Video
Microsoft 365: Maximizing the Opportunity for Legal & Regulatory Compliance
Related topics:
Transcript:
[00:00] [Intro music]
Host: [00:36] Hello, and welcome to today's Bloomberg BNA webinar titled "Microsoft Office 365 -- Maximizing the Opportunity For Legal and Regulatory Compliance." I have just a couple of announcements before we begin.
[00:47] First of all, thank you for attending today's presentation. You have multiple options for audio today. If you select the dial-in option, please make sure your phone is on mute. If you select the listen-only option, please make sure the volume on your speakers are turned up.
[01:03] Questions will now be submitted by telephone. Questions may be submitted at any time via the Q&A pod at the lower right of your screen. Simply type your question and click the icon to the right to submit. Questions will be allowed to accumulate, and will be addressed towards the end of the presentation or when our speakers deem appropriate.
[01:16] You are currently seeing sections on how to earn credit for attending today's webinar. If you have any questions about continuing education credit, please see Melissa at credit@bna.com. Instructions for downloading your certificate can be found in the files pod.
[01:33] In order to obtain daily credit for attending today's presentation, you must answer all polling questions that are presented throughout the webinar. There is no submit button for multiple choice questions.
[01:42] If you would like to receive daily credit for attending today's presentation, please make sure to answer the following question at the end of the program accurately, which will ask for the jurisdiction where you wish to receive credit and your corresponding bar number.
[01:53] Your certificate will be ready to be download in your classroom at learning.bna.com in the "My certificate" tab, generally within one business day of the presentation.
[02:01] A copy of the presentation you're about to see, as well as an additional handout, are both free to download from the files pod to the right of your screen in order to provide you with take-away reference material and details on obtaining CE credit.
[02:13] We will like to thank FTI Consulting for sponsoring today's program. FTI Technology is a practice of FTI Consulting that is dedicated to helping organizations protect and enhance enterprise value in an increasingly complex legal, regulatory, and economic environment.
[02:30] FTI's clients rely on their software, services, and expertise for matters ranging from internal investigations to large-scale litigation with global eDiscovery requirement.
[02:44] I would now like to turn the presentation over to Angela Navarro.
Angela Navarro: [02:48] Thank you, and welcome to today's webcast Microsoft Office 365, maximizing the opportunity for legal and regulatory compliance.
[02:58] In terms of agenda, we will first meet our speakers and then discuss some of the adoption trends we're seeing with Microsoft Office 365. From there we'll discuss the impacts that this migration is having on legal and compliance teams.
[03:14] Our experts will take us through some of the eDiscovery and IG features within the tool, and then discuss what to expect in the future in terms of making your voice heard with a seat at the table, addressing preservation issues, and data remediation.
[03:28] We will conclude by answering questions submitted from you, our audience. Additionally, throughout the presentation you'll notice several pop-up pull questions. We invite you to participate and answer those pulls as they come through.
[03:43] Now let's meet today's speakers. Rachi Messing is a Senior Program Manager at Microsoft, with the Office 365 Information Product group. His career has focused on compliance and eDiscovery for the past 15 years, and he is a frequent speaker on these topics. Welcome, Rachi Messing.
[04:06] Next, we have Sean Kelly, Senior Director in the Information Governance and Compliance Services Practice of FTI technology. He leverages more than a decade of experience in both legal technology and litigation support to advise clients on evolving technologies.
[04:22] Prior to FTI, Sean worked for Johnson & Johnson where he was responsible for eDiscovery issues across business sectors. Welcome, Sean Kelly.
Sean Kelly: [04:32] Thank you, Angela.
Angela: [04:33] Finally, we have Jake Frazier, Senior Managing Director with FTI technology. Jake leads FTI Technologies Information Governance and Compliance Practice. Jake focuses on assisting corporations and governmental organizations with IG and compliance initiatives as well as the corresponding costs and risks. Welcome, Jake.
Jake Frazier: [04:57] Thanks, Angela. Happy to be here.
Angela: [04:59] Now, before we move on to the topic, we have our first pull-in question for the audience. This is pull-in question reads, "Where are you in the process of migrating to Office 365?"
[05:13] Selections include, A, we are in the early stages of determining whether to adopt Office 365. B, we have decided to migrate but have yet to begin. C, we are currently in the process of migrating to Office 365. D, we've already completed the migration.
[05:31] We'll give the poll just a few more seconds to populate. Please make your selection. Then we will see the results here in just a few seconds. Rachi Messing will be our first speaker from Microsoft. Rachi, I know you probably are interested to see what these results look like, and also speak of some of the trends that you're seeing with adoption.
Rachi Messing: [05:52] Yeah, absolutely. It's interesting to know, we've got them on screen right now, some statistics. It's great to see that we've got already, on the current poll, about 50 percent of the people looks like are either in the process of or already completed migration. The polling is still going on.
