Hotmail traffic in the temporary internet files folder and the short message service (SMS) exchanges in the PDA synchronization files. Or the Microsoft Outlook archive file (.pst) and offline synchronization file (.ost), both stored on a laptop hard drive, and holding thousands more e-mails.
Just looking at the server wouldn’t have revealed the stolen data or the diverted business—searching elsewhere uncovered a treasure trove of damning evidence.
E-mail resides in some or all of the following venues, grouped according to relative accessibility:
- Online e-mail residing in active files on enterprise servers: MS Exchange e.g., (.edb, .stm, .log files), Lotus Notes (.nsf files), Novell GroupWise (.db files)
- E-mail stored in active files on local or external hard drives and network shares: User workstation hard drives (e.g., .pst, .ost files for Outlook and .nsf for Lotus Notes), laptops, “local” e-mail data files stored on networked file servers, mobile devices, and home systems, particularly those with remote access to networks.
- Nearline e-mail: Optical “juke box” devices, backups of user e-mail folders.
- Offline e-mail stored in networked repositories: e.g., Zantaz EAS, EMC EmailXtender, Waterford MailMeter Forensic, etc.
Accessible, but Often Overlooked:
- E-mail residing on remote servers: ISPs (IMAP, POP, HTTP servers), Gmail, Yahoo Mail, Hotmail, etc.
- E-mail forwarded and cc’d to third-party systems: Employee forwards e-mail to self at personal e-mail account.
- E-mail threaded behind subsequent exchanges: Contents diverge from earlier exchanges lodged in body of e-mail.
- Offline local e-mail stored on removable media: External hard drives, thumb drives and memory cards, optical media: CD-R/RW, DVD-R/RW, floppy drives, zip drives.
- Archived e-mail: Auto-archived or saved under user-selected filename.
- Common user “flubs”: Users experimenting with export features unwittingly create e-mail archives.
- Legacy e-mail: Users migrate from e-mail clients “abandoning” former e-mail stores.
- E-mail saved to other formats: PDF, .tiff, .txt, .eml, etc.
- E-mail contained in review sets assembled for other litigation/compliance purposes.
- E-mail retained by vendors or third- parties (e.g., former service provider.)
- Print outs to paper.
More Difficult to Access:
- Offline e-mail on server back up media: Back up tapes (e.g., DLT, AIT)
- E-mail in forensically accessible areas of local hard drives: Deleted e-mail, internet cache, unallocated clusters.
The issues in the case, key players, relevant times, agreements between the parties and orders of the court determine the extent to which locations must be examined; however, the failure to identify all relevant e-mail carries such peril that caution should be the watchword. Isn’t it wiser to invest more to know exactly what the client has than concede at the sanctions hearing the client failed to preserve and produce evidence it didn’t know it had because no one bothered to look for it?
Electronic evidence is fragile and ever changing, so once you’ve found the e-mail evidence, you must guard against its loss or corruption.
Tomorrow, we’ll walk through preservation thicket.
Ten years later, the panoply of e-mail sources hasn’t changed much. We need to consider virtually all the sources I mentioned a decade ago, and lately, several more of considerable importance. Cloud-based e-mail has spread from the home to the enterprise, and had I written this today, I’d have mentioned Office 365 and hosted Exchange. I’d talk more about Gmail and Google’s business tools.
I’d also underscore phones and tablets; but, I’d be hard-pressed to assign those sources the rubric, “easily accessible.” While it’s a piece of cake for a user to get to mail stored within mobile apps, it’s surprisingly difficult to collect and preserve e-mail content from these devices. Mail stored on iPhones and iPads will be giving e-discovery service providers fits for quite a while. I’ll add that it’s a serious error to assume that mail content stored on mobile devices replicates that available from servers. A local mail app on your phone or pad is as likely to maintain its own unique and persistent e-mail collection as your personal computer running Outlook.
Today, I’d mention e-mail journaling, using that term-of-art instead of the rather vague, “networked repositories.” I wouldn’t mention floppy and Zip drives!
So, how important is e-mail in e-discovery circa 2015? E-mail endures as a rich source of revealing evidence in business litigation and remains at the heart of spoliation claims long after Zubulake. but, e-mail has also come to be regarded as as a gray-haired medium. Texting has replaced e-mail as the go-to for freewheeling immediacy and candor; yet, we do nowhere near as well in our handling of texts in e-discovery as we do with e-mail.
Too, the most surprising development is just how little progress we’ve made in collecting, culling and reviewing e-mail evidence over the last ten years. Personal and business messages are still routinely commingled, subject lines remain unreliable and e-mail management is still resolutely idiosyncratic by user. Even now, WAY too many lawyers deal with e-mail evidence by printing it out or loading it into their own desktop copy of Outlook.
E-mail’s not going away soon; but, it’s likely to lodge in fewer unique locales as local and network storage continue to give ground to the Cloud.