How NOT to use Litigation Hold with Office 365

Do not turn ON Litigation Hold on all your email and documents without involving your legal team and thinking through the consequences.

After we launched our Cloud-Cloud Backup solution for Office 365, I’ve been having conversations with several customers about the importance of protecting cloud data – and how they shouldn’t assume that having data in the cloud relieves them of their responsibility to keep data backups.

Most customers understand how data protection is still their responsibility and why it is important to keep secondary data copies even for their data in the cloud.  These needs are driven, not by fears that the SaaS vendor’s infrastructure will fail, but by regulatory compliance requirements and also their desire to protect against malicious data destruction by insiders.

However, a couple of customer conversations I had recently concerned me because they were adopting a strategy that could prove quite problematic in the long term.  These customers had several MS O365 E3 licenses and their strategy to protect against malicious insider deletion was to turn on the Litigation Hold feature for all mailboxes.   Their position was – “why should we spend money on a backup solution, when I can simply turn ON Litigation Hold for all my email?”.

That gave me pause – because turning ON Litigation Hold en masse on all data wasn’t something I expected anybody to actually do, especially in lieu of making a backup.  There are many reasons why a Litigation Hold and a Backup are different and cannot be used to substitute for each other.  And it is so important not to get these confused – from all standpoints – legal, business and technical, that I thought it was important to write this down.

What is Litigation Hold?

A Litigation Hold is a business process.  It is sometimes also called a Legal Hold or a preservation order.  It specifically refers to the process by which a business informs its employees (sometimes called custodians) not to delete information relevant to an impending (or ongoing) litigation.   This information could be digital (also referred to as ESI  or Electronically Stored information) or hard copy data (paper records).

A Litigation Hold process usually goes through a lifecycle such as the below:

  1. A Trigger event (like a court order or a notification from the internal legal team)
  2. Analzye the duty to preserve
  3. Define the scope of the hold – the custodians, the type of data, etc.
  4. Implement the Hold
  5. Enforce the Hold
  6. Modify the Hold (as needed)
  7. Frequently Monitor the Hold
  8. Remove the Hold

The Litigation Hold feature in Office 365 is designed to preserve user data for eDiscovery, but not as a means to backup or restore lost data.

How Litigation Hold can increase risk

Placing all O365 data in litigation hold can create a significant problem when the business is actually subject to an eDiscovery request. All of the data would be deemed discoverable – not just the data related to the legal action.  This could introduce potential liability that the business’ legal team didn’t anticipate.

Most business have well defined retention policies for all their data (including email) for this very reason.  Having a documented retention rule could help limit business liability in the case of a legal action.  To illustrate this with an example, if you’re unable to produce evidence (let’s say) from before 3 years ago because your documented retention policy was to keep emails for 3 years – the judge will understand that.  But if you have held all email under legal hold, you may not at that point refuse to produce emails older than 3 years – everything that is preserved becomes fair game from an evidentiary standpoint.

Also, preserving data forever using Litigation Hold means that the legal team’s job of sifting through and eDiscovering data in the case of an actual litigation now that becomes that much harder because of the amount of irrelevant data they’ll have to work through and cull out.

Before turning on Litigation Hold, it is important to make sure your legal team weighs in and is in the loop.  In fact, the legal team should typically be what triggers the litigation hold request.

Why Litigation Hold is not a backup

Here are a few things to remember about Litigation Hold and why it can’t replace a backup:

  1. A backup should be a secondary copy of the data that is made and kept as an immutable version that is insulated from all changes that are made to the original. Litigation Hold doesn’t create a second copy of data – it merely says it will preserve the existing copy.  A Litigation Hold is therefore only as safe as the existing primary copy is.  All the reasons to have a second backup copy are therefore immediately defeated.
  2. Litigation Hold data is available only via eDiscovery searches. Any folder hierarchy that was present is lost in Litigation Hold.  It is a flat set of emails that become visible based only on search parameters you provide.
  3. Restores take time. A restore of a mailbox requires that you first search for all email belonging to the user, and take the resulting data packaged into PSTs and then re-imported back to the original mailbox – but without any memory of a folder structure.  There are several documented cases where restoring only a handful of emails has taken administrators several hours.
  4. Should you get hit with a ransomware attack, backup solutions will let you ‘dial back’ the clock to a point-in-time previous to the attack and recover all your email. With a litigation hold, you risk all your email being impacted since all of that data is exposed to the attack (remember it isn’t a secondary, insulated copy).
  5. Many businesses are required by regulations to not only keep a secondary copy but, but a copy is that offline and offsite. Therefore, most businesses that invest in an email backup are also looking to save that copy of data in an alternate location – different than a MS data center.  Another situation where Litigation Hold doesn’t measure up.

Even Microsoft Agrees

The following has been taken verbatim from the Office 365 Service agreement text

“We strive to keep the Services up and running; however, all online services suffer occasional disruptions and outages, and Microsoft is not liable for any disruption or loss you may suffer as a result. In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

So “Hold” on before you make that call

So, before you make the decision to simply turn ON Litigation Hold, ask yourself these questions:

  1. Is your legal team bought in? Would this be the right thing to do by the legal team and by the business?
  2. What does your Risk and Compliance team say. If you have specified requirements around keeping a secondary backup copy that is offline/offsite – think again.  A Litigation Hold just won’t cut it.
  3. Think about the time it would take for you to restore and the quality of the restored data from the user’s perspective.

You’ve made the investment in Office 365 and successfully moved your email to the cloud.   Now, make the right investment to also protect your email data.  Make an informed decision.  Make the right choice.