In a recent webinar, we had the privilege of sitting down with three industry experts to explore the topic of modern attachments in eDiscovery. Our panel included Kelly Twigger, Founder of eDiscovery Assistant and Principal of ESI Attorneys; Jennifer Knox, Director of Discovery Consulting at Consilio; and Michelle Kovitch, our Strategic Solutions expert at Onna.

    During the Q&A session, attendees asked some great questions: How do you defensibly preserve and collect modern attachments? Should we consider them as attachments or pointers? Are there any recommended language and ESI protocols to follow?

    We wanted to take the opportunity to answer them in more detail, so we went back to the experts to get their take. Here's what they had to say:

    Question 1: Is there any argument for considering Electronically Stored Information (ESI) from pointers as "attachments" instead of references, particularly when an organization is using pointers as attachments?

    Kelly Twigger

    I agree that users are treating data shared with them as attachments. However, from a technological standpoint, collecting and preserving those attachments, which are actually provided through pointers and not physically attached to the email, is very difficult. This complexity makes it crucial for us to adjust our language when explaining these challenges to courts and lawyers.

    So, while users may use them as attachments, they're no longer physically attached like traditional emails with documents, which have a clear parent/child relationship. There's a metadata field associated with attached documents, indicating that they're attached, but that metadata field doesn't exist with pointers.

    Although users view them as attachments, from a technological perspective, they're not physically attached, and we can't provide them as attachments in eDiscovery in the same way. That's why it makes sense for us to adopt a different naming convention to account for these technological differences.

    Question 2: Isn't a linked/modern attachment similar to sending a cover letter that references a separately sent box of records? While they may not be physically attached, they are logically – and potentially legally – closely connected, and thus should be collected together.

    Jennifer Knox

    I think it makes sense logically. However, I'm not entirely sure if there's a one-size-fits-all technological solution for every situation. The thing is, we're not dealing with physical materials here; it's a massive amount of information, with thousands, even millions of pages, as opposed to just a box containing 2,500 pages.

    I can't help but wonder if we can effectively handle this at scale, especially for larger organizations with complex IT infrastructure and numerous employees exchanging content. Is there a technical capability that can manage such a huge volume of data efficiently?

    Michelle Kovitch

    In my view, even though we're not exactly talking about parent/child relationships anymore, I still believe they could be relevant. I have a feeling this issue will come up again soon – the question of whether we can retrieve all those linked documents is a whole other matter to explore. But the thing is, if you're referencing something in a written document and you want others to find it, it's bound to be relevant. So, even if the courts aren't explicitly stating that we must do this right now, it ultimately boils down to what the parties agreed upon in the beginning.

    Question 3: How can I preserve dynamic data?


    Many of these collaboration tools have in-place preservation as part of their functionality. Of course, it all depends on the licensing of these applications. For instance, in free versions, there's often no capability to preserve content in-place. However, if you're using paid versions of tools like Slack, Google Workspace, Microsoft 365, etc., there is generally the ability to preserve in-place.

    The way this works may vary across these tools. For example, in the Microsoft environment, you can preserve someone's mailbox, including non-email content like calendars, journals, tasks, and so on, as well as their personally identified content from custodial interviews or personal shared locations (OneDrive, Teams). Of course, the ease of finding these locations will also vary depending on the licenses.


    I would also like to add that many times, you have to choose a specific point in time for preservation, and the information that exists at that agreed-upon time almost acts as a snapshot of dynamic content. In most cases, even though content continues to be created and affects a matter, it's often in the past, and what exists at that point is what you have to work with.

    So it's crucial to consider the dynamic nature of the content early in the discovery conversation and set parameters for what you're going to do. You need to communicate these parameters to the other party and get an agreement on their reasonableness.

    Question 4: Is it possible to identify or isolate emails that contain modern attachments or pointer files within Office 365 or other email systems?


    Specific features within eDiscovery tools can help identify or isolate emails that contain modern attachments/pointer files. In Office 365, for instance, you can use advanced search and filter options in the Security & Compliance Center.

    In the case of Microsoft, you'll find these emails after the data has been processed. As for other data sources, different workflows apply, and some applications provide reporting on emails containing links. So, depending on the system you're working with, you can utilize these tools to spot those attachments.

    Question 5: When you retrieve a modern attachment (document) from a Slack or Microsoft Teams conversation, and there have been multiple changes made to the document since its original posting, which version of the document would you need to collect?


    The version you need to collect is one of the things you need to discuss at the outset because different tools allow you to do different things. While some Microsoft 365 licenses will allow you to collect either the current version of the document or the version that existed at the time the pointer was created, that is not the case for Google or Slack.


