Electronic Data Discovery of Electronic Data Discovery of Electronically Stored Information: Electronically Stored Information:

the Public Policy of CyberForensicsthe Public Policy of CyberForensics

A Uniquely American “Game”A Uniquely American “Game”

How EDD is Intended to Achieve Justice How EDD is Intended to Achieve Justice

Implicates Electronic Records Implicates Electronic Records ManagementManagement

What is EDD?What is EDD? Electronic Data Discovery, electronic discovery, e-Electronic Data Discovery, electronic discovery, e-

discovery discovery Process seeking electronic data, location, securing, search Process seeking electronic data, location, securing, search

intending its use as evidence in various tribunals: intending its use as evidence in various tribunals: E.g., internal investigations, regulatory enforcement, civil E.g., internal investigations, regulatory enforcement, civil

litigation, criminal prosecutionlitigation, criminal prosecution An evolving field much beyond the technology An evolving field much beyond the technology

raising legal, constitutional, political, security & raising legal, constitutional, political, security & privacy issuesprivacy issues Many such issues remain unresolvedMany such issues remain unresolved

EDD subfields: Computer, network & cyberforensics EDD subfields: Computer, network & cyberforensics Focusing on logs & files maintained on devices Focusing on logs & files maintained on devices

e.g., HD, server, routers, switches, flash drives, PDAs, phonese.g., HD, server, routers, switches, flash drives, PDAs, phones Files & logs include eMail, TM, IM, VM, files: text, images, Files & logs include eMail, TM, IM, VM, files: text, images,

calendar, databases, spreadsheets, audio, video, animation, calendar, databases, spreadsheets, audio, video, animation, Web sites, application programs, lists of sender, recipient, Web sites, application programs, lists of sender, recipient, routing, metadata, malware (e.g., viruses, Trojans, spyware) routing, metadata, malware (e.g., viruses, Trojans, spyware)

EDD Growth FactsEDD Growth Facts Proliferation of electronic dataProliferation of electronic data

Over 90% of business docs are created & stored Over 90% of business docs are created & stored electronicallelectronicall

Lyman, Peter and Hal R. Varian, Lyman, Peter and Hal R. Varian, How Much How Much InformationInformation, 2003 , 2003 http://www.sims.berkeley.edu/how-much-info-2003http://www.sims.berkeley.edu/how-much-info-2003

Cohasset Study: Cohasset Study: ““the majority of organizations are not prepared the majority of organizations are not prepared

to meet many of their current or future to meet many of their current or future compliance and legal responsibilities.”compliance and legal responsibilities.”

46% of surveyed firms have no formal 46% of surveyed firms have no formal recordkeeping procedures recordkeeping procedures

65% of firms do not include e-Docs among 65% of firms do not include e-Docs among documents systematically retaineddocuments systematically retained

Are Govt. Agencies, NGOs & Not-for-Profits Are Govt. Agencies, NGOs & Not-for-Profits worse?worse?

Under-served EDD opportunities are Under-served EDD opportunities are considerableconsiderable

EDD Importance of eMailEDD Importance of eMail Est. 500K eMail msgs per secondEst. 500K eMail msgs per second Replacing official correspondence Replacing official correspondence Contracts enforceable in emailContracts enforceable in email

Valid as offer or acceptance Valid as offer or acceptance Can be validated, authenticated & attributed Can be validated, authenticated & attributed

using electronic signatures, certificates, etc.using electronic signatures, certificates, etc. Broad public expectations that email utility Broad public expectations that email utility

depends on freedom of expression, depends on freedom of expression, particularly in fast changing environments, particularly in fast changing environments, despite async despite async e.g., commodities or financial market price e.g., commodities or financial market price

changeschanges Replaces phone or F2F conversationsReplaces phone or F2F conversations

Some High Visibility EDD CasesSome High Visibility EDD Cases

MS, Gates’ IE Bundling impact on NetscapeMS, Gates’ IE Bundling impact on Netscape Zubulake v. UBSZubulake v. UBS Warburg Warburg employment employment Morgan Stanley Perelman litigationMorgan Stanley Perelman litigation Martha Stewart insider trading caseMartha Stewart insider trading case Jack Grubman Jack Grubman

CitigroupCitigroup//Salomon Smith Barney telecom Salomon Smith Barney telecom analystanalyst

