The Case Against Native Application Review of e-Mail

Cost conscious lawyers and clients sometimes choose to conduct pre-production review of client e-mail in a native e-mail application. They use an installed application like Microsoft Outlook or an internet e-mail program like Gmail. Their goal is to cut e-discovery costs by avoiding the data processing and data hosting fees associated with using a dedicated EDD database review tool. Unfortunately, native application review brings with it risks of spoliation and malware infection. Second and equally important, EDD review tools offer substantial advantages in review efficiency, searching, privilege review, and e-discovery process documentation. This article gives 10 reasons to use an EDD review tool instead of native application review.

A Little Technical Background

Depending on the type of e-mail program at issue, an e-mail account can be reviewed natively by accessing the account directly on the client's PC or by using the client's Web log-in credentials, as appropriate. More often however e-mail is first copied as part of e-discovery data collection. For purposes of this discussion, there's no pertinent difference between e-mail data collected from installed applications like Outlook versus Internet e-mail accounts. The e-mail mailbox ' messages and attachments, calendar, contacts, etc. ' is exported or downloaded and then saved in an e-mail container file. (To provide a reference point, it's similar to creating a .ZIP file to bundle multiple Microsoft Office documents.) In this scenario, the reviewer opens the container file using the e-mail software, usually Microsoft Outlook that is installed on his or her PC or firm network.

1. Avoid Spoliation

Just as opening a document on a client's PC can change metadata like last accessed date, native review of a client's mailbox can change metadata specific to e-mail. For example, opening a message in the Inbox changes its status from “read” to “unread.” Read/unread status is frequently relevant, such as in employment matters where a former employee's knowledge or usage of the contents of a specific e-mail is at issue in the case. Opening a message can also send an auto-reply if the sender requested a read receipt. Moving a message to a different folder, such as from the Inbox to a “Production” folder created specifically for the review, likewise alters the original state of the account.

Assuming a preservation copy of the e-mail account is maintained separately from the working review copy, collecting the e-mail account prior to review limits, but does not eliminate the spoliation problem. The principal defensibility issue here is that Outlook will not open a read-only copy of an e-mail container file; in other words, it's impossible to write-protect e-mail data in native application review. Consequently, any document production that is made from the review copy is made from spoliated data.

2. Save Review Time

EDD review tools save time and aggravation in linear (i.e., document-by-document) review through superior handling of attachments. The preview feature in e-mail programs has several drawbacks in document review. First, not all e-mail programs have a preview feature. Instead each attachment must be opened natively (e.g., opening a .PDF in Adobe Reader), which can slow the review considerably. With Internet e-mail, the attachment file may have to be downloaded to the reviewer's PC before it can be opened. Second, the preview feature may not support all file types. Third, a preview window can be inadequate for reviewing content-rich files like Excel spreadsheets and PowerPoint presentations.

When e-mail is loaded into an EDD review tool, each message and attachment is assigned a unique document identifier number and displayed as a separate record in the review database. A “parent” (message) and “child” (attachment) are linked inside the database such that each e-mail family is grouped together for linear review. Both messages and attachments are displayed in a rendered native view similar in appearance to the preview display. The most important difference between this process and native application review is that all attachments are rendered as part of EDD data processing. (Any files that can't be processed for technical reasons, usually a very small percentage of the whole, are reported as exceptions.) Furthermore, files for which the rendered view is inadequate can be opened in native view within the EDD database and are never downloaded to the local PC. Although the time savings from these features might seem insignificant for a single e-mail family, they really add up over the thousands upon thousands of messages and attachments in a typical e-mail account.

3. Files Are Fully Searchable

Keyword searches are queries of a word index that has been created for the files that are being searched. As a threshold matter, the word index for a native e-mail account may or may not be complete and reliable. Two serious, and frequently encountered, issues are indexing that isn't up to date, and non-indexed attachments.

A good EDD review tool uses validated indexing programs as part of data processing. For example, non-searchable .PDF attachments are a major problem in native application searching. However, it's standard protocol in EDD processing to create searchable text files for .PDF files and other non-searchable file types. Another common example of non-indexed files is .ZIP files. Documents inside a .ZIP file are essentially hidden from the native application's indexing program, even if they are file types that would otherwise be searchable. It's likewise standard in EDD processing to extract the documents inside a .ZIP file, after which they're treated in the review database as distinct, searchable attachments.

