What is the Legal Recommended Email Archiving Retention Period?

Virtually all businesses, non-profits, and educational institutions are required to retain email data, but what is the legal recommended email archiving retention period? In this post we explain how long you should be archiving your emails and how this differs based on email content.

Why Do I Need to Retain Copies of Emails?

Emails can contain important data that may be relevant for litigation. As with other forms of electronic data, emails must be retained and provided if requested by the courts. Federal laws demand the retention of email and there are also email retention laws in all 50 states in the U.S. Regulated industries also have their own laws regarding the retention of data, such as the Sarbanes-Oxley Act and HIPAA.

In the event of a legal dispute, compliance audit, or employment tribunal, emails will need to be produced. The failure to produce emails when required by regulators can result in severe financial penalties, and the consequences of not producing email data when required to do so by the courts can be devastating.

Email Archives and Email Backups for Email Retention

Many laws do not specifically state the format for retained email data, but an email archive is the best choice for data retention. Email archives are designed for long-term data storage and easy data retrieval. When an email is sent to the archive for long-term storage, it is indexed and tagged so that searches can be performed. When an email or set of emails needs to be found, a search can be performed and the emails can be retrieved in seconds or minutes.

Email backups serve a different purpose. In the event of a disaster such as a ransomware attack, mailboxes can be restored from backups. Backups restore data to a set point in time, but they are not suitable for recovering specific emails because backups cannot be searched. Recovering emails from backups for eDiscovery could take weeks, as opposed to minutes if you have an email archive.

The Legal Recommended Email Archiving Retention Period Differs Based on the Type of Data

Email retention periods vary considerably for different data types. Most federal and state email retention laws require email data to be retained for between 3 and 7 years, although there are exceptions, and certain types of data may have to be retained for much longer, even indefinitely.

To give you an idea about email retention times we have compiled the table below. Please bear in mind that the email retention periods included in this post do not constitute legal advice. When setting your email retention policies, it is important to seek legal advice to determine exactly how long email data must be retained.

Minimum Email Archiving Retention Periods

| Legislation | Regulations Cover… | Minimum Email Retention Period |
|---|---|---|
| Internal Revenue Service (IRS) Regulations | All companies | 7 Years |
| Sarbanes-Oxley Act (SOX) | All public companies | 7 Years |
| Gramm-Leach-Bliley Act | Banks and financial institutions | 7 Years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare providers, health insurers, healthcare clearinghouses, and business associates of HIPAA-covered entities | 7 Years |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents, and securities companies | Minimum of 7 years, up to a lifetime |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 Years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | 5 Years – 35 Years |
| U.S. State Laws (financial records) | All companies | Variable, but mostly 3 Years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 Years |
| Department of Defense (DOD) Regulations | DOD contractors | 3 Years |
| Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 Years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 Year |

Author: NetSec Editor