Certified Digital Records and Data: New Rules May Leave Practitioners in the Dark
The differences between digital and paper records and data may make application of the rules difficult, if not impossible.
March 28, 2019 at 12:52 PM
10 minute read
Leonard DeutchmanPennsylvania looks like it is on its way to adopting rules of evidence allowing “certified records generated by an electronic process or system” and “certified data copied form an electronic device, storage, medium or file” that are identical to Federal Rules of Evidence 902(13) and 902(14). The purpose of those rules, as is the purpose of those rules when they pertain to paper documents, is to allow into evidence digital evidence easily and at low cost, i.e., without having to bring in experts to authenticate that evidence. A review of the rules, however, suggests that inherent issues with regard to digital evidence may make it difficult, if not impossible, to apply the rules written for paper documents to digital evidence. This problem would suggest that the federal rules, already in place and of which Pennsylvania's new rules will simply be copies, are plagued by the same problems.
The Rules
Pennsylvania wishes to introduce the following two rules as exceptions against hearsay:
- Rule 902(13): Certified records generated by an electronic process or system.
A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent must also meet the notice requirements of Rule 902(11).
- Rule 902(14): Certified data copied from an electronic device, storage medium or file.
Data copied from an electronic device, storage medium or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12). The proponent also must meet the notice requirements of Rule 902(11).
Proposed Rule 902(13) establishes a procedure by which records generated by an electronic process or system that produces an accurate result may be authenticated by use of a certification rather than through the live testimony of a foundation witness, and proposed Rule 902(14) establishes a procedure by which data copied from an electronic device, storage medium or file may be authenticated by use of a certification rather than through the live testimony of a foundation witness. Both rules have already been adopted in the Federal Rules of Evidence, for the obvious purpose of allowing digital evidence to be authenticated by “certification of a qualified person,” as was already the case with regard to paper records.
The new rules require that the records may be admissible only if “a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12)” is provided, and the “proponent” of the records “must meet the notice requirements of Rule 902(11).” Under Rule 902 (11), “certified domestic records of a regularly conducted activity” are admissible if the “original or a copy” of “a domestic record” meets the “requirements of Rule 803(6)(A)-(C), as shown by a certification of the custodian or another qualified person that complies with a federal statute or a rule prescribed by the Supreme Court,” and the records' “must give an adverse party reasonable written notice of the intent to offer the record—and must make the record and certification available for inspection—so that the party has a fair opportunity to challenge them.” Under Rule 902 (12), in a civil matter, “the original or a copy of a foreign record” must meet “the requirements of Rule 902(11),” with Rule 902(11) modified so that the certification, “must be signed in a manner that, if falsely made, would subject the maker to a criminal penalty in the country where the certification is signed.”
The notes to the federal rules (which were amended in 2017 to allow for certifications of digital evidence) provides the scientific explanation for allowing digital copies to be offered into evidence with accompanying certifications. “Today,” the notes explain, “data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by 'hash value'.” The notes continue: “A hash value is a number that is often represented as a sequence of characters and is produced by an algorithm based upon the digital contents of a drive, medium, or file. If the hash values for the original and copy are different, then the copy is not identical to the original. If the hash values for the original and copy are the same, it is highly improbable that the original and copy are not identical. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates. This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.”
Analysis
The logic in the federal rules and the proposed Pennsylvania rules is that certain types of evidence are routinely offered by parties, everyone recognizes such records, it costs a lot to have someone come to court to testify that the copies offered into evidence are identical to the originals, no one really disputes that the copies are authentic, and so the parties could save a lot of money, and they and the court a lot of time, if certifications were offered in place of live, expert witnesses. The logic is strong, but it skips over some issues not addressed in the new rules and ones hard to reconcile with those rules.
