Illustration of a network of nodes Filing cabinet
Back to guide list

Chapter 2 Data Preservation and Legal Hold

This chapter will help you understand the technology environment that must be navigated in the context of preserving information potentially relevant to litigation, investigations or other disputes, as well as the steps practitioners must take to ensure that data maintains its evidentiary integrity.

What is Data Preservation?

Data preservation is defined as the processes that must occur to ensure that information potentially relevant to anticipated, pending or active litigation, investigations or other legal disputes retains its evidentiary integrity. In U.S. courts, legal precedent requires that potentially relevant information must be preserved at the instant a party “reasonably anticipates” litigation or another type of formal dispute. The event or occurrence that precipitates the party to begin preserving information is referred to as the “trigger” or “triggering event.”

The goal of preserving information is to ensure that the information’s evidentiary integrity is maintained for potential use in the case. This means that the information should not be altered from its original form or the form in which it exists at the time of the triggering event. Not only does this apply to the appearance of the information, such as the way a document looks, but to the hidden metadata as well. The slightest modification -- such as opening an email that is potentially relevant -- can alter the information’s metadata, and thus compromise its evidentiary integrity and potentially draw penalties.

Generally, the first step to preserving data involves the application of a legal hold. Immediately after a triggering event, it is also imperative that the party take steps to suspend activities that could potentially alter information that must be preserved, including those that occur in the normal course of business. For example, companies should to halt deletion of email archives according to automated retention schedules.  

Below, we will dive more thoroughly into perhaps the most important step of preserving information: the legal hold.

What is a Litigation Hold?

A legal hold, also known as a litigation hold, is an essential early step in the e-discovery process, and crucial to showing defensible and good faith efforts to preserve evidence. It is the mechanism by which parties that must preserve information potentially relevant to a dispute tell “custodians” of that data it must be preserved, and ensure compliance until the obligation no longer applies. The initial document outlining the scope of the preservation requirement is called the legal hold notification or notice.

The legal hold notice is where the rubber hits the road: the point at which all parties are aware of pending litigation and the need to preserve ESI for that litigation. It is also the point at which you need to have identified the potential sources of information, the custodians of that information, and the technical and practical challenges to be faced in the coming dispute.

Legal Holds in Practice

Legal holds are a relatively recent phenomenon. In Zubulake v. UBS Warburg, which we discussed in Chapter 1, Judge Shira Scheindlin made it clear that parties have an obligation to preserve relevant information as soon as litigation is imminent. But when is litigation imminent? And what is potentially relevant information?

A litigation hold notice is designed to answer those questions and eliminate confusion. The best definition for legal hold is that it is a way to communicate to a party or custodian that a) litigation is imminent, or reasonably anticipated, b) potentially relevant information must be preserved, and c) that electronically stored information (ESI) and paper documents that may be relevant to this pending litigation must not be deleted or altered.

Unfortunately, this third part of the litigation hold process is often the most problematic, either because parties continue with the routine destruction of data -- such as deleting emails after a set period of time – or, carelessly spoil data because they don’t know better, or, less often, through deliberate efforts to thwart justice.

But as Judge Scheindlin wrote in Zubulake, “...once a party reasonably anticipates litigation, it must suspend its routine document retention/ destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”

If the requesting party fails to offer a prompt, detailed, and understandable litigation hold notice to its adversary, it may not receive the information necessary to conduct litigation. On the other hand, when a producing party fails to take a litigation hold letter seriously, sanctions, adverse inferences or even worse penalties may be imposed. Ultimately, the party that possesses potentially relevant ESI is under an obligation to preserve that information when litigation becomes reasonably anticipated, regardless of whether its adversary has alerted it of its preservation obligations.

Defining the Legal Hold Process in E-Discovery

A legal hold notice is usually sent to an organization and distributed to legal counsel, custodians, and IT staff. It is also common for an organization that anticipates litigation to draft and circulate its own legal hold. The notice must be broad enough to ensure that all potentially relevant information is preserved, but narrow enough so as not to be overburdensome for the party that possesses the information.

