A large corporation was named as a defendant in a product liability lawsuit. The corporation has preserved a massive amount of electronically stored information (ESI) in response to the suit and is now considering how much of the ESI, and which portions, to collect in order to review and produce it.

Collecting ESI — Who, What, Where, When and How

While preservation may prevent spoliation of ESI, before such ESI can be reviewed and produced, it must actually be collected. The collection of ESI can be both a technically and legally complex endeavor. In order to manage the risks and costs of collecting ESI, a litigant is well advised to design and document an ESI collection plan which considers the following five questions: Who, What, Where, When and How.

  • WHO Should Collect the ESI?

One of the first decisions a collecting party faces is whether to handle the collection internally or to outsource the process to a specialized vendor. The appropriate choice will depend on the specific organization and the nature of the particular litigation and data at issue, as well as on such factors as the frequency with which the party finds itself in litigation, the capability and availability of internal IT resources to perform the collection, the financial stakes of the litigation, and the sensitivity of the data to be collected. Outsourcing the collection process is not an all-or-nothing decision, because parties may outsource some portions of the collection process while retaining direct control over others. Using a vendor to collect data can be more expensive than using internal staff. However, one must also consider whether internal staff persons have the appropriate time, sophistication and tools to collect the data properly and completely.

  • WHAT (and How Much) to Collect?

A producing party has no obligation to collect or produce “every shred of paper, every e-mail or electronic document, and every backup tape” it possesses. Collection need only be reasonable – not perfect – and proportionate to the needs of the case. The producing party should focus its effort on a reasonable and proportionate number of employees. The producing party also should adopt a collection protocol that minimizes over-collection. For example, the producing party might use inclusive or exclusive filters when collecting from desktop and laptop hard drives, or copies of those drives, to avoid paying to collect and process system files and executables, Internet “cookies” and temporary Internet files, “deleted” data that is only recoverable from fragmented or slack space using forensic tools and techniques, and other types of data that generally are not important enough to warrant the expense associated with collection and processing. The producing party might rely on employees to identify their relevant email folders and/or run targeted searches for relevant email. What is reasonable and proportionate will vary depending on the nature of the case. The point is that there are many methods to keep the collection within a reasonable scope and producing parties should not simply assume they must perform a massive collection.

Where agreement on a collection protocol can be reached, that is desirable. Where agreement cannot be reached, producing parties can minimize their risks by being transparent about the limitations that they believe are reasonable and proportionate. This allows disagreements about those limitations to be aired and decided by the court at an early stage, before sanctions are likely to be an issue. It must be recalled that significant costs and risks also arise from over-collection.

  • WHERE (and from Whom) to Look?

The specifics of the lawsuit will determine where to look for ESI and who are the key players. In many cases, a significant portion of ESI that must be collected is retained or managed by the “key players” in that case. The collection team should interview these key players and their assistants, along with any IT professionals with knowledge of such persons’ files to ascertain where relevant information is located. Examples of such systems and media include email and instant message (IM) servers; enterprise archival systems; hard drives in notebook and desktop computers; personal digital assistants (PDAs) such as BlackBerries; removable media; personal network storage locations; shared network storage locations; software applications with their associated databases; and telephone and voicemail systems. In some cases, collecting a ‘mirror image’ of a key player’s hard drive is an important part of a forensically sound collection. However, it is often unnecessary, particularly when the circumstances of the case, the cost of collection and the cost of culling through irrelevant data do not justify taking mirror images. As with other aspects of collection described earlier, the identities of the individuals from whom data are collected can, in appropriate cases, be a topic of negotiation with the other parties to the litigation. Often agreement can be reached that there is no need to collect data from individuals at the relative periphery of the litigation.

In addition to looking for ESI possessed or managed by key players, a reasonable and good faith effort must be made to identify and collect the relevant and potentially discoverable ESI that may reside in a party’s databases, website servers, and intranet servers, or with third parties in possession of data under the party’s control. Note that collecting data from a complex, relational database is often not possible since the “file” is constantly changing; however, it may be sufficient to generate a report encapsulating all potentially relevant points and to collect that report instead.

  • WHEN Should Collection Occur?

It is no longer safe for producing parties to wait for discovery requests to begin looking for relevant evidence. The 2006 amendments to the Federal Rules of Civil Procedure require parties to take affirmative steps to reasonably ensure that relevant evidence is preserved. One approach to compliance is to “collect to preserve” at the outset of pending or threatened litigation. This comes at a cost, however, and other protocols may be put in place to comply with the duty to take affirmative steps to preserve relevant evidence.

  • HOW to Collect?

The actual collection methods can be as varied as the ESI to be collected. One option is to use specialized tools that collect ESI in a “forensically sound” manner. A forensically sound collection of ESI maintains the integrity of the collected files and their associated metadata and often assigns a hash code that can be used to detect subsequent iterations of the file. These tools range from systems that require the relevant custodians to identify relevant files themselves (which may be done under the supervision of a lawyer or paralegal) to systems that reach directly into ESI storage locations (e.g., email servers, file servers, hard drives) and collect all files matching the established criteria. If the company lacks such tools, then the company may hire a vendor that is capable of forensically sound collection of ESI.

Forensically sound collection may not always be necessary, reasonable or proportionate to the needs of the case. It is still common in many cases, particularly smaller cases, to collect and produce printed versions of ESI. There are also degrees of forensic soundness. For example, many collection methods exist that affect only limited metadata, such as the metadata which tracks the date a file was last opened. This type of metadata usually is not critical, or even useful. Adopting a collection method that affects such inconsequential metadata may be appropriate where there is no substantial reason to believe that it will turn out to be important to the case.
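As an added illustration (not part of the original article and not any vendor's tool), the Python sketch below combines the exclusion filters discussed under WHAT with the hashing and metadata handling discussed under HOW. The filter lists, function names and sample files are assumptions constructed for the example, and SHA-256 stands in for the "hash code".

```python
import hashlib, os, shutil, tempfile
from pathlib import Path
# Assumed exclusion filters (illustrative, not taken from the article).
EXCLUDE_SUFFIXES = {".exe", ".dll", ".sys", ".tmp"}
EXCLUDE_DIRS = {"Temporary Internet Files", "Cookies"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(source, dest):  # copy in-scope files to dest, return a manifest
    source, dest = Path(source), Path(dest)
    manifest = []
    for root, dirs, files in os.walk(source):
        dirs[:] = sorted(d for d in dirs if d not in EXCLUDE_DIRS)
        for name in sorted(files):
            src = Path(root) / name
            if src.suffix.lower() in EXCLUDE_SUFFIXES:
                continue
            st = src.stat()  # taken before reading, which can change "last opened"
            digest = sha256_of(src)
            rel = src.relative_to(source)
            out = dest / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, out)  # copy2 carries the modification time across
            if sha256_of(out) != digest:
                raise OSError(f"copy of {rel} does not match its source")
            manifest.append({"path": rel.as_posix(), "sha256": digest,
                             "mtime_ns": st.st_mtime_ns, "atime_ns": st.st_atime_ns})
    return manifest

def verify(dest, manifest):  # paths whose current hash differs from the manifest
    return [e["path"] for e in manifest
            if sha256_of(Path(dest) / e["path"]) != e["sha256"]]

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "custodian"), Path(tmp, "collected")
        (src / "Mail").mkdir(parents=True)
        (src / "Cookies").mkdir()
        (src / "Mail" / "memo.txt").write_text("constructed sample memo")
        (src / "setup.exe").write_bytes(b"MZ constructed sample")
        (src / "Cookies" / "site.txt").write_text("constructed sample cookie")
        manifest = collect(src, dst)
        (dst / "Mail" / "memo.txt").write_text("altered after collection")
        return [e["path"] for e in manifest], verify(dst, manifest)
```

Keeping the manifest with the documented collection plan lets a later reviewer confirm that each collected file is unchanged, and the recorded pre-read timestamps show what the "last opened" value was before collection touched the file.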

For inquiries related to this Tip of the Month, please contact the authors A. Leffert at

Learn more about Mayer Brown's Electronic Discovery & Records Management practice or contact Anthony J. Diana at, Michael E. Lackey at, or Edmund Sautter at