[06:17] That's about what we're seeing in general that some people are referring to Office 365 as new technology or just coming out on the market, but it's already here. It's already pretty well accepted. Between the percentage of users in Fortune 100 and 500 companies that already have multiple workloads within Office 365 to the consumer users. It's a global reach of Office 365.
[06:55] With that reach, comes a lot of questions. We're seeing a lot of companies that are moving so quickly that it's a change in adoption from what they are used to or what might have happened five years ago in looking at adopting new technology. The adoption has been happening very, very quickly.
[07:18] We're excited to be able to provide solutions around it to help the legal community and help compliance teams in making sure that they are able to do what they need to do. Jake, why don't you address a couple of things that you're seeing in the market?
Jake: [07:40] Sure. Thanks, Rachi. I guess I was a little bit surprised to look at some of the adoption rates. Maybe a little bit ahead of what I thought, although that thought back in the client engagements, the conversation that I'm having, I guess it makes a lot of sense.
[07:57] This is from Gardener in July. Essentially, they do polling, one of the largest analyst firms for IT organizations especially within big companies. Essentially, they found, you can see it on the pie chart here, that you've got over three quarters of corporate respondents that either have Office 365, are moving to it in one year's time or in two years' time.
[08:23] What's interesting is, and we'll talk a little bit later about some survey evidence for legal. Often if you poll the same companies but their legal departments, you'd get a little bit lower adoption rates simply because they often aren't really in a loop or maybe know of it on the periphery.
[08:44] What we found is often CIO and CFO, COO, our offices get together, and it'll move towards Office 365 for some really tangible and nontrivial cost savings. Certainly, that's outstanding. The efficiency gain there is great.
[09:02] We've often found that legal and compliance sometimes aren't really involved in that project early enough where there is some opportunities to fix some processes and make some progress from an information governance standpoint by using some of the immense tools that we'll talk a little bit about more today.
[09:24] I thought that this was interesting. There's another dimension of it, I guess. We can look, maybe, in the future to see if we get some survey evidence on this particular chat with another lens.
[09:37] Which is to say, if it's just for, what we call, the basic functionality of Office 365 moving exchange, and share point, and files shares through the cloud or what's this adoption with regard to some of the more advance features we'll talk about that can help with advanced third detection, automate discovery, adopting and retention.
[10:01] Interesting stuff to look at and I'm sure we all want to see them grow in the future.
Angela: [10:10] Thank you, Jake. As we move on with our presentation, we have another poll before we [inaudible] do, here. The poll reads -- and it should be open on your screen now -- which tools within Office 365 are you using?
[10:23] The selections include A, Exchange/Outlook. B, One Drive for Business. C, Skype. D, Yammer. E, SharePoint. We'll wait for that poll to populate just a second, and then Rachi, let's have you talk a little bit about what we're seeing in terms of these kind of results and compliance solutions that are already in place with Office 365.
Rachi: [10:45] It's very interesting that right now what we're seeing is that it's really a mix of the tools that people start with when they look at adopting Office 365. A lot of companies look at it from the perspective of, "I've got my email. It's the lifeblood of my company, and I'm going to keep all of that in place, on-premises, for as long as possible."
[11:13] Then there are others who take the approach of email is actually, I can get some of the most benefit out of moving that to the cloud and into Office 365, and that's one of the first things that I'm going to push there.
[11:28] Other people take that same exact approach when it comes to their file and One Drive and putting things like Skype and other tools out there that they can really look at taking advantage of the features in Office 365.
[11:44] When they start really digging into these features, one of the first things that we find is that legal pops up. A lot of times legal wasn't necessarily involved in the initial push. Jason's going to talk a little bit about where legal comes into the whole decision-making process, but what we find is that once they get in, then a lot of times they don't even realize work tools are available to them, specifically around compliance.
[12:19] What we wanted to do today was do a quick little overview of what are some of the compliance solutions within Office 365. It's important to note we're going to go through these pretty quickly. There's a lot there, and it's ever-growing.
[12:37] That's part of the promise and part of what you get when you move to the cloud. It can be a challenge as well, but one of the major advantages is you're always up-to-date and you're always getting the newest features that are coming out.
[12:59] I'm going to address a couple of things that are either there right now or in the middle of being released, but if we were to do the same webinar six months from now, we would have a whole new set of things that we could talk about that are already in the product and that people are already using.
[13:18] When we release these things, we find that people jump in and start using them as soon as they can if they know about them. Part of the challenge is knowing about them.
[13:30] Within Office 365, we look at compliance in general as described on the screen right now, where you have the overall need to keep data, you have the overall need to identify and find that data, and then you have the need to actually know what's going on with that data.
[13:55] All of these different things come under what we call the Security & Compliance Center, which is a one-stop shop within Office 365 that allows you to have access based on your role and your permissions to the various different tools that will allow you to access and accomplish these different tasks.
