Understanding Legal Hold

When a reasonable expectation of litigation exists, organizations are required to preserve electronically stored information (including e-mail) that's relevant to the case. This expectation can occur before the specifics of the case are known, and preservation is often broad. Organizations may preserve all e-mail related to a specific topic, or all e-mail for certain individuals. Depending on the organization's electronic discovery (eDiscovery) practices, some of the measures adopted by organizations to preserve e-mail include the following:

  • End users may be asked to preserve e-mail by not deleting any messages. However, users may still delete e-mail knowingly or inadvertently.
  • Automated deletion mechanisms such as messaging records management (MRM) may be suspended. This could result in large volumes of e-mail cluttering the user mailbox, and thus impacting user productivity. Suspending automated deletion also doesn't prevent users from manually deleting e-mail.
  • Some organizations copy or move e-mail to an archive to make sure it isn't deleted, altered, or tampered with. This increases costs due to manual efforts required to copy or move messages to an archive, or third-party products used to collect and store e-mail outside Microsoft Exchange.

Failure to preserve e-mail may expose an organization to legal and financial risks such as scrutiny of the organization's records retention and discovery processes, adverse legal judgments, sanctions, or fines.

In Exchange Server 2010, you can use legal hold to accomplish the following goals:

  • Enable users to be placed on hold and keep mailbox items in an unaltered state
  • Preserve mailbox items that may have been deleted by users
  • Preserve mailbox items automatically deleted by MRM
  • Keep the legal hold transparent from the user by not having to suspend MRM
  • Enable discovery searches of items placed on hold

Legal hold uses a new Exchange 2010 feature called the Recoverable Items folder. This folder replaces the feature informally known as the dumpster in previous versions of Exchange. The Recoverable Items folder is hidden from the default view of Microsoft Outlook, Microsoft Office Outlook Web App, and other e-mail clients. To learn more about the Recoverable Items folder, see Understanding Recoverable Items.

By default, when a user deletes a message from a folder other than the Deleted Items folder, the message is moved to the Deleted Items folder. This is known as a soft delete. When a user hard deletes an item (accomplished by pressing the SHIFT and DELETE keys) or deletes an item from the Deleted Items folder, or empties the Deleted Items folder, the message is moved to the Recoverable Items folder, thereby disappearing from the user's view.

Items in the Recoverable Items folder are retained for the deleted item retention period configured on the user's mailbox database. By default, the deleted item retention period is set to 14 days for mailbox databases. In Exchange 2010, you can also configure a storage quota for the Recoverable Items folder. This protects the organization from a potential denial of service (DoS) attack due to rapid growth of the Recoverable Items folder and therefore the mailbox database. Items are purged permanently from the Recoverable Items folder on a first in, first out (FIFO) basis when the Recoverable Items folder storage quota is exceeded, or if the item has resided in the folder for a longer time than the deleted item retention period.

The Recoverable Items folder has the following three subfolders used to store deleted items in various states and facilitate legal hold:

  1. Deletions   Items removed from the Deleted Items folder or hard deleted from other folders are moved to the Deletions subfolder and are visible to the user when using the Recover Deleted Items tool in Outlook. By default, items reside in this folder until the deleted item retention period configured for the mailbox expires.

  2. Purges   When a user deletes an item from the Recoverable Items folder (by using the Recover Deleted Items tool in Outlook or Outlook Web App), the item is moved to the Purges folder. Items that exceed the deleted item retention period configured on the mailbox database or the mailbox are also moved to the Purges folder. Items in this folder aren't visible to users if they use the Recover Deleted Items tool. When the mailbox assistant processes the mailbox, items in the Purges folder are purged from the mailbox database. When you place the mailbox user on legal hold, the mailbox assistant doesn't purge items in this folder.

  3. Versions   In Exchange 2010, when a user who is placed on legal hold changes specific properties of a mailbox item, the original item is preserved to meet discovery obligations. A copy of the original mailbox item is created before the changed item is written. The original copy is saved in the Versions folder. This process is known as copy on write. Copy on write applies to items residing in any mailbox folder. The Versions folder isn't visible to users.
    The following table lists the message properties that trigger copy on write.

    Properties that trigger copy on write

    Item type: Messages (IPM.Note*) and posts (IPM.Post*)
    Properties that trigger copy on write:

    • Subject
    • Body
    • Attachments
    • Senders/Recipients
    • Sent/Received Dates

    Item type: Items other than messages and posts
    Properties that trigger copy on write: Any change to a visible property, except the following:

    • Item location (when an item is moved between folders)
    • Item status change (read or unread)
    • Changes to retention tag applied to an item

    Item type: Items in the default folder Drafts
    Properties that trigger copy on write: None (items in the Drafts folder are exempt from copy on write)

Note

Although the Purges and Versions folders aren't visible to the user, all items in the Recoverable Items folder are indexed by Exchange Search, and are discoverable using Multi-Mailbox Search.

When a mailbox user is removed from legal hold, items in the Purges and Versions folders are purged by the mailbox assistant.

Items in the Recoverable Items folder aren't calculated toward the user's mailbox quota. In Exchange 2010, the Recoverable Items folder has its own quota. When a user's Recoverable Items folder exceeds the warning quota for recoverable items (as specified by the RecoverableItemsWarningQuota parameter), an event is logged in the Application event log of the Mailbox server. When the folder exceeds the quota for recoverable items (as specified by the RecoverableItemsQuota parameter), users won't be able to empty the Deleted Items folder or permanently delete mailbox items. Copy on write also won't be able to create copies of modified items. Therefore, it's critical that you monitor the Recoverable Items quotas for mailbox users placed on legal hold.

For mailbox databases, the default RecoverableItemsWarningQuota and RecoverableItemsQuota values are set to 20 Gb and 30 Gb respectively. These settings are usually sufficient for storing several years of mailbox data when on legal hold. To modify these values for a mailbox database, use the Set-MailboxDatabase cmdlet. To modify them for individual mailboxes, use the Set-Mailbox cmdlet.
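One way to do the monitoring described above, as an added example for the Exchange Management Shell (not part of the original article): it reports Recoverable Items usage against both quotas for every mailbox on legal hold. The helper name ConvertTo-Bytes is hypothetical, and the script assumes that mailboxes with UseDatabaseQuotaDefaults set take their Recoverable Items quotas from the mailbox database.

```powershell
# Added example: Recoverable Items usage vs. quota for mailboxes on legal hold.
# Written for PowerShell 2.0 syntax so it runs in the Exchange 2010 shell.

function ConvertTo-Bytes($size) {
    # Sizes render as "1.5 GB (1,610,612,736 bytes)". Parsing the string also
    # works on deserialized values returned by remote sessions.
    if ("$size" -match '\(([\d,]+) bytes\)') { return [int64]($Matches[1] -replace ',', '') }
    return $null   # "unlimited" or an empty value
}

$dbCache = @{}   # one Get-MailboxDatabase call per database
$report = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled } | ForEach-Object {
    $mbx = $_
    $src = $mbx
    # Assumption: database-level quotas apply unless overridden on the mailbox.
    if ($mbx.UseDatabaseQuotaDefaults) {
        $db = "$($mbx.Database)"
        if (-not $dbCache.ContainsKey($db)) { $dbCache[$db] = Get-MailboxDatabase -Identity $db }
        $src = $dbCache[$db]
    }
    $warn = ConvertTo-Bytes $src.RecoverableItemsWarningQuota
    $max  = ConvertTo-Bytes $src.RecoverableItemsQuota

    # Sum FolderSize over the Recoverable Items root and its subfolders
    # (Deletions, Purges, Versions); FolderSize excludes subfolders.
    $used = [int64]0
    Get-MailboxFolderStatistics -Identity $mbx.DistinguishedName -FolderScope RecoverableItems |
        ForEach-Object { $used += [int64](ConvertTo-Bytes $_.FolderSize) }

    $status = 'OK'
    if ($warn -and $used -ge $warn) { $status = 'Warning' }
    # At this point deletions are blocked and copy on write stops preserving edits.
    if ($max -and $used -ge $max) { $status = 'QuotaExceeded' }

    New-Object PSObject -Property @{
        Mailbox   = $mbx.DisplayName
        UsedGB    = [math]::Round($used / 1GB, 2)
        WarningGB = $(if ($warn) { [math]::Round($warn / 1GB, 2) } else { 'Unlimited' })
        QuotaGB   = $(if ($max)  { [math]::Round($max / 1GB, 2) }  else { 'Unlimited' })
        Status    = $status
    }
}

$report | Sort-Object UsedGB -Descending |
    Format-Table Mailbox, UsedGB, WarningGB, QuotaGB, Status -AutoSize
```

Run it on a schedule and alert on any row whose Status is not OK, rather than waiting for the Application event log entry on the Mailbox server.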

Authorized users that have been added to the Discovery Management role-based access control (RBAC) role group or assigned the legal hold management role can place mailbox users on legal hold. You can delegate the task to records managers, compliance officers, or attorneys in your organization's legal department, while assigning the least privileges. To learn more about assigning the Discovery Management role group, see Add a User to the Discovery Management Role Group.

In Exchange 2010 RTM, you must use the Set-Mailbox cmdlet to place a mailbox on legal hold. To learn more about placing a mailbox on legal hold, see Place a Mailbox on Legal Hold.

Many organizations require that users be informed when they're placed on legal hold. Additionally, when a mailbox is on legal hold, any retention policies applicable to the mailbox user don't need to be suspended. Because messages continue to be deleted as expected, users may not notice they're on legal hold. If your organization requires that users on legal hold be informed, you can add a notification message to the mailbox user's Retention Comment property. Outlook 2010 displays the notification in the backstage area. The Retention Comment property can be added using the Exchange Management Console (EMC) or the Exchange Management Shell.

Note

In Exchange 2010, the Retention Comment property is used to display a notification for both retention hold and legal hold.

Important

If any applicable regulations or organizational policies require that users acknowledge the legal hold notification, displaying the legal hold notification may not suffice. Many organizations use e-mail or printed notifications. These can be used in addition to the notification displayed in Outlook 2010.