In today’s organizations there is a high level of expectation from our users that they will always have access to their email, even from years past. From the business there is a high level of expectation that we will retain email for the predetermined amount of time required from a legal and compliance perspective.
History has shown us that not having a proper retention policy, and being unable to recover email during litigation, can lead to costly fines. So I strongly recommend that you work with YOUR legal and compliance teams to determine what your organization NEEDS to retain.
When you meet with these teams here is what you will need to take away as action items:
- Which emails must be retained, and how long a retention policy is required for the long term?
- Which people on your team will be spending their time researching and setting up your Office 365 archiving retention policies? Also, who will they work with on additional legal and compliance questions?
- Step back and determine if there are any other organizational challenges that could impact your ability to retain information.
- Repeat this process every 6 – 12 months. Strategies need to continually evolve and change in a way that ensures proper business alignment.
Regulatory Guidelines for Compliance Success
The government has put together the following regulatory programs, which should be reviewed to determine whether any of them apply to your business. I would also expect legal and compliance guidance to consider these as they apply to your organization.
- Sarbanes-Oxley Act of 2002 (SOX)
- Gramm-Leach-Bliley Act (Financial Modernization Act)
- Health Insurance Portability Act (HIPAA)
- There are more – do your homework!
Every legal team takes a different approach to these. I have dealt with organizations that keep everything, and I have dealt with organizations that only keep what follows their backup policy. Your organization will likely fall somewhere in the middle, as these examples demonstrate both extremes.
Choosing an Archiving Solution
Your archiving solution should achieve two main goals for your business:
- Keep it Simple – choose a solution, either built-in or third-party, that will not complicate your environment design.
- The solution should protect organizational data through policy and proper configuration.
A great option for ensuring that the general policies you set up will not remove any data needed for a lawsuit is to place a mailbox on litigation hold. If you are using Office 365 and your plan includes archiving, this will be available for your use.
Here are some considerations with legal hold:
- If the user’s mailbox has an archive mailbox and the primary mailbox is put on legal hold, the data in both mailboxes will be retained.
- Deleted and modified items will be kept in addition to the rest of the mailbox data for the time period determined by the litigation. Alternatively, you do not need to set a time period and can leave the legal hold in place until you are requested to remove it.
If your organization’s legal and compliance team mandates that you are able to review every single email sent and received within the organization, then journal archiving should be implemented.
Why, you ask? Well, here is some of the detail about journal archiving that further supports its value.
- When journal archiving is enabled, the Office 365 Journaling agent is configured to journal all messages sent to and from mailboxes within your organization.
- When this is done, you then have the ability to record all email communications for the organization.
Archiving is Necessary
If your organization requires any form of email retention, then archiving must be researched and implemented for your business. Do not decide on your own which emails need to be kept and for how long. Be sure to work with your legal and compliance teams to guide your decisions for the long-term success of the organization you work for.