[14:19] Now in some organizations, you might have one person or two people who are responsible for all of these things, and in larger organizations you'll have people who need to -- are much more granular and siloed -- and they might only be responsible for one piece of eDiscovery or one piece of data governance.
[14:39] The security and compliance center allows them to do that. It allows them to go ahead and get granular or have access to everything in one location. Overall, the way that we look at compliance is that Office 365 is not being bought as an eDiscovery solution. It's not being bought as a compliance solution. It's not being bought as a security solution.
[15:10] Office 365 is a productivity solution. Everything that we do in regards to security, compliance, data governance always is done with the idea of productivity first. Don't get in the way of the information worker. Don't get in the way of the people who are trying to get the work done and actually just want to do their job and make money for the company.
[15:39] We need to provide these tools that allow them to continue to work while remaining compliant. There's always a balance that has to be made between compliance and productivity. Productivity is the goal here, but with that said, we still need to make sure that they are being safe and that they are secure and that you, the legal teams, know that you are able to enable them to be safe and secure.
[16:09] The second thing, in terms of how we look at Office 365 and compliance, is that everything that can be done in place should be done in place, meaning we don't want to have to make the users or the administrators move data around.
[16:26] Any tools that we can enable that allow them to go ahead and put the -- let's say something like retention tags. Don't go ahead and move that data into an archive. Do that in place as much as possible.
[16:44] Lastly is do everything suite-wide, meaning wherever we can, let's enable these tools to be able to be run once and to be able to allow them to be used in the same exact way whether it's against Exchange, One Drive, Skype, Yammer, SharePoint, Sway, Planner, any of these various different Office 365 tools, where we can enable them -- a single tool to be run once.
[17:13] Now that's not always possible, and some of them, it's the matter of time until they get to the point where we are able to do that suite-wide, but overall, that is the approach that we take when we're designing these tools.
[17:28] The Security & Compliance Center, it allows you single-person access or multiple people access to be able to get in and do what you need to do, but it's not just a dashboard that is the place to go that is the launching pad for going in and actually accessing these various different compliance tools.
[17:48] It's actually smarter than that. It has machine running behind it and it gathers insights into what you're doing and what others are doing in order to surf these suggestions and ideas that will help your company be more secure and also to enable greater compliance.
[18:11] For example, it may suggest that it sees that a manufacturing company that has between 10 and 20,000 people that on average those types of companies will put in the following types of DLP or data loss prevention policies to impact their sales force.
[18:34] It might see that a pharmaceutical company, with over 50,000 users, they will typically turn on the archives with the retention policy that says keep data for three years. As it's going ahead and it's identifying these things, it will actually service them, obviously, with privacy and actual individuals' information safeguarded.
[19:00] It'll service things that it can in order to be able to allow you to gain more insight and help you along in what you're trying to do. Let's go ahead and take a look at how we do some of these things. The first thing is that...I mentioned that in place strategy. One of the things that we do is when we enable retention or legal hold, everything is done in place.
[19:31] Traditionally, these tools or these things, compliance, holds and retention were done via outsourcing the actual data pointed out into various other tools. Archive tools that were designed in order to be massive storage locations for data to live. There were a number of issues that exist when you pulling that data out.
[20:00] First of all, you don't have the same fidelity of the data. The data isn't necessarily captured exactly how it lived within the system. It typically, most of these systems, only would address emails that were sent and received. It doesn't address things like drafts, or counter items necessarily, or tasks, or contacts.
[20:26] The ability to get more from your journaling is something that wasn't necessarily there. There was a time and a cost aspect to it as well. Through Office 365, we take the in-place approach to enable you to go ahead and keep that data where it lives, and not just for exchange, but to apply single policies that will address Share Point, One Drive, Skype, Exchange.
[21:01] We're growing those to touch other workloads like Yammer, and Swayy, and Planner. All of these different things are being built in that allow you to keep the data where it is, apply policies, whether that be based off of the location, based on keyword queries, based on metadata and to do retention in place.
[21:27] The bottom line is, again, per activity first, we don't want to impact the users. All of these things are being done with no impact to the user. The user can continue to work as they are used to working. They don't have to worry about, should I have tagged this specific document and put it on hold or put the retention flag on it?
[21:48] They don't have to worry about, what folder am I putting it into in order to make sure that it's kept. Am I allowed to empty my recycling bin? They can continue to work exactly how they want to work.
[21:59] On the back-end, we're going to make sure that all of that data is preserved and that we're going to help you, the compliance team, understand what is being preserved, what is potentially being deleted. A lot of times retention and compliance is not just about keeping the data. It's also about properly getting rid of the data at the right time.
[22:24] Applying these things in place is really, really important. It allows us to do things that weren't available before. Let's take a look at what the overall life cycle looks like for Office 365. You can see on the top left, our locations that you may have data today where you potentially want to migrate your exchange servers, or your file shares, or data that's on laptops.
