Modern Attachments in M365 eDiscovery: How Much Do They Really Matter? A Practical Assessment of the Significance of Modern Attachments in M365 eDiscovery from HaystackID®

EDRM - Electronic Discovery Reference Model

EDRM - Electronic Discovery Reference Model

[Editor’s Note: EDRM is proud to amplify the educational material of our Trusted Partners.]

Modern attachments by Jason Covey Image: HaystackID


eDiscovery has seen substantial transformation recently, characterized by the introduction of complex and continuously evolving data types. This shift has been primarily driven by rapid innovations in technology and the widespread adoption of a new generation of business applications. In the current eDiscovery landscape, no more influential or problematic data source exists than Microsoft Teams and its emergence as “the new email.”

In addition to the messaging features, Teams unleashed the widespread usage of so-called “modern attachments” (also referred to as “cloud attachments” in certain areas of Microsoft’s documentation and UIs). Rather than providing the actual attachment, such as a Word or PDF file directly attached to a legacy email, the modern attachment exists as a hyperlink to the source file in OneDrive or SharePoint to which granular controls can be applied.

Jason Covey has shared a One Drive Doc with you

Example – Modern Attachment Icon

A central purpose of modern attachments (as with Google Drive document hyperlinks familiar to Gmail users) is to provide enhanced security access controls down to the document level to better address data security, privacy, loss prevention, etc. Although an essential pursuit in the age of data breaches and expanding privacy legislation, the net results collide with the long-established obligations of eDiscovery – disclosure, completeness, process transparency, and defensibility.

Further, modern attachments are not limited to Microsoft Teams and can also appear in the context of Microsoft email.

In that way, and as part of the “new normal” in eDiscovery, it can be said that modern email is becoming more like Teams and not the other way around.

The Standard vs. Premium Dilemma

An important distinction for practitioners to consider with collecting data types that include modern attachments involves applicable Microsoft licensing and the divergent technical capabilities between the resulting eDiscovery tools – Microsoft Purview eDiscovery Standard or Premium.

Setting aside Content Search (which mirrors Standard’s functionality for this discussion), the distinction is simple: Premium eDiscovery automatically collects modern/cloud attachments and maintains their family relationships according to the long-accepted eDiscovery paradigm. On the other hand, Standard leaves modern attachment content behind, with only a reference to their existence. As such, the official Microsoft solution to the modern attachment dilemma is to apply the Premium eDiscovery toolset, which was carefully engineered to address these modern data types effectively and continually evolve with future data types as part of the M365 ecosystem.

What Could Go Wrong?

Imagine a scenario where, at the time of collection, experienced in-house personnel who routinely perform data collection in support of their organization’s law department, with expertise in a broad range of data types that include email, PCs, mobile devices, and numerous other IT systems, follow their carefully written SOPs from mid-2019. These SOPs outline the usage of M365’s straightforward Content Search capability to export user mailboxes from Microsoft Exchange. As the team is fully aware that compliance copies of Teams message data is stored in Exchange mailboxes, they proceed with confidence that their collections are thorough and complete. Export of 500 GB of PST results across 35 custodians is performed familiar eDiscovery Export Tool for upload to their processing provider.

The provider, with deep expertise in technologies like Nuix and Relativity, handles the large data volume with ease via their streamlined processes and quickly makes 335 GB of deduplicated data available in Relativity, where an associate attorney with outside counsel is given access and begins to familiarize themself with the dataset.

A plan emerges for broad keyword searching, negotiated by the parties, to become the basis for review by a team of contract reviewers, who dutifully commence review of the 185K documents at breakneck speed. With weeks having passed, discovery nearing a close after multiple extensions, and L1 and L2 reviews complete, the associate re-engages to perform final QC. He then reports back to the partner after seeing some curious “links” in certain email and Teams message items that seem to refer to files, but do not appear to be present in the database when attempting to view document families. Probably just a quick fix by the technical team.

An 11th-hour production is scheduled for Friday, and it’s late Tuesday afternoon. Of the 27K documents slated for production, additional research determined that about 1100 such issues exist, where the newly defined “modern attachment content” is missing. The ESI production protocol is frantically reviewed, and the root cause of using the familiar Content Search tool, way back at the time of collection, is fully revealed.

What would it take for the in-house collection team to re-collect only the missing modern attachment documents, transfer them to the provider for processing, accurately overlay them with their parent documents in Relativity, review, and code, then resume the processes required to arrive at an accurate production deliverable by the Friday deadline?

Impossible? Well, no, but much closer to yes than no, if we’re honest.

Impractical? Boatloads of that, please!

And this is to say nothing of the damaged confidence in the accuracy or effectiveness of either the original collection or the keyword searching across a far more extensive set of also-unknowingly-uncollected modern attachments from the entire dataset.

Tips and Best Practices for Avoiding Collection Issues with Modern Attachment Content

  1. Understand the Enterprise Application Usage Across the User Population

In multiple engagements, during the process of aligning both legal and IT personnel on the ground-level application usage within their organization and properly scoping collection parameters, the existence of modern attachment technology and their potential widespread usage is entirely new information. This new information underscores the rapid proliferation of new features when they become available and the need for eDiscovery practitioners to stay abreast of the steady river of change across the broader M365 ecosystem.

