Office 365 Journaling to Create a Comprehensive eDiscovery Archive

Blog02212019_ Warehouse.pngDoes your organization utilize Office 365 for email? Is your organization required to journal email for compliance, legal, or business requirements? Do your Attorneys complain about the time it takes to find information for an eDiscovery request? If the answer is yes to any of these questions, then keep reading.

A journal ensures “Golden Copy” status

For those readers that aren’t sure of what a journal is, it refers to the capture and retention of all incoming and outgoing email in a way that guarantees the content is an immutable and an exact copy of the original message including all metadata and conversation threads. Microsoft invented the “Journal Mailbox” back in the 90s for their on-premise Exchange email solution for a new (at the time) SEC requirement aimed at Financial Services organizations. The journaling process captures an email message (and its metadata) as soon as it is sent or received ensuring it has not been deleted or edited. This method creates a “copy of record” or “golden copy” which can be used in the eDiscovery process.

As I mentioned above, journaling was originally developed for capturing email from brokers and traders and is still an important SEC requirement. But, as companies have moved from on-premise email systems to Office 365, Journaling became more difficult. Now, because Office 365 does not provide journaling capability, companies have been forced to adopted 3rd-party cloud solutions to act as the journaling folder – more on this later.

Isn’t journaling just for financial services compliance?

In fact, no, journaling is used extensively for litigation preparedness and eDiscovery. To capture and immutably store custodian email, some companies still utilize the email journaling feature in their on-premise Microsoft Exchange server. However, for many companies, the 3rd-party journaling cloud option is too complex, too expensive, has potential security issues, and introduces the vendor lock-in/data prison problem (more on this later).

Other companies using the Office 365 cloud employ a 3rd-party cloud archive to journal from Office 365 to their 3rd-party cloud archive – costly due to the high cost of 3rd-party cloud email archives as well as the vendor lock-in issues.

Be careful about relying on journaling for eDiscovery without fully understanding the technical complexities. Journals can be configured in several ways, some of them not capturing all message data. For example, some configurations don’t capture the Bcc recipient, a potential issue for eDiscovery response.  A best practice is to make sure you document what your journaling capabilities are (the specific method used) for your “meet and confer” meeting and inform legal counsel of its use for preservation and collection purposes.Blog02212019_ Figure 1

Many organizations employ full-time journaling for specific employees such as the CEO and C-level staff because they are the usual targets of eDiscovery requests (as well as for regulatory requirements like Sarbanes-Oxley – SOX). In today’s legal environment, many companies have moved toward journaling all employee email (for some period of time) to lower the cost of eDiscovery as well as reduce the time for early case assessment (ECA) activities.

Journaling email from Office 365 helps the eDiscovery process. But eDiscovery requests do not only focus on email.

The main premise of eDiscovery is that the plaintiff has the right to any relevant data the defendant may possess. The defendant has the responsibility to search for and produce all data, not just email, that may be relevant to the lawsuit. This collection process can become costly and time-consuming because all potential data repositories (including all target custodian computers etc.) must be searched to show the opposing counsel and Judge your good faith in the collection process.

Data consolidation – It’s a good thing

Consolidating as much of your organization’s data as possible will save huge amounts of time, reduce risk, and lower eDiscoveryBlog02212019_cabinet costs.

Data consolidation is not as straightforward as it sounds. First, you must define the consolidation repository. It used to be that some custodian files were stored on company file servers in custodian folders. None of this data was indexed, managed, nor regularly reviewed so searching for specific content was not only time-consuming but also a legal risk in that your attorneys could not be sure that all potentially responsive content was found and produced.

A complicating factor is that the company’s internal and external counsel must represent to the court that the eDiscovery process was conducted responsibly and in good faith. If later, the defendant’s eDiscovery collection process is called into question, the attorneys are at risk of penalties and professional actions.

The harder issue is that of consolidating data in a corporate atmosphere verses that of data ownership. Most companies still, do not put policies or processes in place ensure all data generated by individual employees is stored centrally so that it can be indexed for faster search (for eDiscovery), managed per retention/disposition policies, secured against external hackers or internal theft, and audited.

Still today, employees control their work data locally making it almost invisible to attorneys and dramatically rising collection costs. Corporate employee culture is still that their data is theirs and they want to retain control over it. Changing this culture is a difficult proposition and will take time to implement fully. In fact, taking human nature into account, a large percentage of employees, given the directive to consolidate all their data in a central repository, will not follow through.

The only process I’ve seen work is to automatically sync employee workstations with the central repository/archive, leaving the data locally but also ensuring golden copies are stored centrally for easier search as well as acting as a backup copy. File consolidation combined with journaling from Office 365 will produce a complete central “golden copy” legal repository.

Blog02212019_ Figure 2

Avoid data prisons and utilize your own Azure tenancy

As I mentioned earlier in this blog, 3rd-party vendor lock-in is a real concern for many companies that have experienced this very real issue. Vendor lock-in is when data is migrated into a 3rd-party cloud where the vendor either converts the data to “save costs” or limits the customer’s ability to move data out of the archive. For example, I have talked to customers that have told me stories about wanting to move their TBs or PBs of data to another cloud vendor and being told that they would be charged a “re-conversion fee” to make the data usable again outside of the vendor archive. I have seen these re-conversion fees amount to the total annual cost of the 3rd-party archive contract. Other 3rd-party cloud vendors will throttle the speed at which data can be exported to some ridiculously low data rate ensuring it will take months or years to completely move out of the cloud archive. Of course, they will offer to increase the export speed for an additional (huge) fee. Some customers have referred to these 3rd-party clouds as data prisons – once you’re in, you can’t get back out.

Many organizations today have Microsoft Azure subscriptions where they store backups, run applications on VMs, and perform analytics on data sets. Wouldn’t it be great to utilize your company’s own Azure tenancy as an archive where all data (including Office 365 email) could be consolidated, indexed, and managed for easier and faster eDiscovery?

Click here to read the entire blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s