E-Discovery Support

by Jon Lober | NOC Technology

What Your IT Provider Should Offer

A discovery request lands on your desk. Opposing counsel wants all emails from January to June 2024, all documents mentioning a specific project, and all Teams messages from five employees. You have 30 days to produce it.


You call your IT provider. Can they actually pull all of that together, emails with metadata intact, chat logs from Teams, documents scattered across SharePoint and OneDrive, without missing anything or accidentally destroying evidence in the process?


E-discovery isn't just a legal problem. It's an IT problem. And if your IT provider can't support preservation, collection, and production of electronic evidence, your firm is carrying risk it doesn't need to.


Here's what your IT provider should actually be doing to support your firm's e-discovery needs, and what to look for if they're not.


What E-Discovery Means for Your IT Infrastructure

E-discovery (electronic discovery) is the process of identifying, preserving, collecting, processing, reviewing, and producing electronically stored information (ESI) for litigation or investigations. Under the Federal Rules of Civil Procedure and similar state rules, you have a legal obligation to preserve relevant evidence once litigation is reasonably anticipated.


That evidence lives in your IT systems. Emails, documents, databases, Teams chats, text messages, voicemails, calendar entries, metadata - all of it is potentially discoverable. The Electronic Discovery Reference Model (EDRM) outlines nine stages of this process: information governance, identification, preservation, collection, processing, review, analysis, production, and presentation.


Your IT provider touches almost every one of these stages. Without proper IT support, you risk missing evidence, producing incomplete data, or worse - accidentally destroying information you were legally required to preserve.


The Critical First 48 Hours: Legal Holds

When litigation becomes reasonably foreseeable, you need to implement a legal hold immediately. This suspends your normal document retention and deletion policies to preserve potentially relevant evidence.


What your IT provider should do:

  • Stop automated deletions: Disable email auto-archive, Teams retention policies, and any scheduled data purges for affected custodians
  • Preserve backups: Ensure backup systems retain data from the relevant time period - don't let backup rotation overwrite evidence
  • Document the hold: Create written records of exactly what preservation steps were taken and when
  • Communicate clearly: Work with your legal team to understand the scope and execute technical preservation without legalese confusion


A good IT provider can execute a legal hold within hours of receiving notice. If yours needs days or weeks, that's a red flag. Courts don't accept "we were waiting on IT" as an excuse for spoliation.


Data Mapping: Knowing Where Everything Lives

You can't preserve what you can't find. E-discovery readiness starts with understanding your firm's data.


Your IT provider should maintain documentation of:

  • All email systems and their retention settings
  • Cloud storage locations (OneDrive, SharePoint, Google Drive, Dropbox)
  • On-premises file servers and their backup schedules
  • Messaging platforms (Teams, Slack, text messages on firm devices)
  • Practice management software databases
  • Legacy systems that might contain older records
  • Personal devices used for firm business (BYOD policies)


This data map should be current, not something you discover is two years out of date when opposing counsel requests production. Ask your IT provider when they last updated your data inventory. If they can't tell you, that's a problem.


Forensically Sound Collection

Collecting electronic evidence isn't the same as copying files. For e-discovery, collection must be forensically sound - meaning the evidence is collected in a way that preserves its integrity and can withstand legal scrutiny.


What this looks like in practice:

  • Metadata preservation: Collecting not just the document content but when it was created, modified, accessed, and by whom
  • Chain of custody documentation: Recording exactly how data was collected, who handled it, and how it was stored
  • Hash verification: Using cryptographic hashes to prove data hasn't been altered since collection
  • Proper imaging: Creating exact copies of hard drives or systems rather than just copying individual files


Your IT provider doesn't need to be a certified forensic examiner, but they should know when to bring in a forensic examiner and how to avoid contaminating evidence before the experts arrive. Dragging a folder to a USB drive is not a forensic collection.


Email: The E-Discovery Heavyweight

Email remains the most requested data type in discovery. Your IT provider should make email collection straightforward, not a nightmare.


