Electronic Discovery Reference Model
Standards for the identification of electronically stored information in discovery
http://www.edrm.net/resources/standards/identification
A. Early Case Assessment
Once a triggering event occurs, begin by assessing the case. This information serves as a foundation for
developing overall case strategies as well as early data assessment. Below is a checklist of items to
consider during early case assessment.
Type of triggering event
Facts of case
Case value
Outside counsel
Case strategy
Date range
Key words
Key departments/custodians including former employees
Case merit, risk analysis
Legal hold requirements
B. Early Data Assessment
Early data assessment should provide counsel with the information necessary to understand the types of
relevant data and where it is located. Additionally it should cover any policies related to the retention or
destruction of relevant data so appropriate steps can be taken to preserve relevant data and avoid
spoliation. There are 3 key areas of focus to consider. They include records management personnel,
potential custodians and information management personnel. Below are basic guidelines for conducting
an investigation of each.
1. Records Management Interviews
This summary assumes the records manager understands the case background, the legal hold and their
role in this litigation.
Topic
Sample Questions
Commentary
Roles and responsibilities of the records manager
1. What is this role within the organization? 2. Is this position involved with electronic
discovery?
3. How does this role interact with the Legal & IT? 4. Does this position have any documentation re:
to the roles and responsibilities as records manager?
Indicates the level of involvement records manager may have in the identification of potentially relevant data sources. Also helps sort out who knows what with respect to the location of information.
Records management
1. Does the company have a records management
program/policy policy originate? Are there different versions? 2. What types of information does the records
management program/policy cover? Are there types of information or areas in the company that are not covered?
3. Is the records management program/policy enforced? If so, is all of it enforced or just certain parts?
4. Is the records management program/policy in writing? If so, how long has it been in writing? 5. Is there a litigation readiness plan? If so, when
did plan originate?
6. Have changes been made to any aspect of the records management program/policy during the relevant time frame?
7. Are any audits conducted of the records management program/policy? If so how frequently? By who? What happens with results?
8. Does the records management program/policy cover what happens when an employee leaves the company? If so what is the policy?
9. If employee leaving the company is a custodian in an active case/matter how is their data handled? When an employee is not a custodian in any case/matter how is their data handled? 10. How is the employee’s employment status
identified? Is there an integration with HR system/process to correctly identify the employee termination date?
11. What are the retention policies for back-ups? 12. Do you have any documentation related to the
records management program/policy?
policy(s) exist that may impact electronic discovery and whether they are enforced. May identify types of information relevant to the litigation. Identifies if company has a litigation readiness plan in place. Addresses changes and audits of records management program/policy. Helps identify what policies are needed or are in place if a custodian leaves the company.
Retention schedule
1. Does a retention schedule exist? If so, since when?
2. What types of information does the retention schedule cover? Are there types of information or areas in the company that are not covered? 3. Is the retention schedule enforced? If so, since
when?
4. Is the retention schedule in writing? If so, since when?
5. Do you have in-place retention or a collect-and-preserve model?
6. Do you use any software or systems for retention purposes (i.e. archives, etc.)?
7. Is there a plan to suspend disposition for a legal hold? Are there any obstacles to doing so? If so, what are they?
These questions identify what
retention/destruction policies are and have been in place during the relevant time period. The legal team may need to suspend or identify a work around for some of these policies to prevent the destruction of
potentially relevant data. The history of these schedules provides insight into what
information may or may not exist at the time of the triggering event. Audit of retention schedules may be used to demonstrate how well the plan is enforced.
8. Have changes been made to any aspect of the retention schedule during the relevant time period?
9. Are any audits conducted on records retention? If so how frequently? By who? What happens with results?
10. Do you have any documentation related to the records retention schedule?
Possible locations of relevant data
1. Are there paper documents or objects in employee’s offices that may be relevant? 2. Are potentially relevant paper documents or
objects stored centrally? (libraries, file cabinets, warehouses, etc.)
3. How is electronic information stored? 4. Who is the person most familiar with the
following computer systems and electronically stored information? (Please provide contact info. if known)(if records manager is most
knowledgeable ask questions under IT interview) o Email servers o Voice mail o File servers or DMS o Archives o Back-ups o Portable devices
o Intranet, extranet, social networking o Databases
o Legacy systems
o Network shares, home drives o Desktops, laptops
o SharePoint, matter management, etc. o Applications, structured data 5. Do you have any pertinent documentation
related to the location of data? (data maps, diagrams, lists, etc.)
These questions help to determine what relevant information exists and where it is located from the record manager’s
perspective. They also can help determine if files are indexed or searchable in any way. If the records manager is the most
knowledgeable regarding the storage of any electronically stored information the IT interview questions should be asked. Gathering any documentation relating to the location of data will be helpful in assessing all data sources.
