E-Discovery in Microsoft Exchange 2010: Part 5

The following post is part five of a nine part video/blog series on e-discovery in Microsoft Exchange 2010. In the previous segment, Paul and Marta discussed role-based access control and data retention policies. This week, they’ll look at litigation hold policies and some of the litigation hold features in Exchange 2010. Enjoy!

Paul: Let’s talk about litigation hold policies. We probably can’t describe them as being a “super retention policies” or a subset of retention policies, but normally, litigation hold has a specific meaning in the broader context of discovery. It means that when you are notified that you’re under litigation, or once you’ve become aware that you’re party to it, there are certain things that you’re not allowed to do. The legal term is ‘spoliation of evidence’. So, essentially, it means that you aren’t allowed to modify or delete records that would ordinarily be included in the discovery.

There have been multiple well-documented cases that involved spoliation of evidence. Take Oliver North and the Iran-Contra affair, for instance – he and his secretaries stuffing all of these paper records into the shredder. And the same thing happens for electronic records. Litigation hold is designed to keep people from doing that. Is that fair?

Marta: Yeah, actually, it’s designed so that you have a repository of data, be it in the same place or separate, where that data cannot be touched. Litigation hold, in a very basic form, is alerting everyone (all of your custodians, or whoever has access in your plan) that these certain people are under litigation hold. All data needs to be secured and preserved.

The technical term is ‘preservation’. You’re either going to preserve it by making a copy of it and storing it somewhere or preserving it in place, which Microsoft has made possible in the Exchange 2010 implementation. The key is that there needs to be a given process. You can’t just go up to everybody, tap their shoulders, and say, “You need to hold this data.” Although people have done it, it’s becoming far less defensible now. People do make mistakes. They forget and delete stuff. You’ve seen a lot of recent litigation judgments that have really come to frown upon that process. They want something that’s far more straightforward and defined.

Paul: What about if you’re using a version of Exchange or Lotus Notes, or something like that? Do litigation hold policies apply? I mean, what are you supposed to do? As soon as you become aware, do you take a backup of your data and lock it in a safe?

Marta: Essentially. In electronic terms, what many people do is create a PST, for example, of the person’s mailbox, on a secure drive. In many cases, people actually create backups of their secure drives to hedge against media failure. If your media fails, and the information on your drive isn’t accessible, you have no excuse. So naturally, it’s not a bad idea to have a backup.

There was actually a recent case where someone had taken a thumb drive, placed the evidence on it, and figured that everything was taken care of. Well, when they came to get the evidence, they couldn’t extract the data from the thumb drive (even forensically). Consequently, adverse judgment was set against them for spoliation of data. This type of thing can happen. So, not only do you want to backup your data, but you might even consider backing up your backup.

Paul: That’s interesting in the context of ‘safe harbor’ requirements we talked about earlier, because safe harbor requires not only that you make a good faith effort, but also that you apply a reasonable standard of care. If you have some critical data, putting it on a thumb drive and stashing it in your desk drawer doesn’t necessarily meet a reasonable security standard.

Marta: The judge certainly doesn’t think so.

Paul: So, in Exchange 2010, Microsoft has implemented litigation hold features. The recoverable items folder is similar to the ‘dumpster’, or the deleted item retention folder that we had earlier. When a normal user deletes an item, that item will go into the recoverable items folder, where it is recoverable by the user. What happens for a user under litigation hold, though?

Well, when litigation hold is enabled for a user’s mailbox, every item that they try to delete is not just going into the deleted items folder. Instead, each deleted item is safeguarded in a recoverable items folder – a folder that the user does not have access to under litigation hold. Essentially, they can’t see that everything they delete is being backed up, and they don’t have access to it, either.

Now, this also applies to modifications. Microsoft has implemented what they call ‘copy on write’, and what this means is that for every item that is edited or modified, a copy of the altered version will be stored in recoverable items. So basically, if you need to be able to prove that someone did or did not make a change, did or did not delete something at a particular point in time, this litigation hold feature gives you that ability. From a legal standpoint, it sounds like it’s fairly important to be able to show that you’re safeguarding what you were supposed to preserve.

Marta: Absolutely. Even in implementing litigation hold policies and showing signs of good faith. These things are all very important features of Exchange 2010, and a big step forward for Microsoft.

Have the new litigation hold features in Microsoft Exchange 2010 made for more feasible policy implementation? What features would you like to see added? Let us know in the comments below!

Check back soon for part six, in which Paul and Marta will continue their discussion on the legal e-discovery features in Microsoft Exchange 2010!

Leave a Reply

Your email address will not be published. Required fields are marked *