An organization receives a legal hold notice regarding pending litigation. The IT department is instructed to preserve all relevant electronically stored information. What is the primary action the IT department should take?
This preserves the data as required by the legal hold.
Why this answer
The primary action is to place a legal hold on relevant data and suspend routine deletion policies. This ensures that all potentially relevant electronically stored information (ESI) is preserved in its current state, preventing spoliation and compliance with the legal hold notice. Suspending deletion policies stops automated processes like email purge jobs or document retention schedules from destroying evidence, which is a foundational step in the e-discovery process.
Exam trap
EC-Council often tests the misconception that the immediate response to a legal hold is to create forensic images of all systems, but the correct first step is to suspend deletion policies to prevent data loss before any imaging or collection occurs.
How to eliminate wrong answers
Option B is wrong because ignoring the notice and continuing normal operations would constitute spoliation of evidence, violating the legal hold and potentially leading to severe legal sanctions, including adverse inference instructions or monetary penalties. Option C is wrong because creating a forensic image of all servers immediately is an overreaction and not the first step; imaging is a preservation technique but should be targeted and performed after identifying the scope of relevant data, not indiscriminately across all servers, which is disruptive and unnecessary. Option D is wrong because permanently deleting all emails older than 30 days is the exact opposite of preservation; it would destroy potentially relevant ESI and directly violate the legal hold, risking spoliation charges.