Email Retention Best Practices

What do you do with email mailboxes associated with prior or terminated employees? There’s often critical data in them, and depending on your industry, you may be required by law to retain the data for some period of time. Some regulations that may apply include:

• Internal Revenue Service (US IRS): seven (7) years
• Payment Card (PCI DSS): one (1) year
• California Franchise Tax Board (CA FTB): four (4) years
• DISA Security Technical Implementation Guides (STIG): one (1) year
• Many State Revenue Departments: three (3) years
• HIPAA Section 164: six (6) years

Even if not required by law, it’s important to retain communications that may be subject to eDiscovery in the event of a legal case, because if the required data has been deleted, your organization may be subject to fines or other penalties.

We recommend all clients have an email retention policy on file, and coordinate with GreenLoop to make sure your termination procedures are aligned with your document retention, immutability, and chain of custody requirements.

There are many different ways to meet most retention requirements, and while not a one-size-fits-all solution, this article provides an overview of GreenLoop’s best-practice recommendations for Office 365 email retention that are a good fit for many clients.

Recommended email retention termination process:

• We ask that notification be submitted 48 hours in advance (if possible)
• Please use the online form found in the GreenLoop Client Portal

1. Restrict access to their mailbox
   1. Once the employee leaves, it’s essential to block sign-in and force a sign-out of any devices that they may be logged into.
   2. See here for instructions of how to accomplish this with Microsoft 365 if you have access to do this yourself; otherwise GreenLoop will handle this for you.
2. Set an out-of office reply
   1. We recommend setting up an auto-responder message explaining that the employee is no longer with the company and who would be the best point of contact onwards. Just let us know what out-of-office message you would like.
3. Forward or provide access to their email for an appropriate employee / manager
   1. Let us know whether you would like the mailbox forwarded to another user, OR access granted to other user(s).
4. Hold period (recommend 30 days for most users)
   1. Leave the account active and licensed while an appropriate employee or manager reviews the content of the account and intercepts any critical communication received in the meantime.
   2. While keeping the mailbox licensed during this hold period continues to incur the monthly licensing cost, it ensures that we can retain any contents in the interim and after it’s deleted (see below). Be aware that you will be billed accordingly for usage during this hold period. Note: we will remove any licenses that are unnecessary for retention to minimize ongoing costs.
   3. After 30 days, GreenLoop will reach out to you to to ask whether a mailbox may be removed or converted to Inactive (see below).
   4. If you’d like the hold period to be something other than 30 days, no problem; just let us know.
5. Configure retention and convert the mailbox to an Inactive Mailbox.
   1. A Retention Policy ensures we can retain the contents of designated users’ mailboxes and OneDrive accounts indefinitely, including deleted items. We recommend that a retention policy be in place organization-wide meeting your organizational requirements as outlined above. .
   2. In order for retention to be applied:
      • The user account being deleted must still have an appropriate 365 license. 365 Business Premium, 365 E3 and higher and Exchange Online Plan 2 all support Retention Policies.
      • A Retention Policy must be applied. For many clients this may already be in place; if you’re not sure whether your organization has or needs a Retention Policy, GreenLoop is happy to help determine your needs and configure a Policy accordingly.
   3. Once those pre-requisites are in place, the mailbox may be safely deleted. This converts it to an Inactive Mailbox, and retains it as long as the retention policy stays in effect. The Office 365 license will be freed up after the mailbox is deleted.
   4. Retained E-mail/OneDrive/SharePoint content will remain searchable and exportable via the Microsoft 365 portal as long as the retention policy remains in place.

High-level Recommendation: Use a third-party email backup solution

1. GreenLoop recommends setting up a 365 backup solution that will simplify the recovery process, and may be required depending on your industry requirements.
2. The recommended backup solution will replicate all data found within 365, including SharePoint and personal OneDrive content.
3. An email backup solution will allow us to retrieve deleted emails from staff mailboxes either 1 year or unlimited days from the day the service is turned on.
4. Other advantages:
   • This does not require specific Microsoft 365 licensing
   • Does not require steps to be performed in a specific order for contents to be retained
   • Desired contents can be restored back to a specific point in time
   • Shared mailboxes can be backed up

Common scenarios to avoid:

1. Shared Mailboxes. It is common to convert terminated employees’ accounts to Shared Mailboxes in order to avoid billing for a license. However GreenLoop recommends against this course of action. There are a number of significant pitfalls to be aware of:
   1. 365 email retention policies no longer apply if no license is applied. This risks irretrievable data loss, since anyone with access to the mailbox will be able to permanently modify or delete contents. Deleted items will be permanently removed after the retention period (typically 30 days) expires.
   2. Shared Mailboxes are limited to 50 GB, if a user’s Exchange Online mailbox is over 50 GB, converting it to Shared will result in it immediately being over quota and unable to send/receive email.
   3. If the user has an associated Exchange Online Archive, the contents will be lost when their mailbox is converted to Shared.
   4. OneDrive data will be deleted (after a grace period) once the license is removed.
   5. Email will continue to be delivered to shared mailboxes for as long as the shared mailbox stays active. While this can be desirable temporarily, it is rarely desirable long-term.
   6. Using Shared mailboxes for retention of old accounts complicates management and can be difficult to audit, monitor, and remove.

2. Create local PST archives: A PST archive is a database file that contains the email, calendar and contacts of a user’s mailbox. GreenLoop recommends against exporting users’ email to a PST archive for retention:
   1. PST archives are subject to potential corruption and data loss; it’s very common for PST archives to become corrupt over time or to get lost during staff transitions.
   2. PST archives contain sensitive information and correspondence and are inherently insecure. Anyone with access to the location they are stored in will, by default, have access to the entire contents of the archive.
   3. Discovery and analysis of PST archives can add significant cost and complication to discovery efforts in the case of eDiscovery litigation.