Microsoft’s Office for Education Neglects Expectations for Regulatory Compliance in ESI
Generally speaking, free things are the best things.
The appeal of Microsoft’s Office 365 for Education suite is its availability and cost to users with a valid school email address. It provides students, faculty, and staff a basic level, cloud-based productivity suite. This suite offers a wide variety of applications that are immensely beneficial to the end-user, and are expected to help achieve and maintain the array of industry standards.
Amongst other apps, this package contains Microsoft Exchange, a cloud-based email server, which uses a built-in archiving solution for electronic communications sent by users across the server. Communications done via email and social media are now considered official records, which means they are subject to investigation and can be used as evidence in a court of law.
The retention of this information falls under the blanket of regulatory compliance, which can be one of the more rigorous standards to uphold. It could be presumed that the communications features offered from the O-365 for Education are sufficient in regards to upholding these standards. In reality, the archiving features within the suite can leave your entire organization vulnerable to irrecoverable ramifications.
What kinds of regulatory requirements exist for Educational entities?
The retention and preservation of this Electronically Stored Information (ESI) is increasingly important; federal regulations such as the Freedom of Information Act (FOIA), State Open Records laws, and E-Discovery policies have made it a near-mandatory practice. In fact, the Federal Rules of Civil Procedure (FRCP) stipulate that all organizations, “…manage their data in such a way that this data can be produced in a timely and concise manner when necessary, such as during legal discovery proceedings.”
While the tools offered by Microsoft Exchange can be incredibly useful, it is not designed to sufficiently achieve regulatory compliance standards. The belief regarding the preservation of ESI is that by simply employing archiving solution, full regulatory compliance can be guaranteed. This is, unfortunately, not the case, and can be reflected in deficiencies found in Microsoft Exchange.
What you expect from an email archiving system designed for Education
What you get in Office 365 for Education
According to the standard industry definition, email archiving is the process of preserving and making searchable all email to and from an individual, with no user choice as to what is saved and what is discarded. This means that every communication should be stored and retained for at least the minimum amount of time outlined in an organizational retention policy.
To fully meet regulatory compliance standards, all records and other pertinent data must be kept in a manner that allows for it to be recalled at any time, and quickly. All records should be classified as immutable, original content, not replications, so that the integrity of the information within can be ensured. Simply put, it should be guaranteed that all of the ESI from an organization contains only original records and communications, and that no user has the capability to access and compromise the stored files.
It could be assumed that these features would be standard, offered on every competitive product available on the market. However, there is something very important to keep in mind about the “archiving solution” from O365: it does not truly archive any of your data, leaving you vulnerable to a litany of problems.
Here is a brief overview of necessary tools for attaining regulatory compliance in electronic communications, which do not come standard in the Microsoft O365 suite for Education:
|Full Search Capabilities||
|Retention of authentic, original copies of email communications||
|Compliance with company and industry retention policies||
Major Areas of Concern with Microsoft Office 365 for Education
Archived information is vulnerable, not safe from alteration or deletion
Microsoft Exchange allows for end-user access to stored information. The archiver offered in the Education suite does not account for the end-user’s ability to designate which information is retained, and by default, does not protect items in the archive from tampering or alteration.
O365 & Exchange only archives the metadata which an individual chooses to keep. If an organization suspected employee misconduct (harassment, fraud, criminal behavior), there is no certainty that all pertinent information could be located within the archive. If a faculty or staff member of a school district, or potentially a student, sends something electronically that is deemed inappropriate due to the content of the message, the individual has the full ability within the O365 archiving system to permanently delete the record in question, and the evidence of any wrongdoing is lost forever.
Inability to efficiently comply with Open Records requests and other litigation
Another significant shortcoming of the archiving product released under the Microsoft O365 Education suite is the lack of advanced search capabilities.
In the event of any Open Records requests, litigation or other legal issues, an inability to find information promptly is extremely difficult to manage. Without the ability to search on a detailed level, across all desired mailboxes at one time, your organization is prohibited from being able to meet compliance standards for promptness of disclosure.
If an administrator is faced with finding sensitive metadata from within their organizations O365 archive, they must know exactly what to look for, where to look for it, and who might have sent it. There is no way to perform a general search across the mailboxes in order to yield responses which are applicable and pertinent. Without the ability to do a targeted, specific search of the data that is relevant, the amount of information to be processed increases. Unsurprisingly, this simultaneously causes the time invested in and amount of money spent on an audit or investigation grow exponentially.
Avoid potential financial, legal, and personal ramifications of Non-Compliance
The aforementioned deficiencies are problematic for several reasons. Organizations rely on the archiving capabilities of Exchange to adhere to legal obligations for retention, without first considering whether they are truly covered. It is even possible that some administrations lack the basic understanding of what their obligations for retention encompass. They are therefore leaving themselves open to potential regulatory litigation and subsequent penalties, which can be equally crippling to organizational reputation and individual careers alike. The consequences for these kinds of shortcomings can range from lengthy legal proceedings to reputational risk to an individual or an organization.
