Mastering Microsoft Teams Archiving & Compliance
Microsoft Teams has become a staple for organizations everywhere, offering them a fast and convenient way to communicate, whether it’s over chat, phone call or video conferencing. According to Microsoft, Teams surpassed 280 million daily active users in Q2 2023 — a 3.7% increase from 2022 figures, and a nearly 50% increase from 2021.
But with popularity comes risk. Microsoft Teams houses untold quantities of sensitive data, much of which is subject to compliance requirements. This article is intended to help businesses secure their communications and ensure Microsoft Teams compliance with various regulations.
What Is Microsoft Teams?
Microsoft Teams is an enterprise communications and collaboration platform included in Microsoft 365. Teams offers a unified suite of tools designed to help remote employees stay connected and to promote productivity, including instant messaging, audio and video conferencing, calling, document sharing and more. Teams is highly integrated with other products in the Microsoft suite, including Word, PowerPoint and Excel, making it a truly collaborative platform.
Teams enables users to record audio calls, video calls and presentations, as well as store chat logs. All of this data is stored in either OneDrive or SharePoint, both of which are cloud-based storage solutions run by Microsoft. Microsoft Teams has a variety of built-in security capabilities to safeguard organizational data, including two-factor authentication, single sign-on through Active Directory and encryption both at rest and in transit.
From a compliance perspective, Microsoft Teams is Tier D-compliant, which means that it meets the requirements set forth by the following standards and regulations:
- Health Insurance Portability and Accountability Act (HIPAA)
- ISO 27001
- ISO 27018
- Statement on Standards for Attestation Engagements (SSAE) 16
- System and Organization Controls (SOC) 1
- SOC 2
- EU Model Clauses (EUMC)
While Microsoft Teams was designed with compliance in mind, it isn’t the most effective tool for eDiscovery, and the way it handles recordings for compliance purposes may not be secure enough for highly regulated industries.
The Need for Microsoft Teams Compliance
The popularity of Microsoft Teams really can’t be overstated. For many organizations, it’s become an essential collaboration tool in a work-from-anywhere world, enabling teams to connect, share ideas and make business-critical decisions, all in real time. From onboarding and training to corporate communications, Teams plays a vital role in business operations.
Any information an organization shares over Teams is considered business communications and, therefore, needs to be archived. This serves two purposes: one, it ensures that information is accessible at a later date, and two, it supports data security and regulatory compliance. The latter is especially important for organizations in the government sector or the healthcare or financial industries, all of which are heavily regulated.
Let’s take a closer look at Microsoft Teams security and compliance requirements.
Microsoft Teams and HIPAA Compliance
Although Microsoft states that Teams is Tier D-compliant and, therefore, meets HIPAA requirements, whether Teams is HIPAA-compliant actually depends on how an organization uses the platform.
Any message sent, call made or document shared through Teams that contains protected health information (PHI) is subject to HIPAA regulation. According to the HIPAA Security Rule, any covered entity — that is, any healthcare organization that transmits PHI — that fails to restrict access to or protect the integrity of the PHI contained in Microsoft Teams communications could be on the receiving end of a HIPAA violation. So, for example, if an employee were to share a Teams message containing a patient’s PHI with a family member or friend, their employer could be found to be non-compliant.
Microsoft Teams HIPAA compliance also depends on which version of the platform an organization uses.
HIPAA stipulates that covered entities must enter into a business associate agreement (BAA) with any business associate — that is, any third-party provider — they work with. A BAA essentially states that the business associate in question agrees to only use any provided PHI in a secure, established manner. Microsoft will only agree to enter into a BAA with a covered entity that has paid for the premium Microsoft 365 or Teams plans; as a result, the free version of Teams is, technically, not HIPAA-compliant.
In order to comply with both HIPAA’s Security Rule and its BAA requirement, a covered entity must implement safeguards on Teams data, regardless of whether that data is currently in use or has been archived. Although Microsoft Teams does have a default Data Loss Prevention (DLP) policy in place, covered entities will want to take additional measures to secure PHI and keep it out of the wrong hands.
Microsoft Teams and SEC Compliance
Founded in 1934, the Securities and Exchange Commission (SEC) enforces record-keeping rules on broker-dealers in the financial services industry, all in the interest of protecting investors from fraudulent or misleading claims. SEC Rule 17a-4, in particular, establishes standards for preserving transaction records and general business records — including those shared over Microsoft Teams.
Specifically, 17a-4 requires broker-dealers to store all transaction or general business records created or shared through Teams on non-rewritable, non-erasable media for a period of no less than six years. The best way to meet this requirement is to archive all Teams records and create a custom, six-year data retention policy.
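One way to put the six-year retention described above into practice on the Teams side, as an added example that is not from the article or from Intradyn’s product: a Teams-only retention policy in Microsoft Purview, created through Security & Compliance PowerShell and then locked so it cannot be shortened. It assumes the ExchangeOnlineManagement module and a Compliance Administrator account; the account name and policy names are placeholders.

```powershell
# Added example (not from the article or Intradyn): a Teams-only retention
# policy in Microsoft Purview that keeps chats and channel messages for six
# years (2190 days) and then locks the policy so it cannot be shortened.
# Assumes the ExchangeOnlineManagement module and a Compliance Administrator
# account; the account, policy and rule names below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance-admin@contoso.example"

$policyName     = "SEC17a-4-Teams-6yr"   # placeholder policy name
$sixYearsInDays = 6 * 365                # 2190 days, the 17a-4 minimum

# Teams locations must live in their own policy; they cannot be combined
# with Exchange or SharePoint locations in a single retention policy.
New-RetentionCompliancePolicy -Name $policyName `
    -TeamsChannelLocation All `
    -TeamsChatLocation All `
    -Enabled $true `
    -Comment "Retain Teams messages for six years (SEC Rule 17a-4)"

# Keep = retain for the duration and never delete through this rule, which
# matches a record-keeping requirement rather than a disposal schedule.
# Teams retention is measured from message creation.
New-RetentionComplianceRule -Name "$policyName-rule" `
    -Policy $policyName `
    -RetentionDuration $sixYearsInDays `
    -RetentionComplianceAction Keep

# Verify the policy and its distribution status before locking it.
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus,
                  TeamsChatLocation, TeamsChannelLocation

# Preservation Lock: after this, no administrator can disable the policy,
# remove locations, or shorten the retention period; it can only be extended
# or have locations added. It is irreversible, so it runs last. Whether this
# immutability satisfies 17a-4's "non-rewritable, non-erasable" requirement
# is a determination for the firm and its auditors, not something the cmdlet
# decides.
Set-RetentionCompliancePolicy -Identity $policyName -RestrictiveRetention $true
```

Because the lock cannot be undone, run the script through the verification step first in a test tenant and only apply the final line once the scope and duration have been signed off.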
Microsoft Teams and FOIA Compliance
The Freedom of Information Act (FOIA) is intended to promote transparency in government by giving citizens the right to request access to public records. In accordance with the FOIA, federal agencies have an obligation to retain and make readily available electronic records, including Microsoft Teams communications.
Under the law, agencies have just 20 business days to respond to requests. Although Teams has a built-in archiving function, which enables agencies to archive teams — including any team-specific private channels, files and chats — its content search capability can be challenging to use, making it difficult to track down specific records. The harder it is for federal agencies to pull and prepare records for disclosure, the greater the risk that they will not meet the FOIA’s tight response deadline. Additionally, Teams does not have a built-in system for classifying sensitive information within public records, which is essential for partial disclosures.
Given these factors, government agencies that use Microsoft Teams would also do well to invest in an archiving platform specifically designed to support FOIA management.
How Microsoft Teams Compliance Archiving Makes eDiscovery Easy
Compliance is only one piece of the Microsoft Teams puzzle. Even organizations that aren’t subject to strict regulatory requirements may face litigation and eDiscovery requests. For context, eDiscovery refers to the process by which electronically stored information (ESI) is located, procured, reviewed and exchanged for use as evidence in civil or criminal legal proceedings. Teams messages or recordings may be included within the scope of an eDiscovery request, so it’s essential that organizations be able to procure and prepare this information as quickly as possible.
Again, this is an area where dedicated archiving platforms excel. Compared to Teams’ built-in archiving capabilities, archiving platforms not only provide secure storage for Teams content, but also powerful search functionality, tagging and redaction tools, legal holds and custom access permissions. Taken as a whole, these capabilities not only help organizations maintain Microsoft Teams compliance, but also make it easy to track down specific content and respond to eDiscovery requests in a timely manner.
Intradyn Supports Microsoft Teams Compliance
If your organization uses Microsoft 365, it’s essential that you have an enterprise information archiving platform in place to support Microsoft Teams compliance. Intradyn’s all-in-one archiving solution makes it easy to capture Teams communications in real time and in their original context, store them in a highly secure vault and track down specific conversations or recordings in a matter of minutes.
Our platform — which is compliant with all major industry regulations, including HIPAA, SEC 17a-4 and FOIA — offers:
- Automated data capture
- Robust search functionality
- End-to-end security
- Custom data retention policies
- Permission-based sharing
- Support for native and standard non-native formats
- Flexible deployment options
- And more
Microsoft Teams Compliance You Can Count On
Empower collaboration within your organization without introducing risk — Intradyn is here to help.