You might be tempted to seek direct access to opponents’ devices in cases where you suspect they have stolen data. Craig Ball says don’t do it – at least initially.

I’ll be honest, when I first read the title of Craig’s latest post Don’t Seek Direct Access to Opponents’ Devices in his excellent Ball in Your Court blog (available here), I thought “hmmm…”. But once I read it, it made sense.

Craig illustrates his point in the first paragraph when he says: “In a case where I’d identified evidence of a departing employee’s data theft, plaintiff’s counsel sought an affidavit in support of a motion to gain direct access to the new employer’s data storage to see how the stolen data was distributed and used.  I replied that I could supply the testimony but offered that the wiser strategy was not to move for direct access but instead seek an agreement or order that the other side’s forensic expert hew to an agreed-upon examination protocol.  That would afford opposing counsel a proper opportunity to withhold and log content deemed privileged or otherwise outside the scope of discovery.”

As Craig discusses, the key is the agreed-upon examination protocol. He notes that “a well-crafted forensic examination protocol ensures that the right evidence is scrutinized in the right ways, and material legitimately withheld is protected… By setting out what devices and sources need to be examined, what artifacts must be assessed and reported upon and how much oversight and transparency is allowed, the opposing expert serves as proxy for my hands and eyes.  Keyword searches and hash matching alone don’t cut it; a good examination protocol encompasses the singular signs of data theft and makes it difficult to suppress indicia of bad behavior.”

Craig even provides a link to a guide for Drafting Digital Forensic Examination Protocols (while noting that “proper protocols are tailored to the issues and evidence in the case, and constructed to promote integrity of process.”).

Having covered several cases containing “indicia of bad behavior” (including this one, this one, this one and this one), I can understand the temptation to jump straight to seek direct access to opponents’ devices in cases like those, but it should be a last resort. Just ask Craig Ball. Better yet, read his latest post here.

So, what do you think? How do you establish protocols for forensic examinations in your cases? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.