—Winston Churchill

How can you prepare your organization for legal or regulatory cases? Your strategy might demand a quick and comprehensive disclosure response, and you can achieve this using the eDiscovery feature in SharePoint 2013. In this chapter, I provide an overview of eDiscovery in general and its capability within SharePoint 2013. I also walk you through how to configure the feature and add content sources to make organizational content available for eDiscovery. Finally, I share the steps and techniques to manage and configure individual discovery cases.

After reading this chapter, you will know how to

• Describe the eDiscovery capability in SharePoint.
• Configure eDiscovery in SharePoint.
• Manage and configure discovery cases.
• Perform a content audit.

Overview of eDiscovery

What is eDiscovery? The term eDiscovery stands for electronic discovery, and quite simply, it is a means of discovering electronic or digital assets and artifacts existing within an organization. It is more formal and inclusive than an end user’s search seeking to discover content on a particular subject. Instead, it involves locating every instance related to a specific case, usually a case of a legal or regulatory compliance nature. An organization uses eDiscovery to identify each unit of information, packaged together for discovery and even disclosure.

Before I get too far into the theory and features, let’s consider the problem eDiscovery tries to solve. Imagine, if you will, an organization filled with structured and unstructured data, most pertaining to some aspect of the organization’s operations. Now imagine one of several things happening that would require that organization to comb through its data and account for every instance of information relating to a particular topic. Some things that can happen include:

• A lawsuit against the organization requiring full disclosure
• An internal incident a team wants to investigate and determine its root cause
• A regulatory compliance audit against the organization
• An antitrust case related to a Competition Act

All of these incidents typically include a subpoena or court order legally requiring the organization to provide full disclosure of information to the other party. Without an effective system in place, the organization may face contempt of court charges for burdening the other party with too much irrelevant information or for unknowingly withholding information.

For example, what if a maker of one product felt that another firm was acting in an anticompetitive manner? The first firm might bring about an antitrust investigation through its local government. The government would require copies of any information related to the antitrust investigation in a timely manner, including formal records and transitory content such as collaborative documents and any e-mail messages that still exist.

An organization with a good eDiscovery strategy and system in place can respond quickly, feeling confident that it has disclosed all the required information. The organization can also efficiently determine what its risk exposure is and how motivated it should be to settle or fight the case, all by having a global view of any relevant enterprise content.

Electronic discovery involves two aspects for an effective case management system: a business process and the underlying technology to support the case management implementation details. The technical side consists of the implementation and configuration of system features (in this case, SharePoint product features). Your business processes include any policies and procedures you have related to legal or regulatory discovery, as well as the roles and responsibilities related to each. This can include a variety of processes, such as:

• Who has the authority to manage an eDiscovery case?
• What triggers an eDiscovery case?
• How is disclosure packaged and transmitted?
• What repositories does an eDiscovery system access?

These are not easy questions, although they might sound reasonably straightforward. In my experience, it is best to work through the different scenarios and potential exceptions ahead of time, defining the different business processes with the case management policies and procedures before you need them. That way when an incident occurs or a case otherwise arises, you will have the systems and processes in place to respond quickly and efficiently. The alternative could catch you unprepared, potentially interrupting your regular operations and possibly even putting the organization at risk.

Another characteristic of eDiscovery involves working alongside the ongoing operations of the organization—rarely does a case completely shut down an organization before allegations are proven and due diligence exhausted. This means that an eDiscovery process needs to work without impairing the day-to-day operations of an organization, and without an effective system in place, the discovery process and case management could consume too much manual effort and interfere with conducting business.

By setting up an effective system, you mitigate your organization’s risk exposure. Legal and regulatory compliance issues will usually catch you by surprise, and an eDiscovery system will not make you immune to that, but an effective system with predefined processes will leave you prepared and enable you to respond with the best available information and in a timely manner.

The manual eDiscovery option is overly cumbersome mostly because a typical organization has too many repositories of content. Figure 11-1 illustrates some of the different repositories of information in an organization that an eDiscovery case will involve. As you can see, for a case manager to check each repository individually would be time consuming, and exponentially more so in repositories without a search capability available. What a case manager needs is an enterprise solution, one that spans and indexes all enterprise systems and content repositories so that when an eDiscovery case occurs, he or she can efficiently identify any related content.

When an incident occurs or something else initiates the need for electronic discovery in your organization, you can conceptually group the discovery requirements and needed actions together as an eDiscovery case. Each case can relate to a regulatory or legal case. It provides a case manager with a useful way to map and track cases with external discovery requests. A case manager role can include legal counsel, information or records managers, or auditors.

Case management includes the tools as well as the processes for effectively managing and processing discovery cases. This can include things such as specifying the discovery criteria, identifying the content sources, and packaging the content for disclosure. SharePoint 2013 introduces the eDiscovery feature, which it implements through a combination of sites and its search engine. In the next section, I provide an overview of the different characteristics and features of eDiscovery in SharePoint.

SharePoint 2013 eDiscovery Features

The new eDiscovery feature is one of those key features I find moves organizations to upgrade to SharePoint 2013. In the past, an organization might consider delaying an upgrade or skipping a version for a variety of reasons, such as those relating to costs or standardization. Often in these cases, one could justify deferring an upgrade because other workaround solutions existed. A solution may involve a compromise on the available functionality or user experience vs. a newer version, or it may involve higher development costs to fill a gap, but usually a reasonable alternative was available. With eDiscovery, the alternative (typically manual) solutions are much less desirable, so the need for eDiscovery continues to increase.

SharePoint 2013 introduces the eDiscovery Center site template, a specialized site with features to support discovery case management. Figure 11-2 shows the default welcome page of a site created using the eDiscovery site template.

The eDiscovery site template contains features to create and manage a discovery case itself, such as the discovery query and any content holds. These site features provide the user experience for case management. The site does not contain features to crawl the actual content; eDiscovery utilizes the SharePoint search index to query and discover content.

By using SharePoint search, an eDiscovery case can take advantage of the powerful enterprise search engine for querying content. It also standardizes and simplifies how SharePoint accesses, crawls, and indexes content. Figure 11-3 illustrates the logical architecture of an eDiscovery site utilizing the SharePoint search service, which in turn crawls and indexes the content.

As you are planning your eDiscovery solution, keep in mind that with this search component in the eDiscovery architecture, you can include practically any unit of information on your organization’s network as part of your eDiscovery solution’s scope. The content sources that your SharePoint search engine can crawl also serve as an eDiscovery content source. This is significant because it allows you to include much more than documents.

The following lists some ideas about the different content sources you can include by taking advantage of the search service:

• SharePoint sites
• Exchange mailboxes and public folders
• Network file shares
• Web sites and wiki pages
• Third-party content repositories and records centers using SharePoint connectors

If the search engine can reach the content source on the network and you have configured it to access and crawl the content, then your eDiscovery solution will include that content source as well. I am excited by the possibilities this brings because it enables a case manager to have a global view of all electronic content, anywhere on the organization’s network.

Another important feature of SharePoint eDiscovery is the concept of in-place holds for SharePoint and Exchange content. This allows a case manager to discover content without interfering with the ongoing operations of teams working with the content. When a case manager applies an in-place hold to content, the content remains in its original location and users can continue to work with it in context. If a user edits content with a hold applied, SharePoint captures a copy of the content at the time the hold was placed and stores the copy in the Preservation Hold library.

The Information Management Retention timer job runs periodically and cleans up the Preservation Hold library by comparing the library’s contents with eDiscovery filters. Unless content matches at least one of the filters, the timer job deletes the content from the preservation hold library.

Creating and Configuring an eDiscovery Portal

You can create an eDiscovery portal the same way as any other site collection. On the Create Site Collection page, select the eDiscovery Center template in the Template Selection section, as shown in Figure 11-4.

The eDiscovery Center hosts all the discovery cases, with each case contained in a sub site. When you create a new eDiscovery Center, SharePoint provisions the default site groups—Owners, Members, and Visitors. I like to create an additional group to manage the case manager membership and permissions.

1. To add a new group, navigate to the Site Settings page and click the People and Groups link.
2. Click the Groups link in the left navigation menu to navigate to the People and Groups page, as shown in Figure 11-5.

   

   Figure 11-5. The People and Groups page

3. Click the New button to create a new group.
4. Enter a Name for the group, such as Case Managers, and check to grant the group Full Control, as shown in Figure 11-6. Specify any other settings you wish, and then click Create.

