Logo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Forensic Discoveries Newsletter

July 2009
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Welcome to Forensic Discoveries' eDiscovery and Digital Forensics Newsletter. Keeping you and your practice informed of the ever-changing realm and value of Electronic Discovery and Digital Forensics is the purpose of this newsletter. If you have a colleague that may be interested in subscribing, follow the instructions at the bottom of this newsletter to be added to the distribution. If you choose not to continue receiving this newsletter, follow the directions at the bottom of this newsletter and accept our apologies for intruding.
in this issue
When Employees Depart
Placing Former Employees On Legal Hold
Computer Forensics Has Taken On Increasing Importance in Civil Litigation
Data Theft Common By Departing Employees
Chattanooga Attorneys Sued On Alleged Use Of Email Obtained by Spyware
Deleting May Be Easy, But Your Hard Drive Still Tells Al
Governor Schwarzenegger Signs California's Electronic Discovery Act
Upcoming Speaking Engagements
EDiscovery Case Law
Previous Newsletters
 
We hope you enjoyed last month's article, "Two Weeks Until the New Rules". Due to a steady increase in new subscribers, Forensics Discoveries will continue to list previous newsletters. As others have done, please let us know of a specific topic you would like to see covered.

We have added a new newsletter archive section to our website. The improved archive interface provides the same interaction with the newsletter as the distributed newsletter. View the new newsletter archive here.
 
Below is a review of our previous newsletters:
 

August 2007 - "What is Computer Forensics?"

September 2007 - "Preparing Your Clients for EDiscovery - Part 1"
October 2007 - "Preparing Your Clients for EDiscovery - Part 2"
November 2007 - "Preparing for Your Clients' EDiscovery"
December 2007 - "Why Does My Case Need Electronic Discovery?"
February 2008 - "Computer Forensics Proves Intelletual Property Theft"
March 2008 - "In Search of the Holy Grail"
May 2008 - "When to Preserve"
June 2008 - "Electronic Discovery in Workplace Litigation"
July 2008 - "Proving Spoliation with Computer Forensics"
August 2008 - "Proposed Updated TN Rules of Civil Procedure"





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When Employees Depart

Nearly 60 percent of employees who quit a job or who are asked to leave are stealing company data, according to the Washington Post. Couple that with a nearly 9.5 percent unemployment rate and these statistics could be bad news for company owners and managers who find their intellectual property is being used by former employers for new opportunities.
 
The reason for data theft is simple: a competitive edge against their former employer. Why start a client list from scratch when you can simply use one that has been very successful for the prior employer? How much value is there in price lists, product designs, and the launch date of the newest product line? With most business intelligence of a company stored in computer systems, examples of how valuable data can be stolen are infinite.
 
The second threat with departing employees is the possibility of malicious actions. What would be the impact to the company if critical digital files were destroyed or information systems were disabled? To demonstrate the extent and expense of intellectual property theft, fraud, and damage of corporate networks, U.S. corporations lost $59 billion in proprietary information and intellectual property during the past year, according to a report released by the American Society for Industrial Security (ASIS). Another study, Unsecured Economies, states that 46 percent of the American companies surveyed stated, "laid-off employees are the biggest threat caused by the economic downturn". To complicate matters, the increase in employee mobility has a significant adverse impact on the ability to protect confidential information.
 
Companies have typically taken the appropriate steps to protect themselves from employment litigation, but it is just as important to protect their own assets.  Surveys show that one of the greatest fears of companies today is the "insider threat", those employees that have access to business sensitive information or the ability to cause disruption to a company's operation. With proper preparation, not only can computer forensics determine the theft, fraud, espionage, sabotage, etc, it can also be used to provide critical evidence against the perpetrator.

As the recession's depth and duration cannot be predicted, it is certain that businesses are laying off experienced employees whose jobs gave them broad access to company intelligence: research and development information, customer lists and related information, financial information, strategic plans and road maps. With all of this information stored digitally, data theft and destruction are easier than ever to execute. With digital forensics, the capability is available to prove these acts if they occur. But to be successful at proving wrongdoing, the proper measures must be taken. In matters involving intellectual property theft, computer forensics can determine digital information copied to USB drives, emailed to personal accounts, transferred to Internet servers, and printed onto hard copies, just to name a few. In dealing with matters of sabotage, computer forensics can demonstrate the malicious actions taken against the computer system(s), methods used, and a precise timeline of the events.
 
For most employee exits, human resource departments have the adequate steps in place to prevent or prepare for employment litigation. These procedures are designed as a defensive mechanism. When the information that facilitates the success and competitive edge of a company is at stake, offensive steps also need to be taken as necessary.  When key employees that have access to key company information leave the company, their computers and cell phones should be properly preserved immediately. Any delay in proper preservation of the digital information may destroy critical information needed. In most instances, the actions of the departing employee are not immediately obvious. The timeline could be weeks, months, even years before foul play is suspected when the employee's new company is suddenly being awarded contracts that your company should have received or when the new product line of their new company closely resembles what your engineers have been working on for years. The examples are limitless. When proper and timely preservation of digital evidence occurs, this information may provide all of the information needed to prove the act of intellectual property theft or malicious activity.
 
The act of preservation can be as simple as preserving the original hard drive used by the employee and deploying the computer with a fresh installation onto a new hard drive or consulting with a company that provides digital forensic services to create forensic images of the computers and cell phones used by the employee. A paramount point to be made is that the integrity of the information is just as important as the timeliness of the preservation. Only properly trained and experienced computer forensic professionals should access digital information that needs to be investigated. Any attempts to review the information by anyone other than qualified professionals could render the evidence useless. The simple act of powering a computer on changes the access times on hundreds of files. Searching the hard drives for specific information, when not performed properly, will also change access and modification times of the files opened. These modifications could render the needed evidence useless, as the integrity of the information will be questioned.
 
In summary the threats are:
·      Theft of data, and/or
·      Destruction of data
And your most Important actions are:
·      Plan ahead - put an action plan into your employee exit procedures
·      Preserve the hard drives and other equipment
·      Don't allow unqualified personnel to corrupt the evidence



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Placing Former Employees On Legal Hold

 

Information published a good article addressing the need to preserve the electronic information of former employees. However, the litigation and forensic specialists here at Forensic Discoveries suggests full forensic images of the laptops used by the employees. Preserving a forensic image will  ensure that both active and deleted information is preserved.

the article can be read in it's entirety by clicking here

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Computer Forensics Has Taken On Increasing
Importance In a Complex World

Intellectual property theft occurs and most every industry and most often involves technology. Below is a good story of leveraging computer forensics to prove he theft by departing employees.

"The battle between the two local newspaper giants a couple years ago is a prime ex-
ample of the increasing importance of computer forensics in civil litigation.
In March 2007, shortly after Par Ridder left his job as publisher of the Pioneer Press to go across the river and become the publisher and CEO of the Star Tribune, allegations arose that he had taken confidential financial data with him to his new job.".

Read the entire article by clicking here
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Data Theft Common By Departing Employees

 "Nearly 60 percent of employees who quit a job or are asked to leave are stealing company data, according to report by the Ponemon Institute, a Tucson based research group. The survey was based on interviews with 945 adults who were laid off, fired or changed jobs in the last year."

Read the entire article by clicking here
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Chattanooga Attorneys Sued On Alleged Use Of Email Obtained From Spyware

The use of commercial "spyware" to monitor computer usage is growing in popularity in divorce matters. Speaking from experience, this software is very difficult to detect by trained computer forensic investigators and will not be detected by any of the protection tools installed on computers (anti-spyware, anti-virus, etc).

The use of this software has spawned two different lawsuits in East Tennessee. The first is a law firm in Chattanooga, "$2 million Circuit Court lawsuit has been filed against the law firm of Berke, Berke and Berke over the alleged use of email spyware". Read the entire article by clicking here.

The second is an instance in which the "spyware" was discovered to exist after a forensic analysis of both business and personal machines in a divorce matter. After the divorce matter settled, the plaintiff filed a Federal Lawsuit under the Federal Communications and Privacy Act. More information can be found by clicking here. Accessing the complaint via PACER link is worth the fee for 10 pages in my opinion as it provides a very good explanation of the capabilities of this "spyware"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting May Be Easy, But Your Hard Drive Still Tells All

"It was only a single digit in a 20-page Microsoft Word contract between two partners, but Scott Cooper earned his fee several years ago when he found it.

Cooper, a computer forensics expert, learned that the numeral "1" had been scrubbed in some later versions of this digital document. This gave his client, a partner in a software firm that had recently been sold, just a 5 per cent rather than a 15 per cent share in the company. If the change had gone undetected, the partner would have received $32-million (U.S.) rather than his rightful $96-million payout."
 
Read the entire article by clicking here

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Governor Schwarzenegger Signs California's Electronic Discovery Act, to be Effective Immediately

Tennessee was not the only state that adopted updated Civil Rules for eDiscovery. "After previously vetoing a prior version of the bill for budgetary reasons, Governor Schwarzenegger signed California's Electronic Discovery Act last night, to be effective immediately. Closely tracking the 2006 amendments to the Federal Rules of Civil Procedure, the act institutes procedures to guide the discovery of electronically stored information in California."

To read the full text of the Electronic Discovery Act click here
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Upcoming Speaking Engagements

eDiscovery Seminars

U.S. Magistrate Judge Cliff Shirley, Chuck Young from Kramer Rayson, and I conducted a half day seminar last month for the Tennessee Bar Association. The seminar, in contrast to conventional eDiscovery presentations, presented five interactive modules based on hypothetical situations. The scenarios0 were drawn from actual cases, with some adjustments, and were by no means "far-fetched." As we asked our participants to work through the problems, we provided legal, technical, and judicial perspectives on how each situation can be best handled - and what traps can be avoided.  The TBA held other eDiscovery seminars at about the same time as ours, and our seminar earned higher ratings from attendees than the others did.   In view of the success of the seminar, we are approaching bar associations in East Tennessee to determine their interest in our conducting the seminar for them.  If you, or someone you know, would be interested in this seminar, please contact your local bar association and request this seminar.

ETLAW

Bill Dean will be providing an eDiscovery presentation covering the new TN laws of Civil Procedure August 19th at 11:30am. The location will be Regas restaurant here in Knoxville, TN.


ILTA '09

Bill Dean will be speaking at ILTA '09 (International Legal Technology Association) August 23-27 in Washington D.C. The topic will be data destruction.


Keeping Up with E-Discovery - Full Day Seminar

Take the Guess Work Out of Your E-Discovery Practice

In today's digital universe, evidence resides in an alarming number of electronic cracks and crevices. Not only do you need special skills to locate the relevant electronic data, you must also take steps to pristinely preserve the information. Don't risk unintentional loss of vital evidence through ignorance - find out how FRCP rules have been interpreted, so you can request, collect, produce and analyze electronic evidence properly to preserve its admissibility and avoid sanctions. This seminar provides 6 hours of CLE Credit

More information and registration information can be found here


2009 CyberSecurity Summit

The fifth East Tennessee CyberSecurity Summit will be co-hosted by the Federal Bureau of Investigations (FBI), University of Tennessee, Fountainhead College of Technology, and the Tennessee Valley Authority (TVA). For the third consecutive year, Bill Dean has the honor of being asked to speak. On August 20th, Bill Dean will address growing epidemic of intellectual property theft. On August 21st, Bill Dean will be providing a forensics break out session on low and no cost solutions for performing digital forensic investigations and security incident response.

More information can be found  by clicking here

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
EDiscovery Case Law



Court Orders Search of Server Data Contingent on Possibility of Keyword Search

Feig v. Apple Org., Inc., 2009 WL 1515506 (S.D.Fla. May 29, 2009)

In this wrongful termination litigation, the plaintiff sought production of the defendant's communications, including e-mails to and from the plaintiff. The defendant claimed that production of employee e-mails referencing the plaintiff was burdensome and would produce irrelevant documents. The defendant also argued that its server was shut down when it went out of business and that if the employee e-mail accounts were recreated, they would be impossible to search by keyword. Rejecting the defendant's irrelevancy argument, the court found that e-mails sent by the plaintiff's co-workers could be reasonably calculated to lead to admissible evidence. Thus, the court ordered an electronic search of the defendant's server data. The court noted that if a keyword search proved impossible, the defendant could seek a protective order provided it had support from a computer forensic expert.



