Monday, March 23, 2009

2009-03-23 Digital Evidence Management (and Litigation) Practice Management Tip

Antivirus, Search, and Data Leak Prevention Products and Preservation

It appears that at least one (and perhaps many) deep anti-virus scans change "last access" time and date stamps. In the link appearing below, Symantec notifies (or is it "warns") that the use of a full system scan will cause changes to "last access" dates. The only work-around (at least insofar as Symantec) is concerned, is to disable deep-scanning.

This raises some interesting ESI preservation issues.

First, an argument could be made that failing to disable this feature after the trigger of a duty to preserve constitutes some degree of ESI spoliation.

In this argument stance, the safe harbor provisions of Fed. R. Civ. P. Rule37(e) would be unavailing to a party who failed to cease activity in connection with what is arguably a "routine good faith operation of an electronic information system." In "ordinary negligence" jurisdictions (among others, the Second, Seventh, and Ninth Circuits), and depending on the surrounding circumstances, this might result in a court's finding a failure to preserve, negligent document destruction, or outright spoliation.

Second, an argument (or defense) might be made that disabling a deep scanning anti-virus feature would be overly burdensome, and expose the producing entity to immense operational, financial, and other security risks.

A third approach, of course, might be to temporarily suspend deep scans pending a copy of pertinent information set(s). A fairly coherent argument might in turn be made that this, too, would be overly burdensome, costly, and risky.

The link to the Symantec site is here:

Data Leak Prevention and Search Tools

Some DLP products can be used as anti-forensics tools, and some search tools may inadvertently do so (comforting thought, to be sure). Of course, none are certified (or even claimed) not to, because, until now, we haven't asked the questions. And if we don't know the questions to ask, we remain eyebrow deep in...vendor promotional material.

So, the first question out of the gate in a protocol setting session is:"Do any of the protocols effect metadata changes? Better yet, do any proposed methodologies flip evidentiary bits (and here, we assume evidence is, broadly, relevant [or which could lead to relevant] metadata as well as data)?

Two scenarios, both with unpleasant prospects for counsel. (1) Counsel becomes aware of flaw only after otherwise well conducted eDiscovery is completed, necessitating motion practice, testing, experts, evidentiary hearing, and a decisional dice throw. (2) Counsel makes inquiry prior to use of particular technology, and either before or during eDiscovery period, moves to object to use of particular technology (and perhaps offers an alternate), necessitating expert testimony, testing, evidentiary hearing, and another throw of the decisional dice.

The unpleasant prospect here is the burden counsel will bear in convincing a court that without testability, there can be no reliability of a particular methodology, no matter how ubiquitous, and no matter how self-serving, no matter how nicely printed the collateral promotional or technical material, and no matter how reassuring mere human testimony might be.