Orchestrating Data Holdings

Microsoft 365 | Through the Lens of Legal Disputes

Anyone can bang a key on a piano or blow into a saxophone, but it takes training, practice, and expertise to make beautiful music. The same goes for technology: anyone can use it, however, to truly orchestrate its features effectively, you need the right training and expertise. But striking the wrong notes, whether inadvertently or deliberately, can create a rather unpleasant cacophony for an organisation.

Technology inherently carries the potential for both positive and negative uses. For example, the proliferation of personal mobile devices used in the workplace and widespread adoption of cloud and collaboration platforms, such as Microsoft 365, Slack and Google Workspace have simultaneously improved productivity and efficiency, while exacerbating data-related challenges.

At the same time, corporations are operating in an environment of rapid technological and legislative change. Leaders and operational teams are expected to quickly assess and adopt emerging and evolving technologies, including collaboration tools and generative artificial intelligence solutions.

This guide explores how corporations can reduce the risks of technology misuse, identify and remediate non-conformities that could lead to an adverse event, investigation, or dispute, and effectively respond to data incidents within Microsoft 365.

It includes tips from experts across FTI Consulting’s Digital Insights and Risk Management teams. These advisors work closely with clients to appropriately balance the high-pitch urgent crisis requirement, with the low-bass rumblings of non-compliance.

Proactive Advice and Considerations To Safeguard Against Microsoft 365 Misuse

Audit Logs
Detailed audit logs track user activities, including logins, file accesses, and download events. They can be invaluable during investigations to understand who did what and when. Audit logs should be enabled and retained for a suitable period.

Expert Tip: “An investigation can arise many months after the relevant activity occurred. Consider if the Microsoft 180-day default is sufficient for your business.”

Access Control
Access control can be strategically employed to ensure a "need-to-know" access paradigm. This involves implementing permissions and restrictions to limit users' access to only the information and resources necessary for their roles or tasks, and restricting users from allowing third-party access to SharePoint data.

Expert Tip: “During IP theft investigations, we often see rogue employees downloading large volumes of data they should never have had access to. Lock that down!”

Expert Tip: “Corporations often allow the sharing of SharePoint data to external users, which can cause significant compliance violations. It is essential to regularly audit internal and external sharing.”

Data Retention
Retention policies and labels can be configured to retain and dispose of corporate data aligned with a legally-approved retention schedule. Policies can apply a retention baseline to various types of content, such as emails, documents, and chats, ensuring consistent data management across the organisation. Retention labels allow administrators to specify how long certain types of data should be retained and the necessary action when the retention period expires.

Expert Tip: “Carefully consider retention on data such as Teams chat. This data can be equally helpful and harmful during a dispute.”

Expert Tip: “The data retention rules assigned to emails can be applied to both live and deleted emails. Deleted emails that have been retained by Microsoft 365 are accessible to investigators. The IT team may refer to this as the ‘dumpster’.”

Data Loss Prevention (‘DLP’)
DLP policies help prevent sensitive information from being shared or leaked, either inadvertently or with intent, with unauthorised people. These policies can be configured to enforce compliance regulations and protect sensitive corporate data.

Expert Tip: “There should be very few reasons to duplicate or extract highly confidential data from your network. Setting DLP restrictions and alerts can help to prevent harmful events.”

Insider Risk Management (‘IRM’)
The IRM functionality enables the detection, investigation and resolution of adverse events. This can include using machine learning analytics across audit logs to identify troubling patterns for high-risk individuals such as leavers.

Expert Tip: “While default Microsoft 365 IRM policies are useful, to really maximise value from this feature, custom policies should be created with intention and tailored to the business.”

Data Classification
An entity that hosts commercially-sensitive or personal information should uplift and continually assess its information governance and compliance maturity. In Microsoft 365, data classification is known as ‘Sensitivity Labels’. Not only do these labels enable compliance, monitoring, and enforcement, they also equip legal teams with the evidence to demonstrate content was clearly labelled as commercially-sensitive prior to any issue.

Expert Tip: “Consider how an employee can adhere to the acceptable use of restricted business data when the data is not readily identifiable.”

Expert Tip: “Security matters. External threats can be the trigger for an investigation or dispute such as business email compromise. Protect against unauthorised access by enabling multi-factor authentication, using complex passwords, and generating alerts or restrictions on the creation of email rules.”

