<strong>Craig</strong> <strong>Ball</strong> © 2007 In weighing requests to access hard drives, judges should distinguish between the broad duty of preservati<strong>on</strong> and the narrower <strong>on</strong>e of producti<strong>on</strong>. It's not expensive to preserve the c<strong>on</strong>tents of a drive by forensic imaging (comparable in cost to a half-day depositi<strong>on</strong> transcript), and it permits a computer to remain in service absent c<strong>on</strong>cerns that data will be lost to <strong>on</strong>going usage. A drive can be forensically imaged without the necessity of any<strong>on</strong>e viewing its c<strong>on</strong>tents; so, assuming the integrity of the technician, no privacy, c<strong>on</strong>fidentiality or privilege issues are at stake. Once a drive image is "fingerprinted" by calculating its hash value (See, <strong>Ball</strong> in Your Court, In Praise of Hash, LTN Nov. 2005), that value can be furnished to the Court and the other side, eliminating any potential for undetected alterati<strong>on</strong>. C<strong>on</strong>sidering the volatility of data <strong>on</strong> hard drives and the fact that imaging isn't particularly burdensome or costly, courts shouldn't hesitate to order forensically-qualified preservati<strong>on</strong> when forensic examinati<strong>on</strong> is foreseeable. In c<strong>on</strong>trast, such forensic examinati<strong>on</strong> and producti<strong>on</strong> is an expensive, intrusive, excepti<strong>on</strong>al situati<strong>on</strong>. Hard drives are like diaries in how they're laced with intimate and embarrassing c<strong>on</strong>tent al<strong>on</strong>gside discoverable informati<strong>on</strong>. Drives hold privileged spousal, attorney and health care communicati<strong>on</strong>s, not to menti<strong>on</strong> a mind-boggling incidence of sexually-explicit c<strong>on</strong>tent (even <strong>on</strong> "work" computers). Trade secrets, customer data, salary schedules, passwords and the like abound. So how does a court afford access to the n<strong>on</strong>-privileged evidence without inviting abuse or exploitati<strong>on</strong> of the rest? An in camera inspecti<strong>on</strong> might suffice for a diary, but what judge has the expertise and tools--let al<strong>on</strong>e the time--to c<strong>on</strong>duct an in camera computer forensic examinati<strong>on</strong>? With so much at stake, courts need to approach forensic examinati<strong>on</strong> cautiously. Granting access should hinge <strong>on</strong> dem<strong>on</strong>strated need and a showing of relevance, balanced against burden, cost or harm. It warrants proof that the opp<strong>on</strong>ent is either incapable of, or untrustworthy in, preserving and producing resp<strong>on</strong>sive informati<strong>on</strong>, or that the party seeking access has some proprietary right with respect to the drive or its c<strong>on</strong>tents. Showing that a party lost or destroyed ESI is a comm<strong>on</strong> basis for access, as are situati<strong>on</strong>s like sexual harassment or data theft where the computer was instrumental to the alleged misc<strong>on</strong>duct. Of course, parties often c<strong>on</strong>sent. Seeking to prove your client has “nothing to hide” by granting the other side unfettered access to computers is playing Russian roulette with a fully loaded gun. You w<strong>on</strong>’t know what’s there, and if it’s sufficiently embarrassing, your client w<strong>on</strong>’t tell you. Instead, the cornered client may wipe informati<strong>on</strong> and the case will turn <strong>on</strong> spoliati<strong>on</strong> and sancti<strong>on</strong>s. Orders granting examinati<strong>on</strong> of an opp<strong>on</strong>ent's drive should provide for handling of c<strong>on</strong>fidential and privileged data and narrow the scope of examinati<strong>on</strong> by targeting specific objectives. The examiner needs clear directi<strong>on</strong> in terms of relevant keywords and documents, as well as pertinent events, topics, pers<strong>on</strong>s and time intervals. A comm<strong>on</strong> mistake is to agree up<strong>on</strong> a search protocol or secure an order without c<strong>on</strong>sulting an expert to determine feasibility, complexity or cost. The court should encourage the parties to jointly select a qualified neutral examiner as this will not <strong>on</strong>ly keep costs down but will also help insure that the agreed-up<strong>on</strong> search protocol is respected. 124
<strong>Craig</strong> <strong>Ball</strong> © 2007 Getting to the drive isn’t easy, nor should it be. When forensics may come into play, e.g., cases of data theft, spoliati<strong>on</strong> and computer misuse, demand prompt, forensically-sound preservati<strong>on</strong>. When you want to look, be ready to show good cause and offer appropriate safeguards. <strong>Craig</strong> <strong>Ball</strong>, a member of the editorial advisory boards of both LTN and Law.com Legal Technology, is a trial lawyer and computer forensics/EDD special master, based in Austin, Texas. E-mail: craig@ball.net. 125