Capabilities to look for:

  • Search across all mailboxes: Quickly identify emails matching date ranges, senders, recipients, or keywords
  • Export in standard formats: Produce email in formats attorneys and e-discovery platforms can actually use (PST, EML, MBOX)
  • Include attachments and threading: Ensure email families stay together and conversation threads remain intact
  • Capture deleted items: Recover emails from deleted items folders, archive systems, or backup retention
  • Journaling and archiving: If you have compliance archiving (like a Microsoft 365 journal rule or third-party archive), your IT provider should know how to search and export from it


If your IT provider's answer to "can you pull all emails from the last six months for these five people" is "we'll try our best," you need a better answer.


Microsoft 365 E-Discovery Features

Most law firms now use Microsoft 365, which includes built-in e-discovery tools. Your IT provider should understand these capabilities and their limitations.


Standard E-Discovery (E3 licenses):

  • Content Search across Exchange, SharePoint, OneDrive, and Teams
  • Basic search queries and export
  • Legal holds on mailboxes and sites


Advanced E-Discovery (E5 or add-on):

  • Case management with custodian workflows
  • Intelligent document review with AI-assisted relevance
  • Near-duplicate detection and email threading
  • Review sets with tagging and annotation
  • Advanced analytics and predictive coding


Many firms don't realize they already have some e-discovery capability in their licensing. A knowledgeable IT provider should help you understand what tools you have and whether you need upgrades for more complex matters.


Spoliation: The Risk That Keeps Partners Awake

Spoliation - the destruction or significant alteration of evidence - carries serious consequences. Courts can impose sanctions ranging from monetary penalties to adverse inference instructions (telling the jury they can assume the destroyed evidence was bad for you) to case dismissal or default judgment.


Under Federal Rule 37(e), if you fail to preserve ESI that should have been preserved, and it cannot be restored or replaced, courts can impose measures to cure the prejudice. If you acted with intent to deprive another party of the information, the court can presume it was unfavorable, instruct the jury they may presume it was unfavorable, or dismiss the action or enter default judgment.


IT actions that trigger spoliation risk:

  • Continuing automated email deletions after a hold is implemented
  • Running disk cleanup or defragmentation on systems under preservation
  • Migrating to new systems without preserving old data
  • Allowing backup tapes to be overwritten
  • Failing to preserve chat messages or text communications
  • Wiping employee devices upon termination without checking for holds


Your IT provider should understand that routine IT maintenance activities can become spoliation once litigation is anticipated. They need to check with your legal team before making changes that could affect preserved data.


Questions to Ask Your IT Provider

If you're evaluating whether your current IT provider can support e-discovery, start with these questions:

  1. How quickly can you implement a legal hold across our systems?
    Acceptable answer: "Same day, usually within a few hours."
  2. Do you have documentation of where all our data is stored?
    Acceptable answer: "Yes, here's our current data map, last updated [recent date]."
  3. Can you export email with metadata intact in standard formats?
    Acceptable answer: "Yes, we can produce PST, EML, or other formats as needed."
  4. What's your process for preserving data during a legal hold?
    Acceptable answer: A documented process that includes stopping deletions, preserving backups, and coordinating with legal counsel.
  5. Have you handled e-discovery requests before?
    Acceptable answer: Experience matters. Ask for examples (without confidential details).
  6. Do you coordinate with outside e-discovery vendors when needed?
    Acceptable answer: "Yes, we work with forensic specialists and e-discovery platforms when matters require it."


What Your IT Provider Should NOT Do

E-discovery support has limits. Your IT provider is there to preserve, collect, and produce data - not practice law.


Leave these to your legal team or e-discovery specialists:

  • Deciding what data is relevant or privileged
  • Conducting document review
  • Making production decisions
  • Negotiating with opposing counsel about scope
  • Selecting e-discovery software platforms


Your IT provider executes the technical requirements. Your attorneys make the legal decisions. Those lines shouldn't blur.