One issue is whether any of the data copied is authentic. It is impossible to pay any attention to computers now, or for that matter, to pay attention to any events in the world now, without reading about internet security and the problems of outsiders hacking into data meant for only a few to access. Since hacking is a very large problem today, there should be attention paid in the creation of a certification to reviewing the IT security where the copied data resided and certifying that it had not been hacked into by any outside source. Remember that, in the paper world, the typical data source was a locked file cabinet in a locked office in a locked office building, and so unwanted access to the paper at issue was rarely an issue. Add to these facts that a break-in would be pretty obvious, and the paper world was so much smaller than the digital world copied now for discovery purposes that it was common for people who worked with the paper at issue to know their files, and so to be able to verify whether anything was missing from them, changed or added to them. It is considerably less likely in today's world for anyone to be able to do the same for digital data. Thus, a key step is simply missing from the certification.
A second issue is how to authenticate digital data. Typically, data is authenticated through the use of the above-described hash values. The slightest change in a file will result in a completely different hash value. Hash values take into account what are known as “MAC” dates and times, standing for when the file was last modified or last accessed, or when it was created. Many steps in a client's IT as well as in the copying of the data can result in changed MAC times. For example, we all know that today most data is backed up, to another source within the same physical location as the computer creating or receiving the data, to a source in a different location but owned by the same user (person or business), or to a source maintained in a different location by a different party—the “Cloud.” If the data is copied from one source to any of the others, the file create date and time will reflect the time of the copy, and not when the original was created. On the same topic, if the file is copied by someone opening it and then copying it to another source (a user may open such files to make sure they are the ones to be copied), the copy will be thought of as a “logical” and not a “forensic” copy, and the method of copying the file will change the last accessed time; as well, the creation of the copy will result in a new file create date and time. Throughout all of this accessing of files, some applications will also change the last modified date and time, raising the issue of whether the contents of the file were modified, since file modification in a MAC time can refer to contents plus all sorts of metadata of which users are not usually even aware. Thus, while it is relatively easy to imagine a qualified digital forensics and IT security analyst testifying regarding these issues, it is hard to see how a certification could address them.
Certifications do have a place in litigation. There will be many matters when, due to the substantive issues in the matter or because counsel simply does not understand how to challenge digital evidence, the authenticity of digital evidence simply will not be an issue. However, there will be a large population of challenges if, conversely, counsel does understand how to challenge digital evidence (especially when offering counsel does not understand how to defend that evidence), when a party's argument on the merits is weak but the party can break the matter open by challenging the digital evidence, when, as discussed above, the way data is stored gives rise to the possibility that it has been altered by hackers and MAC times and other key data has been changed, and so on. Since those conditions for challenges are likely more prevalent than not, it would not be surprising to see certifications objected to or simply ignored by all parties.
Conclusion
There is nothing per se wrong with the wording of the federal rules and the proposed Pennsylvania state rules of evidence pertaining to certifications that establish the chain of custody for digital evidence. It is crucial, however, in understanding those rules to recognize that digital evidence presents many issues not present with paper evidence and the understanding of those issues by counsel varies greatly, such that whether the rules are followed without challenge or challenged deeply will also vary greatly from matter to matter. Unless and until all counsel become familiar with the issues of digital evidence and solutions for some of the problems working with such evidence are put into place, such variance will be the rule and not the exception.
Leonard Deutchman is a legal consultant recently retired from one of the nation's largest e-discovery providers, KLDiscovery, where he was vice president, Legal. Before joining KLDiscovery, he was a chief assistant district attorney at the Philadelphia District Attorney's Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Pa. Federal District Courts Reach Full Complement Following Latest Confirmation
The Defense Bar Is Feeling the Strain: Busy Med Mal Trial Schedules Might Be Phila.'s 'New Normal'
7 minute read
Federal Judge Allows Elderly Woman's Consumer Protection Suit to Proceed Against Citizens Bank
5 minute read
Judge Leaves Statute of Limitations Question in Injury Crash Suit for a Jury
4 minute readTrending Stories
- 1The Benefits of E-Filing for Affordable, Effortless and Equal Access to Justice
- 2AI and Social Media Fakes: Are You Protecting Your Brand?
- 3A Primer on Using Third-Party Depositions To Prove Your Case at Trial
- 4‘Catholic Charities v. Wisconsin Labor and Industry Review Commission’: Another Consequence of 'Hobby Lobby'?
- 5With DEI Rollbacks, Employment Lawyers See Potential For Targeting Corporate Commitment to Equality
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
