- December 9, 2020
- Bill Tolson
Update: 5/19/2020: Table 2 below, representing content types that can be located through eDiscovery, has been updated to reflect an update which was published by Microsoft on April 29th. We appreciate Microsoft updating the reference material on the original Microsoft web page to clarify which data objects in Teams are discoverable. The original topic of the blog remains the same: companies should be aware of the full ramifications of archiving and discovering Teams content and plan accordingly to ensure full compliance with regulatory as well as eDiscovery requirements.
With the onset of the COVID-19 pandemic, many workers have been faced with working from home for the first time. A March 2020 survey from leading industry analysts, Gartner Group, showed that 88% of organizations had required or encouraged employees to work from home. As many remote workers have found out, staying in touch with fellow employees and work groups – as well as staying in touch with customers – can be difficult. As a result, organizations are aggressively adopting collaboration apps such as Zoom, Slack, Meet, GoToMeeting, WebEx, Jabber, and Microsoft Teams to help their suddenly remote workforce keep in touch and remain productive. For example, Microsoft announced that the number of Teams users grew from 32 million to 44 million in one single week.
Because many companies actively rely on Microsoft's Office 365 platform in their daily business, it’s a no-brainer that Microsoft shops are turning to Teams to help keep their employees effectively communicating while working from home.
While the immediate focus is the safety and productivity of their workforce, organizations still need to be thinking about what the sudden increase in new application adoption means to their regulatory, compliance, and litigation obligations for data retention and management.
One basic but important fact that many IT professionals aren’t aware of is that all data – including data generated by Teams – is potentially discoverable in litigation. Organizations subject to government regulatory data retention requirements such as SEC Rule 17, FINRA, and MiFID II must address how to archive Teams content in a compliant fashion. Similarly, organizations regulated by HIPAA must put appropriate policies in place to protect confidential patient information communicated via Teams. Bottom line: if your organization is subject to any regulatory data retention or privacy requirements, or you have internal data governance policies, you must put appropriate measures in place that extend to Teams use.
The need to Backup Teams vs the need to Archive…
Historically, organizations have treated backup and archiving as separate processes. The backup process was originally created for disaster recovery. Backing up is the process of making a copy of operating systems and data resident on servers and storage repositories for the purpose of restoring the entire system (OS and data) to the affected server in the event of system issues. For example, an email server becomes corrupted, and the server OS, email application, and message store need to be restored as soon as possible. The biggest problem with backups is that data can be lost between backup cycles (usually 24 hours). In the email server example, the email sent and received between backups is permanently lost when the email server is restored using the last backup data set – also referred to as the recovery point objective (RPO). The backup is usually performed utilizing a backup application that creates its own custom-formatted data container – meaning it is very difficult to search for and act on specific files in a backup file. In reality, the backup must be fully restored to the server to search and act on specific files.
On the other hand, the archiving process stores a single copy of individual files for long-term storage and management for legal, regulatory, and business reasons. A key distinction here is that individually archived data, if stored in its native format, is easier to search for and act on.
Even today, some organizations continue to rely on backups as a substitute for low-cost archives. While the cost of backup storage has continued to fall, finding and restoring these individual files can be extremely slow and expensive. For example, the estimated cost to restore, search, delete PI, and create a new backup tape can range between $1,000 and $3,000 per tape. Imagine how many of your organization’s backup tapes contain a particular data subject's PI…
To learn more read this article: A Backup is not an Archive … but a Cloud Archive can be an Effective Backup
One of the complicating factors in extending data retention policies to Teams is that Teams creates many different data objects from its various top-level capabilities. For example, simple chat content can be divided up into three different capabilities:
Other data types within Teams include group conversations, calendar invites, voice and video calls, meeting recordings, contacts, voicemail, transcripts, and wikis.
The underlying challenge with archiving Teams data is that Teams does not have its own single storage repository within Office 365 but instead stores Teams data in several other services within Office 365.
One issue: to ensure compliant records retention, all regulated data must be captured and retained for specific periods of time. However, Teams does not allow you to apply a universal retention policy on an entire Team but instead forces you to create and apply retention policies on each data type within each separate repository. This requirement is an obvious compliance issue, especially for industries with changing regulatory requirements. To illustrate the retention policy problem, table 1 below shows where each Teams data type is stored within Office 365.
Table 1: Teams data is stored in different repositories depending on the content type. (Table taken from Microsoft article: "Location of data in Microsoft Teams")
This dispersed Teams data storage schema can become a real challenge for the Financial Services (FinServ) industry. For example, SEC Rule 17 requires that all broker/dealer-related data (communications and related files) be captured in a way that guarantees the file is a complete copy of the original and has not been altered, is serialized, is stored in two different geographic locations, and is stored on immutable storage – WORM.
As you can imagine, FinServ compliance and IT departments have been scrambling to ensure their use of the Teams application is compliant.
When a Team is no longer needed, a Team owner can delete it. When a Team is deleted, it disappears from the Teams client and is no longer available to end users. The various data objects in the deleted Team are automatically deleted at the same time, but they are retained on the backend of Office 365 for 30 days and are recoverable at any time before the 30-day period ends. After 30 days, the Team and its associated data are permanently deleted. A safer practice is to archive the Team instead.
