What is the Legal Recommended Email Archiving Retention Period?

Legal recommended email archiving retention periods differ considerably depending on the nature of a business’s operations and the regulations it is required to comply with.

Why Do I Need to Retain Copies of Emails?

Emails can contain important data that may be relevant for litigation. As with other forms of electronic data, emails must be retained and provided if requested by the courts. Federal laws demand the retention of email and there are also email retention laws in all 50 states in the U.S. Regulated industries also have their own laws regarding the retention of data, such as the Sarbanes-Oxley Act and HIPAA.

In the event of a legal dispute, compliance audit, or employment tribunal, emails will need to be produced. The failure to produce emails when required by regulators can result in several financial penalties and the consequences of not producing email data when required to do so by the courts can be devastating.

Email Archives and Email Backups for Email Retention

Many laws do not specifically state the format for retained email data, but an email archive is the best choice for data retention. Email archives are designed for long-term data storage and easy data retrieval. When an email is sent to the archive for long-term storage, it is indexed and tagged to allow searches to be performed. When an email or set of emails needs to be found, a search can be performed and the emails can be retrieved in seconds or minutes.

Email backups serve a different purpose. In the event of a disaster such as a ransomware attack, mailboxes can be restored from backups. Backups will restore data to a set point in time, but they are not suitable for recovering specific emails as backups cannot be searched. Recovering emails from backups for eDiscovery could take weeks, as opposed to minutes if you have an email archive.

The Legal Recommended Email Archiving Retention Period Differs Based on the Type of Data

Email retention periods vary considerably for different data types. Most federal and state email retention laws require email data to be retained for between 3 and 7 years, although there are exceptions and certain types of data may have to be retained for much longer, even indefinitely.

To give you an idea about email retention times we have compiled the table below. Please bear in mind that the email retention periods included in this post do not constitute legal advice. When setting your email retention policies, it is important to seek legal advice to determine exactly how long email data must be retained.

Minimum Email Archiving Retention Periods

| Legislation | Who the regulations cover | Email retention period |
| --- | --- | --- |
| Internal Revenue Service (IRS) Regulations | All companies | 7 Years |
| Sarbanes Oxley Act (SOX) | All public companies | 7 Years |
| Gramm-Leach-Bliley Act | Banks and financial institutions | 7 Years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare providers, health insurers, healthcare clearinghouses, and business associates of HIPAA-covered entities | 6 Years |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents & securities companies | Minimum of 7 years up to a lifetime |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 Years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | 5 Years – 35 Years |
| U.S. State Laws (financial records) | All companies | Variable, but mostly 3 Years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 Years |
| Department of Defense (DOD) Regulations | DOD contractors | 3 Years |
| Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 Years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 Year |

2022 Update

There have been several changes to the recommended email retention periods listed above – demonstrating how quickly regulations can change. The IRS recently issued revised guidance on recommended email retention periods for tax-related data, while changes to the Gramm-Leach-Bliley Act in 2021 mean that customer data should now only be retained for a maximum of two years after the last date the information is used in connection with the provision of a product or service to the customer.

There have also been changes to the recommended PCI DSS data retention requirements in v4 of the standard (account data storage is to be kept to a minimum, with no retention period specified). It is also important to note that while the HIPAA email retention requirements only apply to HIPAA-related documentation (i.e., not medical records), CMS enforces email retention requirements for Medicare cost reports as required by the HITECH Act.

Email Retention Laws and Purpose Limitations

One important consideration when developing email retention policies is how long to retain emails when they are not legally required to be retained. Many states have introduced data privacy laws that follow the lead set by the EU's General Data Protection Regulation, which requires data to be deleted when it has served the purpose for which it was collected.

While businesses in some industries are exempt from complying with many state data privacy laws (e.g., HIPAA covered entities), other businesses have to balance compliance with email retention laws against compliance with laws that require emails to be deleted. In theory, it is possible for a single email conversation to include emails that have to be retained and emails that have to be deleted.

It is no longer an option to retain or archive every email until storage space becomes an issue and those beyond their legal email archiving retention period are deleted. For this reason, it is a best practice to implement an archiving solution that enables users to apply tags to emails so they can be automatically deleted (or reviewed for deletion) when a mandated retention period expires.

FAQs

How long do I need to archive emails?

How long you need to archive emails varies depending on which state and federal regulations your business is required to comply with. Typically, required email retention periods range from 1 year to 7 years, although some email data may need to be kept indefinitely and some deleted as soon as it has served the purpose for which it was collected.

Will any email archiving solution ensure compliance?

No email archiving solution will ensure compliance with legal recommended email archiving retention periods because it is not the technology that ensures compliance, but rather how the technology is configured and used. For this reason, it is important to see an email archiving solution in action before implementing it to establish its ease of use.

What is the difference between a backup and an email archive?

The main difference between a backup and an email archive is that an email archive is used for long-term email storage and an email backup is used for short- to medium-term storage for disaster recovery. Backups cannot be easily searched and are best suited to restoring entire mailboxes. Email archives can be searched, and individual emails can be quickly found and restored.

What are the main benefits of email archiving?

The main benefits of email archiving are that it reduces storage space, eliminates the need for mailbox quotas, and will improve the performance of your email server. Email archives allow individuals to clear their inboxes without deleting emails and create a tamper-proof repository for emails to meet compliance requirements.

Why do businesses need to archive emails?

Businesses need to archive emails because a large amount of data is stored in email accounts and often nowhere else. An email archive protects against data loss and will ensure that important emails can quickly and easily be recovered on demand. This is essential in the event of litigation or an audit and will help to ensure compliance with the data retention requirements of many legislative acts.

What are regulatory email archiving requirements?

Regulatory email archiving requirements vary from regulation to regulation. However, to generally enable compliance with regulatory email archiving requirements, an email archiving solution must archive emails in an unchanged form, store emails in a tamper proof repository, encrypt emails in transit to the archive, encrypt data at rest, and allow emails to be restored in their original form.

Which state email retention laws have purpose limitations?

State email retention laws that have purpose limitations include California's Consumer Privacy and Privacy Rights Acts, Colorado's Privacy Act, Connecticut's Data Privacy Act, Virginia's Consumer Data Protection Act, and Utah's Consumer Privacy Act. A number of other states are in the process of introducing similar legislation, and businesses are advised to use resources such as the IAPP's State Privacy Legislation Tracker to identify when changes may be required to email retention policies.

Should businesses have a separate email retention policy for terminated employees?

Businesses do not need to have a separate email retention policy for terminated employees because it is the nature of the email's content rather than the recipient/sender that is subject to email retention requirements. However, it is a best practice to change the login credentials for terminated employees' accounts (and any other accounts they may have had access to) in order to prevent them from connecting remotely and altering or deleting emails.

How can businesses best comply with different email retention regulations?

Businesses can best comply with different email retention regulations by implementing an email archiving solution with indexing and automated deletion capabilities. Each email can then be indexed as it is archived, and automatically deleted when the required retention period expires. This process can also be used to flag emails for review to comply with purpose limitation requirements.
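The tag-driven retention sweep described here and under "Email Retention Laws and Purpose Limitations" can be illustrated with a small policy engine. This is an added example, not code from the article or from any archiving product. The rule set is constructed for illustration: the 7-year SOX and 6-year HIPAA periods are taken from the table above, and the `customer-marketing` category is an assumed purpose-limited class with no statutory minimum. The engine keeps an email on hold while any tagged period is still running (the longest applicable period wins), deletes it when only fixed periods applied, and flags it for review instead when a purpose-limited tag is also present or when the purpose for which it was collected has ended.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed rule set. "years" is the fixed retention period from the table on this page;
# "review" marks an assumed purpose-limited category with no statutory minimum.
RETENTION_RULES = {
    "sox-financial": {"years": 7, "action": "delete"},
    "hipaa-documentation": {"years": 6, "action": "delete"},
    "customer-marketing": {"years": None, "action": "review"},
}


@dataclass
class ArchivedEmail:
    message_id: str
    archived_on: date
    tags: set = field(default_factory=set)
    purpose_ended_on: Optional[date] = None   # set when the collection purpose is fulfilled


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February start date lands on 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def schedule_action(email: ArchivedEmail, today: date):
    """Return (action, relevant_date): action is 'hold', 'delete' or 'review'."""
    rules = [RETENTION_RULES.get(t) for t in email.tags]
    if not email.tags or any(r is None for r in rules):
        # Unclassified or unknown tags: neither safe to delete nor to keep forever.
        return ("review", None)

    fixed = [r["years"] for r in rules if r["years"] is not None]
    purpose_limited = any(r["action"] == "review" for r in rules)

    if fixed:
        # A mandated retention period overrides any purpose limitation until it expires.
        expiry = add_years(email.archived_on, max(fixed))
        if today < expiry:
            return ("hold", expiry)
        return ("review", expiry) if purpose_limited else ("delete", expiry)

    # Only purpose-limited tags: keep until the purpose ends, then route to review.
    if email.purpose_ended_on is not None and today >= email.purpose_ended_on:
        return ("review", email.purpose_ended_on)
    return ("hold", email.purpose_ended_on)


def run_retention_sweep(emails, today: date):
    """Map each message id to the action the archive should take on this sweep."""
    return {e.message_id: schedule_action(e, today) for e in emails}


def sample_emails():
    """Constructed archive contents used to exercise the rules."""
    return [
        ArchivedEmail("m1", date(2015, 3, 1), {"sox-financial"}),
        ArchivedEmail("m2", date(2017, 6, 10), {"sox-financial", "hipaa-documentation"}),
        ArchivedEmail("m3", date(2021, 1, 5), {"customer-marketing"}, date(2022, 9, 30)),
        ArchivedEmail("m4", date(2015, 1, 1), {"customer-marketing", "sox-financial"}),
        ArchivedEmail("m5", date(2022, 11, 2)),
    ]


if __name__ == "__main__":
    for mid, (action, when) in run_retention_sweep(sample_emails(), date(2023, 1, 15)).items():
        print(f"{mid}: {action} ({when})")
```

Running the sweep on 15 January 2023 deletes `m1` (its 7-year period ended in March 2022), holds `m2` until June 2024 because the longer SOX period applies, and routes `m3`, `m4` and the untagged `m5` to review rather than deleting them automatically.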

What is email archiving compliance?

Email archiving compliance means implementing technologies and policies to ensure emails are archived in compliance with whatever laws a business is subject to. For example, most email archiving compliance laws require end-to-end encryption, safeguards against tampering, and access controls. It is important that technologies implemented to comply with email archiving regulations not only have the necessary capabilities, but are also configured correctly.
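The tamper safeguards mentioned here and under "What are regulatory email archiving requirements?" (emails stored in unchanged form in a tamper-proof repository) can be demonstrated with a keyed, append-only hash chain. This is an added example, not code from the article or from any archiving product. It assumes an integrity key (`ARCHIVE_KEY`, a constructed value) that only the archive service holds, so that someone who can edit stored records cannot simply recompute the chain. Each record keeps the raw message bytes exactly as received, a SHA-256 of those bytes, and an HMAC link over the previous link and the record metadata; `verify_archive` recomputes every link and reports the first record that fails. Passing the last known head link lets the check also detect that the tail of the archive has been removed.

```python
import hashlib
import hmac
import json

# Assumed secret held by the archive service only (constructed value for this example).
ARCHIVE_KEY = b"example-archive-integrity-key"
GENESIS = "0" * 64          # link value before the first record


def _link(key: bytes, prev_link: str, body: dict) -> str:
    """HMAC-SHA256 over the previous link and the canonical JSON of this record's metadata."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, prev_link.encode() + canonical, hashlib.sha256).hexdigest()


def append_email(archive: list, raw_message: bytes, received_at: str, key: bytes = ARCHIVE_KEY) -> dict:
    """Store the message bytes unchanged together with a chained integrity value."""
    prev = archive[-1]["link"] if archive else GENESIS
    body = {
        "seq": len(archive),
        "received_at": received_at,
        "sha256": hashlib.sha256(raw_message).hexdigest(),
        "size": len(raw_message),
    }
    record = {**body, "raw": raw_message, "link": _link(key, prev, body)}
    archive.append(record)
    return record


def verify_archive(archive: list, key: bytes = ARCHIVE_KEY, expected_head: str = None):
    """Recompute every link. Return (True, None) or (False, index of the first bad record);
    a truncated tail is reported as index len(archive) when expected_head is supplied."""
    prev = GENESIS
    for i, rec in enumerate(archive):
        raw = rec["raw"]
        if rec["seq"] != i or rec["size"] != len(raw) or hashlib.sha256(raw).hexdigest() != rec["sha256"]:
            return False, i
        body = {k: rec[k] for k in ("seq", "received_at", "sha256", "size")}
        if not hmac.compare_digest(_link(key, prev, body), rec["link"]):
            return False, i
        prev = rec["link"]
    if expected_head is not None and prev != expected_head:
        return False, len(archive)
    return True, None


def build_sample_archive() -> list:
    """Constructed messages; timestamps are fixed so the chain is reproducible."""
    archive = []
    append_email(archive, b"From: cfo@example.test\r\nSubject: Q1 close\r\n\r\nNumbers attached.\r\n",
                 "2023-04-03T09:12:00Z")
    append_email(archive, b"From: ap@example.test\r\nSubject: Invoice 1182\r\n\r\nPayment approved.\r\n",
                 "2023-04-03T10:40:00Z")
    append_email(archive, b"From: hr@example.test\r\nSubject: Policy update\r\n\r\nSee attached.\r\n",
                 "2023-04-04T08:05:00Z")
    return archive


if __name__ == "__main__":
    archive = build_sample_archive()
    head = archive[-1]["link"]
    print("intact:", verify_archive(archive, expected_head=head))
    archive[1]["raw"] = archive[1]["raw"].replace(b"approved", b"rejected")
    print("after editing record 1:", verify_archive(archive, expected_head=head))
```

The head link is the value worth recording outside the archive (for example in a write-once log or a periodic attestation), because without it an append-only chain cannot tell a legitimately short archive from one whose newest records were dropped.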

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news