Virtually all businesses, non-profits, and educational institutions are required to retain email data, but what is the legally recommended email archiving retention period? In this post we explain how long you should be archiving your emails and how this differs based on email content.
Why Do I Need to Retain Copies of Emails?
Emails can contain important data that may be relevant for litigation. As with other forms of electronic data, emails must be retained and provided if requested by the courts. Federal laws demand the retention of email and there are also email retention laws in all 50 states in the U.S. Regulated industries also have their own laws regarding the retention of data, such as the Sarbanes-Oxley Act and HIPAA.
In the event of a legal dispute, compliance audit, or employment tribunal, emails will need to be produced. Failure to produce emails when required by regulators can result in severe financial penalties, and the consequences of not producing email data when required to do so by the courts can be devastating.
Email Archives and Email Backups for Email Retention
Many laws do not specifically state the format for retained email data, but an email archive is the best choice for data retention. Email archives are designed for long-term data storage and easy data retrieval. When an email is sent to the archive for long-term storage, it is indexed and tagged so that searches can be performed. When an email or a set of emails needs to be found, a search can be run and the emails retrieved in seconds or minutes.
Email backups serve a different purpose. In the event of a disaster such as a ransomware attack, mailboxes can be restored from backups. Backups restore data to a set point in time, but they are not suitable for recovering specific emails because backups cannot be searched. Recovering emails from backups for eDiscovery could take weeks, as opposed to minutes if you have an email archive.
The Legally Recommended Email Archiving Retention Period Differs Based on the Type of Data
Email retention periods vary considerably for different data types. Most federal and state email retention laws require email data to be retained for between 3 and 7 years, although there are exceptions, and certain types of data may have to be retained for much longer, even indefinitely.
To give you an idea about email retention times we have compiled the table below. Please bear in mind that the email retention periods included in this post do not constitute legal advice. When setting your email retention policies, it is important to seek legal advice to determine exactly how long email data must be retained.
Minimum Email Archiving Retention Periods
| Legislation | Who the regulations cover | Minimum email retention period |
| --- | --- | --- |
| Internal Revenue Service (IRS) regulations | All companies | 7 years |
| Sarbanes-Oxley Act (SOX) | All public companies | 7 years |
| Gramm-Leach-Bliley Act | Banks and financial institutions | 7 years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare providers, health insurers, healthcare clearinghouses, and business associates of HIPAA-covered entities | 7 years |
| Securities and Exchange Commission (SEC) regulations | Investment banks, investment advisors, brokers, dealers, insurance agents, and securities companies | Minimum of 7 years, up to a lifetime |
| Federal Deposit Insurance Corporation (FDIC) regulations | Banks | 5 years |
| Food and Drug Administration (FDA) regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | 5 to 35 years |
| U.S. state laws (financial records) | All companies | Variable, but mostly 3 years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 years |
| Department of Defense (DOD) regulations | DOD contractors | 3 years |
| Federal Communications Commission (FCC) regulations | Telecommunications companies | 2 years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 year |
How long do I need to archive emails?
The email archiving period is variable and typically ranges from 1 year to 7 years, although some email data may need to be kept indefinitely. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires email data to be kept for 1 year, whereas HIPAA, SOX, and the Gramm-Leach-Bliley Act require certain types of email data to be retained for 7 years.
Will any email archiving solution ensure compliance?
Not all email archiving solutions will ensure compliance with industry regulations. Typically, to be compliant, an email archiving solution must archive emails in an unchanged form, store them in a tamper-proof repository, encrypt emails in transit to the archive, encrypt email data at rest, and allow emails to be restored in their original form.
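The following Python sketch is an added example, not code from this post or from any archiving product: it models the properties just listed (raw messages kept unchanged, a SHA-256 hash chain so that any later alteration is detectable on verification) together with the subject indexing and retention-date tracking described earlier in the post. The sample message, the `Archive` class and the 7-year retention figure are constructed for the demo; encryption in transit and at rest is left to the transport and storage layers and is not shown.

```python
import hashlib
from datetime import datetime, timezone
from email import message_from_bytes

# Constructed sample message for the demo; not taken from any real mailbox.
SAMPLE_EMAIL = (b"From: finance@example.com\r\nTo: audit@example.com\r\nSubject: Q3 invoice\r\n"
                b"Date: Mon, 02 Oct 2023 10:00:00 +0000\r\n\r\nAttached invoice for Q3.\r\n")

def chain_hash(prev, msg_hash, retain_until):
    return hashlib.sha256(f"{prev}|{msg_hash}|{retain_until}".encode()).hexdigest()

class Archive:
    # Append-only store: each entry hash covers the previous entry's hash, so a later
    # edit, insertion or deletion is detected by verify(). (Hypothetical class, for the demo.)
    GENESIS = "0" * 64

    def __init__(self): self.entries = []

    def add(self, raw, retention_years, received):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        # retention clock starts at receipt; 29 Feb may not exist in the target year
        until = received.replace(year=received.year + retention_years,
                                 day=min(received.day, 28) if received.month == 2 else received.day)
        e = {"raw": raw, "msg_hash": hashlib.sha256(raw).hexdigest(), "prev": prev,
             "retain_until": until.isoformat(),
             "subject": message_from_bytes(raw)["Subject"] or ""}  # indexed for search
        e["entry_hash"] = chain_hash(prev, e["msg_hash"], e["retain_until"])
        self.entries.append(e)

    def verify(self):
        # Recompute every hash from the stored bytes; False means the archive was altered.
        prev = self.GENESIS
        for e in self.entries:
            if (hashlib.sha256(e["raw"]).hexdigest() != e["msg_hash"] or e["prev"] != prev
                    or chain_hash(prev, e["msg_hash"], e["retain_until"]) != e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True

    def search(self, text):
        return [e for e in self.entries if text.lower() in e["subject"].lower()]

    def expired(self, now):  # entries past their retention date, eligible for a policy purge
        return [e for e in self.entries if datetime.fromisoformat(e["retain_until"]) <= now]

def demo():
    arc = Archive()
    arc.add(SAMPLE_EMAIL, retention_years=7, received=datetime(2023, 10, 2, tzinfo=timezone.utc))
    intact, hits = arc.verify(), len(arc.search("invoice"))
    due, not_due = [len(arc.expired(datetime(2030, 10, d, tzinfo=timezone.utc))) for d in (2, 1)]
    arc.entries[0]["raw"] = arc.entries[0]["raw"].replace(b"Q3", b"Q4")  # simulate tampering
    return intact, hits, due, not_due, arc.verify()
```

In a real deployment the chain head would be anchored outside the archive (for example, signed and stored separately) so that an attacker with write access to the repository cannot simply rebuild the chain.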
What is the difference between a backup and an email archive?
The main difference between an email backup and an email archive is that an email archive is used for long-term email storage, whereas an email backup is used for short- to medium-term storage for disaster recovery. Backups cannot be easily searched and are best suited to restoring entire mailboxes. Email archives can be searched, and individual emails can be quickly found and restored.
What are the main benefits of email archiving?
An email archive reduces the storage consumed on the mail server, eliminates the need for mailbox quotas, and improves the performance of your email server. Email archives allow individuals to clear their inboxes without deleting emails and create a tamper-proof repository for emails to meet compliance requirements.
Why do businesses need to archive emails?
A large amount of data is stored in email accounts and often nowhere else. An email archive protects against data loss and will ensure that all important emails can quickly and easily be recovered on demand. This is essential in the event of litigation or an audit and will help to ensure compliance with the data retention requirements of many legislative acts.