Many organizations involved in litigation, investigations, or audits struggle to meet deadlines for collecting and producing electronically stored information (ESI) from employees without breaking the budget. The biggest challenges are typically faced by large organizations with multiple offices and large numbers of employees.
However, even smaller organizations with few offices face challenges if they have remote employees or employees who travel frequently, aka road warriors. In this first of a two-part series, I’ll discuss when and why organizations should choose a manual collection process. Part two will discuss the advantages and disadvantages of two automated data collection approaches.
In each situation, the organization is faced with a request for ESI and some portion of the potentially relevant ESI is located in remote offices or on laptops used by road warriors. Preserving and collecting ESI across multiple systems such as email and file servers, archival systems, Microsoft SharePoint, and personal computers can be challenging whether these systems are located centrally or in the cloud. Common challenges include:
- Pressing deadlines
- Risk of data loss or deletion
- Failure to produce responsive data without legal justification
- Lack of information technology (IT) department resources
- Miscommunication between the IT and legal departments
These challenges are compounded for organizations with remote offices or road warriors because more coordination and effort is inevitably required, thereby increasing expenses and the risk of failure. The key to success is determining which data collection approach is best for your organization. First, let’s discuss the traditional manual approach.
The Traditional Manual Approach
There are two different manual data collection approaches that organizations utilize with varying degrees of success. Employee self-collection and IT assisted collection.
The various data collection approaches often begin as part of an investigation, litigation, or audit that requires the identification of employees likely to have data relevant to a particular matter. Those employees, or data custodians as they’re called, are asked to forward or copy any relevant ESI they possess to a centralized location or storage device where the data is stored for later analysis and review by the legal team. One problem with this approach is that copying files could result in metadata information such as document dates being altered.
Another problem with this approach is that custodian’s memories fade over time and they may forget to produce relevant ESI. Even worse, a custodian with a personal stake in the investigation may intentionally delete the very files being requested in an effort to thwart the investigation. These scenarios could result in the organization facing sanctions or penalties, making employee self-collection a potentially risky and costly approach in almost any situation involving multiple custodians, offices, or large amounts of data.
IT Assisted Collections
The IT assisted collection approach is another manual approach that eliminates some of the risks associated with the employee self-collection method, but this approach often presents different challenges and often leads to “over collection” of ESI. Typically one or more employees in the IT or IT Security Department are instructed to collect data from employees believed to have information relevant to a particular case. To avoid overlooking or losing data, the IT resources collect data from numerous locations using computers loaded with specialized collection software.
Data to be collected from each relevant employee often resides on numerous devices including laptops, desktops, file servers, email servers, and other sources. Once all the data for each custodian is collected from each data source, the data is copied and consolidated to a removable hard drive or drives where it awaits future processing, analysis, and review by the legal department. Unfortunately for the IT department, this entire process is repeated for every new case and often results in a significant loss of productivity.
IT assisted collections were once the norm because this process was thought to represent the most efficient and effective way to avoid the risk of sanctions posed by the employee self-collection approach. However, this approach is quickly falling out of vogue for two reasons:
First, IT assisted collections can increase the time, cost, and risk associated with data collection because the use of different technology tools can be challenging. Organizations applying the IT assisted collection approach typically rely on off-the-shelf software such as Guidance Encase, Robocopy, ExMerge, Access Data’s Forensic Toolkit (FTK) or other tools to collect data from each relevant custodian. Frequently, different tools are utilized to collect data from different data sources.
For example, it is not uncommon for the IT department to use ExMerge to collect from Microsoft Exchange, Robocopy to collect from file servers, Encase to collect from laptops and desktops, and even other proprietary tools to collect data found in commonly used archives. In addition to being time consuming, utilizing multiple tools to collect and consolidate data results in licensing, training, and maintenance costs for each product and the risk of data loss or alteration is heightened since data collected from multiple tools must eventually be exported and consolidated for further processing, analysis, and review.
Lastly, using multiple IT staff with varying levels of expertise to collect data arguably increases the risk of metadata being altered and complicates the ability to maintain accurate chain of custody logs. In practice, many organizations using multiple collection tools spend countless hours trying to manually maintain chain of custody reports using Excel spreadsheets while other organizations simply neglect or ignore chain of custody requirements. Each of these situations virtually invites evidentiary attacks by savvy opponents.
The second reason IT assisted collections are falling into disfavor is because the approach often results in the over collection of data. To avoid the risk of sanctions or penalties resulting from data loss or deletion, sometimes entire laptop and desktop hard drives are copied or “imaged” (frequently called a “forensic image”). Similarly, IT resources are often incentivized to “copy everything” simply to avoid being forced to revisit data sources from which data has already been partially collected in response to a new request for information.
The IT assisted approach of forensically imaging drives can be effective in limited situations including criminal investigations and intellectual property theft cases since these matters sometimes require the recovery and analysis of deleted files, internet browsing history, and other non-user generated files for a discreet number of custodians. However, since most large matters do not require this degree of data recovery for most data sources, unnecessarily collecting data by making forensic images often results in a significant waste of time and money.
Which Approach is Right for Your Organization?
The risks and expenses associated with both manual approaches described above are often so high that organizations sometimes decide it is economically more efficient to settle lawsuits even when the lawsuit lacks merit. This untenable position has led many organizations to seek more efficient and repeatable methods to manage data collection that are automated. These automated approaches will be explored in my next post.