Updated October 22, 2011
The purpose of this document is to outline standards for the identification of electronically stored information in discovery. The intent is for these standards to provide counsel with a guide for identification. This guide is not all inclusive but is designed to provide a baseline for the investigation. Depending on the information discovered, some areas may require a more in depth investigation. There are 2 main components in the identification process, the first is Early Case Assessment and the second is Early Data Assessment (see details below). One important point, documenting the findings during the identification process is as important as discovering the information. Click here for information on Identification.
A. Early Case Assessment
Once a triggering event occurs, begin by assessing the case. This information serves as a foundation for developing overall case strategies as well as early data assessment. Below is a checklist of items to consider during early case assessment.
- Type of triggering event
- Facts of case
- Case value
- Outside counsel
- Case strategy
- Date range
- Key words
- Key departments/custodians including former employees
- Case merit, risk analysis
- Legal hold requirements
B. Early Data Assessment
Early data assessment should provide counsel with the information necessary to understand the types of relevant data and where it is located. Additionally it should cover any policies related to the retention or destruction of relevant data so appropriate steps can be taken to preserve relevant data and avoid spoliation. There are 3 key areas of focus to consider. They include records management personnel, potential custodians and information management personnel. Below are basic guidelines for conducting an investigation of each.
1. Records Management Interviews
This summary assumes the records manager understands the case background, the legal hold and their role in this litigation.
Roles and responsibilities of the records manager – Indicates the level of involvement records manager may have in the identification of potentially relevant data sources. Also helps sort out who knows what with respect to the location of information.
Sample questions:
- What is this role within the organization?
- Is this position involved with electronic discovery?
- How does this role interact with the Legal and IT departments?
- Do this position have any documentation related to the roles and responsibilities as records manager?
Records management program/policy – Indicates if records management plan(s) or policy(s) exist that may impact electronic discovery and whether they are enforced. May identify types of information relevant to the litigation. Identifies if company has a litigation readiness plan in place. Addresses changes and audits of records management program/policy. Helps identify what policies are needed or are in place if a custodian leaves the company.
Sample questions:
- Does the company have a records management program/policy? If so, when did program or policy originate? Are there different versions?
- What types of information does the records management program/policy cover? Are there types of information or areas in the company that are not covered?
- Is the records management program/policy enforced? If so, is all of it enforced or just certain parts?
- Is the records management program/policy in writing? If so, how long has it been in writing?
- Is there a litigation readiness plan? If so, when did plan originate?
- Have changes been made to any aspect of the records management program/policy during the relevant time frame?
- Are any audits conducted of the records management program/policy? If so how frequently? By who? What happens with results?
- Does the records management program/policy cover what happens when an employee leaves the company? If so what is the policy?
- If employee leaving the company is a custodian in an active case/matter how is their data handled? When an employee is not a custodian in any case/matter how is their data handled?
- How is the employee’s employment status identified? Is there an integration with HR system/process to correctly identify the employee termination date?
- What are the retention policies for back-ups?
- Do you have any documentation related to the records management program/policy?
Retention schedule – These questions identify what retention/destruction policies are and have been in place during the relevant time period. The legal team may need to suspend or identify a work around for some of these policies to prevent the destruction of potentially relevant data. The history of these schedules provides insight into what information may or may not exist at the time of the triggering event. Audit of retention schedules may be used to demonstrate how well the plan is enforced.
Sample questions:
- Does a retention schedule exist? If so, since when?
- What types of information does the retention schedule cover? Are there types of information or areas in the company that are not covered?
- Is the retention schedule enforced? If so, since when?
- Is the retention schedule in writing? If so, since when?
- Do you have in-place retention or a collect-and-preserve model?
- Do you use any software or systems for retention purposes (i.e. archives, etc.)?
- Is there a plan to suspend disposition for a legal hold? Are there any obstacles to doing so? If so, what are they?
- Have changes been made to any aspect of the retention schedule during the relevant time period?
- Are any audits conducted on records retention? If so how frequently? By who? What happens with results?
- Do you have any documentation related to the records retention schedule?
Possible locations of relevant data – These questions help to determine what relevant information exists and where it is located from the record manager’s perspective. They also can help determine if files are indexed or searchable in any way. If the records manager is the most knowledgeable regarding the storage of any electronically stored information the IT interview questions should be asked. Gathering any documentation relating to the location of data will be helpful in assessing all data sources.
Sample questions:
- Are there paper documents or objects in employee’s offices that may be relevant?
- Are potentially relevant paper documents or objects stored centrally? (libraries, file cabinets, warehouses, etc.)
- How is electronic information stored?
- Who is the person most familiar with the following computer systems and electronically stored information? (Please provide contact info. if known)(if records manager is most knowledgeable ask questions under IT interview)
- Email servers
- Voice mail
- File servers or DMS
- Archives
- Back-ups
- Portable devices
- Intranet, extranet, social networking
- Databases
- Legacy systems
- Network shares, home drives
- Desktops, laptops
- SharePoint, matter management, etc.
