Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2009-12-09
Microsoft Exchange Server 2010 is designed to help users meet compliance requirements. Exchange 2010 offers you several features that help you capture, protect, modify, retain, and discover e-mail messages in a user mailbox as the messages flow in, through, and out of your organization.
The following list provides several examples of the areas where compliance features in Exchange 2010 can help you become compliant or respond to future discovery requirements:
- Data retention policies: Many organizations are required to keep data for a specific time and then remove that data to protect privacy. To learn more, see Understanding Messaging Records Management.
- Privacy and confidentiality requirements: Every day organizations transmit sensitive and confidential information through e-mail, both to and from individuals and the organization itself. These organizations have to protect the privacy of individuals and the confidentiality of communications. To learn more, see Understanding Information Rights Management.
- Ethical walls: Organizations that work with securities and other financial information are frequently required to prohibit communication between specific groups in their own organization. To learn more, see Understanding Ethical Walls.
- Discovery requests: Organizations are sometimes subject to litigation. As part of this process, litigants can request information from each other. Because most business communication occurs over e-mail, complying with discovery requests requires the ability to search mailbox content, including e-mail messages and attachments. To learn more, see Understanding Multi-Mailbox Search.
Why is Compliance Important?
Every organization should consider compliance. Every day organizations are required to produce evidence for litigation or to provide documentation to regulatory agencies to prove they're complying with regulations.
Organizations that consider compliance when they plan their information technology infrastructures, including their e-mail infrastructures, can supply the required documentation on demand with less effort. They can also comply with other regulatory requirements more easily.
On the other hand, organizations that don't consider compliance up front may find themselves sorting through millions of e-mail messages manually, wasting time and money. Organizations can also be held legally responsible for not complying with laws or regulatory requirements.
Although your organization may have never been subject to litigation or may not be required to follow regulatory requirements, there's a good chance that you handle private and confidential information that may be regulated by laws or regulations in your country or region. It's important that you understand the laws and regulations that apply to your organization and take proactive steps to make sure that you comply with them.
For a list of some of the laws and regulations that may apply to your organization, see Understanding Journaling.
Discussing Compliance in Your Organization
It's important to understand the requirements and obligations that may apply to your organization. If you haven't discussed compliance in your organization, the deployment of Exchange 2010 can be a catalyst for these conversations. Speak with your organization's management and legal representatives to understand the answers to the following questions:
- Do we handle customer data?
- Do we have established policies that protect customer data?
- Do we transmit confidential organizational information through e-mail?
- Do we control who can view confidential information and where it can be sent?
- Have we established policies and procedures that help us respond to legal requests for information?
- Are there laws or regulations that prohibit communication between specific groups in our organization?
- Are there laws or regulations that require us to remove data after a specific time?
This list presents some of the questions that many organizations must answer. The list isn't definitive. It provides examples to help you consider some of the issues that may apply to your organization. Your organization may have other issues to consider.
If you already have a solid compliance policy in your organization, talk with your compliance officers and management to help them understand how your organization can use Exchange 2010 as a compliance tool.