Defensibility Pitfalls of Microsoft 365's Purview eDiscovery

Defensibility Pitfalls of Microsoft 365's Purview eDiscovery

For a more comprehensive overview of the main eDiscovery challenges presented by Microsoft 365 and how you can avoid them, check out Logikcull’s recent guide, “eDiscovery in Microsoft 365: A Compete Guide.”


Raise your hand if you love being sanctioned. Okay, maybe a blog isn’t the best format for a “raise your hand”-style Q&A, but I’m going to go ahead and assume nobody’s hand is up.  Discovery sanctions are probably something you’d like to avoid. And even though they’re trending down since the passage of the most recent revisions to the Federal Rules of Civil Procedure (which we wrote about at length), there’s still no shortage of court-ordered penalties for basic discovery failures -- or, for that matter, exasperated judges bemoaning lawyers’ fake-it-to-make approaches with delightfully colorful language. Hat tip to Judge Lain Johnson for “it’s no longer amateur hour.”  

But some potentially sanctionable behavior is less egregious. Not negligence. Not even ignorance. More “how would I have even known…?” 

Which brings us to Microsoft 365’s “Purview” eDiscovery tool. (You may know it as Microsoft Advanced eDiscovery or Purview eDiscovery (Premium). Branding aside, we’re talking specifically about the suite of eDiscovery tools available to enterprise Microsoft 365 and Office 365 users.)  We’ve already discussed some of the issues with using Purview for eDiscovery, like severe search limitations and the inability to handle large, complex productions. So today, let’s focus on some of the defensibility issues presented by the platform.

Sensitive Metadata Included in Productions

You know how everything that happened in Atonement could have been avoided if James McAvoy hadn’t accidentally sent Kiera Knightley the note telling her everything he was supposed to keep to himself? And how Saoirse Ronan reads it and then tells his private thoughts to other people? And then it gets him sent to prison for a crime he didn’t commit? (I realize the timeliness of this reference isn’t great, so if you need to take a brief pause to watch Atonement and have a cry, please do. I’ll wait.) 

It’s important to keep sensitive information private, especially when it can cause you to lose cases and clients, get sanctioned, or be forever separated from the love of your life. 

Spoiler alert: He doesn't.

Sensitive information doesn’t just exist in the text of your emails, files, chats, and other information you might hand over through eDiscovery (though Purview has some issues with that too, which we’ll discuss momentarily). It can also exist in the metadata you pass along in your production. And if you’re using Purview, Microsoft-specific metadata is often appended to your production by default. 

Briony! Bring back my load files!

Deduping, Indexing, and Searching (Or Lack Thereof)

You know how in Multiplicity, the more Michael Keaton clones are made, the more complicated and difficult the situation gets? (Yes, we can get more obscure than Atonement.) 

The more clones are running around, the harder it is for Michael Keaton to keep a handle on what’s going on and figure out what’s really important. The same can be said in discovery. If you can’t reliably deduplicate your data, you create extra work for yourself, increase the likelihood that you’ll miss something because of all the extra files (including near duplicates you might assume are the same), and of course cause nothing but confusion for poor Andie MacDowell. 

Purview’s deduping leaves much to be desired, and reliable deduping is not guaranteed. On top of this, Purview doesn’t index certain file types, like MP3s or files encrypted with non-Microsoft technology, or data that has attachments. This results in important data getting swept under the rug and missed, and makes it very difficult to search. Searches are over-inclusive while also missing important attachments and embedded files. And since deduplication isn’t effective, that means there are even more files that can get returned on an overly-inclusive search. 

All this means that it’s easier for sensitive data to slip through the cracks and be produced to or withheld from the opposing side when it shouldn’t be.


You know that episode of The Office where they’re reading Michael’s screenplay and he wrote Dwight as the inept character and then tried to replace his name using a search-and-replace but missed one because he spelled it “Dwigt?” Okay, I’ll admit this is the biggest reach, but we’re rolling with a theme here. 

Redactions are a key part of discovery, for obvious reasons. You don’t want your “Dwigt” to be the smoking gun the opposing side is looking for. Redacting thoroughly can take a lot of time to make sure nothing gets missed. Bulk redaction is supposed to take this extra time and work out of the process… But only if it works. And in Purview, the redaction tool is unreliable, and requires you to go back through to double-check all redactions, leaving room for more human error and risking a significant data breach when you produce.

But Seriously…

We’re having fun here, but sanctions are no joke. And legal professionals have an obligation to understand the nuances and limitations of the technology they’re using to perform a diligent search. As we’ve seen time and time again, “the vendor made me do it” is not an excuse that typically holds up in court. So if you’re using Microsoft Purview for discovery, make sure you can account for any potential gaps in the evidence. You just might be asked to defend them.

Want to see Logikcull in action? 

Let us show you how to make Logikcull can help you save thousands in discovery.

Want to see Logikcull in action? Let's chat.

Our team of product specialists will show you how to make Logikcull work for your specific needs and help you save thousands in records requests, subpoenas, and general discovery.