E-Discovery

Davi Schmidt:
Hi everyone. And welcome to our Watch It Work series. I'm joined by Scott Ferguson, Senior Manager of our Solutions Engineering team.

Scott Ferguson:
Hello everyone. Thanks for joining us today.

Davi Schmidt:
We are here to show you what's possible with a modern Cloud-based software, which takes a comprehensive approach to your electronic communications. I'm going to go over our agenda so you know what to expect from us First I'm going to switch things over to our expert, Scott, and he's going to go over how Smarsh can fit into your e-discovery strategy. Then he'll give a brief platform tour. This will provide you a foundation for what you see when you first log in with Smarsh, a sort of under the hood, if you will. And then following that, we'll dive into what you all came here for. Scott's going to take us into the connected archive and show it in action. While he's in there, he'll go over a couple of real world scenarios.

Davi Schmidt:
And with that, I will shoot it over to you, Scott.

Scott Ferguson:
Awesome. The first piece that I'm going to head off to is that context is number one there. Putting a little context to the demonstration here, and stay in slides and I know everybody wants to see the live thing, but I think it would make some sense to just take a step back, take a higher level look at what we're talking about here. Smarsh is comprehensive archiving provider, so on the left hand side here, you can see categories that the over 80 message channels that Smarsh can capture kind of standing at the left. And we're going to move from left to right through an industry accepted framework called the e-discovery reference model. And this is basically a model that explains the life cycle of records that could be responsive in an e-discovery workflow.

Scott Ferguson:
Kind of running in the background of this framework is over time as you move from a record being created to it ending up as a responsive record in an investigation. Over time, you have a lot of records and the volume decreases, make sense? And the relevance that any one record or any group of records have to the matter at hand, the legal matter, internal investigation, what have you, the relevance increases over time, so that's kind of running in the background and we're going to run through some categories here. And so we'll take a brief pause real quick. I may use the term records as a general term, may use the term messages as a general term. All of the activity for the message channels in the categories to the left there, are going to count as quote messages and records from here on out, so that may be social media posts, and comments, and profile updates, that may be mobile text messages, or a voice call for example, so I'm using the general term of messages but it is referring to posts and comments of all the platforms that we support.

Scott Ferguson:
With that, the first category that I would like to cover are Information Governance and Identification, so these categories really are getting you prepared to handle your records properly. Thinking, acceptable use prop policies. How are we advising our employees to use these communication channels properly, to make sure that they are handling these records as they're supposed to. Making sure that we have a retention strategy in place for these records so that we can bring them back, and kind of a subpoint to all this and a real key value proposition from Smarsh is the value of metadata associated with the records themselves. Metadata is a powerful piece to this entire framework because it empowers your search, it helps you get a quicker and deeper understanding of again, that relevance to the matter at hand, so this is where you're setting the policies on which message channels your employees can and should use, how you're going to retain those, and even getting down in categories such as metadata. From there, we're making decisions on how to preserve and then collect records.

Scott Ferguson:
And in the framework of Smarsh with electronic communications, we are basically trying to help you prevent the inappropriate destruction of data, make sure that the right people have the right access to the data that they are allowed to see, and that you can retrieve it quickly. Again, pulling in these message channels in their native format so that you can leverage the metadata in order to search through these things quickly and easily. Again, very important in these Preservation and Collection areas. Is the place that you're storing these things, do they provide an easy way to view the metadata? Smarsh you do, we keep the message channels in their native format, which basically means that when you look at it in the archive, it looks like, say a Slack message or a Microsoft Teams post or comment. The full context of that conversation is there. And it's easy to understand quickly and easily.

Scott Ferguson:
Since all of that metadata is preserved properly, we're bringing all the relevant information to the archive in the first place. Now we're getting into the nitty gritty of Processing, Review, and Analysis. The whole point here is to reduce the volume of the data that would be deemed responsive to any sort of investigation. And again, quick and easy searching to make sure that when it comes time to actually hand this off, hand this data off that you are not handing over too much or too little data as it relates to the investigation at hand. And those handoff steps are generally known as Production producing. We are going to be using the term exporting in the context of Smarsh here today. How do we export out of the system and are you able to present that in an easy to use format? And through this whole life cycle, do you have a full chain of custody on that data? Was the data altered in any way? Did people that were not supposed to see this data, were they able to see it?

