The common theme in technology is that the only consistency is change. For one, quarterly and bi-annual software updates have given way to dynamic release schedules. Similarly, how data preservation worked yesterday may be different than how it works today. With rapid changes occurring in the tech sector, including contingency options based upon technological evolution is an important element of crafting an ESI protocol that may protect you from what you don’t know that you don’t know. Here are five hypothetical examples of how inadvertent preservation and/or production blunders may result from unanticipated tech change:
1. Standard practice for collecting business communication in LinkedIn messages starts with the understanding that when a user has a Free LinkedIn or LinkedIn Premium account, LinkedIn maintains messages in the user’s profile under the export option for all communications. There are actually nine different types of LinkedIn accounts as of this writing. However, if the user upgrades their account to LinkedIn Sales Navigator or LinkedIn Recruiter and the various add-on variations, following the upgrade date, the user’s profile will contain only outbound messages exchanged with a 1st degree connection. After the migration, any messages with anyone beyond the 1st degree of connection will not be exported, and there is no warning that the export is not complete. These unexported messages are available only from LinkedIn via subpoena or potentially paying LinkedIn an additional fee for this capability as it is not available to the Administrator or account owner as of this writing. Many collaborative software platforms are similar in offering more than one account option in the attempt to optimize revenue, and the exports may contain different data over time, so testing is important to ensure messages aren’t missed.
2. During an urgent imaging of a new Samsung phone which has stored text messages, the forensics examiner is instructed specifically to not look at the image. Using the latest version of the forensics software tool, the text messages are not captured due to interoperability issues. The forensics software provider does not list the phone as a supported phone or operating system version; and, because the forensics examiner was not informed of the make and model of the phone until on premise, they could not verify the tool’s compatibility in advance. If the litigation support department does not communicate to the case team that the phone was imaged but the messages are not there due to technical limitations before the close of the discovery window, text messages will not be preserved or produced.
3. An organization regularly uses Google Workspace internally amongst their employees and document links (also known as linked files, hyperlinked documents, pointers or modern attachments) to collaborate in the ordinary course of business. When preserving they engage an external provider who uses Metaspike’s FEC to access the API to grab emails and corresponding linked files of a file that predates the email transmission date (an eDiscovery practitioner also has the option of grabbing all versions or the latest version of the file corresponding to a link). However, the company uses the archiving function regularly, which was not contemplated in the preservation through how linked files were grabbed, and thus the archived emails are only available in Google Vault or by preserving the All Mail Folder. Without the knowledge of where all the emails reside, emails were missed, creating an incomplete production. Metaspike’s FEC recently introduced the ability to more cleanly capture the linked files (only most recent version) that go with archived emails within the Vault export, requiring additional work by the practitioner and increased costs. Also, if you are trying to preserve the folder path that corresponds to emails and how they are stored in the ordinary course of business, grabbing the All Mail Folder can produce redundancies with email in other folders except for the archived emails.
4. Preserving Slack data can be nuanced. Like many collaboration suites, export options vary depending on the license held by the organization. If the organization holds a Slack Enterprise Grid plan, the collection can be “custodian driven,” as Slack allows for the export of all data for a unique user. Without the Enterprise Grid license, locating all the data for a single user requires first locating all the channels in which the user participated over the course of the relevant period. However, if a Slack user opts out of a Slack channel prior to the date of preservation, this methodology of looking for participants within channels may not capture all relevant communications because the user is not a member of that channel on collection day. The “snapshot” exported is as of the day of preservation; if the user left the channel three days before preservation, they will not be included in the data exported when collection takes place on day four. To rectify that, the history of all channels needs to be reviewed for all relevant custodians, and that could potentially be quite burdensome. The best practice is to check the license plan before proceeding.
5. WYSIWYG (What You See Is What You Get) issues can pose a major issue in eDiscovery. For example, there is a known example where a recipient on an earlier Samsung device saw a revolver emoji while the sender, using a later version of a Samsung phone and Android operating system, sent an emoji of a squirt gun stating, “Let’s play at the park.” The message sent and the message received can be subject to differing interpretations easily and with serious consequences. If you were searching for a revolver, you wouldn’t find the squirt gun. These issues occur due to the same Unicode characters being rendered differently depending on the font sets translating the input and other variances across operating systems, browsers, and devices.
eDiscovery should not be used as a weapon to punish litigants or data custodians. eDiscovery, like discovery in general, is designed to facilitate fact-finding and evidence collection. There is no doubt that eDiscovery competency should be required, however, the world of technology is complex and dynamic. “Oopsies” happen for a variety of reasons, often as simple as the evolution of technology. Allowing for good faith omissions by those that truly attempt to do the right thing and allowing for interoperability or technical glitches that happen and can be potentially rectified when revealed, allows eDiscovery to support the aim of getting the facts into courts where they can be adjudicated.
