IT Tech’s Fast-Talk Had Zero Persuasive Value with Judge

Totally Wiped A district court judge in Connecticut recently rejected defendant’s explanation as to why the hard drives of key employees contained only zeros, and imposed sanctions for spoliation.  Jane Doe v. Norwalk Community College, 2007 WL 2066496, 2007 LEXIS 51084 (D. Conn. July 16, 2007).  

First some background of this “Jane Doe” case. The main defendant here is a state community college.  The plaintiff is a student alleging her college was negligent in its retention and supervision of a professor who sexually assaulted her.  The now “former professor” is also a defendant, but with no legal representation.  The student was permitted to file suit as “Jane Doe” to protect her privacy. 

After two years of litigation, Jane Doe persuaded the court that the college was withholding electronic evidence.  The school was ordered to produce the computers of key witnesses for inspection by Doe’s computer forensic expert, Dorran Delay of DataTrack Resources.  The expert inspected the college computers over a two day period. Here is where the case gets interesting. Delay’s inspection showed that several of the computers had no data: they were literally all zeros.

Jane Doe’s next move was to file a motion for sanctions based on spoliation of evidence.  She alleged that “the hard drives of key witnesses in this case were scrubbed” or “completely ‘wiped’ of data.” This led to a flurry of affidavits by Doe’s expert, Delay, and the counter-expert used by the college, its own in-house Information Technology Technician, Wyatt Bissell. Of course, the experts did not agree. Bissell came up with a laundry list of excuses for why two computers were “full of nothing.” He tried saying it was the wrong computer, then that it was not wiped at all, just imaged. Then, as a last resort, he settled on the best excuse of many an IT Tech, that the “all zeros” problem was simply the result of “computer failure.”

The judge responded by scheduling two evidentiary hearings.  At these hearings, Delay, Bissell, and other witnesses testified and were cross-examined about the many suspicious circumstances surrounding the missing ESI.  Further, at one of the hearings, the college offered the expert testimony of another of its employees, Mr. Olsen, the Information Technology Systems Manager.  It did not help much.  Among other things, both Bissell and Olsen testified that they did not think the state’s two-year document retention policy applied to them or “normal computer usage,” directly contradicting the hearing testimony of their boss, the Dean.  The testimony of the defense experts was rejected by the court as not credible, and overall, they only served to make a bad situation worse.

District Court Judge Janet Hall not only rejected the defense expert testimony, she rejected the legal arguments of defense counsel as well.  One of the more clever arguments they made, to no avail, was that they could not put an effective hold in place without revealing the true name of Jane Doe. Judge Hall said they should have contacted plaintiff’s counsel and tried to work that out.  Defense counsel’s arguments as to when the duty to preserve commenced were also given zero value.  It seems as if the attorneys’ credibility was completely nullified by the specious testimony of their experts. 

In the end, Judge Hall granted Jane Doe’s motion, and awarded an adverse jury instruction based on the grossly negligent failure of the college to preserve ESI.  She also awarded Doe her expert witness’s costs, which, I suspect, will be quite large. 

In a case like this an adverse inference instruction is almost always fatal to the defense.  For all practical purposes, even though the case has not yet been tried, it has already been lost because of e-discovery. The only real question still remaining has to do, once again, with zeros.  How many will be added to the judgment or settlement?

Although this is all well and good, to me the most interesting aspects of this case are its computer forensic, geek-type technicalities.  First of all, the forensic expert, Delay, and the college IT technician, Bissell, could not agree on whether the computers had been “wiped.”  Delay opined that the “all zeros” condition of the hard drives showed that they had been intentionally wiped or scrubbed of all data.  Footnote 3 of the opinion explains that:

According to Delay, wiping is a “process that overwrites existing data on the hard drive, making this information unrecoverable.”

 Bissell’s counter explanation is set forth in footnote 6: 

At the Hearing, Wyatt Bissell indicated that he disagreed with the term “scrubbed,” which overwrites a hard drive, completely eliminating all data from it. Instead, Bissell testified the correct word to use is “imaged”–that is, NCC’s [the college] technology modifies the structure of the hard drive, without scrubbing it.

Bissell also testified:

. . . that Delay’s results, i.e., that it appeared that this particular hard drive had been “scrubbed” were because Schmidt’s hard drive was in the process of failing, which can produce inconsistent or corrupt results.

The court did not believe Bissell and found that the computers had been “scrubbed’ or “wiped.”  Judge Hall explained what she meant by these terms in footnote 11:

By “scrubbed” or “wiped” the court means more than overwriting or “reimaging;” it means eliminating all data from the hard drive, such that none of the old data can be read or still remains on it.