Scott Ferguson:
Do you have a defensible process for collecting all of this data? And this is what Smarsh is here to help you with, so before we head on into the live demonstration, I do like to go through what we call a brief platform tour. We're going to head across the top menu bar. This is just so that when we get into the live version, we're not spending too much time looking around the interface, wondering what all those other buttons that I'm not going to click through actually do, and how they may relate to where we go. First the home button, if you get lost, if you get homesick, hit the home button, it's going to take you to your main dashboard that you can see through the gray area there now. Next, Search. This is to the main place where you kick off a discovery process. I need to run an investigation. I need to search across the messages, the posts, the comments, so on and so forth in my archive.

Scott Ferguson:
And I need to get to the heart of a particular investigation as quickly and as thoroughly as possible, you do that via Search. Sometimes multiple searches are necessary in order to find all of the responsive messages or records, and that's what Cases are for. Cases are there as sort of a static bucket that is just a place off to the side for that particular case, or legal matter, or investigation, whichever term you want to use at hand. I can run a search on Scott's data, or let's say someone can run a search on my data and then they can run a search on Davi's data as separate searches and place them into a case separately. And the case is an area basically where you have a collection of data that may or may not be ready to produce and then for presentation, but you are going to be whittling that information down just to what's most responsive, so it is a dedicated workflow.

Scott Ferguson:
The Cases are a dedicated workflow for e-discovery, lots of collaboration functionality in there. And so we're going to be spending most of our time in Search and Cases. Policies, this is an automated tagging and flagging engine, so as data is ingested into the archive, the policies are there as basically if then statements, if the sender or recipient on this message is a member of the executive staff. Well, according to our retention schedule, those should be kept longer. Okay, so the policy engines will tag that message as such. You can also use the policy's engine to look for potentially risky communication, so your looking for language that may lead to workplace harassment type of issues. We have the policies area to basically automatically tag and flag those items for you and bring them to your attention.

Scott Ferguson:
Reports, reports are there to basically provide a look on the activity that is going on within the archive, so sometimes folks think, oh, I'm going to log in to Smarsh, run a report, so I can look at my messages. Nope, that's what a search is for. Reports are basically a collection of all the audited actions that are being taken by users. In this case, Anthony and collecting those, so did Anthony go and change the retention schedule when he shouldn't have, when was the last time Anthony logged in anyway, things like that. And each of the messages has their own audit history as well, so any changes, or tags, or flags, or notes that you leave on a particular message that is also audited over time, so even if you change it, there is a record of that attached to the messages.

Scott Ferguson:
Smarsh metadata, metadata added by Smarsh can be added to messages and can be added to the administrative users. Also, you have a full audit trail and again, a defensible process for producing these records. Lastly settings, this is where you configure your archive and we obviously help you configure your archive to make the most of it for your particular business initiatives, so things like making sure that Anthony, again here has the proper data permissions. He's not seeing data that he shouldn't and he's actually able to, or that Anthony as a user is set up with a role where he is only taking the actions that he should or shouldn't, so in that example, where I said that, there was a report that showed Anthony changed the retention schedule. Well, what should have happened was his role would be set to where he is not allowed to do that, so it's those types of actions that are taken in the settings area and of course, connecting to new data sources and whatnot, so that is background.

Scott Ferguson:
Let's get into the actual business case of what you wanted to come here and see, which is the live demonstration, those two scenarios. How to search for messages in the archive and how to export them? I'm going to run through a really quick example, because this covers most of the investigations that people need to run, so in my seat right now in the scenario that I'm going to run through right now, I am an administrator that caught word that there was an inappropriate conversation, an inappropriate comment from Ryan in a public Slack forum, so whoops, just going to open up those dates up and I want to go ahead and take a quick look at what Ryan had said and grab that conversation and quickly produce it. Again, I put in Ryan as an individual was a wild card, as you can see that we have a couple public messages, so like posts into Slack, direct messages that we've captured here.