Unfortunately, too many lawyers rely on checklists or boilerplate language when issuing a legal hold. However, an effective hold notice can only be drafted if a legal team takes the time to consider the relevant issues of a case, the potential sources of evidence, and the questions that must be answered via discovery.

Drafting a Legal Hold Notice

How do lawyers avoid sending formulaic, boilerplate notices? A litigation hold must be a thoughtful document tailored to the needs of the case. Certainly, there are elements of the legal hold process that can be repurposed over and over again, but there must also be an attention to detail in each new case as well. It’s a balancing act: minimizing cost, complexity and business disruption while ensuring that all potentially discoverable information related to the matter at hand is preserved. A sample notice can be found here.

How to Ensure Receipt and Compliance with the Legal Hold

It is important that once the initial notice is issued, reminders are issued early and often to ensure compliance. Cloud-based Legal Intelligence software, like Logikcull, automates notices and reminders, and keeps track of which custodians confirm receipt of the notice and when.

Key custodians must receive email and messaging hold notices, and IT and HR must receive notices to preserve specific machines, devices, and backend systems. While issuing a legal hold notice that demands backup drives and media be preserved will help ensure you can recover evidence even if the original records are lost, it is important to be aware that courts have said that, often, producing legacy media such as tapes can be overly burdensome to the producing party. Parties should seek further counsel if they are unsure of how far their preservation efforts should extend or where original sources of evidence reside. At a minimum, a sound legal hold notice will instruct parties to suspend data destruction efforts if appropriate so that evidence will be easier to find later.

How Do I Make My Legal Hold Defensible?

In the context of litigation holds, defensibility means understanding how your opposition, judge, jury, or regulator will view your legal hold process in light of applicable legal requirements. While perfection is not required, your actions will need to be reasonable given the information available at the time of the action.  

In other words, acquire as much information as possible once litigation is anticipated and build it into a legal hold notice. As the process continues and you learn more about the opposing party’s processes, data collections and/or the information it seeks, update and refresh the notice accordingly.

Though a litigation can apply to nearly everyone in an organization, it is a good idea to limit and refine its scope. Interview people identified as key players and ask them who else is likely to have potentially relevant ESI. You should also interview both the personnel who manage the content, and those who manage the electronic implementation environment or network infrastructure.

How Do You Work With Document Retention Policies?

As noted above, email systems can be set to automatically delete messages after a certain elapsed time according to the organization’s email retention policy. When preserving and collecting data from a company's’ communication systems (email, phone, messaging, etc.), consider the company’s ESI retention policy and whether it must be suspended.

Two groups to consider interviewing and involving are the users of the data and the IT department. The IT department may have to modify their practices in order to comply with the company’s preservation obligation. So be sure to interview users and custodians who can help identify data you need, but also the IT group, which can help you to preserve and collect it.

Trust But Verify

Courts have criticized the practice of allowing individuals who are stakeholders in the outcome of the case to identify, preserve or collect their own data, since they arguably lack the necessary objectivity to collect all of what is relevant and responsive. This practice of “self-collection” is often described as the “fox guarding the hen house.” Moreover, custodians simply cannot be expected to identify and preserve all the ESI that could be relevant to a case.

Judge Scheindlin touched upon the risk of relying solely on custodial holds in her decision in the Nat'l Day Laborer Org. Network v. U.S. Immigration & Customs Enforcement Agency (S.D.N.Y. July 13, 2012). Judge Scheindlin made it clear that if custodial holds fail, it is the party and/or counsel’s fault for not enforcing the hold notice, not the custodian who fails to preserve evidence. So it is important for legal teams to ensure that the legal hold is received and that its instructions are followed.

How Do You Distribute a Legal Hold Notice?

Legal teams must take the following steps to help ensure a sound legal hold.

  1. Build a defensible, current and relevant list of the people and departments who will be receiving a notice. Distributing the notice to overly broad groups (e.g., the entire organization) can lead to non-compliance or misunderstanding since many employees may ignore a notice.

  2. Once a notice is distributed, require recipients to confirm receipt and understanding of the message. This can be a written email confirmation or legal software that allows the recipient to fill out an acknowledgement that they understand and will comply with the message.

