Yes, it’s an eDiscovery case law post, but with a twist! This time, I’m covering a post by Forensic Discovery which discusses the case Delta T, LLC v. Williams, No. 1:20-cv-559 (S.D. Ohio Jan. 12, 2021). In that case, Ohio District Judge Matthew W. McFarland granted the plaintiff’s motion to compel in large part: he granted the motion as to all interrogatories and document requests in dispute, as well as a limited third-party forensic inspection of the defendants’ electronic devices. He denied only the plaintiff’s request to compel Defendants to direct their mobile phone and internet carriers to provide the independent forensic examiner access to stored records of Defendants’ communications.
Forensic Discovery’s cleverly titled post – We’re Big Fans of This Case Law Ruling – discusses three terrific lessons learned as to how the plaintiff made and justified the forensic inspection request. It also mentions the Court Defined Procedure for conducting the forensic inspection, which Judge McFarland laid out in a terrific manner, with specific responsibilities and timelines for each party to follow (below). Check out their post here, the case ruling (via the link above) and also Kelly Twigger’s coverage of the case a few weeks ago for the ACEDS #caseoftheweek broadcast!
Here is Judge McFarland’s instructed procedure for the forensic inspection:
- Counsel for BAF, Williams, and Vortikul shall meet and confer regarding the designation of an independent forensic examiner (“Examiner”). They shall designate an Examiner within 30 days of this Order. If the parties cannot agree on an Examiner, each party shall submit its recommendation for an Examiner to the Court with a 1-page memorandum, and the Court shall decide.
- The Examiner, and any supporting staff, shall sign a confidentiality order. To the extent the Examiner and any additional staff have direct or indirect access to information protected by attorney-client privilege, such disclosure shall not result in any waiver of that privilege.
- Defendants Williams and Vortikul shall make all responsive computer equipment available, including applicable personal devices, to the Examiner for inspection, copying, and imaging at a mutually agreeable and non-disruptive time, but no later than February 26, 2021. Defendants shall provide to BAF a detailed report of all equipment produced for imaging by the same date.
- The Examiner shall then retrieve responsive documents and material by performing a search limited to the specified search terms found at ECF Document 36-15 at Page ID 1564-69 (Exhibit 14 to BAF’s motion to compel, Doc. 36).
- BAF shall pay for the Examiner’s time and services.
- Defendants Williams and Vortikul shall review the responsive files for privilege, create a privilege log, and produce the non-privileged files and the privilege log to BAF. The deadline to produce shall be within 28 days after the examination or March 26, 2021, whichever is sooner. If BAF objects to Defendants’ withholding of any document as privileged or otherwise, the parties shall meet and confer in good faith to resolve their differences. If they fail to resolve the matter between themselves, they shall follow the procedures outlined in the undersigned district judge’s standing order regarding discovery disputes.
- Defendants are not required, at this time, to authorize their mobile phone or internet carriers to provide the Examiner with access to Defendants’ stored records.
So, what do you think of the proposed forensic inspection procedure above? Please share any comments you might have or if you’d like to know more about a particular topic.
Case opinion link courtesy of eDiscovery Assistant, an Affinity partner of eDiscovery Today.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
Since you asked, I’m nonplussed by the favorable coverage of this decision. For a forensic examination and production protocol, it’s pretty lame. None of the coverage I saw reports on whether the examiner can assess and report on the integrity of the evidence. Did the user of the device delete evidence or seek to cover tracks? Neither does it enable analysis and reporting on the most important, forensically-significant artifacts attendant to data theft and non-compete actions. I’ve done more of these cases than any other in my career and I can tell you from long experience that keyword searches alone aren’t likely to reveal where the bodies are buried. Instead, I prefer to track what the user has done in terms of attaching storage devices, accessing cloud repositories and otherwise acting consistently with patterns of improper behavior. These revelations are typically gleaned from forensic analysis of artifacts, not lexical search.
I’ve seen this before in cases, where e-discovery analysts celebrate keyword search in forensics because they understand keyword even as they often don’t understand how often it’s unavailing in digital forensics.
Another flaw I see is the mistaken assumption that the data under scrutiny is, essentially, documents and files, mistakenly assuming it will be straightforward for defense counsel to mount a privilege review of keyword hits. In fact, many of the keyword hits will occur in areas of the media that know no bounds in terms of any character as a defined document or file. How do the parties propose to exchange and review hits in unallocated clusters? What form will be used? Once more, digital forensic analysis is different than e-discovery and requires recognition of quite different data structures. Too often, protocols elide over these differences and forensic examiners are left holding the bag.
Maybe this might have helped: http://www.craigball.com/Drafting_Forensic_Examination_Protocols_2018.pdf