- Applications, structured data
- Do you have any pertinent documentation related to the location of data? (data maps, diagrams, lists, etc.)
Access to relevant data – These questions help to determine how accessible the data is, any potential issues with preservation and whether or not any relevant data is currently scheduled for destruction.
Sample questions:
Paper:
- Are there indices? Are they accurate? Are they searchable?
- Is potentially relevant paper scheduled for destruction?
Electronic:
- Is the potentially relevant data text searchable?
- Using what tools?
- Who is the most knowledgeable about search capabilities and limitations?
- Is any potentially relevant data difficult to preserve, find and/or retrieve? How so?
- What departments are likely to have relevant data?
- Is potentially relevant electronic information scheduled for destruction?
- Do you have any pertinent documentation regarding accessibility of relevant data?
2. Custodial Interviews
This summary assumes the custodian understands the case background, the legal hold and their role in this investigation. Early data assessment may involve interviews of the potential custodians or for some custodians surveys may be used.
General employee information – This general information provides insight into what the individual’s role has been at the company and identifies others that might have potentially relevant information.
Sample questions:
- What is your name? (consider gathering username, email address, employee ID, etc.)
- What is your current position? What department do you work in? For how long have you worked in department XXXX?
- Did you have any previous positions? If so, what was your title, what departments and what dates were you employed while you held that position?
- Have you ever had a secretary or administrative assistant? If so, when and what were their names?
- Who were your managers in each position you held?
- Who formerly held your position?
General computer information – This information is used to determine general information about the custodian’s computer usage. Data is more likely to be stored locally on a laptop although it could also be stored on a desktop computer. The custodian’s document could be stored on other company computers. Files may or may not be transferred to new computers and old computers may not be destroyed.
Sample questions:
- Do you have any data or documents that may be relevant to this litigation?
- Is your work computer a laptop or desktop?
- Does your secretary/assistant store your documents on his/her computer?
- Have you been issued a new computer recently? If yes, when? Were all files transferred to your new computer? Do you know what happened to the old computer?
- Are you supposed to receive a new computer in the next several months?
Relevant data – These questions are used to determine what type of files the user has and where they are located. It is important to follow-up with IT to determine additional locations where files may be stored that the custodian is not aware of.
Sample questions:
- What type of files or software do you have or use that may contain relevant data? (e.g. email, word processing, spreadsheets, databases, text messages, voice mail messages, websites, etc.)
- Do you know where these files are stored? (e.g. network server, local pc, external media, mobile device, intranet/extranet/SharePoint or other web-based system, databases, home computer, etc.)
- If you do not know where it is stored, who would know?
- Do you know of others that may have relevant data?
Legal hold – These questions confirm acknowledgment of legal hold and may be important if the adequacy of the legal hold comes into question.
Sample questions:
- Do you understand what the legal hold requires?
- Do you know who to contact with questions regarding the legal hold?
- Does the company have infrastructure software to manage legal holds?
- Do you foresee any issues in preserving the relevant information you have identified? If so, have you contacted the IT department for their input?
3. IT Interviews
This summary assumes the IT staff understands the case background, the legal hold and their role in this investigation. Depending on the size of the corporation and the roles of IT you may have to interview multiple individuals within the IT department. Below are the basic topics and questions to consider for an IT Interview. There are numerous questions that could be asked in follow-up during an IT interview.
Email servers – These questions are used to determine what type of email system is utilized as well as specific details about the email system. It is important to gather and document as much information as possible about the email system to enable identification and collection of potentially relevant data. Do not forget to find out what happens to terminated employees email.
Sample questions:
- Is email managed in-house or in the cloud? (if in the cloud see “Cloud Computing” section below)
- What type of email system is used?
- What version is installed?
- How many email servers globally?
- Where are the email servers located?
- Do you have different domains for email?
- Are retention and archiving policies the same among all domains?
- Are emails able to be stored locally on individual’s computers (PSTs, NSFs)? Is this encouraged?
- Do you retain deleted messages on the email server?
- What are your Dumpster settings?
- Is there an auto-delete system? If so, can it be turned off for preservation purposes? If not, what is the work around?
- Is there a limit imposed on individual mailboxes? If so, what is that limit and what happens when it is reached?
- What software is used to back up email servers?
- Are email backups brick level or individual mailboxes?
- Do you use an archive? If so, please describe.
- What type of back-up system do you use? Tape or digital? Local or remote?
- If tape, what tapes do you use? By location?
- How often are backups performed?
- What is your rotation schedule?
- What is your retention policy?
- How are your tapes cataloged and inventoried?
- Are tapes sets clearly identified?
- What do you do with an email account when employment is terminated?
File servers – These questions are used to determine whether or not employees have the ability to store electronic data on the company network and details on their storage practices. It is important to gather and document as much information as possible about the file servers to enable identification and collection of potentially relevant data. Do not forget to differentiate between custodial and non-custodial data sources.