4. Better Search Tools

Searching in Outlook is adequate for running simple keyword searches; however, the advanced search functions are cumbersome to use and few Outlook users are proficient with them. Search functionality is generally even more limited in internet e-mail programs.

In marked contrast, EDD review tools offer the powerful search tools needed for legal review. Search capabilities may include many to all of:

• Complex keyword strings;
• Field-limited searching, e.g., from, to, subject, body, attachment text;
• Stemming and wildcards;
• Fuzzy search;
• Boolean connectors;
• Natural language;
• Proximity searches, i.e., w/paragraph, w/sentence, w/x number of words;
• Nested searches (searching within search results);
• Thesaurus; and
• Concept search.

Ease of use is typically good for the search functions of an EDD review tool; searching is an important feature to the lawyers and paralegals who drive software purchasing decisions. Finally, EDD review tools offer reporting options for search results that aid reviewers in refining search terms and constructing iterative searches.

5. Eliminate Malware Exposure

e-Mail is infested with malware: viruses, adware, spyware, worms, phishing programs, and more. Not all malware is caught by a Spam filter or is obvious on its face; every IT department can relate cautionary tales of people who unwittingly clicked on the wrong link in an e-mail message. Native application review of e-mail inevitably exposes the reviewer's PC and/or firm network to malware. The fifth advantage of using an EDD review tool is that malware is quarantined during pre-review data processing. Even if a malware message was to slip through processing, it would be isolated within the review tool, thus eliminating any risk to the reviewer's computer system.

6. Tag Documents for Relevance and Issues

A fundamental drawback of native application review of e-mail is that there is no good way to tag messages or attachments for relevance, issues, or other review categories. Assuming less than the entire mailbox is to be produced, which is normally the case, the reviewer must at a minimum mark responsive, non-privileged messages for production. The usual method of “tagging” in native application review is to drag and drop a message into a “Production” folder created by the reviewer for that purpose. This raises several problems. It's a cumbersome process in practice. Changing the original folder structure and message foldering is spoliation. A message can only be “tagged” once; for instance, for production as in the above example, by issue, as privileged, or by another singular category. Lastly, a message and its attachments can't be tagged separately.

Using an EDD review tool sidesteps all of these problems. A “tag” in a review tool is a checkbox or its functional equivalent. Review tool tags are both quick and easy to use. They don't alter the original folder structure, since it is captured as a metadata field during pre-review data processing. A single record may be tagged with multiple categories, for example:

• Responsive/non-responsive;
• Privileged;
• Privilege basis;
• Issues pick list;
• Confidentiality designation;
• “Hot doc”;
• Needs further review; and
• Witness.

Tags are often customizable, though this varies by review tool. Finally, because messages and attachments are loaded into an EDD review tool as separate records, they can be tagged separately.

Tags are especially useful in creating production sets; for example, by searching for all documents tagged responsive, tagged non-privileged, and not tagged for further review. Similarly, a reviewer can use tags to quickly organize documents later in discovery, such as retrieving documents tagged by witness name for deposition preparation.

7. Expedite Privilege Review And Logging

Separate tagging of messages and attachments is also useful in privilege review since it's not uncommon for an e-mail family to include both privileged and non-privileged files and for messages and attachments to have different privilege claims. Additionally, partially privileged documents can be redacted electronically in an EDD review tool whereas in native application review, a partially privileged document must either be withheld in its entirety or printed and redacted in hard copy format.

However, the greatest advantage of using an EDD review tool for privilege review is that it can be used to substantially automate privilege log creation by generating reports of tagged-privileged records. In native application review, the privilege log must be created the old-fashioned way by manually keying in: 1) the objective fields from the face of the document (from, to, date, etc.); 2) the subject matter description; and 3) the privilege basis. An EDD review tool shortcuts each step. First, data processing extracts the objective field information from metadata. That information is loaded into the review database and can be listed on the privilege log report. Second, each privileged record can be annotated in the review database with a subject matter description and tagged with the appropriate privilege basis during privilege review.

The report should always include a column for the unique document identifier number. This allows for easy cross-reference between the log entries and the corresponding records in the review database. Reports are typically generated as an .XLS file or .CSV file (the latter easily converted to .XLS), which can be edited and supplemented as needed before disclosure to the other side.

