Sarah Vouga - Waterford Technologies
Recently, I saw a post on an IT network site that I felt was important to share and blog on:
“I know this can vary greatly by state, but does anyone know of a source that details email retention policies for businesses? Things like: who has to archive all mail vs who doesn’t at all, how many years the data has to be kept? I am looking for more of a legal standing than for tax reasons; a colleague of our owner was recently sued, and as part of the discovery phase the lawyers had to review every bit of data they had saved. Almost 10 years’ worth. Charged him by the hour of course and the fees were GINORMOUS. So the question was raised as to how long we actually need to keep data. Can’t seem to find a resource on it though so I am looking for any documentation or information that can help.” – A. Stacey
What is an Email Retention Policy?
The first thing everyone needs to understand is that archiving and retention are not the same thing. Email archiving allows an organization to keep email messages for an indefinite period, capturing and pre-indexing every email in real time to provide a complete, unalterable and secure email archive. In December of 2006, the Federal Rules of Civil Procedure (FRCP) were amended to say that communications (emails, texts, instant messages, etc.), files, directives and requests that may be relevant to current or future litigation cannot simply be deleted or overwritten. Due to this amendment, most businesses choose to archive their emails to comply with industry or government regulations.
An email retention policy, by contrast, is a list of parameters created by an organization to determine which email and other communication records need to be kept for compliance or other business reasons. The policy should also have a timetable for when retained records can be moved to off-site storage archives or be destroyed. Retention policies are, in many cases, influenced by laws and regulations such as Sarbanes-Oxley, FINRA, HIPAA, Basel II, etc.
There are two HUGE reasons a business should have an email retention policy in place:
- Laws and regulations
- Legal concerns
If your business is governed by government or industry standards, email retention is particularly important, and the laws regarding it can change and differ at the local, national, and industry level. Likewise, retained emails can be a strong element in any legal action your business may be involved in.
Every business and every industry is different, of course, but in general, emails that should be retained include:
- Decisions, directives, policies, or disciplinary actions communicated to employees by management via email
- Emails to customers for the purpose of conducting business
- Emails communicating financial information to investors, partners, agents, or others who may make decisions based on this information
- Communications that comply with government or industry regulations (such as HIPAA)
Once you’ve established what should be retained, the next step is to determine how long it should be kept. Again, industry standards and government regulations can play a role here. Keep in mind that emails that have been placed on legal hold cannot be deleted. Whatever schedule you adopt for the deletion of retained emails, be sure it complies with the particular criteria of your industry.