Avoid this Data Preservation Mishap During COVID-19 Staff Reductions
When a litigation or investigation is on the horizon, potentially relevant data cannot be deleted. While utilizing technology to retain data systematically can prevent spoliation and the potentially severe consequences that come with it—such as monetary fines, adverse inferences, or forfeit of the case—improper application of data preservation technologies as it relates to departed employees’ accounts is the number one mistake made by IT and legal departments after an employee leaves an organization.
New realities due to layoffs and furloughs
Preserving data in its native location is not a new concept, but it is now top of mind among the unfortunate realities in today’s COVID-19 world. The business interruptions from the global pandemic have caused an unprecedented increase in layoffs and furloughs. Many who lose their employment may be subject to legal holds, an investigation, or they may own data subject to regulatory requirements. While these holds may not be the first consideration in this situation, they cannot be overlooked. The data still needs to be retained, especially as data is deleted per a human resource, IT, or other existing protocol.
Today’s most popular productivity application is Microsoft 365. The application has out-of-the-box preservation technology for these scenarios built in but many organizations are uncertain or unaware of how to use these capabilities, especially for employees that leave the organization.
Built-in solutions and considerations within Microsoft 365
In Exchange Online, the platform within Microsoft 365 which enables access to email through Microsoft Outlook, are two built-in preservation capabilities: Litigation Hold and eDiscovery Hold.
|Litigation Hold (LitigationHoldEnabled)
||eDiscovery Hold (InPlaceHolds)
|Created in Exchange Online (available in Exchange on premise since Exchange 2010)
||Created in Compliance Center (or legacy Security and Compliance Center)
|True or False, retains all content or no content only
||Allows for filter criteria by data range, keyword, etc.
|Custodian centric holds
||Allows for holds to be created per matter
A major benefit to eDiscovery Hold is the ability to manage by matter instead of by custodian which allows for cases and holds to be dispositioned through the normal lifecycle of a case without needing to reference if a custodian’s mailbox should be on hold for other matters. If either of these hold functionalities are used, any content that is deleted or edited by user action or altered by a systematic retention policy remains stored in a dedicated folder invisible to the end user titled “Recoverable Items.” Items subject to Litigation Hold are then placed in a subfolder, “Purges”, with items that are subject to eDiscovery Hold placed into a subfolder named “DiscoveryHolds.” The content is retained within these folders until the hold is removed and a system process runs to purge that content. If either of these hold methodologies are utilized, it will ensure that data which was put on hold is not destroyed. A graphic depiction can be found below:
If a mailbox has either of these hold types applied, an employee’s account data will be retained even after an employee’s account is disabled or deleted. However, there are some caveats to note. In Microsoft 365, there is a function called “Inactive Mailboxes” which is essentially a mailbox that has a hold on it, but already has its associated account disabled or deleted. When a user’s account is disabled or deleted, the mailbox is “SoftDeleted” in accordance with its associated retention period and the mailbox is put into a 30-day (depending on settings) retention queue where it can be recovered. After 30 days, the mailbox is purged permanently, unless it has a hold (or retention policy) applied to it. If it does have a hold, it is made inactive. Mailboxes in an inactive state, but still licensed, are available to search and place on future holds. In the user interface of the built in eDiscovery tools, the mailbox will clearly state it is an Inactive Mailbox and the email address will have a prefix of a period.
It is important to understand that a mailbox that has a Litigation Hold or eDiscovery Hold applied to it cannot simply be unlicensed when an employee departs. If that occurs, the mailbox will be “tombstoned”, which means it will be unable to be found in the Microsoft 365 Security and Compliance interface or with command line queries. While it is possible to retrieve the mailbox from a tombstoned state in some instances, this situation should be avoided. For this reason, user accounts on hold should never become completely unlicensed when on hold. The minimum license requirement to use hold functionality on a mailbox is Exchange Plan 2 or an E3/G3 license. A process diagram can be found below:
There are similar functions for Yammer, OneDrive, SharePoint, and Teams content which allows data to be preserved for the duration of a legal hold, even if the user that created the data is no longer employed at the organization. If this technology is used properly, it can significantly reduce risk of inadvertent spoliation by preventing users actively using their email from accidentally purging potentially relevant material. The technology can ensure that automatic retention policies do not purge data that is on hold and can prevent entire mailboxes from being deleted.
Legal and IT teams need to effectively collaborate to examine current technology-based hold requirements and settings to ensure all necessary data is kept and is being retained. Routine data preservation requirements checks are paramount to a sound process and are especially important as employees leave an organization. While this technology may already be available within your infrastructure, having a third-party expert work with you to create policies and procedures to guarantee the tools are working correctly—and to the satisfaction of your legal team’s eDiscovery needs—can help you avoid this top data preservation mistake as well as save a lot of time, aggravation, and potential sanctions down the road.
Jon Kessler is senior director of information governance services for Epiq, where he leads service delivery, project management, and product development within the North American information governance practice.