digital key

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

Generally speaking, the Federal Rules of Evidence require evidence to be authenticated before it can be admitted. Typically evidence is authenticated by some form of extrinsic proof sufficient to support a finding that the evidence is what the proponent claims it is. Often that proof comes in the form of a witness who can verify the evidence through testimony.

Federal Rule of Evidence 902 sets out various types of evidence that are “self-authenticating”—evidence that needs no extrinsic proof of authenticity to be admitted. Examples of self-authenticating evidence include: public documents and records that are sealed, signed or otherwise certified; official publications; newspapers and periodicals; and certain types of certified business records.

On Dec. 1, 2017, amendments to F.R.E. 902 became effective. The new provisions of F.R.E. 902 bring the rule into the digital age, streamlining the process of authenticating electronically stored information and admitting it into evidence. The amendments add two categories of self-authenticating evidence:

(13) Certified Records Generated by an Electronic Process or System. A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).

(14) Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent also must meet the notice requirements of Rule 902(11).

Under these new sections of Rule 902, instead of using witness testimony to authenticate records generated by an electronic system or data copied from electronic devices or files, the party offering the evidence may provide a certification from a person with knowledge that the evidence is authentic. The proponent of the evidence must present the certification in advance of trial, with reasonable written notice, so the opposing party can decide if legitimate grounds exist to challenge to the authenticity of the evidence.

Examples of the types of evidence that fall under Rule 902(13)—records generated by an “electronic process or system that produces an accurate result”—include operating system logs and registries, system-generated metadata and automated geolocation data. As an example of how the new Rule 902(13) might be used, consider the following hypothetical:

BigTech company filed a lawsuit claiming that a former employee stole certain trade secrets. BigTech has reason to believe that, just prior to his resignation, the employee downloaded files containing schematics for a new product in development from his computer to a portable USB drive. The employee's computer—a Windows desktop—automatically logs information about USB devices connected to the computer in a database referred to as the “Windows registry.” BigTech engaged a forensic expert to examine the computer. The expert generated a report from the Windows registry which indicated that a USB drive was connected to the computer the day before the employee resigned. The registry also showed that the employee had accessed several schematics files stored on the desktop shortly before the USB drive was connected.

Prior to the enactment of Rule 902(13), for this evidence to be admissible, the company would need to present witness testimony from the forensic expert who created the report. But with the new rule, the company can instead present a written certification from the expert that explains the process by which the operating system automatically creates the Windows registry and how the registry generates an accurate record of a user's activity on the computer. Assuming that the required written notice was provided to the other side, BigTech can authenticate the registry report and offer it into evidence without having to call the expert to give testimony.

To rely on Rule 902(14) to introduce copies of data authenticated by a process of “digital identification,” parties typically will use certification of hash values. As the comments to the rule explain:

Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by “hash value.” A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file. If the hash values for the original and copy are different, then the copy is not identical to the original. If the hash values for the original and copy are the same, it is highly improbable that the original and copy are not identical. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates. This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original.

To illustrate how Rule 902(14) can be used in practice, let's add some facts to our hypothetical. The expert hired by BigTech made a complete forensic copy of the desktop, including the schematic files, prior to his examination. He worked from this forensic copy, rather than the original, to avoid accidentally altering or deleting information on the computer. Prior to Rule 902(14), BigTech would have had to call the expert as a witness to testify about the accuracy of the forensic copy as compared to the original before any evidence about the copy could be introduced. But with the new rule, BigTech can instead offer a written certification from the expert stating that the hash values of the copy and the original are the same, thereby authenticating the copy.

Although hash value is the most common method used today for verifying the authenticity of a copy, the rule's commentary recognizes that changes in technology may give rise to other methodologies. The rule is therefore flexible enough to allow certifications through other reliable means of identification that become available with future technology.

So, what can litigants do to take advantage of these new rule provisions? Here are a few suggestions:

Plan early

Federal Rule 26(f) “meet and confer” sessions are a great opportunity for parties to discuss the sources of electronic information they expect to introduce into evidence and the anticipated use of Rule 902 for self-authentication. By discussing these issues early in the litigation, litigants can better prepare for submission of the necessary written certifications and perhaps avoid—or resolve—disputes over authenticity down the road.

Think ahead

Before collecting (or even preserving) ESI that may be subject to Rule 902, think about the certification necessary to authenticate the evidence using Rule 902. Who should be involved in the effort as the “qualified person”? What steps should be taken to ensure that the appropriate information is gathered to prepare an adequate certification? And how should the litigation team document the process so it's easily available when the time comes to authenticate and introduce the evidence?

Be creative

As the litigation team develops the case strategy and considers what electronic information will be critical to introduce into evidence, get creative about the sources of ESI that are amenable to Rule 902. Some examples are set out above, but in our vast digital world, the categories of information that fall under 902(13) and (14) are potentially endless.

The amendments to Rule 902 are intended to save litigants time and money—and preserve valuable court resources—by creating a more efficient method of introducing electronic evidence when there is no genuine dispute about its authenticity.

Maureen O'Neill is senior vice president, Discovery Strategy & Data Privacy/Security, DiscoverReady. She collaborates with clients and operations teams to develop innovative information strategies for legal discovery, compliance and sensitive data protection. Maureen participates actively in the Sedona Conference Working Groups on Electronic Document Retention and Production and Data Privacy and Security.