8. Create and Share Annotations

Annotating a document in native application review means writing notes on a legal pad or its electronic version. With an EDD review tool a reviewer can create annotations directly in the database using a Notes (or similarly named) text field that is electronically appended to the record. Notes are searchable, they can be as expansive or succinct as needed, and there's never any confusion about what e-mail message or attachment the annotation refers to. In many review tools, notes can be printed or exported to a spreadsheet. Finally, review teams can use annotations to share comments and questions.

9. Dataset Integration

An e-mail account is reviewed in isolation from the rest of the clients' ESI (electronically stored information) in native review, including the e-mail account owner's other documents and other e-mail collected in the case. When e-mail data is loaded into a review tool, however, it is integrated into the full document collection dataset. There are three primary benefits of dataset integration:

• De-duplication. De-duplication is especially important for corporate clients, as there is always a great deal of duplication among co-workers' e-mail accounts.
• Global search. Running searches across the entire dataset, and optionally the other side's production as well, is important for putting communications into context and mapping who knew what and when.
• e-Mail threading. e-Mail threading is an advanced review tool feature available in some EDD review tools that identifies all messages belonging to a single e-mail string and groups them together for review. It can be run within a single e-mail account or across multiple accounts. More and more, even small e-discovery cases involve a large volume of e-mail data. e-Mail threading, in combination with de-duplication, is an invaluable tool for expediting review in such matters.

10. Automate Process Documentation

In native application review, process documentation is whatever notes were made by the reviewer or, further complicating the picture, reviewers. Manually documenting a review is onerous. Moreover, different reviewers may use inconsistent terminology or follow conflicting practices as to what needs to be documented. Creating process documentation is also not the best use of a lawyer or paralegal's time. The tenth advantage of using an EDD review tool ' in conjunction with complementary EDD processing and production tools ' is process documentation that is comprehensive, substantially automated, and consistent across projects.

Conclusion

Native application review of e-mail is a penny wise, pound foolish decision. Using an EDD review tool is ultimately both more cost-effective and more defensible than native application review.

Helen Geib is a practice support consultant for Qdiscovery. She brings extensive law firm experience and perspective to her work as an e-discovery consultant where she also provides trial consulting services in civil and criminal cases.

Cost conscious lawyers and clients sometimes choose to conduct pre-production review of client e-mail in a native e-mail application. They use an installed application like Microsoft Outlook or an internet e-mail program like Gmail. Their goal is to cut e-discovery costs by avoiding the data processing and data hosting fees associated with using a dedicated EDD database review tool. Unfortunately, native application review brings with it risks of spoliation and malware infection. Second and equally important, EDD review tools offer substantial advantages in review efficiency, searching, privilege review, and e-discovery process documentation. This article gives 10 reasons to use an EDD review tool instead of native application review.

A Little Technical Background

Depending on the type of e-mail program at issue, an e-mail account can be reviewed natively by accessing the account directly on the client's PC or by using the client's Web log-in credentials, as appropriate. More often however e-mail is first copied as part of e-discovery data collection. For purposes of this discussion, there's no pertinent difference between e-mail data collected from installed applications like Outlook versus Internet e-mail accounts. The e-mail mailbox ' messages and attachments, calendar, contacts, etc. ' is exported or downloaded and then saved in an e-mail container file. (To provide a reference point, it's similar to creating a .ZIP file to bundle multiple Microsoft Office documents.) In this scenario, the reviewer opens the container file using the e-mail software, usually Microsoft Outlook that is installed on his or her PC or firm network.

1. Avoid Spoliation

Just as opening a document on a client's PC can change metadata like last accessed date, native review of a client's mailbox can change metadata specific to e-mail. For example, opening a message in the Inbox changes its status from “read” to “unread.” Read/unread status is frequently relevant, such as in employment matters where a former employee's knowledge or usage of the contents of a specific e-mail is at issue in the case. Opening a message can also send an auto-reply if the sender requested a read receipt. Moving a message to a different folder, such as from the Inbox to a “Production” folder created specifically for the review, likewise alters the original state of the account.

Assuming a preservation copy of the e-mail account is maintained separately from the working review copy, collecting the e-mail account prior to review limits, but does not eliminate the spoliation problem. The principal defensibility issue here is that Outlook will not open a read-only copy of an e-mail container file; in other words, it's impossible to write-protect e-mail data in native application review. Consequently, any document production that is made from the review copy is made from spoliated data.