   

   Figure 11-6. The Create Group page

I recommend that you use an Active Directory security group to centrally manage the group membership from a single location. You can create a new group using the Active Directory Users and Computers tool. Figure 11-7 provides an example of creating such a security group.

Once you have a domain security group, you can add it to the Case Managers SharePoint site group, as shown in Figure 11-8.

You can reuse this group to grant full read access permissions to all site content by granting a User Policy to any of the source web applications. To grant a User Policy on a web application, follow these steps:

1. Navigate to the Application Management page in SharePoint Central Administration and click Manage Web Applications.
2. Select the desired web application and click the User Policy button in the ribbon.
3. Click Add Users and add the eDiscovery Case Managers security group you created previously in Active Directory, as shown in Figure 11-9.

Because this security group has such wide and elevated access to content, it is best to plan your security using a principle of least privilege. One option is to create an administrative account for your case managers to use when they create a discovery case, and you can add this account to the eDiscovery Case Managers security group. Alternatively, you can grant membership to the security group only when a case manager has an active discovery case to manage. This will help to prevent accidental disclosure of information by minimizing the amount of time a case manager’s account has elevated read permissions.

Once you have your eDiscovery Center configured, you can begin to create discovery cases. In the next section, I step through how to create a discovery case and the different settings you can use to query and filter content.

Creating and Managing Discovery Cases

You can create a discovery case by clicking the Create New Case button on the eDiscovery Center welcome page. This creates a new SharePoint site within the eDiscovery Center site collection and it uses the eDiscovery Case site template, as shown in Figure 11-10.

Figure 11-11 shows the welcome page for a new discovery case site. You have two main options to discover content: you can create an eDiscovery Set or a Query.

• eDiscovery Sets find and preserve content located in Exchange mailboxes, SharePoint sites, and file shares. You can optionally apply an in-place hold to the SharePoint and Exchange sources.
• Queries find and export content based on a filter defining your search criteria from sources that include Exchange mailboxes, SharePoint sites, file shares, and eDiscovery Sets. You can use a query to export and download a copy of the matching content.

To create a new eDiscovery Set, click the New Item button in the Identify and Hold section on the discovery case site welcome page.

1. Specify a descriptive Name for the eDiscovery Set.
2. Click the Add & Manage Sources link to add any applicable sources, as shown in Figure 11-12. Add the applicable sources and click OK.

   

   Figure 11-12. The Add & Manage Sources modal window

    Note  For eDiscovery integration with Exchange, you first need to install the Microsoft Exchange Web Services Managed API 2.0 on the SharePoint servers. Please see the TechNet site at www.microsoft.com/download/details.aspx?id=35371 for information on these components.

3. If desired, enter a search query in the Filter field.
4. Enter the other filter parameters, such as the Start and End Date, Author, or Sender.
5. Click Apply Filter.
6. Select to Enable or Disable In-Place Hold.
7. Click Save.

Figure 11-13 shows an example creating a new eDiscovery Set. In this example, I set the filter parameters to find content authored by Steve Goodyear during the month of July. For simplicity, I also entered an advanced Filter query to search for content titled Sample.

After you create an eDiscovery Set, the In-Place Hold Status dashboard on the case site welcome page will display the number of affected content items and their respective hold statuses, similar to the example in Figure 11-14.

Using eDiscovery Sets provides a means to discover content and place it on hold. However, compliance or legal requirements may require you to provide disclosure of the content involved in the discovery case. Lucky for you, SharePoint 2013 eDiscovery also enables you to export content.

Wrapping Up

You can prepare your organization for legal and regulatory cases by planning your search index and creating an eDiscovery Center to manage discovery cases. This involves creating a site collection based on the eDiscovery Center site template, and then granting the required permissions to case managers to discover content. In this chapter, I described eDiscovery and how to configure it in SharePoint 2013. I also walked you through how to create and configure discovery cases, including the options for querying and filtering content. Finally, I explained how to export content for disclosure.

Setting up an effective eDiscovery solution will help you save time and respond quickly to any legal or regulatory discovery and disclosure requirements. Content discovery is useful in a variety of ways, as I have shown in the past few chapters, including connecting users with information and helping them to be productive. There are times, however, when you want to prevent discovery of content to protect its information. In the next chapter, I provide an overview of the different security aspects available in SharePoint and I share some guidance on how to protect secrets as part of your enterprise content management solution.