Court Imposes Sanctions for "Wasteful Wild Goose Chase"

Beard Research, Inc. v. Kates, 2009 WL 1515625 (Del.Ch. May 29, 2009)

In this tortious interference with business relations litigation, the plaintiffs sought spoliation sanctions claiming a computer was irretrievably altered after the defendants' preservation duty arose. Specifically, the plaintiffs alleged the repeated reformatting of a personal computer and the loss of a hard drive caused the destruction of relevant incriminating e-mails and a presentation. The defendants argued there was no obligation to preserve one of the defendant's computers since there was no request for it. Finding this "mistaken view" let the defendants "off the hook too easily," the court determined the defendants were responsible for the evidence destruction. The court also found the defendants liable for the loss of an original hard drive. Based on these discovery abuses that led the plaintiffs and their IT expert on a "wasteful wild goose chase," the court granted an adverse inference sanction with regard to the presentation but declined to sanction the loss of e-mails as the plaintiffs did not adequately prove their existence. The court also awarded attorneys' fees and expenses associated with the sanctions motion.



Court Rules Data on Backup Tapes Is Not Necessarily Not Reasonably Accessible
 
Omnicare, Inc. v. Mariner Health Care Mgmt. Co., 2009 WL 1515609
(Del.Ch. May 29, 2009)

In this breach of contract litigation, the plaintiff moved to compel restoration and production of e-mails contained on backup tapes at the defendant's expense and to comply with the terms of a non-executed e-discovery stipulation regarding search terms. The defendant's e-mails were stored on backup tapes pursuant to an internal data retention policy. The court denied the plaintiff's motion to compel backup tape restoration and to shift costs to the defendant, finding that data stored on backup tapes are not necessarily non-reasonably accessible and that the defendant had not adequately demonstrated that the e-mails were not reasonably accessible. However, the court was not convinced that relevant data would be retrieved from restoration of the backup tapes. Accordingly, the court ordered production from the defendant's active data stores in order to assess the likelihood of finding relevant data on the backup tapes, noting that it found no impropriety in the defendant's data retention policy. Turning to the search term dispute, the court declined to resolve the issue as it had not been adequately informed about the dispute and lacked a sufficient basis to resolve the parties' impasse. The court noted the search term dispute may best be resolved by "a neutral third party with recognized expertise in searching complex databases." 



Court Orders Forensic Imaging and Searching of Database and E-Mail Servers

Covad Commc'ns. Co. v. Revonet Inc., 2009 WL 1472345
(D.D.C. May 27, 2009)


In this ongoing trade secrets misappropriation litigation, the plaintiff sought forensic images of the defendant's drives and computers as well as forensic searches of its database and e-mail servers. The defendant argued that its servers were too fragile for forensic images and that imaging constituted an undue burden. The defendant also objected to the forensic search of its servers, claiming it may reveal information that the defendant is obliged by contract to keep confidential. Disregarding the defendant's arguments, the court granted the plaintiff's request for forensic imaging, finding the imaging would not stress the servers any more than day-to-day use. The court also ordered the forensic search of the defendant's servers, stating that no alternative way existed and that any confidential material could be safeguarded by a protective order. Regarding the e-mail servers, the court determined insufficient authority existed to conclude ESI deficiency allegations automatically warranted forensic searches. The court reserved decision on whether forensic examination was appropriate until the plaintiff's expert's report was submitted. The court also ordered a comparison between servers to determine what data existed on non-operational servers that did not exist on the remaining operational one.



