As of June 1, 2024, Vestige Digital Investigations is part of ArcherHall, a leading digital forensics, 
e-discovery, and cybersecurity service provider. The Vestige team that you know and trust will
continue to serve you at ArcherHall. Our expanded team, capabilities, and infrastructure will allow
us to serve you and your clients even better.

Responding to Litigation Holds with a Defensible Preservation Plan


Responding to Litigation Holds with a Defensible Preservation Plan

Author photo

Over the years we have been exposed to thousands of companies’ approaches to litigation holds and I’m often surprised by the wide variance in the approaches. One thing for certain is that the sensitivity and awareness to the need and legal requirement for litigation holds surrounding Electronically Stored Information is well entrenched with most organizations’ legal counsel. It has taken a while, but since the 2006 amendments to the Federal Rules of Civil Procedure organizations, large and small, are getting it. Is it all of them? Clearly not; but hey, baby steps, right? As an entity that lives and breathes ESI day-in and day-out, we sometimes lose sight of the fact that organizations that aren’t exposed to it all of the time have some differing opinions and points of view than perhaps what the industry views as best practices. One area where this holds true is the comprehensiveness of the hold. Too often stakeholders want to take the path of least resistance and end up woefully short of their duties. Not as often, but enough to make it an issue, we find organizations that go way overboard on their preservation duties. Clearly, there has to be a middle-ground, no? Read on as I explore the facets of a Defensible Preservation Plan.

The Abandonment of Perfection?

Too often we run into uninformed clients or overzealous counsel that improperly believe that anything and everything within a target’s organization needs to be preserved.  While it is true that your duty to preserve exceeds your duty to produce, by no means do the Rules require that all ESI be preserved.  The other aspect that we often see is counsel, without evaluating the nature of the risk, demands that the preservation efforts of the organization be perfect.  Similarly, the Rules do not talk about perfection.  What is perfection anyhow when the litigation at-hand is likely to be a moving target?  I would be hard-pressed to find a matter that we have been involved in that the organization, counsel for both sides and everyone involved came to the table at the beginning with all of the answers and that nothing changed throughout the matter; it just doesn’t happen. And so, the efforts for preservation of digital evidence need to accommodate that.

Identifying and Lowering the Risk

When it comes to ESI preservation, over-zealous legal counsel, uninformed IT staff and management’s level of cooperativeness all come together to form an interesting and potentially volatile mix that needs to be properly managed Unless sidled in litigation, the majority of organizations do not have an appreciation for the delicateness and importance of the electronically stored information discovery process. They’re typically not exposed to the tactics of opposing counsel as they try to unsettle the party opponent with accusations of inadequate productions, failure to adequately preserve and of course the feared claims of spoliation.  Management is concerned with keeping the business moving forward and can’t be mired with the minutiae of ensuring their ESI is preserved.  IT is even worse.  Not only does IT typically not understand, much less appreciate, the environment of litigation, but the workload on IT’s plate is often so exhaustive that to add yet another non-essential task to the mix prevents them from accomplishing what they truly view as their role.  And while this is a generality, in our experience, most IT professionals have a knack for efficiency – and sometimes the most efficient thing to do is nothing.  Whilst that may be a positive attribute for making your operations hum at peak performance, far too often that attitude allows laziness to creep in.  “If I say no, this will probably just go away” is definitely in the mindset.

The need for a methodical approach that properly addresses the concerns of each of these constituents has to be at the forefront.  It must, however, be a balancing act to ensure cooperation and free-flowing information that provides the best information at the time.  We’ll come back to this point.

Additional Challenges


There is a small cadre of attorneys that fancy themselves as technology gurus (probably most of our reading audience…so pat yourselves on the back); but for the vast majority out there, the level of knowledge about technical aspects is underwhelming.  We have had situations where counsel requested assistance with interrogatories or even in depositions by demanding a list of questions that they can ask—without recognizing that you can ask any question you like, but if you don’t understand the answer enough to formulate follow-on questions to lead to an opinion of what’s going on, you’re not much better off than having not asked the question at all.  We have read countless transcripts of depositions, hearing and trials where counsel asked all the right questions—initially, yet failed to issue-spot the most important implications of the answers, thereby glossing over the crux of the issue.

Further, being removed from “the way things work” in the corporate world, oftentimes there is an idealistic viewpoint of how technology is supposed to work within an organization; the kinds of ideas that one can garner from reading about technology, but not really having the foundation and real-world experiences.  This is similar to that corporate client that, having its first taste of litigation, reads as much about the process, comes to know the Rules inside and out and can discuss the idealistic manner in which things should proceed, but finds it incredulous that judges don’t always rule in favor of the party that is “right” or that this aspect didn’t work out the way that they had expected.

Information Technology

The organization’s IT infrastructure was well thought out and planned to a “t” and IT management has put controls in place to ensure that users activities are adequately limited and controlled – or perhaps not; maybe, like most organizations, the IT infrastructure grew up out of necessity.  The reality is that organizations’ IT environments are complex.  Combine multiple servers, different operating systems, virtualization, cloud-computing, desktops, laptops, tablets, printers and photocopiers, unification of e-mail, voicemail and faxing, the convergence of telecommunications, cellular voice and data and whatever the BYOD (Bring Your Own Devices) ‘soup du jour ‘ is this week and it’s a recipe for complexity.  Even well qualified IT professionals, within a well controlled environment will have difficulty understanding all of the moving parts of the organization’s IT.  Now layer in the nuances of litigation and it becomes clear why counsel is often shocked down-the-road when they discover that not all of the relevant systems have been clearly identified and preserved at the onset of the litigation hold.  Oh, and wait…that’s assuming that IT was brought into the picture at the onset of the litigation hold.  Far too often the inclusion of IT at the table is a mere after-thought.  I can’t count the times that our involvement (in the eleventh hour) reveals that the phone call that counsel made just prior to the call to us was to get IT involved – and yet the case has been around for months, if not years.

