A critical, early part of the eDiscovery process is the “litigation hold” or preservation phase, which mandates that data which is relevant to a case must be preserved. In a typical case, after data has been held, it is collected for further processing, review and other activities. The hold process is a critical step – when data is not properly preserved, spoliation claims and sanctions can result.
There are many ways to create a litigation hold on electronic data. One of the most common is to combine the hold and collection phases – relevant data is collected by making a copy of it, and then setting it aside in a safe repository. But recently, there has been a lot of discussion about creating holds by maintaining data “in place”. This means that data which has been identified as being relevant to a case is somehow maintained or locked down, in its original location, without making a copy. It’s an interesting concept, one that has both benefits and substantial risks.
What are some of the potential benefits of trying to hold data in place? The most popular is to avoid making another copy of the data. Another benefit is speed and efficiency – it’s faster and easier to “lock” the data in place than it is to create an entirely new copy. While both can be true, the actual benefits are often limited. In most cases, a copy of the data will need to be created early in the case anyway, so that it can be taken out of production and used for further processing, review and distribution to counsel and other parties. Also, even when terabytes of data are involved, storage remains inexpensive, making this benefit fairly nominal in practice for most cases.
On the other side of the analysis, there are many potential risks of attempting to hold data in place. These risks must be fully understood and weighed against the risk and complexity of a case. When the targeted data resides in an advanced repository, such as a records management repository or an email archive, hold in place is usually very straightforward and safe – those specialty repositories generally have built-in functionality for litigation holds. But for other data, such as information stored on laptops, desktops and fileshares, the technology enabling hold in place generally relies upon the security of the underlying operating system. In those cases, the hold is initiated by modifying the security permissions of the affected files. Unfortunately, in most enterprises, the IT infrastructure gives individual employees sufficient privileges to change the security of that file back, allowing its modification or even deletion. In addition, hold in place does not work for many types of repositories – for example, there is no hold in place counterpart for email messages maintained on a server.
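A permission-based hold of the kind described above can be audited for exactly the reversal it is prone to. The following is an added example, not part of the original article: it assumes POSIX-style permission bits, and the function names and sample files are constructed for illustration.

```python
import hashlib, os, stat, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def place_hold(paths):
    """Strip write bits (the permission-based hold) and record a baseline."""
    manifest = {}
    for p in paths:
        mode = stat.S_IMODE(os.stat(p).st_mode) & ~0o222
        os.chmod(p, mode)
        manifest[p] = sha256_file(p)
    return manifest

def audit_hold(manifest):
    """Return (path, finding) pairs for every held file that has drifted."""
    findings = []
    for p, digest in manifest.items():
        if not os.path.exists(p):
            findings.append((p, "deleted"))
            continue
        if stat.S_IMODE(os.stat(p).st_mode) & 0o222:
            findings.append((p, "write permission restored"))
        if sha256_file(p) != digest:
            findings.append((p, "content modified"))
    return findings

def demo():
    # Constructed sample data: three held files in a scratch directory.
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("memo.txt", "budget.txt", "notes.txt")]
        for p in paths:
            with open(p, "w") as f:
                f.write("original content of " + os.path.basename(p))
        manifest = place_hold(paths)
        # A custodian with ordinary owner rights undoes the hold on two files.
        os.chmod(paths[0], 0o644)
        with open(paths[0], "a") as f:
            f.write(" (edited after hold)")
        os.remove(paths[1])
        return sorted((os.path.basename(p), why) for p, why in audit_hold(manifest))

if __name__ == "__main__":
    for name, why in demo():
        print(name, "->", why)
```

For the audit to carry weight, the manifest has to be stored somewhere the custodians cannot write, and the audit run on a schedule rather than once.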
So it’s complicated – what’s the best practice? Understand the details of your hold mechanisms, whether via copying or hold in place, and deploy them as risk and efficiency dictate. In low-risk cases, where spoliation is not a significant concern, it may be efficient to merely hold the data in place. Even in cases of broader collection criteria where a vast amount of information is subject to hold, and it’s not practical to immediately copy all of the data, a combination of hold in place, potential changes to IT systems and end-user education can be a good starting point. However, in most cases where spoliation claims would be critical, or where early collection of data is likely (thus eliminating much of the benefit for holding data in place), collection of the data as the hold process is prudent.