- January 19, 2021
- Archive360 Team|
- Data Privacy|
- Microsoft 365|
- Regulatory Compliance|
- Cloud archiving|
- Information Security|
The following is a true story…really. The names have been changed to protect me.
Several years ago, I received a call from a friend I used to work with at another company. They were looking for an interactive Excel TCO/ROI/NPV/BET model I had developed while employed at the company. It was a massive model in which I had invested 2-3 months of work. It became a much-requested tool for sales to reference that showed how a cloud-based archive could dramatically lower the overall TCO of archiving while (in most cases) showing a positive return on investment (ROI), profitable net present value (NPV), and a really short breakeven time (BET).
The downside was that it was relatively complex (it combined hundreds of calculations across eight different Excel pages) and so was difficult for many in sales (and everyone else) to explain. Because I created it, I ended up being the designated presenter of the model at customer meetings and calls. This meant that I was the one that kept the master version and, over time, the only person that had a copy of the model.
Getting back to the call from my good friend and ex-coworker, he asked me if I still had a copy of the TCO/ROI model and, if so, whether I could send it to him. It turns out that they had a very large potential customer that wanted to see a detailed ROI calculation and description of their particular situation. It seems the salesperson had mentioned that the company had a TCO/ROI model (mine) that would provide a detailed TCO analysis of the customer’s current technology and create a detailed ROI/NPV/BET calculation if the customer replaced it with the new technology.
Wanting to close the sale, the company had spent a great deal of time looking for the actual model but couldn’t find it. The customer was pushing hard to get the TCO/ROI results or, if not, choose another vendor’s solution.
In fact, I did not have a copy of the model – I swear! Part of the company’s exit process for departing employees included being presented a legal form to sign to certify that I had deleted ALL data/files I had generated and received while employed at the company - under penalty of prosecution. I took that very seriously and actually did delete everything.
I mentioned to my friend that when I had turned in my laptop on the last day of work, I had written a long email to my managing VP giving him all of my passwords, share drive locations, etc. In fact, I believe I also noted to my manager that it would be stupid to reassign the laptop to another employee in the near-term because of the useful data the laptop contained. It turns out that they had wiped and reimaged my laptop within a couple of weeks, and all of the data on the laptop was irretrievably gone.
Also in that final email to my manager, I had pointed out that my Office 365 email and OneDrive account also contained data they would find useful (including the TCO/ROI model) and to not reassign the Office 365 license until my data had been copied to another repository that people in my group could access when needed. Of course, the company quickly reassigned the Office 365 license and lost all of my files.
Let's understand what it means to delete an Office 365 license holder and transfer that license to another. When you delete a user in the Microsoft 365 admin center, the company can choose what will happen with the departing employee’s product licenses, email, and OneDrive data.
One possibility many companies choose is to grant access to the departed employee’s accounts so they can review and download what they think will be needed in the future. That designated user will have 30 days by default to access and download any data they want to keep.
After the 30 days, the OneDrive Clean Up process is run, and all data in that Office 365 account will be deleted at the end of the 30 days. If a manager is specified for the deleted account, the manager will receive an email telling them they have access to the departed employee’s OneDrive, and that the OneDrive will be deleted at the end of the 30-day retention period. Seven days before the 30-day retention period expires, a second email will be sent to the manager or secondary owner as a reminder that the OneDrive will be deleted in 7 days.
I never asked my friend what happened with the potential deal but, for me, it highlighted an important missing process in many companies – that of treating departing employee data as valuable (also, in some cases, legally required).
At the end of the day, companies hire employees for their abilities, know-how, creativity, and experience. Blindly destroying the data they work with and create is a huge waste for the sake of freeing up an Office 365 license, especially when options exist to both store leaver data securely and reassign their licenses without risking legal or business disruption.
Some of our customers do think about the implications of reassigning the license of a departing employee. Many come to us with questions like: “We’re spending a fortune on Office 365 licenses for employees that have left the organization. We want to recycle them, but what should we do with all of the departed employee’s Office 365 data?” Believe it or not, this shows a great deal of progress in their thinking. Unfortunately, however, many companies, as in the example above, still reassign the Office 365 licenses of departed employees indiscriminately and, in doing so, delete all of their data.
As IT and corporate legal departments well know, inactive and departed employee data – including inactive Office 365 mailboxes, OneDrive accounts, Teams conversations and files, and Streams videos – can put a strain on the IT department, including the costly consumption of Office 365 licenses, rising privacy risk, and expensive eDiscovery response.
That said, an important part of the employee exit process, safeguarding employee data should be top of mind for HR, IT, and Corporate Legal, and when an employee gives notice or is RIF’d, an HR checklist should be followed, with a set of actions to perform before the employee departs.
However, in many cases (if the checklist even exists), it does not address what to do with the employee’s most valuable asset – their accumulated work data. In fact, valuable corporate data exists in all Office 365 mailboxes, OneDrive accounts, local workstation data, and SharePoint servers, but many HR processes don’t include the proactive collection of employee data before departure. The process should see IT alerted immediately to begin capturing and consolidating leaver data and migrating it into data repositories, such as those in a corporate cloud, where it can be secured, managed, and accessed by authorized employees. Your GC will probably want to keep all email and OneDrive data for an extended time in case lawsuits crop up during the statute of limitations, as well as keeping it available for use and reference for current employees.
It's hard to say definitively, but in my experience, most companies simply haven’t thought of it or haven’t developed a standardized process to collect employee data. Often, it’s because the IT department is over-worked and so instead chooses to keep the departed employee’s mailbox and Office 365 account “as is” until the time they have more data. Eventually, someone in IT notices the growing number of departed employee Office 365 mailboxes and wonders how much they cost the company.