Access to relevant data
Paper
1. Are there indices? Are they accurate? Are they searchable?
2. Is potentially relevant paper scheduled for destruction?
Electronic
1. Is the potentially relevant data text searchable?
These questions help to determine how accessible the data is, any potential issues with preservation and whether or not any relevant data is currently scheduled for destruction.
2. Using what tools?
3. Who is the most knowledgeable about search capabilities and limitations?
4. Is any potentially relevant data difficult to preserve, find and/or retrieve? How so? 5. What departments are likely to have relevant
data?
6. Is potentially relevant electronic information scheduled for destruction?
7. Do you have any pertinent documentation regarding accessibility of relevant data?
2. Custodial Interviews
This summary assumes the custodian understands the case background, the legal hold and their role in
this investigation. Early data assessment may involve interviews of the potential custodians or for some
custodians surveys may be used.
Topic
Sample Questions
Commentary
General employee information
1. What is your name? (consider gathering username, email address, employee ID, etc.)
2. What is your current position? What department do you work in? For how long have you worked in department X? 3. Did you have any previous positions? If
so, what was your title, what
departments and what dates were you employed while you held that position? 4. Have you ever had a secretary or
administrative assistant? If so, when and what were their names?
5. Who were your managers in each position you held?
6. Who formerly held your position?
This general information provides insight into what the individual’s role has been at the company and identifies others that might have potentially relevant information.
General computer information
1. Do you have any data or documents that may be relevant to this litigation? 2. Is your work computer a laptop or
desktop?
3. Does your secretary/assistant store your documents on his/her computer? 4. Have you been issued a new computer
recently? If yes, when? Were all files transferred to your new computer? Do you know what happened to the old computer?
5. Are you supposed to receive a new computer in the next several months?
This information is used to determine general information about the custodian’s computer usage. Data is more likely to be stored locally on a laptop although it could also be stored on a desktop computer. The custodian’s document could be stored on other company computers. Files may or may not be transferred to new computers and old computers may not be destroyed.
Relevant data
1. What type of files or software do you have or use that may contain relevant data? (e.g. email, word processing, spreadsheets, databases, text messages, voice mail messages, websites, etc.) 2. Do you know where these files are
stored? (e.g. network server, local pc, external media, mobile device, intranet/extranet/SharePoint or other web-based system, databases, home computer, etc.)
3. If you do not know where it is stored, who would know?
4. Do you know of others that may have relevant data?
These questions are used to determine what type of files the user has and where they are located. It is important to follow-up with IT to determine additional locations where files may be stored that the custodian is not aware of.
Legal hold 1. Do you understand what the legal hold requires? 2. Do you know who to contact with
questions regarding the legal hold? 3. Does the company have infrastructure
software to manage legal holds? 4. Do you foresee any issues in preserving
the relevant information you have identified? If so, have you contacted the IT department for their input?
These questions confirm acknowledgment of legal hold and may be important if the adequacy of the legal hold comes into question.
3. IT Interviews
This summary assumes the IT staff understands the case background, the legal hold and their role in this
investigation. Depending on the size of the corporation and the roles of IT you may have to interview
multiple individuals within the IT department. Below are the basic topics and questions to consider for an
IT Interview. There are numerous questions that could be asked in follow-up during an IT interview.
Topic
Sample Questions
Commentary
Email servers 1. Is email managed in-house or in the cloud? (if in the cloud see “Cloud Computing” section below)
2. What type of email system is used?
3. What version is installed? 4. How many email servers
globally?
5. Where are the email servers located?
6. Do you have different domains for email?
7. Are retention and archiving policies the same among all
These questions are used to determine what type of email system is utilized as well as specific details about the email system. It is important to gather and document as much information as possible about the email system to enable identification and collection of potentially relevant data. Do not forget to find out what happens to terminated employees email.
domains?
8. Are emails able to be stored locally on individual’s
computers (PSTs, NSFs)? Is this encouraged?
9. Do you retain deleted messages on the email server?
10. What are your Dumpster settings?
11. Is there an auto-delete system? If so, can it be turned off for preservation purposes? If not, what is the work around? 12. Is there a limit imposed on
individual mailboxes? If so, what is that limit and what happens when it is reached? 13. What software is used to back
up email servers?
14. Are email backups brick level or individual mailboxes?
15. Do you use an archive? If so, please describe.
16. What type of back-up system do you use? Tape or digital? Local or remote?
17. If tape, what tapes do you use? By location?
18. How often are backups performed?
19. What is your rotation schedule? 20. What is your retention policy? 21. How are your tapes cataloged
and inventoried?
22. Are tapes sets clearly identified? 23. What do you do with an email
account when employment is terminated?
File servers 1. Do all users have home directories on the network? 2. Is this their default storage
directory?
3. Do you have group directories and/or public shares?
4. Are there specific shares that may contain relevant data for this case?
5. Is there a standard naming
These questions are used to determine whether or not employees have the ability to store electronic data on the company network and details on their storage practices. It is important to gather and document as much information as possible about the file servers to enable identification and collection of potentially relevant data.
