Electronic Data as Legal Evidence

By Larry Seltzer  |  Posted 2008-03-11

Opinion: Are you prepared for when your company sues, or is sued, and you're ordered to produce particular data in particular forms?

Business decisions are already dominated by legal considerations in many fields. This will come as no surprise to you, I'm sure, but things are getting worse, especially for corporate IT.

Big legal changes have been happening over the last few years with respect to the use of digital evidence in legal proceedings. Digital evidence is getting to be just about the only documentary evidence there is. Research at Berkeley in 2003 showed that more than 92 percent of all corporate information was generated in electronic form. Nowadays, virtually all source information used in legal and regulatory proceedings will have been generated electronically. A recent white paper from the Microsoft U.S. National Security Team (who knew they had such a team?), entitled "The Evolving landscape of Legal Discovery & the Expanding Role of the Chief Information Officer," delves into these issues.

The laws on admissibility of and procedures related to evidence, such as discoverability, often go back a very long way. But their relevance to electronic data is tenuous. Governments and the legal profession have recognized the problem and, in some cases, the rules have adapted. For instance, in December 2006, amendments to the FRCP (Federal Rules of Civil Procedure) greatly expanded the scope of discoverable information with respect to electronic data. Court decisions are also evolving to address the problems. The FRE, or Federal Rules of Evidence, have not been adapted to deal with electronic data, even though courts have been complaining about this problem for decades.

To be admitted, evidence needs to be authenticated, which means that it is established by the court to be what it purports to be. The rules for authenticating documents are old and well-understood, and in the United States controlled by the Federal Rules of Evidence.

But the state of law for authentication of digital data is, to put it kindly, under development. That's right, this part of our legal system is in beta. The white paper cites a number of cases, including one involving American Express (In re Vee Vinhnee, 336 BR 437, 9th Cir. BAP 2005) in which the court excluded American Express' own corporate records for lack of sufficient authentication. As a result, Amex lost one of the two counts in the case.

What is the authenticity of the data based on? On everything that establishes the chain of custody to that data: the applications, the people, the business processes and procedures. All of these are part of the authentication of the data, and are relevant to the legal process.

The paper also cites a judgment in the case of Lorraine v. Markel American Insurance Company (241 F.R.D. 534 (D. Md. 2007)) in May 2007 by U.S. Magistrate Judge Paul Grimm, in which Grimm went on in detail about the issues involved in the admissibility of electronic evidence. Much of this opinion is what lawyers call "dicta," an on-point lecture on a subject, but not controlling law. In a vacuous legal environment like this, such dicta is likely to be influential.

At the same time, the FRCP amendments vastly expanded the scope of what could be required for production. Data may be required in original, native and searchable formats, meaning that you have to produce system and application metadata in order to satisfy requests. The exact substance and form of the data to be produced is a matter for the parties' attorneys to work out well in advance of any trial. But if you think about it, if you are requested to produce copies of all forms and stages of some data that exists in your enterprise, could you do it? The Microsoft white paper states that "virtually any instance of electronic information created in the normal course of business is discoverable."

If you're thinking that this could lead to the development of a new category of expensive software, the industry is way ahead of you. Products to help you preserve and manage evidence in the enterprise are in as much flux as the law, but they have to be on your big picture radar at this point. You may not be able to satisfy legal requirements that even the lawyers don't understand, but you have to prepare to deal with the issue. Don't be like Amex.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—much to his own amazement—he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
