Electronic Security Information (ESI) and Legal Hold Best Practices

Legally binding instructions to preserve ESI are typically communicated in what is known as a “legal hold letter.” The letter states that the company presently or reasonably anticipates litigation and requires that all ESI, whether in paper or digital form, be preserved until further notice.

Clear procedures should be in place to avoid the destruction of relevant evidence before any need to issue a legal hold. These procedures should include identifying and evaluating trigger events, establishing a reasonable scope, issuing notices, and monitoring compliance.

Establish a Chain of Custody

For digital evidence to be admissible in court, it must have a transparent chain of custody. It involves documenting every person touching the media and digital data chronologically. It also includes details of how the evidence was transported, such as in a sealed static-free bag or a secure storage container.

A transparent chain of custody allows the forensic examiner to prove that the data is authentic and has not been tampered with or altered. In a court of law, this is a critical factor in the admissibility of digital evidence and is even more important than tangible evidence.

A robust and detailed chain of custody can reduce the chances that a judge will throw out the evidence due to a weak link. A good chain of custody is handy with an expert analysis of the media and digital data to show that the timeline is accurate and contains no gaps.

Create a Digital Log

To properly preserve digital evidence, a precise log must be maintained of its whereabouts throughout the identification, collection, acquisition, preservation, and analysis process. This log must also include who accessed the data and how. Any errors in this process can render the evidence inadmissible in court.

For example, suppose a digital log shows a mudlog sand and shale percentage that should be recorded in track 4. In that case, the logger will likely change the data to track 5 to record the correct percentages accurately. However, the logging system must be easy for the driver and not require them to change the data to make it work correctly manually.

An electronic logbook enables truck drivers to keep track of service hours while on the road and automatically transmits the data to an online system. It must be user-friendly so the driver will be encouraged to use it properly, as this can save time and help them increase productivity. It should also be free of hidden costs like extra charges for using the device or additional maintenance fees.

Prevent Tampering

As an organization, processes are critical to prevent tampering with any evidence collected in an investigation. It means not deleting or altering files but ensuring employees are not accessing or editing the originals. It is also essential to have redundancies, such as producing the hard copies of the ESI you are seeking and the mirror image of a computer’s hard drive, in case the originals are destroyed or deleted.

Legal teams must be able to identify the triggering event and decide when it is appropriate to issue a legal hold. They must also be able to accurately scope their collection efforts since under-collection can result in sanctions for spoliation, and over-collection wastes time and resources.

Good information governance requires a legal team to work closely with IT, business units, and other departments, including risk, compliance, audit, records management, and others, to create a policy that the entire company can implement. In addition, it is essential to have a system for distributing legal holds, tracking acknowledgments and reminders, and communicating with custodians to ensure compliance.

Only Work on Copies

The duty to preserve ESI extends not just to avoiding the destruction of evidence but also to intervening when sources of ESI are in danger of being altered or erased by routine operation. For example, simply booting a source of ESI can cause its contents to be irretrievably erased or corrupted. As such, it is best to only work on copies of ESI and avoid the manipulation of original data files themselves or their attached metadata.

The ESI needs to be stored on cloud servers managed by third parties. The case of Brown v Tellermate illustrates the dangers in this area.

As you prepare for the possibility of litigation, it is a good idea to establish procedures requiring all employees to immediately cease deleting any emails or other ESI relevant to an anticipated matter. It includes email servers, backup tapes, and even the metadata that may be preserved with those files. It is consistent with the ubiquitous Zubulake v UBS Warburg federal pre-litigation preservation standard that states that the duty to preserve ESI begins when a party has notice of the likelihood of litigation or should have known that litigation might reasonably be anticipated.

Monitor Compliance

Monitoring compliance is essential after you recognize the trigger, identify the relevant custodians, and distribute a legal hold notice. It can take the form of regular reminders or even leveraging in-place preservation technology that locks down data securely, keeping it out of harm’s way and preventing unintentional spoliation.

The university’s obligation to preserve ESI and information arises when the university reasonably anticipates litigation or when credible facts and circumstances indicate a lawsuit is highly probable or imminent. In addition, the university’s duty to preserve ESI and information arises whenever there is a reasonable possibility that the university will be compelled by a court to produce evidence in a lawsuit or administrative investigation.

Generally, it would help if you preserved all potentially relevant ESI and evidence in the same forms in which they are typically maintained (including logs, control sheets, specifications, indices, file lists, naming protocols, user ID and password rosters, and installation disks). You should not select methods of preservation that would reduce your ability to search the ESI effectively or make it difficult or burdensome for you to access and interpret the ESI.