It’s easy to confuse litigation hold with backup – both have something to do with ‘protecting’ data. However, backup and litigation hold differ in many ways, and any organization that fails to appreciate the differences between them (and the benefit of each) will eventually pay the price. Let’s look at the fundamental distinctions between litigation hold and backup.
The phrase ‘litigation hold’ is derived from US case law (2003,) in which the court decided that ‘once a party reasonably anticipates litigation, it must pause its usual document retention/destruction strategy and implement a ‘litigation hold’ to assure the preservation of pertinent records.’
To enable eDiscovery, Microsoft introduced a litigation hold (also known as legal hold) retention capability for Microsoft Exchange in 2010. The functionality was designed primarily to preserve data in the event of a legal requirement to maintain information for access and display during litigation. Consider it for documentation reasons rather than restoring data to operating platforms such as Microsoft 365.
Later, Microsoft added the ability to establish in-place holds, which are holds based on a query (for example, “find all messages containing the word ‘Project Starburst'”). The back-end implementation of litigation and in-place holds differs differently; you can learn more here.
Let me repeat it little differently: Litigation hold was never intended to be used as a backup service. Nonetheless, some people continue to rely on it as a backup option, particularly to make ends meet when they do not have a defined data protection strategy (including a third-party backup service), arguing that “any type of data preservation is better than none, right?”
However, there are several downsides and significant hazards involved with these sorts of configurations, which lead to a perilous, false impression of data security. Some of the drawbacks and hazards of using litigation hold as a backup are as follows:
The basic lesson is that you cannot rely on litigation holds or in-place holds as general-purpose recovery methods after mistakes or disasters. That’s not what they’re designed for, and if you try to use them for that, you risk losing data.
Backup, by definition, offers one or more extra copies of your data that are physically independent from your core dataset. Physical isolation is an important aspect of backup since putting backup data in the same area as main data creates a single point of failure. In these configurations, there is no data redundancy.
The physical separation rule in conventional on-premises backup meant having an off-premises backup kept in another building – so that a calamity, such as a fire in one building, would not destroy all of your data. When it comes to cloud backup, it’s reasonable to wonder, “What cloud does my backup data travel to?” Typically, the response is ‘Microsoft Azure’ or ‘Amazon Web Services.’
Ideally, you want that data to move to a cloud that isn’t controlled by your SaaS application vendor (thus putting your Microsoft 365 data in Azure wouldn’t be fair); otherwise, you’re breaking the physical-separation requirement.
Any service that does not offer this separation of copies is not and should not be called a service.
Keepit frequently discusses the ‘3 Ms’ that might cause data loss: human errors, mishaps at the SaaS application provider, and hostile acts from within or outside the company.
If anything happens to the primary (original) dataset, a properly executed backup scheme protects against all three Ms: malicious action in the form of a ransomware attack or a disgruntled employee; mistakes where someone with legitimate access accidentally deletes important data (or needs to back out changes they don’t want to keep); and mishaps where the service provider experiences an outage or data loss.
Litigation holds cannot protect you against all three Ms: there is no physical separation, there is little capacity to perform large-scale restorations, and there is no true idea of version control.
Aside from the essential aspects of data redundancy and availability, a reputable backup system will include a plethora of convenience and productivity-enhancing tools and services, further separating it from litigation hold. The first thing to look for is a cloud-only solution, not a refurbished or reskinned on-premises system. Rather, a competent third-party backup service.
Here are some of the most important advantages to look for in a dedicated third-party backup solution:
Get an in-depth look at data security in the cloud age with the e-guide on. Alternatively, if you’d like to learn more about Keepit backup and recovery services for Microsoft 365, Salesforce, Google Workspace, and others, Contact us.