If your firm needs to comply with regulatory standards for retaining your data, the Office 365 Security & Compliance Center provides features to manage the lifecycle of your data in Exchange Online. This includes the ability to retain, audit, search, and export your data. These capabilities are sufficient to meet the needs of most firms.
However, some firms in highly regulated industries are subject to more stringent regulatory requirements. For example, firms that deal with financial institutions such as banks or broker dealers may be subject to Rule 17a-4 issued by the Securities and Exchange Commission (SEC). Rule 17a-4 has specific requirements for electronic data storage, including many aspects of record management, such as the duration, format, quality, availability, and accountability of records retention.
To help these firms better understand how the Security & Compliance Center can be leveraged to meet their regulatory obligations for Exchange Online, specifically in relation to Rule 17a-4 requirements, Microsoft has released an assessment in partnership with Cohasset Associates.
Cohasset validated that when Exchange Online and the Security & Compliance Center are configured as recommended, they meet the relevant storage requirements of CFTC Rule 1.31(c)-(d), FINRA Rule 4511, and SEC Rule 17a-4.
Click below to download the report by Cohasset.
Office 365 Exchange Online Cohasset SEC 17a-4(f) Assessment
Using Preservation Lock is key to the recommended configuration
Highly regulated industries are often required to store electronic communications to meet the WORM (write once, read many) requirement. The WORM requirement dictates a storage solution in which a record must be:
- Retained for a required retention period that cannot be shortened, only increased.
- Immutable, meaning that the record cannot be overwritten, erased, or altered during the required retention period.
In Exchange Online, when a retention policy is applied to a user’s mailbox, all of the user’s content will be retained based on the criteria of the policy. In fact, if a user attempts to delete or modify an email, a copy of the email as it was before the change will be preserved in a secure, hidden location in the user’s mailbox. Retention policies can ensure that an organization retains electronic communications, but those policies can themselves be modified.
By placing a Preservation Lock on a retention policy, an organization ensures that the policy cannot be modified. In fact, after a Preservation Lock is applied to a retention policy, the following restrictions apply:
- The retention period of the policy can only be increased, not shortened.
- Users can be added to the policy, but no user can be removed.
- The retention policy cannot be deleted by an administrator.
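To show how the lock described above is applied in practice, here is an added example (not from the article, Microsoft, or Cohasset) using the Security & Compliance PowerShell cmdlets; the account, policy name, rule name, and 7-year duration are assumptions to adapt to your own retention schedule.

```powershell
# Added example, not part of the original article: create an Exchange Online
# retention policy, review it, and then apply a Preservation Lock.
# Requires the ExchangeOnlineManagement module. Account, names and the
# 7-year duration below are placeholders/assumptions.

Connect-IPPSSession -UserPrincipalName "admin@contoso.example"   # placeholder account

$PolicyName = "SEC 17a-4 Mailbox Retention"   # assumed policy name

# 1. Create a retention policy that covers all Exchange Online mailboxes.
New-RetentionCompliancePolicy -Name $PolicyName -ExchangeLocation All

# 2. Attach a rule that keeps content for 7 years (2555 days) and never
#    deletes it; change the duration to match your regulatory obligation.
New-RetentionComplianceRule -Name "$PolicyName - keep 7 years" `
    -Policy $PolicyName `
    -RetentionDuration 2555 `
    -RetentionComplianceAction Keep

# 3. Review the policy and rule BEFORE locking. Once locked, the period can
#    only be increased, users can only be added, and no administrator can
#    delete the policy or remove the lock.
Get-RetentionCompliancePolicy -Identity $PolicyName |
    Format-List Name, ExchangeLocation, Enabled, RestrictiveRetention
Get-RetentionComplianceRule -Policy $PolicyName |
    Format-List Name, RetentionDuration, RetentionComplianceAction

# 4. Apply the Preservation Lock (irreversible; the cmdlet asks for confirmation).
Set-RetentionCompliancePolicy -Identity $PolicyName -RestrictiveRetention $true

# 5. Verify the lock: RestrictiveRetention must now read True.
(Get-RetentionCompliancePolicy -Identity $PolicyName).RestrictiveRetention
```

Step 5 is the evidence an auditor will ask for: a policy with RestrictiveRetention set to True is the locked, WORM-style configuration the assessment refers to.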
For more information on how the Security & Compliance Center can be leveraged to meet your regulatory obligations for email with Office 365 Exchange Online, contact Legal Computer Consultants at (800) 646-9199.