Microsoft has made Teams archiving available to individual Team owners. But unlike a live archiving capability such as a live journaling feed from an email box to an email archive, the archived Team is a snapshot in time, meaning that when archived, all activity in that specific Team is frozen and made "read-only," including all uploaded/shared files. This makes sense in that the Team owner is designating the Team as no longer needed, though they may still want to retain the data for regulatory, legal, or business purposes. As I mentioned in the previous section, archived Teams groups can have retention policies applied to them, but because Teams utilizes several Office 365 applications, Teams retention policies will need to be set in each of the separate Office 365 apps.
Although the archived Team is discoverable through the Office 365 Compliance Center search and could be used in an eDiscovery case, content within the Team is not guaranteed to be retained for a specific period of time since the Team can technically be restored or deleted at any point by the Team owner – an obvious litigation hold issue.
eDiscovery is the process in which electronically stored information (ESI) is sought, secured (legal hold), reviewed, and turned over to opposing counsel with the intent of using it as evidence in a civil or criminal legal case. In the U.S., the eDiscovery process is represented by the Electronic Discovery Reference Model (EDRM) and the Federal Rules of Civil Procedure (FRCP). Responding to an eDiscovery request fully and in a timely manner is an absolute responsibility for any organization, under the U.S. legal system. Failure to respond in the appropriate manner can result in loss of case, fines, having to pay the cost of opposing counsel, loss of professional designation (J.D.), and in limited circumstances, jail time. As I mentioned in the opening of this blog, all relevant data is potentially discoverable no matter where it is stored, including all metadata.
Obviously, this means Teams data (and all metadata) is not exempt from an eDiscovery request, which means that companies across all industries that have incorporated Teams into their remote workforce must be able to capture and secure all Teams data in a legally defensible manner when litigation is anticipated.
How would your organization find and secure potentially responsive Teams data of select custodians if needed? The obvious answer is "with difficulty." And could you guarantee that all relevant Teams data would be found and placed on a litigation hold? The truthful answer: maybe not.
In fact, Teams has a somewhat complicated persona when dealing with litigation hold and eDiscovery. To begin with, not all Teams content is discoverable from within Office 365. All Teams 1:1 or group chats are saved (journaled) through to the respective users' mailboxes and are therefore discoverable. All standard channel messages are journaled through to the group mailbox representing the Team. Files uploaded in standard channels are covered under the eDiscovery functionality for SharePoint Online and OneDrive for Business. eDiscovery of messages and files in private channels works differently than in standard channels. Additionally, placing a user on hold does not automatically place a group on hold or vice-versa.
Teams chat messages
|Private channel messages||
|Emojis, GIFs, stickers||Timestamp showing when a message was read by each user|
(likes, hearts, and so on)
|Edited messages||If the user is on hold, previous versions of edited messages are preserved.|
|Quoted content is searchable. However, search results don't indicate that the content was quoted.|
Name of channel
When eDiscovery is run from the Microsoft Compliance Center, Teams data will appear as IM or Conversations in the Excel eDiscovery export output. Administrators can use an eDiscovery case to create holds to preserve content that might be relevant to a given case. You can place a hold on the mailboxes and sites that are associated with Microsoft Teams or Yammer Groups. When you place content locations on hold, content is held until you remove the hold from the content location or until you delete the hold.
One issue to be aware of: after you place a content location on hold, it can take up to 24 hours for the hold to take effect, which leaves a window for inadvertent data spoliation.
So, what is the answer to these Teams regulatory and eDiscovery challenges?
Because Teams stores data across several applications in Office 365, placing a litigation hold and reviewing data across Teams repositories can be complex, risky, and time-consuming because it involves manual processes. To simplify the process and ensure compliance with regulatory and eDiscovery requirements, companies should look to consolidate their journaled Teams data streams into a central archive ensuring data management, search, placement of litigation hold, review, and production can be quick and compliant.
Moreover, an essential capability for compliant Teams regulatory response and eDiscovery review is the ability to capture Teams content in context. Specifically, the ability to capture and review not just an individual chat conversation or uploaded piece of content, but entire conversation threads, with all data objects, within complete timelines. Only this form of Teams archiving will ensure that the true meaning of the conversation and any Teams object posts can be accurately viewed, and the meaning easily determined. For organizations looking to implement a third-party Teams archiving solution, beware that some Teams archiving applications are unable to capture and manage all Teams data and only capture the chat function.
Again, in litigation, all data is potentially subject to litigation hold and eDiscovery, so the data objects in table 1 that are not discoverable pose a liability for the organization responding to an eDiscovery requirement. In the case of standard Teams discovery, a technologically savvy attorney could zero in on those Teams data objects they know would not show up in a discovery search and file a complaint with the judge for incomplete eDiscovery.
A consolidated Teams archive ensures that instead of needing to search six or seven different Office 365 storage locations, the Teams archive application will provide a single dashboard for searching, securing, and reviewing Teams content for regulatory compliance and eDiscovery.
As you can see from the current discussion, Microsoft Teams is an extremely productive collaboration tool but introduces a high level of complexity to those organizations that are subject to regulatory retention requirements or litigation.
To ease Teams archiving while reducing risk around compliance and eDiscovery processes, employing a complete, stand-alone Teams archiving application - that can archive and manage all Teams data - is the only way to go.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.