Types of leading cases & industry impact:Types of leading cases & industry impact: Financial services, antitrust, securities law, Financial services, antitrust, securities law,

employment, Pharmasemployment, Pharmas

Discovery Begets JusticeDiscovery Begets Justice Most foreigners amazed at U.S. style Most foreigners amazed at U.S. style

litigiousness litigiousness US defines individual rights broadlyUS defines individual rights broadly US justice system allows broad vindication US justice system allows broad vindication

Role of civil procedures to force transparencyRole of civil procedures to force transparency Discovery of embarrassing, exposing or Discovery of embarrassing, exposing or

incriminating evid incriminating evid Is US strength derived from transparencyIs US strength derived from transparency

Simplistic: political & economic freedoms, cultural, Simplistic: political & economic freedoms, cultural, historical, diversity, access to natural resources historical, diversity, access to natural resources

Are others nations future strength drawn from Are others nations future strength drawn from their lack of transparencytheir lack of transparency EX: EU Data Retention Directive only ISP & TelCo EX: EU Data Retention Directive only ISP & TelCo

data & only for Criminal, Counter-Terrorismdata & only for Criminal, Counter-Terrorism

A Litigator’s Vision of Discovery A Litigator’s Vision of Discovery ““As a litigator, I will tell you documents are As a litigator, I will tell you documents are

just the bane of our existence. Never write just the bane of our existence. Never write when you can speak. Never speak when when you can speak. Never speak when you can wink.”you can wink.” Statement of Jordan Eth, Statement of Jordan Eth, Sarbanes-Oxley: The Sarbanes-Oxley: The

Good, The Bad, The UglyGood, The Bad, The Ugly, Nov.10, 2005 on , Nov.10, 2005 on panel hostedby the National Law Journal and panel hostedby the National Law Journal and Stanford Law School’s Center on Ethics, Stanford Law School’s Center on Ethics, reprinted in reprinted in Nat.L.J. at p.18 (Dec.12, 2005).Nat.L.J. at p.18 (Dec.12, 2005).

Modern update:Modern update: ““Never type when you can write, Never speak Never type when you can write, Never speak

when you can whisper, never communicate when you can whisper, never communicate when its understood…”when its understood…”

EDD is a GameEDD is a Game More EDD & ERM costs than if Target More EDD & ERM costs than if Target

cheaply found the smoking guncheaply found the smoking gun But perceived costs if admissions avoided and But perceived costs if admissions avoided and

this was undetected this was undetected Natural reaction to hide misbehavior despite Natural reaction to hide misbehavior despite

some evidence of leniency if forthrightsome evidence of leniency if forthright Less social costs of litigation if discovery Less social costs of litigation if discovery

could become more efficient could become more efficient Reduced societal pressure for reforms that Reduced societal pressure for reforms that

eviscerate rights eviscerate rights EDD requires Strategic Planning & cross-EDD requires Strategic Planning & cross-

functional teamsfunctional teams

Technology Advantages in Technology Advantages in LitigationLitigation

Time saving Time saving Reduced cost Reduced cost

EX: photocopying, review, codingEX: photocopying, review, coding Automated production of required Automated production of required

docs docs Mechanizes Review:Mechanizes Review:

Quickly sift or manipulate info to discover Quickly sift or manipulate info to discover patterns, inconsistencies & hidden issuespatterns, inconsistencies & hidden issues

Imposes planning & structure to Imposes planning & structure to manage information & case manage information & case preparationpreparation

Non-Responsiveness is PunishedNon-Responsiveness is Punished

Discovery Sanctions ordered against:Discovery Sanctions ordered against: Arthur Andersen, UBS Warburg, Morgan Arthur Andersen, UBS Warburg, Morgan

Stanley, Martha StewartStanley, Martha Stewart Legal Counsel sanctioned for encouraging Legal Counsel sanctioned for encouraging

non-responsivenessnon-responsiveness E.g., Rambus discovery sanctions- privilege lost E.g., Rambus discovery sanctions- privilege lost

Significant experience with hair-splittingSignificant experience with hair-splitting Response to broaden requests & include Response to broaden requests & include

excessive granularity in detail excessive granularity in detail Give us every document, letter, memo, email…Give us every document, letter, memo, email…

Ignoring a Smoking Gun Is FailureIgnoring a Smoking Gun Is Failure Litigating parties have incentive to do EDD Litigating parties have incentive to do EDD