    It’s also worth mentioning that within Microsoft 365, the user generating and sharing content needs to have a premium license, and the organization must establish a very specific retention policy that won't be applied retroactively. So, once these policies are in place, and the users have those premium licenses, the version of the shared document will be retained and accessible through Microsoft Premium eDiscovery. However, it won't be accessible using standard eDiscovery, content search, or third-party tools.


    Another thing to consider is that certain platforms, like Onna, offer auto-sync and archiving capabilities, allowing you to capture data in real-time. But, as Jennifer pointed out, what you can do often depends on the license level you have. So, it's essential to understand these limitations when discussing your options.


    The other thing I would say is Microsoft structures their licenses in a way that you can't have just a few users on E5 with access to Purview and other discovery components; it's an all-or-nothing deal, covering the entire organization. And for many organizations, the cost/benefit analysis doesn't justify going for E5. They might not have enough eDiscovery needs or litigation to make it worth it. So, the question becomes, "Does the ability to do this exist in the software, but only if you pay for it?"

    Upgrading from E3 to E5 could cost tens or hundreds of thousands of dollars, which might not be reasonable to require from everyone. And if they can't make that upgrade, can we use other tools to handle this pointer issue? It raises several concerns. We work with a lot of clients in the manufacturing space, and many of them have E3 licenses, which means what we can do in Microsoft Teams is much different from what's possible with E5 licenses.

    Question 6: Are any legal groups or legislatures making efforts to draft a standard nomenclature for universal use among lawyers and judges?


    Some organizations, such as the Sedona Conference, are making efforts towards this goal. However, comprehensive standardization is still a work in progress as it is a collaborative task.

    Question 7: Do you have a glossary of your preferred eDiscovery nomenclature, along with any recommended language for ESI protocols?


    One important thing to do is to work closely with your providers and find a way to be proactive. During your early case assessment, it's essential to identify which files have linked sources, either through metadata or other means.

    To help with standardizing the language, users are encouraged to become familiar with the EDRM and its glossary, which contains 339 pages of valuable information. This will serve as a baseline to establish the agreed-upon nomenclature for your organization's EDRM.


    I don't think it's been perfected yet, but you can check out the Acetaminophen case, which has a specific ESI protocol outlined, or the StubHub decision, which includes the language they used. However, I'd say that neither of them is exactly what we need because there isn't a defined nomenclature in place just yet.

    Looking for more insights? Catch the full conversation on modern attachments, which includes recent case law surrounding this issue, in the on-demand webinar.


    About Kelly

    Kelly Twigger is a practicing attorney, software developer, consultant, writer, and speaker on issues in electronic discovery, the development and implementation of legal technology, and how to effectively use data in planning for and during litigation.

    She is a co-author of Electronic Discovery and Records and Information Management, and host of Case of the Week at eDiscovery Assistant. As Principal at ESI Attorneys, Kelly manages the boutique eDiscovery and information law firm that acts as operational business partners with its clients to advise law firms, corporations, and municipalities on all areas of electronic information including eDiscovery, privacy, cybersecurity, and information governance.

    Kelly is also the CEO of eDiscovery Assistant — a SaaS-based practical resource for litigators handling eDiscovery — that curates discovery decisions, rules, and additional content. She is developing an online academy to provide on-demand education for lawyers and legal support professionals to stay abreast of changes in the law and technology that affect litigation and clients’ obligations to respond.

    About Jennifer

    Jennifer Knox is a Director in the Consilio Consulting Group. Jennifer’s broad data analytics and eDiscovery industry experience includes technical product and service delivery, largely in the Financial Services space. In these roles, Jennifer worked closely with Legal, Records Management, and Information Security teams to drive Legal and Information Governance technology strategy, while protecting critical enterprise information.

    In her current role, Jennifer works with Consilio’s enterprise clients on a variety of eDiscovery and data management issues including sensitive data analytics, document categorization, and Office 365 cloud functionality. Jennifer frequently speaks on these topics to clients and at industry events.

    Jennifer previously managed the teams responsible for Consilio’s world-class operational and technology solutions, delivering fast, accurate, secure, and scalable data solutions for clients. Additionally, Jennifer managed Legal Technology application development teams tasked with the delivery of patented technology to Legal, Compliance, and Regulatory Audit divisions.

    About Michelle

    With 20+ years of litigation support management experience under her belt, in addition to years of managing legal solutions teams and programs, Michelle Kovitch has an unrivaled perspective on legal workflows and technology.

    As a certified eDiscovery Specialist, she is leading the way again by dedicating the second half of her career to her colleagues in the trenches. Her mission: to be the advocate, impetus, and orchestrator of a collaborative shift toward technical competence and optimal legal workflows, serving as a trusted advisor for Enterprise Solutions, reducing spend, mitigating risk, and enhancing compliance. Michelle serves on the Strategic Solutions Team at Onna.
