1 / 43

Federal E-Discovery Rules – Hindrance or Opportunity?

M. Peter Adler JD, LLM, CISSP, CIPP Adler InfoSec & Privacy Group LLC. AIPG. Federal E-Discovery Rules – Hindrance or Opportunity?. EDUCAUSE LIVE! January 9, 2007. Agenda.

halia
Download Presentation

Federal E-Discovery Rules – Hindrance or Opportunity?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. M. Peter Adler JD, LLM, CISSP, CIPP Adler InfoSec & Privacy Group LLC AIPG Federal E-Discovery Rules – Hindrance or Opportunity? EDUCAUSE LIVE! January 9, 2007

  2. Agenda • Overview of the 12/1/06 Amendments to the Federal Rules of Civil Procedure concerning Discovery of Electronically Stored Information (ESI). • ESI Retention and Destruction Program • Key Elements • Overlap with Privacy and Security Programs • Relationship with Litigation/Litigation Adler InfoSec & Privacy Group LLC

  3. The Federal Rules of Civil Procedure provides the following discovery tools: Depositions Upon Written or Oral Written Questions (Rules 30, 31 and 32) Written Interrogatories (Rule 33) Production of Document or Things (Rule 34) Permission to Enter Upon Land for Inspection and Other Purposes (Rule 34) Physical and Mental Examinations (Rule 35) Requests for Admission (Rule 36) And the following tools to ensure or excuse discovery: Motion to Compel (Rule 37(a)) Protective Orders (Rule 26(c)) Sanctions (Rule 37 (b),(c)&(d)) Discovery “The pretrial devices that can be used by one party to obtain facts and information about another party in order to assist the party’s preparation for trial.” - Blacks Law Dictionary Adler InfoSec & Privacy Group LLC

  4. Configuration of computers workstations and file servers Mirror disks Swap files Removable media (diskettes, fobs, tapes, etc.) Metadata Temporary files and fragments Histories Embedded comments Audit trails and log files Access control lists (ACL) EDI and VAN Legacy Systems Internet information Corporate intranets Email Home Computers and laptops PDAs Backup tapes and facilities “Deleted” files Peripherals Non-textual electronic devices See also, Chapters I and IV of the Federal Guidelines for Searching and Seizing Computers for additional sources of Electronic Evidence http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm Potential Sources of ESI Adler InfoSec & Privacy Group LLC

  5. Overview of Federal Rules of Civil Procedure Relating to ESI • New and amended rules of civil procedure governing the treatment of electronically stored information (ESI) were effective December 1, 2006. • These Rules are broken into the following categories: • Early attention to ESI discovery issues: Rules 26(a) and (f) and 16 (b) • Better management of discovery of ESI that is not reasonably accessible: Rule 26(b)(2) • Procedure for assertions of privilege after production: Rule 26(b)(5) • Interrogatories and Requests for Production of ESI: Rules 33(d) and 34(a) and (b) • Sanctions pertaining to ESI: Rule 37(f) • Note: As always, the Amended Rules may be subject to Local rules that impose more specific obligations on the parties. Adler InfoSec & Privacy Group LLC

  6. Early Attention to ESI Discovery Issues • Rules 26(f) and 16(b) • Require that parties to a federal case consider, at the start of the case, the manner in which ESI will be preserved, maintained and provided. • Rule 26(a) • As part of their automatic initial disclosures, the Rule has been amended to include copies or descriptions of the categories or locations of ESI that the disclosing party may use to support its claims or defenses. Adler InfoSec & Privacy Group LLC

  7. Rule 26(f) Amendments • “(f)…discuss any issues relating to preserving discoverable information and to develop a proposed discovery plan…concerning: • (3) any issues relating to disclosure or discovery of electronically stored information, including the form or forms in which it should be produced; • (4) any issues relating to claims of privilege or protection as trial-preparation material, including – if the parties agree on a procedure to assert such claims after production – whether to ask the court to include their agreement in an order;” Adler InfoSec & Privacy Group LLC

  8. Rule 26(f) ESI Issues to be Discussed • Topics for discovery and time period • Sources within the parties control that should be searched for ESI • Whether the information is reasonably accessible to the party that has it (including burden and cost of retrieval) Rule 26(b)(2)(B) • Form or forms in which the information may be produced (See Rule 34(b)) • Issues relating to preservation of discoverable information • Balance between competing needs to preserve relevant evident and continued operations. (Rule 37) • See discussion on ESI retention program • Assertions of privilege or of protection as trial preparation materials (Rule 26(b)(5)) • Can parties through agreement prepare procedures for asserting such claims and avoiding waiver of privilege? Adler InfoSec & Privacy Group LLC