2. Save Review Time

EDD review tools save time and aggravation in linear (i.e., document-by-document) review through superior handling of attachments. The preview feature in e-mail programs has several drawbacks in document review. First, not all e-mail programs have a preview feature. Instead each attachment must be opened natively (e.g., opening a .PDF in Adobe Reader), which can slow the review considerably. With Internet e-mail, the attachment file may have to be downloaded to the reviewer's PC before it can be opened. Second, the preview feature may not support all file types. Third, a preview window can be inadequate for reviewing content-rich files like Excel spreadsheets and PowerPoint presentations.

When e-mail is loaded into an EDD review tool, each message and attachment is assigned a unique document identifier number and displayed as a separate record in the review database. A “parent” (message) and “child” (attachment) are linked inside the database such that each e-mail family is grouped together for linear review. Both messages and attachments are displayed in a rendered native view similar in appearance to the preview display. The most important difference between this process and native application review is that all attachments are rendered as part of EDD data processing. (Any files that can't be processed for technical reasons, usually a very small percentage of the whole, are reported as exceptions.) Furthermore, files for which the rendered view is inadequate can be opened in native view within the EDD database and are never downloaded to the local PC. Although the time savings from these features might seem insignificant for a single e-mail family, they really add up over the thousands upon thousands of messages and attachments in a typical e-mail account.

3. Files Are Fully Searchable

Keyword searches are queries of a word index that has been created for the files that are being searched. As a threshold matter, the word index for a native e-mail account may or may not be complete and reliable. Two serious, and frequently encountered, issues are indexing that isn't up to date, and non-indexed attachments.

A good EDD review tool uses validated indexing programs as part of data processing. For example, non-searchable .PDF attachments are a major problem in native application searching. However, it's standard protocol in EDD processing to create searchable text files for .PDF files and other non-searchable file types. Another common example of non-indexed files is .ZIP files. Documents inside a .ZIP file are essentially hidden from the native application's indexing program, even if they are file types that would otherwise be searchable. It's likewise standard in EDD processing to extract the documents inside a .ZIP file, after which they're treated in the review database as distinct, searchable attachments.

4. Better Search Tools

Searching in Outlook is adequate for running simple keyword searches; however, the advanced search functions are cumbersome to use and few Outlook users are proficient with them. Search functionality is generally even more limited in internet e-mail programs.

In marked contrast, EDD review tools offer the powerful search tools needed for legal review. Search capabilities may include many to all of:

• Complex keyword strings;
• Field-limited searching, e.g., from, to, subject, body, attachment text;
• Stemming and wildcards;
• Fuzzy search;
• Boolean connectors;
• Natural language;
• Proximity searches, i.e., w/paragraph, w/sentence, w/x number of words;
• Nested searches (searching within search results);
• Thesaurus; and
• Concept search.

Ease of use is typically good for the search functions of an EDD review tool; searching is an important feature to the lawyers and paralegals who drive software purchasing decisions. Finally, EDD review tools offer reporting options for search results that aid reviewers in refining search terms and constructing iterative searches.

5. Eliminate Malware Exposure

e-Mail is infested with malware: viruses, adware, spyware, worms, phishing programs, and more. Not all malware is caught by a Spam filter or is obvious on its face; every IT department can relate cautionary tales of people who unwittingly clicked on the wrong link in an e-mail message. Native application review of e-mail inevitably exposes the reviewer's PC and/or firm network to malware. The fifth advantage of using an EDD review tool is that malware is quarantined during pre-review data processing. Even if a malware message was to slip through processing, it would be isolated within the review tool, thus eliminating any risk to the reviewer's computer system.

6. Tag Documents for Relevance and Issues

A fundamental drawback of native application review of e-mail is that there is no good way to tag messages or attachments for relevance, issues, or other review categories. Assuming less than the entire mailbox is to be produced, which is normally the case, the reviewer must at a minimum mark responsive, non-privileged messages for production. The usual method of “tagging” in native application review is to drag and drop a message into a “Production” folder created by the reviewer for that purpose. This raises several problems. It's a cumbersome process in practice. Changing the original folder structure and message foldering is spoliation. A message can only be “tagged” once; for instance, for production as in the above example, by issue, as privileged, or by another singular category. Lastly, a message and its attachments can't be tagged separately.

Using an EDD review tool sidesteps all of these problems. A “tag” in a review tool is a checkbox or its functional equivalent. Review tool tags are both quick and easy to use. They don't alter the original folder structure, since it is captured as a metadata field during pre-review data processing. A single record may be tagged with multiple categories, for example:

• Responsive/non-responsive;
• Privileged;
• Privilege basis;
• Issues pick list;
• Confidentiality designation;
• “Hot doc”;
• Needs further review; and
• Witness.

Tags are often customizable, though this varies by review tool. Finally, because messages and attachments are loaded into an EDD review tool as separate records, they can be tagged separately.

Tags are especially useful in creating production sets; for example, by searching for all documents tagged responsive, tagged non-privileged, and not tagged for further review. Similarly, a reviewer can use tags to quickly organize documents later in discovery, such as retrieving documents tagged by witness name for deposition preparation.

7. Expedite Privilege Review And Logging

Separate tagging of messages and attachments is also useful in privilege review since it's not uncommon for an e-mail family to include both privileged and non-privileged files and for messages and attachments to have different privilege claims. Additionally, partially privileged documents can be redacted electronically in an EDD review tool whereas in native application review, a partially privileged document must either be withheld in its entirety or printed and redacted in hard copy format.

However, the greatest advantage of using an EDD review tool for privilege review is that it can be used to substantially automate privilege log creation by generating reports of tagged-privileged records. In native application review, the privilege log must be created the old-fashioned way by manually keying in: 1) the objective fields from the face of the document (from, to, date, etc.); 2) the subject matter description; and 3) the privilege basis. An EDD review tool shortcuts each step. First, data processing extracts the objective field information from metadata. That information is loaded into the review database and can be listed on the privilege log report. Second, each privileged record can be annotated in the review database with a subject matter description and tagged with the appropriate privilege basis during privilege review.

The report should always include a column for the unique document identifier number. This allows for easy cross-reference between the log entries and the corresponding records in the review database. Reports are typically generated as an .XLS file or .CSV file (the latter easily converted to .XLS), which can be edited and supplemented as needed before disclosure to the other side.

8. Create and Share Annotations

Annotating a document in native application review means writing notes on a legal pad or its electronic version. With an EDD review tool a reviewer can create annotations directly in the database using a Notes (or similarly named) text field that is electronically appended to the record. Notes are searchable, they can be as expansive or succinct as needed, and there's never any confusion about what e-mail message or attachment the annotation refers to. In many review tools, notes can be printed or exported to a spreadsheet. Finally, review teams can use annotations to share comments and questions.

9. Dataset Integration

An e-mail account is reviewed in isolation from the rest of the clients' ESI (electronically stored information) in native review, including the e-mail account owner's other documents and other e-mail collected in the case. When e-mail data is loaded into a review tool, however, it is integrated into the full document collection dataset. There are three primary benefits of dataset integration:

• De-duplication. De-duplication is especially important for corporate clients, as there is always a great deal of duplication among co-workers' e-mail accounts.
• Global search. Running searches across the entire dataset, and optionally the other side's production as well, is important for putting communications into context and mapping who knew what and when.
• e-Mail threading. e-Mail threading is an advanced review tool feature available in some EDD review tools that identifies all messages belonging to a single e-mail string and groups them together for review. It can be run within a single e-mail account or across multiple accounts. More and more, even small e-discovery cases involve a large volume of e-mail data. e-Mail threading, in combination with de-duplication, is an invaluable tool for expediting review in such matters.

10. Automate Process Documentation

In native application review, process documentation is whatever notes were made by the reviewer or, further complicating the picture, reviewers. Manually documenting a review is onerous. Moreover, different reviewers may use inconsistent terminology or follow conflicting practices as to what needs to be documented. Creating process documentation is also not the best use of a lawyer or paralegal's time. The tenth advantage of using an EDD review tool ' in conjunction with complementary EDD processing and production tools ' is process documentation that is comprehensive, substantially automated, and consistent across projects.

Conclusion

Native application review of e-mail is a penny wise, pound foolish decision. Using an EDD review tool is ultimately both more cost-effective and more defensible than native application review.

Helen Geib is a practice support consultant for Qdiscovery. She brings extensive law firm experience and perspective to her work as an e-discovery consultant where she also provides trial consulting services in civil and criminal cases.