Document Custodians

Let’s assume that counsel is sharp, on-the-ball, timely and really recognizes the issues at-hand.  Stays involved and has full cooperation of the organization’s management, including IT.  Let’s also say that the organization has a top-notch IT staff and has implemented a controlled IT environment.  Enter the end-users!

End-users are by far the most unpredictable variable in this equation.  Regardless of the intent of the custodians, their technical savvy-ness or their level of cooperation, this is absolutely where a vast majority of the issues arise.  It is where the rubber meets the road.

What are the issues?  Well, in short, end-users will do whatever it takes to get their job done – regardless of the policies in place, the procedures that have been established and the overall culture.  They are crafty, creative and downright resourceful.  Some are ardent technologists themselves, some are tinkerers and some have received their Technology certificates from Google – having an amazing ability to search for any kind of workaround, loop-hole or bypass that they may need in order to complete their work.  And while IT may have a belief as to how the system is being used, their visibility into these issues is oftentimes non-existent.  In fact, I would go as far as to say they have blinders on as to the possibilities of these kinds of workarounds.  Case in point, we recently were assisting outside counsel interviewing the IT staff and early into the interview the IT Manager claimed that end-users were not permitted to store documents on their local system.  We inquired about the kinds of system controls that were in place to affect this; there were none.  But the IT Manager ensured us that by written policy (of which a violation of could result in termination) was enough to keep the end-user from saving data locally.  About 15 minutes into the interview, we arrived at the subject of e-mail quotas, to which the IT Manager responded that “without quotas on the e-mail, our staff would keep everything and we’d run out of storage space”.  So we inquired as to what end-users do.  He explained that they were instructed to create archive e-mail stores and save these to their local machine.  “But isn’t that a violation of the corporate policy?” I inquired.  “Well, now that you mention it, I guess it is.  Hmm, guess we’re going to need to rethink that” he said.  Of course, the bigger concern is what precedence does that set for the end-user?  Needless to say, a review of the organization’s local devices revealed that, just as suspected, end-users routinely saved data to their local systems.  Yet, I can assure you this IT Manager could have passed a lie detector – he had a false belief.  I wish I could say that this was an isolated event, but truth be told, I could extract this same story from scores of matters.

A Solution

Recognizing that ESI preservation exceeds the duty to preserve and understanding that preservation doesn’t have to be perfect, we are left with trying to strike that perfect balance between capturing the important stuff, leaving the non-essential stuff alone, meeting counsel’s obligations in Discovery, keeping management happy, dislodging IT’s ill-informed beliefs and identifying those habits of end-users that result in data being squirreled away in areas unknown to the organization.

Enter the Defensible ESI Preservation Plan. A Defensible Preservation Plan is a written document that is used by the Legal Team to document the Sources of Relevant ESI and how it will be preserved.  It also addresses the information that will NOT be preserved – but most importantly documents the rationale for those decisions.  When conducted at the onset (or even at the anticipation of litigation), the Defensible Preservation Plan documents the set of facts by which the Legal Team will base its decisions.  This has ultimately proven to be absolutely essential, when 9 months, 14 months, or 2 years later, as the facts in the matter change, it is discovered that some critical evidence wasn’t preserved.  The document can be consulted and the assumptions, facts and other evidence that existed AT THE TIME that lead to the decisions can be presented.  That’s part of the Defensibility equation, but it’s not all of it.

A Defensible Preservation Plan starts by identifying the Key Players.  Vestige’s version ranks the custodians based upon importance within the matter and follows a structured approach that we have developed.  This is essential as the level of care surrounding the different levels of custodians is adjusted to meet the demands and risk involved.  From there, a thorough understanding of the IT environment – from the perspective of the organization’s IT – is undertaken.  This provides efficiency in the process as much of what is learned in this phase can then be used in the latter stages to better understand where the Relevant Data Sources truly exist.  It is, however, recognized that at this stage much of the information is taken with a “grain of salt” to ensure that the blinders aren’t put on as to how data really moves through the organization.

Next, the Key Players are interviewed and initial information is collected from their devices (artifacts and things that allow one to validate the “story”).  These interviews are NOT intended to learn more about the litigation.  These interviews are designed to learn and understand the end-users’ “Computing Habits”.  It is designed to learn where they typically store data, what issues they have had in doing so, what their fallback methods are, etc.  In essence, it is designed to identify those things that are unknown to the organization’s IT – you know, the unofficial guide to how things actually get done in the organization.

Finally, all of this information is put together in written form that combines the Legal expertise, the organization’s IT expertise combined with the true-grit of the end-users’ expertise.  It must be a working document and as facts change throughout the litigation, is constantly referred to and updated accordingly.


While the document itself is important, the true value of a Defensible Preservation Plan comes from going through the process and doing so with open eyes surrounding the needs and tendencies of each of the four categories of stakeholders.

By Damon S. Hacker, MBA, CCE, CISA,
President & CEO at Vestige Digital Investigations
For more information CONTACT US.