Sample questions:
- Do all users have home directories on the network?
- Is this their default storage directory?
- Do you have group directories and/or public shares?
- Are there specific shares that may contain relevant data for this case?
- Is there a standard naming convention for the home drives for users?
- Is there a universal drive letter assigned?
- What are names of file server?
- How many file servers do you have globally?
- How many locations do you have for file servers?
- What type of files can users store on file servers? Any proprietary? E-mail? What are the locations?
- What type of back-up system do you use? Tape or digital?
- What software is used to back up file servers?
- If tapes, what type of tapes do you use? By location?
- How often are backups performed?
- What is your rotation schedule?
- What is your retention policy?
- How are tapes cataloged and inventoried?
- Are tape sets clearly identified?
- Is there replication in place?
- Where are the replication servers/storage located?
- How often does replication occur?
- What do you do with a user’s home drive when employment is terminated?
- What do you do with a user’s files in public locations when employment is terminated?
Laptops/desktops – These questions are used to determine whether or not employees have the ability to store electronic data on their company computer and details on their storage practices. It is important to gather and document as much information as possible about the laptops/desktops to enable identification and collection of potentially relevant data.
Sample questions:
- What is your policy on users saving files on their assigned PCs?
- Do you have an encryption policy (full disk and/or individual file)?
- Can users install applications on their assigned PCs?
- By default, are emails stored in local PSTs/NSFs on employee computers? Is it different on laptops vs. desktops?
- Is auto archive enabled by default?
- Are computers assigned to individual users, or are they shared?
- What is your naming convention for usernames?
- What is your policy for terminated employee?
- In the case of re-imaging a PC/laptop for a different user, what happens to the existing data?
- If a PC/laptop is being re-imaged for the same user, how is the data preserved and transferred back? Does the method preserve metadata for the files?
Transactional data – These questions are used to identify structured data systems. It is important to gather and document as much information as possible about the transactional systems to enable identification and collection of potentially relevant data. Do not forget to differentiate between custodial and non-custodial data sources.Off-site media
Sample questions:
- Do you have any transactional data servers/systems that may be relevant in this case?
- What types of user have access to these systems?
- How many servers are there globally? What are the locations of the servers?
- Do you purge data from these systems? If so, why and can it be stopped?
- What type of back-up system is used? Tape or Digital?
- What software is used to back up transactional servers?
- What type of tapes do you use, by location?
- How often are backups performed?
- What is your rotation schedule?
- What is your retention policy?
- How are tapes cataloged and inventoried?
- Are tape sets clearly identified?
- Is there a replication in place?
Backup/storage – These questions help to determine how accessible the data is, any potential issues with preservation and whether or not any relevant data is currently scheduled for destruction. It is important to gather and document as much information as possible about the backup media.
Sample questions:
- What is the name of the off-site storage vendor?
- What is the address and telephone of the facility?
- Who is the contact?
- What type of data do they store?
- Does the vendor have relevant data that is not accessible from your current systems?
- Is there any type of written agreement with the vendor regarding storage requirements and retention? If so please provide a copy.
- Is there a current inventory of the material in storage?
Web-based applications & cloud computing
Sample questions:
- What type of web-based systems do you use that may have relevant data? SharePoint? Intranet? Extranets? Social media? Collaboration sites? Software as a service? Management systems or databases?
- Are these maintained by you behind your firewall?
- Are they searchable?
- Is there potentially relevant data that cannot be searched or collected?
- Is the system locked down or can users create sites without your knowledge?
- If systems are not maintained by you behind your firewall, where is this information stored?
- Does your vendor have their own servers or do they purchase space from server farms?
- Does the vendor back-up this information? If so, for how long?
- Does the vendor purge any of this information?
- Do you have any written agreements with these vendors? If so, please provide a copy.
- Has this vendor been placed on a legal hold?
- What kind of Internet security is in place?
- Are public blog sites allowed (Facebook, Twitter, etc.)
Portable devices – These questions help to determine what relevant information exists and where it is located. Do not forget text messages.
Sample questions:
- What are the general types of PDAs/cell phones that employees use? Blackberries? iPhones? Droids?
- Are they issued by or owned by the company?
- Is email synched to your server?
- Are text messages captured by your server?
- Is voice-mail stored on your server?
- What type of data may be stored on the device that is not on the server?
- Is the security policy on smart phones the same as internet settings on the computers?
- If not, could users access any kind of site from the smart phone?
Instant messaging – These questions help to determine what relevant information exists and where it is located.
Sample questions:
- Does the company use IM? If so, what type?
- Are sessions logged? If so, any proprietary storage solutions?
Voicemail
Sample questions:
- Is voice mail stored on your systems? What is the retention?
- Do you have unified messaging?
- Are there any policies in place regarding voice mail storage? Please provide a copy.
- Are there any policies in place regarding unified messaging? Please provide a copy.