Admissibility Minefields: How Improper Preservation Invites Judicial Rejection
Contributed by Kris Carlson, COO, Former ICAC Commander, and Digital Forensics Investigator/Testifying Expert
Introduction
Welcome back to our multi-part series, “When IT Tools Meet the Courthouse: The Hidden Dangers of DIY Digital Evidence Preservation.” This installment—Part 4—picks up the outline’s cautionary theme and amplifies it. Until now, we have focused on why self-collections pose business, legal, and ethical risks. Today, we expose the legal tripwires that determine whether electronically stored information (ESI) ever comes under the scrutiny of a courtroom projector. In today’s legal landscape, courts require proof: hash values, validated workflows, and human testimony, demonstrating that your data journey from computer, cell phone, or other data repository to the exhibit is trustworthy at every step.
Authenticity After the 2017 Amendments to Rule 902
Rule 901 still sets the baseline: An item must be what its proponent claims it to be. But two 2017 additions to Rule 902, subsections (13) and (14), supercharged self-authentication for digital materials. Certified logs pulled from SIEM platforms and bit-for-bit forensic images (as examples) can be used in lieu of live testimony if a qualified person provides a signed certification explaining the process and attaches the hash values that prove integrity (law.cornell.edu). That shortcut fails, however, when an “in-house” IT administrator runs a basic copy command that overwrites file system metadata or disregards the chain of custody. Without demonstrable process reliability, the Rule 902 certificate is without merit.
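The point above about hash values and basic copy commands, as an added example (not code from the author or from any forensic product): a contents-only copy passes a SHA-256 check while losing the source's modification time, and a hash-chained custody log exposes an after-the-fact edit. The file names, the timestamp, and the log format are constructed for illustration.

```python
import hashlib, json, os, shutil, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(path):
    # Content hash plus the file-system metadata a plain copy can alter.
    st = os.stat(path)
    return {"sha256": sha256_file(path), "size": st.st_size, "mtime_ns": st.st_mtime_ns}

def entry_digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_entry(log, action, detail):
    # Each custody entry commits to the previous one, so edits are detectable.
    entry = {"seq": len(log), "action": action, "detail": detail,
             "prev": log[-1]["entry_hash"] if log else "0" * 64}
    entry["entry_hash"] = entry_digest(entry)
    log.append(entry)

def verify_log(log):
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev or entry_digest(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

def demo():
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "mailbox.pst")           # constructed sample file
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence\n")
        os.utime(src, (1_600_000_000, 1_600_000_000))  # constructed 2020 timestamp
        log, before = [], snapshot(src)
        log_entry(log, "source_snapshot", before)
        naive = snapshot(shutil.copy(src, os.path.join(d, "naive.pst")))
        kept = snapshot(shutil.copy2(src, os.path.join(d, "kept.pst")))
        log_entry(log, "copy_contents_only", naive)
        log_entry(log, "copy_with_metadata", kept)
        forged = json.loads(json.dumps(log))
        forged[0]["detail"]["mtime_ns"] += 1           # simulate an after-the-fact edit
        return {"naive_hash_ok": naive["sha256"] == before["sha256"],
                "naive_mtime_ok": naive["mtime_ns"] == before["mtime_ns"],
                "kept_mtime_ok": kept["mtime_ns"] == before["mtime_ns"],
                "log_ok": verify_log(log), "forged_log_ok": verify_log(forged)}
```

A matching hash only speaks to file contents; the metadata comparison and the custody log are what document the process around it.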
Judge Grimm’s Four Gateways—Still a Blueprint in 2025
Judge Paul Grimm’s 101-page opinion in Lorraine v. Markel (D. Md. 2007) remains the treatise on ESI admissibility. He identified four “gateways”: relevance (Rule 401), authenticity (901/902), hearsay (801-803), and best-evidence (1001-1008), and warned that Rule 403’s prejudice analysis overlays them all. In Lorraine, both sides attached emails to summary-judgment briefs but offered no foundation for the email evidence. In response, Judge Grimm excluded every exhibit. That opinion has since been cited more than 1,300 times and undergirds modern rulings that strike similar “evidence” that lacks a proper authenticity foundation.
Daubert, Rule 702, and the Post-2023 Reliability Amendments
The December 1, 2023, amendments to Rule 702 of the Federal Rules of Evidence instruct judges to admit expert testimony only if the proponent proves, by a preponderance of the evidence, that the opinion is the product of reliable principles and a trustworthy application. One year later, we see the fallout in Safelite Group v. Lockridge (S.D. Ohio Sept. 30, 2024). There, a technician’s phone auto-deleted texts after 30 days; no forensic image existed. The court held that failure to suspend the setting undermined any expert testimony about “what must have been there” and granted sanctions. It signaled that mere “good intentions” cannot resurrect missing bytes (natlawreview.com) and do not substitute for proper, validated, and tested processes.
Courts also scrutinize software error rates. Washington judges rejected a proprietary AI video-enhancement tool because the vendor refused to disclose its training data; without a known error rate or peer review, Rule 702 reliability was dead on arrival (natlawreview.com). It seems the days of “We ran the industry-standard tool” are over: experts may be required to maintain vendor validation summaries, document parameter settings, and provide an expert report consistent with Rule 26(a)(2)(B):
(B) Witnesses Who Must Provide a Written Report. Unless otherwise stipulated or ordered by the court, this disclosure must be accompanied by a written report prepared and signed by the witness if the witness is one retained or specially employed to provide expert testimony in the case or one whose duties as the party’s employee regularly involve giving expert testimony. The report must contain:
(i) a complete statement of all opinions the witness will express and the basis and reasons for them;
(ii) the facts or data considered by the witness in forming them;
(iii) any exhibits that will be used to summarize or support them;
(iv) the witness’s qualifications, including a list of all publications authored in the previous 10 years;
(v) a list of all other cases in which, during the previous 4 years, the witness testified as an expert at trial or by deposition; and
(vi) a statement of the compensation to be paid for the study and testimony in the case.
Rule 37(e) Sanctions—The Expensive Endgame of “Good Enough”
Many IT departments believe an email retention period of 30-60 days is defensible because it “matches industry norms.” Courts, however, disagree: once a litigation hold is reasonably anticipated (not ordered), any routine or other deletion or destruction of data is presumptively unreasonable. When ESI “that should have been preserved” is lost (spoliation), courts now follow a bright-line path under Rule 37(e) (law.cornell.edu). Judges may (1) cure prejudice or (2) infer intent and impose severe measures: adverse inference, dismissal, or default judgment. Recent case law shows the danger:
- Maziar v. City of Atlanta (N.D. Ga. June 10, 2024) imposed monetary sanctions and denied summary judgment after city officials lost text messages; the court found prejudice even without bad faith (ediscoverytoday.com).
- Safelite v. Lockridge imposed spoliation sanctions when the auto-delete setting permanently erased texts (natlawreview.com).
A 2024 Exterro survey of top e-discovery rulings notes that intentional spoliation now “regularly results in dismissal” and that courts are “more willing to presume prejudice” under the 2015 amendment to Rule 37(e)(2) (exterro.com).
Insurance Carriers Join the Discussion
Cyber-insurance underwriters are now increasingly tying policies and coverage to forensic-grade evidence handling (which has been discussed in these articles extensively). Trend Micro’s 2024 predictions highlight that insurance carriers “favor organizations with managed security services” and tools that supply granular log retention because claims skyrocket when evidence gaps exist (trendmicro.com). Consequently, cyber-insurance policies may require:
- Immutable log storage for at least one year.
- Written incident-response plans referencing NIST IR 8387 or other preservation guidance (nvlpubs.nist.gov).
- Third-party forensic images when litigation is anticipated.
Failure to meet these prerequisites can result in the denial of defense costs, effectively shifting six-figure discovery expenses back to the insured.
The Costs of DIY Preservation
Time-to-production. Courts rarely grant extensions for “tool learning curve” excuses. When collections are delegated to overburdened IT staff, data often remains in a CSV or PST file that still requires parsing, resulting in missed production deadlines and, in some cases, evidentiary preclusion.
Privilege landmines. DIY exports often fail to distinguish between legal holds and everyday communication, increasing the likelihood of inadvertently producing privileged communications. Claw-back demands, Rule 502(d) orders, and re-review cycles all inflate costs.
Indefensible Process. IT or other “good with computers” personnel, in most cases, do not have the training or experience in electronic evidence collection, preservation, and analysis, in using the appropriate/validated tools, or in producing the result in a manner accepted by the courts. As a result, WHEN they are deposed, the floodgates are opened for opposing counsel. Even if the data produced was accurate, the foundation of that data collection is flawed, which in most cases will result in the evidence being excluded or a finding of spoliation when anticipated evidence is missing from the productions.
Settlement leverage. Once a judge finds spoliation, the evidentiary balance shifts. Opponents may wield an adverse inference instruction as leverage, pushing settlements far beyond actuarial value.
Key Takeaways
- Self-authenticating digital records live or die based on the validity of the process. Hashes without workflow logs are paper shields.
- Rule 702’s 2023 tweaks give judges sharper knives. Unreliable software or under-qualified experts face exclusion.
- Rule 37(e) punishments escalate quickly. Auto-delete toggles and “oops” data deletions can result in sanctions, adverse inferences, and fee awards.
- Cyber-insurance can deny coverage for sloppy preservation. Align workflows with policy language and NIST standards.
- DIY is a false economy. Up-front savings evaporate when data gaps hand your opponent the moral and legal high ground.
Final Thought
Defensible preservation is not a reactive cost center; it is a proactive investment in litigation readiness and corporate reputation. As Part 4 of “When IT Tools Meet the Courthouse: The Hidden Dangers of DIY Digital Evidence Preservation” makes clear, the courtroom minefield is expanding, including new science, stricter rules, and impatient insurers. Master the gateways now, and you transform potential tripping points into well-marked paths that carry your evidence and your case safely to the verdict.
Stay tuned for Part 5, where we shift our focus from risk to resilience and outline an enterprise-wide maturity model for digital evidence governance.