- April 23, 2021
- Bill Tolson
Changes in workplace communication and the rapid adoption of collaboration platforms, such as Microsoft Teams, call into question the long-term viability of standalone business email platforms. In the last couple of years, Microsoft has positioned its Office 365 Teams collaboration application as an eventual replacement for standalone Microsoft Exchange environments. However, the continuing challenge for FinServ companies is that the Teams application is architected very differently from Office 365 Exchange Online. Firstly, Teams is not a standalone product; rather, it bundles elements of Office 365 and other applications, complicating compliance with the SEC data retention requirements. Secondly, and most importantly, Teams does not have an equivalent of the Exchange journaling function to copy, move, and secure regulated Teams content to a consolidated location for easy SEC D3P access and search.
Instead, Teams data is spread across the organization's Office 365 platform. For example, chats are stored in the various Team members’ mailboxes; shared files are stored in Team members’ OneDrive accounts, group conversations in group mailboxes, Wikis and file tab content in SharePoint, meeting recordings in Stream, voice and video calls, contacts, voicemail/call history in the Exchange user's mailboxes, and private chats are stored in the posting user's mailbox. This dispersed Teams data storage (see figure 1 below) complicates the D3P accessibility requirements.
Figure 1: Teams data is stored differently depending on the content type (table from Microsoft website dated 07/13/2020)
All of these storage locations are hidden from normal end-user access and only available to the administrator - making them somewhat equivalent in use to an on-premises Exchange journal. Remember, the SEC does not specify the use of a journal for email (or other communications) capture – only that FinServ companies must adopt a technological process that protects the broker/trader email and other communications from alteration or deletion, thereby guaranteeing an original copy of record.
It could be argued that Teams data capture and storage into hidden folders, inaccessible by the average employee, meets the copy of record SEC Rule 17 requirement. However, there are several issues associated with using the built-in Teams retention capabilities for SEC compliance. In fact, the SEC Rule D3P requirement is the toughest to overcome without a separate, consolidated archive.
Again, SEC Rule 17a-4(f) stipulates that in the event of discontinuance of business or a refusal to cooperate with an SEC information request, the D3P must have unfettered access to the FinServ company's regulated data, including emails/attachments and Teams communications for review and download.
This requirement is an important consideration when deciding how to set up a compliant SEC email/Teams archive. Without all communications (Exchange and Teams) consolidated into a single archive, how would a D3P search for and find all SEC-requested data? At the very least, the FinServ would need to provide broad access to the company's Office 365 tenancy through Microsoft Compliance Center. This is an obvious non-starter for FinServ Chief Information Security Officers (CISOs). What CISO would accept a D3P searching through all their company's data?
Additionally, the SEC requirement specifies that regulated data must be stored in a way that allows SEC records to be indexed and stored in an immutable manner, with immediate accessibility for a period of two years. This means that relying on the standard Teams data retention capabilities would probably not meet the "availability/immediacy" requirement.
The Microsoft Teams collaboration application is an excellent tool for FinServ companies, especially in today's pandemic-inspired business models. However, companies need to fully understand the issues and complexities of remaining compliant with given industry data retention/management laws, such as SEC Rule 17a-4. First, Teams functionality offers a great deal more than simple chats. While FinServ organizations will no doubt utilize the one-to-one and one-to-many chat capabilities (which are saved as emails), their employees are communicating through Teams in more ways than just chat. Meeting recordings, video and audio calls, shared files, hyperlinks, wikis, file uploads, emojis, sentiments, and private channel chats are all potentially regulated data for SEC Rule 17 compliance. And, per Figure 1 above, they are stored in different formats across multiple applications within Office 365.
Additionally, for a D3P to access and download a long chat string, they would need to manually search for and manually assemble a long series of individual chat emails to represent an entire conversation. Setting aside the complexity and potential for error, this manual process would also leave out other important data such as emoji placement and timing, the files that were shared during the conversation, and when during the chat those files were actually shared.
Most importantly, don't be fooled by cloud archiving vendors that say they are Teams SEC-compliant while including tiny footnotes listing all the Teams data objects they don't capture – an immediate disqualifier for SEC compliance.
In the last several months, I have written about the potential challenges for regulated companies in the adoption of the Teams application, including why Microsoft Teams Archiving is More than Capturing Chat and Adoption of Microsoft Teams Creates Tomorrow's Litigation and eDiscovery Issues.
Both blogs discuss the complex nature of Teams data retention architecture with regards to eDiscovery and regulatory compliance. Check them out to get a deeper understanding of Teams archiving.
To address Teams' archiving challenges while reducing compliance risk, check out Archive360 for Microsoft Teams, designed from the ground up to archive and manage all Teams data, and to do so in a way that provides the appropriate level of compliance required by Financial Services organizations regulated by SEC Rule 17.
For more information, check out our article on why Microsoft Teams is more than capturing chat.