Anyone who reads about digital investigations is bound to run into the term ESI. Electronically Stored Information is often used interchangeably with ‘data’. For the most part, this is done with the goal of being more inclusive. As broad as the potential definition of data is most people who hear the word think of numbers and spreadsheets. ESI is meant to emphasize just how commonplace the data we talk about when we’re discussing digital investigations is. 

The amount of ESI stored by organizations has been growing ever since computers were introduced. Now, with the advent of big data, the propagation of the internet, and smart devices, that growth is speeding up. For organizations that find themselves having to, on occasion, investigate its ESI, this is a growing challenge. 

That challenge continues to grow as the number of applications in use by organizations does: from an average of 16 apps in 2017 to 80 in 2020. In 2021, the average company used 110 applications. Understanding and mapping this complex environment is key to conducting successful investigations. This is becoming more difficult as IT departments seem to be losing grip on the digital environment: one key finding of a 2017 survey was that the average worker uses 9.4 apps every day, and 48% of those applications are not provided by IT. 

To address these issues, organizations must familiarize themselves with their ESI and digital environment. In this article, we’ll discuss what ESI is, and how to ensure all of it is available to be investigated when needed. 

What is electronically stored information (ESI)? 

In the recent past, growing digitization has seen an explosion in ESI. The amount, formats and sources of electronically stored information that needs to be recorded is becoming more diverse.

What does electronically stored information include? 

Nowadays, ESI is far more than company emails and PDF documents. The way collaboration and information sharing occur in the workplace today continue to change. Today, these activities incorporate a wide range of platforms. If an investigation is necessary, any/all of this ESI could be relevant. 

This shift has been exacerbated by the advent of COVID-19. The pandemic necessitated a shift to remote working. As a result, companies need to be increasingly aware of the expanding number of ESI sources they have to cover. 

As working from home is increasingly commonplace, the line between work and private life will begin to blur. Organizations have to be mindful of this fact and adapt their policies and definitions to accommodate this. The blurring lines may lead to an increase in the number of professional interactions being conducted on unsanctioned platforms. As mentioned, a 2017 survey already found nearly half the apps in use being outside of the IT department's purview. By expanding and adapting the protocols and relevant policies to include these apps, businesses can be sure not to miss potentially relevant ESI because it was generated in WhatsApp, for example. 

What are Some Forms of Electronically Stored Information? 

One of the big challenges when discussing ESI, in general, is that ESI is very broad. Just about anything digital counts as ESI. ESI encompasses any digital record and covers everything related to digital investigations. As such, providing a shopping list of what is and isn’t ESI is impossible. For one, the list would be outdated the second it is published. However, to provide some idea of what to consider (and what types of things to consider), a very general list of items may include:

• Electronic communications (emails, text messages, instant messages, etc.) including the attachments sent;
• Stored documents (word processing documents, text files, spreadsheets, slide decks, PDFs, etc.);
• Database information (all of it);
• Social media (all profiles, posts, messages, etc. from company sources)
• Application Data (mobile, tablet, and desktop);
• Any stored Images, photos, and videos
• Any audio recordings (podcasts, voicemails, memos, audio-only meeting recordings, etc.);
• Smart device data. 

This is just the tip of the iceberg. Any emerging technology that comes up is added to this list. What’s important is that when push comes to shove, an organization that needs to investigate its ESI has to be able to account for all of it. 

Creating an ESI inventory 

As we’ve pointed out before, the IT department is not the only one to consult when mapping ESI. They are, of course, a great first step. Even if 48% of applications in use fall aren’t sanctioned by the, 52% are. 

Once the IT-sanctioned applications are noted down, the remaining applications in use need to be sussed out. It’s important to realize that simply because their use is unsanctioned does not mean it is a secret. By and large, subterfuge will not be required to complete the inventory. The most obvious way is to make use of surveys, these can be sent to department heads, managers, and/or individual employees. If for whatever reason there is reason to suspect the surveys are not filled out completely, interviews can be scheduled as well. 

Keeping an ESI inventory 

Once an inventory is made, efforts should be undertaken to ensure it remains up to date. As with the creation of inventory, there are many ways of doing this. The most obvious, and simplest, is to ensure that the knowledge gap between what apps are in use and what IT knows about is resolved. For the most part, this can be done through policy: one that makes it part of managerial responsibilities to keep the list of used apps up-to-date for their department. By communicating the what and why of this policy to all levels of the organization, compliance can be assured. 

For reasons that should be obvious, both IT and the business side of the organization will want to go through the list of in-use applications - if for no other reason than to reduce inefficiencies. Though tracking and addressing obsolescence and redundancy can be done, it is important to remember this is not the goal of the inventory. Compliance relies on all the relevant parties participating in good faith. At all costs, avoid the perception that reporting app use may have negative consequences, as this will disincentivize transparency. 

How to ensure proper collection and investigation of ESI 

Prepare strategies and policies. Generally speaking, it is a question of when not if an organization will have to perform a digital investigation. This is especially true for organizations in heavily regulated environments but applies universally to some degree. Between privacy law, regulatory investigations, and data protection obligations, no company should be clueless in terms of how to handle an investigation into its ESI. 

Train investigators. Depending on the size of your organization, some amount of training will have to be provided. Investigators are a set of employees to ensure that data is collected, handled, searched, and reviewed properly during an investigation. How many employees need to be trained and how much time should be dedicated to their investigative role should be decided by the size, scope, and frequency of investigations. 

Make sure the right tools are used: as we’ve established, ESI can be complex and multi-layered. Make sure the tools you plan to use are up to the task. They must be able to ingest large amounts of data, process it, and search it. At each step, things such as metadata need to be kept in mind. Furthermore, as the amount of ESI grows, AI-assisted search options could be useful. Such tools help keep investigations from getting bogged down in endless evidence review. eDiscovery tools are frequently used to perform such tasks during digital investigations.

[View source.]