45-minute breakout session from Microsoft Ignite 2019. Practical session covering 3 must-have skills for business teams to "self-serve" on their own eDiscovery requests.
8. The Electronic Discovery Reference Model¹
Information Governance
Identification
Preservation & Collection
Processing
Review
Analysis
Production
Presentation
¹ https://www.edrm.net/resources/frameworks-and-standards/edrm-model/
9. Integrated tools leveraging intelligence to reduce risk
Simplify assessment of compliance risk and posture with actionable insights
Integrated protection and governance of sensitive data across devices, apps and cloud services
Intelligently respond to data discovery requests
Compliance Manager
Service Trust Portal
Information Protection & Governance
Encryption
Access Control
Search & Discovery
Auditing
11. Do you have a strategy for protecting and managing sensitive and business critical data?
Where is your sensitive data?
Do you have control of it?
How are you managing it?
12. A good balance to strike
Information Governance
DISPOSE: Eliminate what you don’t need
RETAIN: Retain what you are obligated to keep
PROTECT: Protect your sensitive information
eDiscovery
FASTER RESPONSE: Quicker turnaround time on requests
REDUCED EXPENSE: Less resource effort to analyze/prepare results
REDUCED RISK: Less risk exposure due to over-retaining content
13. Partnerships
200+ updates per day from 750 regulatory bodies¹
Get your electronic house in order!
¹ Thomson Reuters, "Cost of Compliance 2018 Report: Your biggest challenges revealed," 2018
• Leverage the shared responsibility model
• Coordinated effort of 3 groups
21. Real questions from the field…
1. If I search a user’s mailbox, what do I get back?
2. How do I search everything in a Microsoft Teams?
3. Are in-app chats discoverable?
4. Are document comments discoverable?
5. How do I search against Yammer messages?
6. Are Planner tasks discoverable?
7. Are Microsoft Teams meeting recordings discoverable?
8. Is the recycle bin discoverable?
29. When a mailbox is on hold…
End-user has no indication it’s on hold
End-user can still delete email messages
Retained in “Recoverable Items Partition”
30. When a SharePoint or ODFB site is on hold…
End-user has no indication it’s on hold
Retained in “Preservation Hold Library”
End-user can add/change/delete content
33. For each eDiscovery request…
| To answer this… | eDiscovery teams need to… |
|---|---|
| What are we looking for? | Have common understanding of the request |
| Who has it? | Define the custodians and SMEs |
| Where do we look for it? | Define the locations to search against |
| How do we get it? | Define the query to find it |
34. Keyword Query Language (KQL)
GUI Method
For simple queries
Use as a starting point
For learning KQL
KQL Method
For complex queries
Compound conditions
Can validate in regular search
36. For each eDiscovery request…
| To answer this… | eDiscovery teams need to… |
|---|---|
| What are we looking for? | Have common understanding of the request |
| Who has it? | Define the custodians and SMEs |
| Where do we look for it? | Define the locations to search against |
| How do we get it? | Define the query to find it |
| What does it look like? | Review, reduce, export the results |
37. Review | Reduce | Export the results…
Core eDiscovery
Save records of interest for review
Email de-duplication
Export to review and analyze
Advanced eDiscovery
Save records of interest for review
Review and analyze with tool
Email threading, Theming, Tagging, Machine learning, Annotation, Redaction
39. Example 1: External Litigation
“FBI has issued a subpoena for all communications of employee Debra Berger from start of her employment to present day”
How do we define “communications” and how do we protect the integrity of the records?
40. Export Yammer messages for a user
Work with partner to archive third-party data
How do we define “communications”?
41. For this request, “communications” is defined as…
Debra’s mailbox
Group mailboxes Debra is a member of
Debra’s colleagues’ and managers’ mailboxes
42. How do we protect the integrity of the records?
An Electronic Hold
44. The results
Debra’s Emails
Debra’s 1:1 and Group Chats
Debra’s Skype Messages
Outlook conversations Debra participated in
Channel conversations Debra participated in
46. Example 2: Internal Investigation
“Investigate an allegation of asset theft from within your organization by employee John Doe to the buyer, Mr. X”
We need to see if there’s a story behind the data
47. Place ALL of John Doe’s business artifacts on Hold
Microsoft Teams John Doe is a member of
John Doe’s mailbox for emails and chats
John Doe’s OneDrive site
49. The business artifacts come together to tell a story…
Emails with Mr. X lining up sale of stolen goods
Microsoft To Do Task to create a fictitious “sales invoice”
Calendar invitation to have coffee with Mr. X
Channel conversation with an internal person to facilitate the fraud
Contact card for Mr. X
51. Example 3: Statutory request
“Find all records relating to the maintenance of ADA curb ramps along University Ave from 2017 to present day”…
Who are the Subject Matter Experts?
53. Subject Matter Experts (SMEs)
1. University Ave
2. Curbs
3. Ramps
4. ADA
5. Americans with Disabilities Act
Translates into this KQL:
University Ave* AND ((Curbs OR Ramps) OR (ADA OR "Americans with Disabilities Act")) AND (date=2017-01-01..2019-11-04)
54. Search Query #1 (Facilities staff)
All Microsoft Team members’ mailboxes for chats
Group mailbox for conversations
All Microsoft Team members’ OneDrives for files shared
Microsoft Teams SharePoint sites for files
55. Search Query #2 (All staff)
externalvendor1@gmail.com
externalvendor2@outlook.com
All tenant mailboxes for external emails to vendors
57. The relevant business artifacts are exported
Emails sent to external vendors and internal staff
Microsoft To Do Tasks for maintenance tasks
Maintenance schedule
1:1 and Group Chats, Meeting & Call summaries
Channel conversations amongst Facilities staff regarding maintenance
Maintenance Work orders and contracts
59. Example 4: Statutory Request
“Find all records on Carbon Tax between January 1, 2018 and December 31, 2018”
What are good search terms to find the records?
60. Defining locations to search against
1. All User’s mailboxes
2. All Group mailboxes
3. All Teams messages
4. All Tasks
5. All User’s OneDrives
6. All SharePoint sites
7. All Office 365 Group sites
8. All Team sites
61. The importance of defining search keywords
Original Search Terms
Carbon Tax
Price on pollution
Price on carbon
Carbon price
Federal backstop
Carbon
Pollution
Refined Search Terms
Carbon Tax
Price on pollution
Price on carbon
Carbon price
Federal backstop
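The keyword refinement above, worked through as an added Python example that is not part of the original deck. It assumes the bare words were dropped because a single word OR'ed with phrases that contain it already matches everything those phrases match; it reuses the `date=` range form from the curb-ramp query, and all function names are hypothetical.

```python
from datetime import date

# Added example. Helper names are illustrative; none come from the deck.
# Constructed input: the "Original Search Terms" list from the Carbon Tax slide.
ORIGINAL_TERMS = ["Carbon Tax", "Price on pollution", "Price on carbon",
                  "Carbon price", "Federal backstop", "Carbon", "Pollution"]

def subsuming_terms(terms):
    """Return single words that also occur inside a listed phrase.

    `Carbon OR "Carbon Tax"` returns the same items as `Carbon` alone, so the
    bare word makes the phrase pointless and pulls in every mention of it.
    """
    phrase_words = {w.lower() for t in terms if len(t.split()) > 1
                    for w in t.split()}
    return [t for t in terms
            if len(t.split()) == 1 and t.lower() in phrase_words]

def refine(terms):
    """Drop the over-broad single words, keeping the original order."""
    broad = set(subsuming_terms(terms))
    return [t for t in terms if t not in broad]

def kql_term(term):
    """Quote multi-word terms: unquoted, KQL ANDs the words instead."""
    term = term.strip()
    if not term or '"' in term:
        raise ValueError(f"unsupported search term: {term!r}")
    return f'"{term}"' if len(term.split()) > 1 else term

def build_kql(terms, start, end):
    """OR the keywords together and AND them with a date range."""
    if not terms:
        raise ValueError("no search terms")
    if start > end:
        raise ValueError("start date is after end date")
    keywords = " OR ".join(kql_term(t) for t in terms)
    return f"({keywords}) AND (date={start.isoformat()}..{end.isoformat()})"

def carbon_tax_query():
    """Refined terms over the window named in the request (calendar 2018)."""
    return build_kql(refine(ORIGINAL_TERMS), date(2018, 1, 1), date(2018, 12, 31))

if __name__ == "__main__":
    print("Dropped as too broad:", subsuming_terms(ORIGINAL_TERMS))
    print(carbon_tax_query())
```

The terms it drops are the same two that disappear between the original and refined lists on the slide.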
62. The results
Emails
Microsoft To Do Tasks
1:1 and Group Chats, Meeting & Call summaries
Sways
Form responses
Messages
Calendar items
Channel conversations
Outlook conversations
Files shared in Chat and Channels
Files
List items & attachments
SharePoint Calendar
SharePoint tasks
SharePoint pages and Wikis
67. eDiscovery Licensing
Office 365 E5 license
| eDiscovery feature | Office 365 Business Essentials or Business Premium | Office 365 F1 or E1 or Office 365 US Gov F1 or G1 | Office 365 E3 or Office 365 US Gov G3 | Office 365 E5 or Microsoft 365 E5 | Advanced eDiscovery standalone license |
|---|---|---|---|---|---|
| eDiscovery cases | Yes | Yes | Yes | Yes | Yes |
| eDiscovery holds | No | No | Yes | Yes | Yes |
| eDiscovery export | No | No | Yes | Yes | Yes |
| Advanced eDiscovery | No | No | No | Yes | Yes |
68. To take back to the office
Office 365 Architecture for eDiscovery [Infographic]
Keyword Queries and Search Conditions
Discovering URLs for SharePoint and OneDrive sites