  9. Meeting of Parties: Timing • The parties should meet to address ESI issues as soon as possible under Rule 26(f) • Rule 26(f) provides that the parties are to confer 21 days before the Rule 16(b) scheduling conference. • The Rule 16(b) scheduling conference is to be held 120 days after the complaint is filed. • That leaves 99 days to get the ESI issues worked out. Adler InfoSec & Privacy Group LLC

  10. Early Attention to Electronic Discovery: Rule 16(b) Pretrial Conference • Form 35, is appendix to the Rules intended to serve as a model for a joint report of the parties to the court on the outcome of the Rule 26(f) conference; and the basis for the Rule 16(b) pretrial conference with the judge • The Rule 16(b) pretrial conference will result in a scheduling order delimiting time for discovery, filing motions and other pretrial activities. • Amended Rule 16(b) provides that the scheduling order may include: • provisions for disclosure or discovery of ESI • any agreements the parties reach for asserting claims of privilege or protection as trial-preparation material after production Adler InfoSec & Privacy Group LLC

  11. Early Attention to Electronic Discovery: Automatic Initial Discovery Rule 26(a) • Rule 26(a) provides that litigants must include, as part of their automatic initial disclosures, the following information (except when it is used solely for impeachment): • The name, and if known, the address and telephone number of each individual likely to have discoverable information that the disclosing party may use to support its claim or defenses, identifying the subjects of the information; and • A copy of or a description by category and location of ESI that that are in the possession, custody or control of the party and that the disclosing party may use to support its claims or defenses. Adler InfoSec & Privacy Group LLC

  12. Discovery of ESI that is “Not Reasonably Accessible” Rule 26(b)(2)(B) • Under Rule 26(b) a responding party should produce ESI that is relevant, not privileged and reasonably accessible • Rule 26(b)(2)(B) provides that a party need not provide discovery of ESI from sources that the party identifies as not reasonably accessible because of undue burden or cost • Initially, the producing party makes the call on what reasonably accessible ESI it will produce Adler InfoSec & Privacy Group LLC

  13. Reasonably Accessible ESI • No hard rule, but will be ultimately determined on a case-by-case basis. • “Accessible information is electronically-stored information that is easily retrievable in the ordinary course of business without undue cost and burden.” State Trial Court Guidelines, 1.B. • “ESI is reasonably accessible when it is stored in a readily usable format that “does not need to be restored or otherwise manipulated to be usable.” Quinby v. WestLB, 2006 WL 2597900 at *7 (S.D.N.Y., September 2006 (quoting Zubulake v. USB Warburg, LLC, 217 F.R.D. 309, 320 (S.D.N.Y. 2003) (Zubulake I)) Adler InfoSec & Privacy Group LLC

  14. Not Reasonably Accessible ESI • Although a decision on whether ESI is not reasonably accessible is made on a case-by-case basis, the Advisory Committee to the Rules identified the following as potential sources of ESI that is not readily accessible: • Back up tapes intended for disaster recovery purposes that are not indexed, organized or susceptible to electronic searching; • Legacy data from obsolete systems that is unintelligible on current systems; • “deleted data that remains in fragmented form but would require forensics specialists for reconstruction; or • Databases designed to create information only in certain ways not easily amenable to production. • Backup tapes were considered not reasonably accessiblein Zubulake v. USB Warburg, LLC 217 F.R.D. 309 (S.D.N.Y. 2003) (Zubulake III), Adler InfoSec & Privacy Group LLC

  15. Challenging a Claim that ESI is Not Reasonably Accessible • The Rules include a two-step procedure when dealing with ESI that is not reasonably accessible: • On motion to compel discovery (Rule 37) by requesting party or for a protective order (Rule 26(c)) by producing party, the party from whom the information is sought must show that the information not reasonably accessible because of undue burden or cost • If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause Adler InfoSec & Privacy Group LLC

  16. “Good Cause” • Even if a source of ESI is not reasonably accessible, the requesting party may still obtain discovery by showing good cause by balancing the costs and potential benefits, looking at: (1) the specificity of the discovery request; (2) the quantity of information available from other and more easily accessed sources; (3) the failure to produce relevant information that seems likely to have existed but is no longer available on more easily accessed sources; (4) the likelihood of finding relevant, responsive information that cannot be obtained from other, more easily accessed sources; (5) predictions as to the importance and usefulness of the further information; and (6) the importance of the issues at stake in the litigation; and the parties' resources. Adler InfoSec & Privacy Group LLC

