
Pennsylvania looks like it is on its way to adopting rules of evidence allowing “certified records generated by an electronic process or system” and “certified data copied from an electronic device, storage medium or file” that are identical to Federal Rules of Evidence 902(13) and 902(14). The purpose of those rules, like that of their counterparts for paper documents, is to allow digital evidence into evidence easily and at low cost, i.e., without having to bring in experts to authenticate that evidence. A review of the rules, however, suggests that inherent issues with regard to digital evidence may make it difficult, if not impossible, to apply the rules written for paper documents to digital evidence. This problem would suggest that the federal rules, already in place and of which Pennsylvania's new rules will simply be copies, are plagued by the same problems.


The Rules

Pennsylvania wishes to introduce the following two rules as exceptions against hearsay:

  • Rule 902(13): Certified records generated by an electronic process or system.

A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).

  • Rule 902(14): Certified data copied from an electronic device, storage medium or file.

Data copied from an electronic device, storage medium or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent also must meet the notice requirements of Rule 902(11).

Proposed Rule 902(13) establishes a procedure by which records generated by an electronic process or system that produces an accurate result may be authenticated by use of a certification rather than through the live testimony of a foundation witness, and proposed Rule 902(14) establishes a procedure by which data copied from an electronic device, storage medium or file may be authenticated by use of a certification rather than through the live testimony of a foundation witness. Both rules have already been adopted in the Federal Rules of Evidence, for the obvious purpose of allowing digital evidence to be authenticated by “certification of a qualified person,” as was already the case with regard to paper records.

Under the new rules, the records are admissible only if “a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12)” is provided, and the “proponent” of the records “must meet the notice requirements of Rule 902(11).” Under Rule 902(11), “certified domestic records of a regularly conducted activity” are admissible if the “original or a copy” of “a domestic record” meets the “requirements of Rule 803(6)(A)-(C), as shown by a certification of the custodian or another qualified person that complies with a federal statute or a rule prescribed by the Supreme Court,” and the records' proponent “must give an adverse party reasonable written notice of the intent to offer the record—and must make the record and certification available for inspection—so that the party has a fair opportunity to challenge them.” Under Rule 902(12), in a civil matter, “the original or a copy of a foreign record” must meet “the requirements of Rule 902(11),” with Rule 902(11) modified so that the certification “must be signed in a manner that, if falsely made, would subject the maker to a criminal penalty in the country where the certification is signed.”

The notes to the federal rules (which were amended in 2017 to allow for certifications of digital evidence) provide the scientific explanation for allowing digital copies to be offered into evidence with accompanying certifications. “Today,” the notes explain, “data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by 'hash value'.” The notes continue: “A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file. If the hash values for the original and copy are different, then the copy is not identical to the original. If the hash values for the original and copy are the same, it is highly improbable that the original and copy are not identical. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates. This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.”


Analysis

The logic in the federal rules and the proposed Pennsylvania rules is that certain types of evidence are routinely offered by parties, everyone recognizes such records, it costs a lot to have someone come to court to testify that the copies offered into evidence are identical to the originals, no one really disputes that the copies are authentic, and so the parties could save a lot of money, and they and the court a lot of time, if certifications were offered in place of live, expert witnesses. The logic is strong, but it skips over some issues not addressed in the new rules and ones hard to reconcile with those rules.

One issue is whether any of the data copied is authentic. It is impossible to pay any attention to computers now, or for that matter, to pay attention to any events in the world now, without reading about internet security and the problems of outsiders hacking into data meant for only a few to access. Since hacking is a very large problem today, there should be attention paid in the creation of a certification to reviewing the IT security where the copied data resided and certifying that it had not been hacked into by any outside source. Remember that, in the paper world, the typical data source was a locked file cabinet in a locked office in a locked office building, and so unwanted access to the paper at issue was rarely an issue. Add to these facts that a break-in would be pretty obvious, and the paper world was so much smaller than the digital world copied now for discovery purposes that it was common for people who worked with the paper at issue to know their files, and so to be able to verify whether anything was missing from them, changed or added to them. It is considerably less likely in today's world for anyone to be able to do the same for digital data. Thus, a key step is simply missing from the certification.

A second issue is how to authenticate digital data. Typically, data is authenticated through the use of the above-described hash values. The slightest change in a file will result in a completely different hash value. Hash values take into account what are known as “MAC” dates and times, standing for when the file was last modified or last accessed, or when it was created. Many steps in a client's IT as well as in the copying of the data can result in changed MAC times. For example, we all know that today most data is backed up, to another source within the same physical location as the computer creating or receiving the data, to a source in a different location but owned by the same user (person or business), or to a source maintained in a different location by a different party—the “Cloud.” If the data is copied from one source to any of the others, the file create date and time will reflect the time of the copy, and not when the original was created. On the same topic, if the file is copied by someone opening it and then copying it to another source (a user may open such files to make sure they are the ones to be copied), the copy will be thought of as a “logical” and not a “forensic” copy, and the method of copying the file will change the last accessed time; as well, the creation of the copy will result in a new file create date and time. Throughout all of this accessing of files, some applications will also change the last modified date and time, raising the issue of whether the contents of the file were modified, since file modification in a MAC time can refer to contents plus all sorts of metadata of which users are not usually even aware. Thus, while it is relatively easy to imagine a qualified digital forensics and IT security analyst testifying regarding these issues, it is hard to see how a certification could address them.
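The hash comparison described in the notes to the federal rules, and the copying behavior discussed above, shown as an added Python example that is not part of the original article. The file names, the sample record and the `describe`/`compare` layout are constructed for illustration; the digest here is computed over file contents only, and the last-modified time is recorded separately.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Digest of the file's bytes only; file-system timestamps are not input."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def describe(path):
    """Facts a certifier could record about one file (hypothetical layout)."""
    st = os.stat(path)
    return {"sha256": sha256_file(path), "size": st.st_size,
            "modified_ns": st.st_mtime_ns}

def compare(original, copy):
    a, b = describe(original), describe(copy)
    return {"content_identical": a["sha256"] == b["sha256"],
            "modified_time_identical": a["modified_ns"] == b["modified_ns"],
            "original": a, "copy": b}

def demo():
    with tempfile.TemporaryDirectory() as workdir:
        original, logical, altered = (os.path.join(workdir, n) for n in
                                      ("original.csv", "logical.csv", "altered.csv"))
        content = b"date,amount\n2017-07-14,100.00\n"  # constructed sample
        with open(original, "wb") as fh:
            fh.write(content)
        old = 1_500_000_000 * 10**9  # backdate the original to July 2017
        os.utime(original, ns=(old, old))
        # "Logical" copy: same bytes, but the new file gets fresh timestamps.
        shutil.copyfile(original, logical)
        # Copy with a single bit flipped in its first byte.
        with open(altered, "wb") as fh:
            fh.write(bytes([content[0] ^ 0x01]) + content[1:])
        return compare(original, logical), compare(original, altered)

if __name__ == "__main__":
    for result in demo():
        print(result)
```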

Certifications do have a place in litigation. There will be many matters when, due to the substantive issues in the matter or because counsel simply does not understand how to challenge digital evidence, the authenticity of digital evidence simply will not be an issue. However, there will be a large population of challenges if, conversely, counsel does understand how to challenge digital evidence (especially when offering counsel does not understand how to defend that evidence), when a party's argument on the merits is weak but the party can break the matter open by challenging the digital evidence, when, as discussed above, the way data is stored gives rise to the possibility that it has been altered by hackers and MAC times and other key data have been changed, and so on. Since those conditions for challenges are likely more prevalent than not, it would not be surprising to see certifications objected to or simply ignored by all parties.


Conclusion

There is nothing per se wrong with the wording of the federal rules and the proposed Pennsylvania state rules of evidence pertaining to certifications that establish the chain of custody for digital evidence. It is crucial, however, in understanding those rules to recognize that digital evidence presents many issues not present with paper evidence and the understanding of those issues by counsel varies greatly, such that whether the rules are followed without challenge or challenged deeply will also vary greatly from matter to matter. Unless and until all counsel become familiar with the issues of digital evidence and solutions for some of the problems working with such evidence are put into place, such variance will be the rule and not the exception.

Leonard Deutchman is a legal consultant recently retired from one of the nation's largest e-discovery providers, KLDiscovery, where he was vice president, Legal. Before joining KLDiscovery, he was a chief assistant district attorney at the Philadelphia District Attorney's Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses.
