
Explaining Microsoft Teams Compliance: GDPR, FINRA, Encryption and Security


Article
23 May 2024
By Jennie Clarke

Microsoft Teams (also abbreviated to MS Teams or simply “Teams”) is a team collaboration platform developed by Microsoft as part of the Microsoft 365 suite of products. There are over 320 million active Teams users worldwide, and the application is used by over one million organizations. There are multiple benefits of Microsoft Teams for business users, including Microsoft Teams chats, video calls and meetings, file sharing and real-time collaboration. Because MS Teams is a Microsoft application, it integrates seamlessly with the wider Microsoft Office product suite, meaning business users can organize Teams meetings and calls using their Outlook calendar, share and collaborate on Microsoft Word, Excel, and PowerPoint files, and access a consistent experience across multiple devices, including mobile devices.

Microsoft Teams benefits for business include enhanced collaboration and connectivity, with staff able to chat and video call wherever they are based in the world and work on shared documents together in real time. Teams also gives organizations an opportunity to streamline their tooling and reduce costs by providing a single platform for chat, collaboration, video calling, calendar management, and file sharing. Message history for Teams chats, including one-to-one and group chats, is held in Microsoft's Teams chat service, which is hosted on Azure, and a copy of each message is written to a hidden folder in the relevant Exchange Online mailbox (the user's mailbox for chats, the group mailbox for channel messages) so that compliance tooling such as eDiscovery can reach it. Those copies are not designed to be browsed directly: they are hard to locate and navigate, and exporting them by hand risks message loss or corruption. For organizations operating in industries where communications can be subject to review by regulators or auditors, a more comprehensive solution to archive Microsoft Teams data is required.

Is Microsoft Teams secure and encrypted?

Microsoft Teams offers organizations a secure platform for connecting and collaborating. Teams communications such as chats and calls are encrypted in transit by default using industry-standard protocols: Transport Layer Security (TLS) for signalling, chat and file transfer, and Secure Real-Time Transport Protocol (SRTP) for audio, video and screen-sharing media. TLS and SRTP protect data only while it is moving; data at rest is protected separately by Microsoft 365 service-side storage encryption, so Teams data is encrypted both in transit and at rest.

However, Microsoft Teams does not offer end-to-end encryption (E2EE) of communications by default. With E2EE, data is encrypted between the sender and the recipient and cannot be read by any third party, including the platform provider hosting the conversation. Teams does support E2EE for one-to-one calls, covering the audio, video and screen-sharing streams (E2EE for meetings is available with a Teams Premium licence); chat messages are not end-to-end encrypted. Two caveats matter for regulated firms. First, an administrator must enable E2EE through a Teams policy before users can switch it on for a call. Second, any feature that depends on the Teams service being able to see the media is unavailable while E2EE is active: recording, live captions and transcription, call transfer and, importantly, compliance recording.
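As an added example, not taken from the article or from Microsoft's own documentation, the following Teams PowerShell session shows the admin-side step the paragraph refers to: creating an enhanced-encryption policy that lets users opt in to E2EE for one-to-one calls, assigning it to a user, and checking the assignment. The tenant, policy name and user address are hypothetical.

```powershell
# Added example (not from the article or Microsoft's own docs).
# Assumes the MicrosoftTeams module is installed and the signed-in account
# holds the Teams Administrator role. Policy name and user are hypothetical.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Teams ships with E2EE for calls switched off (CallingEndtoEndEncryptionEnabledType = Disabled).
# DisabledUserOverride keeps it off by default but lets each assigned user turn it on per call.
New-CsTeamsEnhancedEncryptionPolicy -Identity "E2EE-Calls-OptIn" `
    -Description "Users may enable E2EE for one-to-one calls" `
    -CallingEndtoEndEncryptionEnabledType DisabledUserOverride

# Assign the policy to one user. Use -Global instead of -Identity to apply it tenant-wide.
Grant-CsTeamsEnhancedEncryptionPolicy -Identity "alice@contoso.example" -PolicyName "E2EE-Calls-OptIn"

# Check the effective assignment; the user still has to toggle E2EE on in the Teams client.
Get-CsUserPolicyAssignment -Identity "alice@contoso.example" -PolicyType TeamsEnhancedEncryptionPolicy |
    Select-Object PolicyName, PolicySource
```

For users whose calls must be captured by compliance recording, leave the policy at its default value of Disabled: a call with E2EE switched on cannot be recorded, so an opt-in policy hands the user a way to place calls outside the firm's record.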

Is Microsoft Teams Compliant?

While establishing whether the benefits of Microsoft Teams for business make it a good fit for your organization, questions must be asked around Microsoft Teams compliance. Across industries like financial services, there is an expectation that all communications platforms used meet high regulatory standards of recordkeeping and communications capture, and this extends to expectations around Microsoft Teams compliance.

We see regular regulatory enforcement actions around non-compliant communications and recordkeeping lapses that result in large fines and reputational damages for the firms involved. In order to avoid falling foul of fines and to remain compliant with recordkeeping regulation, firms must ensure they compliantly capture and archive all of their business communications channels. This includes ensuring that Microsoft Teams compliance practices and procedures are established, such as employing solutions such as a Microsoft Teams archive to archive Microsoft Teams Chat, and compliance recording for Microsoft Teams calls.

Is Microsoft Teams GDPR Compliant?

As with onboarding any software solution or new application, firms will need to answer the question "is Microsoft Teams GDPR compliant?" before deploying it. The EU General Data Protection Regulation (GDPR) is intended to harmonize data privacy legislation across all EU member states. It requires that organizations process personal data lawfully and transparently and honour data-subject rights, such as the right of access and the right to erasure, when the individuals the data pertains to exercise them.

Microsoft Teams falls under Microsoft's overarching commitments to security and data privacy: "Microsoft values the importance to ensuring the privacy and security of your data … we also respect local legislation, such as the General Data Protection Regulation (GDPR)." The security and data-management features built into Microsoft Teams enable organizations to use the platform in a way that satisfies GDPR requirements; however, being GDPR compliant requires an organization to take steps beyond deploying a particular product, such as appointing a Data Protection Officer where one is required, issuing privacy notices, and keeping records of processing activities.

Is Microsoft Teams FINRA Compliant?

The Financial Industry Regulatory Authority (FINRA) oversees several regulations that organizations must be mindful of when using Microsoft Teams for business communication and collaboration.

FINRA Rule 4511 requires regulated firms to make and preserve books and records, including business communications sent internally or externally, in the format and media specified by SEC Rule 17a-4, and that obligation extends to communications on third-party platforms such as Microsoft Teams. Firms using Microsoft Teams must also be aware of FINRA Rule 4530, which requires firms to report specified events, including written customer complaints, and of Rule 3110, which requires firms to establish and maintain a supervisory system, including review of incoming and outgoing correspondence and internal communications, that is reasonably designed to achieve compliance with securities laws and FINRA rules. Organizations will therefore need to ensure that their Microsoft Teams compliance efforts capture communications data and secure it in a compliant archive, so that they have ready access to it and can evidence to the regulator that their conduct is in line with these rules.

Microsoft Teams Best Practices for Compliance

Microsoft Teams gives business users a huge amount of flexibility to work, collaborate, and connect in the way that works best for their teams. While it delivers a stable experience with a built-in level of security and compliance, there are steps needed to ensure it can be used in regulated industries, where the standards of compliance are higher.

Microsoft holds a range of security and privacy certifications and attestations that cover Teams, including ISO/IEC 27001 and ISO/IEC 27018, and will sign a HIPAA Business Associate Agreement with covered customers. These attest to Microsoft's side of the shared-responsibility model; the configuration of the tenant remains the customer's job. There are, therefore, recommended steps organizations can take to elevate their compliance and security posture when using Microsoft Teams:

  • Enable multi-factor authentication (MFA) for every account, ideally enforced through a Conditional Access policy rather than per-user settings, so that a phished or leaked password on its own does not grant access (the January 2024 takeover of the Securities and Exchange Commission's (SEC) X account is a reminder of what a single-factor account can cost)
  • Apply policies that restrict file download, print and sync on unmanaged devices. This is essential for organizations with many remote employees using personal devices to access Teams; those endpoints sit outside the organization's patching and endpoint-protection controls and are more likely to be compromised
  • Enforce least-privilege access, so that users can reach only the teams, channels and files their role requires, limiting how much sensitive data a single compromised account can expose
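The first two recommendations above are tenant settings rather than user habits. The following PowerShell session, added here as an example and not taken from the article, Microsoft or Global Relay, shows one way to enforce them: a Conditional Access policy (via Microsoft Graph) that requires MFA for Microsoft 365, and the SharePoint Online tenant setting that restricts unmanaged devices to web-only access. The tenant name "contoso" and the group ID are placeholders.

```powershell
# Added example (not from the article or Microsoft). Assumes the Microsoft.Graph and
# Microsoft.Online.SharePoint.PowerShell modules and sufficient admin rights.
# "contoso" and the break-glass group ID are placeholders to replace.

# (a) Require MFA for every user signing in to Microsoft 365 (which includes Teams).
#     Start in report-only mode, review the sign-in logs, then change state to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$mfaPolicy = @{
    displayName   = "CA01 - Require MFA for Microsoft 365"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @("00000000-0000-0000-0000-000000000000")  # break-glass accounts (placeholder ID)
        }
        applications = @{ includeApplications = @("Office365") }     # the Office 365 app group, Teams included
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# (b) Limit unmanaged devices to web-only access with download, print and sync blocked.
#     Devices that are Entra-joined, hybrid-joined or marked compliant by Intune are unaffected.
#     This SharePoint setting only takes effect together with a Conditional Access policy that
#     applies the "Use app enforced restrictions" session control to Office 365.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
Get-SPOTenant | Select-Object ConditionalAccessPolicy
```

The break-glass exclusion is deliberate: a tenant-wide MFA policy with no excluded emergency account can lock every administrator out if the MFA provider fails. Keep that group small, monitor its sign-ins, and store its credentials offline.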

Microsoft Teams encrypts data in transit and at rest. Files shared in Teams are not stored in Teams itself: files posted in channels live in the team's SharePoint site, and files shared in chats live in the sender's OneDrive, so they inherit the encryption and access controls of those services. Messages and other Teams data are stored in Azure-hosted Microsoft services. Microsoft operates data centers in more than 60 Azure regions worldwide, and a tenant's Teams data is stored within the geography selected for that tenant, which helps organizations meet regional data-residency requirements.

However, Microsoft 365 is not an archive in the regulatory sense. Without a retention policy, deleted Teams content is recoverable only for the short windows built into each workload (roughly two weeks to 93 days, depending on whether the item sits in Exchange Online, OneDrive or SharePoint), after which it is purged. That is a serious problem for regulated organizations that must retain communications for years in case a regulator asks for them during an investigation. Even where Microsoft 365 retention policies are configured, the data stays inside the production tenant under the same administrators, which is not the immutable, separately controlled record that recordkeeping rules expect. A solution is to employ an end-to-end compliance solution consisting of a data connector that comprehensively captures all Microsoft Teams data and a compliant archive to transfer it to. This ensures your data is securely held for the entire period the regulations require, and adds options for powerful eDiscovery and surveillance.
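Whatever archive sits downstream, the tenant itself should at least stop Teams content from being purged on the default schedule. As an added example, not taken from the article or from Microsoft, the Security & Compliance PowerShell session below creates a Microsoft 365 retention policy covering all Teams chats and channel messages and a rule that keeps them for a fixed period. The policy names and the six-year figure (2190 days) are assumptions; check the period your own regulator requires.

```powershell
# Added example (not from the article or Microsoft). Assumes the ExchangeOnlineManagement
# module and a Compliance Administrator role. Names and the 6-year figure are assumptions;
# check the retention period your regulator actually requires.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Teams locations must sit in their own policy; SharePoint/OneDrive files need a separate one.
New-RetentionCompliancePolicy -Name "Teams-Retain-6y" `
    -TeamsChatLocation All -TeamsChannelLocation All -Enabled $true

# Keep every message for ~6 years from the day it was created. Action "Keep" means the
# content is preserved and then left alone, rather than deleted automatically.
New-RetentionComplianceRule -Name "Teams-Retain-6y-Rule" -Policy "Teams-Retain-6y" `
    -RetentionDuration 2190 -RetentionComplianceAction Keep -ExpirationDateOption CreationAgeInDays

# Confirm the policy has been distributed to the Teams workload (this can take up to a day).
Get-RetentionCompliancePolicy -Identity "Teams-Retain-6y" -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
```

This protects messages from deletion inside the tenant, including messages users delete themselves, but it is still a retention setting under the tenant's own administrators, not a write-once archive: an administrator with the right role can remove the policy. That is the gap a separately controlled archive, as described above, is meant to close.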

Are all of Microsoft Teams calls and chats recorded?

Microsoft Teams chat compliance features are available, but they are not activated as standard and depend on the Microsoft 365 licence your business holds. Designated IT administrators can turn on compliance features and enact policies that allow compliance functions to monitor and review Teams chat data. However, initializing communication compliance within Microsoft Teams is a lengthy multi-stage process that can consume a lot of resource. While chat messages are stored by default, as discussed previously the stored copies sit in hard-to-access locations and in a format that does not support fast search and easy review.

Compliance recording for Microsoft Teams calls is not enabled automatically. Teams supports two kinds of recording: user-initiated (convenience) recording, whose files are saved to the organizer's OneDrive or the team's SharePoint site, and policy-based compliance recording, which requires a certified third-party recorder and a Teams policy that routes the media of every call or meeting involving the targeted users to that recorder. The capability again depends on the licence the organization holds, and the policies can be challenging to set up within the Teams platform. Convenience recordings, like chat data, are saved in Microsoft 365 locations that can be difficult to navigate and may not be retained for as long as regulators require.

Alternatives to Microsoft Teams

Microsoft Teams has established itself as a widely used platform because of its flexibility, with functionality including calendar and meeting management, video and audio calls, chats, and file sharing meaning it combines the benefits of a range of individual applications. This provides businesses with opportunities to streamline and combine solutions. However, when considering Microsoft Teams compliance challenges, some firms may be open to considering an alternative to Microsoft Teams. When establishing whether it is the right fit for your business, there are several Microsoft Teams alternatives that can be considered.

Slack

Slack is a cloud-based communications and collaboration platform. It allows teams to collaborate and communicate through direct messaging and channels, file sharing, and integrations with other solutions including Microsoft Outlook calendars, Dropbox storage, and Google Workspace.

Salesforce

Salesforce Chatter is an ‘enterprise social network’ that allows teams to chat one-on-one and as part of group chats. It also allows file sharing across mobile and desktop devices, and to establish workflows and approvals such as approving expense reports and sharing and updating sales opportunities and Salesforce cases from within the application.

Telegram

Telegram is a cloud-based, cross-platform instant messaging service. It enables users to share media and files in one-to-one or group conversations, including private voice and video calls. While primarily mobile based, Telegram does include a desktop client. Note that Telegram's ordinary cloud chats are encrypted only between client and server and are readable by Telegram itself; end-to-end encryption is limited to its opt-in Secret Chats. Those Secret Chats, together with the disappearing-message functionality, leave no record that a firm can capture, which introduces compliance concerns.

Global Relay App

Global Relay App is a solution that empowers users to connect and collaborate compliantly, with internal teams and external contacts, across mobile and desktop. It features direct and group instant messaging, SMS and voice calls, and allows file sharing and WhatsApp integration. By automatically archiving all messages and data into a fully secure, compliant archive, it allows users to communicate with confidence, providing a fully compliant solution to business communications.

Microsoft Teams API integration

While Microsoft Teams includes features that can help organizations operate in a compliant manner, there is a range of services that provide complete Microsoft Teams compliance. The Global Relay data connector for Microsoft Teams integrates directly with Microsoft's APIs, which means that the data you capture and transfer to a compliant archive for Microsoft Teams chat is the data your teams actually sent. This direct integration means all data and metadata is captured from source, minimizing the risk of data loss or corruption. By seamlessly capturing channels, chats, recorded meetings, and files with our Microsoft Teams API integration, and storing them in a compliant archive, you ensure the highest level of Microsoft Teams compliance. Your Teams chat and meeting data is stored securely in one centralized, easy-to-navigate location that supports enhanced surveillance and eDiscovery. Your data is readily available and accessible should regulators request it, and your compliance teams can use this data picture to perform advanced surveillance and eDiscovery to anticipate, and act on, signs of potential risk. Utilizing Microsoft Teams for business compliantly has never been simpler.