  3. Send regular reminders to recipients of legal holds reiterating that the hold and its instructions are still in place, and that potentially relevant information should not be altered.

Where Will You Find ESI?

It's always a good idea to instruct the recipient of a legal hold that the data to be preserved may be located in a wide variety of storage locations such as: email, desktop drives, portables devices, shared drives, home computers, tablets, smartphones, internet storage locations, and document management systems.

The most common source of ESI is a custodian. However, non-custodian ESI is a critical source of ESI as well. Examples of custodian data are: email, personal storage on hardware devices or cloud accounts, allocated storage, private data storage, data associated with social networking sites used by the custodian, tablets, smartphones or even private web-based email accounts.

Examples of non-custodian data include: databases, cloud storage databases hosted by third parties, and shared network storage locations.

Below we will go into more depth on each of these potential sources of evidence.


Users of corporate computers will have email stored on one or more email servers. These servers may be physical hardware managed by IT staff or virtual machines leased from a cloud provider, either running mail server software, most likely applications like Microsoft Exchange. A third potential source is a Software as a Service (SaaS) offering from a cloud provider, which are ubiquitous. Webmail may be as simple as a single user’s Gmail account or, like the Microsoft Office 365 product, a complete replication of an enterprise email environment.

Users often have a different, but overlapping complement of email stored on desktops, laptops and handheld devices they've regularly used. On desktops and laptops, email is found locally (on the user’s hard drive) in container files with the file extensions .pst and .ost for Microsoft Outlook users or .nsf for Lotus Notes users, for example. Finally, each user may be expected to have a substantial volume of archived email spread across several on- and offline sources.

Network Shares

Apart from email, custodians generate content in the form of productivity documents like Microsoft Word documents, Excel spreadsheets, PowerPoint presentations and the like. These may be stored locally, i.e., in a folder on the C: or D: drive of the user’s computer. But more often, corporate custodians store work product in an area reserved to them on a network file server and mapped to a drive letter on the user's local machine. The user sees a lettered drive indistinguishable from a local drive, except that all data resides on the server, where it can be regularly backed up. This is called the user's network share or file share.

Mobile Devices: Phones, Tablets, IoT

According to the U.S. Center for Disease Control, more than 41 percent of American households have no landline phone and instead rely solely on wireless service. For those between the ages of 25 and 29, two-thirds are wireless-only. A recent survey (sponsored by Facebook) found that four out of five people start using their smartphones within 15 minutes of waking up and, for most, it’s the very first thing they do.

The Apple App Store supplies over 1.5 million apps accounting for more than 100 billion downloads. All of them push, pull or store some data, and many of them surely contain data relevant to litigation. More people access the internet via phones than all other devices combined. The bottom line is if you’re not including the data on phones and tablets, you’re surely missing relevant, unique and often highly probative information.

Relatedly, the so-called internet of things (IoT) -- a vast, growing network of interconnected devices, applications, appliances and objects connected to the internet -- poses challenges for legal practitioners, who increasingly must glean data from it for discovery purposes.  

Local Storage

Organizations deploy network shares to ensure work is backed up routinely. Nevertheless, despite the best efforts of companies to try to keep all work in a single location, users will store data on local, physical media, including local laptop and desktop hard drives, external hard drives, thumb drives and other devices.

Social Networks

Given the prevalence and public nature of social media, today it is possible for anyone to draw a detailed profile and gain intimate personal information of an individual in just minutes. Needless to say, social media has become increasingly important in an evidentiary context.

It is a rich source of information for litigators in many types of matters, and can provide crucial context to employee investigations and other types of company disputes.

Recently, advisory notes to the updated Federal Rules of Civil Procedure put a fine point on this, stating, “It is important that counsel become familiar with their clients’ information systems and digital data — including social media — to address these issues.”

Databases (server, local and cloud)

From Microsoft Access databases on desktop machines to enterprise databases running multinational operations (think UPS or, databases of many kinds are embedded in company systems. Other databases are leased or subscribed to from third-parties via the cloud (like or Westlaw). Databases hold so-called structured data, meaning it is unreadable outside of the database in which it is created.

