SharePoint eDiscovery: eDiscovery Center, Discovery and Hold

When faced with a legal action, organizations need to find and preserve documents and other data that might be relevant, not matter where it might be buried in the IT infrastructure business. When SharePoint is one of your information repositories, you need a way of discovering relevant information that lives in your SharePoint farms and sites. This document explores the basic eDiscovery and legal compliance tools that Microsoft has built into SharePoint.

Overview

The eDiscovery Center is a central portal used to create and manage eDiscovery requests. There you can define the data sources for a case and conduct searches for relevant information. You can also place in-place holds — essentially, this takes snapshots of one or more entire SharePoint sites to preserve the data for discovery. Any additions or modifications to the content after the snapshot is taken are also recorded.

eDiscovery Center

The eDiscovery Center is actually a special site collection designed to help you manage the preservation, search and export of Exchange and SharePoint content stored across SharePoint farms and Exchange servers. When your legal team alerts you to the need to perform e-discovery and production tasks, the eDiscovery Center should be one of your first stops.

In the center, you can create eDiscovery cases, search for content, apply holds to content, export content, and view the status of holds and exports that are associated with a case. When you run a search query, you can see what documents, emails and other data have been returned. When you export content, SharePoint formats the data according to the Electronic Data Reference Model (EDRM) specification so that it can be imported into a review tool for further analysis and decision-making.

Discovery

The process of discovering information is much like entering a search query into Google or another search engine. Simple queries involve specific keywords. If you need to look for more complex patterns, you’ll want to take advantage of the “NEAR” filter, which enables you to specify words that should be near each other. For instance, a search for 737 MAX NEAR MCAS will find results in which the word MCAS appears in close proximity to the phrase 737 MAX.

SharePoint eDiscovery uses search service applications (SSAs) to crawl (systematically read and catalog) and index farms of SharePoint sites to prepare for eDiscovery case queries. The SSAs connect over a service application proxy.  Depending on the size of your SharePoint deployment, you might choose to use multiple SSAs to catalog different types of sites — for example, one SSA to catalog U.S. sites and another SSA to catalog Asian sites. If you have a smaller deployment, one SSA might suffice.

In-place holds

Putting an in-place hold on a SharePoint site takes a snapshot of the documents, pages and list items at the time the hold is placed. Users can continue working with the content; all additions, changes and deletions are preserved in a document library called the Preservation Hold Library. Therefore, any new content that’s added to the site after the hold is placed will be discoverable, and even if a user deletes information, SharePoint Server retains a copy of it as it was originally stored. Access to the Preservation Hold Library requires site collection administrator permissions or web application permissions.

To configure  an in-place hold on a SharePoint site, go to the eDiscovery Center and create a case. A case is essentially a project that has all of the search terms, hold settings, and anything else associated with a given legal matter. Then use the eDiscovery Center to create an eDiscovery Set by specifying the sources to be searched, a filter that defines what you are searching for, and choose the option to apply an in-place hold to the sources that contain content that matches the filter. Note the sources can include Exchange Online mailboxes as well as SharePoint sites in SharePoint Online.

Where SharePoint eDiscovery falls short

While SharePoint eDiscovery is pretty good at collecting information, it leaves a lot to be desired during the two later phases of eDiscovery: the review phase (when lawyers and other staff go through the results of the discovery search and find what’s relevant) and the production stage (when the relevant results are prepared to be submitted to the other party in the dispute). Because these stages often involve billable hours for legal teams, you don’t want to provide more information than required. Native tools make it hard to eliminate excess data, so your organization can end up paying more than it needs to in legal fees.

Optimizing SharePoint eDiscovery

These limitations of native tools make quality third-party products a wise investment. Netwrix Data Classification improves the entire eDiscovery search, production and response process. In particular, it can:

  • Identify potential sources of relevant data by mapping content across your entire IT infrastructure, including not just documents in SharePoint sites in the cloud, but also content in your on-premises SharePoint, in the file shares on your file servers, and even in your SQL Server databases.
  • Collect data for litigation support, make sure files are duly preserved, and enable you to manage everything in one place.
  • Optimize document review and processing. You can easily fine-tune your classification levels to filter out irrelevant documents, thus increasing the relevance of electronic evidence you hand over for review and minimizing the time and expense involved in review and production.