  17. Options Available to Court: General Bases for Denial • Even with the showing of good cause, the court may deny discovery if it determines: • The discovery sought is unreasonably cumulative or duplicative or is otherwise obtainable from another source that is more convenient, less burdensome, or less expensive; • The party seeking discovery has had ample opportunity by discovery in the action to obtain the information sought; or • The burden or expense of the proposed discovery outweighs its likely benefit, taking into account the needs of the case, the amount in controversy, the parties’ resources, the importance of the issues at stake in the litigation, and the importance of the proposed discovery in resolving issues. Adler InfoSec & Privacy Group LLC

  18. Options Available to the Court: Sampling • The court may specify conditions for the discovery (Rule 22 (b)(2)(C)) • Sampling • Rule 34 permits testing or sampling of the ESI that is claimed to be not reasonably accessible. Forensic capabilities can be used to inspect ESI sources. • Byers v. Illinois State Police, 53 Fed. R. Serv. 3d 740 (N.D. Ill. 2002); Xpedior Creditor Trust v. Credit Suisse First Boston, 309 Fed. Supp. 2d 549 (S.D.N.Y. 2003). Adler InfoSec & Privacy Group LLC

  19. Options Available to the Court: Cost Shifting • There is a presumption that the responding party must bear the expense of complying with discovery requests. Oppenheimer Fund, Inc. v. Saunders, 437 U.S. 340, 358 (1978). • A court may issue an order protecting the responding party from undue burden or expense by “conditioning discovery on the requesting party’s payment of the cost of discovery.” Oppenheimer Fund, Inc. v. Saunders, 437 U.S. 340, 358 (1978); Zubulake v. USB Warburg LLC, 216 F.R.D. 280, 283 (S.D.N.Y. 2003) (Zubulake III) • The order may be granted only on a motion for a protective order brought by the responding party and only for good cause shown. Rule 26(c) • The responding party has the burden of proof on a motion for cost-shifting. Quinby v. WestLB, 2006 WL 2597900 at *7 (S.D.N.Y., September 2006) (quoting Zubulake v. UBS Warburg LLC, 216 F.R.D. 280, 283 (S.D.N.Y.2003) (Zubulake III)) Adler InfoSec & Privacy Group LLC

  20. Cost Shifting: Zubulake Seven-Factor Test • If the responding party is producing from inaccessible sources there is a seven factor test that must be considered: • The extent to which the request is specifically tailored to discover relevant information; • The availability of such information from other sources; • The total costs of production, compared to the amount in controversy; • The total costs of production, compared to the resources available to each party; • The relative ability of each party to control costs and its incentive to do so; • The importance of the issues at stake in the litigation; and • The relative benefits to the parties of obtaining the information. Zubulake v. UBS Warburg, LLC, 217 F.R.D. 309, 322 (S.D.N.Y.2003) (“Zubulake I” ) Adler InfoSec & Privacy Group LLC

  21. Production of ESI: Rule 34 • Rule 34(a) Adds ESI as a category subject to production in addition to “documents.” • Rule 34(b) adds procedures for requesting and objecting to the form for producing information and provides default forms of production. Adler InfoSec & Privacy Group LLC

  22. Production: Rule 34(a) • Production requests covers documents and ESI: • Including writings drawings, graphs, charts, photographs, sound recordings, images and other data or data compilations stored in any medium from which the information can be obtained. Adler InfoSec & Privacy Group LLC

  23. Form or Forms of ESI Production: Rule 34(b) • The form or form of the ESI can be agreed in the initial meeting described in Rule 26(f). • If the parties do not reach agreement, Rule 34(b) provides a default procedure for production of ESI. • A request may specify the form or forms of the ESI to be produced. • Responding party may object (in writing within 30 days after the request is served) to the requested form or forms of the ESI, stating the reasons for objection. • If a request does not specify the form or forms for producing ESI, a responding party must produce the ESI in a form or forms in which it is ordinarily maintained or in a form or forms that is readily usable. • If an objection is not received or no form is specified, the responding party must identify the form it has chosen in its Rule 34 response. • If the form or forms are disputed: • The requesting party then can move to compel production in a different form; or • The producing party may seek a protective order. Adler InfoSec & Privacy Group LLC