Take for example the following incident, which took place across two states, involving the disclosure of email communications which were found on the archiving system of the Des Moines Public Schools system.
Des Moines/Omaha Public School Districts Scandal
Nancy Sebring is the former superintendent of Des Moines Public Schools. In 2012, she decided to accept a position as the head of Omaha Public Schools in Nebraska, and planned on leaving her position in Iowa at the end of June that year. Everything seemed very cordial, because this sort of job advancement is expected in the administrative field. However, the abrupt resignation of Ms. Sebring at the beginning of May in 2012 caused reporters to question in both cities what truly had taken place.
An open records request was submitted by Jonathon Braden of the Omaha World Reporter on May 7, 2012. It was made to look into rumors that Sebring had received unsolicited advice from Omaha community leaders. This storyline interested the newspaper because of perceived authority issues between the school board and Sebring’s predecessor, and it was believed these communications would serve as a barometer on her upcoming tenure.
It was while fulfilling this records request, which turned up over 600 applicable returns, district officials came across “at least 40” emails exchanged between Sebring and a man she was having a romantic relationship with. Of those 40, about a quarter of the communications between the two were deemed “sexually explicit.” All of them had been sent from her district issued account, some even during school days. Officials with the Des Moines district confronted Sebring regarding the emails after their discovery, and she promptly resigned her position. She then contacted Braden, the Omaha reporter, and asked if the paper’s request could be narrowed to not capture unnecessary personal emails.
Given the sudden nature of the transition in Des Moines, questions emerged regarding the departure/arrival of a prominent local governmental official. Subsequently, Kathy Bolten of the Des Moines Register submitted an Open Records requests to the School District, intended to investigate “routine suspicions surrounding charter schools,” and specified communications sent between Feb. 1 and May 10 of that year, containing the words “Omaha” and “charter school.” This return yielded the same field of scandalous emails involving Sebring and her partner, and it was the Register who first broke the true story of Sebring’s departure.
Both the Des Moines Register and the Omaha World-Herald ran reports throughout the beginning of June 2012, detailing the emails between the two lovers, revealing the correct reasons behind her sudden resignation, while also pointing out a potential cover-up attempt. The World-Herald ran articles assessing that Sebring was unfit for the position, claiming she had “proved a weakling against her own passions.” School board officials in Omaha confronted Sebring via conference call, and she submitted her resignation to them not long after that.
Almost three years after the botched job switch, Sebring filed an invasion of privacy lawsuit against the district, claiming her correspondence with her lover was “purely personal and private emails disclosing intimate details about her personal life.” She also sued three of the district’s top officials: Teree Caldwell-Johnson, the former President of the School Board; Phil Roeder, a former spokesperson for the district; and Patricia Lantz, the former District Attorney. In her lawsuit, Sebring alleged that the school board members had released the emails, “either individually or working in concert, wrongfully undertook steps to ensure the purely personal and private emails would come to the attention of the Des Moines Register and to the public…with malicious intent to cause severe emotional distress, mental anguish, pain and suffering, embarrassment, humiliation, reduced earning capacity and lost past and future wages and benefits.”
The lawsuit brought to light questions regarding the scope of Iowa state laws regulating public records. However, the insurance company for Des Moines Public Schools settled with Sebring out of court, agreeing to a payout of $350,000. The school district and their insurer came to this decision in order to avoid the additional expenses of litigation, including anticipated appeals, a possibility some district officials believed, “…would have continued for years.” Sebring’s attorneys said they were satisfied with the settlement, but said it, “…le(ft) many important issues regarding scope and the application of Iowa’s Open Records laws unanswered.”
An inability to adequately search the archived communications led to the sensitive information being disclosed, and the scandal involving this disclosure material may have been prevented if the request had been filled in a more timely manner. The absence of detailed search within the archiving system prevented them from performing a specific records request, which led to the scandalous communications being included within the larger scope of search returns. This left the individuals and the districts involved vulnerable to lengthy legal ramifications, and the resulting scandal took up valuable time and money, muddling the names of all the administrators involved. A situation such as this could have been avoided entirely if the proper archiving technology had been utilized.
How to Choose an Email Archiving Solution That Will Protect Your Educational Entity
Clearly, not all archiving solutions are created equal. There are a number of options which can be employed in conjunction with your current email servers, however there are several factors to consider when looking in to the various possibilities.
When you begin your search for an archiving solution, it is best to:
- Determine the requirements needed to achieve compliance with the applicable federal and state regulations, in regards to the retention of electronically stored information.
- Based on your organizational needs, decide what format of archiving would be the best to use.
- Evaluate how implementing a third-party archiving system could benefit your entire organization.
- Look into the ROI of prioritizing compliance throughout your organization.
Contact us at Intradyn for information on an email archiving solution to get instant access to enormous volumes of emails and electronic documents for eDiscovery regulations.