Preserving Electronic Evidence

June 30, 2006

The Practice Direction to Civil Procedure Rule 31 was amended in October 2005 to include metadata in the definition of an electronic document. The revisions, which are among the most noteworthy developments affecting electronic evidence within UK cases, now explicitly require lawyers to preserve, review and produce metadata during electronic disclosure.


The practicality of handling metadata during an investigation or litigation is still a new experience for many lawyers.  In order to develop an effective plan for addressing metadata, lawyers need to become more knowledgeable about the nuances surrounding metadata and the potential impact it can have on a case.



What is metadata and how is it relevant in the litigation context?

Metadata, defined as ‘data about data in Williams v Sprint/United Mgmt Co., 230 F.R.D. 640 (D. Kan. 2005), includes information about who created a document, the date it was created, when it was last modified, and much more.  For example, in an e-mail, metadata header information would be likely to include an e-mail’s author, the list of the addressees, and the date it was sent.


The availability of metadata depends on the properties of the file type. Depending on the type of application, a single document has the potential to have hundreds of metadata fields. In a case requiring metadata production, two primary types of file metadata are important:


·        System metadata: data created by the operating system that stores a file and is independent of the file itself.  System metadata contains information about the file (eg file names, dates, path locations, sizes, etc.). This is the type of information that can be seen when a file is accessed through Windows Explorer, for example.


·        Application metadata: data embedded within the file itself. For example, tracked changes, document author, version, Macros, e-mail “to,” “from,” “subject,” etc.  This type of metadata is created by the application associated with the file type. Word files, for instance, have Word-related metadata.  Application metadata moves with a file when copied and varies depending upon the file type.


Like other forms of electronic evidence, metadata can be easily altered if proper preservation precautions are not taken. In addition, every file and application will have its own set of metadata information unique to that file type. Lawyers will need to understand that defining what metadata fields they need to preserve and eventually produce is an important first step in establishing the scope of the electronic disclosure exercise. In some cases this may mean seeking the assistance of the opposing party or the court in clarifying what metadata fields are relevant in the case.


While the Practice Direction to CPR Rule 31 makes it clear that metadata is subject to disclosure, lawyers typically need to preserve and produce only a handful of metadata fields out of the hundreds that are potentially available for each particular file.  Metadata fields commonly sought during electronic disclosure include: date sent, created or received, subject, from, to, cc, bcc, custodian, and whether the document was in a parent-child relationship (attachment).  Ultimately, the preservation and production scope for metadata varies depending upon the type of information at issue in the case, and what the parties and court have agreed as appropriate.


How can metadata assist?

Knowing how metadata evidence can support or damage a case can give lawyers a significant advantage.  From bolstering key pieces of relevant evidence to narrowing down the document set, metadata can prove useful during electronic disclosure in a variety of ways.


Establishing or discounting elements of a claim or defence

At the outset of a case, lawyers should identify which metadata fields may strengthen or weaken a claim or defence in the case.  Creating an inventory of fields available for each document type is a beneficial starting point for narrowing down this information.  Lawyers can then analyse how those fields relate to the issues in the case and determine which fields actually require preservation.  After this preliminary assessment, lawyers should work with the opposing side and/or seek the court’s assistance in clarifying which metadata fields will be required for production.  During this stage, the parties should also consider how they will access, review and produce metadata deemed relevant.


Filtering a large volume of data down to a more manageable review set

Filtering by metadata fields can be a valuable method for decreasing the volume of data requiring review.  Common filtering fields include:


  • File type: Two primary methods for identifying file types exist – file extension metadata field (convenient but potentially inaccurate) and binary content analysis (highly accurate but requires technical skills).

  • File dates: Most documents have created, modified and accessed dates; e-mails usually provide sent and received dates.  For sorting purposes, modified and sent dates tend to provide the most accurate information.

  • File size:  Large electronic files like databases or spreadsheets can translate into thousands of pages for review.  To reduce review burdens, these documents may be sorted and set aside for native file review.

  • File path or location: This filtering method can identify the place where a file was located.  Lawyers should consider file path or location filtering by custodian or shared drive location.


Aid internal investigations and provide evidence of a computer user’s actions.

In most cases, computer users are not aware of the computer’s metadata “log” which documents the dates and times files are created, accessed and modified.  This trail of evidence can help tell the story about a computer user’s conduct or the history of a particular file.  Even if the data itself has been deleted, directory entries, pointers or other metadata relating to the file may remain on the computer.


Authenticate evidence at trial and assist in ensuring the admissibility of a document.

Metadata can help authenticate and interpret evidence by providing date/time stamps, network access logs, evidence of simultaneous user activity, version control information and more.  Without this documentation an electronic document is incomplete, and courts may refuse to admit a key piece of evidence if they find the data unreliable. 



Planning ahead: Key questions to ask about metadata.

As indicated by the Practice Direction to CPR Rule 31, metadata must now be considered as a matter of course during disclosure.  As technology continues to evolve, lawyers must be prepared to identify relevant metadata types and understand the considerations and realities associated with handling this information during electronic disclosure. More advanced issues that lawyers face relating to metadata include:


– how do you properly preserve metadata and avoid sanctions?

– how do you search metadata information when reviewing documents for relevance?

– what are the concerns associated with handling metadata when producing tiff images, native files, or printed documents?


In conclusion, having a thorough understanding of the complex issues surrounding metadata is likely to provide technically savvy lawyers with a competitive advantage as they effectively use metadata to their clients’ benefit.


Andrew Szczech is an electronic evidence consultant at Kroll Ontrack.