If they have not already moved some of their information footprint to the cloud, most companies will soon enough. The cloud market is growing because the cloud offers "infinite" storage for a company's rapidly expanding information trove, and there are many compelling economic reasons as well. What is clear, however, is that migrating to the cloud, be it AWS, Google Cloud, or Microsoft Office 365, is replete with issues on which lawyers must weigh in. Failure to engage the lawyers up front will result in unnecessary risk and exposure.
Microsoft Office 365 (Office 365) is used by companies the world over, but a company contemplating migrating its data to any cloud storage provider will do well to seek input from its lawyers (and other key stakeholders). IT staff generally have two reasons for not wanting to engage with lawyers: they do not like "it depends" answers, and they do not like to wait for legal advice. IT projects, including migrations to new environments, generally run on tight timeframes, and waiting for legal advice tends to delay implementation. However, migrating to Office 365 presents an organization with some unique opportunities, including cleaning up the current data debris and reducing the privacy and information security risks that come with retaining unnecessary information. Further, the migration process allows new policy and data governance rules to be applied to information in a way that addresses legal, compliance, regulatory, and privacy issues.
Office 365 offers organizations rich features for managing their data from a security, discovery, access, and retention standpoint, and setting those features up correctly will pay off during normal business operations as well as when litigation strikes. In addition, deciding on policies and rules up front will make the migration itself more manageable and more valuable.
Here are a few questions lawyers and risk and compliance professionals can answer:
What data should be migrated to Office 365? Most companies have decades of unstructured data and e-mail messages that have minimal value to the business. Such content may not need to be retained for legal or regulatory purposes and could pose an unnecessary risk and cost to the organization if it remains. There are simple rules that can be agreed upon to determine what information should be migrated and what information should be purged. Bringing the necessary stakeholders together with the lawyers can help the organization determine what type of diligence is needed before the content can be legally and defensibly purged. If the information is not needed, there is no good reason to migrate it to the new clean environment.
What happens with data left behind by employees who have departed the company and whose data are not on a litigation or preservation hold? Companies often have no policy or practice addressing data created or stored by employees who leave, voluntarily or involuntarily. This gap leaves abandoned data sitting, sometimes forever, and most likely improperly managed. If the data are not on a legal or regulatory hold, the lawyers can help IT determine what, if any, of it should be migrated.
What policies should be developed or augmented to automate information management? Cloud services like Office 365 allow an organization's information to be managed automatically by pre-established rules. Most organizations have few, if any, management controls governing unstructured content (e-mail messages, Word documents, and the like) stored in shared drives, personal drives, local hard drives, and mailboxes. This functionality removes the burden from individual employees while promoting compliance, since technology is usually more consistent than employees at classifying information. Getting this right will require lawyers' involvement: if lawyers understand the functionality available in Office 365, they can help the organization modify policy into rules the technology can implement. As an example, a sensitivity (classification) label can be applied automatically to content that contains personal information; the label can limit who has access to that content and can require that a higher level of protection, such as encryption, be applied, all without user action.
How will discovery and litigation response be managed? Some of the cloud platforms offer tools that can help with discovery. In that regard, lawyers should also be involved in the technology-vetting process to ensure the organization is buying technology that satisfies its needs. In the case of Office 365, a rich set of tools is available for performing e-discovery, which can conduct searches across Exchange, SharePoint, OneDrive, Teams, etc. Prior to migrating to Office 365, lawyers must understand the new environment’s functionality in order to address issues regarding end user versus system preservation, or how long data will be retained after the end user deletes it, among other things.
How can an organization proactively establish records retention rules to support defensible disposal? Retention policies can be applied in Office 365 to ensure records are retained for a specified duration and/or purged automatically when the retention period expires. This helps ensure compliance, mitigates risk, and avoids the expense of storing unnecessary content longer than necessary. Retention labels can be applied by end users, required by policy, or applied automatically based on content. Retention policies can follow the company's full retention schedule or a simpler, defensible set of rules (e.g., three years for nonrecords). Retention can be refined further for specific sets of data, such as content containing sensitive information types (credit-card, Social Security, and passport numbers). Note that a deletion rule, once it fires, is not reversible, so the rules should be reviewed by the lawyers and tested on a pilot location before being applied tenant-wide.
How will event-based retention be managed? Event-based retention (a retention period that begins only after some future event, such as a contract's expiration date) has been and continues to be a major headache for most organizations. If the retention rule for life insurance policies is tied to the death of the insured at some future date, tracking that event and the retention period that follows it becomes a cottage industry. Similarly, if retention of personnel records is tied to an employee's termination, a date that is unknown in advance, retaining those records correctly across all employees is a challenge. Rules within Office 365 can be set up to handle these event-based retention periods (contract expiration, employee termination, and so on): the clock for a labelled item starts only when the corresponding event is recorded.
Which information and e-mails should be encrypted? Office 365 lets users protect individual messages by selecting templates such as Encrypt and Do Not Forward when composing or replying to e-mail. In addition, administrators can set up mail flow rules that automatically encrypt outgoing messages that match specific business criteria, such as the recipient's domain or the presence of a sensitive information type in the message body or attachments. Lawyers should help determine whether automated rules for particular content types (trade secrets, intellectual property, PII, etc.) are needed and what those rules should be.
What can the company do to automatically protect its information assets? Cloud applications increasingly provide greater tools to help protect company information. Companies are turning to Data Loss Prevention (DLP) technology to automate the protection of information. Office 365 allows for the creation of policies that can alert, encrypt, or even block the transmission of sensitive data as identified based on predefined data types. As with encryption rules, lawyers should provide guidance on what content must be blocked based on the risk it poses to the company. Data theft by employees or outsiders is a real issue today, and lawyers must help define the parameters that would help sniff out and minimize this risk.
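The retention, event-based retention, automatic encryption, and DLP rules discussed in the last four questions can all be expressed as tenant configuration. The following PowerShell session is an added example, not part of the original article and not Microsoft's documentation: it creates a three-year deletion rule for nonrecords, an event-based personnel-file label that starts a seven-year countdown when an "Employee termination" event is raised, a mail flow rule that encrypts outbound messages containing a U.S. Social Security number, and a DLP policy that blocks credit-card numbers from being shared outside the organization, starting in test mode. The cmdlets and parameters are those of the ExchangeOnlineManagement module; the tenant URL, site, policy names, employee ID, and dates are invented placeholders.

```powershell
# Added example (not from the original article): information-governance rules for an
# Office 365 tenant expressed as PowerShell. Requires the ExchangeOnlineManagement
# module and an account holding the Compliance Administrator and Exchange
# Administrator roles. All names, URLs, IDs and dates below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession      # Security & Compliance cmdlets (retention, labels, DLP)
Connect-ExchangeOnline   # Exchange Online cmdlets (mail flow rules)

# 1. Defensible disposal: delete nonrecords three years (1095 days) after their
#    last modification, across Exchange, SharePoint and OneDrive.
New-RetentionCompliancePolicy -Name "Nonrecords - 3 years" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name "Delete nonrecords after 3 years" `
    -Policy "Nonrecords - 3 years" `
    -RetentionDuration 1095 -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Delete

# 2. Event-based retention: keep personnel files for seven years (2555 days) after
#    the employee's termination, then delete. The clock starts only when an event of
#    type "Employee termination" is raised for the matching asset ID.
New-ComplianceRetentionEventType -Name "Employee termination"
New-ComplianceTag -Name "Personnel file" `
    -RetentionAction KeepAndDelete -RetentionDuration 2555 `
    -RetentionType EventAgeInDays -EventType "Employee termination" `
    -IsRecordLabel $true
# Publish the label to the (placeholder) HR site so it can be applied there.
New-RetentionCompliancePolicy -Name "Publish personnel labels" `
    -SharePointLocation "https://contoso.sharepoint.com/sites/HR" -Enabled $true
New-RetentionComplianceRule -Name "Publish personnel file label" `
    -Policy "Publish personnel labels" -PublishComplianceTag "Personnel file"
# When HR processes a departure, raise the event. Items labelled "Personnel file"
# whose asset ID matches begin their seven-year countdown from EventDateTime.
New-ComplianceRetentionEvent -Name "Termination - employee 12345" `
    -EventType "Employee termination" -AssetId "EmployeeId:12345" `
    -EventDateTime (Get-Date "2024-03-31")

# 3. Automatic encryption: a mail flow rule applying the built-in "Encrypt" template
#    to messages leaving the organization that contain a U.S. SSN.
New-TransportRule -Name "Encrypt outbound SSN" `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(@{Name = "U.S. Social Security Number (SSN)"; minCount = "1"}) `
    -ApplyRightsProtectionTemplate "Encrypt"

# 4. DLP: block sharing of credit-card numbers with people outside the organization,
#    notify the content owner and generate an incident report. The policy starts in
#    TestWithNotifications so false positives can be reviewed before enforcement.
New-DlpCompliancePolicy -Name "Card data exfiltration" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications
New-DlpComplianceRule -Name "Block external sharing of card numbers" `
    -Policy "Card data exfiltration" `
    -ContentContainsSensitiveInformation @{Name = "Credit Card Number"; minCount = "1"} `
    -AccessScope NotInOrganization -BlockAccess $true `
    -NotifyUser Owner -GenerateIncidentReport SiteAdmin -IncidentReportContent All

# Review what was created before switching DLP to enforcement.
Get-RetentionCompliancePolicy "Nonrecords - 3 years" | Format-List Name, Enabled, DistributionStatus
Get-DlpCompliancePolicy "Card data exfiltration" | Format-List Name, Mode, Workload
# Set-DlpCompliancePolicy -Identity "Card data exfiltration" -Mode Enable
```

Two practical points for whoever runs this with the lawyers in the room: the deletion rule in step 1 is irreversible once items age out, so scope it to a pilot location and confirm the retention period with counsel before using the `All` locations shown; and the DLP policy should stay in test mode long enough to review the incident reports, because blocking on a noisy sensitive-information type will stop legitimate business mail as well as exfiltration.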
When is data removed from the old environment(s) after a successful migration? Most business and IT professionals like to keep data "just in case" someone needs it down the road. Lawyers, on the other hand, may want information gone quickly if it has no business, legal, or regulatory value. Discussing the real business, legal, and regulatory needs with lawyers and other key stakeholders up front is essential so that the data in the original storage location can be deleted as soon as the information in the new environment has been validated as accessible and complete. Until that deletion happens, the organization is carrying two copies of everything, including whatever it decided not to migrate.
What other regulatory compliance rules must be proactively managed (GDPR or CCPA)? Lawyers can provide guidance to ensure regulatory compliance is automated as much as possible with the functionality available in Office 365. As regulations are passed, lawyers should work with IT to modify the rules applicable to the company’s data.
Flipping the switches, buttons, and toggles can be done by IT, but getting information management and governance right will require guidance and input from lawyers, compliance and privacy professionals, and business folks. Anything less will result in information not being there when needed or being there forever and creating liability and risk.
The cloud makes great business and technical sense for many companies. It can also be a boon to better information security and privacy management if companies choose wisely. The fact remains that not all clouds are created equal, but the good ones are valuable and even more so when lawyers play their part in making them come to life.