Dramatically enlarged photographs, bits of cryptic evidence in plastic baggies, and interviews with shady characters make for great television detective shows. In real life, what is commonly referred to as the “discovery” can indeed include such items, but one discovers very quickly that it can include much more, and frequently, involves electronic and digital files.
Police reports, criminal history, formal complaints and affidavits, search warrants, arrest warrants, body camera footage, interviews with victims and witnesses, crumpled papers fished out of trash cans, and digital and electronic records can all be part of the discovery process. When faced with a district attorney with a box full of evidence, the most important thing to understand is that the discovery is not always accurate, and it is up to the defendant and his or her attorney to shed light on what may be wrong with that discovery, what is missing, and what information law enforcement may have misunderstood.
It’s also important to know that discovery can be updated throughout the case, and that in most cases, any discovery made on the part of the prosecutor must be handed over to the defendant and his/her attorney – although the defendant is not required to hand over all the evidence they may have discovered during their own investigation.
In the digital age, electronic discovery has become an important part of this process, and has become a highly specialized field which comes with its own challenges and protocols – and items like emails, text messages, and archived files may also become part of the discovery. As a result, how those digital records are recorded, archived, and backed up becomes very important. If for example, the prosecutor finds that a defendant or defendant’s company did not have a standard backup policy, or did not uniformly adhere to that policy, opposing counsel can argue that evidence is inadequate or incomplete.
Even small companies discover, often when it’s too late, that the ability to find and retrieve digital records quickly is essential to their defense. Larger companies find that e-discovery can be expensive – and planning for it requires the attention of both the IT and the Legal departments, it requires establishing data retention and backup policies ahead of time, and rigorously adhering to them. Even outside of the corporate world, individuals may also find themselves subject to discovery, and facing a requirement to produce electronic documents even in routine cases of DUI, domestic violence or sex offender cases. Discovery is also used sometimes in a child custody case. Defendants may need to produce cloud storage files, access to in-home desktops and laptops, and even personal emails.
Individuals may be tempted to delete files and browser histories, but those deletions can be discovered through electronic forensics techniques, and if it is discovered that data has been deleted, defense becomes much more difficult. Deleting a browser history is no guarantee that it’s gone – a system restore can easily recover that history, or a digital forensic auditor may be able to access which cookies are still present on the computer, which would indicate which websites have been visited. If it exists – or if it used to exist – chances are, the digital forensic auditor will find it.
While it’s never a good idea to try to hide evidence, a better practice is to rigorously adhere to a strict, written protocol for data storage and archiving. A data policy, whether it’s for a large corporation, a small business, or an individual, not only sets out standard storage and archival protocols, but also includes standardized rules for data retention periods, and a procedure for implementing a “legal hold” on any data which might otherwise be scheduled for deletion. Most companies do have some sort of backup and retrieval procedure in place, but that doesn’t mean they are ready for e-discovery. A company may find itself required to produce data that is not traditionally contained in the backup, such as data stored on individual work computers, including calendar applications, or even web browser histories. A protocol for accessing this type of information also needs to be part of the e-discovery policy. And lastly, meta-data about each file also must be preserved, to show when or if each file was opened or edited.
When you’re on the defense, adhering to a standardized backup, archiving, and data management policy is always going to work in your favor. Most importantly, if you have done so, it helps make a case that all data was produced when requested – remember that if the opposing counsel can find any flaw in how you have archived data, they may be able to argue that something is missing, and even an honest mistake in backup may work against you.