Modern Attachments – An eDiscovery Quagmire?
Bill Tolson | November 2, 2021
COVID-19 and the new normal for business communication
Business communications have reached a new era as emerging communications and collaboration applications have exploded over the last two years. The COVID-19 pandemic and the shift to a primarily remote workforce have forever changed not just where we work, but how we work. Our virtual teams require fast, easy, and dependable communications capabilities to keep in touch with co-workers, communicate with current customers, reach out to new clients, and work with business partners.
However, not surprisingly, the reliance on email continues to rise across all industries, mainly because email is still the fastest and most straightforward way to send and receive information, including data such as presentations, spreadsheets, memos, and other types of files. Because of its ongoing popularity, email systems have continued to innovate and adapt to address emerging customer requirements.
Email attachments: their growing size can cause problems
Most Microsoft 365 and Google G-Suite users are familiar with attaching files to an email. However, sometimes the attachment is too large to send through the email system due to IT-imposed limitations. Because email systems are so widely used for file transfer, email system providers have had to find a better way to forward large files without bogging the system down with huge attachments.
Note: this discussion will focus on the Microsoft 365 platform but keep in mind, Google G-Suite also incorporates the creation and use of "Modern Attachments."
With the introduction of Outlook 2016, Microsoft partially addressed this challenge by including the ability to attach "Modern Attachments" (hyperlinks to files) in either your OneDrive account or SharePoint system so that the actual file would not need to be sent. The receiving employee could simply click on the hyperlink inside the email and access the specific file in the OneDrive or SharePoint system.
Note that modern attachments are designed to only work for emails sent and received within an organization's firewall because of security concerns. Hence my caveat that this is a “partial” solution. Allowing a direct external link to files stored within an enterprise would provide cyber thieves an unsecured onramp to a company's sensitive data stores. (Before some technology "pundit" (you know who you are) pipes up and says they have already set up the ability to link back to modern attachments from external locations, sure I suppose it could be done. Still, as a day-to-day business practice, a CISO would never allow it!)
The modern attachment capability can be problematic for both regulatory data retention requirements and in litigation hold/eDiscovery. For the remainder of this blog, I will focus on the litigation preparedness issues when dealing with modern attachments.
Third-party email archiving, modern attachments, and litigation hold
Many organizations have adopted a strategy of utilizing external third-party archiving solutions to capture and manage email/attachments to ensure compliant retention, the ability to place litigation holds, and "copy of record" status. All modern email archiving solutions will copy/move/index targeted content, including files attached to email messages. But keep in mind that when responding to an eDiscovery request or anticipating a future lawsuit, companies have the responsibility to find and secure all potentially relevant content until the eDiscovery process has been completed. This includes all email attachments - but does it include all hyperlinked content, such as hyperlinks to external web pages? For example, what if a responsive email includes a hyperlink to the U.S. Post Office website? Are you required to capture the entirety of the USPS website because its hyperlink was included in a responsive email message? Of course not.
But what if, instead of an actual file attached to the email, a hyperlink pointing to a file/document in the custodian's OneDrive account, a SharePoint repository, or a Teams file is embedded within the email? Is that hyperlinked file also potentially responsive to the case? And if yes, does it need to be placed on a litigation hold at the same time as the email message? What if the hyper-linked attachment is later inadvertently deleted because it was not secured under a hold? And most importantly, did the third-party migration or archiving solution copy and index the entire hyper-linked attachment when the email message was moved/copied – as it would with an attachment?
The critical point to remember is when an attachment is placed inside an email, a static copy of that document is placed in the email, ensuring that the attached file has not changed. However, when a modern attachment link is placed in the email, the linked file residing in SharePoint, OneDrive, or Teams can still be edited (or deleted), meaning that there is no way to guarantee that the linked file is an exact copy of the original file. If the third-party archiving solution does not fully capture the modern attachment, incomplete discovery or spoliation could be raised in a lawsuit.
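The distinction drawn above can be checked mechanically when triaging a mailbox for hold. The following is an added example, not code from the article or from any archiving product: it separates static attachments (which can be hashed as fixed copies) from links to cloud-stored files and from ordinary web links. The host patterns, the `classify` function, and the sample message are assumptions constructed for illustration.

```python
import hashlib
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed host patterns for Microsoft 365 file storage (not taken from the article).
CLOUD_FILE_HOSTS = re.compile(r"(^|\.)sharepoint\.com$|^onedrive\.live\.com$|^1drv\.ms$", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message: one real attachment, one linked file, one ordinary web link.
SAMPLE_EML = """\
From: alice@contoso.example
To: bob@contoso.example
Subject: Q3 forecast
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Draft is here: https://contoso-my.sharepoint.com/personal/alice/Documents/forecast.xlsx
Shipping rates: https://www.usps.com/business/prices.htm
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

static copy of the notes
--b1--
"""

def classify(raw_eml):
    """Split a message into hashed attachments, linked cloud files, and other links."""
    msg = message_from_string(raw_eml, policy=policy.default)
    report = {"attachments": [], "linked_files": [], "other_links": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True)  # static bytes carried inside the email
            report["attachments"].append((part.get_filename(), hashlib.sha256(data).hexdigest()))
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname or ""
                key = "linked_files" if CLOUD_FILE_HOSTS.search(host) else "other_links"
                report[key].append(url.rstrip(".,)"))  # drop trailing punctuation
    return report

if __name__ == "__main__":
    print(classify(SAMPLE_EML))
```

Only the attachment yields a hash that stays valid over time; the entry under `linked_files` identifies content that lives outside the message and would need its own capture and hold.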
Let's look at current precedent on discovery of modern attachments.
Nichols v. Noom Inc.
In a 2021 lawsuit, the court addressed some of these questions. In Nichols v. Noom, Inc., No. 20-CV-3677 (LGS) (KHP) (S.D.N.Y. Mar. 11, 2021), the Judge denied the plaintiff's motion for reconsideration of the Judge's opinion that hyper-linked files within email messages are not the same as attachments and not subject to litigation hold, collection, or production. The Judge's opinion also stated that the inclusion and protection of hyperlinked documents would, in fact, be disproportional to this specific case because of the estimated cost of $180,000 to retrieve them. However, the Judge did not differentiate between local hyperlinked documents and hyperlinks to general internet destinations (a website) viewable by anyone on the internet.
The Judge's opinion was an issue for the plaintiffs because they would not have access to "family" designations as they would for traditional email attachments, i.e., metadata that would associate specific hyperlinked documents with the emails referring to them.
Note: There's a long history of including attachments in eDiscovery requests. A family relationship would consist of which document was considered the "parent" or original document and which were related, i.e., "children" - the attached/embedded document dependent on the "parent." These document relationships can be crucial in the discovery process. In essence, internal document hyperlinks are in effect electronically stored information (ESI) in the producing party's possession, custody, or control, just like any other attachment.
In the Nichols case, the Judge concluded that family designations were inconsequential because hyperlinked documents were not the same as attachments. The Judge did rule that the existing process - where the plaintiffs could later request any hyperlinked documents that they could not locate in the corpus - would be appropriate for any disputes that may arise. However, this opinion leaves open the question of what would happen if a hyperlinked document was deleted (or changed) before the plaintiff could conclude it was needed for the case.
Many in the legal industry believe the Judge's opinion that hyperlinks to other (internal) files are not the same as attachments that are actually embedded is outdated because hyperlinks are already beginning to replace actual file attachments. In fact, there's no functional difference between modern attachments and genuine attachments - therefore no legal difference. Many legal experts believe the Nichols opinion will be revisited quickly.
Another situation that could quickly arise would be around Microsoft Teams discovery – a very popular topic in the eDiscovery industry. What if a Teams Group Chat was requested in eDiscovery; would any attached files be relevant? Would any sentiment or emojis also be responsive? Should all content/actions surrounding a Teams meeting/chat be considered potentially relevant and therefore be placed on legal hold?
Most eDiscovery experts would say “of course…”.
Microsoft 365 and discovery of Modern Attachments
For those that utilize the Microsoft 365 cloud platform, indexing and discovering modern attachments can be accomplished utilizing the Advanced eDiscovery capability. An Advanced eDiscovery search will find and collect all cloud-based content shared with users by using links or modern attachments in email messages and Teams chats.
However, to access Advanced eDiscovery capabilities and the ability to discover modern attachments in the Microsoft 365 compliance center, at the time of writing this blog your organization must have subscribed to one of the following:
- Microsoft 365 E5 or Office 365 E5 subscription
- Microsoft 365 E3 subscription with E5 Compliance add-on
- Microsoft 365 E3 subscription with E5 eDiscovery and Audit add-on
- Microsoft 365 Education A5 or Office 365 Education A5 subscription
How do modern attachments fit into 3rd-party archiving and eDiscovery?
Over the last 15 years, many organizations have chosen to archive their email in a third-party archiving application for various reasons, including ensuring regulatory compliance, litigation preparedness, and off-loading their live email systems of static content to increase performance.
As organizations began their movement to the cloud, the need to migrate existing on-premises email from both live email systems as well as legacy email archiving platforms became an important step in ensuring both regulatory and legal defensibility. Additionally, many of those same companies were required to continue journaling their live email from Office 365 to a third-party cloud-based email archiving solution, again to ensure regulatory compliance and eDiscovery preparedness.
Note: The email journaling process ensures that email and attachments are captured, copied, and immediately placed into another location to ensure "copy of record" status, i.e., the email/attachment is an exact copy of the original without any deletions/changes/edits, etc.
The third-party archiving issue revolves around capturing all modern attachments via the embedded hyperlink during both pre-existing email archiving migrations as well as the journaling process. For both processes, the entire hyperlinked modern attachment should be captured, moved to the third-party archive, and indexed for easy search and litigation hold later (of the whole modern attachment – not just the hyperlink.)
Modern Attachments and Archive Migration
Unfortunately, most third-party archive migration solutions do not recognize modern attachment hyperlinks and therefore cannot access and capture the hyper-linked document in SharePoint, OneDrive, or Teams. To make matters worse, many of the third-party journaling solutions also do not capture and move the modern attachment to the third-party archive. For those organizations that have already migrated email to a third-party cloud archive or are currently journaling to a third-party cloud archive, you should verify that the migration solution or journaling solution used does completely capture and move all modern attachments.
To reiterate, there is no legal responsibility to capture and migrate modern attachments if there is no ongoing or anticipated litigation (litigation hold placement). But, if a modern attachment could be relevant to a case, ignoring the linked document would not be legally defensible and would put the company at risk of incomplete eDiscovery response, or worse, spoliation. Again, this will depend on the Judge and any new precedents.
Additionally, for those companies in industries that require an email journaling-like capability (such as organizations in the financial services sector), leaving a modern attachment uncollected and unindexed would put the company at risk of non-compliance with data retention laws such as SEC Rule 17 and MiFID II.
Modern attachments and litigation hold
In a standard litigation hold process, the responding organization searches all their data stores with a list of custodians, email addresses, date ranges, and possible keywords to find and secure all documents that meet the eDiscovery search criteria. Most third-party archiving solutions will capture email/attachments, documents, etc., and move them into the archive where they are indexed to enable fast and accurate search during eDiscovery processing.
As I stated earlier, there is no legal requirement to capture and migrate/journal modern attachments if there is no ongoing or anticipated litigation. However, the risk surfaces when an email migration or journaling process is performed, specifically when there is ongoing eDiscovery processing (collection), early case assessment, and litigation hold placement, or when there is an anticipation of future litigation that could include modern attachments in processed email. If that situation exists, then not capturing, migrating/journaling, and indexing those modern attachments could put the responding organization at risk of incomplete eDiscovery or destruction of evidence - if the hyperlinked attachment is later edited or deleted from OneDrive, SharePoint, or Teams.
Modern Attachments best practices
For organizations using Microsoft 365 or Google's G-Suite, your legal department should assume that some employees use modern attachment hyperlinks. With that in mind, there are several ways to protect yourself during email migrations or journaling to a third-party archive:
- Remove the ability to utilize modern attachments within your email for ongoing journal archiving.
- Refrain from migrating any legacy email or custodian mailboxes that are or could be involved in anticipated litigation because most email migration solutions do not capture and migrate modern attachments – or...
- Talk to your email archiving solution/vendor about capturing and migrating all email message modern attachments.
The migration of existing legacy email archives should not be an issue even if they do contain modern attachments due to the fact that legal hold requirements only apply to potentially responsive data as of the day notice of litigation or anticipation was recognized. Any changes or data loss prior to placement of the legal hold would be considered day to day business practices and legally defensible. So, if a modern attachment was not captured as part of the standard archiving business practice (prior to litigation hold), destruction of evidence would not be considered.
The safest bet is to ask your email migration or email journaling provider about their ability to address modern attachments.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.