Ask the Expert: David Burg

This month’s featured expert:

David Burg, Partner
PricewaterhouseCoopers

Background:

David Burg is a director in PricewaterhouseCoopers’ Advisory Services Dispute Analysis & Investigations practice, specializing in forensic technology solutions. He has assisted clients in consulting capacities involving the deployment of information technology solutions and their use. Burg has assisted corporate clients and law firms in matters involving forensic accounting/computer forensic investigations, export control reviews/investigations including ITAR, the Foreign Corrupt Practices Act, cybercrime incident response investigations, and complex data analysis using relational databases in matters involving purchase price disputes, contract disputes, and damages modeling. He has worked on a number of large, international investigative matters.

Interview Focus:

E-Discovery vs. Computer Forensics: What’s Needed When

Questions:

  1. What’s the difference between electronic discovery & computer forensics? While not mutually exclusive, there are important differences between electronic discovery and computer forensics. Electronic discovery is a process generally undertaken in connection with litigation or a regulatory investigation, and seeks to identify information that is specifically responsive to a defined issue. It is a process that is pursued to identify, collect, review, and ultimately produce electronically stored information that may be stored across the enterprise, and be either active on systems at the time the effort is undertaken, stored on system backups, or other systems. Increasingly, electronic discovery includes a step that involves what can be extensive efforts to assess voluminous bodies of information using on-line review applications to segment privilege or other protected information from that which is produced to the opposing party.

    Computer forensics can be a component of electronic discovery, but involves deploying techniques that enable the recovery of information that may not be readily discernible or may not be readily or even reasonably accessible. It is a process that is pursued in response to a question to determine what happened in the past or to determine access to information in the past. This may include recovery of information that is an artifact of the operation of the system (such as fragments of files that were at one time stored on a medium) or information that is actively stored on the system.

  2. How do the two disciplines work together in the process? Computer forensics may be a means to facilitate electronic discovery, with the qualification that computer forensics analysis may result in the recovery of information that is not “reasonably accessible,” such as files that were deleted but were not overwritten. This is an important distinction given the forthcoming amendments to the Federal Rules for Civil Procedure, which will likely include, among others, a provision affecting the necessity to recover information that is not reasonably accessible. In such cases, the Court would decide if efforts and costs associated with recovering such information should be undertaken and produced to the opposing party.
  3. In what type of cases will a computer forensics investigation be most likely? Computer forensics investigative techniques are applicable to all manners of inquiry given the ubiquity of electronically stored information. Forensic investigations are commonly undertaken in connection with regulatory or internal investigations, and in connection with civil or criminal litigation and can involve analysis of personal computers, servers, PDAs, BlackBerry devices, voice mail systems, ERP applications, and many other systems. Examples of cases where computer forensic techniques are used to examine the artifacts of historic activity range from large and prominent corporate frauds such as WorldCom, where deleted e-mails that were able to be recovered provided high value information associated with the accounting scandal, to cyber crime investigations post system hack/information compromise, to criminal investigations involving all manner of conduct.
  4. What are the best practices for planning an electronic discovery strategy that will require a computer forensics component? Best practices for planning an electronic discovery strategy in a litigation context are going to be increasingly guided by the provisions included in the forthcoming amendments to the Federal Rules for Civil Procedure. These include recommendations to help control the scope of the discovery efforts; one of the key aspects that affect strategy decisions and which may trigger the necessity to deploy computer forensic techniques, or not.

    In the context of a regulatory investigation the strategy may be at the discretion of the regulatory body and will depend on the nature of the investigation. In many instances, the electronic discovery strategy will require extensive computer forensic efforts to be undertaken.

    In either case, the policies and procedures surrounding electronic record retention will impact the electronic discovery strategy and the subsequent effort that will be undertaken, and should be considered part of a pre-litigation or pre-investigation risk assessment strategy. Another important factor that affects strategy is the various international data privacy regulations that may require advance consent, and therefore, impact the surreptitious aspects of the strategy that would otherwise be available.

  5. Can one vendor do both? What selection criteria should a company consider when faced with the need for both services? Many vendors can deliver both solutions using a variety of technologies, tools and techniques. These efforts can be time consuming and very costly. Lack of experience or inattention to quality control can compound the cost. Many vendors are regional; many have strengths in certain areas but not in others. As the electronic discovery landscape evolves to include even more complex systems than those in place today — more volume of information, more comprehensive service delivery requirements that include the spectrum from preservation to analysis to expensive hosting solutions that facilitate review — the importance of selecting a vendor that will deliver the services that are needed and with the highest level of quality is paramount. All of the aforementioned should be carefully considered when assessing which vendor to engage.

©2008