An organization receives a legal hold notice regarding a pending lawsuit. The IT department is instructed to preserve all relevant electronically stored information (ESI). Which of the following actions must be taken FIRST?
This ensures that no relevant data is automatically purged.
Why this answer
When a legal hold notice is issued, the first priority is to preserve all potentially relevant ESI by immediately suspending any automated data deletion policies (e.g., retention schedules, auto-archiving, or purge scripts). This prevents spoliation of evidence before any collection or analysis begins. Failure to do so could result in sanctions for destroying discoverable data.
Exam trap
EC-Council often tests the misconception that forensic analysis or data collection should be the immediate step, when in fact the legal hold requires first stopping any automated destruction mechanisms to preserve the current state of ESI.
How to eliminate wrong answers
Option A is wrong because a full forensic analysis is a later step in the e-discovery process, not the first action; performing it prematurely could alter data or waste resources before the scope of preservation is defined.
Option B is wrong because notifying employees to delete personal files contradicts the legal hold's purpose and could be construed as intentional spoliation; employees should be instructed to preserve all potentially relevant data, not delete anything.
Option D is wrong because deleting emails older than 30 days would destroy potentially relevant evidence and directly violate the duty to preserve ESI under the legal hold.