14 November 2011
11 April 2013
21 January 2014
25 September 2013
27 January 2014
20 June 2013
With so many tools of communication now in use, identifying the locations of stored data and their various laws regarding disclosure is essential, say Phil Beckett and Tristan Jenkinson
In our increasingly digitised world the way people interact and communicate has changed and is indeed still changing. As a result, the analysis required of communications data prior to disclosure is evolving continually and becoming ever-more complex.
Once upon a time the written word was everything. The analysis of communications would have involved the review of printed letters and other written correspondence.
Since the rise of technology and its extended use within the workplace methods of communication have changed considerably. We now expect to consider voice-recorded data from telephone calls, email data and instant chat data as well as messages sent or received on mobile phones, as content to investigate for potential disclosure.
Once these multiple forms of communication data have been identified, two prominent questions remain: where is the data stored and which policies are in place regarding that data? These questions can be applied to a wide range of electronic documents and are not specific to only communications data.
Knowing the answers to these questions is half the battle. A sign of a company well-prepared for disclosure is the provision of a ’data map’ detailing what information is available for any given custodian, where that information is stored and a list of the policies involving those pieces of data.
Where data resides can be a problem in itself. For example, if a custodian of a US company works in Switzerland with their data stored on servers in France and email data stored in Germany, there is a plethora of questions that has to be discussed in order to identify which laws are applicable - not only to the data capture process,
but also to where the data can be transported, processed and reviewed.
There are numerous jobs where it is necessary for data collection, processing and review to be performed onsite due to the nature of the applicable data privacy laws, client-driven secrecy concerns and security laws. This must be a consideration for any cross-jurisdictional disclosure case. It may be possible for responsive data to be removed to a central repository, for example in the UK, and then reviewed further prior to disclosure, but this depends on the relevant laws.
On one such engagement, due to the sensitive nature of the underlying data, a process was implemented to ensure that the data provided for further review was linked specifically to a dispute and would not breach local legislation. This involved setting up a series of review environments where only filtered or ’cleared’ data could pass through to the next stage, while always maintaining a complete evidential trail to account for how the data was handled.
The question regarding which policies are in place can provide some interesting challenges. It may be that a source of data, such as instant chat messages or email, may be subject to an archiving or backup policy. Depending on the timeframe of the case, either source, current or backup, may need to be captured and reviewed. In many cases it could be necessary to capture both, thus deduplication needs to be implemented to ensure that overlap between the current and backup data sources is minimised.
lthough this sounds straightforward, it can become complex if the data is maintained in different formats in different environments.
Instant chat data can originate from multiple organisations’ systems, and each organisation might store their data in different formats. In order to both deduplicate this data and build a consistent and complete conversation trail, algorithms need to be devised that harmonise the two systems, deduplicate the data, rebuild conversations from their constituent parts and then present the output in a review-friendly environment. This allows them to be searched, analysed and reviewed efficiently.
The relevant policies may also assist identification of additional data that may need to be preserved but not yet reviewed. This can cover either additional custodians or additional timeframes. If the scope of the discovery shifts or expands, this not only ensures that the data has already been preserved and can be made available quickly for review, but also eliminates the possibility of data being lost due to the relevant data retention policies in place.
At the end of the day, it is essential that a flexible yet robust procedure is followed to ensure that all data is handled in an appropriate manner and that it is made available for review in a swift and comprehensive way, allowing for any legal or technological factors to be accommodated.
Phil Beckett is managing director and Tristan Jenkinson senior consultant of forensic technology at Navigant