Interesting article and some U.S. case law on some of the perils of self-collection. Self-collection is a process whereby the custodians and / or the companies collect the data themselves in anticipation of litigation. There are some obvious risks associated with this, as Kathryn Cole highlights. There are also several technical and 'human' risks that can sometimes cause problems, for example:

  • The use of email archives can sometimes be overlooked, especially if they are controlled by the user rather than being an enterprise-wide solution;
  • If searches are performed using email clients so that only emails containing keywords are collected, then the limitations of such searches need to be fully understood - some of which can be technical (e.g. are attachments searched? what about non-text PDF files?).  And some can be more related to the case (e.g. what happens if the keywords change or are challenged?);
  • If only certain folders are collected, what assurances can be obtained to ensure that nothing has been missed - this can be especially relevant to sent emails, as although (some) people can be good at filing received messages, not many, in my experience, are equally diligent with sent messages; and
  • The process tends to be less fool-proof, non-repeatable, prone to error and can be challenged, especially if the data in question becomes contentious.

Having said all that, there are many companies out there that have internal forensic capabilities and established processes, in which case, as long as these are agreed upon, the risks would be greatly reduced. Otherwise, a reputable and qualified forensic consultant should be used to undertake the data collection exercises to remove these risks.

Now, I can also imagine people thinking: “he would say that wouldn't he,” given that I am one of those forensic consultants. But where the completeness, validity and integrity of documents and emails seems to be being challenged on a more regular basis, it seems a sensible and prudent course of action to follow.