The Cloud

Corporate applications and IT infrastructure increasingly operate in cloud environments like Amazon Web Services and Microsoft Azure while individuals increasingly store data in tools like Box, Dropbox, Google Drive, Microsoft OneDrive, Apple’s iCloud and others. The cloud must be considered alone as adjunct to the other sources when seeking to identify and preserve potentially responsive ESI.

Related reading: Debunking the Myths of Cloud with Esteban Kolsky

Now that we’ve addressed some of the most common types of information that must be preserved, we’ll revisit the legal hold itself, the individuals you should consider involving when it must be deployed, and considerations for maintaining the integrity of data that must be preserved and collected.

Who Can Help With Legal Holds?

In order to create a reliable and consistent legal holds process, you will need reliable human guides. Some custodians may know a lot about the data itself, such as fields in a database, what information may be relevant to the matter, and even how to create valuable reports. Find people in the IT department who understand the relationship of the data to the business. These people understand the mechanics and technology of the system and know where important information may be stored. However, they are not experts on the content of the system.

How Do You Make Sure People Don’t Ignore Your Legal Hold Notice?

It is important to perform regular follow-up interviews and send reminders to custodians and IT personnel subject to the hold. Remember, responding to litigation is not a usual function of most people’s jobs -- they are busy and will not necessarily prioritize preservation duties unless they are regularly reminded. Case law requires litigating attorneys to take affirmative action in monitoring the hold. Just as importantly, when a hold is no longer necessary, make sure to release the custodians from their obligations. This lets companies return to their normal document retention schedule, and allows individual parties to use the device or data without fear of spoliation.

Important Legal Hold Considerations

Courts are increasingly sensitive to the costs of e-discovery and the concept of proportionality, which should be taken into account when assessing the scope of the collection. In most cases, the use of software will aid in validating the collection of ESI. Failure to use commonly accepted methods and technologies may expose the client to additional risk.

What if Something Has Been Deleted?

Collecting ESI can be accomplished by the client, custodians, or a third-party gathering ESI for further use in the e-discovery process.

It is important to understand that it is possible to recover evidence that may have been deleted as well. In most computer systems, deleted files still live in the unallocated space on a hard drive, which is where many applications store temporary files while the application is in use. However, preserving data in unallocated space requires forensic collection using special software.

Metadata is the Key

For most data, there are two types of metadata, system and file metadata, and each have different jobs. System Metadata is data involving the architecture of a computer system, and offers information like timestamps of when file was last modified, accessed, and created as well as where the file is physically located in the volume.

File Metadata is data about a file and is stored within the file. File metadata includes printed date and time and other user-supplied data that can be altered. It also includes timestamps, author information, and edits. Metadata will help you authenticate documents and verify important information when conducting e-discovery. Unfortunately, many lawyers are unaware that metadata can be altered or corrupted if not properly handled.

What is a Forensic Collection?

In order to collect data without corrupting it, legal teams may need to engage in a forensic collection. Forensic collections are most useful if you suspect someone has altered or deleted data and you need to investigate the metadata and unallocated space from a computer or device. A forensic collection makes a forensic copy of a hard drive that includes every bit of data on that drive, including data in unallocated space. This collection type often uses a "write-blocker" to prevent alteration of the content when a device is attached to retrieve the data.

In addition to using specialized tools, legal teams need to keep documentation of the decisions and actions made during the collection process. This includes answering whether or not a computer should be forensically collected. More often than not, collecting the active data and relevant network shares is sufficient.

Defending Your Preservation

If an opposing party or presiding judge questions the preservation methods employed, you will need to defend and show your work. Here are some important steps that should be taken along the way, regardless of whether you expect a challenge:

  • Create documentation (the chain-of-custody log) or testimony by the ESI collector about the steps taken.
  • Always consider and take into account the cost, accessibility, and needs of the case.
  • Take steps to ensure that nothing about the data is altered or degraded.
  • A forensically sound collection will preserve all potentially relevant metadata that may be used by the trial team in its claims.
  • A collection by a third-party vendor or with appropriate Legal Intelligence software will often be the best method.