It is hard to see how you can reach any other conclusion when presented with a computer hard drive filled with all zeros. That is what most (but not all) data scrubbing programs are designed to do. (For an example of one such program, GhostSurfer, see my blog of June 7, 2007, GhostSurfer Wipe Out Leads to Jail Order Sanction in Bankruptcy Court.)  Most data erasure software physically writes zeros (or ones, or random combinations) to all sectors of a hard drive and thereby completely writes over and erases everything, even residual data existing outside of any organized file structures.  This process is also known as “shredding,” and among Mac users is called “zeroing all data.”  Supposedly there is expensive equipment available that allows for the recovery of segments of a hard drive even after it has been zeroed out.  For that reason, many data shredding programs provide for multiple wipes with various types of random patterns of data filling.  This will defeat even the spy agencies who own such equipment, and so meets the Department of Defense specifications for destruction of sensitive data.  (The really top secret stuff is physically destroyed, cut up into tiny bits (no pun intended), and then dumped into multiple land fills.)

To better understand how this kind of disk wiping works, you need to recall that all computers operate and store information in bits of either one or zero, electrically on or off.  This is the binary code.  Recall also that eight of the on-or-off bits together comprise a byte.  A typical hard drive today has hundreds of billions of bytes.  Thus if a hard drive, or any other ESI device, contains all zeros, or all ones for that matter, it contains absolutely no information at all.   Information can only be stored when both ones and zeros are used in the almost innumerable possible permutations.  This all-zero condition does, however, tell you that the disk has been intentionally wiped.  Contrary to Bissell’s testimony, a computer which has been imaged, or is subject to failures of some kind, would not contain all zeros.  Some information, some combinations of ones and zeros among the billions of bits on a hard drive would remain.  Judge Hall explains how this applies to the case as follows:

Delay found that it contained all 0’s, indicating that every sector had been overwritten. Delay testified that, if the drive had data on it but was failing, as Bissell testified, then data would be seen on it with Delay’s forensic software, which instead recognized that the hard drive was unpartitioned and contained no data. Moreover, Seaborn’s new computer had traces of other users’ information on it, thus showing an inconsistent result in NCC’s process of re-imaging hard drives. Even if it was consistent with NCC’s policy, the fact that Seaborn’s new computer showed other users’ information indicates that “imaging” does not eliminate everything from a hard drive, but leaves some data from old users on it, prompting the question why Seaborn’s old computer–or Schmidt’s computer–did not have any evidence of other users on it. The answers provided by the defendants–a failing drive or “re-imaging”–are rejected by the court as not credible. 

The irregularities in PST files that Delay uncovered are another factor worth mentioning that led Judge Hall to suspect that relevant evidence had been intentionally destroyed by several of the college employees.

Additionally, Delay found the Microsoft Outlook PST files, which house electronic mailboxes, of four individuals had inconsistencies “that indicate [ ] that data has been altered, destroyed or filtered.” Id. at ¶ 6. For example, Professor Skeeter’s PST file contained no Deleted Items and only one Sent Item and the Inbox and Sent Items contained data starting August 2004, “even though other activity is present starting in 2002.” Id. at ¶ 8.

Bottom line, if you are an IT Tech, or expert of any kind, do not try to fast-talk a federal judge with “computerese” and specious theories.  It may fool your boss, and many attorneys, and make you look good for a while, but it will not work in court, and could get you in serious trouble.  If mistakes were made, then admit it. Don’t try to cover it up with technical jargon.  The best advice is to tell the truth and play it straight.  Also, be careful what you say in an affidavit or expert report.  You never know when you may be required to testify at trial to back it up.  You will then be subject to cross-examination, sometimes by a very skilled and knowledgeable attorney, and contradicted by a well-credentialed expert. Finally, from the attorney’s perspective, it is rarely a good idea to do what defense counsel did in this case, and go into an evidentiary hearing on complex IT issues without an impartial outside expert.  It is too dangerous to rely solely on the client’s own IT staff.  As this Jane Doe opinion shows, they can zero out your case real fast.

3 Responses to IT Tech’s Fast-Talk Had Zero Persuasive Value with Judge

  1. Alexis says:

    Excellent summary of the case. Very interesting.

  2. […] Once again, the court responded by scheduling another hearing for February 2, 2007. This time both sides were ordered to bring their IT witnesses with them to answer the court’s questions. At this hearing the county came up with a new excuse for the great expense, claiming that a water pipe had burst in 2004 where the backup tapes were stored. This accident supposedly made 3 out of 4 of the tapes unrecoverable. Apparently the county’s IT department waited quite some time to tell the lawyers about their little accident, and then, as we will see, greatly exaggerated the consequences of the water damage. Id. at *4 and FN3. This is a good example of the failure of IT and Law to communicate. It is also a good example of the common false assumption by IT professionals, that they can bluff their way in court with wild unsubstantiated claims, so long as they dress them up in technical jargon. This may work back in the office, but it will not fly in most federal courts. See: IT Tech’s Fast Talk Had Zero Persuasive Value With Judge. […]

  3. […] software programs. I have written about this several times before in prior blogs, including IT Tech’s Fast-Talk Had Zero Persuasive Value with Judge, and GhostSurfer Wipe Out Leads to Jail Order Sanction in Bankruptcy Court. These other attempts […]

Leave a Reply

Discover more from e-Discovery Team

Subscribe now to keep reading and get access to the full archive.

Continue reading