“fishing expeditions”“fishing expeditions” Huge discovery burdens incentivize EDD targets to Huge discovery burdens incentivize EDD targets to

settlesettle Arguably lawyer malpractice not to pursue Arguably lawyer malpractice not to pursue

aggressive EDDaggressive EDD Smoking guns are increasingly decisive Smoking guns are increasingly decisive Defendants have been successful with Defendants have been successful with

litigation & tort reforms focused on early litigation & tort reforms focused on early case dismissal before incurring these huge case dismissal before incurring these huge discovery costsdiscovery costs EX: ’95 PSLRA’s Automatic Stay of Discovery EX: ’95 PSLRA’s Automatic Stay of Discovery

The Cost of EDD in Court Cases (US)The Cost of EDD in Court Cases (US)

0

50

100

150

200

250

300

1999 2000 2001 2002

EDD

US Millions

12.1.06: new FRCP are 12.1.06: new FRCP are CyberForensics WatershedCyberForensics Watershed

Recognition of EDD, ESI, ERM Recognition of EDD, ESI, ERM New Processes still NeededNew Processes still Needed FRCP is Model for all ESI Processes in Range of FRCP is Model for all ESI Processes in Range of

TribunalsTribunals CriminalCriminal CivilCivil RegulatoryRegulatory Congressional Watchdog CommitteesCongressional Watchdog Committees Internal InvestigationsInternal Investigations SROsSROs ADRADR Counter-Terrorism, eSurveillance, IntelligenceCounter-Terrorism, eSurveillance, Intelligence

Electronically Stored Information (ESI)Electronically Stored Information (ESI)

Undefined explicitlyUndefined explicitly Nevertheless generally understood as:Nevertheless generally understood as:

information created, manipulated, communicated, information created, manipulated, communicated, stored, & optimally used in digital formstored, & optimally used in digital form

Requires use of computer & softwareRequires use of computer & software ESI distinguishable from “conventional” or ESI distinguishable from “conventional” or

analog records analog records E.g., writing/typing/printing stored on paper, E.g., writing/typing/printing stored on paper,

images printed on paper, analog photographic images printed on paper, analog photographic images, analog sound or video recordings, images, analog sound or video recordings, microfilm …microfilm …

Electronic EvidenceElectronic Evidence

Computer actions – electronic traces from email, Computer actions – electronic traces from email, invoices, viruses, hacker attacks, web activity, invoices, viruses, hacker attacks, web activity, communicationscommunications

Network Log dataNetwork Log data Personal device log data Personal device log data Includes Actual Content, Attachments &/or Meta Includes Actual Content, Attachments &/or Meta

Data Data Meta Data can provide audit trail contained in log files, Meta Data can provide audit trail contained in log files,

meta data (descriptions or properties of data-files or meta data (descriptions or properties of data-files or emailemail) )

Business records open to pre-trial discoveryBusiness records open to pre-trial discovery U.S. adversary system permits preparation for trial by U.S. adversary system permits preparation for trial by

accessing facts relevant to case, if held by opponent or accessing facts relevant to case, if held by opponent or 3d parties 3d parties

Pre-Trial Investigation Pre-Trial Investigation

Conducted both pre/post filingConducted both pre/post filing Private InvestigatorsPrivate Investigators

Traditional & electronic sleuthing constrained Traditional & electronic sleuthing constrained by privacy, eavesdropping, wiretap, etc.by privacy, eavesdropping, wiretap, etc.

Factual & witness (informal) discoveryFactual & witness (informal) discovery Consensual interviewsConsensual interviews Search expertsSearch experts Internal investigationsInternal investigations Game theoretic & strategic considerationsGame theoretic & strategic considerations

Pre-Trial DiscoveryPre-Trial Discovery

Act or process of finding or learning Act or process of finding or learning something that was previously unknown something that was previously unknown

Right of all litigants in the U.S.Right of all litigants in the U.S. Compulsory disclosure, at any opposing party's Compulsory disclosure, at any opposing party's

request, of information that relates to the litigation request, of information that relates to the litigation Limits:Limits:

Limits imposed given long history of intentional & Limits imposed given long history of intentional & harassing burden imposed on opposing partiesharassing burden imposed on opposing parties

But, such limits not intended to assist discovery But, such limits not intended to assist discovery target in hiding relevant informationtarget in hiding relevant information

Discovery ProcessDiscovery Process

Litigants request information from Litigants request information from the opposing party relevant to issues the opposing party relevant to issues raised in claims and defenses raised in claims and defenses

Traditionally: Traditionally: InterrogatoriesInterrogatories DepositionsDepositions Examination Examination Production of Documents Production of Documents

