
eDiscovery Best Practices in 2026: Why Behavioral Evidence Matters


"eDiscovery best practices" used to describe a stable set of habits: custodian interviews, legal holds, preserve-in-place, targeted collection from file shares and Exchange, and review in a hosted platform. These habits still apply, but the assumptions under them do not.

What changed is where work lives and how it leaves a trail. A modern matter unfolds across Microsoft 365, Slack, Teams, SharePoint, OneDrive, and other integrated tools. Evidence is no longer the document. It’s the document, version chain, link, channel, reaction, access pattern, and the identity behind each touch. Best practices have changed because the core record has changed. Practitioners who get this right have rebuilt their playbooks around it.

This blog walks through the parts of eDiscovery that look the same on paper but operate differently in practice: identification, scoping, preservation, collection, chain of custody, proportionality, and what each requires now.

Key Takeaways

  • Identification is the nexus of defensibility. Every downstream cost, every sanction risk, and every credibility argument traces back to whether the right data and the right custodians were named at the outset.
  • Custodian lists drawn from the org chart no longer reflect who actually touched the evidence. Behavioral evidence (observed access, edits, shares, and reactions) has displaced role as the trustworthy signal.
  • Collect-to-Preserve has replaced preserve-in-place as the operating model for cloud collaboration. The defensible posture in 2026 is a deterministic end state, not a promise that retention policies will hold.
  • Proportionality still constrains scope, but it cannot rescue a matter that was scoped poorly. The cheaper review is the one you never had to run because identification was tight.
  • Rule 37(e) sanctions hinge on reasonable steps, and reasonableness is now judged against what reasonable practitioners do in Microsoft 365 and Slack, not against what was reasonable in the on-prem era.

Identification is the nexus of defensibility

A matter that is scoped well almost never produces sanction headlines. A matter that is scoped badly almost always does. The data behind that pattern points to a single stage: identification. Every assumption you make early in a program can cause problems later. It can create preservation gaps, lead to collecting too much data, increase review costs, and result in testimony that no general counsel wants to give.

Identification in 2026 means naming the right custodians, data sources, and time window with enough precision that preservation can be defensible and collection can be proportional. The trouble is that all three of those inputs have become harder to fix. Custodians collaborate in shared spaces with people outside their team. Data sources include cloud apps that did not exist at the last refresh. The relevant time window often extends past the moment a custodian left the organization, because their messages and files live on in shared channels and inherited workspaces.

Practitioners who treat identification as a clerical step (pull names from the org chart, list a few systems, set a date range) inherit the consequences at every later stage. Identification carries the matter. When it is loose, everything downstream gets expensive.

Behavioral evidence replaces role-based identification

The org chart tells you who was supposed to be involved. The system logs tell you who actually was. The gap between those two answers is where most identification mistakes live, and it is where opposing counsel learns to look.

Consider a procurement dispute. The custodian list assembled from job titles will name the procurement director, the category manager, and the relevant business owner. The behavioral evidence may show that a junior analyst on a different team had edit access to the negotiation deck, was the last person to modify the financial model, and posted the disputed figure in a shared Slack channel where the contract terms were debated. The org chart would not have surfaced that analyst. The access logs and message history would.

Behavioral evidence, meaning observed access, edits, shares, comments, reactions, and message activity, is the trustworthy signal in cloud collaboration. Role is a useful starting point. It is not a defensible stopping point. Identification grounded in behavioral evidence produces narrower, more accurate custodian lists, which produces less overcollection, which produces lower review cost and better defensibility. The economics of the program follow the precision of the identification.
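The procurement scenario above, as an added example that is not part of the original post or any vendor's tooling: it derives custodians from observed activity and reports the gap against a role-based list. The event schema, addresses, artifact names, and dates are constructed assumptions.

```python
from datetime import datetime

# Constructed audit events in a simplified, hypothetical schema (not a real export format).
EVENTS = [
    {"ts": "2025-03-02T09:14:00", "user": "director@example.com", "action": "view", "artifact": "negotiation-deck.pptx"},
    {"ts": "2025-03-03T16:40:00", "user": "analyst@example.com", "action": "edit", "artifact": "financial-model.xlsx"},
    {"ts": "2025-03-04T11:05:00", "user": "analyst@example.com", "action": "post", "artifact": "slack:#contract-terms"},
    {"ts": "2025-03-04T11:09:00", "user": "manager@example.com", "action": "react", "artifact": "slack:#contract-terms"},
    {"ts": "2025-03-05T10:00:00", "user": "analyst@example.com", "action": "edit", "artifact": "lunch-menu.docx"},
    {"ts": "2025-06-20T08:00:00", "user": "intern@example.com", "action": "view", "artifact": "financial-model.xlsx"},
]
SCOPE = {"negotiation-deck.pptx", "financial-model.xlsx", "slack:#contract-terms"}
START, END = datetime(2025, 3, 1), datetime(2025, 3, 31, 23, 59, 59)
ROLE_BASED = ["director@example.com", "manager@example.com", "owner@example.com"]

def observed_custodians(events, scope, start, end):
    """Map each user to the in-scope artifacts they touched and how, inside the window."""
    seen = {}
    for e in events:
        if e["artifact"] in scope and start <= datetime.fromisoformat(e["ts"]) <= end:
            seen.setdefault(e["user"], {}).setdefault(e["artifact"], set()).add(e["action"])
    return {u: {a: sorted(acts) for a, acts in arts.items()} for u, arts in seen.items()}

def last_modifier(events, artifact):
    """User behind the most recent edit of an artifact, or None if it was never edited."""
    edits = [e for e in events if e["artifact"] == artifact and e["action"] == "edit"]
    return max(edits, key=lambda e: e["ts"])["user"] if edits else None

def identification_gap(role_based, observed):
    """Compare the org-chart list with observed activity, in both directions."""
    return {
        "missing_from_list": sorted(set(observed) - set(role_based)),
        "listed_without_activity": sorted(set(role_based) - set(observed)),
    }

if __name__ == "__main__":
    observed = observed_custodians(EVENTS, SCOPE, START, END)
    print(identification_gap(ROLE_BASED, observed))
    print(last_modifier(EVENTS, "financial-model.xlsx"))
```

The `listed_without_activity` side is worth recording too, since it documents why a role-based name was excluded from scope.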

Collect-to-Preserve becomes the operating model

Preserve-in-place was a sensible model when the data lived in systems that the legal team's preservation hold could meaningfully control. Microsoft 365 retention, Slack workspace settings, third-party app retention, and overlapping user-level permissions have changed that calculus. A preservation hold is now a directive layered on top of platforms whose default behaviors continue to operate around it.

Collect-to-Preserve is the response. The practice is to pull the relevant evidence into a defensible repository at the time the obligation attaches, rather than relying on the source system to hold it indefinitely in its original location. The collection itself becomes the preservation artifact. Chain of custody starts at the point of collection, not at the point of a hold notice that may or may not survive a retention setting nobody documented.

This is not a rejection of preserve-in-place. For some sources and some matters it remains the right approach. The shift is that Collect-to-Preserve has become the default posture for the dynamic, multi-tenant, fast-changing surfaces where modern collaboration happens, and the burden of proof now sits with the program that chose to rely on in-place mechanisms alone.

Chain of custody in cloud environments

Chain of custody used to mean a documented trail of physical or logical possession from collection to production. The principle has not changed. The artifacts that make it defensible have.

In a cloud collaboration record, the document is not the only thing that needs a custody trail. The as-sent version of a message, the link target at the moment a recipient clicked it, the permissions in effect when the file was opened, and the identity over time of the user who took each action all carry evidentiary weight. A custody record that captures the file but not the surrounding context leaves a gap that opposing counsel will name. That gap, between artifact and surrounding reality, is the context gap, and it widens with every collaboration tool added to the stack.

Defensible chain of custody in 2026 means capturing the evidence and the context that frames it, with cryptographic integrity, time-stamped acquisition, and an evidence graph that links each artifact to the identities, permissions, and behaviors around it. Anything less invites the kind of cross-examination that ends in a motion.
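One way to make that custody record tamper-evident, as an added example that is not from the original post or any product: each entry binds the artifact's SHA-256, its acquisition time, and its context to the previous entry's hash. The field names and the `acquire`/`verify` helpers are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # placeholder "previous hash" for the first entry

def _digest(obj):
    """SHA-256 over a canonical JSON encoding, so key order cannot change the hash."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def acquire(log, artifact_id, content, context, acquired_at=None):
    """Append an entry binding content hash, context, and time to the previous entry."""
    body = {
        "artifact_id": artifact_id,
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "context": context,  # e.g. acting identity, permissions in effect, link target
        "acquired_at": acquired_at or datetime.now(timezone.utc).isoformat(),
        "prev": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry = dict(body, entry_sha256=_digest(body))
    log.append(entry)
    return entry

def verify(log, contents):
    """Return a list of problems; an empty list means records and artifacts are intact."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_sha256"}
        if body["prev"] != prev:
            problems.append(f"entry {i}: broken link")
        if _digest(body) != entry["entry_sha256"]:
            problems.append(f"entry {i}: record altered")
        data = contents.get(entry["artifact_id"])
        if data is None or hashlib.sha256(data).hexdigest() != entry["content_sha256"]:
            problems.append(f"entry {i}: content mismatch")
        prev = entry["entry_sha256"]
    return problems
```

A chain like this only proves integrity relative to its newest hash, so that value needs to be recorded somewhere the repository operator cannot rewrite it.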

Proportionality has not gone away; it has gotten harder

Proportionality remains the legal anchor. The producing party is not required to turn over every artifact that touched a custodian's account. The party is required to make reasonable, proportional efforts. The hard part is that proportionality is judged against the matter, and modern matters do not present clean boundaries.

A negotiation that happened across email, Teams chat, a SharePoint workspace, three Slack channels, and a shared OneDrive folder does not fit neatly into a custodian-and-keyword search. The proportional response is to scope tightly using behavioral evidence, collect what falls inside that scope to a deterministic end state, and document the reasoning behind every inclusion and exclusion. Proportionality is no longer a defense raised at production. It is a discipline applied at identification, and the record of that discipline becomes the argument.

Rule 37(e) and the meaning of reasonable steps

Rule 37(e) sanctions for failure to preserve ESI hinge on whether the party took reasonable steps. Reasonableness is not measured in the abstract. It is measured against what reasonable practitioners do under the circumstances, and the circumstances in 2026 are Microsoft 365, Slack, Teams, and a collaboration record that does not preserve itself.

A program that issued a hold notice, configured a basic retention policy, and assumed preservation was complete will find that the standard has moved. Reasonable steps now include identifying the custodians whose behavioral evidence indicates involvement, capturing the relevant data into a defensible repository where its integrity can be proven, and documenting the chain of decisions that led to each choice.

Spoliation findings increasingly turn on whether the party engaged with the actual mechanics of the platforms in question or treated them as black boxes. Epic Games v. Google (March 2023) found that reliance on default Hangouts auto-deletion, without affirmative steps to suspend it once preservation duties attached, met the standard for intent under Rule 37(e)(2).

Maziar v. City of Atlanta (2024) made clear the lower tier has teeth as well, granting Rule 37(e)(1) curative measures and fees without an intent finding. In re Carvana (D. Ariz., 2026) extended the trajectory by ordering a bounded forensic capability test rather than accepting blanket infeasibility claims. Judges are getting more sophisticated about how M365 and Slack actually work, and so is opposing counsel.

What This Means in Practice

The header on the program has not changed; the work under it has. A best-practice eDiscovery operation in 2026 looks, on the surface, like the EDRM diagram everyone has been working from for fifteen years. Underneath, every stage rests on different assumptions: that identification is the moment defensibility is won or lost, that behavioral evidence beats role-based guesses, that Collect-to-Preserve produces a stronger record than relying on the platform, and that chain of custody must include context, not just the artifact.

The programs that internalize that shift spend less, get sanctioned less, and find themselves arguing about the merits of the matter rather than the integrity of their record. The programs that do not are building a backlog of motions they will eventually have to answer.

Cloudficient helps enterprise legal teams apply Context-Aware eDiscovery™ across Microsoft 365, Slack, Teams, SharePoint, and other modern collaboration platforms, improving defensibility while reducing overcollection and downstream review cost.

Frequently Asked Questions

What are the most important eDiscovery best practices in 2026?

The practices that matter most are tight identification grounded in behavioral evidence, a Collect-to-Preserve posture for cloud collaboration sources, defensible chain of custody that includes context not just artifacts, and proportional scoping documented as it happens. Every one of those decisions made early reduces downstream cost and sanction risk.

How is identification different now than five years ago?

Identification used to mean assembling a custodian list from the org chart, listing email and file share locations, and setting a date range. Now it means using observed access, edit history, and message activity to find the people and data that were actually involved, because cloud collaboration routinely puts evidence in the hands of people the org chart would not have named.

What does Collect-to-Preserve mean?

Collect-to-Preserve is the practice of pulling relevant evidence into a defensible repository at the moment a preservation obligation attaches, rather than relying on in-place retention controls in the source platform. It produces a deterministic end state where the integrity of the evidence can be proven, and it starts the chain of custody at collection rather than at the issuance of a hold notice.

How do you maintain chain of custody for cloud collaboration evidence?

Capture the artifact and the surrounding context, including the as-sent version of a message, the link target, the permissions in effect, and the identity behind each action, with cryptographic integrity and time-stamped acquisition. Build an evidence graph that links each artifact to its surrounding reality so the custody record stands up to cross-examination about what the recipient actually saw and when.

What does proportionality look like in a Microsoft 365 matter?

Proportionality starts at identification, not at production. Use behavioral evidence to scope tightly, collect what falls inside that scope to a deterministic end state, and document the reasoning for what was included and excluded. The proportional response to a modern matter is a defensible record of the choices that shaped its scope.

How are courts interpreting Rule 37(e) in cloud environments?

Courts are increasingly evaluating whether the producing party engaged with how M365, Teams, and Slack actually retain and surface data, rather than treating those platforms as opaque. Epic Games v. Google (2023) ruled that relying on default auto-deletion without affirmative steps to suspend it can meet the intent threshold under Rule 37(e)(2).

Maziar v. City of Atlanta (2024) showed Rule 37(e)(1) curative measures can attach without intent. In re Carvana (D. Ariz., 2026) ordered a forensic capability test rather than accepting infeasibility claims. Reasonable steps now include identifying behaviorally involved custodians, capturing data into a controlled repository, and documenting the decisions made.