Scott Ferguson:
And it looks like here is the one, here's the thread that I wanted to zero in on. I knew that it took place in October. Okay, this was the end of this conversation, so let's go ahead and open up the thread here. And what I'm doing is actually leveraging that metadata, I was beating the drum on early, which is a thread ID. And so because we pull in the thread ID, that allows us to look farther and farther into the conversation as far as what led to the inappropriate comment that we are looking at here, so we see Sandeep saying that compliance will never figure it out. Okay, well we did. You can also see that we are capturing edits and deletes, so how does that work? I'm going to open up the thread a little bit further here because you want to see what this edit was associated with. Open up the thread, let's come back down, I go to hover over this edit. I can see it changed so I clicked on that, it flagged, it kind of opened up this one too, so Alex took this comment edited it to this.

Scott Ferguson:
This one was actually subsequently deleted, so here's the conversation that I want to produce. I don't need to run multiple searches, I found the one conversation right away. And I want to go ahead and just present that conversation to HR real quickly or add it to a file. You can print directly from the platform here, so you see we are prepared to print, you print the page, I have it saving down as a PDF. Now the conversation will look just as it does in the archive, so you print those pages, basically saving it down onto your local machine there, so that is, I need to find this one conversation, I found it very quickly, so that's a use case there. But what if you need to run a deeper investigation? Now let's go ahead and run through that, so I'm going to head back to a new search. I'm going to start a fresh search here. Although you can see the searches I ran a couple minutes ago is right there as well.

Scott Ferguson:
And a quick overview of what's possible in the search pane here, so content that's referring to all of the message channels that you have connected into Smarsh, so if you only have a couple, then those are the only ones that will show. People are the senders and recipients on messages. Again, messages can be posts, comments, so on and so forth. Keywords is referring to keywords and phrases that occur in any number of places, so the subject line of emails for example, body of these messages, just going to cover about 95% of the messages we're talking about. File name and file texts are referring to attachments, so if we are pulling in attachments and the attachment is like a PDF where you can perform a control find on, then we're going to be indexing those and those are searchable in the archive, and you can even get down into the nitty gritty of like proximity sets, so one word within so many words of a second keyword there.

Scott Ferguson:
There are other sort of deeper functionality in the search page, so at a high level, this review tab allows you to search on Smarsh metadata. Again, what do I mean by that? I mean, these are the tags and flags that have been added once the message entered the archive, it didn't take place on Microsoft Teams, or Slack, or on the mobile text message in their native applications. These were tags and flags that were added by Smarsh either automatically by the policies, that automated tagging and flagging or through someone adding them manually within the archive here, so you can search on that. And then lastly actually the Advanced tab, again, pulling in these modern commun-ication types in their native format allows us to do some pretty interesting things.

Scott Ferguson:
Like I just want to focus on comments and administering social media pages, and I just want to see what's people are saying about us, for example, you can focus on comments there. But in the search that I want to run, I understand that there was an issue with, again, another employee, not Ryan this time, but rather Doug Henderson, you can go ahead and wildcard him out as a individual. I want to see what he says across all communication channels, for example. Go ahead and see how many messages we have. Okay. We have 27 from Doug let's go ahead and take a closer look here. And we have a mix of communication types now showing in our results, so you can see that we have email, Microsoft Teams, more email and Teams, and mobile text message BYOD application called CellTrust, and more email. And the conversation that I'm looking for is the one between Doug and Gary.

Scott Ferguson:
Teams to Gary Tulier, it seems to start here with this email here. Okay, we got some images, it came across. Okay, so part of his signature. Oka,. We'll go up in time then on the next day, April 15th, 16th. Okay. Then all these are on the 16th, so it looks like things kind of pick up here. I'm look looking at the first message between these two. And what's nice about having these threads are, even though I'm selected on this one message, I can see everything that came afterward and again, we're getting pictures, and gifs, and all of the attached media is going to show here as well. And so it looks like you have a conversation between Doug and Gary. And yeah, so here's the conversation that I'm looking for. Ends at 4:43, and it picks up again on CellTrust, So we're kind of hopping from channel to channel, which is pretty common. That we see, okay, here's the full message trail there. And then we have the email conversation here as well.

