I am in the digital forensics business. That means that when something related to eMail or computer evidence is in the news, my friends and family ask me questions, like: “are Tom Brady’s destroyed “DeflateGate” text messages recoverable?”, and “could you recover data from the submerged mobile phones from missing Malaysian Airlines Flight 370 if it was ever recovered?” So, I get used to these questions. It’s kind of fun.
The Hillary Clinton eMail drama is the newest high-profile “in the news” story that has fueled a flood of questions from friends, family, and even clients. Questions like; “Come on…is it really possible that thousands of her eMails can not be recovered from her wiped server?” I have been addressing similar questions for weeks. While I will avoid the politics of this subject, the Hillary Clinton eMail “scandal” does offer a few take-aways for our clients.
Followers of this story may recall that Mrs. Clinton and her staffers have provided various answers to questions related to her use of a private eMail server, the nature of the eMails contained on that server, and what has happened to those eMails over a period of time. Some of the answers related to those eMail questions now appear to have not been completely accurate, or have changed over time. A new set of eMails have recently surfaced, for example, after certain assertions were made that the relevant and responsive eMails had already been produced.
This situation in not unlike other cases, (except for the notoriety, of course) that my firm handles daily. We are often asked to provide professional advice to lawyers that are seeking answers to questions related to Electronically Stored Information (ESI) that has gone missing or has been intentionally deleted. Often the value of our input is in helping lawyers ask their questions properly. Perhaps a few examples would be useful:
Attorney questioning an opposing company witness in a 30(b)(6) deposition…
Question: Are you able to produce the defendant’s eMails for the year 2012?” Answer: “Our company policy is that we do not retain any active eMails after three years, so those eMails are no longer accessible”. The real story: In fact, even though the “active” eMails on the server have been removed, it is still likely that some or all of the relevant eMails are contained on the defendant’s laptop or on a remote archived storage device.
Question: We are interested in recovering data from the file server for the 2012 time period. Is that data available? Answer: “We took that server out of commission in 2013 and began using a new server. The data contained on the old server was not transferred to the new server because it was no longer needed. The old server was recycled.” The real story: In fact, before the old server was “recycled” a forward- thinking IT person archived the old legacy data to a series of back up tapes. The IT department is storing the tapes as a part of their “disaster recovery” policy.
Question: We have heard testimony that you routinely used texting to communicate with your staff. Can you to produce your mobile phone so that our experts can perform an analysis of text messages for the relevant period?” Answer: “Ooops. Sorry. I got a new phone last week and I destroyed my old phone so no one could steal my private personal information.” The real story: The defendant had an Apple iCloud / iTunes account, and so his data was automatically backed-up to the cloud daily, and would have automatically transferred to his new phone during the set-up process. Thus, relevant data was likely preserved, even though he allegedly physically destroyed his old phone.
Was the witness lying? Not necessarily. Did the attorney press forward with appropriate follow-up questions and was the attorney fully prepared? Perhaps not.
- Ask the question again, a different way. If a witness tells you that they do not routinely “back up” their company’s eMail server after a period of time, that does not mean that the data is not located in other places. Individual eMail custodians, for example, may have copies of their eMail files on their individual computers. Ask again.
- Be prepared. ESI is an intimidating subject for some lawyers. Do your homework. Get advice. Try to collect as much information about your opponent’s IT systems as you can in advance of witness interviews. Have a trusted electronic discovery advisor participate in your meet and confer meetings, for example. Then, if at a later date, a witness tells you a half-truth, you will be prepared to rebut the answer or dive deeper.
- Depose the right person. Lawyers will often depose a firm’s senior-level IT professional when involved in complex eDiscovery issues. This may be a mistake, as the most senior person may not have intimate knowledge of their company’s day-to-day practices. Try to depose a director or manager level staffer with intimate knowledge of actual IT practices…not necessarily the Senior VP of IT that can only speak to high-level company policy.
Yes, engaging in the questioning of certain witnesses can sometimes resemble having a conversation with a 6 year old child. Eg., “James, did you eat the cookies that were on the kitchen table?” Answer: “No”. (James fed the cookies to the dog) The old investigator’s axiom of tying to know the answer to the question before you ask the question is a good rule of thumb. Be prepared.
As for Mrs. Clinton, I guess we will just have to see if a special prosecutor will have an opportunity to “ask the questions again…a different way.”