Why Don’t You Have a Retention Policy In Place Yet?
By Alex Fields
Most SMBs I consult with have never configured a retention policy, or indeed, they are not even aware of the retention capabilities in Microsoft 365. In general, Information Governance is one of those areas that simply does not get the attention that it deserves, especially in the small business market.
But this is not something which should be ignored. In fact, I can name three big reasons why you should care about information governance and implementing a proper retention strategy:
- You may be required to comply with laws related to certain types of information (e.g., PII, ePHI, PCI, etc.). If not today, probably someday soon.
- You may want to reduce your overall risk in the event of litigation or a security breach by permanently deleting content that you are no longer required to keep.
- By removing data that no longer serves the business, you can reduce clutter and improve search results, making it easier to find the most current and relevant information.
Therefore, every business can benefit from some basic information governance.
If you are like most of my customers, then even once you acknowledge the need for a retention strategy, you still have no idea where to start. And unfortunately, there is no simple script or best practices guidance which is universally applicable to every business; it depends on the laws and regulations to which the organization is subject, plus there may be internal considerations as well.
To begin, I suggest that you narrow down your focus to answering just one question for your organization: How long should we keep email data?
Addressing Compliance Concerns
Many businesses these days are required to preserve at least some email records. Here in the U.S., requirements vary greatly depending on your industry. For example, orgs regulated by the Financial Industry Regulatory Authority (FINRA) have to comply with many different rules and requirements, including SEC rule 17a-4(f) as well as FINRA rule 4511(c). If your business falls under this umbrella, then you may be keeping email records for up to six years!
While larger enterprises can have extremely complicated compliance requirements across different business units and various record types, in the small business the story is quite different. There, you may run a slight risk of “over-protecting” some record types even as you comply with the laws regulating the types that matter most. But it is not usually possible to get super granular and manage every individual piece of data in this market segment: the SMB simply does not have the resources or budget to attend to that level of detail. Therefore, we normally create a single blanket policy for the organization as a whole which matches its broadest criteria or requirement for compliance.
The legal liability angle
But even if you are not subject to specific compliance requirements by law, many organizations will choose to implement a minimum retention period anyway, if for no other reason than to gain the benefit of features like Inactive mailboxes (which allow you to either restore or recover deleted mailboxes within the retention period), and also to limit liability in the case of a breach event or litigation.
In fact, email records are probably the number one type of electronic record that is regularly subpoenaed for litigation today. Speak with any attorney on this subject, and they will likely agree: historical email data is toxic to an organization. Not because organizations necessarily have things to hide, but simply because there is so much information in email which could potentially become damaging in a litigation scenario (plus it is more expensive to pay attorneys to pore over larger volumes of email records).
Small business owners will often say stuff to me like: “Well, I run my business 100% above board, so why wouldn’t I preserve all my information so that I can prove myself innocent in court if necessary?”
No offense to you if something like the above was your first instinct, but this is a very naïve position. Generally speaking, this isn’t how lawyers think. When you get sued, the plaintiff’s attorney is not interested in finding out if you’re one of the “good guys.” Their goal is to get money for their client. And they do not care if they have to take words out of context or twist and manipulate the facts to tell their own version of a story in order to sway a judge or a jury.
Consult with your own legal counsel, of course, but usually I find they will advise you to keep as little email data as possible (just to be clear, do not let this statement stand in for getting your own legal advice). I am just reporting from my experience the path many others have taken: after you determine how long your business is required to keep email data, then generally you will eliminate everything else.
Limitations and supplements
A retention policy is very simple; we can use it to do one or both of the following (based on date created or last modified):
- We can choose to retain information (which means it cannot be permanently deleted during the retention timeframe) and/or
- We can choose to permanently delete information after the specified time period
When it comes to email, we are usually aiming to accomplish both goals: retain items for a desired period of time (as required by law for example), and then automatically delete those items at the end of that period. This gives us assurances that any items deleted (even accidentally) can be recovered during the retention period using eDiscovery or a simple Content search. And it works in the other direction too: we have assurances that items which have passed the retention period can no longer be discovered or restored.
When a policy targets Exchange Online mailboxes, it has the power to preserve and/or delete the following mailbox items:
- Mail messages with any attachments
- Tasks when they have an end date
- Calendar items that have an end date
On the other hand, retention policies targeting mailboxes will not cover:
- Tasks that don’t have an end date
- Calendar items that don’t have an end date
- Other items stored in a mailbox, such as Skype/Teams messages (which can be targeted with their own retention policy)
In case it is not already obvious from what we have discussed thus far, a retention policy is not a backup. While recovery or eDiscovery is possible during the retention period for stuff like email messages (useful for subpoena requests or individual item restore), it would not be possible to restore an entire mailbox back to a specific point in time, for example. So be careful not to think about this as a backup. It’s not; it is for regulatory and compliance purposes only (and it enables the Inactive mailboxes feature too).
Now, for those of you who are already familiar with the “legacy” retention policies available in Exchange Server and Exchange Online (a.k.a. MRM policies), you will notice that we have a few missing capabilities here. For example, the ability to move items to archive (if you have that feature enabled). I encourage you to read this article by Tony Redmond for more details about that. Basically, you can still maintain an MRM policy to fill these gaps if your organization has those kinds of requirements, and still replace most of the older retention tags with the newer Microsoft 365 retention labels and policies. But in my experience, most small businesses aren’t really leveraging retention to begin with, so they are better off moving right to the newer retention capabilities via the Microsoft 365 compliance center.
One more note: retention policies are similar to, but different from, litigation hold. In the event of litigation, you may still want to place certain mailboxes on litigation hold (or deploy a secondary policy scoped to the mailboxes of interest), even if they are already covered by a general company-wide policy. For example, if the litigation lasts for several months or even years, a policy will continue to enforce permanent deletions during that period each and every day, whereas a litigation hold placed against a specific mailbox or mailboxes will override the more general policy and prevent those deletions from being processed for the duration of the hold. Therefore, the two are not mutually exclusive, and can still be used together.
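As an added example (not from the original post), here is the PowerShell that builds the blanket “retain, then delete” email policy described above using the six-year figure from the FINRA discussion, verifies it, and then places a litigation hold on one mailbox so that the hold overrides the policy’s deletions for the duration of a case. The policy and rule names, the 365-day year (6 × 365 = 2190 days) and the custodian address are assumptions.

```powershell
# Added example, not the author's code. Assumes the ExchangeOnlineManagement
# module is installed, the policy/rule names below, 365-day years
# (6 x 365 = 2190 days), and a placeholder mailbox address.

# Retention policies are managed from Security & Compliance PowerShell.
Connect-IPPSSession

$policyName = "Email Retention - 6 Years"

# 1. The policy defines WHERE it applies: every Exchange Online mailbox.
New-RetentionCompliancePolicy -Name $policyName `
    -Comment "Blanket email retention; six years per broadest requirement" `
    -ExchangeLocation All `
    -Enabled $true

# 2. The rule defines WHAT happens: retain (no permanent deletion possible),
#    then delete once an item is 2190 days old, measured from its creation date.
New-RetentionComplianceRule -Name "$policyName - Rule" `
    -Policy $policyName `
    -RetentionComplianceAction KeepAndDelete `
    -RetentionDuration 2190 `
    -ExpirationDateOption CreationAgeInDays

# 3. Verify the policy is enabled and has been distributed to the workload.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, DistributionStatus, ExchangeLocation
Get-RetentionComplianceRule -Policy $policyName |
    Format-List Name, RetentionComplianceAction, RetentionDuration, ExpirationDateOption

# 4. Litigation hold is set in Exchange Online PowerShell. Placing it on the
#    mailbox of interest suspends the policy's deletions for that mailbox until
#    the hold is removed; the company-wide policy keeps running everywhere else.
Connect-ExchangeOnline
$custodian = "custodian@example.com"   # placeholder, not a real mailbox
Set-Mailbox -Identity $custodian -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited
Get-Mailbox -Identity $custodian |
    Format-List DisplayName, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldDuration
```

Swap `CreationAgeInDays` for `ModificationAgeInDays` if your counsel wants the clock to start at last modification rather than creation, and adjust `-RetentionDuration` to the period your own requirement dictates.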
Too often I see one of two scenarios in the small business space, and both of them are what I call very bad ideas:
- Ignoring email retention completely
- Implementing an infinite retention or litigation hold against all mailboxes
Both of these approaches will leave your organization open to unnecessary risk. Instead, take my advice: consult with your legal counsel and design a simple email retention policy to meet your needs. It does not take long to get this done. At the same time, you may still want to consider a third-party backup solution that sits beyond Microsoft’s retention capabilities, and even enable litigation hold when a particular situation calls for it. Hopefully this article cleared up some of the confusion I often see around these various technologies.
Now, dealing with documents and other datasets is another story for another day. But if I could ask every organization out there to solve just one piece of this larger puzzle right away, it would be this. And remember: even if there are no explicit regulations or requirements you have to meet, then you should still plan to write your own internal policy to cover general data protection and liability concerns.
For more specific guidance on creating retention policies, as well as other data protection measures that you should be considering in the small and mid-sized business space, see my Data Protection Toolkit, as well as my courses on Data Retention and Sensitivity labels in Microsoft 365.