Forensically Examining A Lawyer’s Computer

In a dispute over a will and deed transfer, a New York State Court ordered the examination of a lawyer’s computer.

The idea of an attorney’s computer being searched by third parties should scare lawyers to death.

The attorney objected on the grounds the examination would violate the attorney-client privilege and work-product doctrine for all of the attorney’s other clients.

The Court was also concerned about privilege issues and ordered the following examination:

The computer forensic examiner was directed to review the computer only for documents that refer to Rose Tilimbo and it must not examine files which would not likely lead to the discovery of evidence related to Rose Tilimbo.

In the event the forensic examiner inadvertently examined any information that was not related to Rose it is directed to immediately cease the examination of that file.

In the event that forensic examiner located documents that refer directly to Rose Tilimbo or appear to be related to the purported will or the alleged deed transfer, those documents shall be mailed to the parties’ attorneys.

The attorneys would have 14 days from the receipt of documents to object to disclosure to the movants by notifying counsel for the movants that he is objecting and sending the documents to the court for an in camera inspection together with the reasons for the objection.

In the event that no objections are made to the production of the documents or the court rules that the documents are to be disclosed the computer forensic examiner may thereafter submit the documents to movants’ counsel.

Matter of Tilimbo v. Posimato, 2012 N.Y. Misc. LEXIS 4027, at *13-14 (N.Y. Sur. Ct. Aug. 22, 2012) (Emphases added).

Bow Tie Thoughts

It is very good to see a state court judge address the privilege issues of how to examine a lawyer’s computer.

If you ask three different computer forensic examiners how they would comply with the Court Order, you would probably have three different answers. The right approach will depend on how data is stored and multiple other factors best left to the experts.

One option is to make a “mirror image” of the computer and then search for responsive data. This is likely the least desirable for the attorney, because the entire contents of his computer have now been copied and are in the hands of a third-party. Short of a protective order and the computer experts acting as court-appointed neutral examiners who return or destroy the mirror image at the end of the examination, this is least desirable from an attorney’s perspective.

There is software available where the attorney could effectively self-collect his client files. While this might provide the most piece of mind to the attorney, it likely causes the most stress for the requesting party. It also raises issues of how searches were conducted and can easily cast doubt on the adequacy of the collection.

Another option is for a targeted collection of the attorney’s hard drive. This might take more time then doing a mirror image of the hard drive, but provides more piece of mind to the attorney. The collection is based on search terms devised by the computer forensic expert and attorneys to specifically identify the relevant information. This conceptually is a good middle ground approach to both preserve the parties’ interests and the confidentiality of the attorney’s clients.

Instead of the computer forensic examiner “mailing” documents to the attorneys, a hosted repository is an option the parties and court should consider. The producing party could first review the responsive information for any privileged ESI, creating all the necessary information for a privilege log right in the database. The requesting party could then perform its own review and note any challenges to any asserted privileges. The Court itself could then review the information “in camera” and rule on any privilege issues without protracted motion practice.

About these ads

4 thoughts on “Forensically Examining A Lawyer’s Computer

  1. Mr. Gilliland,

    Enjoyed the blog as always. As a computer forensics expert I would suggest that collection without benefit of a “mirror copy” is always incomplete because it doesn’t incorporate deleted yet responsive files. Self collection or other searching methods performed on a “live” disk will usually recover most of the responsive files but will not recover deleted responsive files. Of course not every case requires recovery of deleted or temp files.

    Thanks for the excellent material.

    • Thank you for the comment and kind words.

      If the case involved issues of fraud by an attorney, I think a “mirror image” would be necessary, because there could be issues with deleted files. However, if deleted files or fraud are not at issue, I think a targeted collection would be a good plan, given the confidentiality issues of the other clients.

      If a mirror image was necessary, the Court appointing a neutral third party the computer examiner would be a good way to protect the confidentiality interests of the other clients. Once the relevant information has been identified, the hard drive could be destroyed.

      I appreciate your thoughts on collection.

  2. Pingback: Weekly Highlights: September 17, 2012 « INFO[rmation fo]RENSICS

  3. Pingback: Bow Tie Law’s Blog: Forensically Examining A Lawyer’s Computer - ADR Toolbox

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s