Court Stops Short of Default Judgment in "Textbook Case" of Discovery Abuse but Awards More Than One Million Dollars in Monetary Sanctions


Kipperman v. Onex Corp., 2009 WL 1473708 (N.D.Ga. May 27, 2009)

In this constructive transfer and fraud case, the plaintiff sought sanctions in the form of a default judgment against the defendant for discovery abuses. The plaintiff asserted that the defendant repeatedly defied court orders, unilaterally narrowed the scope of restoration and production of court-ordered backup tapes, unilaterally redacted court-ordered produced documents to the point that such documents became unusable and misrepresented to the court the likely relevance of e-mails sought. The defendants maintained that their redactions were in compliance with the court's orders and insisted that the broad discovery requested by the plaintiff would likely be fruitless. The court agreed with the plaintiffs that the defendant had blatantly disregarded court orders by making misrepresentations during discovery and stated it was deeply disturbed by the defendant's discovery conduct in what it regarded as "a textbook case of discovery abuse." However, the court declined to order default sanctions, citing novel issues of liability and noting that granting a default judgment in this case might be a grant of the largest default judgment sought in United States history. The court alternatively awarded $1,022,700 in monetary sanctions against the defendant to be paid to the plaintiff.    


 
Court Imposes Adverse Inference Citing Party's Failure to Preserve Relevant ESI


Plunk v. Village of Elwood, IL, 2009 WL 1444436 (N.D.Ill. May 20, 2009)

In this civil rights action, both parties filed a "slew of pretrial motions." The defendants argued the court should bar the plaintiffs' expert from testifying unless discovery was re-opened. The plaintiffs requested an examination of the defendants' computer system by their expert to determine if any deleted ESI was backed up. The plaintiffs also sought default judgment sanctions based on the defendants' destruction of an audio recording, failure to preserve data on computers and hard drives, and failure to back up relevant ESI. Addressing the defendants' motion, the court found the defendants' discovery failures and withdrawn expert statement that certain hard drives were not wiped clean necessitated testimony from the plaintiffs' expert, and thus allowed a short deposition from the plaintiffs' expert at cost to the defendants as a "fair discovery sanction for defendants' failure to follow the rules." Turning to the plaintiffs' motions, the court denied the examination request as expensive and futile. Regarding sanctions, the court rejected the defendants' arguments that evidence erasure was inadvertent and found the defendants breached their preservation obligations. The court determined an adverse inference sanction was appropriate, using the plaintiffs' expert's identification of e-mail chains suggesting relevant documents were destroyed accidentally or intentionally as partial justification. 


Court Orders Mirror-Imaging of Hard Drive in File Sharing Case

Capitol Records, Inc. v. Alaujan, 2009 WL 1292977 (D.Mass. May 6, 2009)

In this copyright infringement case, the defendant moved for a protective order to prevent the mirror imaging of two computers. The defendant argued the discovery was overbroad, an invasion of privacy and violated attorney-client privilege. The plaintiffs sought inspection of the computers to determine whether they were used for file sharing. The court granted the protective order and denied imaging with regard to one of the computers that was barely addressed by the plaintiffs in their response to the defendant's motion. The court allowed imaging of the second computer subject to a protective order whereby the plaintiffs would select a computer forensic expert to examine relevant, non-privileged data on the computer, citing the centrality of the second computer to the litigation alongside the defendant's substantial privacy concerns. The court ordered the expert would provide a report describing any relevant files to the defendant's counsel, who would have five days to lodge any objection before disclosing the report to the plaintiffs.
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Forensic Discoveries is available to provide onsite presentations or Q&A sessions on topics such as Electronic Discovery, Technical Implications of the updated Federal Rules of Civil Procedure, or Computer Forensics. Forensic Discoveries is also available to you, obligation free, to answer any specific questions pertaining to these topics. Simply give us a call and we will be glad to answer any questions pertaining to Electronic Discovery and Digital Forensics.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

a division of Sword & Shield

   Knoxville Office

   Phone:    (865)-244-3500

   Address:  1431 Centerpoint Blvd, Suite 150

                  Knoxville, TN 37932


   Washington D.C. Office

   Phone:    (410)-414-5580

   Address:  1425 K Street NW, Suite 350

                 Washington, DC 20005-3514


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

If you have a topic that you would like addressed in the newsletter, please let us know. Either visit http://www.forensicdiscoveries.com/newsletter.html and submit your suggestion there or reply to this e-mail with your suggestion. 

For previous versions of Forensic Discoveries EDiscovery newsletters, visit http://www.forensicdiscoveries.com/pastnewsletters.html  

 

This document does not provide legal or other professional advice and should not be relied upon as anything other than a starting point for research and information on the subject of electronic evidence and digital forensics.