What Electronically Stored Evidence Should My Lawyer Seek During My Divorce?

When my associate attorneys and I handle a divorce here in New Jersey, we immediately inquire as to any evidence that may exist on a home computer, cell phone and the like.  Then, if we determine that the other spouse may be inclined to destroy this evidence, my law firm moves immediately.  Although the “discovery period” of a divorce in New Jersey is usually established during a Case Management Conference, as an aggressive lawyer my team and I strike fast. 

On that note, very early in the divorce process my law firm will generate is a comprehensive letter demanding that all electronically stored evidence is to be preserved.  We further demand that the other spouse (or their attorney) that they confirm that all evidence has been maintained by a date certain. 

Some may feel it is "overkill," but myself and my associate lawyers would always rather be safe than sorry.  Below, please find a draft letter that, as you will see, is extremely specific:

Dear Mr. Jones:

If you have not done so already, please take all necessary measures to preserve all hard copy documents, tangible evidence, and electronically stored information (“ESI”) on any computer systems, storage media or devices, including but not limited to tablets, personal digital assistants, smart phones, voice messaging systems and the like, that is potentially relevant to this matter. If you destroy or fail to preserve any such evidence or information, you would be subject to a claim of spoliation of evidence in any litigation that ensues.

ESI should be given the broadest possible meaning and includes by way of example, and not as an exclusive list, potentially relevant information electronically, magnetically, optically or otherwise stored as:

  • Digital communications such as emails, emails about emails, voice mail, and instant messaging; this includes deleted files and file fragments
  • Email server stores
  • Word processed documents, including all drafts and revisions
  • Spreadsheets and tables such as Excel documents, including all drafts and revisions
  • Accounting application data
  • Sound and video recordings
  • Databases
  • Contact and relationship management data such as Outlook
  • Calendar and diary application data
  • All data created using PDA’s, smart phones, cell phones or the like, including text messages and instant messages
  • Online access data such as temporary internet files, history and cookies
  • Presentations such as Power Point presentations
  • Network access and server activity logs
  • Backup and archival files
  • The software necessary to reconstruct the data on backup and archival files
  • Images contained in hard drives retained by defendants but no longer in use

Your duty to preserve extends not only to ESI that is reasonably accessible but also to areas you may deem not reasonably accessible.

You should preserve and produce all relevant ESI with the earlier of a created or last modified date on or after January 1, 2014. Potentially relevant ESI includes all information relating to this divorce action.

Adequate preservation of ESI requires more than simply refraining from efforts to destroy or dispose of such evidence. You must act to prevent loss due to routine operations or malfeasance and employ proper techniques and protocols to preserve ESI. Booting a drive, examining its contents, or running any application may irretrievably alter the evidence it contains and constitute unlawful spoliation of evidence. Preservation requires action.

You should identify and modify or suspend features of your computers or and devices that, in routine operation, operate to cause the loss of potentially relevant ESI. Thus, unless a true and accurate copy has been made you should:

  • Purge the contents of e-mail repositories by age, capacity or other criteria
  • Use data or media wiping, disposal, erasure or encryption utilities or devices
  • Modify or delete electronic data files, “deleted” files and file fragments
  • Overwrite, erase, rotating, destroy or discard backup media
  • Reassign, reimage or dispose of systems, servers, devices or media
  • Run antivirus or other programs effecting wholesale metadata alteration
  • Release or purge online storage repositories
  • Use metadata stripper utilities
  • Disable server, packet or local instant messaging logging
  • Execute drive or file defragmentation or compression programs

You are not to have a third-party destroy any potentially relevant ESI. You must act to prevent and guard against such actions. Especially where machines were used for Internet access or personal communications, you should anticipate that users may seek to delete or destroy information they regard as personal, confidential or embarrassing, and in so doing, they may delete or destroy potentially relevant ESI.

You should take affirmative steps to prevent anyone with access to data, systems and archives from seeking to modify, destroy or hide ESI on network or local hard drives and on other media or devices (such as deleting or overwriting files, using data shredding and overwriting applications, defragmentation, re-imaging, damaging or replacing media, encryption, compression, stenography or the like).

As an appropriate and cost-effective means of preservation, you should remove from service and sequester the systems, media and devices housing potentially relevant ESI. In the event you deem it impractical to sequester systems, media and devices, then a forensically sound imaging of the systems, media and devices of those named should be performed.

Forensically sound imaging entails duplication of all data stored on the evidence media while employing a proper chain of custody and using tools and methods that make no changes to the evidence and support authentication of the duplicate as a true and complete bit-for-bit image of the original. Failure to use such method poses a significant threat of spoliation and data loss.

Be advised that a conventional copy, backup or “ghosting” of a hard device does not produce a forensically sound image because it only captures active, unlocked data files and fails to preserve forensically significant data, including “deleted” files and metadata residing in unallocated clusters and slack space.

I further request that you preserve the hard drives in any computer system, including portable and home computers, used by any person who may have had access to this information. Once obtained, each forensically sound image should be labeled to identify the date of acquisition, the person or entity acquiring the image and the system and medium from which it was obtained. Each such image should be preserved without adulteration.

In addition, the contents of any portable thumb drives, CD-R/DVD-R disks, PDS’s, smart phones, voice mailbox or other forms of ESI storage should be preserved, as should the contents of any on-line or browser based email accounts or services (such as gmail, AOL, Yahoo mail or the like), including Sent, Deleted and Archived Message folders.

All responsive or relevant ESI should be preserved and produced in native format on a CD-ROM with the syntax and semantics necessary to render the information accessible and usable. You should not employ any methods to preserve or produce ESI that remove or degrade the ability to search the ESI by electronic means or that make it difficult or burdensome to search the ESI by electronic means.

You should also act to preserve metadata. System metadata is information describing the history and characteristics of other ESI, such as a file’s names, size, custodian, location and last dates of creation and modification or access. Application metadata is information automatically included or embedded in electronic files, but which may not be apparent to a user, including deleted content, draft language, commentary, collaboration and distribution data and dates of creation and printing. For electronic mail, metadata includes all header routing data and Base 64 encoded attachment data, in addition to the To, From, Subject, Received Date, cc and bcc fields. Metadata may be overwritten or corrupted by careless handling or improper preservation, including by moving, copying or examining the contents of files.

With respect to servers used to manage email and network storage, the complete contents of each user’s network share and email account should be preserved. You should also preserve documents and other tangible items that may be required to access, interpret or search potentially relevant ESI, passwords, keys and other authenticators needed to access encrypted files or run applications, and installation disks, user manuals and license keys for applications required to access the ESI. You should also preserve all cabling drivers and hardware needed to access or interpret ESI.

As hard copies do not preserve electronic searchability or metadata, they are not an adequate substitute for, or cumulative of, electronically stored versions. If information exists in both forms, you client should preserve both.

Please confirm by November 18, 2015 that you have taken the steps outlined in this letter to preserve ESI and tangible documents relevant to this matter. If you have not taken the steps outlined above, or has taken other actions, please describe what you have done to preserve potentially relevant evidence.

I look forward to hearing from you.

Very truly yours,

Edward R. Weinstein, Esq.

If you fear that your spouse may be destroying evidence in an attempt to hide assets from you, please contact my office today.