Virtually all businesses, non-profits, and educational institutions are required to retain email data, but what is the legally recommended email archiving retention period? In this post we will explain how long you should be archiving your emails and how this differs based on email content.
Why Do I Need to Retain Copies of Emails?
Emails can contain important data that may be relevant for litigation. As with other forms of electronic data, emails must be retained and provided if requested by the courts. Federal laws demand the retention of email and there are also email retention laws in all 50 states in the U.S. Regulated industries also have their own laws regarding the retention of data, such as the Sarbanes-Oxley Act and HIPAA.
In the event of a legal dispute, compliance audit, or employment tribunal, emails will need to be produced. The failure to produce emails when required by regulators can result in severe financial penalties, and the consequences of not producing email data when required to do so by the courts can be devastating.
Email Archives and Email Backups for Email Retention
Many laws do not specifically state the format for retained email data, but an email archive is the best choice for data retention. Email archives are designed for long-term data storage and easy data retrieval. When an email is sent to the archive for long-term storage, it is indexed and tagged so that searches can be performed. When an email or set of emails needs to be found, a search can be run and the emails retrieved in seconds or minutes.
Email backups serve a different purpose. In the event of a disaster such as a ransomware attack, mailboxes can be restored from backups. Backups restore data to a set point in time, but they are not suitable for recovering specific emails because backups cannot be searched. Recovering emails from backups for eDiscovery could take weeks, as opposed to minutes if you have an email archive.
The Legal Recommended Email Archiving Retention Period Differs Based on the Type of Data
Email retention periods vary considerably for different data types. Most federal and state email retention laws require email data to be retained for between 3 and 7 years, although there are exceptions, and certain types of data may have to be retained for much longer, even indefinitely.
To give you an idea about email retention times we have compiled the table below. Please bear in mind that the email retention periods included in this post do not constitute legal advice. When setting your email retention policies, it is important to seek legal advice to determine exactly how long email data must be retained.
Minimum Email Archiving Retention Periods
| Legislation | Regulations Cover… | Minimum Email Retention Period |
|---|---|---|
| Internal Revenue Service (IRS) Regulations | All companies | 7 Years |
| Sarbanes-Oxley Act (SOX) | All public companies | 7 Years |
| Gramm-Leach-Bliley Act | Banks and financial institutions | 7 Years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare providers, health insurers, healthcare clearinghouses, and business associates of HIPAA-covered entities | 7 Years |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents, and securities companies | Minimum of 7 years, up to a lifetime |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 Years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | 5 Years – 35 Years |
| U.S. State Laws (financial records) | All companies | Variable, but mostly 3 Years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 Years |
| Department of Defense (DOD) Regulations | DOD contractors | 3 Years |
| Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 Years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 Year |