Who is responsible for collecting ESI from third-party custodians or vendors that hold our data?
When data lives with a third party — a cloud provider, a payroll processor, an outside contractor, or another business partner — the question of who collects electronically stored information (ESI) for litigation or an investigation comes down to one core principle: control, not physical possession.
The Organization Usually Owns the Duty
In US civil litigation, a party’s discovery obligations generally extend to information within its possession, custody, or control. Courts have read “control” to include data a party has the legal right or practical ability to obtain — even when a vendor physically holds it. So if your organization can demand the data back under a contract or has the practical means to retrieve it, the duty to preserve and produce that ESI typically remains yours. You cannot outsource the obligation simply by outsourcing the storage.
Note that the precise scope of “control” varies by jurisdiction. Federal courts, individual state courts, and other countries apply different tests, so confirm the standard that governs your matter.
Who Actually Does the Work
Collection is a coordinated, cross-functional effort rather than a single owner:
- Legal / counsel defines scope, issues the litigation hold, and decides what must be preserved and collected.
- Records and information governance identifies where relevant data resides, including which vendors hold it and under what retention terms.
- IT and information security execute or oversee the technical retrieval and chain-of-custody.
- The third party or vendor is directed to preserve and deliver the data, but acts on your instructions — they are not independently responsible for your litigation duties.
Practical Steps
- Map your vendors early. Know which providers hold relevant ESI before a dispute arises.
- Build discovery terms into contracts. Require preservation cooperation, defined data-return rights, and reasonable retrieval timelines.
- Issue holds to vendors promptly when litigation is reasonably anticipated, and document the request.
- Verify and validate the collected data for completeness and defensible chain-of-custody.
When data genuinely sits outside your control — held by a true non-party with no contractual hook — the requesting party may need a subpoena or other compulsory process to reach it.
For broader context on the discovery lifecycle, see e-discovery.
Sources & further reading
Authoritative government and non-profit references.
- Federal Rules of Civil Procedure — U.S. Courts
- The Sedona Conference publications — The Sedona Conference
How to cite this page
APA
RM University Editorial. (2026). Who is responsible for collecting ESI from third-party custodians or vendors that hold our data?. Records Management University. https://www.recordsmgmt.org/questions/who-collects-esi-from-third-party-custodians/
MLA
RM University Editorial. "Who is responsible for collecting ESI from third-party custodians or vendors that hold our data?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/who-collects-esi-from-third-party-custodians/.
Related questions
- A key custodian left the company—how do we preserve and collect their email and files after they're gone?
- An employee admitted to deleting emails relevant to a lawsuit—what do we do now?
- Are curative measures or monetary fines available when lost data can be replaced through other sources?
- Can a company be sanctioned for spoliation when an employee auto-deleted text messages or ephemeral chats?
- Can a court order cost-shifting or limit search terms when keyword searches return an unmanageable hit count?