Email retention and eDiscovery
Table of Contents
- Email retention
- Does your organization require an email retention
- Enabling eDiscovery
- Using eDiscovery portal
- Customizing eDiscovery settings
- User accounts
- Customizing retention policy
Email retention is the process of retaining an organization's emails for a specific period, in an organized manner, based on the organization's policies. This is done for compliance or other such purposes.
The main purposes of a retention policy are the following:
- Retention of email content for a specific period, so that it cannot be permanently deleted before the retention period.
- Deleting the email content permanently after the defined retention period.
Email retention policy helps in compliance for legal purposes:
- Compliance with industry regulations and internal policies that require content to be retained for a minimum period of time.
- Reduce the risk, in the event of a security breach or litigation, caused by employees deleting content.
Yes, if your company falls under Sarbanes-Oxley, SEC 17a-3/4, NASD 3010, HIPAA or other such regulations, then you will need to have an email retention policy. Moreover, email is the standard, universal and reliable communication mode for businesses - crucial and sometimes confidential too. Emails are often needed as substantial evidence. So a copy of the communication must be retained to ensure that the organization follows the compliance standards and can respond to any legal issues that arise related to such communications. This ensures that there is no data loss due to the deletion of data by the employees.
eDiscovery (electronic discovery) refers to a legal process of “discovering” electronic data by identifying, processing, reviewing and producing retained emails that are potentially relevant to litigation. The advanced eDiscovery portal in Zoho Mail provides a complete solution to retain, review, and export the emails related to your organization's internal, external or legal investigations. It empowers the legal teams to manage the holds and investigations.
Overall, it assures that the legal team can gather and access the required information in a simple interface, without technical dependency or complexity.
- Log in to your Admin account at https://ediscovery.zoho.com
- The eDiscovery portal welcomes you with a small intro to email retention and eDiscovery.
- Click the Enable eDiscovery button to enable eDiscovery for your organization.
Almost every governmental regulation requires "records" to be captured, managed, retained for specific periods of time, and made available to the governmental agency when asked. These records can include hard copy content, email, voicemail, instant messages, and social media.
The considerations for establishing and maintaining your organization’s email retention policy remain the same; they are: business needs, legal requirements, organizational culture, approaches to retention policies, litigation holds, automation, and implementation.
- Once you enable eDiscovery, the next step is to choose the Default retention period. The default retention policy determines the period for which the emails of all users in the organization would be retained.
- By default, the retention period is 365 days. You can either define a specific number of days as the retention period or choose Retain forever, based on your requirements.
The Default Retention Period can be overridden by Custom Retention Policies, which allow certain mails of specific users or a certain type of email to be retained for a different retention period for a specific need. Refer to Customizing retention policy for more details.
The retention rule acts as an ingestion filter for emails to be allowed into the eDiscovery service for archival. It gives you the option to choose the types of emails that you want to retain in the eDiscovery portal, such as sent emails, received emails, or only a specific subset of sent/received emails, and so on.
Define an appropriate Retention Rule to ensure you retain the required emails while not filling up your users' storage with unnecessary emails.
- Once you define the retention period, you can go ahead and define the Default retention rule.
- Choose from the granular options available and set the ingestion rule for the eDiscovery portal.
- Retain all emails
- Retain based on the conditions such as:
- Retain all sent emails
- Retain all sent emails - outside the organization
- Retain emails sent - only within the organization
- Alternatively, you can specify selected domains and choose to retain the emails that are sent only to those domains.
- Retain all received emails
- Retain all received emails - from external organization accounts
- Retain emails received - only within the organization
- Alternatively, you can specify selected domains and choose to retain the emails that are received from those domains.
- Retain all deleted and/or spam emails.
The allocated user storage is used by the User's mailbox + eDiscovery + Backup. Therefore it is recommended to refine what you retain and for how long depending on your organization's needs.
Once you define the retention period and retention rule, you will now select the users for whom the Retention should begin.
- Use the search option to search for specific users to enable retention for specific accounts
- Click on the checkbox on the header and click on Select all users to enable retention for all the user accounts.
- Click Enable Retention to start the retention process for the selected set of users.
- Once you enable the retention, the emails that get delivered to these user accounts will be retained in the eDiscovery portal, based on the retention rules. The retention period will be based on the default retention rule applied to the accounts. The sync to the eDiscovery portal may take a while, after which you will be able to search/ view/ export the retained emails from the portal.
Once you are done on-boarding the eDiscovery portal, you will be able to access all the features that the portal provides to manage your organization's data. Additionally, you can now also customize the portal settings apart from enabling/disabling users and creating new retention policies.
An Investigation or a case is a legal probe against certain email communications or documents. When there is a legal case or a probe or an investigation pertaining to email communication, the organization needs to retain all the related emails until that investigation is completed/ closed.
The eDiscovery administrator creates a new Investigation to manage the entire investigation cycle. Sometimes the Investigation can be required for the purpose of internal investigation also.
Steps to create an Investigation in Zoho Mail:
- In the eDiscovery portal, go to Investigations tab to view or create Investigations.
- Click the + symbol to create a new Investigation.
- Provide the investigation name and a detailed description, for the particular investigation.
You can create single or multiple holds based on different conditions, as required for the investigation. The emails that are placed on a hold via investigations will not be deleted even after the expiry of the retention period defined by default or custom retention policy.
Before you create a Hold, list down the criteria required for the particular investigation. Based on the various criteria, create different search conditions. You can save each of these search conditions as a 'Saved search'. In case you need to get this reviewed by legal or compliance or admin teams, you can get it reviewed before you create a 'Hold'. Saved search helps you try various searches on the data, preview results and validate these searches before creating the Holds.
To create a search, select the condition with which you'd like to perform the search and enter the search key respective to the condition. You can perform a search with multiple conditions, in which case the results returned will match all of the conditions that you have set for the search. In other words, an AND search will be performed.
For example, if you choose the To condition and enter the search key times.com, then choose the Cc condition and enter the search key technews.com, and finally pick the Has attachment condition, the results returned will be emails that have attachments and have been sent to times.com, Cc'd to technews.com. The emails that match all three of the entered conditions will be returned as results for this search.
• To search for an exact phrase, enter the search key in double-quotes. For example, if you choose the condition Contains and enter the search key as "media information", only the emails that contain the exact words 'media information', in that exact sequence will be returned as results. In case there are emails with the words 'information media', those will not be returned as results.
• If you want to search for emails that have words beginning with specific terms, add an * (asterisk) to the end of those terms. For example, if you want to search for emails that contain words beginning with the term gat, choose the parameter and enter the search key as gat*.
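The search behaviour described above (multiple conditions combined with AND, a quoted key as an exact phrase, a trailing asterisk as a word prefix) can be modelled offline to sanity-check a saved search before it becomes a hold. This is an added illustrative model, not Zoho's code; the `Email` fields, the sample archive, and the treatment of a plain key as a case-insensitive "contains" match are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Email:  # hypothetical, simplified message record
    id: int
    to: str
    cc: str
    body: str
    has_attachment: bool = False

def words(text):
    """Lower-cased word tokens of a field."""
    return re.findall(r"[a-z0-9]+", text.lower())

def key_matches(key, text):
    """Match one search key against the text of one field."""
    key = key.strip()
    tokens = words(text)
    if len(key) >= 2 and key[0] == key[-1] == '"':
        # Quoted key: the words must appear adjacent and in this order.
        phrase = words(key[1:-1])
        n = len(phrase)
        return n > 0 and any(tokens[i:i + n] == phrase
                             for i in range(len(tokens) - n + 1))
    if key.endswith("*"):
        # Trailing asterisk: any word beginning with the term.
        prefix = key[:-1].lower()
        return bool(prefix) and any(t.startswith(prefix) for t in tokens)
    # Assumption: a plain key is a case-insensitive "contains" match.
    return key.lower() in text.lower()

def condition_matches(email, name, key):
    if name == "Has attachment":
        return email.has_attachment
    fields = {
        "To": email.to,
        "Cc": email.cc,
        "Contains": " ".join([email.to, email.cc, email.body]),
    }
    return key_matches(key, fields[name])

def search(emails, conditions):
    """Return ids of emails that satisfy every condition (AND search)."""
    return [e.id for e in emails
            if all(condition_matches(e, n, k) for n, k in conditions)]

# Constructed sample archive.
ARCHIVE = [
    Email(1, "editor@times.com", "desk@technews.com",
          "Please find the media information attached.", True),
    Email(2, "editor@times.com", "desk@technews.com",
          "The information media kit will follow.", False),
    Email(3, "sales@example.org", "",
          "Gateway logs were gathered for review.", True),
]

if __name__ == "__main__":
    print(search(ARCHIVE, [("To", "times.com"), ("Cc", "technews.com"),
                           ("Has attachment", None)]))
    print(search(ARCHIVE, [("Contains", '"media information"')]))
    print(search(ARCHIVE, [("Contains", "gat*")]))
```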
Administrators can Export the data matching these search criteria by clicking on Export search results. The Export & Delete option allows users to export the emails and permanently delete them from the archive.
Export & Delete will permanently and irrevocably remove the data from eDiscovery portal. This action will delete even mails which are on hold or whose retention period is not yet expired, hence this option needs to be used with caution.
Now, in order to view or download the content of the emails listed in the Search result, follow the steps given below:
- In the Search details page, provide the Conditional query to filter the emails and click on Preview results to view all the emails that match the query.
- Click on the email you want to view from the list.
To Download an email in EML format:
- Click on Show Original on the right top corner to view the original message.
- Options to Download Content or Show only headers / Show full content are available on top of the message.
- Click on Download Content to export an email in .eml format.
Each Investigation will retain emails based on one or more holds as needed for the Investigation. A Hold retains the email that is required for the investigation, based on a specific set of conditions. Since a single investigation or case may need to retain different sets of emails based on various conditions like the subject, received time, sender, attachments, custodians and so on, there may be multiple Holds created for each Investigation.
Once a Hold is created, the emails retained by the 'Hold' will be retained for as long as the Hold exists.
Administrators can Export the data under hold by clicking on Export hold results. The Export & Delete option allows users to export the emails and permanently delete them from the archive.
Export & Delete will permanently and irrevocably remove the data from eDiscovery portal. This action will delete even mails which are on hold or whose retention period is not yet expired, hence this option needs to be used with caution.
The results of a 'Hold' or a Saved Search can be exported by the administrator, whenever required. These exports will be scheduled and the administrators can download the exported files from the eDiscovery portal from the Exports tab of the respective investigation.
In a specific investigation, you can choose to tag emails from the search preview or the hold preview.
To create a tag and apply it to an email, follow the instructions below:
- Go to the Investigations section, and select the relevant investigation.
- Navigate to the Tags tab.
- Select the Create Tag option, enter a tag name, pick a color, and click Save.
- Now, select a saved search or a hold from the Searches or Holds tab.
- Click the Preview Results option.
- Select the checkboxes across the emails that you want to tag.
- Select the Tag as option and choose the relevant tag.
- These tagged emails can also be viewed from the Tags section. Click on a particular tag and all the emails associated with that tag will be listed.
Once you have created an investigation, you can also view all the related activity in the Audit Logs section, inside that particular investigation.
Steps to view the audit logs related to a particular investigation:
- Go to the Investigations section, and select the relevant investigation.
- Navigate to the Audit Logs tab.
- Enter the dates within which you would like to view the activity.
- Select the checkboxes across the actions that you would like to retain. You can choose to narrow down your search by unchecking the irrelevant checkboxes.
- Select the Preview Audit option to view the activity or click the Download Audit option to download the activity onto your machine.
Email Recovery is a feature by which an administrator can restore lost or accidentally deleted emails back to the user's mailbox from the archive. As an administrator, you can choose either 'all user accounts' or 'specific user accounts' to recover and restore the archived emails back to the mailbox, when required.
Steps to recover an email from eDiscovery:
- Insert a name by providing the appropriate search criteria.
- Select either all user accounts or specific user accounts. In case you choose specific user account, then specify the user accounts under user mail boxes.
- Select the checkboxes i.e. include spam emails and only deleted email, whichever required.
- Enter the start and end dates and insert relevant search criteria under condition query.
- Choose Preview Results, if you wish to ensure the search conditions are matched.
- Click Recover to restore the emails back to the user mailbox.
On recovering a mail from eDiscovery, the mail will be restored back to the user mailbox while retaining a copy of the same in the archives. However, the copy of the mail will be deleted from backup.
All the recovery actions, along with the details, are listed chronologically in the recovery stats list.
Expunge is a feature which allows an administrator to delete a particular email from the user's mailbox. As an administrator, you can delete a mail either with or without a user request (in case of any virus or phishing emails).
Steps to expunge an email from eDiscovery:
- Perform conditional search to filter out an email from the user’s archive.
- Select either all user accounts or specific user accounts. Mention the user accounts, in case you choose specific user accounts.
- Include spam emails, if applicable. This will include spam emails as well in the search.
- Specify the start and the end dates for the search and mention the search criteria.
- Click on the Preview Results to view the filtered emails.
- If the results match, click on Expunge to delete the mail from the user's mailbox.
On Expunge, the mail will be deleted from the user's mailbox. However, a copy of the mail will be retained in the Archive.
All the expunge actions, along with the details, are listed chronologically in the expunge stats list.
All the actions of the administrators in this portal will be recorded in the Audit logs section. Instead of viewing the activity specific to an investigation, you can view all the activity in the eDiscovery portal here.
As an administrator, you can customize your eDiscovery portal by clicking on the Settings tab. This section allows you to enable or disable eDiscovery for your organization. If you have already enabled eDiscovery and later, for some unforeseen reason, wish to disable the service, the emails that get delivered to your organization's user accounts will no longer be archived, while the older emails will be retained as per the existing retention policy.
Here, you also have the option to enable Auto-enable for new users. When Auto-enable for new users is checked, emails will be archived as per the default retention policy for every new user joining the organization. If Auto-enable for new users is disabled, the administrator will still have the option to enable eDiscovery for a new user manually under the Users tab, whenever required.
The default Retention Rule configured during onboarding is listed here as "EDISCOVERY_RULE". In case you would like to create custom retention rules for certain user accounts so as to filter the emails ingested by the eDiscovery portal for these accounts, then custom retention rules can be created.
Steps to create custom retention rules:
- Click on Add Rules.
- Provide a Rule Name.
- Select the type of email (sent mails, received mail, external mails, organization mails, etc.) or a conditional criteria for filtering emails.
- Select Retain deleted emails if you wish to retain an email that is deleted from the mailbox.
- Select Exclude spam mails if you wish to exclude emails that are classified as spam from being retained in eDiscovery portal.
- Select the user accounts to which this custom rule needs to be applied.
- Click Save.
The created custom rule is listed in the list view. Click on the Rule name to view its details and click on the Associated users tab to view the users for whom this custom rule is applied.
The "Users" tab gives you an overall view of the organization's users and their eDiscovery status (enabled / disabled). Additionally, it will also show you which retention rule is associated with each user. As an administrator, you can also manually enable or disable the eDiscovery service for users who have newly joined or for whom the service was already enabled.
Each user is associated with the default Retention Rule "EDISCOVERY_RULE" configured at the time of onboarding. You can associate a custom retention rule with a user by selecting the required rule from the "Rule Name" drop-down. For defining a new rule, refer to Custom retention rules.
An additional feature here is that you can view how much of the storage allotted to each user is consumed by eDiscovery.
By clicking on the Retention tab, you will be able to view the default retention policy and the list of custom retention policies. Note that when an email has passed its set retention period, it will be automatically cleaned up or purged, once every 10 days. Just below the default retention policy, you will find an option to create a new custom retention policy. In case there are any special or custom requirements that need certain emails, based on custodians or certain conditional criteria, to be retained for a different period of time, the administrators can define custom retention policies. Custom retention policies can be defined based on various parameters.
To define new custom policies, follow the below steps:
- Click the Create Custom retention policy button and provide a name for the custom policy.
- Select the custodian by either checking all user accounts or specific user accounts. In case you select specific user accounts, mention the account names under user mail boxes.
- Select whether you want to retain the emails marked as spam also.
- Select the period for which you want to retain the emails that match the requirements of the custom policy.
- In the Condition query, provide the conditions based on which you want to define the custom policy for email retention from the granular options provided:
- Contains - contains text/ email address in the entire email
- Subject - subject contains the selected term
- Content - email content contains
- From - from email address contains
- To - To email address contains
- Cc - Cc email address contains
- Bcc - Bcc email address contains
- Reply To - Reply to email address contains
- Has attachment - Only the emails with attachment
- Attachment name - Attachment name contains
- Attachment content - Attachment content contains
- Only outgoing emails - Include only outgoing emails
- Select the period for which you want the emails to be retained under the custom policy. You can either retain them for a specific period of time or choose ‘retain forever’.
- You can use 'Preview Results' to check whether the condition query provides the expected results.
- You can 'Save' the retention policy if the search results match the conditions needed for the custom retention policy.
You can create and save multiple retention policies for different purposes. Each custom retention policy will mostly differ in the period of retention and the conditions required for retention.
When an email matches multiple custom retention policies, it is always retained as required by the retention policy with the longest retention period. Emails that are on hold are retained till the hold is removed.
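The precedence rules above can be modelled to predict when a given email becomes eligible for purge, which is worth checking before a short custom policy is saved. This is an added illustrative model, not Zoho's code; the `Email` and `Policy` types and the sample policies are constructed, and it assumes that the period counts from the received date, that a matching custom policy replaces the default even when shorter, and that the 10-day purge cycle can delay deletion by up to 10 days after expiry.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

FOREVER = None             # models the "Retain forever" option
DEFAULT_DAYS = 365         # default retention period stated on the page
PURGE_INTERVAL_DAYS = 10   # purge runs "once every 10 days"

@dataclass
class Email:  # hypothetical, simplified message record
    sender: str
    subject: str
    received: date
    on_hold: bool = False

@dataclass
class Policy:  # hypothetical custom retention policy
    name: str
    days: Optional[int]              # None means retain forever
    matches: Callable[[Email], bool]

def effective_retention(email, custom_policies, default_days=DEFAULT_DAYS):
    """Return (policy_name, days) governing this email; days None = forever."""
    matched = [p for p in custom_policies if p.matches(email)]
    if not matched:
        return ("default", default_days)
    # Several custom policies match: the longest retention period wins,
    # and "retain forever" outranks any finite period.
    best = max(matched,
               key=lambda p: float("inf") if p.days is FOREVER else p.days)
    return (best.name, best.days)

def purge_decision(email, custom_policies, default_days=DEFAULT_DAYS):
    """Return (governed_by, earliest_purge, latest_purge); dates None if kept."""
    if email.on_hold:
        # A hold keeps the email until the hold is removed.
        return ("held", None, None)
    name, days = effective_retention(email, custom_policies, default_days)
    if days is FOREVER:
        return ("forever:" + name, None, None)
    expiry = email.received + timedelta(days=days)
    # Assumption: the purge job may run up to one interval after expiry.
    return (name, expiry, expiry + timedelta(days=PURGE_INTERVAL_DAYS))

# Constructed sample policies.
POLICIES = [
    Policy("invoices-90d", 90, lambda e: "invoice" in e.subject.lower()),
    Policy("finance-7y", 2555,
           lambda e: e.sender.endswith("@finance.example.com")),
    Policy("contracts-forever", FOREVER,
           lambda e: "contract" in e.subject.lower()),
]

if __name__ == "__main__":
    mail = Email("ap@finance.example.com", "Invoice 42", date(2023, 1, 1))
    print(purge_decision(mail, POLICIES))
```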