Planning for eDiscovery (SharePoint Server 2010)
Published: May 12, 2010
Electronic discovery, or eDiscovery, is locating and producing electronic information to support events such as litigation, audits, or investigations. If you use Microsoft SharePoint Server 2010 to manage any electronic information, you should consider eDiscovery when you plan your SharePoint Server solution. Auditing, expiration policies, and search are considerations that you should evaluate. Your planning decisions in these areas should be completed in advance of the possibility of any need arising for using eDiscovery.
In this section:
How SharePoint Server 2010 supports eDiscovery
There are two parts to eDiscovery in SharePoint Server: finding relevant documents, and restricting what users can do with the documents after they have been identified.
A hold is a set of documents that might be produced as part of an eDiscovery request. Within SharePoint Server, you enable or disable the Hold and eDiscovery feature at the level of an individual site. This feature is enabled by default in a Records Center site, and is disabled by default in all other kinds of sites. The Hold and eDiscovery feature enables you to create and manage holds, to add items to a hold, and to use search to discover content and copy the content to another location, or lock the content down so that it cannot be modified or deleted.
When you perform an eDiscovery search, you can do one of two things. You can copy all documents that are retrieved to a content organizer, that routes documents to their correct location based on the documents’ metadata. Or you can leave the documents in place, but lock them down. Locking down a document prevents users from modifying or deleting the document.
To support eDiscovery in SharePoint Server, you enable the Hold and eDiscovery feature in every site collection in which relevant information might exist. Then you configure the search service to crawl the sites for which eDiscovery is enabled.
When circumstances occur that require your organization to produce relevant documents, an eDiscovery process can be initiated. A records manager, an attorney, or another individual may take the following actions to produce the required documents.
Create a hold to contain the relevant documents.
Initiate an eDiscovery search for relevant documents.
The eDiscovery search runs at a time that is controlled by the Search and Process timer job. By default this is 10:30 PM every day. Search results are added to the hold automatically.
Review the items in the hold and create additional eDiscovery searches.
Locate documents manually, and add them to the hold.
Run reports against the hold.
Hold reports are run at a time that is controlled by the Hold Processing and Reporting timer job. By default this is 11:30 PM every day.
Review the documents in the hold and remove irrelevant documents.
Identify specific documents in the hold for which more information is needed, and review the audit log for these documents.
Deliver all documents that are associated with the hold.
When you send a document to a content organizer, the document’s version history is erased. To keep a history of who changed a document and when each change was made, you will need an audit log. We recommend that you enable the auditing policy in all site collections that contain active document libraries. For more information about the auditing policy, see Governance overview (SharePoint Server 2010).
Any information that an organization stores is subject to discovery. In addition, electronic documents consume disk space. Consider implementing an expiration policy to delete documents automatically when they are no longer needed. For more information about the expiration policy, see Governance overview (SharePoint Server 2010).
When an organization has to produce documents in a litigation scenario, it must often produce them quickly or pay a fine. Make sure that Search is configured correctly before the first time that you have to use eDiscovery. In particular, ensure that Search is configured to crawl all sites in which you may have to discover content.
Search engines are usually optimized to return only a few highly relevant results. In eDiscovery, the goal of search is to return all results that match a query, not just the few most relevant results. Search in SharePoint Server 2010 was improved to better meet the needs of eDiscovery.
To help protect against common malicious attacks, SharePoint Server 2010 searches that run for more than a specific time are stopped. If your eDiscovery search might run for a long time, consider the following options:
Create a more tightly scoped search. If you are searching for documents related to a potential partnership with Contoso, Ltd., for example, consider searching for documents that contain the word “Contoso” and that were created in a specific date range, instead of only searching for the word “Contoso”.
Run multiple, narrower searches. For example, assume that you are searching for documents related to recruiting a new CEO from Fabrikam, Inc. Instead of doing one search for “Fabrikam (CEO, “Anders Riis”, recruit)”, do three separate searches for “Fabrikam CEO”, “Fabrikam “Anders Riis””, and “Fabrikam recruit”.