Encrypted Data in M365

Encrypted Data in M365 Can Cause Problems in Discovery: eDiscovery Best Practices

Microsoft 365 (M365) has a lot of great capabilities and, as you probably know, it even has its own eDiscovery tools. It also has data encryption capabilities, which can be useful to protect data against cyberattacks. However, if you’re not careful, encrypted data in M365 can cause problems downstream in discovery and compliance workflows.

The article in Legaltech® News (How to Manage Encrypted Data in Microsoft 365 Discovery, written by Ryan Hemmel of ProSearch) discusses how the ability to encrypt sensitive data in M365 generally falls under the umbrella of Microsoft Information Protection. Encryption can be applied via sensitivity labels, the Azure Information Protection client, Office 365 Message Encryption (OME) and SharePoint Information Rights Management (IRM), among other options.

M365 also provides multiple methods for managing the encryption keys required to decrypt protected content. These options include Microsoft Managed Key (MMK) in which Microsoft creates and fully manages your encryption keys, Bring Your Own Key (BYOK) with the customer generating its own key and responsible for securing that key, and Double Key Encryption (DKE) where two keys are used to protect content, with Microsoft storing one in Azure and the customer holding the second. The latter two options, BYOK and DKE, are compatible with Hardware Security Modules (HSMs) and enable organizations to meet more stringent regulatory and compliance requirements. A detailed breakdown of these encryption key types can be found here.

That’s all great, but it’s important to be able to decrypt encrypted data in M365, and to do so in a manner that supports your discovery and compliance workflows. For example, M365’s Core eDiscovery (available with an E3 license or equivalent) can decrypt email messages as well as their attachments. However, to decrypt Rights Management Services (RMS) protected emails on export, the data must be exported as individual messages rather than as PSTs. Other challenges include the fact that files encrypted locally and then uploaded to SharePoint or OneDrive cannot be decrypted, and that decryption in either Core or Advanced eDiscovery is not supported for organizations using DKE. Hemmel links to the official Microsoft documentation on additional limitations of decrypting encrypted data in M365 here.
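Because those limitations are easy to miss until a reviewer opens a blank document, a practical check is to triage the export itself before it goes to review. The following script is an added example (it is not from the article, from ProSearch or from Microsoft); it flags exported items that are still encrypted so they can be re-exported as individual messages, decrypted out of band or logged as exceptions. The checks rest on documented container formats: encrypted or IRM-protected Office documents are stored as OLE compound files containing an `EncryptedPackage` stream, AIP generically protected files carry a `.pfile`-style extension, and an RMS-protected email exported as MIME carries a `message.rpmsg` attachment. The extension list, the `classify`/`triage` function names and the sample files are assumptions constructed for the example; the "encrypted OOXML" sample is a byte stub with the OLE magic and stream name, not a real CFB file.

```python
"""Post-export triage for M365 eDiscovery output: flag items still encrypted
after export. Added example; heuristics, not a full OLE/CFB parser."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePath

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file header
ZIP_MAGIC = b"PK\x03\x04"                           # plain OOXML is a ZIP
# OLE directory entries store stream names as UTF-16LE; this is the stream
# name used by Office for password- or IRM-encrypted OOXML packages.
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
# Extensions the AIP client gives generically protected files (assumed list;
# adjust to what your tenant actually produces).
AIP_PROTECTED_EXT = {".pfile", ".ptxt", ".ppdf", ".pjpg", ".ppng", ".pgif", ".pbmp"}
OOXML_EXT = {".docx", ".xlsx", ".pptx", ".docm", ".xlsm", ".pptm"}
RPMSG_TYPE = "application/x-microsoft-rpmsg-message"


def classify(name: str, data: bytes) -> str:
    """Return 'encrypted:<reason>', 'plain:<kind>' or 'unknown[:<detail>]'."""
    ext = PurePath(name).suffix.lower()
    if ext in AIP_PROTECTED_EXT:
        return "encrypted:aip-pfile"
    if ext == ".eml":
        msg = BytesParser(policy=policy.default).parsebytes(data)
        for part in msg.walk():
            if (part.get_content_type() == RPMSG_TYPE
                    or (part.get_filename() or "").lower() == "message.rpmsg"):
                return "encrypted:rms-email"   # RMS body was not decrypted on export
        return "plain:email"
    if data.startswith(OLE_MAGIC):
        if ENCRYPTED_PACKAGE in data:
            return "encrypted:ooxml-irm-or-password"
        return "unknown:ole-container"         # legacy .doc/.xls/.msg; inspect separately
    if data.startswith(ZIP_MAGIC) and ext in OOXML_EXT:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if "[Content_Types].xml" in zf.namelist():
                    return "plain:ooxml"
        except zipfile.BadZipFile:
            return "unknown:bad-zip"
    return "unknown"


def triage(items: dict) -> list:
    """(name, verdict) for every exported item that is still encrypted."""
    verdicts = {n: classify(n, d) for n, d in items.items()}
    return [(n, v) for n, v in verdicts.items() if v.startswith("encrypted:")]


# ---- constructed sample export (not real evidence) -------------------------
def _ooxml_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def _encrypted_ooxml_stub() -> bytes:
    # Stand-in only: OLE header plus the UTF-16LE stream name, not a valid CFB.
    return OLE_MAGIC + b"\x00" * 512 + ENCRYPTED_PACKAGE + b"\x00" * 64


def _eml(protected: bool) -> bytes:
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 board deck"
    if protected:
        msg.set_content("This message is protected; open it in an RMS-capable client.")
        msg.add_attachment(b"\x00rpmsg-stub\x00", maintype="application",
                           subtype="x-microsoft-rpmsg-message", filename="message.rpmsg")
    else:
        msg.set_content("Plain text body.")
    return msg.as_bytes()


SAMPLE_EXPORT = {
    "board-deck.pptx": _ooxml_zip(),
    "salary-review.docx": _encrypted_ooxml_stub(),
    "scan.pfile": b"\x00" * 32,
    "cfo-memo.eml": _eml(protected=True),
    "lunch.eml": _eml(protected=False),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_EXPORT):
        print(f"{name}: {verdict}")
```

Run it over the export directory instead of `SAMPLE_EXPORT` by reading each file's bytes into the dictionary. Anything tagged `rms-email` points at the PST-export limitation above (re-export those custodians as individual messages); `ooxml-irm-or-password` and `aip-pfile` hits are the locally encrypted or DKE-protected files that eDiscovery cannot decrypt and that need the key holder's involvement.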

What can you do about it? Hemmel (who is also a 4-time Jeopardy champion!) provides some alternative decryption options in the article here, as well as some recommendations. Encrypted data in M365 is great, but only if you can decrypt it when you need it! You don’t want to put your evidence for discovery in jeopardy! See what I did there? 😉

So, what do you think? Do you use M365’s Core or Advanced eDiscovery capabilities? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
