The following post is part four of a nine-part video/blog series on e-discovery in Microsoft Exchange 2010. Last time, Paul and Marta began to discuss some of the new features in Exchange 2010 – starting with multi-mailbox search. In this week’s edition, they’ll talk about role-based access control (RBAC) and data retention policies. Enjoy!
Paul: One of the areas where Microsoft has made a big leap forward is role-based access control (RBAC). This allows you to assign search permissions to individuals who have no other permissions within the Exchange organization. So, basically, I can give my organization’s general counsel or HR department (whom I don’t necessarily want touching my email server) a web-based method of doing the searches and viewing the results. In fact, you can actually break the two up, so that one group has the ability to do the searches, and a completely different group can see the results. This is really powerful, because one of the big objections to e-discovery implementation comes from those who are concerned with any one person being able to see their confidential or sensitive data.
Now, I won’t get into the complexity of how you make sure that your administrators are trustworthy, but being able to break things up in this way makes it much easier. The people who are supposed to be doing the searches can do the searches without dragging the administrators into the process. As an administrator, myself, I truly appreciate that. I don’t want to be searching through people’s mailboxes to find out who is sharing inappropriate material or stealing from the company. In fact, I would really prefer to be as far away from the situation as possible. It’s nice to have that degree of separation built into the product.
Pretty cool, huh? Learn more about role-based access control.
Anyways, another area that we should touch on is the ability to have retention policies. First off, what are retention policies used for? What do they do? And also, how do they play into e-discovery?
Marta: Retention policies have been used for quite a while and have traditionally pertained to system storage. As storage has become relatively cheap, though, the freezing of retention policies for storage reasons has really decreased in number. However, as this number has decreased, we’ve seen an increased raw number of retention policies. Why? Well, business processes, as far as we’re concerned with e-discovery, basically boil down to a retention policy. You have to define in writing how long you’re going to keep data, and you have to have an auditable way of actually doing that. You’re essentially saying, “Okay, I’m going to archive email after a year, and then we’re going to keep it for another year after that.” Something like that. Each organization has a different set of stipulations.
Some organizations, law firms, for instance, tend to keep their data a lot longer, because their business processes are very much tight. So, you see, business processes often dictate the rules set in the retention policy. No matter what, though, you really should have one. If you don’t, if your organization is absent of a retention policy, everything is discoverable, and you’re liable for all of that data.
Paul: That’s a really good point. I remember, a couple of years ago, there was some flap in the news concerning Andy Grove (who may or may not have just left Intel at the time) saying that Intel’s retention policy was going to be to basically retain nothing. They would hold data for a very short time and then delete everything, because if that’s the standard business process, only the data within that short window is discoverable. Now, obviously, if you do that, you’re really handcuffing yourself. There might be really good business reasons to keep data for however many months. If you have blanket rules that mandate that everything is deleted after four months, you may be throwing away some information that’s pretty valuable.
Marta: The irony is that on the other side of retention policy is litigation hold policy. Basically, once you even suspect that litigation is taking place (say you terminate an employee or something like that), you have to retain the data that you have; you can no longer delete it. You’re no longer in the ‘safe harbor’; you’re actually outside of it. And the FRCP is very clear that you cannot modify your data; you have to have it in a secure location. So, yeah, not only do you need a retention policy, but you also need to set it up so that it works hand in hand with certain custodians.
Has role-based access control in Exchange 2010 made managing your email discovery processes more feasible? What steps have you taken to formulate sound retention policies?
This concludes part four of our nine-part series on e-discovery in Microsoft Exchange 2010. Check back in the coming weeks for part five, in which Paul and Marta will dive into more of the features that Exchange 2010 offers.