Do not forget to differentiate between custodial and non-custodial data sources.
convention for the home drives for users?
6. Is there a universal drive letter assigned?
7. What are names of file server? 8. How many file servers do you
have globally?
9. How many locations do you have for file servers? 10. What type of files can users
store on file servers? Any proprietary? E-mail? What are the locations?
11. What type of back-up system do you use? Tape or digital? 12. What software is used to back
up file servers?
13. If tapes, what type of tapes do you use? By location? 14. How often are backups
performed?
15. What is your rotation schedule? 16. What is your retention policy? 17. How are tapes cataloged and
inventoried?
18. Are tape sets clearly identified? 19. Is there replication in place? 20. Where are the replication
servers/storage located? 21. How often does replication
occur?
22. What do you do with a user’s home drive when employment is terminated?
23. What do you do with a user’s files in public locations when employment is terminated? Laptops/desktops 1. What is your policy on users saving files on their assigned
PCs?
2. Do you have an encryption policy (full disk and/or individual file)?
3. Can users install applications on their assigned PCs?
4. By default, are emails stored in local PSTs/NSFs on employee computers? Is it different on
These questions are used to determine whether or not employees have the ability to store electronic data on their company computer and details on their storage practices. It is important to gather and document as much information as possible about the laptops/desktops to enable identification and collection of potentially relevant data.
laptops vs. desktops? 5. Is auto archive enabled by
default?
6. Are computers assigned to individual users, or are they shared?
7. What is your naming convention for usernames?
8. What is your policy for terminated employee? 9. In the case of re-imaging a
PC/laptop for a different user, what happens to the existing data?
10. If a PC/laptop is being re-imaged for the same user, how is the data preserved and
transferred back? Does the method preserve metadata for the files?
Transactional data 1. Do you have any transactional data servers/systems that may be relevant in this case?
2. What types of user have access to these systems?
3. How many servers are there globally? What are the locations of the servers?
4. Do you purge data from these systems? If so, why and can it be stopped?
5. What type of back-up system is used? Tape or Digital?
6. What software is used to back up transactional servers? 7. What type of tapes do you use,
by location?
8. How often are backups performed?
9. What is your rotation schedule? 10. What is your retention policy? 11. How are tapes cataloged and
inventoried?
12. Are tape sets clearly identified? 13. Is there a replication in place?
These questions are used to identify structured data systems. It is important to gather and document as much information as possible about the
transactional systems to enable identification and collection of potentially relevant data.
Do not forget to differentiate between custodial and non-custodial data sources.
Off-site media backup/storage
1. What is the name of the off-site storage vendor?
2. What is the address and telephone of the facility? 3. Who is the contact?
4. What type of data do they store? 5. Does the vendor have relevant
data that is not accessible from your current systems?
6. Is there any type of written agreement with the vendor regarding storage requirements and retention? If so please provide a copy.
7. Is there a current inventory of the material in storage?
These questions help to determine how accessible the data is, any potential issues with preservation and whether or not any relevant data is currently scheduled for destruction. It is important to gather and document as much information as possible about the backup media.
Web-based applications & cloud computing
1. What type of web-based systems do you use that may have relevant data? SharePoint? Intranet? Extranets? Social media? Collaboration sites? Software as a service? Management systems or databases?
2. Are these maintained by you behind your firewall? 3. Are they searchable?
4. Is there potentially relevant data that cannot be searched or collected?
5. Is the system locked down or can users create sites without your knowledge?
6. If systems are not maintained by you behind your firewall, where is this information stored? 7. Does your vendor have their
own servers or do they purchase space from server farms? 8. Does the vendor back-up this
information? If so, for how long?
9. Does the vendor purge any of this information?
10. Do you have any written agreements with these vendors? If so, please provide a copy. 11. Has this vendor been placed on a
12. What kind of Internet security is in place?
13. Are public blog sites allowed (Facebook, Twitter, etc.) Portable devices 1. What are the general types of PDAs/cell phones that
employees use? Blackberries? iPhones? Droids?
2. Are they issued by or owned by the company?
3. Is email synched to your server? 4. Are text messages captured by
your server?
5. Is voice-mail stored on your server?
6. What type of data may be stored on the device that is not on the server?
7. Is the security policy on smart phones the same as internet settings on the computers? 8. If not, could users access any
kind of site from the smart phone?
These questions help to determine what relevant information exists and where it is located. Do not forget text messages.
Instant messaging 1. Does the company use IM? If so, what type? 2. Are sessions logged? If so, any
proprietary storage solutions?
These questions help to determine what relevant information exists and where it is located.
Voice mail 1. Is voice mail stored on your systems? What is the retention? 2. Do you have unified messaging? 3. Are there any policies in place
regarding voice mail storage? Please provide a copy. 4. Are there any policies in place
regarding unified messaging? Please provide a copy.
