Month: October 2011

Exchange 2010 Message Search and eDiscovery

Bill Tolson eDiscovery, Technology , , , , ,

An important aspect of the eDiscovery process is finding all potentially responsive ESI. In other words the eDiscovery auditor must perform a search on all ESI repositories which could house responsive ESI.

Key to eDiscovery search in Exchange 2010 is to choose words, date ranges, attachment file names etc to help the auditor narrow the results set to be reviewed, but not to the point of overlooking responsive ESI. The eDiscovery keyword search in Exchange 2010 will only find exact matches of those terms input. Additionally, the eDiscovery multi-mailbox search in Exchange 2010 will not reproduce the history of the email, such as when it was opened, what folders it existed in and when, if it was deleted and when etc., something which can add a great deal of context to the ESI.

Another key in this process is the effectiveness of your system’s indexing capability. Does it index everything including metadata, the entire email message and all attachments so that when you perform a search, you find all instances of the content? And… is the index reliable?

The indexing and search functionality of Exchange 2010 is considered neither accurate nor reliable by eDiscovery industry experts. In testing by a 3rd party market research firm, it was found that:

  • Custodian display name and address searches missed more than 20% of custodian email compared to last name only searches.
  • Lists of search terms became corrupt without generating warning errors.
  • When items are placed on litigation hold, the preservation system did not preserve the critical location context or other metadata properties of content.

To the opposing counsel, these deficiencies are a prime target to call into question your eDiscovery process and maybe enough to have the Judge force you to perform the eDiscovery search again using very expensive third party services.

Although improved over the search capabilities of previous versions of Exchange, several major limitations to Exchange Search remain that should be fully understood. These limitations restrict how Exchange Search is used, and limit its ability to be a primary factor for upgrade for stand-alone eDiscovery support by most organiza­tions.

The biggest drawbacks to Exchange 2010 include:

  • Default search filters limited: Standard Microsoft Office formats can be indexed by Exchange 2010 so that eDiscovery searches can find and return these record types, but there is limited support for other common formats such as the popular PDF file format as well as audio or video file formats. By default, the content of email messages with PDF attachments are unsearchable. (see the iFilter section below)
  • No public folder search: Organizations with a significant investment in public folders will find that they cannot search across public folder data using the native Exchange Search functionality.
  • Localization and language limitations: Emails written in multiple languages are not indexed by Exchange Search. In addition, queries made in a specific language must match the locale of the local computer doing the search.
  • Encrypted messages not indexed: Messages encrypted with S/MIME encryption are not able to be indexed and are subsequently not searchable.
  • Exchange 2010 effectively has 2 indexes per mailbox: One index exists on the Exchange Server and one on the local Outlook machine. Any local PST files cannot be searched from the eDiscovery search interface. Local user search syntax and search results may differ from the network eDiscovery search.
  • Broad-brush legal holds: Legal Holds are a mailbox wide setting meaning that all content in a target mailbox is placed on legal hold. You cannot place individual objects on legal hold. Users can move, forward, reply, flag and categorize items under legal hold with no record. Metadata changes such as the email folder location are not tracked.
  • No case management: eDiscovery searches have no matter folders, audit or security for all eDiscovery group users. Searches for unrelated cases will all be thrown together with no ability to set security by matter.
  • Metadata can be changed on export: According to a report, email exported from the Exchange archive mailbox could have the Creator, Last Modified, PR_Creation_Time, Conversation Index and even message size changed

A question corporate General Counsels need to ask themselves and their IT departments is; can I respond to an email discovery request quickly enough and in a defensible manner to satisfy the opposing counsel and Judge?

To answer that question, you need to consider another question. Is Exchange 2010 indexing everything in my system so that when you conduct a search it will find all relevant content?

The answer is probably not. The question of completeness of the eDiscovery search capability in Exchange 2010 is a big issue many don’t even think to question.

Can you rely on the Exchange eDiscovery search to produce the results so that 1: all potentially responsive ESI can be found and placed on a litigation hold and 2: does the results you end up with contain all potentially responsive ESI?

Frictionless eDiscovery; social media addicts beware…

Bill Tolson eDiscovery, Technology , , , , , , , ,

eDiscovery just got a lot easier…for opposing counsel.

