Lawyers Draft IT Security Professionals for Litigation Support Duty

The process of litigation discovery - where parties to a lawsuit seek documents, depositions and other information from their foes and third-party witnesses prior to trial - is seeing a dramatic transition with the advent of the 'paperless office.'

Traditional document discovery efforts in corporate lawsuits often generated so much paper that some blamed corporate lawyers for contributing to deforestation, global warming and other such environmental blights. Even more ferocious than the assault on the environment is the manner in which the discovery process in corporate mega-litigation drained the resources of the embroiled corporations. Traditionally, at least in the USA, paralegals working for companies or their outside law firms performed the daunting spadework in responding to document subpoenas by amassing the truckloads of paperwork responsive to those discovery requests.

However, with most information now stored electronically in the workplace, resident IT security professionals, especially those with computer forensic skills, are increasingly being drafted in for litigation support duty. At the onset of many cases these days, lawyers are directing the creation of bitstream drive image backups of at least some of their client's workstations and pertinent servers. These images are collected along with the boxes of files and other paper documentation. The current Enron/Andersen debacle is only one example where computer forensics is playing a crucial investigative role.

This trend toward computer-based discovery has materialized because most high-power litigators now fully grasp the critical importance of focusing on the electronic data stored on hard drives and other computer media throughout any given company. As a first step in seeking information from an adversary, most litigation experts now advise the dispatching of a terse letter demanding the preservation of all computer data containing information that may be relevant to the case. In some cases, litigants have successfully sought temporary restraining orders to preserve such information.

This is an important step because courts in the U.S. have recently ruled that companies cannot necessarily hide behind their ongoing electronic records retention policies when they have notice of a request to preserve such information, or otherwise have an independent legal duty to preserve those electronic records. In the recent case of Trigon Insurance Company vs. United States, 204 F.R.D. 277 (E.D.Va. 2001) the court ordered the appointment of independent computer forensics experts to recover emails and computer files deleted pursuant to a company's document retention and management policy. The court determined that the company had a duty to preserve any and all records that the expert witnesses either generated or relied upon in the course of formulating their opinions and written reports. The court also ordered the offending company to foot the computer forensics experts' bill and, with a ruling that would be a decisive factor in most cases, promised to instruct the jury regarding the adverse consequences of the destruction of the computer files and emails.

The Trigon decision is particularly important in light of the Enron/Andersen scandal. The directive by partners in Andersen's Houston office to delete computer files in the face of a U.S. Securities and Exchange Commission (SEC) investigation has focused even more attention upon computer forensics and internal company policies. Corporate counsel must have a better dialogue with their IT departments to ensure that documents are not destroyed when a legal duty to preserve them arises, notwithstanding any ongoing records retention policies or improper orders of a rogue manager.

Litigation experts also now advise that after issuing a demand letter for preservation of electronic records, the depositions of network administrators and others with detailed knowledge of network configurations, mirror sites and data backup procedures be taken. The rules of civil procedure allow litigants to request the deposition of an employee 'most knowledgeable' of a certain set of facts or company procedures. Thus, even though the adversary litigant is unaware of the specific identity of individuals who run the network or oversee the electronic backup and archival process, their employers have the responsibility to designate those employees when served with deposition notices for persons most knowledgeable of such information. Additionally, when taking a deposition of an adversary's network administrator to obtain the same information, many corporations and law firms bring along their own network administrators as a technical resource.

The courts now recognize the importance of observing proper computer forensics protocols when collecting and analyzing computer evidence in the course of discovery. The information being retrieved from the servers and workstations may ultimately have to be admitted into court as evidence, and preserving file date stamps, not overwriting or changing data, and maintaining an overall proper chain of custody are no longer the exception but the rule. In a notable high-profile intellectual property dispute, the court issued harsh evidentiary sanctions where a computer expert failed to employ proper computer forensics techniques. The court ruled that when processing evidence for judicial purposes, a party has "a duty to utilize the method which would yield the most complete and accurate results." Gates Rubber Co. v. Bando Chemical Indus., Ltd., 167 F.R.D. 90 (D.C. Col., 1996).

The impact of lawyers' and judges' new appreciation for computer evidence is clearly being felt in the information security field. While managed security and intrusion incident response practices are seeing difficult times, computer forensics consultants are busier than ever. Additionally, the newest generation of computer forensics tools (available in mid-2002) will enable examiners to conduct computer forensics investigations across wide area networks, thereby substantially increasing the feasibility and efficiency of institutional computer discovery, and enabling the further expansion of computer forensics as a standard practice in the corporate litigation process.

This trend is hardly bad news for IT security professionals. While few people enjoy dealing with lawyers on an ongoing basis, litigation support is already a multibillion dollar industry, and it is shaping up to be a whole lot friendlier to the environment.

John M. Patzakis is president and general counsel to Guidance Software, Inc., the developer of the computer forensic software tool EnCase. He can be reached at [email protected].
