To achieve accurate retention and eDiscovery in Office 365, legacy ‘single-instanced’ email journals (either from on-prem Exchange or cloud platforms such as Mimecast) should ideally be mapped into the new, multi-instanced Microsoft model.
The process of ‘exploding’ a single-instanced email into all the respective custodians’ mailboxes (which will include many leavers) can, however, take some while to achieve, especially if you have very large journals.
One simpler approach to moving journals into Office 365 is to migrate their contents into multiple shared mailboxes.
You can do this, as long as you bear in mind the following caveats:
1. IT COULD BE BREAKING MICROSOFT’S LICENSING RULES
At the time of writing, Microsoft’s stance on using shared mailboxes as a way to retain journals is unclear. See https://learn.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits
In the Notes on this page, Microsoft states that “an IT administrator can’t create a shared mailbox and have users copy it (through the Cc or Bcc field, or through a transport rule) for the explicit purpose of archiving.” They also state that “using an In-Place Archive as a means to store mail from multiple users or entities is prohibited”.
We therefore suggest you seek explicit permission from Microsoft if you take this approach.
2. YOU RISK INCOMPLETE & COMPLEX eDISCOVERY
The best-practice approach to eDiscovery is to start by quickly gathering all potentially responsive content. In Office 365 this would typically involve selecting the mailboxes that relate to the individual(s) under investigation, and putting these on hold (if not already) for further investigation.
Searches might then be refined based on metadata such as date, TO, FROM etc, before drilling into actual content. This approach has the advantage of saving significant time in comparison to conducting a full content search from the outset.
- Bearing in mind that searches may be carried out by Compliance Officers, HR personnel, etc., who may not be aware of this ‘workaround’, it’s easy to see how legacy ‘shared’ journal mailboxes may be inadvertently excluded from an investigation. This risks massively incomplete results.
- It’s likely you’ll have no way of knowing whose emails are stored in which shared mailboxes. At best you may have a rough idea of ‘date range’. You may therefore need to include all shared folders in the relevant stages of your eDiscovery process, which will increase search times.
- If BCC and DL metadata is not properly preserved and is only available via a content-level search, vital evidence may be excluded from the initial search phase (see above).
3. YOUR EMAIL RECORDS WILL BE DIFFICULT TO GOVERN
If data has not been stored according to each individual custodian (which the new Office 365 model allows), it becomes difficult to apply policies for records management on anything other than date. This means you may need to apply a blanket ‘longest retention date’ policy to shared folders – regardless of user role or department. This risks retaining data longer than you need to.
We are seeing organisations experience other problems as a consequence of using the shared mailbox approach. For example, in the event of a divestiture, it is not uncommon for users’ data to be separated according to present (and past) employees as different operational units break away.
Using shared mailboxes makes this challenging, to say the least!
Whichever route you take when migrating your journals to Office 365, there are two overarching factors to consider, owing to the journals’ sensitive nature and their size: they must be moved with care and with speed.