  24. Sampling, Inspections, Tests • Amended Rule 34(a)(1) provides that parties may request an opportunity to inspect, copy, test or sample ESI sought. • Burden and intrusiveness can be addressed under Rules 26(b)(2) and 26(c). • Issues of privacy, security, trade secrets, etc. • Does not include a routine right of access to a party’s information system, although access may be justified in some instances. Adler InfoSec & Privacy Group LLC

  25. Privilege and other Limits on Discoverability • Attorney-Client Privilege • Work Product Doctrine (Trial Preparation) • Trade Secrets and Proprietary Information • Copyright and License Restrictions Adler InfoSec & Privacy Group LLC

  26. Privilege and ESI: Rule 26(b)(5) • Guarding against privilege waiver is more difficult when discovery of ESI is sought. • The volume of the available information is enormous. • The forms in which ESI is stored make review and determination more difficult, expensive and time-consuming and less likely to detect all privileged information. • Inadvertent production and waiver may occur. • The failure to screen out even one privileged item may result in an argument that there has been a waiver as to all other privileged materials related to the same subject matter. Adler InfoSec & Privacy Group LLC

  27. Procedure: Asserting Party • A party asserting a claim of privileged must give notice to the receiving party: • In writing, unless circumstances preclude it (e.g., during deposition); • Specifically identifying the information and stating the basis for the claim; and • Detailed enough to enable the receiving party and the court to understand the claim basis and whether waiver has occurred. Adler InfoSec & Privacy Group LLC

  28. Procedure: Receiving Party • After receiving notice, each party that received the information must promptly return, sequester, or destroy the information, and: • May not use or disclose the information pending resolution of the privilege claim; and • Must retrieve all information disclosed to third parties prior to receiving notice. • The receiving party may present to the court questions whether the information is privileged or protection has been waived. • The party must provide the court and producing parties notice and serve all parties. Adler InfoSec & Privacy Group LLC

  29. Interrogatories: Rule 33(d) • Permits analysis of records, including ESI, to answer interrogatories when the cost is roughly the same for both parties • Cost analysis will be key: • Do costs include overhead costs of maintaining the necessary hardware and software and training personnel to use them? • May not be a good option considering potential business disruption, security compromise and privilege issues involved in having opponent access the system. • Better answer may be to produce the ESI Adler InfoSec & Privacy Group LLC

  30. Discovery of ESI from Non-Parties through Subpoena: Rule 45 • Applies to entities that operate computer networks for persons in litigation (e.g., ISPs, ASPs, employers, schools). • These non-parties are increasingly being asked to respond to subpoenas for ESI about a party’s computer use. • The amended Rule adds ESI and requires non-parties to face the same questions of preservation, cost, privilege, accessibility and form of production as parties. • Upon receipt of the subpoena, the non party to discuss with the requesting party about the scope of the request, protective measures and costs. • Court will relieve nonparties from “substantial costs” rather than “undue burden” which is a lower threshold Adler InfoSec & Privacy Group LLC

  31. ESI Retention Balanced Against Duty to Preserve • Legal Duty • e.g., Sarbanes–Oxley, HIPAA, FACTA and other document retention requirements • Lawyer’s duty to preserve evidence in discovery and litigation Continued Operations • Normal system Operations • Data Backup • Data Destruction Adler InfoSec & Privacy Group LLC

  32. Duty to Preserve • Duty attaches when a person knows or reasonably anticipates litigation involving identifiable parties and identifiable facts. • Encompasses potential evidence related to identifiable facts, which may shift as litigation proceeds.Stevenson v. Union Pac. R.R., 354 F.3d 739 (8th Cir. 2004) • Exists independent of any preservation demand letter, or court order. Wigington v. Ellis, 2003 WL 22439865 (N.D. Ill. 2003) (Wigington I); Treppel v. Biovail Corp., 233 F.R.D. 363 (S.D.N.Y 2006). • The fact that ESI is not reasonably accessible does not relieve a party from its duty to preserve the information if potentially relevant. Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2003) (“Zubulake IV”) Adler InfoSec & Privacy Group LLC

  33. Failure to Preserve: Sanctions for Spoliation • Duty to monitor preservation falls on inside and outside counsel. • Potential sanctions will vary on intent and behavior of producing party (bad faith, gross negligence, negligence) and degree of prejudice to the requesting party caused by spoliation. Possible sanctions include: • Fines; • Adverse inference jury instruction; • Striking of a pleading or defense; • Dismissal or default; and • Costs for supplemental discovery. Adler InfoSec & Privacy Group LLC

