Microsoft Office 365

This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.


IT departments are typically in the driver’s seat of an organization’s migration to Microsoft Office 365 or other cloud solutions. Some organizations have faced major data breaches, regulatory investigations or large-scale litigation that serve as catalysts for auditing and updating existing processes and technology. Other organizations may not have the same pressures, but are looking to shift to cloud solutions to address budget strains or make incremental changes to systems and IT overhead. But regardless of the drivers, IT is often leading the charge.

As Office 365 adoption becomes increasingly widespread (Microsoft reports its traction among 80% of the Fortune 500), other departments, including legal and compliance, are gaining increasing exposure to migration initiatives. Legal and compliance groups have a lot to gain from features within Office 365, and face equal or greater risk if the process is not conducted in the context of strong legal and regulatory guidelines. With this exposure, many attorneys are beginning to recognize the opportunities a cloud migration brings for addressing their needs and challenges, and an increasing number are therefore showing interest in leading the charge or partnering closely with IT on these types of projects.

Understanding the benefits is an important first step toward driving or at least getting a seat at the table for a migration effort. Some of the inherent benefits and opportunities that arise during cloud migration and should be on the legal team’s radar include the following:

1. Reduce e-Discovery Costs and Streamline Processes

There is a significant monetary benefit to the e-discovery process when the organization’s data has been migrated to a single cloud environment that also provides important discovery and security fundamentals. Office 365 enables a much easier and more cost-effective approach for preserving, collecting and even reviewing data that is needed during litigation or an investigation. It removes the task of relying on outside hosting providers and the cumbersome work of collecting and moving data from numerous, disparate sources and vendors.

With all of an organization’s data in a central repository in the Microsoft ecosystem, it also becomes much more straightforward to establish sustainable retention parameters. Without a single pane of glass through which to view the data, legal and IT teams are dealing with dozens of different locations — such as file servers, Skype, email, Dropbox, etc. — where data might be stored and managed. In Office 365, that data can still fit into its different locations from a user’s viewpoint, but be managed centrally and according to retention policies that are distributed across all workflows. The capabilities to search, preserve, retain and dispose of data are automatically applied across the various places where data may live.

2. Privacy for Sensitive Data

Microsoft has made data protection a primary focus for the products within Office 365. It offers the capability to search for personally-identifiable information (PII) and other expressions of sensitive data such as credit card information and Social Security numbers. The ability to easily identify and locate PII is critical in ensuring privacy obligations are met, and administrators can then take the necessary remediation steps, by securing, encrypting and/or deleting sensitive data. In most environments today, users are exposing data across a wide range of channels, all of which are areas where information can be leaked or stolen.

Office 365 offers encryption technology to protect data, and opens a new set of compliance standards and requirements to help legal and compliance essentially put a wall around sensitive information. This is a huge win for the legal team, because it ensures obligations are met, but does not hinder day-to-day data sharing, business use and communications among employees.

3. Security and DLP

Data security is now an enterprise-wide endeavor, and is as important to legal as it is to IT and information security teams. External data breaches are rapidly evolving, and recent research from Forrester indicates that 35% of data breaches are caused (accidentally or intentionally) by internal employees. Organizations must conduct a detailed analysis, or work with outside experts, to identify the security weaknesses and gaps. Office 365 makes this process much more manageable and accessible to legal teams, as it provides a single pane of glass through which to view and proactively monitor locations where sensitive or business-critical data is located and loss is likely to occur, and subsequently put DLP protections in place.

4. Opportunity for Broader IG Discussions

Beginning an information governance program is daunting for many organizations. Questions around where to begin, who should be involved, how much will it cost and how to maintain momentum often cause projects to stall out before they even begin. A migration project serves as a compelling event or forcing function and is the prime time to leverage the executive and cross-departmental attention to data issues and raise the flag for governance with an already captive audience. The ROI can be substantial when attaching at this stage. We find this is the perfect opportunity for the legal team to make a business case for broader IG needs that may not have otherwise been given budget approval.

Similarly, Office 365 migration provides the ability to establish retention and governance over the organization’s primary unstructured data environments before or while the migration occurs. The additional effort to put these capabilities in place during the migration is insignificant when compared to what may have been required for an independent initiative.

5. Stronger Legal Hold

Office 365 affords new efficiencies around preserve-in-place and legal hold strategies. In a typical environment, when a new matter arises, the legal team is tasked with determining the details of the case, who is involved and where within the organization relevant data may reside. For a large company, that may mean locating data across hundreds of different applications. Counsel must take affirmative steps to preserve that content, but the effort and time required to do so are burdensome, and the complexity can multiply exponentially as the case evolves and more custodians and data sources come into play. Most legal teams will cast a wide net at the outset and potentially collect all of a custodian’s data for preservation, which involves a lot of redundancy, storage and movement of content with little value. In other cases, the legal team will simply ask the custodian to stop deleting data and hope that the individual complies.

Office 365 is architected in a way that allows the legal team to place any individual on preservation hold simply by flipping a switch. From that point on, everything the user does in Office 365 will be preserved, without any disruption to the user experience. With everything preserved in a single repository, the legal team can easily search for date ranges, keywords and data types to find only the information relevant to their matter, although care must be taken if the organization has other non-Office 365 data sources. The technology ensures from the backend that nothing is deleted until that user is taken off legal hold, at which point the user returns to the standard retention and deletion schedule.


Given the complexities within corporate environments, there isn’t a silver bullet technology or process that can solve the immense problem of efficiently and cost-effectively managing data. But with a proactive and strategic approach to Office 365 or other cloud repositories, the legal team has an immense opportunity to build programs that strengthen security, privacy, compliance and e-discovery processes. Taking the effort to obtain a seat at the table during the decision-making process will help ensure that the new systems and policies meet the broad needs of the organization as well as the nuanced needs of legal and other groups and functions across the organization. This proactive mindset can save considerable cost and mitigate many risks.