More than 4.1 billion meeting minutes were logged in a single day in April on Microsoft Teams, across roughly 200 million active users, according to Microsoft. One of the fastest growing workstream platforms available today, Teams has become a key source of enterprise productivity.
In the context of corporate governance, risk, and compliance, this means an explosion of new data—much of which may fall under or impact legal, regulatory, and privacy obligations.
Many organizations currently using Teams have had the platform with their Microsoft 365 subscription for some time, but more recently scaled it up to meet the needs of remote workers. This rapid response left little room for legal and compliance considerations or the development of governance controls over Teams. But now, the notion that Teams usage is creating a new, massive stream of data that needs its own unique governance and retention policies is beginning to set in.
Like any “team” effort, a strong defense (layering legal, privacy, and regulatory rules over Teams and other new tools) requires a good offense. Counsel need to be proactive, and establish foundational knowledge about the unique infrastructure of Teams and its built-in governance and compliance functionality.
Key Questions to Prevent Future Headaches
Are You Preparing to Roll Out Teams, or Has It Been Rolled Out Already?
Whether or not employees are already using Teams will have a strong bearing on how governance is established.
If Teams has already been deployed, the focus will be on retroactively reining in and remediating data that has already been generated, and applying new controls going forward. If governance is being implemented alongside the roll-out, establishing rules and best practices will be more straightforward.
What Workloads and Capabilities Are Enabled; Where Is Data Stored?
Understanding the scope of usage, across email, chat, video meetings, etc., is critical to informing governance. Essentially, Teams should be viewed as any other application or “container” of information within the organization. If a retention schedule is already in place, it needs to be turned on within Teams, which can often be done with the platform’s native tools.
However, things may become more complicated when adjacent workflows such as OneNote and OneDrive are in use, and additional retention procedures may need to be applied.
Has a Records Repository Been Established?
Teams should be used as a collaborative environment—where work gets done in a finite amount of time—rather than as a long-term retention platform.
In addition to setting policies and ensuring they are turned on within the right workflows, legal will need to identify the ways in which employees can move data from Teams to a permanent repository where important files are stored beyond the standard retention periods set for Teams data.
Have Employees Been Trained?
Everyone using Teams should have awareness of its retention and deletion policies, and any other governance rules that define appropriate and inappropriate use.
What Microsoft 365 Licensing Tier Does the Company Subscribe to?
The implications of what’s available will differ between the various options, and impact the governance controls that can be put in place (or how they are put in place). As an example, Microsoft’s E3 license is required for e-discovery capabilities.
Have Potential e-Discovery Gotchas Been Considered?
When an investigation or litigation arises and brings Teams data into scope for e-discovery, a new challenge begins. Counsel will be faced with identifying and collecting specific data across Teams chat, SharePoint and other functions. If governance has not been addressed, the e-discovery burden for Teams will be highly complex and exponentially more expensive than it would be if a sound governance program were in place.
Information governance is all about proactively reducing risk and bringing data under control so that it doesn’t create future legal or regulatory problems. Teams came onto the playing field so fast that legal departments are just starting to understand the implications. And because the platform is so widely used for so many unique work functions, the level of data risk it presents is unprecedented.
Without a strong, proactive approach, these risks will continue to increase in severity and complexity, diluting the inherent value Teams was ultimately designed to provide.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Tim Anderson is a managing director in the FTI Technology segment based in San Francisco. He has over 20 years’ experience in legal technology and specializes in developing strategies for the preservation, collection, analysis, review, and production of electronically stored information in enterprise data sources ranging from traditional repositories such as email and document management systems, to cloud-based systems like Slack, Box, and Google Apps.
Chris Zohlen is a managing director with FTI Consulting. As a senior member of the company’s technology information governance, privacy and security services practice, he helps legal, records, privacy, IT and information security departments identify, develop, evaluate and implement in-house e-discovery, privacy, and data governance processes and programs.