[22:56] You want to bring that data into Office 365. You also may have other types of data, such as social network information, or sales force charter, or Bloomberg messaging. All of those different types of information that you very well may want to bring in to Office 365 in order to enable you to apply your compliance tools in one place.
[23:22] I don't want to have to go and apply the same query to four or five different locations if I can do it all at once. What we do is we allow you to bring that data into Office 365 into the archives or into the users mailboxes if it's data that the user may want to interact with, or into their SharePoint, or into their One Drives. Then within there, we enable the full compliance life cycle.
[23:51] We're able to preserve that data. We're able to then search that data. We're able to apply advanced analytics to that data. Then when it comes time to actually look at data, I can go ahead and place it into a review tool using one of our partners that allow you to review the data as quickly and as efficiently as possible.
[24:15] All of this is done with auditing throughout the entire process. All of the data is audited throughout, who touched it, when it was touched, when it was searched, when it was preserved, who may have run the analytics against it. All of those different pieces are part of the process and are fully defensible throughout the entire process.
[24:46] Because you know in its track exactly what happened throughout the entire data set. One thing that is not showing up on here, but was recently announced is that teams, which is the new workflow for teams working together combines chats, and file sharing, and all other types of applications that help a team to work in conjunction with one another, that data is all automatically within this compliance boundary.
[25:19] That is one thing that I had not updated the slides yet for. It was just recently announced publicly that it's being supported with the full GA release of [inaudible] . The overall Office 365 compliance data life cycle allows you to go everywhere from the creation of the data all the way through the analytics and review of that data to make sure that that data is always...
[25:48] We know what it is. We know what needs to happen to it and it's able to be dealt with in its appropriate way. Within the data governing side, we have the ability to bring the data in, to apply retention policies, whether that be to keep the data, whether that be to remove the data after certain amounts of times.
[26:09] We have various different weapons, management tools within the various different class forms themselves that allow you to go ahead and apply tags or to do it from the admin side and automatically apply tags to various different sets of data.
[26:26] All of this is done with compliance in mind from the regulatory side making sure that we're able to do things like maintain warm storage and make sure that the data is never going to be deleted. It's all done from a central dashboard that allows you to move through this data and make sure that you're able to understand it. That is the data governance today.
[26:59] What we've recently announced in the last two weeks is the advanced data governance, which is, in what we call, preview right now. It's going to go to initial availability worldwide at the end of its quarter. Those are things that include automatic classification of data, so having automatic analysis on data and data types to be able to apply retention tags to it.
[27:30] Intelligent policies and the ability to take action on those policies in order to make sure that that data is always protected. These are tools that we're just beginning to, as I said, to roll out. Where is the beginning of this? It's an ever-evolving system where you're just going to see more and more improvements throughout this entire process.
[27:54] On the eDiscovery side, we have the ability to go ahead and, as I said, preserve, searching and analyze through review the data whether it be for the litigation, internal investigations, regulatory requests or any other needs that you may have to get in and find and understand what the data is.
[28:21] We have the ability to do various different searches that cannot just find data, but can identify and help you to understand that data better, understand who has certain data, understand who touched certain data, who accessed data and enable you to really dig in while the data is still in place.
[28:46] That's the important piece here is that you now have the tools that let you go in and understand and identify this data much, much earlier than you ever had it. You don't have to wait for that data to come out and be indexed within another system. You're able to go in and dig deep into your data sets very, very quickly.
[29:11] Within here, when the data is in Office 365 in any of the different workloads, that data is always indexed. The index does not have to be built by an admin or a user. The data is automatically indexed. It's automatically searchable. You're able to go ahead and search and perform enterprise wide searches really, really fast.
[29:37] Just to give you an example, Microsoft is an enterprise. We use all of our own tools. We have about 400,000 mailboxes in our main Office 365 environment. We do searches against all 400,000 mailboxes every day. Those searches, we're able to do them whether they be complex bullion searches, searching with ands, ors, wild cards, building out complex two page long searches.
[30:13] Those searches are able to be done against 400,000 mailboxes and live mailboxes in about 10 minutes. That ability to get in and identify data no matter where it lives is really, really important and is really, really powerful.
[30:32] The ability to understand the statistics and understand, not just who had the data, but even when I'm running keywords being able to get granular and understand which keywords are hitting on which data and do I need to revise those keywords?
[30:48] I need to maybe understand why no one was referring to a specific product in the way that I think that product was referred to. Understanding more about the data earlier in the process is all part of the Office 365 eDiscovery searching technology. Some of you may know that in the beginning of 2015, Microsoft acquired a company called Equivio.
[31:19] Equivio is the source of the advanced eDiscovery analytics, which is an add-on to the Office 365 standard eDiscovery tools that allow me to go ahead and run advanced analytics within the system itself. I'm able to do things like [inaudible] an email threading to help me to identify similar data or to reduce the volume of data that has to be reviewed even before I ever do an export.
