The collection of electronically stored information (ESI) is a critical task in the e-discovery process, as it dictates the scope of your data universe. The amount of data collected for an e-discovery case has a direct impact on an organization’s network, as well as downstream e-discovery expenses for the processing, review, analysis, and production of the data.
To help you take a more strategic approach to collection, we’ve provided the following answers and insights to a few common questions.
When is a forensic image appropriate over a targeted collection of data?
If there is an investigatory component to the case or a need to recover deleted files, creating a forensic image of a custodian’s hard drive can provide insight into some of the custodian’s actions over time. A forensic image also collects unallocated space on the hard drive where deleted files—or parts of deleted files—may be recovered.
In most civil litigations, it isn’t necessary to collect a custodian’s entire hard drive. The real need is to collect the user-created data of the custodian relevant to the case. Performing a targeted collection is a smarter, more precise way to collect data for most e-discovery cases.
What is the difference between “self-selection” and “self-collection”?
These refer to two different stages of ESI collection. First you need to select what to collect, and then you need to actually collect it.
There is some benefit to including the custodian in the selection stage, because he or she typically knows their data the best. But the whole burden of selection shouldn’t rest with the custodian. The legal team should be involved, as they will also have insight into what data is relevant to the case and potentially responsive to production requests. The IT team can help collect relevant data from your network.
Unguided self-collection is rarely a good idea. Even if the custodian is trustworthy and fully aware of his or her legal obligations, there are too many opportunities for spoliation if the collection process isn’t performed correctly. For example, if a custodian tried dragging-and-dropping files onto an external hard drive or emailing them to the case team, some metadata fields on those files would change. That could make a collection not defensible, and even open the door to sanctions.
Is targeted collection defensible?
Absolutely. Ultimately, you need to make sure that your collection is complete, and that you didn’t change any data. Collaboration with the custodian, members of the custodian’s IT team, and the attorneys handling the case can help ensure the completeness of a collection. Collecting the targeted data in a forensically sound manner with a systematic, repeatable approach can help guard against spoliation.
Documenting the collection and providing transparency into your methods will also strengthen your defense. For example, Relativity Collection provides backup documentation that compares the unique hash values of the files when they existed on the custodian’s computer to identical hash values of the files after collection. Evidence like that should quash any claims of spoliation.
What makes an efficient collection?
When you collect only what you need, you reduce the volume and increase the relevancy of your data at the beginning of the e-discovery process. Therefore, the processing, review, and analysis phases become less time-consuming and expensive.
Collection methods that require direct, physical access to custodians’ computers can be inefficient, because they often add time and travel expenses to the collection process. The ability to collect data remotely, while still adhering to a systematic and defensible process, can greatly reduce the time, money, and effort needed for collections.
We hope these thoughts will help guide you in developing a collection strategy that is complete, forensically sound, and efficient for the task at hand. Remember, you can always reach out to the advice@Relativity team for workflow guidance or feedback.