There is a long Labor Day weekend coming up, so here is another summer rerun and update for your reading pleasure. It is a spoliation sanctions case involving disk-wiping software. The hard drives of defendant’s key employees contained zeros, all zeros, nothing but zeros. The plaintiff made much ado about nothing, exposed the zero-credibility of the defendant college IT “experts,” and attained case-ending sanctions. Jane Doe v. Norwalk Community College, 2007 WL 2066496, 2007 LEXIS 51084 (D. Conn. July 16, 2007).
Case of the Evil Professor and Fast-Talking Techs
First some background of this “Jane Doe” case. The main defendant here is a state community college. The plaintiff is a student alleging her college was negligent in its retention and supervision of a professor who sexually assaulted her. The now “former professor” is also a defendant, but with no legal representation. The student was permitted to file suit as “Jane Doe” to protect her privacy.
This opinion exposes the defendant’s IT techs who tried too hard to protect their employer and themselves with their bogus tech-talk. The case shows once again that the cover-up is always worse than the crime. It also shows that lawyers are fools not to hire outside experts when their client’s own techs’ veracity and expertise are challenged in court.
Zero Sum Game
After two years of litigation, Jane Doe persuaded the court that the college was withholding electronic evidence. The school was ordered to produce the computers of key witnesses for inspection by Doe’s computer forensic expert, Dorran Delay of DataTrack Resources. He inspected the college computers over a two-day period and found something very interesting. He found nothing, but in an enlightening Zen sort of way. Dorran Delay found that the hard drives were full of zeros. That is a whole lot of nothing.
Jane Doe’s next move was to file a motion for sanctions based on spoliation of evidence. She alleged that “the hard drives of key witnesses in this case were scrubbed” or “completely ‘wiped’ of data.” This led to a flurry of affidavits by Doe’s expert, Delay, and the counter-expert used by the college, its own in-house Information Technology Technician, Wyatt Bissell.
Of course, the experts did not agree. Bissell came up with a laundry list of excuses for why two computers were “full of nothing.” He tried saying that it was the wrong computer, then that it was not wiped at all, just imaged. Then, as a last resort, he settled on the best excuse of many an IT Tech, that the “all zeros” problem was simply the result of “computer failure.” Oh yeah, sure Mr. Bissell. The hard drive suddenly filled itself with all-zeros as a kind of spontaneous combustion. Remarkable that he learned how to say that under oath with a straight face. Some IT people think lawyers are sooooo dumb. (And, alas, they are sometimes right.)
The Judge Orders the IT Experts to Testify Under Oath So That She Could Evaluate Their Credibility for Herself
District Court Judge Janet Hall (shown right) was not amused by this conflict in expert opinions. She responded by scheduling two evidentiary hearings where the experts were required to give testimony before her so that she could decide who was telling the truth, and who was not. At these hearings, Delay, Bissell, and other witnesses testified and were cross-examined about the many suspicious circumstances surrounding the missing ESI.
Further, at one of the hearings, the college offered the expert testimony of another of its employees, Mr. Olsen, the Information Technology Systems Manager. It did not help much. Among other things, both Bissell and Olsen testified that they did not think the state’s two-year document retention policy applied to them or “normal computer usage,” directly contradicting the hearing testimony of their boss, the Dean. The testimony of the defense experts was rejected by the court as not credible, and overall, they only served to make a bad situation worse.
Judge Decides the Defense is B.S. and Imposes Severe Sanctions
Judge Hall not only rejected the defense expert testimony, she rejected the legal arguments of defense counsel as well. One of the more clever arguments they made, to no avail, was that they could not put an effective hold in place without revealing the true name of Jane Doe. Judge Hall said they should have contacted plaintiff’s counsel and tried to work that out. Defense counsel’s arguments as to when the duty to preserve commenced were also given zero value. It seems as if the attorneys’ credibility was completely nullified by the specious testimony of their experts.
In the end, Judge Hall granted Jane Doe’s motion, and awarded an adverse jury instruction based on the grossly negligent failure of the college to preserve ESI. She also awarded Doe her expert witness’s costs, which, I suspect, were quite large.
In a case like this an adverse inference instruction is almost always fatal to the defense. For all practical purposes, even though the case has not yet been tried, it has already been lost because of e-discovery. The only real question still remaining has to do, once again, with zeros. How many will be added to the judgment or settlement?
Being and Nothingness:
The Computer Semantics of Zeros and Ones
Although the ruling is all well and good, to me the most interesting aspects of this case are its computer forensic, geek-type technicalities. First of all, the forensic expert, Delay, and the college IT technician, Bissell, could not agree on whether the computers had been “wiped.” Delay opined that the “all zeros” condition of the hard drives showed that they had been intentionally wiped or scrubbed of all data. Footnote 3 of the opinion explains that:
According to Delay, wiping is a “process that overwrites existing data on the hard drive, making this information unrecoverable.”