[31:54] Before I'm taking the data out of the system, I'm able to unpredicted coding within the system. The ability to use advanced machine learnings to help me to understand what is relevant and what is not within any specific data set. Then only export out the set of data that really, really needs to be reviewed. All of the data is always going to be available. It's always there.
[32:21] If I need to go back, I can always go back. The key thing here is just keep the data in place. Don't take the data out until I absolutely have to. Make sure that whatever data I am taking out is only the data that actually needs to be reviewed. Typically, data that's hitting on searches for litigation regulatory matters, most of the times it's the most sensitive data that a company has.
[32:47] If I'm able to reduce the volume that has to come out of the system, your IT team has made a decision that Office 365 is a secure product that is a place where you're comfortable of keeping the data. Well, if you are comfortable with keeping the data there, why then pull it out in order to review it if you don't actually have to review it.
[33:13] If you're just going to apply search terms later on, apply them earlier make sure that only what has to come out is actually coming out. When the data does came out, I'm able to get that data out in a number of different ways. Whether it be for large scale review, whether it be for smaller analysis.
[33:37] I've got different options that help me to get the data out and to understand what the data is until we'll get the data, as well as, working with a number of different technology partners that help us to enable the seamless integration of their review tools with the data in Office 365, and allow you to use the tools that you are comfortable with to actually look at the data and make sure that that data gets reviewed as efficiently as possible.
[34:09] We've got various different export options that help me to...Once I actually pick the data that has to come out of the system. When it comes to the audit side of things, so we talked a little bit about keeping the data, preserving the data, finding the data, getting the data into the review side, but all of this cannot be done unless you have a solid audit trail behind it.
[34:35] Office 365 auditing allows you to audit every single action that's taking place and search against that data within the Office 365 itself. I'm able to see who accessed the CEO's mailbox. I'm able to see, did someone actually send out 10,000 emails in a single day for some reason?
[35:08] Am I able to see who went and shared the Excel spreadsheet via their One Drive and gave outside access to that when they shouldn't have. All of this is able to be done against all of the different workloads again.
[35:20] We've got set events, set tasks that you're able to setup queries to say, "OK, if something matches the phone query, it's got the word 'Highly Confidential' in it and the words 'Financial Budget' and it's shared externally, I want to be alerted about that right away." We've got the ability to set up a box that'll help you to monitor and keep that data secure.
[35:49] As I mentioned, it goes across the various different Office 365 workloads. It allows you to fill out those alerts through a simple interface that allows me to search and identify that data. The last thing that I wanted to talk about...Again, there's about 150 different features that we could have addressed here.
[36:15] We just wanted to give everyone on the webinar a quick overview of some of the top compliance features that exist within Office 365. The last one that I want to talk about is one that addresses the question that we hear pretty often, which is, "OK, the data is in the cloud, but who and when do people have access to the data?"
[36:44] We provide various different transparency tools to help you to understand exactly where the data is located? Who has accessed to it at any time? When is it being accessed? One of those tools that we have here is what is called customer knock box. Customer knock box actually puts you, whether that be the IT admin.
[37:06] We see a lot of times lots of compliance admin who's doing this is in control of when even the Microsoft engineers have access to customer content. It allows you to be part of the process that when there is a support call, you can actually go ahead and you'll get a notification that says that a Microsoft engineer has requested access to a specific set of data for a specific set of time.
[37:41] Before that engineer can actually get into your data to be able to fix the problem, they have to get Microsoft manager approval that says, yes, you have a valid reason for needing to get into that data. Even after their manager has approved it, it then goes back to you, the customer, to say do you approve this access?
[38:05] Microsoft engineers can never get access to your data or your content without you being part of that process that makes sure that they have the proper authorization to actually get into that data. That's an important part of the transparency of the overall process. There is a lot of other things that we could address such as data locations.
[38:35] There's a lot of work being done on the GDPR requirements. There's a lot of work that's being done today in terms of being able to secure who can actually search what data. There's a lot of different things that we can deep dive in.
[38:51] Hopefully, this quick overview gives you a sense that Office 365, while it's designed for productivity first, compliance and security are a very quick second in there in terms of making sure that we enable you to have the capability to do what you need to do within the system.
Angela: [39:15] Thanks, Rachi. I think this is a good time to get a feel for how our audience is feeling about these features. Let's go ahead and do our next poll before we move on to talking about the road ahead, and the challenges, and benefits, and how you get to sit at the table and all that. This next poll that is in front of you now.
[39:36] The poll question is, upon seeing these features I am A, happily surprised. There's more here than I thought. B, disappointed. I wish there were more eDiscovery features. C, I'm familiar with all of the features shown.