  34. Right to Destroy • Courts have acknowledged that organizations have the right to destroy - whether or not it is consciously deleted - electronic information that does not meet the internal criteria of information or records requiring retention. • “‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business …. It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances’ Arthur Andersen, LLP v. United States, 125 S. Ct. 2129, 2135 (2005). Adler InfoSec & Privacy Group LLC

  35. Safe Harbor: Rule 37(f) • The court will not impose sanctions parties who fail to produce ESI that was lost as a result of routine, good faith operation of an electronic information system, absent exceptional circumstances. Rule 37(f) • Good faith destruction of potentially relevant ESI will be difficult to establish when there is a claim pending or has received a credible threat of a claim. • A Committee Note to Rule 37 (f) states: “Good Faith in the routine operation of an information system may involve a party’s intervention to modify or suspend certain features of that routine operation to prevent the loss of information if that information is subject to a preservation obligation. Adler InfoSec & Privacy Group LLC

  36. ESI Production – Responding Party • Identifying ESI. • Locating ESI on media and information systems using state-of-the-art applications and forensic capabilities. • Retrieving ESI using specialized computer hardware and software and computer forensics methods. • Preserving ESI and providing notices to personnel and placing holds on destruction of the information. In this phase document retention procedures for preserving ESI are invoked. • Analyzing ESI to determine which is relevant and responsive. • Sorting through ESI and removing privileged electronic information and records from the production set and prepare logs in compliance with applicable law. • Producing ESI to the opposing party in an accessible or agreed to form. Adler InfoSec & Privacy Group LLC

  37. ESI Retention Risks • Spoliation and Sanction Risks. Because of retention duties, a party persuade the court that those documents that no longer exist were purged pursuant to a policy and were not willfully destroyed or spoliated. • Cost of Retrieval Risk. Knowing where information is stored or if it has been destroyed pursuant to document retention policies will avoid the high costs associated with e-discovery fishing expeditions. • Inability to Defend Risk. The loss of critical evidence potentially leads to the inability to properly defend a claim. Adler InfoSec & Privacy Group LLC

  38. ESI Retention Program • Compliance and Auditing Plan • Create or Amend Policy on ESI Retention and Destruction • Indexing and Document Naming System • Attorney-Client Privilege Procedures • Litigation Hold Procedures • Employee Training • Post-Implementation Compliance and Auditing Adler InfoSec & Privacy Group LLC

  39. Hindrance or Opportunity? • An ESI Management Program contains many of the elements found in security and privacy programs. • Removal of sensitive ESI on a regular basis will enhance an organization’s privacy and security. Adler InfoSec & Privacy Group LLC

  40. Examples of Overlap of elements of ESI, Security and Privacy Programs • Data classification • Map data flow • Identify systems • Evaluate IT function in creation, receipt transmission and processing of data • System Backup • Access rights • Third party contracts • Roles and responsibilities • Management of email • Procedures for storage of confidential, restricted access electronic records • Formal technology standards (ISO 17799, ISO 15489) • Auditing and review function Adler InfoSec & Privacy Group LLC

  41. ESI Retention • Review Written vs. Actual ESI Retention Practices • Creation • Use • Disposal • Are electronic records being kept as required by law and internal procedures? • Are electronic records being managed over their entire lifecycle? Adler InfoSec & Privacy Group LLC

  42. Litigation/Investigations • Procedures, roles and responsibilities for identifying and retrieving ESI. • Does offsite storage of ESI exist? If so, is it indexed or stored in a manner that adequately identifies them? • Litigation Hold • What is the process for determining when a claim arises? • Responsibility for determining necessity for litigation hold? • How is it authorized and communicated? • Scope? • What is the time frame? • Where are suspended electronic records kept? • How is the end of the litigation hold communicated, carried out and monitored? • What are the procedures for disposal of electronic records after a case closes? Adler InfoSec & Privacy Group LLC

  43. Contact Information M. Peter Adler AIPG Adler InfoSec & Privacy Group LLC 2103 Windsor Road Alexandria, VA 22307 Telephone: (202) 251-7600 Facsimile: (703) 997.5633 Email: adler@adleripg.com Adler InfoSec & Privacy Group LLC

More Related