In recent examples, a customer noticed they were paying for 8,000 inactive mailboxes in an Office 365 BPOS subscription and 7,000 inactive mailboxes in their standard Office 365 subscription – totaling 15,000 Office 365 E5 licenses. They had estimated that the 15,000 inactive mailboxes were costing them approximately $5 million annually in subscription costs. In another example, a mid-size U.S. city told me that over 55% of their current Office 365 mailboxes were from departed employees.
Currently, when an employee leaves a company, many organizations will quickly reassign the employee’s Office 365 account to pass the license to another employee. Alternatively, they’ll cancel it altogether to save on cost. The departed employee's mailbox data is retained for 30 days after the license is removed. During this period, the company can still recover the mailbox data by undeleting the account. However, after 30 days, the data is permanently deleted – raising the risk of destruction of evidence or spoliation claims if the data is potentially responsive in current or anticipated litigation.
A common method for preserving departed employee data is by converting an Office 365 mailbox to a “shared mailbox.” The main driver for the popularity of this strategy is that Office 365 shared mailboxes are free. However, there are several complicating issues with shared mailboxes:
Depending on access rights to the shared mailbox, approved employees can still delete or edit content in a shared mailbox – also a legal defensibility issue. To mitigate the risk of data loss due to delegates deleting shared mailbox content, the company should apply read-only access policies instead of the default full mailbox access. However, this does not apply immutability to the data and could cause the data to be called into question later by regulators, auditors, or opposing counsel in a litigation setting.
The immutability issue (#5 above) can catch many by surprise, especially corporate attorneys. If immutability is required for legal reasons, i.e., proof that evidence has not been altered, the shared mailbox should have an “In-Place Hold” applied, which requires costly Office 365 licenses – defeating the “no-cost” benefit.
Furthermore, the shared mailbox size limitation (#2 above), will force the creation of additional shared mailboxes. Looking at the previous example where the company had 68 TB of inactive mailboxes, it would take 1,360 shared mailboxes to hold 68 TB of departed employee mailbox data – a management and legal nightmare.
Alternatively, the Microsoft-recommended method for preserving departed employee mailbox data is through declaring (programmatically) the mailbox inactive. Declaring a mailbox inactive is also free and also allows the release of the corresponding Office 365 license. To make a mailbox inactive, you first need to apply an In-Place Hold on the entire mailbox; you can then delete the corresponding user object. Any licenses assigned to the user will be released for reuse at that stage. However, any non-mailbox data, such as OneDrive for Business data, will be lost. This also applies to the Office 365 archive mailbox.
Inactive mailbox data can only be accessed by performing an eDiscovery search, which guarantees that only people with eDiscovery access rights have access to it. If specific mailbox contents are needed in litigation or a regulatory information request, they can be located using an eDiscovery search and then copied to a Discovery mailbox where they can be accessed without impacting the immutability of the original content.
As mentioned above, if the departed employee’s data needs to be retained for legal or regulatory reasons, the data can be moved into a shared mailbox or converted into an inactive mailbox. But before the company chooses one of these paths, they should fully understand both the pros and cons of each strategy and how it will potentially affect their legal department.
The shared and inactive mailbox processes have been the go-to strategies for companies wishing to address their growing inactive mailbox challenge. However, both strategies have several issues associated with them, which we discussed earlier in this article.
Consolidating and managing inactive or departing employee data in a centralized and secure corporate cloud account is now a preferred strategy. It not only includes mailboxes, but also other data not addressed by using shared or inactive mailboxes, and ensures data immutability, security, copy of record status, and retention or disposition – which can be accomplished quickly and inexpensively.
I recently heard from a big pharma customer which maintained a low-tech and risky process for data retention for legal situations. The company was gathering and storing the physical devices from departed employees – including laptops, desktop workstations, and company-supplied smartphones – in a locked room and retaining them for three years (the local statute of limitations for wrongful termination lawsuits) in case the legal department needed the data in a future lawsuit or audit.
An obvious issue with this process is that it ties up expensive hardware for long periods of time while running the risk of equipment obsolescence and data loss the longer it is stored. Additionally, hard disks should be “spun-up” on occasion; otherwise, hard disk operation can be affected, potentially limiting or even prohibiting data recovery. This company sought a lower cost and compliant solution and now creates an image of the data on each piece of equipment and stores each image in a secure, IT-controlled cloud account for legal search when needed. Also, the data is now managed, so after the applicable retention period, the expired images are disposed of in a legally defensible manner.
Leaver data is a challenge that’s not going away but there is a straightforward approach to overcoming it. In order to achieve cost effective and legally sound outcomes, companies should create and follow an employee exit process that should include a collaboration of HR, IT, and the legal department, to capture all of the departing employee’s data (including all Office 365 account data before its lost) and securely store it in a controlled-access cloud account.
Archive360 works with clients to ensure departed employee Office 365 data is captured, migrated, stored, and managed in a legally defensible manner in your own cloud, ensuring those valuable assets are not lost. With automated retention and disposition, the data can be searched easily and analyzed using cutting-edge tools for legal, compliance and HR. Even better, such analysis applied company-wide could provide you with employee sentiment insight to prevent employees from leaving in the first place.
Contact us today to find out how we can help.
Archive360 offers Symantic / Veritas Enterprise Vault migration, among other major archiving platforms. Trusted by thousands of companies such as Netflix, 3M, Samsung, and McKesson
Your legal, compliance and security teams rely on having an immutable copy of all of your emails. Office 365 archiving does not support journaling. So what should we do?
This eBook provides actionable tips to empower IT to solve the problem.