4 MSP Compliance and Legal Considerations Around Archiving

Archiving is an enterprise-grade technology that is now more commonly needed in small and medium business (SMB) deployments. For MSPs, this should be a subject of interest!

Before diving into the value of archiving and the related compliance considerations, it is useful to explore the differences between data backups and archiving.

What is Data Backup?

Backups – whether image-based, file-level, or email – are copies of data or system images that can be stored locally or in the cloud and are often needed quickly in the event of data loss or downtime. Users and organizations turn to backups after accidental data deletion, cybersecurity incidents (such as ransomware infections), or system downtime caused by hardware failures, software issues, or site-wide disasters. MSPs will often employ various forms of data backup, including email backup, file-level backups, or image-based backups of critical servers or workstations. Data being backed up can come from on-premises file servers, user endpoints, cloud-based platforms or SaaS applications.

What is Data Archiving?

Archiving is different. Traditionally, archiving was used to archive email from production email systems to preserve storage space, especially in on-premises email deployments. In these use cases, older email was moved and offloaded from production systems onto the email archive to minimize storage utilization and mailbox sizes in production email systems. Today, cloud-based email services such as Microsoft 365 and Google Workspace come with generous mailbox size limits and cloud storage that is cheaper and more abundant. Nevertheless, the value of archiving today extends well beyond the benefit of preserving production storage space.

Archiving is now part of an organization’s comprehensive data governance strategy and is central to legal compliance. What’s more, SMB clients now also face a range of new privacy laws and compliance regulations, legal considerations, and audit expectations that were previously only the concerns of larger organizations. These usually result in a need for archiving’s advanced capabilities such as journaling, e-discovery, customized retention periods, audit logs, review process and tamper-proof record keeping.

As trusted advisors to SMB clients, MSPs should approach backup and archiving with a compliance mindset.

Here are four key compliance and legal considerations for MSPs around archiving.

1. Regulatory Compliance

Many industries have strict regulations requiring the archiving of user and company communications. These requirements extend to organizations of all sizes. For example, Registered Investment Advisors (RIAs) in the United States are regulated by the Securities and Exchange Commission (SEC). RIA firms can be as small as one person or as large as an enterprise. The SEC requires RIAs to comply with a wide range of administrative and technology standards.

Laws requiring investment advisers to keep “books and records” have been around for decades. However, with the explosion in messaging platforms, cloud-based communications, and mobile devices, it is more difficult than ever for RIAs to keep thorough records of all client and internal communications across a range of platforms. This is where robust archiving comes in.

SEC regulations require that all adviser communications are archived, no matter the communication platform or medium, including social media posts, text messages, instant messaging, email or messaging apps. The archive needs to be tamper-proof and authoritative. It also needs to be easily searchable for audit and compliance investigations. Laws and regulations also specify the length of retention periods for books and records. Therefore, the archiving solution should allow for customized retention periods.

Other broad-based privacy laws are driving the need for archiving. For example, Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) safeguard consumer privacy by giving individuals “the right to be forgotten.” In other words, consumers can ask companies to delete every last piece of information held about them. With various backup and archiving systems in many organizations, aligning these systems with the requirements of GDPR and CCPA is difficult. MSPs should help organizations leverage the power of backup and archiving while ensuring that these tools help with their compliance mandates. Archived data must be searchable and provide tools for authorized users to fully purge consumer records when needed.

2. Legal Holds

Archiving can help organizations comply with court orders requiring the retention of communications, documents, and other work-related materials. A legal hold, sometimes referred to as a litigation hold, is a process whereby an organization must preserve key communications and documents that may be relevant to pending litigation. Plaintiffs are often worried that defendants may destroy unfavorable documents before discovery and litigation begin. Under U.S. federal law, there are strict rules for companies to comply with discovery and document retention guidelines laid out in the Federal Rules of Civil Procedure. When there is a triggering event, such as a newly filed lawsuit, organizations need to take immediate action to initiate legal holds.

With the explosion in digital communications, implementing legal holds can be daunting. Archiving technology must include robust legal hold features which identify users, communication streams, and key document types for ongoing retention. Litigation can commonly last years, so legal holds can easily extend for long periods of time and will often overlap as companies have several legal matters going at any given time. Companies need comprehensive tools to manage and automate the legal holds process.

3. eDiscovery

Electronic discovery (or “e-discovery”) involves the search, retrieval, review and production of electronic material and documents which may be responsive to a discovery request in litigation. E-discovery is closely related to legal holds, since a hold is usually put in place so that later e-discovery can be conducted in a lawful and efficient manner. Once again, MSPs and their clients should employ robust archiving systems which cover internal communication platforms and file-based communications to aid in the process of e-discovery.

The discovery process is potentially one of the most costly and time-consuming parts of civil litigation. Companies, both large and small, face a range of lawsuits and legal challenges. It is important to think strategically about how to control legal costs, especially in the discovery process. For defendants, it is mandatory to cooperate with discovery requests. Defendants are legally obligated to produce responsive communications and documents, without providing unnecessary or unrequested materials. With the explosion in electronic communications of all kinds, the volume of overall communication data is a challenge. Lawyers are expensive and it is vital to make the discovery process as efficient as possible. Enterprise-grade archiving solutions help companies efficiently search and pinpoint responsive communications for review by internal and external legal counsel. Document review costs by legal counsel can easily add up in litigation, so efficiency is at a premium. Archiving solutions are critical to enabling organizations to control costs and boost efficiency, while fully complying with legal obligations.

4. Knowledge Management

While there are many legal and compliance considerations driving the need for archiving solutions from MSPs, knowledge management is another priority for companies today. Employee turnover has accelerated throughout the COVID-19 pandemic. Industry analysts and pundits have described the turmoil in the labor market in 2021 as the “Big Quit,” since the number of employee resignations has dramatically increased.

In a fully digitally transformed workplace with high levels of employee turnover, knowledge management can be difficult. Organizations should have concrete plans for data governance and knowledge management, and archiving has a significant role to play. When employee turnover increases, new staff can often struggle to find and access internal documents that may only be three to five years old. If organizations are sloppy with employee offboarding and knowledge management, and employee documents and communications are not properly archived, vital work products, plans, or contracts can be lost forever. On the other hand, if companies take a proactive approach and leverage enterprise-grade archiving, vital work communications will be preserved for future employees to easily and quickly search and access. Institutional memory and efficient and productive work can be preserved by effectively leveraging archiving technology.

Conclusion

Too many MSPs regard archiving as a “big business” concern. As we have explored in this blog, small businesses face many of the same compliance, legal, and knowledge management challenges as larger companies. MSPs should embrace this business opportunity and help their clients adopt archiving as a key element in their data governance and compliance solutions.