Scott Ferguson:
We'll go ahead and show those images. Okay, so we have more aggressive claims in stock picking, so I want to take, okay. And then these are not to or from Gary and Doug, so I'm going to take all the messages to and from Gary and Doug. Oops, a little bit far. Okay, and they're right there. I'm going to select those, I'm going to update them in the Action panel over here. Again, this is smart metadata that we're adding here. And I want to add them to the Doug Henderson matter that we have, that is a particular case here. I'll go ahead and update those messages. And when I go over to the Cases area and let's say, I have a couple different searches that I've run now and filled up this case with. I want to actually look at the contents of the case here for review. And now this case can be filled up with quite a few messages. And so now the decision isn't is this potentially part of our investigation, but rather it's getting down into the nitty gritty. Is this something that is responsive to this investigation or not?

Scott Ferguson:
And that's the decision that you're making here in the Cases area. And so you can use the filtering on this left hand panel to just filter within the 92 messages of this particular case, for example. If I were to open this Slack thread here. Again, you can see the channel that it took place in, the team here as well. And now my decision is this channel or excuse me, this message that I see from Ryan here does it actually belong in this case, if not, go ahead and remove it. Go from 92 total responsive records down to 91, and these are the actions that we're taking. Using the filtering on the left hand side to whittle it down just to what we need, and then we're getting ready to export, so now that we have all the records that we need again, quick detour can put a legal hold on these cases to trump any retention schedule that you have in place, keep notes on why the case exists for example, which administrative users have access to that case.

Scott Ferguson:
Again, who has access to login, is actually allowed to see this case. You can lock that down. You can even invite outside counsel in, give them a role where all they can do is see the Cases area, and only the cases that you want to make available for them, so there's a lot of flexibility here. When it comes time to export the 91 messages that are actually responsive, you can choose the format in which you will produce those. And then, a couple email formats, and then of course native. Here add a password if you want to pass the through an encrypted channel and select the delivery method, so an in app download would mean you're downloading it directly onto the local machine you're using at that time. For me, that would be the laptop I'm using right now, or I could actually send it to a third party through an SFTP destination folder, so lots of delivery options there. And so that's how you search for messages either very quickly or in bulk in a deeper investigation and then export them to whoever needs them.

Davi Schmidt:
Awesome. Thanks for walking us through all of that. I have a couple of questions. Can you import historical Slack data?

Scott Ferguson:
Yes, you can. All we need to know is how much data that you have. And that is something that your Slack account manager is able to help you with, so pass that information onto us, there's a one time cost to pull that data in, and then we're good to go.

Davi Schmidt:
Okay, what is the setup process like for IM and collaboration tools?

Scott Ferguson:
Yeah, so we've seen a lot of interest in things like Slack, Microsoft Teams, WebEx Teams, and the integration is really quite straightforward in this professional archive that we're looking at here. We basically pass an authorization token back and forth between Slack and Smarsh. And then once you pass that token back and forth and authorize the channel, then you're set. You can choose to archive just a couple channels for example, or you can, and this is what most folks do. They actually select that I want to capture all the channels within my Slack instance and then all the copies of those posts, comments, and messages will be sent onward, so really quite simple.

Davi Schmidt:
Great, thank you. I want to thank everybody for joining us today. if any of this has peaked your interest, and you'd like more information or a more in depth conversation about how Smarsh can accommodate your particular environment. We have a team of extremely knowledgeable folks that would love to walk you through that. Also feel email to us at advantage@smarsh.com with any additional questions or comments, so thanks again for attending this Watch It Work and thank you Scott for walking us through everything.

Scott Ferguson:
Yeah, absolutely. Thanks for having me.