Data retention policies and litigation hold in Office 365
What’s the difference and why do we need both?
When it comes to preventing the unlawful or unauthorised deletion, alteration or loss of data, organisations using Microsoft Office 365 have two native tools at their disposal: retention policies and litigation hold. These tools may seem similar on the surface, but they fulfil very different roles within a data protection strategy. Understanding those differences, along with the interaction between retention policies and litigation hold, is essential for reducing risk in the event of litigation or security breaches and for complying with regulations like GDPR.
To that end, let’s take a look at what data retention policies and litigation hold are designed to do, and how they can act as a one-two punch to minimise your organisation’s risk exposure.
What are data retention policies?
Data retention policies are rules within Microsoft Office 365 that are set in place to prevent accidental or malicious deletion or alteration of important data. These policies, which operate undetected in the background of daily operations, vary widely between organisations depending on their risk profiles, regulatory environments and internal company policies.
How do they work?
Essentially, retention policies protect data against erasure or alteration by storing a secure backup copy in a ‘safe space’ for a predefined period of time when the original is either deleted or amended. The latest content remains available in place to be edited or worked with as usual. The secure backup copy is simply preserved as it was the moment it was either deleted or amended.
Data retention policies must be legally justifiable and are facilitated by the following:
Identification, classification and labelling of data
Because different types of data need to be stored for different periods of time (or not at all) depending on where they fit into your business strategy, regulatory environment or risk profile, you’ll likely need more than one retention policy to cover your bases. This makes a well thought-out (and preferably automated) data identification, classification and labelling process essential to ensure the right policy is applied to the right data.
Without this in place, you could end up holding onto data longer than required (and exposing yourself to unnecessary risk) or deleting data before the end of its useful life (particularly problematic in the case of potential legal claims).
Unless a user attempts to edit or delete content protected by a retention policy, that content will remain in place, unchanged, for the specified retention period. The moment an amendment or deletion is attempted, however, the original will be set aside and secured in your Recoverable Items folder (for Exchange workloads) or the Preservation Hold library (for SharePoint, Teams and OneDrive). It’ll stay here until it ages out of the applicable retention period. This could be anything from a few months to several decades.
Disposition is a frequently overlooked part of data retention policies and refers to what happens after an item ages out of its applicable retention period. Options include:
- Automatic deletion: This deletes anything and everything that ages out of a retention policy.
- Flag data for review: This enables administrators to manually review aged-out data to assess whether it would be more prudent to delete or retain it further.
- Retain data without protection: This leaves the previously protected data in place and allows it to be deleted, edited or otherwise disposed of naturally.
In our experience, there are significant risks involved in both the automatic deletion and indefinite retention options. The former leaves organisations potentially unprotected in the event of litigation, and the latter means greater risk exposure to claims from potential data breaches. As such, we generally recommend reviewing all data prior to disposition if possible. (This functionality does require an E5 license though.)
What is a litigation hold?
Unlike retention policies, litigation hold is not a general-purpose data protection or preservation tool. Rather, it’s designed to ‘freeze’ only very specific data relating to imminent, pending or current legal action, thereby preventing potential spoliation of evidence.
How does it work?
A litigation hold is typically only triggered when legal or disciplinary action is imminent, and tends to be limited to very specific users, data categories and/or keyword searches. It has to be actioned manually, but will trump any applicable retention policies, protecting relevant data even if that data would ordinarily be disposed of during the litigation hold window. Once the litigation hold is lifted, the retention policy will take precedence once again, and any actions (such as automatic deletion) that should have taken place previously will be actioned immediately.
It’s important to remember, however, that litigation hold cannot preserve data retroactively. Anything altered or deleted prior to the hold being implemented will not be protected unless it has already been preserved by a pre-existing retention policy.
When (and why) do you need a combination of retention policies and litigation hold?
Both data retention policies and litigation hold have their limitations. For example, relying on a retention policy to preserve information pertaining to a legal matter could easily see important data ‘ageing out’ and being automatically disposed of during litigation. Likewise, relying solely on litigation hold to preserve data when necessary means any files or mailbox items deleted before the hold was triggered may be forever out of reach.
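The interaction described above can be traced with a small model. This is an added example, not Microsoft's implementation or code from the original article: the `Hold`, `Item` and `status` names, the dates and the one-year policy are constructed for illustration, and disposition is assumed to be automatic deletion.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Hold:
    start: date
    end: Optional[date] = None        # None = hold still in force

    def in_force(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day < self.end)

@dataclass
class Item:
    created: date
    deleted: date                     # day a user deleted or edited the original
    retention_days: Optional[int]     # None = no retention policy applies

def status(item: Item, hold: Optional[Hold], today: date) -> str:
    """Return 'lost', 'preserved' or 'disposed' for the copy of a deleted item."""
    retention_end = (item.created + timedelta(days=item.retention_days)
                     if item.retention_days is not None else None)
    by_retention = retention_end is not None and item.deleted < retention_end
    by_hold = hold is not None and hold.in_force(item.deleted)
    if not (by_retention or by_hold):
        return "lost"                 # no copy was set aside; a later hold is not retroactive
    # Day the preserved copy would age out if no hold existed.
    release = retention_end if by_retention else item.deleted
    # A hold in force on that day overrides disposal until the hold is lifted.
    if hold is not None and hold.in_force(release):
        release = hold.end            # None = held indefinitely
    return "preserved" if release is None or today < release else "disposed"

# Constructed sample data: one-year policy, hold from 2023-11-01 to 2024-06-01.
HOLD = Hold(date(2023, 11, 1), date(2024, 6, 1))
AGED = Item(date(2023, 1, 1), date(2023, 3, 1), retention_days=365)
NO_POLICY_EARLY = Item(date(2023, 1, 1), date(2023, 10, 15), retention_days=None)
NO_POLICY_LATE = Item(date(2023, 1, 1), date(2023, 12, 1), retention_days=None)

if __name__ == "__main__":
    mid_case = date(2024, 2, 1)       # a day while the hold is still in force
    print("retention only :", status(AGED, None, mid_case))
    print("retention+hold :", status(AGED, HOLD, mid_case))
    print("hold lifted    :", status(AGED, HOLD, date(2024, 6, 1)))
    print("hold only, old :", status(NO_POLICY_EARLY, HOLD, mid_case))
    print("hold only, new :", status(NO_POLICY_LATE, HOLD, mid_case))
```

The first and fourth cases are the two gaps the paragraph names: a retention-only item ages out mid-litigation, and a hold-only item deleted before the hold began is gone.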
Because of this, it’s always best to lay a solid data protection foundation using intelligent and justifiable retention policies and save litigation holds for circumstances requiring a more targeted, short-term approach. Separately, these tools are only pieces of the data protection puzzle. Together, they’re a powerful force against accidental and malicious data alteration and deletion.
Remember: retaining data comes with risks of its own – always ensure your access is secure, your classification and labelling appropriate and the right security protocols are in place to protect against breaches.
Need help defining and refining your retention policies and litigation hold requirements to comply with company policy and regulations like the GDPR? Get in touch with Cloud Essentials on firstname.lastname@example.org.