[39:52] While we have our audience responding here, we're going to go ahead and show the results. I'd like to bring in Jake Frazier to the conversation to talk about the road ahead as we're thinking about these features and what the audience is feeling about them.
Jake: [40:10] Great. Thanks, Angela. It's interesting just to look at the results here. It looks like pretty strong, happily surprised. There's more here than I thought. It's not uncommon with legal and compliance and even IT folks.
[40:26] Privacy security, records managers, really anybody who has a seat at the table on the cross functional informational governance committee of an organization that they usually find there's something in here for me. This isn't just a move to the cloud or this could mean improvement of process. Angela, do we do to the next slide?
Angela: [40:53] Sure the, oh...go back. Here we go.
Jake: [40:58] Yeah, so essentially in everything Rachi talked about as a result from the poll, very exciting technology, a ton of technology that can be utilized for all sorts of different important information governance initiative to reduce cost and risk.
[41:16] Usually, when we see this kind of a jump in technology jump forward. Often times, there's concern that the technology jumps forward but you meet all three of people process and technology to get the business outcomes you're looking for. Let's say that's data leakage prevention, more efficient eDiscovery, applying document retention policy for defensible disposal, and so forth.
[41:44] As we saw the technology exists certainly to accomplish those things. I'd say where the anxiety comes in, [inaudible] Gardener quote here that talks a little bit about it, is really just how do we get the people in the process up to speed to make sure that it can match this velocity of the technology?
[42:01] Certainly, offered in the cloud that makes life a lot easier. There's certainly a lot of steps that might go away in the people and process as far as requisitioning servers. Often, we find that legal and compliance departments privacy security usually are not ready to take on these functions.
[42:28] In the Gardener quote, here he really talks about service provider partners that can help both determine which modules are right for a given organization, how to do the migration, plan out that migration.
[42:43] Are we migrating everything or should we do an intelligent migration? Maybe apply defensible disposal along the way. We're not just moving data [inaudible] has no value to us to the cloud. Then also performing the migration...Yeah, go ahead.
Rachi: [43:00] Yeah, I was just going to add. It's interesting because this is actually Microsoft's vision is that the service providers play a major role within the process. Because there's so much there, we cannot support and do it all on our own. Our clients can't even keep up and do it all on their own in many cases.
[43:24] Absolutely having the service providers playing a part, a major part within the process, it is absolutely part of the approach that Microsoft has taken in supplying these areas with different tools.
Jake: [43:42] That's what I think, Rachi. Much appreciate it, I think. From a technology company's standpoint as you and I have discussed before, the goal is really get everyone using this powerful functionality. Those people and process steps are really important to add in there. We've seen a few different models.
[44:00] We've seen clients come to us and say, "Hey, can you run this for us for a couple of months as a maintenance service? Then we'll look over your shoulder and be documenting our run books and play books and determining roles and responsibilities so that we can then take the baton from you." That's exciting to see that kind of a transition.
[44:19] Just wanted to make sure that we've got across the point that the people and process need to be beefed up a little bit just to match the technology. In the long run, we see even people on process being much more efficient with Office 365 in the cloud. There's a little bit of a transition there that probably shouldn't be ignored. Angela?
Angela: [44:47] In light of those challenges, I think it's time for our next poll. Then we'll bring Sean in to comment on a little bit about this in terms of his experience. For the audience, thinking about these challenges and building your team at the table, let's go ahead and look at the next poll. We invite you to answer.
[45:05] The question is, who is the executive sponsor driving your company's Office 365 adoption? The selections include A, IT. B, legal. C, compliance. D, line of business leadership. E, information security. F, record management.
[45:24] While we're waiting for those results, Sean let's bring you in here to talk a little bit about your experience in terms of building out that table and getting a seat at the table.
Sean: [45:32] Thanks, Angela. These results that we're seeing come in are all over the place a little bit. That's not surprising because there's different influence. There's that have different reasons for driving change or implementing change.
[45:52] The legal department might have, on their mind, defensibility and eDiscovery, whereas the IT team will be more concerned with reducing the amount of data that they're storing on servers. That being said, it's important that the eDiscovery group and the law department more broadly is involved regardless of who the executive sponsor is or who's owning the switch.
[46:24] Without that, it can really create some issues downstream. We've seen with some clients that legal doesn't get involve until the train's already left the station. At that point, they have to do a timeout and regroup so that they can ensure that they have that seat at the table to make sure that their concerns and expectations are being met as it relates to legal and regulatory requirements.
[46:56] How do you get there and what are the benefits? It's pretty clear from what Rachi has shown us that the benefits are enumerable with respect to data management. One thing that is important to point out is that there's also an opportunity for your organizations to update and keep your policies ever green during this process.
[47:29] You want to make sure that you have a well-defined DYOD policy if you're allowing users to bring their own device. You want to make sure that you have your legal hold policies updated and in place. Then you also want to address data remediation. This could be a really good time to clear out what you don't need and what's not on hold, and reduce the data.