Continuing Role of Traditional Continuing Role of Traditional DiscoveryDiscovery

Interrogatories may still be useful:Interrogatories may still be useful: Requesters may query about:Requesters may query about:

Repositories of printed docsRepositories of printed docs ESI existence, custodians, formats & locationsESI existence, custodians, formats & locations

Interrogatories must be answered accurately & Interrogatories must be answered accurately & completely completely

Potential challenge to inventory exhaustivelyPotential challenge to inventory exhaustively EX: portable storage devices, PDAs, laptop EX: portable storage devices, PDAs, laptop

computers, cellphones, iPods,flash memory devices computers, cellphones, iPods,flash memory devices (thumbdrives)(thumbdrives)

But, more cooperation now requiredBut, more cooperation now required

Definitions of Computer ForensicsDefinitions of Computer Forensics

““The application of computer investigation The application of computer investigation and analysis techniques in the interests of and analysis techniques in the interests of determining potential legal evidence.”determining potential legal evidence.”

““The The sciencescience of acquiring, preserving, of acquiring, preserving, retrieving, and presenting data that has retrieving, and presenting data that has been processed electronically and stored been processed electronically and stored on computer media.” (FBI) on computer media.” (FBI)

The discovery, recovery, preservation The discovery, recovery, preservation & control of digital data or documents & control of digital data or documents

Analysis, verification and presentation of Analysis, verification and presentation of eVidence in court & internal investigations eVidence in court & internal investigations

Computer/Network ForensicsComputer/Network Forensics

Forensics - search for eVidence by file Forensics - search for eVidence by file content analysis, meta-data, logs & content analysis, meta-data, logs & expensive erasure recovery techniquesexpensive erasure recovery techniques EX: post-erasure shadow may remain of un-erased EX: post-erasure shadow may remain of un-erased

magnetic filings, even after repeated overwritesmagnetic filings, even after repeated overwrites

Targeting electronic devices: Targeting electronic devices: computers, cell phones, PDAs, voice-mail, servers, computers, cell phones, PDAs, voice-mail, servers,

disks, zip drives, backup tapesdisks, zip drives, backup tapes

Targeting communications: Targeting communications: email, Internet transmissions, IM, chat rooms, email, Internet transmissions, IM, chat rooms,

listservs, usenet groupslistservs, usenet groups

Locations for the Recovery of eVidence: Locations for the Recovery of eVidence: Data RepositoriesData Repositories

Network Workstations and LaptopsNetwork Workstations and Laptops File Servers, Shared DrivesFile Servers, Shared Drives Application Servers, Enterprise ApplicationsApplication Servers, Enterprise Applications

EX: Peoplesoft, SAPEX: Peoplesoft, SAP Home or Offsite ComputingHome or Offsite Computing Paper Documents, Current office long term Paper Documents, Current office long term

storagestorage Diskettes, DVDs, CDs, Portable Storage Diskettes, DVDs, CDs, Portable Storage

DevicesDevices Backup media tapeBackup media tape Network Email serversNetwork Email servers Mobile Devices, Blackberry, Palm, Pocket PCMobile Devices, Blackberry, Palm, Pocket PC Instant MessageInstant Message

Locations for the Recovery of eVidenceLocations for the Recovery of eVidence

Computer files & meta dataComputer files & meta data Recycle Bins, including dates of deletionsRecycle Bins, including dates of deletions Backup tapes & other archivesBackup tapes & other archives Logs & cache filesLogs & cache files Slack & unallocated spaceSlack & unallocated space Email, copies to self, forwarded messages, Email, copies to self, forwarded messages,

and deleted messages foldersand deleted messages folders SWAP files – This is a memory expanding SWAP files – This is a memory expanding

feature that downloads data from main feature that downloads data from main memory to a temporary storage area on PCmemory to a temporary storage area on PC

33rdrd Party Providers, ie ISPs Party Providers, ie ISPs

What Forensics can FindWhat Forensics can Find Computer forensics can reveal what users Computer forensics can reveal what users

have done on the network:have done on the network: Theft of trade secrets, intellectual property, and Theft of trade secrets, intellectual property, and

confidential dataconfidential data Defamatory or revealing statements in chat Defamatory or revealing statements in chat

rooms, use net groups, or IMrooms, use net groups, or IM Sending of harassing, hateful, objectionable Sending of harassing, hateful, objectionable

emailemail Downloading criminally pornographic materialDownloading criminally pornographic material Downloading & installation unlicensed softwareDownloading & installation unlicensed software Online gambling, Insider trading, solicitation, Online gambling, Insider trading, solicitation,

drug traffickingdrug trafficking Which files accessed, altered, or savedWhich files accessed, altered, or saved

