Chapter 16. Discovery of Digital Evidence in Civil Cases
Information in this chapter:
• Rules governing civil discovery
• Electronic discovery in particular
• Time is of the essence
• Getting to the particulars
• Getting the electronic evidence
Methods for getting the evidence in civil cases are different than those in criminal cases because civil cases are governed by different rules. In this chapter we briefly discuss the rules governing civil discovery. We also begin laying out the process for determining what to ask for and where it might be and take a walk-through approach of the method by using a case scenario. Also included are simple examples of civil discovery orders for electronic evidence.
Keywords
Rule 26, Rule 29, Rule 34, Rule 45, Discovery Rules, Federal Rules of Civil Procedure
Introduction
Discovery in civil cases can be challenging for many reasons: If you are the plaintiff, you will be faced with trying to figure out what evidence might exist in your case, where it might reside, and who has control of it.
The chance of evidence being lost or destroyed in a civil case is actually much higher than in a criminal case. The reason is that the person or persons involved may know well in advance that you will be seeking electronic evidence and may take steps to dispose of anything incriminating, whereas in a criminal case, evidence is typically seized with no forewarning of the persons in possession of the evidence.
Litigation holds, spoliation, cost shifting, undue burden, and sanctions against parties for failing to abide by discovery orders can occur in a criminal proceeding, but they are more commonly addressed in civil actions.
A civil case required that a personal computer be produced and then forensically imaged (copied) for preservation and later forensic examination. At the beginning of the collection process, when completing the chain of custody form, it was noticed that the computer appeared to be new. When the manufacture date on the back of the computer was checked, it was determined that the computer had a build date of only two weeks prior to the computer being made available for copying. The defendant in the case claimed that the computer was not working properly and had returned the computer to the manufacturer for repair, and the manufacturer had simply replaced the unit with a new computer. Whatever evidence had been on the computer was now lost.
16.1. Rules governing civil discovery
The general rules governing civil discovery in federal cases are provided in the Federal Rules of Civil Procedure (FRCP). Each state will also have its own rules for civil practice that set out rules for civil discovery.
The Federal Rules of Civil Procedure that govern civil discovery are Rules 26, 29, 34, and 45.
• Rule 26 sets out the duty to disclose, required disclosures, disclosure of expert witnesses, discovery timing, and prediscovery conferences. Rule 26 is very important to understand as it defines the rules for required disclosure prior to any discovery requests being made by either party. 1
• Rule 29 defines the stipulations about the discovery procedures, including depositions and that other procedures governing or omitting discovery may be modified. 2
• Rule 34 specifically addresses electronic evidence, its form, and production.
You must also bear in mind that other rules govern certain entities such as an Internet service provider that can limit or prevent you from obtaining evidence in a civil proceeding, most notably the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA). It is codified as 18 United States Code, Subsections 2701 to 2712. The SCA addresses voluntary and compelled disclosure of stored wire and communications and transactional records held by third parties, specifically dealing with Internet service providers and other online services.
In denying subpoenas in civil cases, Facebook has routinely cited the SCA as its reason for failing to provide requested information, specifically any messages or wall posts in a user’s account. The problem is that 18 U.S.C. § 2703(a) speaks of release of stored electronic communications to “a governmental entity” and doesn’t mention private parties in civil cases.
An excellent resource for understanding the Stored Communications Act is Orin S. Kerr’s article, “A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It”, published in the George Washington Law Review, 2004. 3
• Rule 45 covers subpoena requirements. 4
16.2. Electronic discovery in particular
Rule 34(a) of the Federal Rules of Civil Procedure states
A party may serve on any other party a request within the scope of Rule 26(b):
(1) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control:
(A) any designated documents or electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form; or
(B) any designated tangible things; or
(2) to permit entry onto designated land or other property possessed or controlled by the responding party, so that the requesting party may inspect, measure, survey, photograph, test, or sample the property or any designated object or operation on it.5
While the rule implies that you can go after pretty much anything in electronic form, defining what that “anything” is, is an important step, primarily because the FRCP also states in Rule 34(b) under contents of the request that you “(A) must describe with reasonable particularity each item or category of items to be inspected.”
In other words, the bucket approach isn’t allowed. You must describe in your discovery motion such items as computer hard drives, cell phones, e-mail, documents, pictures, diagrams, databases, drawings, and so forth specifically enough to satisfy the judge that you are being reasonable in your request and not opening yourself to a claim of undue burden being placed on the producing party.
