Exchange Online "In-Place Hold" and "Litigation Hold"

Litigation Hold
A Litigation Hold is also called a Legal Hold or a preservation order. It specifically refers to the process by which a business informs its employees (sometimes called custodians) not to delete information relevant to an impending (or ongoing) litigation. This information could be digital (also referred to as ESI) or hard copy data (paper records). Legal notifications requesting Litigation Hold result in implementing, enforcing, modifying, monitoring, and removing the hold.

Exchange Online Litigation Hold
"Exchange Online Litigation Hold was first introduced in Exchange 2010 and is designed to preserve all items in a mailbox indefinitely for the purposes of e-discovery. Litigation Hold can be applied to mailboxes or distribution groups. When a user’s mailbox is put on Litigation Hold, they are still able to delete items, but Exchange retains the deleted items indefinitely. For example, if the user changes an item, it will remain preserved in its original form."

Litigation Hold is designed specifically for e-discovery purposes. The ability to define a hold period was added to Exchange Online in the form of the " LitigationHoldDurationparameter", which allows you to set a retention period. This ability was later added to Exchange 2013. - NOTE: How to create a Litigation Hold

What is the difference between "In-Place Hold" and "Litigation Hold"?

  • "Litigation Hold uses the "LitigationHoldEnabled" property of a mailbox to place mailbox content on hold."

  • "In-Place Hold provides granular hold capability based on query parameters and the ability to place multiple holds, Litigation Hold only allows you to place all items on hold.

"You can also specify a duration period to hold items when a mailbox is placed on Litigation Hold. The duration is calculated from the date a mailbox item is received or created. If a duration isn't set, items are held indefinitely or until the hold is removed." (Source)

"An Office 365 litigation hold suspends any retention policy or automatic deletion for a given mailbox so that no ESI can be removed from the mailbox. When their retention period expires, mailbox items are moved to the Deletions subfolder automatically by the deletion policy."

Why "Litigation Hold" is NOT a backup...

  1. Backup Copies are ONLY Backups if they are outside of the scope of the primary data controller. "In-Place Holds" and "Litigation Holds" are both dependent on the same production services running the primary email system. (If the provider can pull the floor from underneath you, your data is not protected.) Backups should never be on the same storage as the production data.

  2. A backup should be insulated from all changes that are made to the original. Litigation Hold doesn’t create a second copy of data. Instead it will preserve the existing copy. A Litigation Hold is only as safe as the existing primary copy is.

  3. Litigation Hold keeps a copy of user data but does not restore lost data. With Litigation Hold all data would be discoverable in legal proceedings not just data needed for the legal process.

  4. Without the ability to archive users, if you need to maintain user data, you must continue to pay licensing fees to Microsoft.

  5. Litigation Hold data is available only via eDiscovery searches. Any folder hierarchy that was present is lost in Litigation Hold. It is a flat set of emails that become visible based only on search parameters you provide.

  6. Litigation Hold offers no direct restore option. It is not designed to restore user account data. Users would have to go through a manual recovery process after exporting their data. And, restoring mail from Litigation Hold does not preserve the folder structure. Restores from Litigation Hold can be very time consuming.

What about Ransomware?

Should you get hit with Ransomware, backup solutions will let you restore to a point-in-time previous to the attack and recover all your email. With a Litigation Hold, you risk all your email being impacted since all of that data is exposed to the attack. (Please review VBO)

Note from Microsoft...

“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” (Source - 6)