How to Manage Legal Holds in Google Vault

Google defines Google Vault as “an information governance and eDiscovery tool” for Google Workspace, but the solution offers much more than electronic discovery or mere data storage. 

Since 2012, Vault has completely changed the game for legal investigations and holds, empowering companies to safeguard their data during legal proceedings. By placing legal holds on data, organizations ensure their data cannot be tampered with or deleted—guaranteeing the retention and integrity of the information.

Companies may need to place data on a legal hold for various reasons. Legal holds can be crucial for meeting regulatory requirements across industries, including regulations like GDPR, HIPAA, and SOX. Or, data may be placed on hold due to a specific project, such as a merger or acquisition. In more extreme scenarios, holds may arise due to litigation. 

Google Vault acts as a powerful solution for organizations when placing legal holds, guaranteeing data preservation without disrupting normal business operations. It enables organizations to retain and search for data across various Google services, including Gmail, Drive, Chat, Groups, and Voice.

Understanding Vault’s capabilities when managing legal holds is a huge asset for IT, Legal, and even Compliance teams. In this post, we’ll cover how to place various types of data on a legal hold within Google Vault. We’ll also examine how to review all holds for an organization and how to delete a user with data on hold. 

What’s the difference between a hold and a retention rule?

In Vault, administrators have the option to enable retention rules as well as create legal holds. These terms may seem similar, but they are not to be confused or used interchangeably. 

Holds

  • Holds are usually created for a specific investigation or legal issue.
  • Holds apply to individual accounts, organizational units, or groups.
  • Holds preserve data for an indefinite period of time, up until the hold is deleted.
  • Holds take precedence over retention rules. 
  • When a hold is deleted, data immediately becomes subject to applicable retention rules.

Retention rules

  • Retention rules are more proactive; they control how long data is preserved.
  • Retention rules apply to the users in organizational units or groups. They can also apply to shared drives and Chat spaces. 
  • Unlike holds, retention rules cannot be applied to individual accounts. 
  • Retention rules preserve data for a specified period of time. This can be a certain number of days or even indefinitely. 
  • Retention rules will not work on data placed on hold. They will only be applied when the hold is removed.

Remember that legal holds always supersede retention rules. Data on a hold will not be purged until the hold is removed. 

What data is protected by a hold?

The following are all the services that can have data protected by a hold. We’ll go over how to place data on a legal hold within these services below. This will require administrators to create what Google calls a “matter,” which provides a container for the holds, searches, and exports related to a specific eDiscovery project.

Gmail: Messages and attachments in Gmail

Groups: Messages in Google Groups

Chat: On-the-record (history on) Google Chat messages

Drive: Items in users’ Drives (with the option of items in associated shared drives), Meet recordings, log files associated with the recordings, and new Google Sites sites 

Voice: Google Voice text messages, call logs, voicemails and their transcripts. 

How to place data on hold

  1. Sign in to vault.google.com.
  2. Click “Matters.”
  3. If the matter already exists, click to open it. Otherwise, create a matter:
  4. Click “Create.”
  5. Enter a name for the matter, and optionally, write a description.
  6. Click “Create.”
  7. Click “Holds” > “Create.”
  8. Enter a unique name for the hold.
  9. Click “Choose service” and then choose the service you want.
  10. Click “Continue.”
  11. Select the scope of the hold:
    • Specific accounts—Enter one or more account or group email addresses.
    • Organizational unit—Select an organizational unit.
    • Note: It is strongly recommended to not select the top organizational unit. If you do, you won’t be able to delete any Google Workspace accounts from your organization.

12. As an optional step for Gmail or Groups, you can set the conditions for the hold:

  • Sent date—Enter dates to limit the hold to messages sent within the start and end dates.
      • To hold messages sent on or after a specific date, enter only a start date.
      • To hold messages sent on or before a specific date, enter only an end date.
      • To hold messages no matter when they were sent, don’t enter a start or end date.
  • Terms—Enter search terms and operators to apply the hold to only messages that match the terms.

13. Click “Create and “Continue.”

How to review all holds for an organization

Within Vault, administrators have the ability to examine the organizational units, users, and groups that are placed on hold across all matters. This view is valuable as holds take priority over default and custom retention rules. 

By reviewing this information, administrators can gain insights into which data falls outside the scope of typical data governance policies. Please note that admins need the “Manage Audits” privilege to complete this task.

  1. Sign in to vault.google.com.
  2. Click “Reports.”
  3. Click the tab for the type of holds you want to review:
    1. Domain Holds—See a list of holds that apply to an organizational unit.
    2. User Holds—See a list of user accounts with data on hold.
    3. Group Holds—See a list of groups with data on hold.

How to delete a user with data on hold

  1. Sign in to vault.google.com.
  2. Click “Reports.”
  3. Release the user from any account-based holds:
    • Click “User Holds.”
    • Enter the account in the search bar.
    • Find the account.
    • Click the row with the account.
    • Click each hold and release the account from the scope of the hold.
  4. Identify holds on organizational units that the account belongs to, and move the account out of the organizational unit.
    • In the Admin console, go to “Menu” > “Directory” > “Users.”
    • Click the row with the user.
    • Find the user’s organizational unit and any parent organizational units.
    • In Vault, click “Domain Holds.”
    • Search the list of holds for the user’s organizational unit and any parent organizational units. If the organizational unit is on hold, move the account to an organizational unit that isn’t on hold. 
    • If the list includes holds with a scope of “All accounts,” the hold is set on the top-level organizational unit. You need to reorganize users into at least two child organizational units so that at least one organizational unit isn’t on hold.
  5. Wait 24 to 48 hours for the Directory and Vault settings to completely update.
  6. Delete the user.

Overall, Google Vault offers a comprehensive solution for managing legal holds for companies using Google Workspace. With Vault’s ability to facilitate holds, businesses can preserve critical data that may be crucial for potential legal proceedings. 

Using Vault, administrators can preserve the integrity of documents, emails, and more within a defined scope, as well as the integrity of future information within the scope. Administrators can also put holds on specific user accounts. For example, if an employee is suspected of leaking sensitive customer data, legal action might be taken. Using Vault, administrators can put a hold on the user’s account, create a matter, and then create and save a search query for the user’s name. 

By being strategic and placing legal holds, companies guarantee the retention and integrity of their information, reducing the risk of data loss or tampering that might undermine the outcome of legal actions. To learn more about how Legal, IT, and Security teams can work together to implement Vault in their organization, check out our complete guide to Google Vault

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira