Microsoft Teams in eDiscovery

Published on Feb 5, 2024
Written by: Jeff Dunning

Jeff Dunning, Director of Corporate Cloud Services, recently engaged in a conversation with us, delving into the distinctive complexities of eDiscovery within Microsoft Teams. Jeff underscores the critical need for uniform processes and workflows, advocating for a defensible approach in eDiscovery.  

The conversation highlights the ever-changing landscape of Teams, prompting organizations to stay informed about technological advancements and adopt disciplined approaches for effective eDiscovery outcomes. 

This article is a shortened version of the discussion. 

Why talk about Microsoft Teams, specifically in eDiscovery? 

It starts with the fact that we got good at doing email. We’re good at finding the needed content, preserving it, and producing it – it works a certain way. Everybody will want to follow the same path to get data out of Teams. The problem is that Teams is not a repository. There’s no central place to get that data. You need to understand the ecosystem of all that data and where to find what you’re looking for to make it easier. Teams is not just any application. It’s an application that brings data together from various repositories. Do you want chat messages? Go look in a participant’s mailbox, look in Exchange. Do you want a channel post? That’s a group mailbox, so you need to look at the group mailbox. It makes it hard to find what you want. So, it changes the game. What is it that I’m looking to get? Are they personal chat messages? Are they posts? Legal professionals and litigation people need to understand how the technology works and how Microsoft handles all that data that Teams brings together. 

Not all Microsoft instances are created equal. Does different licensing create challenges? 

Yes. One of the big things Microsoft talks about is Purview and retention management and adding these capabilities into a system. Depending on what version of retention management you have, for example, am I dealing with E3? Do I have E5? Do I get automation? You think you’re holding data, but Microsoft’s deleting it. The day for discovery arrives, and you’re wondering, where did it go? So, it’s understanding your organization’s tenant capabilities and what is deployed at any given time because all those capabilities could be there. You might not be using any of it, but if you are, how’s it affecting what you’re looking for?  

What’s different about attachments, Teams, and versioning?  

That’s a huge topic. Again, it gets to the technology and understanding how it works. Take the example of an email. It has an attachment. I know that this person received this attachment on this day. It’s all good. I get a chain of custody. All that works.  

Look at a modern attachment, an embedded file, or a hyperlink. It doesn’t matter what you call it, but there are significant challenges in how that works in eDiscovery. I attach a link to a chat message. What version of the file was that link pointing to? I’ll change that over the next three months, and that file now has an entirely different tone and information. We don’t know, so how do we track back to who saw what and when they saw it? I can send the link to a file that could be in my OneDrive, and then delete the file. The chat message may still be there, but the file it pointed to may be gone. There are challenges with the versions. Do they still exist? Who saw it? All those types of things.

So what do you do? Do you produce all your versions? Some organizations try to do that. The volume of data is so great. It’s unmanageable at that point. You must understand and have processes and workflows to manage. The most significant message here is that you need to do things the same way, every time you do discovery. That’s the only way you can say this is how we did it, and it works for these reasons. It needs to be defensible. 

A playbook is an excellent tool to help. The playbook is advantageous across the entire Microsoft stack, especially with Teams. Microsoft is doing some genuinely good things. They provide tools, but it’s how you use those tools and build those processes. Emails we can defend. Those processes are so tried and true. We get to Teams, even SharePoint or OneDrive; we need a playbook to say how I got from A to B. I do it the same way every time, and these are my results. That’s defensible. That’s what organizations have to do. But again, that starting point is understanding the tech to build that process. Until you know the tech, you can’t make those processes.

Teams represents an evolution of how we communicate, and companies need to adjust.

Chat data is the data of what email was a long time ago. Nowadays, you think twice when you write an email. Chat has become like text messaging where you say things you probably shouldn’t have said, good or bad. It could be the smoking gun. It could be the piece that protects you. That’s the place people want to go for the information, but that’s the hard stuff to get out, especially the context. The words are easy to find. It’s the context. How do you rebuild the data and find a needle in a haystack when we’ve increased the amount of data we’re collecting by such large volumes?  

The way we use Teams, interact, and collaborate, the speed at which it’s changing is rapid. There are new capabilities every time you look, and it’s all more data. We’re really getting people to collaborate, and now we’re infusing AI. Think about all the data generated from AI with Copilot and Microsoft. People generate content they may never use, but the data stays. All the changes add to the proliferation of data across all those repositories that feed into Teams.

When you look at their roadmaps, Microsoft is rebranding applications to work inside Teams. They want Teams to be the place I go to every day. I start my day in Teams and end it in Teams. That creates even more data in Teams. You can’t bash Microsoft or even Google. They’re giving people a way to optimize their time at work to be more productive. And that will keep evolving. If you’re a firm or corporation, you’re just trying to run your firm or corporation. The time spent trying to learn the eDiscovery process as it keeps evolving is nearly impossible without somebody to help that along.

Why are processes essential for Teams? 

We need to be more proactive in our processes and look at Information Governance activities up front where we can begin to manage data creation. That’s a big area that’s missing. Organizations are starting to have those conversations about becoming more proactive so that when they end up in litigation, their eDiscovery is simpler. It could be the same amount of data to go through, but they can find it faster because they understand the landscape. Let’s say I used some naming conventions when I created teams, so I know this was a project team related to a product, and that’s part of this lawsuit. Finding the areas I need to collect my data will be easy. Most people are paying for the tools and not getting any value. Leverage the investment you’re paying for.

Companies also overlook retention management in departed employee protocol. You retain the employee data somewhere, but it’s a big challenge in Teams when they leave. If I’m the owner of that Team and I go away, should you delete that Team? How are we going to handle those types of things? A little bit of governance helps. It’s a challenge across 365. You take away someone’s license and account and lose some of that data. There needs to be a formal offboarding process. We spend a lot of time onboarding people with massive checklists; then, the offboarding process has a few items – remove from payroll, delete the account, and that’s all we do. We need to have more extensive procedures. At the least, put their account on hold before you delete their account. If you put their account on hold, it’s not going anywhere. You have time to make decisions. You have to have something in place to know what you’re doing. You can’t just say, “I’m giving Jeff’s OneDrive to his manager when he leaves.” Those decisions aren’t valid anymore and will get you in trouble.  

What about the custodian when it comes to Teams?  

It’s fuzzy across 365 except email. Do you want Jeff’s email? Go to Jeff’s mailbox. It’s straightforward. When you start talking about the other content, specifically Teams, let’s say Jeff’s the custodian. We want the data that Jeff owns. Do I go and get every site that Jeff’s a member of? He could be a member of 50 team sites he never used. How do we decide what gets included in a collection and what doesn’t? Where will I spend my time reviewing, and where am I not? Here is where upfront proactive work brings the understanding of a communication Team that won’t have anything. Is this a benefit site or company news about a Christmas party? We don’t ever have to worry about those. You can exclude them from every kind of discovery we have. If Jeff is the custodian, we want the things Jeff is participating in, not just what he’s a member of. That’s a more complex conversation. We look at logs, attendance reports, and the like to understand where he contributes time. Where’s he having chats? Where did he make posts? Where is he creating files? He could be a member of a million things. But just because he’s part of a certain group, it doesn’t help us in our collection. So that’s what makes this super fuzzy. We have to look at the context as more than Jeff being a custodian.

Consistent challenges remain in Teams and Microsoft, no matter how much it changes. 

We’ll always over-collect, at least in the foreseeable future. There’s so much data with the number of content types and data types out there. The search capabilities and the ability to find everything you’re looking for are still challenging in 365. When working on a discovery, if I want to get down to complex keyword searching, that still doesn’t exist in 365. You can’t get detailed enough into those searches you want to do and would typically do in some of the other tools we use. The Relativities of the world and the Nuixes have capabilities Microsoft 365 doesn’t. Getting an index that gives you all those massive search capabilities is hard. We joke about what happens when we reach the hologram stage in society or corporations. That will be fun collecting that one. The data will continue to get bigger. It will evolve. If you’re not changing with it, you’re already behind. That’s what makes this industry very exciting to me. I spend a lot of time with people doing eDiscovery and 365 who need help understanding the ecosystem and recognizing the massive change coming. And the hard part is you’re playing catch-up in an area that continues to innovate. The ones that embrace it earlier are going to have greater success.

BLUF. What do we absolutely need to succeed in managing Teams and discovery?  

There are two things I talk to everybody about, and we touched on them earlier. It’s the education part and processes. Having processes and workflows, and sticking to them no matter what situation, whether it’s two custodians or 200. That helps with the defensibility at the far end of what you’re trying to accomplish. I encourage our customers to have those processes and workflows and stick to them every time.  

With education, it’s not education on how to use the tool. Anybody who is doing eDiscovery today will be able to use the Microsoft tools. They’ll be able to push the buttons and do a collection. That’s not the complicated part. The education of where am I supposed to look to find the things I’m looking for. That’s the education that everybody needs. That has always been the light bulb moment when I’ve talked to our clients. That’s when they engage and ask questions.

Education is necessary. It may not be super exciting. It’s not AI or Copilot, which everybody wants to jump on. That’s why education is more important right now. As more of these evolutions happen, Teams is not just relevant, but the basics of gathering information in Teams; you cannot keep your eye off it to look at something shiny.