There was an amazing amount of writing and analysis about last year’s changes to the FRCP that took place in December 2016 regarding eDiscovery, but much less attention has been paid to proposed changes to the Rules of Federal Evidence (FRE) which are due to take place in December 2017. Rule 902, subsection 14 of the FRE will change the way that litigants can perform eDiscovery collections. The language provides a simplified process for authenticating Electronically Stored Information (ESI). The committee note on the subsection states:
“The amendment sets forth a procedure by which parties can authenticate data copied from an electronic device, storage medium, or an electronic file, other than through the testimony of a foundation witness. As with the provisions on business records in Rules 902(11) and (12), the Committee has found that the expense and inconvenience of producing an authenticating witness for this evidence is often unnecessary. It is often the case that a party goes to the expense of producing an authentication witness, and then the adversary either stipulates authenticity before the witness is called or fails to challenge the authentication testimony once it is presented. The amendment provides a procedure in which the parties can determine in advance of trial whether a real challenge to authenticity will be made, and can then plan accordingly.
Today, data copied from electronic devices, storage media, and electronic files are ordinarily authenticated by “hash value.” A hash value is a unique alpha-numeric sequence of approximately 30 characters that an algorithm determines based upon the digital contents of a drive, media, or file. Thus, identical hash values for the original and copy reliably attest to the fact that they are exact duplicates. This amendment allows self-authentication by a certification of a qualified person that she checked the hash value of the proffered item and that it was identical to the original. The rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.“
What Does This Language Mean?
If litigants can provide a certification from a “qualified person” that the ESI was collected through a reliable “process of digital identification,” the litigants will no longer be required to authenticate ESI through trial testimony of a forensic expert, which de-facto means that the ESI becomes self-authenticating. Pursuant to Rule 902(11) or (12), a “qualified person” must be an individual able to certify the ESI such as to establish the authenticity of the ESI had he/she been required to testify at trial as a forensic or IT professional. Although the committee is implementing a “qualified person” requirement, it is clear that they are encouraging the use of best practices.
The advisory committee notes further describe that what they consider to be a reliable “process of digital identification” is through the collection and verification of a document’s “hash value.” A “hash value” is a number that is calculated by an algorithm and used to identify an electronic file. When a copy of an electronic document is made, a comparison of its hash value to the hash value of the original document will reveal whether or not they are identical duplicates. If they are identical, their hash value numbers will be the same. The committee states that a verification of hash values post-collection is a reliable process of digital identification, which will necessarily involve a forensic or IT professional (i.e., qualified person).
If adopted, the amendment will make it much easier to authenticate ESI at trial which should result in both time and cost savings. A second and perhaps more important impact is that the amendment could prompt significant and costly discovery disputes for clients and attorneys who “self-collect” ESI. Although the standard only applies to self-authentication of ESI under Rule 902, opposing counsel could use the same standard to challenge the collection of ESI in general if the process did not lend itself to a reliable “process of digital identification” or was not performed with the assistance of a forensic or IT professional or other “qualified person.” Avoiding these types of disputes should be as easy as conforming to the new amendment.