When a litigation or investigation is on the horizon, potentially relevant data cannot be deleted.  While utilizing technology to retain data systematically can prevent spoliation and the potentially severe consequences that come with it—such as monetary fines, adverse inferences, or forfeit of the case—improper application of data preservation technologies as it relates to departed employees’ accounts is the number one mistake made by IT and legal departments after an employee leaves an organization.

New realities due to employment mobility

Preserving data in its native location is not a new concept, but it is now top of mind among the unfortunate realities in today’s world.  Amongst typical churn of staffing, the business interruptions from the global pandemic and increased employment mobility have caused an unprecedented increase in change of employment.  Many who leave their employer may be subject to legal holds, an investigation, or they may own data subject to regulatory requirements.  While these holds may not be the first consideration in this situation, they cannot be overlooked. The data still needs to be retained, especially as data is deleted per a human resource, IT, or other existing protocol.

Today’s most popular productivity application is Microsoft 365. The application has out-of-the-box preservation technology for these scenarios built-in but many organizations are uncertain or unaware of how to use these capabilities, especially for employees that leave the organization.

Built-in solutions and considerations within Microsoft 365

There are three preservation capabilities that exist that allow you to retain employees email within Exchange Online, the platform within Microsoft 365 which enables access to email through Microsoft Outlook. One of the options, Litigation Hold is managed through Exchange Online, the other two options, eDiscovery Case Hold policies and Retention policies are managed through the Microsoft Compliance Center.

A major benefit to eDiscovery Hold in a Core or Advanced eDiscovery case is the ability to manage by matter instead of by custodian which allows for cases and holds to be dispositioned through the normal lifecycle of a case without needing to reference if a custodian’s mailbox should be on hold for other matters. If any of these preservation functionalities above are used, any content that is deleted or edited by user action or altered by a systematic retention policy remains stored in a dedicated folder invisible to the end user titled “Recoverable Items.” Items subject to Litigation Hold are then placed in a subfolder, “Purges”, with items that are subject to eDiscovery Hold or a Retention policy placed into a subfolder named “DiscoveryHolds.”  The content is retained within these folders until the expiration period of any retention policies have been met and all holds have been removed and a system process runs to purge that content. If either the Litigation Hold or eDiscovery Hold methodologies are utilized, it will ensure that data which was put on hold is not destroyed even if a retention policy was in place and the content is expired. A graphic depiction can be found below:

If a mailbox has one of these preservation types applied, an employee’s account data will be retained even after an employee’s account is disabled or deleted.  However, there are some caveats to note.  In Microsoft 365, there is a function called “Inactive Mailboxes” which is essentially a mailbox that has a hold on it, but already has its associated account disabled or deleted.  When a user’s account is disabled or deleted, the mailbox is “SoftDeleted” in accordance with its associated retention period and the mailbox is put into a 30-day (depending on settings) retention queue where it can be recovered.  After 30 days, the mailbox is purged permanently, unless it has a hold (or retention policy) applied to it.  If it does have a hold (or retention policy), it is made inactive. Mailboxes in an inactive state are available to search and place on future holds. In the user interface of the built in eDiscovery tools, the mailbox will clearly state it is an Inactive Mailbox and the email address will have a prefix of a period.

Once an account has been deleted the license for that account will be released, however the inactive mailbox will remain in place as long as the hold or a retention policy applies to the content within the mailbox.

It is important to understand that a mailbox that has an eDiscovery Hold applied to it cannot simply be unlicensed when an employee departs.  If that occurs, the mailbox will be “tombstoned”, which means it will be unable to be found in the Microsoft 365 Security and Compliance interface or with command line queries. Ensuring the steps are taken in the right order is prudent to avoid data loss.

The minimum license requirement to use hold functionality on a mailbox is Exchange Plan 2 or an E3/G3 license. A process diagram can be found below:

There are similar functions for Yammer, OneDrive, SharePoint, and Teams content which allows data to be preserved for the duration of a legal hold or through a retention policy, even if the user that created the data is no longer employed at the organization.  If this technology is used properly, it can significantly reduce risk of inadvertent spoliation by preventing users actively using their email from accidentally purging potentially relevant material. The technology can ensure that automatic retention policies do not purge data that is on hold and can prevent entire mailboxes from being deleted.

Strengthening capabilities

Legal and IT teams need to effectively collaborate to examine current technology-based hold requirements and settings to ensure all necessary data is kept and is being retained. Routine data preservation requirements checks are paramount to a sound process and are especially important as employees leave an organization.  While this technology may already be available within your infrastructure, having a third-party expert work with you to create policies and procedures to guarantee the tools are working correctly—and to the satisfaction of your legal team’s eDiscovery needs—can help you avoid this top data preservation mistake as well as save a lot of time, aggravation, and potential sanctions down the road. 

By Jon Kessler, who is senior director of information governance services for Epiq, leads service delivery, project management, and product development within the North American information governance practice.