[47:52] Do you want to go to the next slide, Angela? These slides, we could go on and on on this. How do you get there? Rachi was talking about having your seat at the table is important. Prior to that is having a executive sponsor, someone who is preferably at the C-suite level who is going to really embrace the project and help you get it there.
[48:26] Once you have that, then you can define the other stakeholders, who that team at your table is going to be and knowing who the executive sponsors is. For example, chief of litigation or chief information and security officer, that will help you understand what is going to be the drivers for your implementation.
[48:49] After that you want to build a migration that includes your eDiscovery and retention requirements. Make sure that nothing is being left out that your current work flow has or you may use it as an opportunity to enhance your work flow. You also want to, maybe, loop in outside counsel for advice on international issues, cross-border data.
[49:17] That's something you definitely do not want to leave out. GDPR is fast approaching. We all want to make sure we're being cognizant of that. Then making sure that you have a very good change management and training program in place is really, really critical. I think having a computer-based training module for all users is probably a good idea.
[49:46] This is another opportunity where the executive sponsor can be pretty helpful in ensuring that the training is mandatory and that everyone in the organization is participating and complying there. We're going to go back to Jake. He wants to talk to us a little bit about preservation and legal holds and what we're seeing.
Jake: [50:06] Sure. Thanks, Sean. I think that it's often where we get caught up with, what data needs to be classified, how do we need to treat it, where does it need to go, how do we protect it, how do we discover and produce it, how do we review it, and so forth.
[50:33] I think there's always a chance for us to take a step back and look at the fundamental driver of all of those constant risks that we talked about. There's a real role here, I think, [inaudible] Office 365 where we can take a fresh look at this.
[50:51] If you look at some of the stats here that are on the slide, there's a fundamental truth here that all of these constant risks will go down associate with data if we apply defensible disposal and get rid of what we are able to get rid of.
[51:12] Essentially, what is not on legal hold [inaudible] regulatory retention requirement, or doesn't have business value to someone who's doing their job and needs it for productivity.
[51:22] If you look at some of the survey evidence here, it's pretty shocking. The problem is all the data's sort of co-mingled. When we have co-mingle data, just a big ocean, we can't really separate out, "OK, let's get rid of this. Let's get rid of this and we're going to be safe."
[51:39] Often times, when you talk to associate general counsel ahead of litigation, they say, "Look, I'd love to engage in defensible disposal, but I can't be sure that what's on legal hold isn't going to be destroyed. That's where you get a lot of this over-preservation statistics that you see here.
[51:59] With the move to Office 365, there's a forcing function. If your organization is going through this or has recently gone through it, where you'll have the ability to have visibility into data that you really couldn't before.
[52:12] Let's just take file shares as an example. File shares is notoriously difficult to deal with from a risk standpoint, privacy, security, establishing roles and the right security, who can see what, eDiscovery. Often the custodian [inaudible] breaks down. It's hard to preserve. With some of the new machine learning tools, and search capabilities and hold in place, and things like that.
[52:42] It's worth taking a fresh look and saying, "Look, we threw our hands up in the air and gave up on this stuff a long time ago." Just said, "All right, let's just hold everything forever." A lot of companies find themselves in that position. Really time to take a fresh look. With the right tools, we can separate out these co-mingle data sets that you're looking at here on the slide. [inaudible] ?
Angela: [53:05] Thanks.
Jake: [53:05] Go ahead, Angela.
Angela: [53:07] We have, on this slide, another poling question. I'm happy to launch that right now. Since we're running a little on timing, just summarize and comment on the results as well. This poling question reads, please select all that apply in terms of data migration we're moving on to right now. We want to get the sentiment of our audience.
[53:36] A, I wish that my team was more involved in the migration. B, we are using an outside third party to manage technical migration. C, we are using an outside third party to help advise on the legal and regulatory implications of the migration. D, the entire process is being managed in-house. E, we have not yet decided how to manage the migration.
[53:57] Jake, as those results are coming in, I'd like to bring you back in to talk about your thoughts on these issues with data remediation.
Jake: [54:08] This really is it, as we pull back and look at all of our information in our organization from a 50,000-foot view. On the left is where we have this co-mingled, and we have no choice but to keep everything because we can't separate wheat from chaff.
[54:24] With the tools we've talked about, and with the right policies and processes and people to support it, we really can draw bright line circles around what's subject to legal hold, what has business utilities still, and isn't stale and out of date, and what is subject to regulatory record keeping requirements.
[54:43] If something is not in one of those circles, there's no reason to keep it. That's really the larger opportunity with Office 365 as a forcing function. If you're going to move all this data anyway, then we can apply these scalpel operations to it as it's moving.
Angela: [55:07] Thanks, Jake. I'd like to remind our audience, we do welcome your questions through this Q&A section. We're running a little bit low on time, but we would definitely like to answer your questions. If we are not able to get to your question with the time allotted here, you may receive an email response.