Building E-Discovery Readiness

The best time to think about e-discovery is before you need it. Proactive steps your IT provider should help with:

  • Document retention policies: Establish clear policies for how long different data types are retained
  • Regular data inventories: Update your data map annually at minimum
  • Staff training: Ensure IT staff understand legal hold procedures
  • Backup strategy review: Confirm backup retention periods support potential litigation needs
  • Cloud application auditing: Know what cloud services your firm uses and where that data resides
  • Mobile device management: Have a plan for preserving data on firm-owned and BYOD devices


These preparations reduce panic when litigation arrives. You'll know where your data is, how to preserve it, and who's responsible for each step.


The Bottom Line

E-discovery is increasingly a technical challenge, not just a legal one. The data volumes keep growing, the number of potential evidence sources keeps expanding, and courts keep expecting faster, more complete responses.


Your IT provider is either an asset or a liability in this process. An IT provider who understands legal holds, forensic collection, and data preservation makes litigation more manageable. One who doesn't creates risk every time a lawsuit lands on your desk.


If your current provider shrugs when you mention e-discovery, it might be time for a conversation - or a change. Need IT support that understands your firm's legal obligations? Contact us for an assessment of your e-discovery readiness.

Frequently Asked Questions

What is e-discovery, and why does it matter for law firms? +
E-discovery is the process of identifying, preserving, collecting, and producing electronic evidence for litigation or investigations. It matters because nearly all business communications now exist electronically, and courts require parties to preserve and produce this data. Failure to do so can result in sanctions, adverse inferences, or case dismissal.
How quickly should a legal hold be implemented? +
Legal holds should be implemented immediately once litigation is reasonably anticipated - typically within 24 to 48 hours. Your IT provider should be able to stop automated deletions, preserve backups, and document preservation steps within the same business day of receiving notice. Delays create spoliation risk.
What data types are typically included in e-discovery? +
E-discovery covers all electronically stored information (ESI): emails, documents, spreadsheets, databases, calendar entries, Microsoft Teams or Slack messages, text messages, voicemails, social media posts, metadata, and any other digital records. Cloud storage, backup systems, and mobile devices are all potential data sources.
What happens if evidence is accidentally destroyed during a legal hold? +
Destroying evidence during a legal hold (spoliation) can result in serious sanctions under Federal Rule 37(e). Courts may order measures to cure prejudice, allow adverse inferences against the spoliating party, instruct juries they may presume the lost evidence was unfavorable, or in severe cases, dismiss claims or enter default judgment.
Does my IT provider need to be a forensic specialist for e-discovery? +
Not necessarily. Your IT provider should understand forensically sound collection principles (preserving metadata, chain of custody, hash verification) and know when to bring in certified forensic specialists. For routine matters, a knowledgeable IT provider can handle preservation and collection. Complex cases may require dedicated forensic experts.
What Microsoft 365 e-discovery features should my firm be using? +
At minimum, firms should use Content Search (included with E3) to search across Exchange, SharePoint, OneDrive, and Teams. Larger firms or those with frequent litigation should consider Advanced E-Discovery (E5 or add-on) for case management, custodian workflows, AI-assisted review, and advanced analytics.
How often should we update our data inventory for e-discovery readiness? +
Your data map should be updated at least annually, and whenever significant changes occur (new systems, cloud migrations, office relocations, new practice areas). An outdated data inventory creates risk during litigation because you may miss relevant evidence sources or waste time searching systems that no longer contain current data.

HIPAA Compliance Checklist for St. Louis Medical Practices

By Jon Lober March 18, 2026
Getting ready for a HIPAA Audit?

Business Associate Agreements: IT Provider Checklist

By Jon Lober March 18, 2026
Learn what belongs in a Business Associate Agreement with your IT provider. Use this BAA checklist to verify HIPAA compliance before signing any contract.
meeting IT regulatory compliance

5 Signs Your Business Has a Compliance Gap

By Jon Lober March 17, 2026
Think your business is compliant? These 5 hidden gaps put St. Louis companies at risk of fines, downtime, and lost trust. Learn where to look before it’s too late.
More Articles