As we discussed in a previous post focused on Microsoft, Office 365 has fundamentally changed the way that many organizations communicate and collaborate. With rich, dynamic, multi-modal features encompassing messaging, telephony, online file sharing and storage, and social media, O365 has found great success appealing to organizations of all shapes and sizes. End-users can easily access features across the Office 365 stack, as well as search and retrieve their own historical content. However, the deployment of collaborative features in new products such as Microsoft Teams has raised a new set of questions for those focused on regulatory compliance, e-discovery, and information security. Microsoft’s capabilities in these areas are quickly evolving, often leaving firms in lengthy and expensive proof-of-concept exercises to determine if Office 365’s native capabilities can address their specific requirements, or if third-party solutions are needed to meet regulatory, security, and legal obligations.
In fact, this topic has been the focus of several research papers from leading industry analysts, including a recent research report, Why Your Company Needs Third-Party Solutions for Office 365. Our perspective on this topic has been shaped by working strategically with Microsoft technologies for over a decade in support of the world’s largest and most complex firms in efforts to meet these demands. Regulated firms exceeding 50,000 employees have long depended on Smarsh (and the merged Actiance organization) — from the successful deployment of Microsoft Teams, to earlier deployments of Skype for Business, to even earlier deployments of Lync and OCS and MCS. We believe this provides a unique vantage point into the decision-making processes that firms go through as they conduct their due diligence on how to best leverage their investments in Microsoft technologies.
This experience can be useful to any firm asking the question, “Will Office 365’s native archiving meet our company’s regulatory and e-discovery needs?” Answering this question is not always simple, as Microsoft continues to enhance Office 365’s capabilities, and the volume, variety, and nature of e-discovery and regulatory compliance tasks tend to vary significantly from organization to organization. As a best practice, we encourage any firm to consider the following four dimensions:
Content Capture
The first set of questions attempts to uncover what content sources are in use by the organization, and what standards they need to address to meet their compliance obligations. With many firms now supporting more than 30 to 40 different content types, including non-Exchange-based email, encrypted mobile messaging, and custom-built apps, how these content sources can be accounted for in Office 365 is a key consideration. Each of these communications sources is unique, and many contain non-messaging metadata (for example, in Microsoft Teams, users can exchange files, participate in persistent chats, and use video and audio recording features) that can contain information of relevance to regulators or litigation, and that can be lost during the capture process. Similarly, as most firms are consolidating multiple legacy content sources while migrating to Office 365, content sources such as non-Microsoft email formats should be considered.
Policy Controls
Additionally, many firms are deploying Office 365 seeking to implement the same policy controls they depend on with their on-premises deployments. Capabilities include monitoring for restricted words and phrases, feature controls, ethical walls, and protections against data loss. While many of these capabilities are established for email, files, and documents, they continue to evolve for social and collaborative platforms — in particular those that are delivered via the cloud. For each new communications modality implemented, firms should be examining what native capabilities exist and where third-party policy controls can be successfully executed.
Revealing Risk
Risk can manifest in many forms — compliance, security, discovery, or data privacy. Most commonly, large organizations require proven, robust features to address the early stages of e-discovery and supervisory review for regulatory compliance. What determines whether product features are adequate is entirely a function of the volume, frequency, and complexity of the risks that firms encounter most often. For organizations that are FINRA- or SEC-regulated and require an appropriate supervision program for electronic communications, it’s imperative to partner with a third-party provider for a solution to implement, configure, automate, and report on their supervisory procedures. Sophisticated keyword and logic-based searches across content spanning multiple channels, policy review, and the flagging and escalation of potentially problematic content are capabilities that need to be sourced from third parties and integrated with O365.
Delivering Timely Response
Organizations in regulated industries and government entities need to capture, search, review, and produce their electronic communications for e-discovery, investigations, and litigation preparedness. Oftentimes, they are under tremendous pressure to process large volumes of content from multiple channels in a short period of time. These capabilities need to be available whenever the regulator or court order appears — not in the next product release — and with proven capabilities of delivering data in minutes, not hours or days. You also need the ability to export selected data in meaningful formats, all while retaining any relevant original context and metadata for each message to preserve the chain of custody — critical details that are lost when converting all captured content to a consolidated email transcript.
While every organization’s compliance and productivity needs are different, an effective approach to answer these questions is to perform a “side-by-side” comparison of Office 365 against third-party solutions to determine which solution best meets their requirements. Specialized compliance solutions from Smarsh, for example, provide the strongest third-party solution for archiving and e-discovery compliance, enhancing the existing functionality of O365 and eliminating numerous potential compliance gaps through which risk might otherwise threaten your firm, leaving you fully prepared to respond to any litigation event or records request that might come your way.
We plan to discuss each of these dimensions — content capture, policy controls, revealing risk, and delivering timely response — in upcoming posts.