Compliance with Microsoft® Exchange Server 2010

Microsoft Exchange Server 2010 can help organizations better meet compliance requirements for email, including data retention, discovery, policy management, and security. The following sections provide an overview of the compliance tools in Exchange 2010 and describe how they can help support common compliance scenarios. Note that Exchange 2010 is not designed to address all requirements of any specific regulation. Microsoft recommends that you work closely with your compliance subject matter experts, legal counsel, and auditors to confirm the complete set of business processes and technical controls suitable for your organization.

For a more in-depth discussion of compliance, archiving, and the capabilities of Exchange 2010 that help manage these challenges, please see Microsoft’s white papers: Compliance and Email, and Archiving and Discovery.

Compliance and Email

Supporting Compliance with Exchange 2010

Let PlexHosted’s experts help you deploy an effective regulatory compliance solution with Exchange 2010.
With the bulk of business communications today being conducted electronically, email has come under increasing scrutiny by regulators. Much of this scrutiny is aimed at regulated businesses such as financial services and healthcare. But messaging compliance actually extends much further to practically every size and type of organization. This includes messaging requirements related to legal e-Discovery, internal governance, industry standards, and other regulations.

Is your company ready to comply with a regulatory request for electronic messaging?

Exchange 2010 supports the fundamental requirements of messaging compliance: preservation, discovery, control, protection, reporting, and availability. However, as with all messaging technology, it is important to note that no single technology can offer a turnkey “compliance solution”, because compliance requires internal procedural controls such as training and auditing that are beyond the scope of technology. That said, Exchange 2010 can help reduce the cost and complexity of a wide range of compliance challenges.

Retention and Discovery

  • Personal Archive
  • Retention Tags
  • Legal Hold
  • Single Item Discovery
  • Multi-Mailbox Search
  • Journaling


  • Network Encryption
  • Message Encryption
  • Anti-Spam Filtering
  • Anti-Virus Support
  • Mobile Security

Inspection and Control

  • Transport Rules
  • MailTips
  • Message Classifications
  • Role-Based Access Control

Reporting and Availability

  • Administrative Auditing
  • Mailbox Access Auditing
  • Delivery Reports
  • Mailbox Resiliency

Exchange 2010 features advanced capabilities that can help automate and simplify fundamental compliance requirements.

Archiving and Discovery

Supporting Archiving with Exchange 2010

Many businesses, particularly healthcare and financial services companies, are subject to legal orders to produce documents as part of a discovery process. Although a very productive form of communication, email by its very nature has the potential to exist in many places: .PST files, back-ups, SharePoint, web mail, and third-party archives.

Will you be ready for a discovery request for your company’s email?

With Exchange 2010, Microsoft has taken a new approach to email archiving. Recognizing the importance of deploying an effective archiving and discovery solution, Microsoft has delivered new capabilities for integrated email archiving, retention, and discovery with the release of Exchange Server 2010. These built-in features were designed with an appreciation for the potential barriers that have previously limited wide scale adoption of email archiving. These capabilities can help you preserve and discover email without having to alter either the user or IT professional experience.

Personal Archive

  • Secondary mailbox with separate quota
  • Appears in Outlook and OWA
  • Managed through EMC

Move and Delete policies

  • Automated and time-based criteria
  • Set policies at item or folder level
  • Expiry date shown in e-mail message

Hold Policy

  • Capture deleted and edited e-mail messages
  • Offers single item restore
  • Notify user on hold

Multi-Mailbox search

  • Web-based UI
  • Search primary, archive, and recoverable items
  • Delegate through role-based admin
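The four archiving features listed above map directly onto Exchange Management Shell cmdlets. The following is an added illustration, not code from the page, PlexHosted, or Microsoft; the mailbox names, quotas, retention periods, search terms and the intranet URL are constructed placeholders, and the archive quota parameters assume Exchange 2010 SP1 or later.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2010 server.
# All identities, sizes, dates and URLs below are constructed placeholders.

# 1. Personal Archive: a secondary mailbox with its own quota (quota parameters need SP1+)
Enable-Mailbox -Identity "alice@contoso.com" -Archive
Set-Mailbox -Identity "alice@contoso.com" -ArchiveQuota 10GB -ArchiveWarningQuota 9GB

# 2. Move and Delete policies: time-based retention tags grouped into one policy.
#    Type All = default tag for the whole mailbox; Type DeletedItems = folder-level tag.
New-RetentionPolicyTag -Name "Archive after 1 year" -Type All `
    -AgeLimitForRetention 365 -RetentionAction MoveToArchive
New-RetentionPolicyTag -Name "Purge Deleted Items after 30 days" -Type DeletedItems `
    -AgeLimitForRetention 30 -RetentionAction DeleteAndAllowRecovery
New-RetentionPolicy -Name "Corporate Retention" `
    -RetentionPolicyTagLinks "Archive after 1 year","Purge Deleted Items after 30 days"
Set-Mailbox -Identity "alice@contoso.com" -RetentionPolicy "Corporate Retention"
# Process the mailbox now rather than waiting for the scheduled assistant run
Start-ManagedFolderAssistant -Identity "alice@contoso.com"

# 3. Hold Policy: litigation hold preserves deleted and edited items in the
#    Recoverable Items folder; RetentionComment/RetentionUrl surface the hold to the user.
Set-Mailbox -Identity "alice@contoso.com" -LitigationHoldEnabled $true `
    -RetentionComment "Your mailbox is on legal hold; deleted items are preserved." `
    -RetentionUrl "http://intranet.contoso.com/legal-hold"   # placeholder URL

# 4. Multi-Mailbox Search: discovery search across primary, archive and recoverable
#    items, with results copied to the discovery mailbox for review. The operator must
#    hold the Discovery Management role (delegated through RBAC).
New-MailboxSearch -Name "Case-0001" `
    -SourceMailboxes "alice@contoso.com","bob@contoso.com" `
    -SearchQuery '"project alpha"' `
    -StartDate "01/01/2010" -EndDate "12/31/2010" `
    -TargetMailbox "Discovery Search Mailbox" -LogLevel Full
Start-MailboxSearch -Identity "Case-0001"
Get-MailboxSearch -Identity "Case-0001" | Format-List Status,ResultNumber,ResultSize

# Verification: confirm the controls actually landed on the mailbox
Get-Mailbox -Identity "alice@contoso.com" |
    Format-List ArchiveName,RetentionPolicy,LitigationHoldEnabled,LitigationHoldDate
```

The final Get-Mailbox check is worth keeping in a change record, since a hold that was requested but never applied is the gap an auditor or opposing counsel will find first.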

Supporting Compliance with Exchange 2010

Following is a sampling of regulations across a wide range of industries that typically apply to email. While many regulations outline strict requirements for the handling of data, few make direct reference to specific types of data such as email. For this reason, it is important to carefully monitor the data transmitted and stored by your organization via email. If the data is regulated, your email systems may be subject to that regulation.


Electronic Discovery (e-Discovery)

E-Discovery refers to the preservation, retrieval, and review of electronically stored information (ESI) for litigation purposes. Unlike other regulatory scenarios, e-Discovery requirements affect virtually all companies subject to litigation. In the United States, e-Discovery is the subject of amendments to the Federal Rules of Civil Procedure (FRCP). Specifically, the FRCP Amendments require organizations to be able to retrieve in a timely manner all ESI (including email) that may be relevant to a case. This is not to say that all email data must be preserved at all times. The ruling provides “safe harbor” for companies that delete relevant data, as long as it is done based on "good faith" application and auditing of standard retention processes. Policies must be applied consistently before litigation is reasonably foreseeable in order to be eligible for "safe harbor".

Sarbanes-Oxley Act (SOX)

This law, commonly referred to as SOX, was designed to bring greater accountability and transparency to the financial operations of all publicly traded companies. While SOX does not explicitly call out email, SOX mandates that public companies must control, protect, and retain financial data and related files that must be publicly disclosed. For example, SOX requires auditors to retain work papers and other information related to any audit report for a minimum of seven years. SOX also mandates that controls be put into place to prevent “unauthorized use” of or tampering with financial information both at rest and in transit and that these controls be documented for auditing purposes. Based on SOX, other countries have introduced similar legislation including Belgium, Canada, France, Japan, the Netherlands, and the United Kingdom.

The European Union (EU) Data Protection Directive

The EU Data Protection Directive (also known as Directive 95/46/EC) was designed to protect the privacy of personal data of EU citizens, including personal data contained in email. The directive extends to data that is passed outside the EU and also applies to foreign companies that have employees or customers in EU member states. Processing and collection of personal data can only be done with user consent. Once data is collected, the collecting organization must implement appropriate technical measures to prevent its destruction, loss, alteration, or unauthorized disclosure, storage, or access.

Financial Services

United States Securities and Exchange Commission (SEC) Rule 17a

The SEC originally enacted the Securities Exchange Act to protect investors from fraudulent or misleading claims by securities dealers. The Act required member firms to create and maintain transaction records which could be reviewed and audited. Rule 17a-4 of the Act was amended to provide procedures for storage of electronic records, including email and instant messages. The rule requires that archived messages must be stored for three years in duplicate and a second copy must be stored offline in permanent, tamperproof media. Archived messages must be date/time-stamped, serialized and indexed for easy retrieval.

National Association of Securities Dealers (NASD) Rule 3010

NASD Rule 3010 requires that broker-dealers and others implement specific capabilities for the sampling and review of messages sent out by broker-dealers. Other applicable NASD rules are Rules 3110 and 2210, which establish retention regulations similar to SEC Rule 17a-4.

Gramm-Leach-Bliley Act (GLBA)

GLBA requires financial institutions to safeguard clients’ private information. This includes encrypting messages that contain confidential information when transmitted over an unprotected link, controlling access to sensitive customer data, and protecting email servers and network drives where confidential information may be stored. GLBA also requires specific protection from phishing, since this form of traffic may increase the risk of unauthorized access to and use of confidential data.

Healthcare and Life Sciences

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA requires that health care organizations adopt medical information security, privacy, and data standards to protect patient information. It extends to other organizations that may store or transmit patient data, such as health insurance companies. Health data must be isolated and protected from unauthorized access, and the transmission of health information by email must be secured to ensure the confidentiality of the data. While HIPAA does not specifically mention the retention of email, there is a required preservation period of up to six years for security and privacy policies, procedures, documentation of complaints, and other medical records. Email containing these types of data may be subject to the retention period.

Rule 21 CFR Part 11 (21 CFR 11)

Primarily focused on pharmaceutical and other U.S. Food and Drug Administration (FDA)-controlled industries, 21 CFR 11 defines requirements for electronic records, electronic signatures, non-repudiation, authenticity, and other controls. If the text in an email supports activities such as change control approvals or failure investigations, then the email messages have to be managed in a compliant way. This includes the use of secure electronic signatures as well as an audit trail of additions, deletions, and changes that is computer-generated, operator-independent, time-stamped, and secure.