The Perils of Data Collection in High Stakes Litigation: Which Approach Is Right For Your Organization?


E-Discovery Insights – Clearwell Systems, Inc.

Many organizations involved in litigation, investigations, or audits struggle
to meet deadlines for collecting and producing electronically stored
information (ESI) from employees without breaking the budget. The
biggest challenges are typically faced by large organizations with multiple
offices and large numbers of employees. However, even smaller
organizations with few offices face challenges if they have remote
employees or employees who travel frequently, aka road warriors. In this
first of a two-part series, I’ll discuss when and why organizations should
choose a manual collection process. Part two will discuss the advantages
and disadvantages of two automated data collection approaches.
In each situation, the organization is faced with a request for ESI and some
portion of the potentially relevant ESI is located in remote offices or on
laptops used by road warriors. Preserving and collecting ESI across
multiple systems such as email and file servers, archival systems, Microsoft SharePoint, and personal computers can
be challenging whether these systems are located centrally or in the cloud. Common challenges include:
• Pressing deadlines
• Risk of data loss or deletion
• Failure to produce responsive data without legal justification
• Lack of information technology (IT) department resources
• Miscommunication between the IT and legal departments
These challenges are compounded for organizations with remote offices or road warriors because more coordination
and effort are inevitably required, thereby increasing expenses and the risk of failure. The key to success is
determining which data collection approach is best for your organization. First, let’s discuss the traditional manual
The Traditional Manual Approach
There are two different manual data collection approaches that organizations utilize with varying degrees of success:
employee self-collection and IT assisted collection.
Employee Self-Collection
The various data collection approaches often begin as part of an investigation, litigation discovery, or audit that
requires the identification of employees likely to have data relevant to a particular matter. Those employees, or data
custodians as they’re called, are asked to forward or copy any relevant ESI they possess to a centralized location or
storage device where the data is stored for later analysis and review by the legal team. One problem with this
approach is that copying files could result in metadata information such as document dates being altered.
Another problem with this approach is that custodians’ memories fade over time and they may forget to produce
relevant ESI. Even worse, a custodian with a personal stake in the investigation may intentionally delete the very
files being requested in an effort to thwart the investigation. These scenarios could result in the organization facing
sanctions or penalties, making employee self-collection a potentially risky and costly approach in almost any situation
involving multiple custodians, offices, or large amounts of data.
IT Assisted Collections
The IT assisted collection approach is another manual approach that eliminates some of the risks associated with the
employee self-collection method, but this approach often presents different challenges and often leads to “over
collection” of ESI. Typically one or more employees in the IT or IT Security Department are instructed to collect data
from employees believed to have information relevant to a particular case. To avoid overlooking or losing data, the IT
resources collect data from numerous locations using computers loaded with specialized collection software. Data to
be collected from each relevant employee often resides on numerous devices including laptops, desktops, file
servers, email servers, and other sources. Once all the data for each custodian is
collected from each data source, the data is copied and consolidated to a removable hard drive or drives where it
awaits future processing, analysis, and review by the legal department. Unfortunately for the IT department, this
entire process is repeated for every new case and often results in a significant loss of productivity.
IT assisted collections were once the norm because this process was thought to represent the most efficient and
effective way to avoid the risk of sanctions posed by the employee self-collection approach. However, this approach
is quickly falling out of vogue for two reasons:
First, IT assisted collections can increase the time, cost, and risk associated with data collection because the use of
different technology tools can be challenging. Organizations applying the IT assisted collection approach typically
rely on off-the-shelf software such as Guidance EnCase, Robocopy, ExMerge, AccessData’s Forensic Toolkit (FTK)
or other tools to collect data from each relevant custodian. Frequently, different tools are utilized to collect data from
different data sources. For example, it is not uncommon for the IT department to use ExMerge to collect from
Microsoft Exchange, Robocopy to collect from file servers, EnCase to collect from laptops and desktops, and even
other proprietary tools to collect data found in commonly used archives. In addition to being time consuming, utilizing
multiple tools to collect and consolidate data results in licensing, training, and maintenance costs for each product,
and the risk of data loss or alteration is heightened since data collected from multiple tools must eventually be
exported and consolidated for further processing, analysis, and review. Lastly, using multiple IT staff with varying
levels of expertise to collect data arguably increases the risk of metadata being altered and complicates the ability to
maintain accurate chain of custody logs. In practice, many organizations using multiple collection tools spend
countless hours trying to manually maintain chain of custody reports using Excel spreadsheets while other
organizations simply neglect or ignore chain of custody requirements. Each of these situations virtually invites
evidentiary attacks by savvy opponents.
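The two risks described above, document dates changing when files are copied and chain of custody records kept by hand, can both be handled at collection time. The following is an added example, not code from the article or from any of the tools it names: a minimal collector that preserves modification times, verifies each copy by SHA-256, and appends one custody record per file. The custodian and collector labels, folder names, and the sample document are constructed for illustration.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Hash in chunks so large evidence files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(src_root, dst_root, custodian, collector, log_path):
    """Copy files with timestamps preserved; log one custody record per file."""
    records = []
    for folder, _dirs, files in os.walk(src_root):
        for name in sorted(files):
            src = os.path.join(folder, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            before, src_hash = os.stat(src), sha256_of(src)
            shutil.copy2(src, dst)  # copy2 keeps the modification time; copyfile does not
            records.append({
                "custodian": custodian, "collector": collector, "file": rel,
                "collected_utc": datetime.now(timezone.utc).isoformat(),
                "size": before.st_size, "sha256": src_hash,
                "source_mtime": int(before.st_mtime),
                "content_verified": sha256_of(dst) == src_hash,
                "mtime_preserved": int(os.stat(dst).st_mtime) == int(before.st_mtime),
            })
    with open(log_path, "a", encoding="utf-8") as log:  # append-only JSON lines
        for r in records:
            log.write(json.dumps(r, sort_keys=True) + "\n")
    return records

def demo():
    """Constructed sample: one document last modified 2009-03-01 00:00 UTC."""
    work = tempfile.mkdtemp()
    src, dst = os.path.join(work, "custodian_share"), os.path.join(work, "evidence")
    os.makedirs(os.path.join(src, "contracts"))
    doc = os.path.join(src, "contracts", "draft.txt")
    with open(doc, "wb") as f:
        f.write(b"constructed sample document\n")
    os.utime(doc, (1235865600, 1235865600))
    naive = os.path.join(work, "naive_copy.txt")
    shutil.copyfile(doc, naive)  # plain copy: the document date becomes "now"
    recs = collect(src, dst, "custodian-A", "it-analyst-1", os.path.join(work, "custody.jsonl"))
    return recs, int(os.stat(naive).st_mtime)
```

Calling `demo()` returns the custody records together with the modification time of a plain copy of the same document, which shows the date drift that the preserved copy avoids.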
The second reason IT assisted collections are falling into disfavor is because the approach often results in the over
collection of data. To avoid the risk of sanctions or penalties resulting from data loss or deletion, sometimes entire
laptop and desktop hard drives are copied or “imaged” (frequently called a “forensic image”). Similarly, IT resources
are often incentivized to “copy everything” simply to avoid being forced to revisit data sources from which data has
already been partially collected in response to a new request for information.
The IT assisted approach of forensically imaging drives can be effective in limited situations including criminal
investigations and intellectual property theft cases since these matters sometimes require the recovery and analysis
of deleted files, internet browsing history, and other non-user generated files for a discrete number of custodians.
However, since most large matters do not require this degree of data recovery for most data sources, unnecessarily
collecting data by making forensic images often results in a significant waste of time and money.
Which Approach is Right for Your Organization?
The risks and expenses associated with both manual approaches described above are often so high that
organizations sometimes decide it is economically more efficient to settle lawsuits even when the lawsuit lacks merit.
This untenable position has led many organizations to seek more efficient and repeatable methods to manage data
collection that are automated. These automated approaches will be explored in my next post.