For those well-versed in forensic collection and eDiscovery, the thought of a custodian self-collecting sends up immediate red flags. Often times the nuances of collection and the value behind running collections in a defensible and forensically sound manner can be overlooked in a self-collection. Not only that, an improper collection hurts a case in many ways, from counsel losing confidence in their data to even spoliations and being asked to re-collect. As a result, it’s important for counsel to understand the “why” behind being avoiding custodian self-collection.
There are various misconceptions when it comes to data collection that leads to a custodian thinking they are equipped to run a self-collection. One common rational for self-collection is budget, counsel doesn’t want to spend money on a full collection if they know they are only targeting a few documents. However, it’s not preferable to run a targeted collection as you aren’t getting the full picture.
The same goes for search terms, best practice is to collect the data before any search terms are run. When you do that, you run the risk of not collecting all relevant ESI. Another thought is that they already have a “tool” such as Microsoft 365 and they want to use that for collection and eDiscovery.
The downside to using Microsoft 365 as a eDiscovery and collection tool is that it’s not forensically sound for collection. M365 commonly misses attachments when you export emails or run search term reports. You may have noticed this before when you know there’s a document in your inbox you’re looking for but no matter what you search you can’t find it. The same goes for eDiscovery within M365, making it non-preferred during the process. With that said M365 is a good tool for legal hold, but if being used for search terms to identify the scope of a collection it should be avoided.
Another issue with other non-premium eDiscovery tools is a lack of technology such as Optimal Character Recognition (OCR). When OCR capabilities are missing, flat files tend to slip under the radar.
Here are some reoccurring reasons why legal teams should avoid self-collection.
Risks of Self-Collection:
- A change in or complete loss of MD5 hash & metadata
- Can open you up to sanctions and the need to recollect the data
- The collected data is unauthenticated
- Data can be brought into question adding an element of doubt
- Opens the data and collection process up to forensic investigation
- Lack of credibility due to the absence of certified forensic personnel
- Counsel’s loss of negotiating power and leverage within the case
- Loss of ability for expert testimony on the collection
Risks can be tracked back to:
- Low level or outdated software
- Lack of forensically sound process, protocol, or certified forensic examiner
- Data collected from a poisoned well (compromised source)
- Missing flat and non-responsive files (file attachments, non-searchable documents, hyperlinked documents)
- Outdated or incomplete search term indexes
- Careless/honest mistakes
- Inherent bias
It is always best to conduct collections in a forensically sound manner, preferably run by a certified forensic examiner. This way not only will your data be complete and authenticated, but the process will be thoroughly documented and has the ability to be audited and testified on.
TERIS has full service and assisted forensic data collection services including both on-site and remote forensic collection solutions. Our certified forensic experts are able to identify, collect, image, and preserve data from both physical and cloud data sources across the nation and overseas.