Bissell’s counter explanation is set forth in footnote 6:
At the Hearing, Wyatt Bissell indicated that he disagreed with the term “scrubbed,” which overwrites a hard drive, completely eliminating all data from it. Instead, Bissell testified the correct word to use is “imaged”–that is, NCC’s [the college] technology modifies the structure of the hard drive, without scrubbing it.
Bissell also testified:
. . . that Delay’s results, i.e., that it appeared that this particular hard drive had been “scrubbed” were because Schmidt’s hard drive was in the process of failing, which can produce inconsistent or corrupt results.
The court did not believe Bissell and found that the computers had been “scrubbed’ or “wiped.” Judge Hall explained what she meant by these terms in footnote 11:
By “scrubbed” or “wiped” the court means more than overwriting or “reimaging;” it means eliminating all data from the hard drive, such that none of the old data can be read or still remains on it.
It is hard to see how you can reach any other conclusion when presented with a computer hard drive filled with all zeros. That is what most (but not all) data scrubbing programs are designed to do. Most data erasure software physically writes zeros (or ones, or random combinations) to all sectors of a hard drive and thereby completely writes over and erases everything, even residual data existing outside of any organized file structures. This process is also known as “shredding,” and among Mac users is called “zeroing all data.”
Supposedly there is expensive equipment available that allows for the recovery of segments of a hard drive even after it has been zeroed out. For that reason, many data shredding programs provide for multiple wipes with various types of random patterns of data filling. This will defeat even the spy agencies who own such equipment, and so meets the Department of Defense specifications for destruction of sensitive data. (The really top-secret stuff is physically destroyed, cut up into tiny bits (no pun intended), and then dumped into multiple land fills.) As mentioned before, many experts think this recovery after wiping, or zeroing out, is just a myth. That once the intelligible information patterns of zeros and ones are replaced with gibberish zeros and ones, that the information is gone forever. It either is or isn’t, and once its gone, its gone. There is no recovery, no reincarnation. What do you think?
Bits, Bytes and Binary Code
Some of you may need a bit if a refresher on data storage (and the rest of you can skip ahead) to better understand how this kind of disk wiping works. You need to recall that all computers operate and store information in bits of either one or zero, electrically on or off. This is the binary code. Recall also that eight of the on-or-off bits together comprise a byte. A typical hard drive today has hundreds of billions of bytes. Thus if a hard drive, or any other ESI device, contains all zeros, or all ones for that matter, it contains absolutely no information at all. Information can only be stored when both ones and zeros are used in the almost innumerable possible permutations. This all-zero condition does, however, tell you that the disk has been intentionally wiped. Contrary to Bissell’s testimony, a computer which has been imaged, or is subject to failures of some kind, would not contain all zeros. Some information, some combinations of ones and zeros among the billions of bits on a hard drive would remain.
Judge Hall explains how this applies to the case as follows:
Delay found that it contained all 0’s, indicating that every sector had been overwritten. Delay testified that, if the drive had data on it but was failing, as Bissell testified, then data would be seen on it with Delay’s forensic software, which instead recognized that the hard drive was unpartitioned and contained no data. Moreover, Seaborn’s new computer had traces of other users’ information on it, thus showing an inconsistent result in NCC’s process of re-imaging hard drives. Even if it was consistent with NCC’s policy, the fact that Seaborn’s new computer showed other users’ information indicates that “imaging” does not eliminate everything from a hard drive, but leaves some data from old users on it, prompting the question why Seaborn’s old computer–or Schmidt’s computer–did not have any evidence of other users on it. The answers provided by the defendants–a failing drive or “re-imaging”–are rejected by the court as not credible.
The PST File Irregularities
The irregularities in PST files that Delay uncovered are another factor worth mentioning that led Judge Hall to suspect that relevant evidence had been intentionally destroyed by several of the college employees.
Additionally, Delay found the Microsoft Outlook PST files, which house electronic mailboxes, of four individuals had inconsistencies “that indicate [ ] that data has been altered, destroyed or filtered.” Id. at ¶ 6. For example, Professor Skeeter’s PST file contained no Deleted Items and only one Sent Item and the Inbox and Sent Items contained data starting August 2004, “even though other activity is present starting in 2002.” Id. at ¶ 8.
Conclusion and Warning to Techs:
Don’t Try to B.S. a Judge
Bottom line, if you are an IT Tech, or expert of any kind, do not try to fast-talk a judge with “computerese” and specious theories. It may fool your boss, and many attorneys. It may make you look good for a while, but it will not work in court. It could even get you into serious trouble.
If mistakes were made, then admit it. Don’t try to cover it up with technical jargon. The best advice is to tell the truth and play it straight. Also, be careful what you say in an affidavit or expert report. You never know when you may be required to testify at trial to back it up. You will then be subject to cross-examination, sometimes by a very skilled and knowledgeable attorney, and contradicted by a well-credentialed expert.
Finally, from the attorney’s perspective, it is rarely a good idea to do what defense counsel did in this case, and go into an evidentiary hearing on complex IT issues without an impartial outside expert. It is too dangerous to rely solely on the client’s own IT staff. As this Jane Doe opinion shows, they can zero out your case real fast. Hire an outside expert. You need one.