The correct answer is B because a legal hold requires the organization to preserve potentially relevant information. The first practical step is to notify the departments, custodians, IT staff, and records personnel who may control or possess relevant emails so they do not delete, alter, or overwrite them.
Exact supporting extract: the Secbay CySA+ guide defines legal hold as a process used to preserve relevant information associated with legal proceedings, investigations, or disputes. It states that once a legal hold is in effect, it is crucial to communicate it to relevant personnel who may have custody or control over the information, including IT staff, records management personnel, and employees with pertinent data.
The Sybex CySA+ Study Guide also states that legal holds require organizations to preserve all potentially relevant data and information related to pending or active litigation. It specifically notes that legal holds may involve data such as logs, email, or transactional information that would otherwise be destroyed under normal retention procedures.
Why the other options are incorrect:
A is incorrect because disclosing the request to unrelated vendors could create confidentiality and legal issues.
C is incorrect because chain of custody is important when evidence is collected and transferred, but the first legal-hold step is preservation notification.
D is incorrect because producing mailbox copies to the attorney is premature. The organization must first preserve the relevant data and follow legal/eDiscovery procedures.