Consequences for Failure to Consequences for Failure to Comply with DiscoveryComply with Discovery

Cannot destroy what is expected to Cannot destroy what is expected to be subpoenaed be subpoenaed

Procedural law in federal & state cts Procedural law in federal & state cts require compliance with discovery require compliance with discovery requests requests

Risks of non-complianceRisks of non-compliance Spoliation Spoliation Obstruction of JusticeObstruction of Justice

Spoliation Spoliation

Tort - interference with or destruction of Tort - interference with or destruction of evidenceevidence

Defense to tort Defense to tort Adverse Evidentiary Interference or Adverse Evidentiary Interference or

Presumption - unable to prove case Presumption - unable to prove case because of destruction because of destruction

Discovery SanctionDiscovery Sanction P&G sanctioned $10,000 for not saving email P&G sanctioned $10,000 for not saving email

communications of 5 key employees P&G ID’dcommunications of 5 key employees P&G ID’d Default Judgment Default Judgment

Employees knowingly destroyed documents Employees knowingly destroyed documents

Obstruction of JusticeObstruction of Justice Definition: crime of offering Definition: crime of offering

interference of any sort to the work interference of any sort to the work of police, investigators, regulatory of police, investigators, regulatory agencies, prosecutors, or other agencies, prosecutors, or other (usually government) officials (usually government) officials

Often, no actual investigation or Often, no actual investigation or substantiated suspicion of a specific substantiated suspicion of a specific incident need exist to support an incident need exist to support an obstruction charge obstruction charge

EX: Arthur Anderson, Enron, MarthaEX: Arthur Anderson, Enron, Martha

Admissibility of EvidenceAdmissibility of Evidence

Relevance, materiality & Relevance, materiality & (in)Competence(in)Competence

Authentication (proof justifying proof)Authentication (proof justifying proof) Chain of Custody Chain of Custody

HearsayHearsay Business RecordsBusiness Records

PrivilegesPrivileges Expert witnesses & scientific evidence Expert witnesses & scientific evidence

Exemptions for Privileged InfoExemptions for Privileged Info Privileges Intended to Encourage free flow of Privileges Intended to Encourage free flow of

info within certain preferred relationships info within certain preferred relationships Frank disclosure needed for service adequacy Frank disclosure needed for service adequacy

would not be forthcoming or deterred in futurewould not be forthcoming or deterred in future Protects privacy of client or beneficiary of Protects privacy of client or beneficiary of

relationshiprelationship Some Privileges: Some Privileges:

Primary: Attorney-Client & Work ProductPrimary: Attorney-Client & Work Product Others: Spousal; Professional Privileges (Doctor Others: Spousal; Professional Privileges (Doctor

Patient; PsychoTherapist-Patient; Clergy-Penitent); Patient; PsychoTherapist-Patient; Clergy-Penitent); News Reporter & Source; State Secrets (military, News Reporter & Source; State Secrets (military, diplomatic); Executive; Agency; Law Enforcement; diplomatic); Executive; Agency; Law Enforcement; Required Reports (Pentagon Papers, Watergate, Required Reports (Pentagon Papers, Watergate, Ollie North); Confidential Informant; Self-Ollie North); Confidential Informant; Self-Incrimination; Self-Evaluation Incrimination; Self-Evaluation

Challenge of Deleting eMails Challenge of Deleting eMails

As with most files in typical OSAs with most files in typical OS Deleting marks for possible overwriting later Deleting marks for possible overwriting later eMail & oter files remain un-erased in eMail & oter files remain un-erased in

various repositoriesvarious repositories EX: recycle bin, trash, server of client, network or EX: recycle bin, trash, server of client, network or

recipient(s), recipient(s) PCs, backups of all the recipient(s), recipient(s) PCs, backups of all the above, printouts, & forwarded recipients & above, printouts, & forwarded recipients & serversservers

Law recognizes NO higher expectation of Law recognizes NO higher expectation of privacy for eMail privacy for eMail

Recovering Deleted eMailRecovering Deleted eMail

Recoverable deleted files are discoverable Recoverable deleted files are discoverable Must show factual basis that email existedMust show factual basis that email existed Must show feasibility of un-deletingMust show feasibility of un-deleting Experts affidavit may be required Experts affidavit may be required

Recovery often ordered after discovery Recovery often ordered after discovery target fails to produce eMail printoutstarget fails to produce eMail printouts

Metadata discoverable if printouts omit Metadata discoverable if printouts omit dates, editing, or tampering apparent dates, editing, or tampering apparent Must demonstrate reasonable basis of Must demonstrate reasonable basis of

suspicion suspicion Mere conjecture insufficient, some evid reqdMere conjecture insufficient, some evid reqd

Who Conducts Deleted eMail Who Conducts Deleted eMail Retrieval?Retrieval?

