A litigant, who was subject to an order to produce his hard drive, argued in mitigation of spoliation of evidence by reason that he was a novice computer user who was having problems with his computer because it was severely infected with viruses, spyware and adware and that he sought professional help in correcting those problems. The Oklahoma Supreme Court reversed an order declining to impose sanctions. The following is adapted from that court's November 10, 2008 opinion.
Specifically, AbsoluteShield File Shredder was used and a file named "cable.doc" was removed; later the programs CyberScrub 3.5 and Window Washer were installed and the Window Washer program ran several times thereafter. The record reflects that the CyberScrub 3.5 program was last accessed on the same date that a motion to compel was granted by the trial judge.
The record further reveals that, after the motion to compel was granted, the litigant contacted a computer security company, Jarvis Incorporated, and asked about hiring a computer expert to work on his computer. On Jarvis's recommendation, the plaintiff hired another technician to work on his computer. The litigant told neither Jarvis nor the technician that the computer was the subject of a court order and/or that certain files needed to be preserved before it was worked on. The technician testified that he could have preserved the hard drive before working on it by making a "clone" of it if he had known it was needed. Indeed, the technician had removed the hard drive and worked on it for approximately one week and used a "drive wiper" program called Terminus 6 on the hard drive.
The litigant admitted that the technician used the Terminus program and admitted targeted destruction of specific files by the technician due to the desire to retain settings on his computer. Barnett says that it was the technician's decision to use the wiping software.
A neutral court-appointed expert found no evidence that files associated with viruses had been destroyed with the Terminus program and further noted that a log identifying the files deleted by the Terminus program had itself been deleted. The expert's report stated that there were six documents with links in the Recent Documents folder of plaintiff's computer that had no matching document on the hard drive, indicating that those files had been deleted.
A concern that I have is that wiping utilities are becoming more and more commonplace, even being packaged with ordinary utilities that ship with new computers or come with ISP services (e.g., MSN, which makes SpySweeper, McAffee and a number of wiping & anti-forensic utilities available). The popularity of these utilities, as well as encryption, has increased because of the growing awareness of identity theft, among other reasons. Even disk defragmenting tools, such as DiskKeeper, create a nightmare for forensic analysists attempting to located deleted files on a target system.
Whereas, in the past, such utilities required a knowing use (mens rea), the use of such utilities today may not be an indication of intent to spoliate. This means that the standard may shift more and more --as the case above illustrates-- from scienter to negligence. Therefore, counsel will increasingly need to observe strict data preservation protocols when litigation becomes reasonably forseeable and to communicate these obligations to clients promptly.
Some obvious questions that are often raised include:
- Must clients be instructed to immediately cease using a computer --at the first hint of reasonably forseeable litigation-- until the hard-drive can be forensically imaged? If so, what about the accumulating data that is created after the imaging date?
- If a client takes reasonable steps to preserve extant potentially-responsive data, must the client disable the use defragmenting utilities and other anti-forensic utilities that arguably are necessary for maintaining the optimum efficiency of a computer (especially considering that litigation may last several years)?
- Assuming the h.d.d. wasn't imaged, If a client has taken reasonable steps to preserve the obvious potentially-responsive data, should the client also have been expected to identify and preserve files that have been deleted but are still recoverable (given that further use of the computer will overwrite these files)?
For counsel seeking to discover ESI, the availability of that evidence may decrease as a result of the widespread use of anti-forensic utilities, but the shifting jurisprudence may allow for adverse jury instructions based on the missing evidence, which instructions possibly could be more damaging than the destroyed evidence, itself.