16.3. Time is of the essence
It cannot be stressed strongly enough that the potential loss of electronically stored evidence is extremely high as time between the creation of the evidence and the time the evidence is collected increases. Computer hard drives crash, companies routinely delete data as part of their normal course of business, video surveillance systems overwrite their data storage on a short schedule, people buy new cell phones and discard the old ones. Technology changes and companies retire older systems for newer ones and may not preserve the data from the old system. Electronic data is volatile, and massive amounts of evidence can be destroyed at the click of a button.
16.4. Getting to the particulars
One method for figuring out what you want to collect in a civil case is to take the What, Who, How, Where, and Who approach. This is an investigative process from the standpoint that you must take many of the same steps that would be used in a criminal investigation. In this instance, the purpose of the “investigation” is to locate and collect electronic evidence.
To expand the thought: What happened? Who was involved? How would electronic evidence be involved? Where might that electronic evidence be? And who controls the electronic evidence? We will work through this process from the standpoint of locating and eventually collecting the electronic evidence.
16.4.1. What happened?
All litigation requires a “what happened?” that is the cause for litigation in the first place. Someone or something did or did not do something that has resulted in injury or harm to another party, whether that result is physical or financial harm. Was it a person or persons involved or was it an inanimate object? Ultimately, everything is the responsibility of a person, and getting to the people involved is paramount to locating electronic data.
16.4.2. Who was involved?
Since litigation always has some intent to establish liability or culpability, figuring out who did something is the first step. In other words, who are the parties that had some interaction with or instrumentality concerning the alleged subject of the litigation? Once these parties are identified, either by name or by area of responsibility, the discovery order or conference can be used to determine who to collect data from. While the other side in a civil matter may be required to disclose the identities of persons who may be in possession of electronic evidence, don’t be surprised if they fail to do so completely. This does not necessarily occur because of intent, while that may be a factor, but because they simply did not consider all of the possibilities.
16.4.3. How would electronic evidence be involved?
The multitude of ways in which an electronic record can be created should always be considered in reviewing any type of case. Everything from phones to automated parking systems can create an electronic record. Thinking about methods of doing things today as well as the physical surroundings and potential third-party connections to a case will lead to finding out how records were created that can be collected and analyzed. Are there records out there that were created directly by a person involved or by an automated process that was present in the physical space where the incident occurred? Consider all the electronic devices that can be present in a retail store at any moment in time: employee and customer cell phones, surveillance systems, alarm systems, computers, credit card processing machines, ATM machines with cameras, facsimile machines—all of these devices are capable of creating and preserving electronic data, even the DVD vending machine that customers use to rent movies and games requires the use of a credit or debit card.
16.4.4. Where might electronic evidence be stored?
Electronic evidence can be stored in so many places these days that it can be mind-boggling once you start to ponder how an electronic record might be created and subsequently stored in even seemingly mundane circumstances.
If you are dealing with a business, you can expect that the business will be using computers, perhaps a network and the Internet. This means that electronic evidence can be stored on the individual computers; network servers; remote office locations; on computers used by teleworkers; company and personal cell phones; on backup tapes, USB drives, portable hard drives, off-site mail servers, public mail servers, off-site backup services; in remote storage such as Google, Microsoft SkyDrive, DropBox, Carbonite remote backup; and other places as well. Do they have an internal or external voicemail system where messages might be stored?
16.4.5. Who has control of the electronic evidence you need to collect?
Lastly, once you have identified who was involved, how records might be created, and where those records might be stored, your next task is determining who has control of the electronic evidence. Chances are that it will be a combination of persons directly involved as well as third parties such as cell phone companies, Internet service providers, transcription services, and even cloud-based data backup companies.
In a sexual harassment case, it is often a matter of “he said, she said.” Getting verifiable evidence can be the deciding factor in supporting the claims of one side or the other by providing a record of what really happened. By walking through the process outlined in this chapter, you can see how the process would work in this type of case.
What happened?
An employee claims that her boss has been sexually harassing her on the job and even at home via her personal e-mail. She claims he has left her sexually explicit voice mails and even sent her sexual pictures via his cell phone to her cell phone in text messages.
Who is involved?
Directly involved are the employee making the claim and the employee being accused. However, who else might be indirectly involved that may have evidence in the matter?
The coworkers and possibly friends and family members of the accuser to whom she may have sent copies of the harassing e-mails, text messages, and pictures. Also indirectly involved may be the system administrator of the company network, who can locate e-mails in the company e-mail system, and third parties such as cell phone companies.