  • Identify Potential Usage of Third-Party Technologies That Could Impact the Collection Process and Accuracy

The widespread interoperability of M365, with “bolt-on,” adjacent technologies operating via its extensive API frameworks, can add an invisible yet significant additional layer of technical complexity to eDiscovery collections. For example, privacy, compliance, and archival technology exist that can alter the default storage location of modern attachment content to other than OneDrive, such that even Purview Premium eDiscovery can no longer automatically collect them.

  • Realistically Assess the Expertise of Your Practitioners and Frequently Update Training and Documentation

Although frustrating for practitioners at all career stages, the reality of evergreen technology like M365 is another “new normal” of constant change. As such, it’s no longer optional for practitioners to maintain a cursory understanding of cloud computing technologies, as data is now commonly overlooked in once-routine collection scenarios.

To combat this reality and its associated risk, investment in training and up-to-date documentation can no longer perpetually exist as a back-burner item.

  • Consider the Range of Use Cases and Applicable Distinctions

In the case of modern attachments and the Standard or Premium eDiscovery question, common sense and judgment still play an essential role. For example, in the context of an employment, or HR-centric investigation, wherein allegations of inappropriate communication in the form of Teams 1:1 communications have been brought, a broad collection of content, including modern attachments, may not be necessary. This is in contrast to a newly received complaint in federal court, alleging accounting irregularities and a conspiracy to defraud investors, seeking $350 million in damages.

In this way, experienced practitioners must still apply their valuable but fully informed judgment in assessing the needs of a specific project to fully realize their particular role in the broader context of reasonableness in eDiscovery.

  • Controversy Clouds the Field of View

The March 2021 decision from the Southern District of New York, Nichols v. Noom Inc., 2021 WL 948646 (SDNY 2021)reached the very unexpected conclusion that hyperlinks to documents stored in Google Drive locations, which appear in the body of the subject Gmail collection, did not constitute “attachments” in the traditional sense of eDiscovery.

Although inexpensive technology to automatically capture and preserve the “family relationships” of these items already existed, seemingly having fully anticipated the obvious issue that would otherwise arise, the court deemed otherwise and turned two decades of universally accepted eDiscovery orthodoxy on its head.

Enter Microsoft Teams, with its explosion in usage during the pandemic, along with its version of the same technology via the “modern attachment,” and we arrive at the current state of confusion.

The post-Noom discussion centers on (1) whether or not Microsoft’s “modern attachment,” despite its name, is itself just a “pointer” or hyperlink to cloud storage, should continue to be viewed as an attachment at all; and (2) whether the presence of a modern attachment link creates a “family relationship” in the sense that eDiscovery has recognized for 20 years.

Although this issue has not been definitively settled, advocacy has been brought forth that modern attachments are not, in fact, attachments (in line with the Noom decision) and that any assignment of a family relationship between a message and modern attachment is purely “artificial” in nature. It should also be noted that related issues exist regarding preservation obligations, which are beyond this paper’s scope.

One Size Does Not Fit All

Although the conclusions borne from Noom are correct in a purely technical sense, experience in real-world scenarios results in a very different take on the same situation.

“In the realm of regulatory investigations, regulators wield an iron fist, disregarding the niceties of eDiscovery such as reasonableness or proportionality. Regardless of the parties’ resources or the amount in dispute, they crush pushback with unwavering directives. As witnessed in our work with HaystackID clients, we’ve learned that regulators demand content without consideration for cost, alleged difficulty, or technical concerns.” – Michael Sarlo, Chief Innovation Officer and President, Global Investigations and Cyber Incident Response Services, HaystackID.

In another context, imagine a situation where either a Teams message (or Exchange-based email) is sent from one key custodian to another with the text, “As discussed,” “Here you go,” or “Let me know what you think,” or “For your review,” but with only a hyperlinked reference to a modern attachment file, which is not present in the review database as a result of the technical capabilities gaps cited previously.

The obvious question then becomes – what litigator would blindly accept the lack of availability of a document known to be in their client’s direct custody and control but proceed in their representation to the court that their client’s discovery obligations were fully upheld? Stated another way, what documents possessed by your client are you comfortable with concluding are non-responsive without having ever even collected, let alone reviewed?

HaystackID’s Perspective on the Modern Attachment Question

As a result of both observations and lessons learned in multiple, real-world eDiscovery and investigation scenarios, HaystackID has arrived at the following position on the issue of modern attachments and their proper collection and handling in eDiscovery:

  • In light of their potential to introduce a cascading series of failures at the worst possible time, M365 collections should be handled by trained practitioners who are fully versed in the latest developments regarding M365 workloads and data types.
  • Wherever possible, modern attachments should be collected from the outset in order to avoid potentially negative consequences that are very difficult to correct after the fact.
  • In most situations, the marginally higher costs and time needed to collect modern attachments from the outset are offset by the benefits of dramatically reduced risk and improved defensibility.
  • When Premium eDiscovery licensing is unavailable in a client’s M365 tenant environment, communicating the potential for incomplete collections to preempt potentially negative consequences is now imperative for practitioners.

Written by:

EDRM - Electronic Discovery Reference Model

EDRM - Electronic Discovery Reference Model on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide