- Creating an eDiscovery Case
- Assigning Archive Searches to an eDiscovery Case
- Export an eDiscovery Case
- Canceling an eDiscovery Case Export
- Linking an eDiscovery Case to a Smart Tag
- Managing an eDiscovery Case
eDiscovery cases allow administrators to group multiple Archive Searches together in a single case. They can be used in a number of ways as outlined below:
|Export||Messages can be exported from the Administration Console in .ZIP files containing messages in .EML format.|
|Retention Adjustment||Messages can be made subject to a retention adjustment, to increase or decrease the length of time that they are stored in the Mimecast archive.|
|Litigation Hold||Messages can be placed in Litigation Hold, where they will not be expired from the Mimecast archive for a time period defined by an Administrator. This is regardless of the message's actual expiry date.|
|Link to Smart Tag||Messages can be linked to a Smart Tag. This allows individual users or groups or users to view archived messages, where they are not the sender or recipient.|
Creating an eDiscovery Case
To create and work with eDiscovery cases, you must be an administrator and have one of the following roles:
- Super Administrator
- Full Administrator
- Discovery Officer
To create an eDiscovery case:
- Log on to the Administration Console.
- Click on the Administration toolbar button. A menu drop down is displayed.
- Click on the Archive | Discovery Cases menu item.eDiscovery cases are stored in folders. Cases cannot be created in the "Root" folder. See the Administration Console: Managing Folders page for details of how to create a folder.
- Click on the New Discovery Case button.
- Complete the Discovery Properties dialog as follows:
Field / Option Description Description Enter in a description for your case. This will be displayed in the Discovery Case Definitions list. Notes Enter the case details. This helps you and other administrators identify the case at a later date.
- Click on the Save and Exit button.
Assigning Archive Searches to an eDiscovery Case
To start assigning archive searches to your eDiscovery case:
- Open the Discovery Case.
- Select the Build Discovery Case drop-down menu.
Quick Basic Search
- Click on the Build Discovery Case | Quick Basic Search menu item.
- Complete your Search parameters as required:
|Search Description||A name to identify the search.|
|Search Text||The text you would like to search for.|
|Mailbox||The Mailbox you would like to limit the search to. Use the Lookup button to locate the correct mailbox.|
|From Date||The earliest message sent date to be included in the search. The default is Eternal to ensure all past messages are considered in the search.|
|To Date||The latest message sent date to be included in the search. The default is Eternal to ensure all future messages are considered in the search.|
For more granular options, the Advanced Search function can be used:
- Click on the Build Discovery Case | Advanced Search menu item.
- Complete your Search parameters as required:
Field Description Search Text The text you would like to search for. View the guidance on screen for using search operators. Message Components Select which message components to be considered in the search. Include Litigation Hold Messages Select whether to messages that have passed their natural expiry date but are still available due to Litigation Hold. Search within a Smart Tag When used, the search will be limited to messages that have been assigned to the selected Smart Tag. Sender and recipient filters
Either the full email address(s) or domain name of the sender and / or recipient you want to filter the search on:
- Use spaces to enact an "OR" when including multiple addresses or domains.
- If you are unsure of the full address use a wildcard (*) for the domain part of the address.
- A wildcard (*) cannot be used at the start of an email address.
- To exclude an address from the search use the "NOT" operator. This must be used after an address or domain to include, for example:
mimecast.com NOT email@example.com
Date Range The date range to filter the search on based on message sent date. Route Filter Specify the route of the messages to search for, for example, inbound, outbound, or internal. Result sort order The order in which you would like to see the results.
- To view the results of the search, click the Search button on the top toolbar.
- Once reviewed, click on the Back button to return to the Advanced Search screen.
- To save the search to the Case, click on the Save and Exit button on the top toolbar.
Add a Saved Search
If there are searches that have previously been saved, these can be linked to an eDiscovery case. To add the Saved Search to the case, click on the Save and Exit button on the top toolbar.
Once a saved search is assigned to an eDiscovery case, it will no longer display within the Archive | Saved Searches section to prevent an accidental update or deletion of the Saved Search.
Export an eDiscovery Case
To export an eDiscovery case:
- Log on to the Administration Console.
- Click on the Administration menu item.
- Click on the Archive | Discovery Cases menu item.
- Select the required Discovery Case.
- Click on the Export Case button.
- Complete the Export Details dialog as required:
Field / Option Description Discovery Description Specify a description for the download. Export Type Specify the file type to use for the exported file. Download Filename Specify a file name for the exported file.
- Click on the Save button. The export is visible in the Case Exports section of the Discovery Case page.
Canceling an eDiscovery Case Export
While an export is either Pending or In Progress, it's possible to cancel it using the Cancel Exports button in the toolbar.
Linking an eDiscovery Case to a Smart Tag
Results from an eDiscovery case can be linked to a previously created Smart Tag. This allows specific users to view messages in a secure manner.
To link an eDiscovery case to a Smart Tag:
- Click on the Build Discovery Case | Link to Smart Tag menu item.
- Complete the Link Properties settings as required:
|Select Smart Tag||Use the Lookup button next to the Select Smart Tag field to select from a list of existing Smart Tags.|
Select whether messages will be linked to the Smart Tag or removed from the Smart Tag.
Check the Perpetual Link option to include all future messages as well as existing ones. If not selected, only those emails that matched the criteria when the search was created will be displayed. Additionally, no future messages will be included.
Once the search options have been created, click on the Save and Exit button on the top toolbar to add them to the Case.
Managing an eDiscovery Case
eDiscovery cases are managed from the Administration Console in the Administration | Archive | Discovery Cases menu. The cases are displayed by folder, with high-level information about each case is available at a glance.
eDiscovery Case Status
eDiscovery cases can have a status of either Editable or Locked. A case will be locked when it:
- Has been assigned to a Litigation Hold.
- Has been assigned to a Retention Adjustment.
- Has been linked to a Smart Tag.
- Is being exported.
Mimecast will automatically unlock a case if:
- An associated Litigation Hold expires.
- There are no Retention Adjustments linked to the case.
- All linked Smart Tags have been unlinked.
- It is not being exported. This is automatically checked once per day during nightly housekeeping routines.
When a case is unlocked, an entry of type Unlock Discovery Case is added to the Account Access Event log. This is viewed in the Administration | Account | Audit Logs menu in the Administration Console.
- Who created the search.
- Whether it was saved.
- The search time and date.
- Basic search parameters.
Right-clicking on the search allows the Administrator to amend the search criteria, unlink or delete the saved search. As long as it's editable, you can remove a saved search from an eDiscovery case (the Unlink Saved Search menu item). However, you cannot delete a case once it has been created.
Once the case has been Locked, a View Saved Searches option is available. The same information is displayed, however no changes can be made to the search. Right clicking on the Saved searches provides the view menu options. A Saved Searches Summary is also provided, listing all searches assigned to the case.
eDiscovery case auditing is linked to the Search Audit logs and the Message View logs. To view the logs, open the case, click on the View Audit logs drop down menu and select a log.
eDiscovery Search Audit
Shows a log of all searches performed as part of this case, along with the search parameters. This also includes any searches that were not saved to the case.
Details such as who created the search, whether it was saved, the time and date of the search, and the basic search parameters are included. Right clicking on a search gives you the option to View Search Parameters or View Search Result. The ability to remove any entries from the list is not available.
eDiscovery Email View Audit
Shows a log of all viewed emails associated with this case. A list of all messages that have been viewed is provided, as well as whether the content or metadata has been viewed, who viewed the message, and the date and time the message was viewed.