Microsoft recently changed the default email retention policy for deleted email in Office 365 Exchange Online.
The length of time that items remain in the Deleted Items folder will be extended indefinitely or changed to a new duration an administrator sets, according to a recent Microsoft blog post. This means that email messages will stick around forever, unless someone makes a change dictating another length of time – instead of going away after 30 days.
Why should Exchange admins care about this email retention policy change? In a world where some people go to great lengths to delete email, retention is front and center. Whether it's to prevent malfeasance or to minimize liabilities, the ways in which organizations retain email can either work for or against admins and their business.
Complex legal requirements, information systems and politics can all contribute to weak data retention processes, especially around email. Admins can't afford to take these new developments lightly.
Cloud service providers often call the shots, so admins have to pay attention to these types of changes to make sure they're aligned with their business requirements. With this Exchange Online change, Microsoft appears to be generalizing the default action to simplify compliance with the numerous regulations around the world and perhaps even minimize their own risks. But just because Microsoft now retains email indefinitely doesn't mean that indefinite retention is what every organization needs. In fact, many people protecting the greater interests of their business might see this indefinite email retention period as a liability. Some legal cases and discovery requests have shown that if organizations keep everything -- in this case all email -- it could come back and be used against them in the future.
This email retention policy change should not affect a litigation hold, which is good. But there is a gray area in which changes or improvements may be needed.
Admins should consult with their organization's legal counsel and executive management to determine what, if anything, needs to be updated to better align with the organization's internal policies and any other regulations that the business must adhere to. If an organization doesn't currently have a data retention policy, now would be a great time to create one. Whether the policy is for all data or if it just addresses email, admins will want to make sure that everyone -- management, legal, HR and compliance officers -- is on board working toward the same goals. The last thing Exchange admins need is a policy, especially one for data retention, that no one follows.
One final note: If admins discuss this new policy with their higher-ups and decide they want to opt out of this new Exchange Online setting, they can either change the name of the Default Messaging Records Management Policy or create a new policy with a different retention policy specified. This blog post offers a good outline on how to do this.
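As an added illustration of the opt-out described above (this is example code, not from the original article or from Microsoft's blog post), the following Exchange Online PowerShell session leaves the Default MRM Policy untouched, creates a new policy whose Deleted Items tag carries an explicit 30-day age limit, and assigns that policy to user mailboxes. The tag name, policy name, and the admin UPN are assumptions chosen for the example; the 30-day value should be replaced with whatever legal counsel and management actually agreed on.

```powershell
# Added example: opt out of indefinite Deleted Items retention in Exchange Online
# by building a separate retention policy instead of editing the default one.
# Requires the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"   # placeholder UPN

# 1. Check what the tenant's Deleted Items tag(s) currently do. After Microsoft's
#    change, the built-in tag is expected to show no age limit (retain indefinitely).
Get-RetentionPolicyTag -Types DeletedItems |
    Select-Object Name, AgeLimitForRetention, RetentionAction, RetentionEnabled

# 2. Create a Deleted Items tag that restores the former 30-day behaviour.
#    DeleteAndAllowRecovery moves expired items to Recoverable Items rather than
#    purging them outright, so a single-item recovery is still possible for a while.
$tagName = "Deleted Items 30 Days"          # assumed name
if (-not (Get-RetentionPolicyTag -Identity $tagName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $tagName -Type DeletedItems `
        -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery `
        -Comment "Organization retention policy: Deleted Items expire after 30 days"
}

# 3. Clone the default policy's tag links, dropping any existing DeletedItems tag,
#    and add the new tag. Keeping the default policy intact means a future change
#    by the service provider cannot silently re-apply to these mailboxes.
$default = Get-RetentionPolicy -Identity "Default MRM Policy"
$links = @($default.RetentionPolicyTagLinks | Where-Object {
    (Get-RetentionPolicyTag -Identity "$_").Type -ne "DeletedItems"
}) + $tagName
$policyName = "Contoso Retention Policy"    # assumed name
New-RetentionPolicy -Name $policyName -RetentionPolicyTagLinks $links

# 4. Assign the policy to every user mailbox and confirm nothing is left on the default.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetentionPolicy $policyName

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Group-Object RetentionPolicy |
    Select-Object Name, Count

Disconnect-ExchangeOnline -Confirm:$false
```

The new tag takes effect only when the Managed Folder Assistant next processes each mailbox; `Start-ManagedFolderAssistant -Identity <mailbox>` can be used to force a run on a test mailbox before rolling the policy out. Mailboxes on litigation hold keep their held items regardless of the tag, consistent with the note above that holds are not affected by this change.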
About the author:
Kevin Beaver is an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic, LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at principlelogic.com and you can follow him on Twitter, watch him on YouTube and connect with him on LinkedIn.