There are important considerations corporate IT, legal and compliance teams need to address before the move to the cloud occurs.
Over the last five years, Microsoft has evolved its offerings around data governance, including e-discovery and retention capabilities, to enable users to more efficiently handle regulatory requirements and litigation matters.
This effort began in 2011, when Microsoft launched Office 365 (O365) as a cloud-based communication and collaboration platform, and the successor product of Microsoft’s BPOS, which was released in late 2008.
Many organizations are currently in the process of moving to O365, or preparing to do so, and analysts have indicated the process has arisen as an acute pain point from an information governance and e-discovery perspective.
To fully benefit from these developments and Microsoft’s latest suite of tools, there are important considerations corporate IT, legal and compliance teams need to address before the move to the cloud occurs.
These considerations range across email archiving issues, data preservation requirements, cross-border regulations, data security and e-discovery processes. The most pressing are outlined below.
- Planning and Design Considerations: Many organizations have existing email archive solutions that may be on-premise or hosted by a third party. Most on-premise legacy archiving solutions won’t work out of the box with O365. Moving the mailbox to the cloud can break the stubs, leaving users unable to access archived email. Further, costly and slow email archive vendor API limitations can result in a lot of unnecessary retained data. Companies with large data volumes should conduct a thorough, and compliant cleanup of the archive before migrating to O365. To be done right, this process involves taking a complete inventory of preservation obligations and regulatory requirements on email stores that will serve as the retention and deletion criteria during pre-migration cleanup.
- Journal Archiving: Some industries have regulatory requirements to retain an immutable copy of all emails for certain types of communication, or specific users, in a secure archive that is separate from the end user’s access. Highly regulated industries such as financial services, insurance and healthcare must be particularly vigilant in maintaining compliance with these requirements. While O365 does support journaling, the migration process should involve an audit of these processes, involving the company’s internal journal archive manager or the responsible third party, to fully understand compliance needs.
- Retention Considerations: There are capabilities in O365 that enable organizations to apply retention settings to an entire mailbox to determine how long messages should be retained. There is also the option to specify folder-specific retention periods within a mailbox; companies often apply a short retention period to an inbox, while a longer retention period, up to indefinite retention, is applied for mailbox folders used for long-term storage. Additionally, O365 storage solutions OneDrive for Business (ODB) and SharePoint, offer comparable retention functionality. While O365 offers controls to ensure deletion after the retention period expires, it does not ensure that messages are actually kept for the specified period. Employees can still delete messages from their mailbox, SharePoint site or ODB drive before the retention period is reached.
On top of the retention period functionality, O365 also offers a legal hold functionality to ensure preservation of items after deletion. Such preserved items can be stored on the back end, invisible to the user. Regardless of whether or not a secondary archive is being used, it is important to align the varying retention periods across different types of O365 content to avoid a resulting legacy data problem and ensure comprehensive legal hold.
- Regional Requirements: Many global corporations maintain separate email archives or other data repositories by country or region to maintain compliance with jurisdictional regulations. Organizations that have strict requirements about data being transferred out of a particular country or geography should consult with local legal counsel to determine each region’s specific laws. Common issues include blocking statutes, state secrecy provisions and data privacy laws, particularly when transferring data across borders between countries with differing levels of protection. Many countries will challenge the transfer of certain data across borders, and it is key to understand if the terms that Microsoft supports are sufficient, or if exceptions need to be made for certain jurisdictions. There are also limitations on searching data across geographies, making the involvement of legal and technical teams that understand these nuances imperative when designing cloud architecture.
- Streamlining Process: Companies with large volumes of legal holds can take advantage of Microsoft PowerShell, which enables IT to develop back-end scripting to bulk apply preservation guidelines to sets of mailboxes. When finer grain criteria are necessary, the e-discovery center can be used to apply filters, such as specific timeframes or search terms. Each company takes a different approach when it comes to their preservation and collection processes, so understanding the capabilities and constraints within O365, and working strategically with them will help save time and cost.
Legal and compliance need to be involved in the process from the design stage to ensure data is appropriately preserved and governed through its lifecycle, and address potential compliance gaps. Leveraging involvement of third party experts in partnership with stakeholders from IT, legal and compliance will enable a pragmatic and cost effective process that mitigates risk and ensures a compliant migration to the cloud.
As Senior Director at FTI Consulting, Sonia leads Information Governance initiatives for FTI’s Technology practice group, helping corporations deal with the challenges associated exploding data volumes and complying with complex global regulations. Sonia has deep experience in transformation and change across related disciplines in e-discovery, Records Management, Archiving and Storage Optimization.
Alain Pelluch (MLAW, CIPP) has several years experience in the field of eDiscovery and since recently Data Privacy/Data Protection in the Corporate Legal department of Novartis, a global healthcare company based in Switzerland.