The Potential Risks of In-Place Legal Holds

By Johannes Scholtes posted 12-08-2010 08:24


You’ve conducted your legal hold interviews. You’ve identified the custodians and the potentially relevant data. So what’s the best way to preserve it? Do you make a copy of it or lock it down in place? According to the intermediate results of an eDiscovery Journal reader poll, almost 78% of participants do not believe that corporations can currently rely on in-place preservation. (See

The following is a quick comparison of the traits of the “Copy Approach” and “In-Place Legal Hold” that may explain that reader response.


The Copy Approach

As the name suggests, this involves making a copy of all relevant data and storing it in the defined legal hold location—which is usually a low cost server or NAS with sufficient disk space to accommodate the processing phase. The copied data often includes audit information, hash values, and chain of custody.

As new data is produced after the initial copy, some eDiscovery software tools provide automatic collection of incremental copies from the legal hold sources. This capability enables IT departments to maintain their typical rotation of backup tapes and thereby save a lot of time and money.

Many organizations do not realize it, but postponing the backup tape-rotation-process can become a multimillion dollar cost if the legal hold takes too long. In addition, the accumulation of all these backup tapes also exposes you to legal fishing expeditions and may harm your position in unrelated litigation. By having automatic incremental collections of new and changed files, there is no need to postpone the backup-tape rotation schedule because new and changed files can be collected directly from the file systems. There is no need to collect them from older backup tapes.


In-place Legal Hold

The in-place legal hold approach is more complicated: on all your email servers, databases, hard disks, and other repositories, data can no longer be changed, or removed, but new data can be added.

There are a few vendors that offer in-place legal hold for many different types of repositories. Market feedback indicates this process is often “oversold” and never actually implemented, or it can require years to implement correctly. I can’t say that I am surprised, simply because of the tremendous technical complexities involved. The following examples come to mind.  How do you keep track of different versions of the databases? How can you prevent virus and intrusion detection software from blocking an in-place legal hold? How can you remotely set security rights in a proprietary database that does not support any legal hold? Does the organization use single instance archiving—which would make in-place legal hold impossible without built-in functionality, or even better, developer API’s, to support in the storage or repository management?

Looking ahead, I think future releases of email and content management repositories will include standard functionality to receive a legal hold notification by API or Web service command. In fact, new versions of MS-Exchange and certain EMC devices reportedly have this type of functionality already, although I haven’t yet seen it in use. Once this functionality is standard and technically solid, then eDiscovery vendors can develop reliable and easy-to-implement enterprise wide in-place legal hold applications. But until that time, I’m one of the 78% I believe the technical risks, limitations, dangers and high implementation and maintenance costs make in-place legal holds unrealistic for companies facing litigation.

#ElectronicRecordsManagement #legalholds #legalhold #e-discovery