Post-Incident Activities That Corporations Should Follow To Preserve Case-Critical Data and Conduct Investigations or Discovery

Litigation Hold
Microsoft 365 allows organisations to place content (including email and SharePoint files) on litigation hold. This ensures the content cannot be modified or deleted, even by the user, until the hold is removed. This is essential for preserving data relevant to an investigation or dispute.

Expert Tip: “In the event of an investigation or dispute, act quickly to apply litigation hold to all potentially relevant data for the current investigative scope and to accommodate possible future scope change.”

E-Discovery
E-discovery capabilities in Microsoft 365 allow organisations to search for and preserve content across Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams. This is particularly important in legal or regulatory investigations where electronic records must be collected and analysed.

Expert Tip: “The intricacies of the e-discovery features can lead to inadequate outputs, such as unreadable encrypted email content, and attachments to group Teams conversations. Always seek expert advice to achieve completeness and maintain proportionality.”

Expert Tip: “Always consider the downstream use of extracted Microsoft 365 data, as the format and extraction options can hinder e-discovery.”

Custodian Assessment
There can be a blurring of data custodian lines in Microsoft 365 due to multiple document contributors, delegated access, folder shares, and ad-hoc collaboration sites.

Expert Tip: “Initially cast your net wide on custodian identification, and then narrow as additional information or intelligence becomes available.”

Conversation Breaks
The use of Microsoft Teams for instant messaging at work has seen water cooler conversations around corporate Australia become digital evidence. Consider when a conversation starts and ends for the purpose of legal review. Conversation length is important to reduce the exposure of irrelevant data, while ensuring the preservation of relevant content.

Expert Tip: “Bespoke data engineering solutions developed by FTI Consulting’s emerging data sources experts enable conversation parsing by content and context within messages rather than time periods. This helps reduce irrelevant noise within message threads and can help narrow the focus of conversation threads that span across multiple time zones.”

Expert Tip: “Apply caution when assessing activity logs, as entries can be easily misinterpreted. For example, log file entries that detail a possible data synchronisation to a local device may only be a reference to empty placeholders, not actual file content.”

Experts Tip: “When preserving and reviewing document content, consider the availability of document revisions, and which version is most applicable to the event in question.”

Expert Tip: “Privacy is a consideration too. When extracting dispute-related data within an international entity, carefully consider privacy legislation and any restrictions on the cross-border transfer of personal or sensitive information.”

Future-Proofing With the Support of AI

With the increasing interest in AI solutions, corporations are under pressure to quickly adapt and adopt. In the case of Microsoft 365, many organisations are considering the use of Copilot. It is essential to understand the generative AI features of Copilot will return data that is available to the model. If access controls are absent or lacking, highly confidential material may be returned to standard user accounts.

Expert Tip: “Pursue progress, but do not rush. The adoption of AI solutions must be appropriately risk assessed, a policy should be in place, and only clean trusted data sources should be made available to the model.”

In Summary, Microsoft 365 Offers Invaluable Features During Investigations and Disputes

By using features noted in this guide, corporations can more harmoniously and successfully manage and mitigate risks associated with ongoing custody of commercially sensitive and personal information and be better prepared during an investigation, dispute, or data breach incident.

Become the Maestros in Emerging and Evolving Data
Microsoft 365 is an example of an emerging and evolving data source that is prolific across corporate Australia. But it is simply one example. The proactive, responsive, and future-proofing considerations detailed in this guide should be applied to all technologies within a corporate environment.

Applying a methodical and risk-based approach when adopting, implementing, configuring, and using data systems with a sense of orchestration and precision, will dramatically enhance their value while minimising risks and impacts of adverse events.

Related Insights

Published

October 17, 2024

temp Key Contacts

Christopher Hatfield

Managing Director

Michael Khoury

Senior Managing Director, Head of Australia Technology

Tim de Sousa

Managing Director

Most Popular Insights

  1. What Directors Think Report
  2. Know Your Risk: Terrorist Designation of Cartels on Business Interests in Mexico
  3. Four Predictions for Private Equity in 2025
  4. Global CFO Survey 2025
  5. Current Power Trends and Implications for the Data Center Industry

Sign up to get access to FTI Consulting Insights

Subscribe