Originally published April 22, 2020 and updated 5/19/2020, This blog has been revised for 2023. The original topic of the blog remains the same: companies should be aware of the full ramifications of archiving and discovering Teams content and plan accordingly to ensure full compliance with regulatory as well as eDiscovery requirements.
With the onset of the global shift to remote work in 2020, many workers found themselves working from home for the first time. During this period, staying in touch with fellow employees and workgroups, as well as customers, proved to be challenging. Consequently, organizations aggressively adopted collaboration apps such as Zoom, Slack, Meet, GoToMeeting, WebEx, Jabber, and Microsoft Teams to help their newly remote workforce maintain communication and productivity.
For instance, in 2020, it was reported that Microsoft saw a surge in Teams users from 32 million to 44 million in a single week. As of mid-2023, Microsoft Teams has continued to grow and establish itself as one of the leading collaboration platforms, with over 250 million monthly active users.
Owing to the heavy reliance on Microsoft's Microsoft 365 platform by numerous companies for day-to-day operations, it was a logical step for Microsoft-centric organizations to adopt Teams for seamless communication and collaboration during the remote work era.
While the initial emphasis was on ensuring the safety and productivity of the workforce, organizations had to contend with the implications of rapid adoption of new applications on their regulatory, compliance, and litigation obligations concerning data retention and management. This concern is ever-present, particularly as hybrid work models have become a mainstay in the modern workspace.
It is essential to understand that all data – including data generated by Teams - is potentially discoverable in litigation. Organizations that are subject to government regulatory data retention requirements such as SEC Rule 17, FINRA, and MiFID II, need to strategize on archiving Teams content compliantly. Moreover, organizations governed by HIPAA must institute appropriate policies to safeguard confidential patient information shared via Teams. In essence, if your organization is subject to any regulatory data retention or privacy mandates, or if you have internal data governance policies, you must implement measures that encompass Teams usage. [Read the SEC's FAQs on Rule 17a-4 ]
The need to Backup Teams vs the need to Archive…Historically, organizations have treated backup and archiving as separate processes. The backup process was originally created for disaster recovery. Backing up is the process of making a copy of operating systems and data resident on servers and storage repositories for the purpose of restoring the entire system (OS and data) to the affected server in the event of system issues. For example, an email server becomes corrupted, and the server OS, email application, and messages store needs to be restored as soon as possible. The biggest problem with backups is that data that can be lost between backup cycles (usually 24 hours). In the email server example, the email sent and received between backups is permanently lost when the email server is restored using the last backup data set– also referred to as the recovery point objective (RPO). The backup is usually performed utilizing a backup application that creates its own custom-formatted data container – meaning it is very difficult to search for and act on specific files in a backup file. In reality, the backup must be fully restored to the server to search and act on specific files. On the other hand, the archiving process stores a single copy of individual files for long-term storage and management for legal, regulatory, and business reasons. A key distinction here is that individually archived data, if stored in its native format, is easier to search for and act on. Even today, some organizations continue to rely on backups as a substitute for low-cost archives. While the cost of backup storage has continued to fall, finding and restoring these individual files can be extremely slow and expensive. For example, the estimated cost to restore, search, delete PI, and create a new backup tape can range between $1,000 and $3,000 per tape. Imagine how many of your organization’s backup tapes contain a particular data subject's PI… To learn more read this article: A Backup is not an Archive … but a Cloud Archive can be an Effective Backup |
A notable challenge in extending data retention policies to Teams is that Teams generates a plethora of data objects through its various functionalities. For example, even simple chat content can be categorized into three distinct capabilities:
Additionally, Teams hosts a variety of data types including group conversations, calendar invites, voice and video calls, meeting recordings, contacts, voicemail, transcripts, and wikis. More recently, Teams has introduced new features such as task assignments, breakout rooms, and polls.
A critical aspect to consider is that Teams does not possess a singular storage repository within Microsoft 365. Instead, it saves data across multiple services within the platform. This multifaceted storage system can complicate data management.
As Microsoft Teams continues to evolve, it has brought forth new methods for managing and archiving data, streamlining processes for IT professionals. Nonetheless, staying informed of these changes and adjusting data management strategies accordingly is paramount.
One point of contention is that Teams does not facilitate the application of a universal retention policy across an entire Team. Instead, it necessitates the creation and application of retention policies for each data type within each separate repository. This stipulation posed a significant compliance challenge, particularly for sectors with fluctuating regulatory requirements. It is important to note that Microsoft has been actively working to improve and simplify compliance processes within Teams, and organizations are advised to regularly monitor updates and best practices in this area.
This dispersed Teams data storage schema can become a real challenge for the Financial Services (FinServ) industry. For example, SEC Rule 17 requires that all broker/dealer-related data (communications and related files) be captured in a way that guarantees the file is a complete copy of the original and has not been altered, is serialized, is stored in two different geographic locations, and is stored on immutable storage – WORM (Write Once, Read Many). [read our blog on Azure WORM storage here]
As you can imagine, FinServ compliance and IT departments have been scrambling to ensure their use of the Teams application is compliant.