Requesting party usually prohibited direct Requesting party usually prohibited direct accessaccess Confidentiality & privilege barriers to examination of Confidentiality & privilege barriers to examination of

irrelevant matters irrelevant matters Requesting party representative sometimes present Requesting party representative sometimes present

& may help design search method & may help design search method Safeguards: Mirror image of HD madeSafeguards: Mirror image of HD made

Target’s atty searches imaged HD, filters confidential Target’s atty searches imaged HD, filters confidential info then produces only responsive infoinfo then produces only responsive info

Increasingly, Neutral Third Party service Increasingly, Neutral Third Party service provider used if production is complex or provider used if production is complex or extensive extensive

Hard Disk Drive StorageHard Disk Drive Storage

Contiguous File #1Contiguous File #1

Contiguous File - Additional File #2Contiguous File - Additional File #2

Addit’l Contiguous Files #3, 4 & 5Addit’l Contiguous Files #3, 4 & 5

Addition to Existing File #3Addition to Existing File #3

Addition to Existing File #1Addition to Existing File #1

Deleted File #2Deleted File #2

New File #6 AddedNew File #6 Added

Where is Potentially Over-Where is Potentially Over-writable Slackspace?writable Slackspace?

Electronic Records Management (ERM)Electronic Records Management (ERM)

ERM is the "systemic review, retention, ERM is the "systemic review, retention, & destruction of documents received & destruction of documents received or created in the course of business" or created in the course of business"

Broad range of policies, procedures & Broad range of policies, procedures & classification schemesclassification schemes Doc retention – really destruction Doc retention – really destruction

schedules schedules ERM policies can reduce EDD costs ERM policies can reduce EDD costs

Can reduce costs to supply information requests Can reduce costs to supply information requests if promptly found, preserved & protected against if promptly found, preserved & protected against accidental deletion accidental deletion

Disruptions avoidedDisruptions avoided

Regulated ERM by Indus SectorRegulated ERM by Indus Sector

IRSIRS SEC, CFTCSEC, CFTC EPAEPA EEOCEEOC DODDOD BankingBanking HealthcareHealthcare GovernmentGovernment

ESI Discovery Team

In-House Counsel

Outside Legal

Counsel

Outside ESI

Vendors

CIO General Counsel

EnterpriseFunctional Units Engaged in the

Litigation

IT Managers

ESI Discovery TeamESI Discovery Team

2006: Outsourcing ERM, EDD, etc.2006: Outsourcing ERM, EDD, etc. 71% of corps had litigation costs over $1 mil/yr 71% of corps had litigation costs over $1 mil/yr

Excludes settlements or judgmentsExcludes settlements or judgments 40% had litigation costs over $5 mil/yr.40% had litigation costs over $5 mil/yr.

Excludes settlements or judgmentsExcludes settlements or judgments Half of U.S. firms surveyed use 3d P EDD vendors Half of U.S. firms surveyed use 3d P EDD vendors

Assist in collection, identification, verification, recovery Assist in collection, identification, verification, recovery & production & production

30% of U.S. firms use outside legal counsel with 30% of U.S. firms use outside legal counsel with special technical EDD/CyberForensics expertisespecial technical EDD/CyberForensics expertise

EDD vendors had revenues nearly $2 bill. 50% EDD vendors had revenues nearly $2 bill. 50% higher than 2005 higher than 2005

$130 mil. Was spent on forensic software, data $130 mil. Was spent on forensic software, data recovery & production recovery & production

Service Level Commitments (SLC) are key Service Level Commitments (SLC) are key Source: Socha-Gelbmann Electronic Discovery Source: Socha-Gelbmann Electronic Discovery

Survey: Survey: http://www.sochaconsulting.com/2007/survey.htmhttp://www.sochaconsulting.com/2007/survey.htm