Key Compliance & Information Governance Considerations As You Adopt Microsoft Teams

In the reality of today’s transformed world, there’s no predicting what the future holds, not only for how we go about our daily lives, but also for how businesses conform to the dramatic workplace shift. As COVID-19 leaves cities empty and physical offices inoperable, collaborative technology, such as Microsoft Teams, provides businesses with a unique opportunity to adapt to modern communications and continue business as usual.

In a recent Lighthouse webinar focused on compliance and information governance considerations for organizations adopting Microsoft Teams, our panelists outlined ways to ensure this new way of doing business continues to be compliant, secure, and legally defensible. The group discussed critical information governance pain points that come with transitioning to collaboration tools like Teams and best practices for overcoming these challenges.

Setting the Stage

Now that Microsoft has added 12 million new daily Teams users and that number will surely expand even post-pandemic, organizations need to understand how to manage Teams data from an ediscovery and compliance standpoint. Teams is an easy-to-use and robust modern application in which you can conduct business, but it can easily turn into a repository filled with raw, unstructured data causing concern for Legal departments looking to mitigate risk and maintain compliance for their organizations. The dynamic communication method that employees are embracing of sharing information in Teams creates new avenues for Legal to navigate to properly govern the organization’s data, as it is being stored in multiple areas and for varying durations depending on internal data retention methods.

Key Considerations

The panelists discussed a few key considerations to keep in mind when adopting/using Teams.

1. Know that information governance and data defensibility continues to be a headache for organizations. In Teams, you can share modern attachments, GIFs, stickers, and emojis and all of this data has unique identifiers within Teams Exchange, SharePoint, or OneDrive that can have serious implications if not governed compliantly.
2. Look at the difference between E3 and E5 licensing as it relates to Teams. Two very important differences between Standard eDiscovery (E3) and Advanced eDiscovery (E5) in regards to Teams defensibility is that E5 can thread Teams posts and chats as well as provide Team membership identification. The reason these two features are important is that they allow you to streamline internal investigations and allow Legal to efficiently identify risk without having to export inordinate amounts of data.
3. Review the basic architecture of Teams data. Teams data can be structured differently depending on internal methods. The data can be stored on SharePoint, OneDrive, and Teams Exchange if there’s no data classification, increasing the risk of over retaining data and mismanaging ediscovery policies.
4. Utilize audit logs. There are over 450 auditable events in the Compliance Center alone. Multiple audit logs in the Compliance Center allow monitoring of relevant changes within M365. Take advantage of the detailed log of modification, deleted data, and accessed material for your eDiscovery investigations to ensure defensibility.
5. Understand your deployment options. There are compliance implications to consider regarding different deployment methods. Features must be managed according to internal policies and procedures, especially for ediscovery investigations. Proactively managing features like the ability to classify data, label accordingly, and filter throughout OneDrive, SharePoint, and Teams Exchange provides a defensible procedure to be compliant in a Teams rollout and should be considered during and after deployment.

Best Practices

The panelists also outlined some best practices to help initiate change and jumpstart internal compliance methodologies and governance policies in Teams.

1. Partner with IT. Make sure to engage IT in the discussion and when developing your ediscovery strategy. Partnering internally is a great way to ensure everyone is educated and on the same page when defining Teams requirements and policies.
2. Plan your future state. Your newly developed policies turn into a new operating model to implement in your future-state plan, thus ensuring a tested governance framework is defensible throughout all departments. Keep in mind all departments need to adapt during this implementation.
3. Implement quickly and thoroughly. Thorough planning should yield faster implementation and allow you to ensure the proper configuration, system integration, and automation. Be sure to document everything.
4. Ensure maintenance of your program – Identify any changes, assess the impact of those changes, operationalize the changes, and repeat.

Microsoft Teams is a powerful and convenient tool to leverage, especially as workforces increasingly become remote, but there are compliance and information governance considerations around this new approach to communication. To immediately tackle and get ahead of these new challenges, consider partnering with IT, planning your future state, implementing quickly and thoroughly, and creating a way to continually maintain your program.

Learn more about the modernization of M365, or to discuss this topic further, feel free to reach out to me at wking@lighthouseglobal.com.