E-Discovery Basics: Preservation of ESI, Part 1 (Vol. 1, No. 5)

June 13, 2011

This is one in a series of brief introductory guides to practical issues in electronic discovery. If you would like to subscribe to future installments of E-Discovery Basics, please click here.

When litigation is pending or anticipated, a company should take reasonable steps to preserve relevant electronically stored information (“ESI”) and hard copy documents. This process is referred to as implementing a legal hold. In the last installment of E-Discovery Basics, we discussed implementing holds on relevant ESI once the duty to preserve attaches. Here, in Preservation of ESI, Part 1, we discuss general categories of data that companies should consider preserving pursuant to a legal hold (and for possible subsequent collection and review in response to document requests or a subpoena): active data, inactive and archived data, residual data, and legacy data. In Part 2, we will discuss specific sources of data and file types to consider preserving, collecting and searching.

In preserving and collecting documents, it is important to consider all potential sources and types of relevant information. In the federal courts, and in many state courts, a party may not be required to produce ESI from sources that are not reasonably accessible because of undue burden or cost. But it must nevertheless identify such sources to its opponents and preserve the ESI. Courts may condition the production of inaccessible data upon the requesting party bearing the costs.

Categories of ESI that should be considered for preservation (and for later collection, analysis and review) include the following:

Active data consists of ESI that "actively" resides on employees’ computer hard drives or other storage devices and in company servers, drives and databases. Active data generally can be accessed in a file manager or in the application in which it was created. Users can access it immediately without restoration or reconstruction. With the increasing popularity of cloud computing and Internet-based computing services, it may also reside on the storage devices of outside service providers. Most cases and investigations call primarily for the preservation and production of active files.

Examples of active data include email and standard business documents such as word processing files and spreadsheets, whether saved on the custodian’s hard drive (either at work or at home), on system shared drives, or on removable media (e.g., thumb drives, portable hard drives, CDs, DVDs) . Other examples include text messages, instant messages and chats, phone records and voicemail, whether saved on a computer hard drive, PDA, cell phone or the company’s system.

Active files may be relatively easy to access and collect, at least compared to inactive, archived, residual and legacy data. They can also be easily deleted or altered. Preservation challenges include identifying all the sources of relevant active data (particularly with the proliferation of different computing and communication devices), dealing with large volumes of data, and ensuring that relevant metadata fields are preserved.  The types of active data that are relevant and should be preserved will depend on the facts and circumstances of a particular case, and identifying such data will usually involve some investigation of how custodians communicated, what documents they created, and how they stored them.

Inactive and archived data consists of ESI related to closed, completed, or concluded activities, including ESI an organization maintains for long-term storage and record keeping purposes, but which is not immediately accessible to the user of a computer system. It may include many of the same sources of data described above in relation to active data.

For example, a company’s records management procedures may allow users to manually archive email and other documents, or automatically archive them, after a specified amount of time, or when certain size limits are reached. To comply with regulatory requirements, or for other reasons, some companies will save all the emails and instant messages of certain employees. Routine backups, usually for disaster recovery purposes, are also examples of inactive and archived data.

Inactive and archived data is often stored in a compressed format and may be maintained on system drives or off-line devices, including backup tapes or disks and optical media. Some systems allow users to retrieve archival data directly while other systems require the assistance of an IT professional. Challenges in preservation and collection include identifying relevant inactive and archived data, locating where and how it is stored, and restoring it from a compressed format. Additionally, as it is common for backup media to be rotated and overwritten, and for archived data to be automatically deleted after a specified time period, determining and suspending the applicable retention periods and rotation of backup media can be important.

Residual data consists of ESI that is hidden and cannot be viewed in applications (such as system files) or has been erased, fragmented, or damaged. Collecting this type of ESI usually requires a forensic copy—i.e., an exact, bit-by-bit copy of the entire physical storage media (e.g., hard drive, CD, DVD, tape), including all active and residual data and unallocated or slack space on the media.

Making a forensic copy and then extracting the residual data may require a forensics expert to operate special tools and can be time consuming and expensive. Making a bit-by-bit forensic copy may be unwarranted unless residual data is relevant and necessary in the matter. In some cases, however, companies may choose to image the hard drives of particularly important key custodians to ensure that all their data is preserved, including files that the custodian may have unintentionally, or intentionally, deleted or partially overwritten.

Legacy data consists of ESI created by software or hardware that is outmoded or has become obsolete (“legacy systems”). A legacy system may be one that the company still uses but that the hardware or software vendor no longer supports. Or, it may be a system that the company has decommissioned but retains in case its information is needed in the future.

The relevance of legacy data may be difficult to determine without restoration or reconstruction, and it may be costly to do so. In addition to preserving the legacy data itself, the company may need to retain the legacy hardware and software if there is no other way to view or use the data.

In the next installment of E-Discovery Basics, we will discuss common sources and types of ESI that may require preservation.

Other installments in our E-Discovery Basics series are available here.

If you would like to subscribe to future installments of E-Discovery Basics, please click here.

Gibson, Dunn & Crutcher LLP

Lawyers in Gibson Dunn’s Electronic Discovery and Information Law Practice Group can assist in implementing defensible and proportionate approaches at all stages of the e-discovery process. For further information, please contact the Gibson Dunn lawyer with whom you work or any of the following Chairs of the Electronic Discovery and Information Law Practice Group:

Gareth T. Evans – Practice Co-Chair, Los Angeles/Orange County (213-229-7734, [email protected])
Jennifer H. Rearden – Practice Co-Chair, New York (212-351-4057, [email protected])
G. Charles Nierlich – Practice Co-Chair, San Francisco (415-393-8239, [email protected])
Farrah L. Pepper – Practice Vice-Chair, New York (212-351-2426,
[email protected])

© 2011 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  These materials have been prepared for general informational purposes only and are not intended as legal advice.