Facebook’s new system to auto-share what you do around the web may catch many Facebook enthusiasts off guard. Even “power” users of Facebook will probably run into trouble with this “frictionless sharing” feature. Once it’s enabled on a site you won’t get any other warnings that you “tracks” are being broadcast to large numbers of people.  In fact, even those people who know exactly how this new feature works will need to be on guard against sharing some seriously embarrassing and or compromising updates.

For those not in the know, Facebook is making sharing even easier by automatically sharing what you’re doing on a growing community of Facebook-connected apps.

Huh? It could be the news articles you read online, the videos you watch, the photos you view, the music you listen to, or any other action within the site or app. In the future it could be the “stuff “you buy on-line or the profiles of people you view, or diseases you looked or the fact that you searched for information on the term “formaldehyde” on a specific day…

To be fair, currently,  you must explicitly authorize a site or app to share your information with Facebook. How this sharing mechanism works depends on the app. Authorizing the Washington Post or The Guardian Facebook apps allows you to read those news sites right within Facebook. The downside, however, is that everything you read is shared back to your friends via a timeline… This capability may also effect those news organizations which have jumped into this partnership opportunity. These news organizations may see a drop in views because potential readers will now have to first consider how viewing a particular story will affect their reputation; Do I really want to click on this story knowing my “friends” will know I viewed this?

A timeline… REALLY! Do your friends really need to know you viewed a website titled “BieberFever.Com” at 1:13 am last Thursday morning? Or that you read an article on setting up a Swiss bank account 57 minutes after you received notice of a pending lawsuit? Talk about making the opposing counsel’s job easier…every discovery request will automatically include Facebook accounts.

Another group that needs to be careful are employees. I can imagine an HR representative viewing an employee’s Facebook page to verify, via the employee’s timeline, they have been surfing the web for the last 17 days.

I have repeatedly warned friends that social media sites like Facebook are potentially dangerous in that what you (or an application) post to your social media site could be used against you by potential employers, current employers or attorneys. One question I suggest all social media addicts ask themselves before they post is; “Is this something I would feel comfortable showing up on the front page of the New York Times?”…Because someday it could.

Litigation Hold in Exchange 2010

Bill Tolson eDiscovery, Technology , , , , , ,

Litigation hold (also known as a preservation order and legal hold) all have the same legal meaning; a stipulation requiring an individual or organization to preserve all data that could relate to a anticipated or pending legal action involving the individual or organization. The litigation hold responsibility is one of the biggest liabilities individuals and organizations have in the civil litigation process. If a litigation hold is ignored or insufficiently applied, the Judge will not tolerate excuses and the outcome can be a spoliation or destruction of evidence ruling which in turn can cause an adverse inference order be issued and loss of the case. Several third party eDiscovery applications provide for litigation hold placement on individual items to reduce over saving of non-responsive ESI.

In Exchange 2010, Microsoft suggests placing a custodian’s entire mailbox on litigation hold. In other words specifically putting a custodian’s mailbox on litigation hold ensures an indefinite retention on all content, even the content not relevant to the case at hand, in the user’s mailbox until the mailbox is removed from Legal Hold. This shotgun tactic does ensure all potentially responsive ESI is retained at the time of placement but many attorneys are leery of blindly placing a litigation hold on all content due to the possibility of over retaining ESI that is not responsive to the current case but could be in a future case.

To put a custodian’s mailbox on litigation hold in Exchange 2010, the person making that decision needs to be part of the “Discovery Management” Role in Exchange.  By default there are no approved auditors in the organization, including the Exchange Administrator, which has the right to put a user’s mailbox on litigation hold.  The Exchange Administrator can go into the Exchange Control Panel and give themselves (and others) the right to enable litigation hold for mailboxes.

Another caveat for Exchange 2010 litigation hold is that it could take upwards of 1 hour before a litigation hold takes effect on a given custodian’s mailbox. This is because the policy needs to be enacted on all messages and folders in the mailbox and be replicated through Active Directory. With litigation hold enabled, all messages, regardless of the organization’s retention policy will be retained until released.

Another aspect of placing effective litigation holds in Exchange 2010 is the question of PST files. PSTs are a long running problem area for corporate legal as well as the IT department. The problem is this; PSTs include email, attachments and metadata no longer preset within the Exchange email system. So when an auditor searches a custodian’s mailbox from Exchange 2010 for relevant emails and attachments, they aren’t able to search for any PSTs the custodian has on their local workstation.