The following post is part eight of a nine part video/blog series on e-discovery in Microsoft Exchange 2010. In part seven, Paul and Marta discussed PDF indexation and Active Directory Rights Management. In this week’s segment, they’ll revisit litigation hold and retention policies, speaking specifically about some of the challenges of implementing these policies in the real world. We’re nearing the end of our series, but we’ve saved some of the best for last! Enjoy!
Litigation Hold Policy Implementation
Paul: Okay, so, we’re back to litigation hold policies. What do you need to be thinking about as far as implementation is concerned? It’s a feature when you need it, right? You turn it on when there are mailboxes that you need to protect.
Marta Well, you definitely need to have a process in place beforehand. Ask yourself these questions: What triggers a litigation hold? Are there certain personnel that should be in charge of issuing the policy? When litigation hold is implemented, what do you want to do with it? You get the idea. The list goes on. Now, with the functionality of Exchange 2010, that side of things is pretty straightforward. If you have clear notice, you can choose your custodians and enable the litigation hold.
The challenges of implementation are really outside of Exchange 2010. How far is the reach of the litigation hold? Is it on the file servers? Is it in SharePoint, if you have that? How about the local PSTs, if you haven’t imported them? Do you need access to someone’s laptop when the policy is put in place? These are all things that you’ll need to consider as you craft the processes for policy implementation. These are the kinds of steps that you need to take.
Paul: It seems like a lot of these things have nothing to do with Exchange, right? If you have to image an employee’s laptop, grab data from their mobile devices, or inventory their flash drives and other moveable media, you’re not working in Exchange. Clearly, there’s no magic button that you can push in Exchange 2010 that will do these things. It’s too bad… Maybe it’s something that we’ll see in the next version.
And they’re off! Let the sarcasm begin!
Paul: Actually, in Exchange 2015, I heard that there’s going to be a new “Do What I Mean” button.
Marta: I’m particularly excited for the telepathy feature.
Paul: That’s actually coming in Exchange 2015 SP1. So, yeah, I’m looking forward to that, as well.
Marta: Yes, exactly.
Okay, back to the policy stuff!
Retention Policy Implementation
Paul: Okay, so, litigation hold is much more of a process issue than it is an implementation issue on the Exchange side of things. Now, with retention policies, we could spend hours talking about the mechanics of putting those into place. I’m not sure I want to jump into that particular tar pit.
Marta: You know, there are many resources on the web these days that people can reference when creating and implementing a policy. I encourage people to take some time and do some research on it. Spend an afternoon or an evening looking at the various resources available online. Honestly, it’s not as scary as it seems. The thunderous voice – echoing, “You must have a retention policy!” – shouldn’t be so intimidating. It’s actually a pretty shaped process. Look at examples of your peers’ and other companies’ policies and work with those observations to form your own.
Learn about preparing a retention policy for your firm.
Paul: So, if I talk to my peers and come up with a policy based on what they tell me, how do I know that it’s a good policy? I mean, how do I know that it’s going to protect my company?
Marta: Practice. In all seriousness, I would run a drill. Run a drill with your attorneys (even if it costs you some of your hourly budget) in which you make sure that what you’re planning will actually work. You need to make sure that, when something happens, you are able to put your policy in place.
Paul: Alright, you know, I get the idea of practicing what you would do for disaster recovery, and I think that’s really sound advice, but is there anything that you can do ahead of time? Is there anything that you can do to make sure that your policy isn’t going to cause you trouble when you get in front of a judge? Should you have your policy reviewed?
Marta: I mean, it’s always a good idea to have your attorney go over your policy, because sometimes your attorneys don’t get it right away. From an IT administrator’s point of view, I think it all boils down to this: Are you confident that you can stand in front of a judge, go through your retention policy, and explain why you did something a particular way, how you did it, and where it is being implemented?
Essentially, with litigation hold, retention policies, and electronic discovery in general, you need to make sure that the data that you have is kept in a pristine state. You should be able to preserve the data before and after the implementation of litigation hold policy. So, when you’re running these drills, a best practice is to make sure that, when the procedures have run their course, none of the data is corrupted or lost in any way. In doing so, you can make sure that every file is retained in its previous form when it comes time for real implementation.
In a lot of ways, you don’t really know how sound your policy is until you’re actually in litigation. There are many different variables that play a role in these situations, and the best thing that you can do is to over prepare. Audit your retention policy. Audit your litigation hold policy. (One of the awesome features of Discovery Attender for MS Exchange 2010 is robust audit trail logging.) Realize that just about everything is subject to discovery, and make certain that you have a process in place that supports these policies.
We’re nearing the end of our series! Check back soon for the grand finale, or, if you’re just now joining us, start from the beginning!