How would electronic evidence be involved?
The basis for evidence in the claim is e-mail, text messages, pictures, and voice mails. So you know you need to gather e-mail evidence, text messages, and voice mail recordings.
You would also want to remember that many smart phones are backed up to computers and can contain information that may no longer be present on the phones themselves. And since this case involves company computers and e-mail, there may be evidence still present on the company’s backup system even if the e-mails were deleted or destroyed on the personal computers.
Where might electronic evidence be stored?
At this point, questioning the parties about what devices they use for electronic communication can lead to discovery of where this evidence may reside.
At this point you want to begin to create an inventory of devices and locations where the evidence may reside. This can be done through interviews with the parties.
What you will want to find out and catalog for discovery purposes are all of the devices used by the parties for communication:
• Computers (both home and company): Laptops, desktops, pad computers or tablets (like an Apple iPad)
• Cell phones (both company and personal)
Then you will want to attempt to identify other sources of electronic evidence storage:
• Voice mail recordings (on cell phones and the company voice mail system)
• E-mail accounts and storage (on the computers, cell phones, and any free e-mail accounts through third parties like Hotmail, Yahoo!, etc.)
• Cell phone records and internal company phone records
Who has control of the electronic evidence you need to collect?
The last part will be determining who has possession and control of the evidence items you need for the case and their names and contact information.
• The parties in the case for any devices they personally own or have permission to use at the company along with any online e-mail accounts they use that may be involved in the communication trail.
• System administrators for the company’s computers, network, mail servers, e-mail backups, and telephone networks.
• Any phone company or cellular carrier that may be able to provide phone logs, call records, or stored communications.
• Any friends, coworkers, or family members who may be in possession of copied e-mails, text messages, or voice mails.
Once you have collected all of the information by following the steps in the case scenario, you should be in a good position to start crafting your discovery motions to get as much evidence as possible in support of your party’s claims.
16.5. Getting the electronic evidence
Depending on the size of the business or number of people (custodians) you need to collect evidence from, your approach will vary.
In a small action involving a few computers or custodians, the Civil Order Example shown in Fig. 16.1 can be specific enough to suit your needs; however, this order assumes that you will have the forensic personnel to go into the business and collect the information and does not make an allowance for production by the other side in the litigation.
The order example in Fig. 16.1 specifies what is to be collected, who is going to do the collection, as well as where and when the collection will take place.
In a larger collection scenario or in one where the opposing party will be producing the electronic evidence using their own forensic personnel, a motion would be used that contains the following information:
• What is to be collected
• For the following persons named herein or
• Provide the list of custodians you want to collect from.
• That contain any information, records, or correspondence related to the specific matter described herein
• This relates to the specific case or complaint.
• When it will be collected
• Specify a date and time for the collections to occur. Make sure to allow yourself and the other side time to comply; however, keep in mind that time is of the essence to avoid loss of evidence by user deletions, company retention policies, and the normal operations of computers and cell phones that can destroy evidence.
• That said collection will be completed by MONTH, DAY, YEAR
• Specify an end date for the collection to be completed.
• How it will be collected
• Whether or not the evidence is to be collected by a forensic examiner.
• That proper forensic procedures will be followed in the collection of the electronic evidence.
• In the event that the party cannot perform the collection in a timely and forensically sound manner, petitioner shall be allowed to perform such collections or a neutral party shall be selected to perform the collections.
• Conditions of the collection
• That a chain of custody will be maintained and provided with the electronic evidence
• That all electronic evidence shall be delivered in its native form or in forensic images of the electronic evidence, the format to be agreed upon by both parties in advance.
In most cases, failing to get evidence is a result of taking too long to perform these steps to get to the actual collection or simple missing items that could have been collected if they were identified early in the process. Not getting a preservation order in place in a timely manner can be the difference between getting evidence and getting nothing of value because electronic evidence is in a constant state of being modified and perhaps even destroyed during the normal operation of electronic devices.
Summary
In this chapter we looked briefly at the rules governing civil discovery and how they can impact the discovery process. We also looked at a process that can be used to determine what to collect, from whom, and where. An example was provided to show how the process would work in a case scenario. Lastly, we covered a simple discovery order for electronic evidence and the additional steps for a large or more complex discovery scenario.
References
[1]
[2]
[3]
[4]
[5]
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.