When the Evidence Trail Goes Cold Before the Case Even Starts
By the time most organizations formally open an internal investigation, the most critical window for data preservation has already passed. Files have been deleted. Messages have been cleared. Cloud storage has been reorganized. According to the ACFE’s Occupational Fraud 2024: A Report to the Nations, organizations lose an estimated 5% of annual revenues to fraud, and a typical scheme goes undetected for a full 12 months before it is discovered. The ACFE also found that active approaches such as automated data monitoring cut that detection window to six months, compared to detection times as long as 24 months for organizations relying on passive methods.
Data activity monitoring closes that gap. It is the practice of continuously tracking, logging, and analyzing how data moves, who accesses it, and when changes occur across collaboration platforms, file systems, and cloud environments. When applied to legal and compliance workflows, it functions as an early warning system, giving teams the visibility to act before evidence degrades, before legal holds are missed, and before a defensible collection becomes impossible.
Unlike traditional auditing, which is retrospective and often manual, data activity monitoring operates continuously and in near real-time. It captures not just what data exists, but what is happening to that data at any given moment.
For legal operations, compliance officers, and IT teams, this distinction is significant. Auditing tells you what happened after the fact. Data activity monitoring tells you what is happening now, which is the difference between reactive response and proactive risk management.
Three Ways Data Activity Monitoring Functions as an Early Warning System
1. Detecting Anomalous Behavior Before It Becomes a Litigation Event
Not every data risk announces itself. Employees departing with sensitive files, unusual after-hours access to restricted repositories, or bulk downloads from a collaboration platform rarely trigger automatic alerts under standard IT configurations. Yet these behaviors are consistently cited as precursors to intellectual property theft and regulatory violations.
IBM’s Cost of a Data Breach Report 2024 found that malicious insider attacks averaged $4.99 million per incident, the highest cost of any attack vector studied. Early detection is the most direct lever for reducing that exposure: breaches identified and contained within 200 days averaged $1.26 million less in total cost than those that exceeded that threshold.
A data activity monitoring layer establishes a behavioral baseline for how users typically interact with data. Deviations from that baseline, such as a finance employee accessing HR repositories they have never touched before, or a departing contractor sharing project folders externally in their final week, generate signals that legal and compliance teams can act on immediately.
Detecting risks early through data activity monitoring does not require legal teams to monitor every interaction in detail. It requires surfacing the right signals at the right time so that investigations can be scoped accurately from the start.
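The baseline-and-deviation logic described above, as an added illustration that is not Onna's code or any product's detection engine: it builds a per-user baseline from a constructed historical access log and flags the three kinds of signals the text names (first access to an unfamiliar repository, after-hours access to a restricted repository, and an external share by a contractor in their final week). All events, users, repository names and the departure date are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log events (not real data): user, department, repository,
# action, whether the action shared data outside the organization, timestamp.
BASELINE_EVENTS = [
    ("alice", "finance", "finance/ledger", "read", False, "2024-03-04T10:12:00"),
    ("alice", "finance", "finance/ledger", "write", False, "2024-03-11T14:30:00"),
    ("bob", "eng", "eng/project-x", "read", False, "2024-03-05T09:05:00"),
    ("bob", "eng", "eng/project-x", "write", False, "2024-03-12T16:45:00"),
]
RECENT_EVENTS = [
    ("alice", "finance", "finance/ledger", "read", False, "2024-04-02T11:00:00"),
    ("alice", "finance", "hr/compensation", "read", False, "2024-04-02T23:40:00"),
    ("bob", "eng", "eng/project-x", "share", True, "2024-04-03T17:20:00"),
]
# Constructed HR data: the contractor's last working day.
DEPARTURES = {"bob": "2024-04-05"}
RESTRICTED_PREFIXES = ("hr/",)

def build_baseline(events):
    """Repositories each user has historically touched."""
    seen = defaultdict(set)
    for user, _dept, repo, _action, _ext, _ts in events:
        seen[user].add(repo)
    return seen

def detect_signals(baseline, events, departures, restricted=RESTRICTED_PREFIXES):
    """Return (user, repo, reason, timestamp) for each deviation from the baseline."""
    signals = []
    for user, _dept, repo, action, external, ts in events:
        when = datetime.fromisoformat(ts)
        if repo not in baseline.get(user, set()):
            signals.append((user, repo, "first access to repository", ts))
        if repo.startswith(restricted) and not 8 <= when.hour < 19:
            signals.append((user, repo, "after-hours access to restricted repository", ts))
        if external and user in departures:
            last_day = datetime.fromisoformat(departures[user])
            if timedelta(0) <= last_day - when <= timedelta(days=7):
                signals.append((user, repo, "external share within final week", ts))
    return signals

if __name__ == "__main__":
    for s in detect_signals(build_baseline(BASELINE_EVENTS), RECENT_EVENTS, DEPARTURES):
        print(s)
```

The baseline window here is a handful of events; in practice it would span weeks of activity and the working-hours window would come from policy rather than a hard-coded range.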
2. Preserving Evidence Integrity from the Moment a Risk Is Identified
One of the most persistent challenges in eDiscovery is the reliability of evidence collected weeks or months after a triggering event. Courts have increasingly scrutinized the integrity of late-stage collections, and the consequences of delayed preservation are significant. In Donofrio v. IKEA US Retail (E.D. Pa. 2024), the court imposed sanctions after relevant emails from four key custodians were deleted because neither in-house nor outside counsel followed up to confirm those mailboxes were on hold. The spoliation went undisclosed for 11 months.
These outcomes are preventable. The Sedona Conference Commentary on Legal Holds, Second Edition establishes that preservation obligations attach once litigation is “reasonably anticipated,” not when it is certain. The standard is objective: whether a reasonable party in the same circumstances would have foreseen litigation. Data activity monitoring operationalizes that standard by converting behavioral anomalies into documented, timestamped signals that demonstrate reasonable anticipation was recognized and acted upon.
When monitoring is connected to a broader collaboration data platform, legal holds can be triggered automatically as soon as a risk signal is flagged, creating a defensible chain of custody from the earliest possible moment.
3. Scoping Internal Investigations with Precision
One of the most significant cost drivers in any internal investigation is scope creep. Without visibility into what data was accessed or changed in the period preceding a triggering event, legal and IT teams frequently over-collect. Entire custodian mailboxes, full workspace exports, and broad file system snapshots are pulled when only a narrow set of activity is relevant.
Document review alone accounted for approximately 64% of all discovery spending in 2024, reaching nearly $10.8 billion globally, according to ComplexDiscovery’s Winter 2026 eDiscovery Pricing Survey, conducted in partnership with EDRM. Anything that reduces unnecessary review volume has a direct and measurable impact on legal spend.
Data activity monitoring provides the forensic specificity needed to scope investigations accurately from the outset. When legal teams can see precisely which files a custodian accessed, which were modified, and which were shared externally during a defined window, they collect what is relevant rather than what is available. This is the discipline that data readiness and governance audits consistently identify as the highest-leverage opportunity in legal operations.
The Infrastructure Requirements for This to Work
Data activity monitoring is only effective when the underlying data infrastructure supports it.
- Centralized visibility across platforms. Most enterprise environments span email, messaging platforms, cloud storage, and project management tools. A collaboration data platform that normalizes and indexes activity across all sources is foundational. Monitoring that covers only one platform creates blind spots.
- Audit trail integrity. Logs need to be tamper-evident and reliably timestamped. In litigation, the chain of custody for any digital evidence will be scrutinized. Logs accessible to the custodians being investigated will not withstand legal challenge.
- Integration with legal hold workflows. Monitoring that generates signals without connecting to hold and collection workflows adds work rather than reducing it. The value of early warning is realized only when the signal is acted on immediately and evidence preserved automatically.
- Defined retention and governance policies. Retention schedules determine what data is available to monitor and for how long. Without them, monitoring produces incomplete records and gaps that complicate both investigation and defense.
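One way to make the audit trail in the second requirement tamper-evident, as an added example that is not Onna's code or any product's logging format: each signal record is chained to the hash of the record before it, so altering or deleting an earlier entry breaks every later link. The signal records are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64

def entry_hash(prev_hash, record):
    """Hash the previous link together with a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append_entry(log, record):
    """Append a record, chaining it to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev_hash": prev_hash, "hash": entry_hash(prev_hash, record)})
    return log

def verify_chain(log):
    """Return the index of the first broken link, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash or entry["hash"] != entry_hash(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    return None

# Constructed signal records (not real data), timestamped by the monitoring system at write time.
SIGNALS = [
    {"ts": "2024-04-02T23:40:00Z", "user": "alice", "repo": "hr/compensation", "event": "after-hours access"},
    {"ts": "2024-04-03T17:20:00Z", "user": "bob", "repo": "eng/project-x", "event": "external share"},
    {"ts": "2024-04-03T17:21:00Z", "user": "bob", "repo": "eng/project-x", "event": "hold applied"},
]

def build_log(records):
    log = []
    for r in records:
        append_entry(log, dict(r))  # copy so the caller's records stay untouched
    return log

def tampered_index(records, idx, field, value):
    """Build a log, alter one field of a stored record, and report where verification fails."""
    log = build_log(records)
    log[idx]["record"][field] = value
    return verify_chain(log)

# Caveat: someone who can rewrite the whole chain can recompute every hash, so the
# latest hash must be anchored somewhere the investigated custodians cannot reach
# (a write-once store, a separate system, or a signed timestamp).
```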
What This Means for Legal Operations, Compliance, and IT Leaders
Legal operations leaders: Investigation readiness is no longer a capability built after a matter opens. It must be embedded in how the organization manages data on an ongoing basis.
Compliance officers: Data activity monitoring provides the documentation trail needed to demonstrate to regulators that governance controls are not only in place but actively operating. In enforcement proceedings, continuous monitoring carries more weight than point-in-time audits.
IT and information governance leaders: The challenge is connecting monitoring infrastructure to legal workflows without requiring manual intervention at every step. The organizations that have done this effectively treat monitoring as a legal readiness function, with IT as the enabling layer.
Start With Visibility, Then Build from There
The most common obstacle to using data activity monitoring as a legal early warning system is not the technology. It is the absence of a clear picture of where enterprise data lives, who has access to it, and what governance controls are currently in place. Before monitoring can be meaningful, organizations need to understand what they are monitoring and why.
Onna helps legal, compliance, and IT teams build the data infrastructure that makes early warning systems operational. From centralized data collection across collaboration platforms to defensible hold and preservation workflows, Onna connects monitoring capability to legal outcomes.