[55:25] Once again, thank you to Rachi Messing from Microsoft, Sean Kelly and Jake Frazier from FTI. We're going to go ahead and start with our first question. Rachi, this question is for you. The question reads, "Is basic and advanced data governance covered by or included in E3, or are these different SKUs?"
Rachi: [55:47] That's a great question. The Advanced eDiscovery and the Advanced Data Governance are not included in E3.
[55:56] They are either included in E5, which has a lot more there, not just the rent around it, or we actually have a separate advanced compliance SKU that's an add-on to E3 or E1 that you can use to add on these capabilities without having to go all the way to E5.
Angela: [56:20] Thanks, Rachi. This next question is for Jake Frazier. Jake, this is one about privacy shields. The question reads, "How about compliance with the US data privacy shields for data to the EU?"
Jake: [56:38] Great question and sort of a difficult one to answer quickly, [laughs] but I'll try. Really when we're looking at the Privacy Shield now as a sort of a replacement for the FTC Safe Harbor we probably need to look a little bit larger at the upcoming general data protection regulation that goes into effect in May of next year that the EU passed.
[57:00] Essentially if we kind of net out the problem, the problem is EU citizen's private data, and really potentially anybody's private data, can't be viewed or shipped over to the United States from Europe...lots of court cases on this, lots of balls in the air right now, lots of regulations on litigations being bandied about.
[57:25] The GDPR does have a clause in it that says, really, for global multinational organizations you're putting up to four percent of your global revenue on the table from a fine standpoint. Not sure that that's actually going to happen but at least that's the teeth that's associated with the GDPR regulation.
[57:44] The short answer is, basically, if you can classify your data and ensure that you are able to find private information from EU citizens, really from anybody -- we have a lot of privacy laws in the US, as well, as people tend to forget -- and segregate that and make sure that only the right people have access to see it then you're going to be in good shape.
[58:06] That's really the thrust, and I'm not giving legal advice even though I'm an attorney. Forgot my little disclaimer, but it's really the thrust of what the spirit of the law is after, myriad ways to set that up, lots of tools in Office 365, as we talked about.
[58:22] Complete C change versus the tools we had for things like file sharers where file sharers tend to be the largest offender of commingled private data that's accessible by all kinds of people all over the world for a lot of organizations, especially the older stuff.
[58:37] That's kind of my best sort of short answer, but happy to maybe talk offline with the questioner a little bit more at another time.
Angela: [58:47] Thank you, Jake, that was a big one. We have time for one more question, and again, if we were not able to get to your question during this time you may receive an email response. Rachi, this question is for you. It's pretty specific. It reads, if a user deletes email and empties trash, where is the item saved if it's under a legal hold?
Rachi: [59:09] It's a great question. It's a technical one. The bottom line is that it's stored within the mailbox itself. All, whether it be retention or hold, the way that we do it is that you have the part of the mailbox that's visible to the end user and then you have a separate part of the mailbox. It's called the recoverable items area which is sometimes a lot of technical folks refer to it as the dumpster.
[59:42] Basically, it's a hidden area where data that has been deleted will live, even if they're not on hold data will live there for a certain period of time until there's an agent that goes and cleans up data that's expired, but it all will live within the mailbox.
[60:00] What that allows us to do is that when you say, for example, if I want to search Jake then all I have to do is search his mailbox.
[60:09] I will get any data that is current for him, meaning it's live, it's sitting in the folders that he sees, as well as automatically be able to search any of that data that's been deleted that's still existing because it's on hold or retention, or there's also areas within there that are archives that we can actually push data to keep it there for Jake himself, even if Jake doesn't know about that data.
[60:34] It gives us one place to be able to search and be able to find all of that data even if it's been deleted.
Angela: [60:42] Thank you, Rachi. We're now at the top of the hour so we'd like to thank our audience for joining us, and once again our speakers, Rachi Messing from Microsoft, Sean Kelly, and Jake Frazier from FTI Technology. This now concludes today's call. I'd like to turn it back over to Simone from Bloomberg.
Host: [61:03] Thank you so much, Angela. I would like to thank you all for your presentation. I do hope that everyone found today's discussion to be helpful and insightful. You can register for future Bloomberg BNA webinar by accessing our store at www.BNA.com/learning.
[61:15] You will currently see instructions on how to earn credit for attending today's webinar. Please go to learning.BNA.com to retrieve your certificate. Sealed certificates may take four to six weeks to appear depending on the jurisdiction requested.
[61:27] If you have any questions about continuing education credits, please email us at credits@bna.com. Finally, I once again thank our speakers for excellent presentations, FTI Consulting for sponsoring today's program, and all of you for your participation in today's webinar.
[61:41] Thanks to everyone, and enjoy the rest of your day.