Anton Pillers and Preservation by Consent – Lessons from the coal face

Forensic IT

Image of thumbprint on keyboard

Where there is an urgent need to preserve electronic evidence, pending commencement (or continuation) of proceedings, Anton Piller and ex parte orders are one of the more interesting tools available to lawyers. Such Orders are not easy to obtain – and convincing the Judge to make the Order is merely the first challenge in the process. Less contentious, but bearing different risks, is data preservation by consent. Rather than merely considering the legal issues for parties considering making an application, here’s a practical overview of the benefits and challenges, along with lessons learnt.

Anton Piller – setting the scene

In simple terms, an Anton Piller Order, is an Order made by the Court in extenuating circumstances permitting appointed persons to enter into the premises of another party and to search for and seize, or copy documents (including printed material), computers and electronic storage devices without prior notice to that party. Let’s call the party seeking the order ‘the Client’, and the party to be searched ‘the Target’. The burden of proof on the Client is high, and is usually made in circumstances where there is a real and significant concern that evidence is at risk of being deleted or destroyed, so the application is heard ex-parte without the Target being present.

The execution of an Anton Piller Order is usually assisted by an Independent Computer Expert, under the supervision of an Independent Solicitor. The Solicitor representing the Client also usually attends, so carrying out a search requires at least three parties, and can be an expensive exercise, not to be undertaken lightly.

The focus of an Anton Piller is on preserving the evidence, which is typically achieved through forensic data capture of electronic devices. Data imaged and all things removed from the premises must be made available to be produced to the Court by the appointed Independent Solicitor for the hearing of the application on the return date, to allow the parties (including the respondent) an opportunity to argue their respective positions as to what may be discoverable now that the risk that crucial evidence might be destroyed has been removed.

Anton Pillers – one shot, make it count!

Obtaining the Order – burden of proof

An applicant must firstly prove that there is a serious question to be tried, and secondly that such evidence might be destroyed or otherwise made unavailable for use in evidence before the Court, unless the order is made. An Anton Piller may be triggered in many different scenarios, such as where the Target is in possession of commercially sensitive or confidential documents, or intellectual property owned by the Client. In such a case, the first element might typically be achieved through carrying out a preliminary forensic analysis, which often identifies, for example, one or more of these findings:

  • The laptop used by the Target when they were employed by the Client has identified material being sent by email, copied to external USB storage devices or uploaded to cloud based storage accounts such as Dropbox and Google Drive.
  • Metadata embedded within commercial documents such as templates, precedents and client lists being published by the Target might identify that it had originally been created by the Client, and therefore constitutes the confidential information of the Client.
  • Access to personal online email accounts such as Gmail or Yahoo were used by the Target to inappropriately solicit clients of the Client prior to the employee’s departure.
  • An analysis of textual similarity between the Target’s document and the Client’s document may establish that it is essentially the same document.

Cast a wide net

You will be limited by the wording of the Order, which will be overseen by the Independent Solicitor who is acting as an Officer of the Court – so make sure that you have adequately defined what electronic data may consist of. For example, this could include any combination of servers, laptop or desktop computers, tablets or mobile telephones, external hard drive storage, USB devices, optical media or data in cloud storage in an account that the Target controls or has access to.

Get the passwords and access codes

Where data may be stored in the cloud or on mobile telephones, the Target must be compelled to provide access to that storage – whether by providing passwords, pin codes, swipe gestures or even biometrics (finger print, or even iris scanners as featured on the short-lived Samsung Note7) as this technology becomes more prominent.

Allow devices to be removed for imaging

The wording needs to be flexible enough that a computer or storage device can be removed and imaged offsite where it is not practical to complete the imaging onsite. This may require the Independent Computer Expert to have at least triaged the device to identify that it contains ‘Listed Things’ as defined in the Order. It is also worth allowing for devices to be removed for offsite imaging with the consent of the Target, to minimise disruption to the Target’s business if they so prefer.

Start early, and plan for delays

While the Federal Court’s Practice Note CM11 recommends 9:00am to 2:00pm for service of the Order, our experience is that an earlier commencement can be demonstrated to be reasonable, depending on the industry and usual business hours of the location to be searched. The Independent Solicitor must first serve the Order, explain what it means and provide the Target with a reasonable period (usually two hours) to seek their own legal advice. We have found that in practice, it is not uncommon for the Independent Computer Expert to not get access to the computer environment until late morning or noon, with most of the allotted day already gone! 

Don’t forget about vehicles

If an Order is specific to a place of business, that’s all you get to search. If you haven’t worded your application correctly, it won’t matter that the crucial laptop may be sitting in the front seat of the directors’ vehicle parked out the front! An application should include a reference to vehicles in the Target’s control or on or around the premises (as suggested in CM11), and ‘premises’ may include place of residence as well as business premises. 

Synchronise for multiple locations

 An obvious point, but if there are multiple locations with a risk of data destruction, plan to arrive at each location simultaneously. This will require multiple Independent Solicitors and Independent Computer Experts on hand (increasing the cost). The Client will need to determine whether the cost outweighs the risk of data or devices at alternate locations being wiped or hidden (notwithstanding the Target will be breaching Court Orders if they do so).

Plan for the number and type of devices

An experienced forensic practitioner will be able to provide an estimate of probable drive sizes in laptops or desktops and calculate the likely time required onsite. Unless the search is specifically targeted on only one or two computers, it is often prudent to take the best estimate of known data and double it when determining time required, as time delays often occur or additional devices are located. In particular, be mindful that:

  • The Order will impose a time limit for imaging to be completed by, but it is not uncommon for the Order to allow for two business days.
  • Cloud storage often takes a lot longer to forensically image than a hard drive or USB storage. It is best to do this offsite.
  • Mobile telephones or tablets should immediately be set to flight mode when secured to avoid risk of remote wiping.
  • Data may be in the control of third parties and only accessed by the Target, for example, where servers are hosted offsite or at a data centre.

Preservation by Consent – less contentious, equally effective?

The aim of ‘Preservation by Consent’ or ‘Delivery Up’ type orders is essentially the same as an Anton Piller, that is, to preserve the data so that it can be made available for discovery at a future point without the risk of it being deleted or tampered with.

The key difference is that these searches are performed with the consent of both parties, usually once proceedings are on foot but at an early stage. Many of the general recommendations apply here, as for Anton Piller Orders, however as the forensic preservation is being undertaken with the consent and knowledge of both parties:

  • There is no requirement for an Independent Solicitor (although the Target may require that one be present as an independent witness).
  • It is generally possible to better plan the exercise, as the number of computers, devices or accounts etc. are usually disclosed and agreed between the parties prior to commencement.
  • Accordingly, the cost is usually lower.
  • Typically, data captured in this scenario must also be produced to the Court and cannot be inspected until or unless further Orders are made.

The downside of these is that firstly, it requires the consent of the Target – which may take time to obtain (if at all) – and secondly, it provides advance notice to the Target that its data is about to be examined. Again, notwithstanding the obligations of the parties, this may be where crucial laptops go missing or mobile telephones are lost.

How can we help?

Our team of forensic experts can assist you in conducting preliminary analysis to maximise your chances of obtaining the necessary Orders, and with the wording of Orders to ensure that all relevant electronic evidence can be inspected and avoid any common pitfalls.

We hold various police and government clearances, and are available to be deployed nationally, across multiple locations (if required), to ensure that you and your clients get the maximum benefit from the execution of any search orders.