5 Best Practices for Digital Evidence Collection and Preservation for Internal Investigations and eDiscovery

The rise of electronically stored information (ESI) is both a blessing and a curse for eDiscovery professionals. On one hand, it can be easier to manage and handle digital data than to find yourself buried in paper records—provided you have the right tools, of course. But by the same token, you have to know what the right tools are and how to use them in order to effectively manage ESI.

Even if you have fully embraced the digital era, the sheer volume of ESI can make evidence preservation and collection feel daunting, especially when organizations are conducting an internal investigation. In this post, we’ll discuss how to efficiently preserve and collect digital evidence in response to a triggering incident.

This topic is more important now than ever before because an increasing amount of the digital evidence organizations have is stored across a variety of different locations, which makes it difficult to manage and protect. When an incident occurs, you want to be able to preserve and collect that evidence quickly and efficiently.

In this blog, we’ll review some background and consider some of the common mistakes you should avoid when preserving and collecting ESI. We’ll then set out five best practices that will help you manage digital evidence during an internal investigation.

Contents:

Why digital evidence is becoming more important

What does evidence preservation mean when it comes to ESI?

What does evidence collection mean when it comes to ESI?

Common mistakes to avoid when preserving and collecting ESI

5 best practices for preserving and collecting digital evidence

How technology can streamline and simplify your evidence preservation and collection processes

Why digital evidence is becoming more important

Digital evidence (or electronic evidence) is any digital information, received from computers, audio files, video recordings, digital images, etc., that may be relied on in court.

Digital evidence is increasingly becoming a central part of internal investigations. With more workers clocking in remotely since the beginning of the coronavirus pandemic, conversations between employees have moved to online messaging and collaboration apps. As the volume of potentially relevant ESI continues to grow, more and more issues pertaining to managing and handling digital evidence plague the organizations handling these investigations.

Moreover, the digital forensics market is expected to surge in the coming years, due in part to rising fraud and identity theft worldwide. This rise in fraud and identity theft calls for even more effective and efficient evidence preservation and collection practices to avoid spoliation during an investigation.

What does evidence preservation mean when it comes to ESI?

Evidence preservation is the act of keeping potentially relevant ESI intact and preventing it from being lost, deleted, destroyed, or altered. A party has a duty to preserve relevant ESI as soon as it can reasonably anticipate that litigation will occur. Because investigations can in some cases lead to litigation, it’s important to think about preserving evidence as soon as you start an investigation.

Proper preservation is imperative because mistakes in this area can be irreversible—if evidence that isn’t properly preserved is altered or deleted, it may be lost forever. In litigation, this loss of evidence is called spoliation, and it can result in court sanctions. In serious instances, those sanctions can include an adverse inference jury instruction or judgment against the spoliating party.

Your organization can do several things to ensure the preservation of necessary evidence. For example, you can implement and comply with a comprehensive records retention policy in the long term, issue a clear and concise legal hold in the short term, and keep original data intact by only working on copies during the investigation and discovery process.

What does evidence collection mean when it comes to ESI?

In terms of ESI specifically, evidence collection is the process of gathering potentially relevant data from wherever it is stored.

Evidence collection is an important part of conducting internal investigations and eDiscovery. Accuracy in scoping a collection effort is imperative. Under-collection can lead to ineffective discovery because important evidence isn’t available. If that evidence isn’t preserved, it could even result in sanctions for spoliation, as discussed above. On the other end of the spectrum, over-collection wastes time and resources and can cause your legal team to miss discovery deadlines because they’re attempting to grapple with too much data.

How do you collect ESI? You may work with your information technology (IT) department, a third-party vendor, or self-service technology that enables remote collection. Regardless of the method or methods you choose, there are three steps you should take before collecting ESI:

  1. Establish a project leader. The project leader will likely be someone belonging to your organization’s legal department or—if applicable—outside counsel.

  2. Outline a general collection strategy. This strategy should be well-documented and instruct all persons and departments involved on how to gather and submit relevant data.

  3. Outline specific collection strategies for different data locations. These data locations include email inboxes, hard drives, and cloud-based services.

Common mistakes to avoid when preserving and collecting ESI

There are a number of common mistakes involving evidence preservation and collection that you can avoid entirely. When it comes to preservation, these mistakes include:

  • neglecting to create a records retention plan to explain your routine destruction of outdated information;
  • failing to respond to a complaint by initiating an investigation, or failing to recognize a triggering event that would reasonably make one aware that litigation could occur, such as firing an employee, receiving a third-party complaint or demand letter, or becoming subject to an enforcement investigation by an outside entity;
  • issuing dense and incomprehensible legal hold letters that data custodians cannot readily understand;
  • failing to periodically update custodians and remind them of ongoing legal holds; and
  • allowing spoliation to occur due to poor cybersecurity, lack of adequate policies and procedures, or alteration of data.

On the collection side, common mistakes include:

  • collecting too little evidence, such that necessary evidence is not available;
  • collecting too much evidence and thereby overwhelming review teams;
  • attempting to manually cull through ESI for potentially relevant data instead of leveraging technology; and
  • failing to employ and record defensible collection tactics.

How can you avoid making mistakes like these? We’ve outlined five best practices that can help.

5 best practices for preserving and collecting digital evidence

Here are five best practices that your organization can implement to master preservation and collection of digital evidence.

  1. Recognize triggering events when they occur.

To prevent loss of evidence, your organization must be able to identify events that trigger the duty to preserve. A triggering event may occur long before a complaint is filed, particularly in a situation where litigation follows an internal investigation. The factors determining whether an incident would reasonably lead to litigation vary by organization and circumstance. Therefore, your organization must be mindful of investigations and other incidents that could result in the filing of a complaint. Give particular consideration to conduct that sparks an internal investigation, such as a complaint about workplace harassment or discrimination, as this could later lead to litigation or a regulatory investigation.

  2. Distribute a clear legal hold notice and keep custodians updated.

Once you’re aware of a triggering event, you need to advise the custodians of potentially relevant data of their obligation to preserve that evidence. This is generally done through a clear and concise legal hold notice that outlines the gist of the matter and the scope of the evidence that must be preserved. A legal hold notice should tell custodians exactly what they must do and explain why they are doing it and how long they will have to continue doing so.

Your legal hold process should also include a way to verify that custodians have received the notice and acknowledged their intent to comply. From there, you should keep your custodians updated on how the situation unfolds, periodically reminding them of the legal hold and their preservation obligations. Your legal hold process should also include a means to release the hold when the matter is concluded, signaling a return to normalcy.

  3. Document the chain of custody.

If litigation follows an investigation, you’ll need your evidence to be forensically sound. That requires being able to account for its whereabouts throughout the course of the investigation and eDiscovery.

Create a digital log to track the chain of custody and document the location and handling of each type of evidence. This log should demonstrate where evidence has traveled since its identification and which people and departments have accessed it, including staff and attorneys. Such details can become important if litigation occurs and you are called to defend your preservation and collection processes.

  4. Only work on copies of data.

When dealing with ESI, it is important to leave the original file intact and only work on copies of that data. This prevents inadvertently altering or damaging the data itself or its attached metadata.

  5. Use technology to manage data identification and collection.

An end-to-end eDiscovery solution can help your organization efficiently identify and gather relevant information during an investigation or subsequent litigation. Such tools can also prevent your organization from overlooking and failing to preserve relevant information.
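Practices 3 and 4 above (a chain-of-custody log and working only on copies) can be combined in one routine that hashes the original, makes a verified working copy, and records each step. The following Python is an added example, not code from the original post or from any eDiscovery product; the function names, the JSON-lines log format, the hash-linked `prev` field and the sample file are assumptions made for illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Stream the file so large evidence items do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def log_event(log_path, item, action, actor, digest):
    """Append one custody entry; each entry embeds the hash of the previous line."""
    lines = Path(log_path).read_text().splitlines() if Path(log_path).exists() else []
    prev = hashlib.sha256(lines[-1].encode()).hexdigest() if lines else "0" * 64
    entry = {"time": datetime.now(timezone.utc).isoformat(), "item": str(item),
             "action": action, "actor": actor, "sha256": digest, "prev": prev}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def make_working_copy(original, workdir, actor, log_path):
    """Copy the original, confirm the copy is bit-identical, and log both facts."""
    original = Path(original)
    before = sha256_file(original)
    log_event(log_path, original, "identified", actor, before)
    copy = Path(workdir) / original.name
    shutil.copy2(original, copy)  # copy2 also carries over file timestamps
    if sha256_file(copy) != before or sha256_file(original) != before:
        raise RuntimeError(f"hash mismatch while copying {original}")
    log_event(log_path, copy, "working copy created", actor, before)
    return copy

def verify_log(log_path):
    """Return True if every entry still links to the entry before it."""
    prev = "0" * 64
    for line in Path(log_path).read_text().splitlines():
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True

def demo():  # constructed sample: a small file standing in for a collected item
    root, work = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    src = root / "mailbox_export.txt"
    src.write_text("constructed sample evidence\n")
    log = root / "custody.jsonl"
    copy = make_working_copy(src, work, "analyst-1", log)
    return src, copy, log
```

The hash links expose edits to earlier entries, but entries removed from the end of the log go unnoticed unless the hash of the latest line is also recorded somewhere the log's custodians cannot change.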

How technology can streamline and simplify your evidence preservation and collection processes

Technology can help you preserve and collect evidence quickly and effectively. For example, eDiscovery technology can simplify the process of identifying and locating all relevant evidence, including evidence that has been misplaced or deliberately hidden.

Live Early Data Assessment (Live EDA) is particularly useful. With Live EDA, you can identify and locate the most relevant information before collection even begins, resulting in a lower volume of data that must be collected, reviewed, and analyzed. Live EDA also allows you to add new custodians or data sources to expand your inquiry at any time without having to start back at the beginning of the search process.

Technological solutions like Live EDA can help your organization more efficiently preserve and collect evidence, saving you time, money, and unnecessary stress.
