Microsoft Teams has had an astonishingly steep adoption curve with the current remote-working situation. Microsoft refers to Teams as “The Hub of Office 365” – it brings many different services, content, repositories, and applications into one single modern application.
Teams fits neatly into the Office 365 ecosystem and enables a rich, powerful collaboration experience – both inside your organization and outside it, with vendors and other organizations.
So, what happens when you get served a Subpoena which includes a Document Request? Lawyers are getting savvy. It used to be a Document Request for emails. Now that we have such a rich, diverse range of collaboration tools at our fingertips, these Document Requests demand ALL content that John Doe has access to or has worked on/with across your whole organization.
Teams Data
This can cause anxiety for CSOs and Legal departments. If our fictitious John Doe was a Microsoft Teams user, what do we need to do to retain and hold his data? Where is that data? How long do we need to keep it for? How do we keep it and how do we retrieve it?
Let us look at where the data is stored for the various systems that feed into Teams:
SharePoint Site | OneDrive for Business site | Exchange Group mailbox | Exchange User mailbox | Exchange Phantom Group mailbox | Azure Chat service |
Files stored across all Teams libraries; Files shared in Group conversations; Wiki and OneNote | Files shared in a 1:1 or Group chat | Teams channel conversations | Teams 1:1 and Group chats; Call participation summary; Meeting participation summary | Teams 1:1 and Group chats between guest users | Teams 1:1 and Group chats |
As you can see above, John Doe's Teams data is spread across several services. So how do we get a grasp of that data, and what policies do we need to create at a minimum to retain it?
Retention Policies
Firstly, let us do a little background on “Retention Policies” – there are two kinds:
⦁ Retain data: Use a retention policy to ensure that your data is retained for a specified period, regardless of what happens in the user application. Data is retained for compliance reasons and is available for eDiscovery until the retention period expires, after which your policy indicates whether to do nothing or delete the data.
⦁ Delete data: Use a retention policy to delete data to ensure that it is not a liability for your organization. With a Teams retention policy, when you delete data, it is permanently deleted from all storage locations on the Teams service.
So legal requests aside for a moment, having Retention Policies in place at any organization has a lot of excellent side effects, such as:
⦁ Comply with industry regulations and internal policies that require you to retain content for a minimum period of time—for example, the Sarbanes-Oxley Act might require you to retain certain types of content for seven years.
⦁ Mitigate risk in the event of litigation or a security breach by permanently deleting old content that you are no longer required to keep.
⦁ Help your organization to share knowledge effectively and be more agile by ensuring that your users work only with content that is current and relevant to them.
Once you have determined the longest amount of time a governing body requires you to keep data, we can start to plan which policies are needed in which environment, and also what (if anything) we want to happen after the retention period expires – keep or delete?
Teams requires a retention policy that is separate from other workloads – you must create specific retention policies for Teams chats and/or channel messages. For this reason, you cannot include Teams in org-wide retention policies.
As you can see above, as well as creating Retention Policies for Teams, we also need to create them for Exchange, SharePoint, and OneDrive for Business, and soon Yammer (in preview).
Let us put together a full list of the policies that we’d need to retain John Doe's data:
Retention Policy for SharePoint
Needed to cover:
⦁ Files in Teams
Retention Policy for OneDrive for Business
Needed to cover:
⦁ Chat files
Retention Policy for Teams
Needed to cover:
⦁ Teams Chats
⦁ Channel Messages
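The three policies listed above can also be created from Security & Compliance PowerShell. The sketch below is an added example, not part of the original post; the policy names, the org-wide `All` scope, and the seven-year duration (taken from the Sarbanes-Oxley illustration earlier) are assumptions to adjust for your own requirements. It keeps Teams in its own policy, since Teams locations cannot be combined with other workloads.

```powershell
# Added example. Assumes the ExchangeOnlineManagement module is installed and the
# signed-in account holds a compliance role that can manage retention policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell session

# Assumption: retain for seven years, expressed in days.
$retentionDays = 7 * 365

# One policy per workload; names are hypothetical. Teams gets its own policy.
$policies = @(
    @{ Name = 'Retain - SharePoint (files in Teams)'
       Locations = @{ SharePointLocation = 'All' } },
    @{ Name = 'Retain - OneDrive (chat files)'
       Locations = @{ OneDriveLocation = 'All' } },
    @{ Name = 'Retain - Teams (chats and channel messages)'
       Locations = @{ TeamsChatLocation = 'All'; TeamsChannelLocation = 'All' } }
)

$existing = Get-RetentionCompliancePolicy | Select-Object -ExpandProperty Name

foreach ($p in $policies) {
    $locations = $p.Locations

    # Create the policy only if it is not already present, so the script can be re-run.
    if ($existing -notcontains $p.Name) {
        New-RetentionCompliancePolicy -Name $p.Name `
            -Comment 'Retention for Teams-related data' @locations | Out-Null
    }

    # The rule carries the duration and the action: Keep = retain, do nothing afterwards.
    # Use KeepAndDelete to delete once the retention period ends.
    if (-not (Get-RetentionComplianceRule -Policy $p.Name)) {
        New-RetentionComplianceRule -Name "$($p.Name) - rule" -Policy $p.Name `
            -RetentionDuration $retentionDays `
            -RetentionComplianceAction Keep | Out-Null
    }
}

# Confirm that each policy exists and has been distributed to its locations.
Get-RetentionCompliancePolicy -DistributionDetail |
    Where-Object { $policies.Name -contains $_.Name } |
    Select-Object Name, Enabled, DistributionStatus
```

Distribution to all locations can take some time, so a `Pending` status immediately after creation is expected.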
In Part 2, we will go through the creation and deployment of these policies together.