Office 365 Data Protection: Part 2 – Litigation Hold

by Matt McDermott on November 7, 2018

In Part 1 of this two-part series, we discussed how you need to rely on more than the default retention times for Office 365 to fully protect your data from accidental deletion. In Part 2, we’ll discuss if Exchange Online Litigation Hold and In-Place Hold are good-enough data protection solutions for Office 365, or if your organization may need something purpose-built for Office 365 backup and restore.

Does Microsoft protect against human error or malicious acts?

We know that users will accidentally or maliciously delete data from their Office 365 Mailboxes. In the TechNet article, Microsoft clearly states that “point in time restoration of mailbox items is out of the scope of the Exchange service.” The same risks for data loss due to accidental or malicious deletions apply to SharePoint content associated in Sites, OneDrive, Groups, and Teams, and we will cover those risks in Part 3 of this series.

What does Microsoft recommend?

You might choose to follow Microsoft’s recommendation and implement their built-in preservation or time-based In-Place Holds or Litigation Hold for email data protection (Litigation Hold introduced in Exchange 2010, In-Place Hold introduced in 2013). Litigation Hold preserves all email, and In-Place Holds preserve data based on specific parameters set by an admin. But using these preservation holds for data recovery might not be the best approach, and In-Place Hold is not currently available for Office 365.

Sponsorships Available

What should you consider when evaluating whether to use those built-in tools?

When making a decision whether or not to use Litigation Hold as a backup plan, there are basic data protection principles you should keep in mind:

Litigation Hold is a business process. The business, with input from the legal team, should define the policy for legal holds. IT is responsible for implementing that vision with a technical solution like Litigation Hold. IT should not make the decision to put all users on Litigation Hold without the input of the organization’s legal team. If every email for every user is on hold, retention policies will not properly dispose of content on the schedules defined by the business. This could introduce a liability to your organization because content that should have been destroyed on schedule will be discoverable in legal proceedings. Further, putting every user on Litigation Hold may make it harder for your legal team to search for mail items needed to answer a true legal request for information.

In-Place Holds aren’t supported for Office 365 as of July 2018. Microsoft recommends using eDiscovery cases or retention policies in the Office 365 Security & Compliance Center for legal holds and eDiscovery. Although you can use these features to preserve your organization’s data, will you be able to rapidly and efficiently restore your data?

Use the correct tool for the job
Backup software has a different purpose than Litigation Hold or archive software. Backup software makes a copy of production data and keeps it available so that the copy can be rapidly returned to production if it is needed. Litigation Hold is a business process, and using it for an entire organization will add overexposure and legal discovery risk. Archive software provides long-term data retention for data that is no longer actively used.

Microsoft’s Security and Compliance Center is designed for organizations to meet the demands of litigation and legal compliance. While it may be what your organization needs to meet legal compliance, if you need to rapidly restore data that is lost due to accident or intention, choose the right tool for the job — third-party backup and recovery software.

Consider the time needed for restore.
It’s not easy to restore data from Litigation Hold. Watch below where we try to recover email from Litigation Hold following Microsoft’s instructions. In the video, we only restore a few emails and it took us over 15 minutes. How long would it take if you had to restore an entire user’s account?

Consider the loss of folder structure, and its impact on your users.
Restoring mail from Litigation Hold doesn’t preserve folder structure. Can you deal with the user pushback when you restore all of their mail into their inbox without any of their organization?

Consider your RTO, your SLA to the organization, and audits.
What is your current RTO for restoring critical emails and documents? Are you sure this restore process will allow you to meet your current SLA? Will the processes you follow to restore lost data to a user stand up under an auditor’s scrutiny? Does your team regularly practice the steps necessary to respond to end user data restoration requests?

Consider, and never underestimate, insider threats.
The wrong person with the right credentials can wreak havoc in your Office 365 tenant. Legal hold can be turned-off, retention periods can be set to zero days, and your email can be erased at compute speed. This is the biggest threat to your data.

Don’t suffer from using the wrong tool for the job when you need to rapidly restore Mail or documents back into production. Check out how quickly you can restore data with Spanning Backup for Office 365.