Everything to Know About Email Retention Laws

  • Email Archiving
  • Everything to Know About Email Retention Laws

    (Please note: The information presented in this article is not legal advice. It is meant for educational and planning purposes only. Please consult with your legal counsel for any issues related to email retention laws.)

    Archiving email, when done without advanced technology, requires a tremendous amount of time and resources for businesses. While archiving email is time-consuming, it’s absolutely necessary as a result of federal, state and industry email retention laws.

    Retention periods will vary dependent upon the laws and regulations that govern your specific business functions. Modern email retention laws require all organizations to quickly execute a legal hold on archived email and provide data in the case of litigation. Failure to comply often results in sanctions, fiscal penalties, and damage of your organizations’ reputation in the public eye.

    “Modern email retention laws require all organizations to quickly execute a legal hold on archived email and provide data in the case of litigation.”

    Origin of Email Retention Law

    These demanding email archiving regulations, in which essentially nothing electronic that might be relevant for litigation can be deleted, began further back than many realize.

    The need for email retention laws didn’t truly solidify until December 2006, when the Federal Rules of Civil Procedure were significantly revised. This revision marked the tenth-time changes were made to the laws since their establishment in 1938. (Cornell’s law school has an excellent index and explanation of the rules here.)

    The revisions meant that everything electronic (emails, directives, files, communication and requests) would now have to be retained — which means if the courts request any kind of electronically stored information and you don’t have it, you have a potentially devastating legal problem on your hands.

    Current Federal Laws for Archiving

    The laws that led to our current email archiving requirements began as early as 1950, and a survey of each major development provides a complete picture of what kind of documents must be maintained according to federal law.

    In 2006, the federal government expanded the definition of “document” to include all electronically stored information. From the perspective of the federal government, this means that electronically stored information must now be governed in the same way paper document retention was governed. As such, email archiving regulations now included these 20th century laws.

     

    Year Federal Law Legal Framework
    1950 Federal Laws for Handling Federal Documents The National Archives and Records Administration established that anyone handling federal records must keep all such records indefinitely unless NARA allows their destruction. 

    This now includes any kind of electronically stored information.

    1964 Federal Laws for Job Application Records to Prevent Discrimination The Civil Rights Act of 1964 – along with the Americans with Disabilities Act and Age Discrimination in Employment Act passed later — has rules requiring that specific employment-application files must be maintained. This would include:

    • Policy and procedures about the job selection process and job notices
    • Physical-examination checks
    • Applications
    • References
    1965 Federal Laws for Records Related to Workplace-Fairness Claims In 1965, Executive Order 11246 was issued. It requires that:

    • Any person, organization or company that has done the documentation of good faith compliance on issues related to workplace-fairness (i.e., doing their best to meet those requirements even when there are errors or shortcomings with their technology and procedures) must keep all related documentation for two years.
    • Any claims filed that have to do with the payroll-related Fair Labor Standards Act must keep all related documentation three years after the settlement date.

    Of course, state laws might have different lengths and requirements and should be examined in addition to these federal requirements.

    This now includes any kind of electronically stored information related to workplace fairness.

    1967 Freedom of Information Act Governing Records of All Federal, State and Local Agencies All such agencies must retain their documents, which now includes emails.
    1970 Federal Laws About Retaining Records Related to Workplace Safety Any documents related to employee safety, training, complaints and procedures — as outlined in the Occupational Safety and Health Act for businesses — must be kept for two years after the employee has left or after any incident.

    This now includes any kind of electronically stored information related to workplace safety training, complaints, procedures or incidents.

    1986 Federal Laws for Immigration Documents According to the Immigration Reform and Control Act of 1986, all I-9 forms that verify a person’s right to work in the United States must be kept for three years after either:

    • The hiring date; or
    • One year after their employment ends, whichever is later.

    This now includes any kind of electronically stored I-9 information.

    1997 The IRS Broadens Its Record Retention Laws to Include All Electronic Communications The Internal Revenue Service requires businesses to keep every record related to finances and employees for three years after the tax season.

    Procedure 97-22 in 1997 defined this as both paper and electronic. In this case, the IRS was ahead of its time in defining “document” to include all electronic information.

    1999 Gramm-Leach-Bliley Act Passed to legalize certain kinds of mergers, this act also mandated the banks and firms retain their documents, including email.
    2002 The Sarbanes-Oxley Act Establishes Restrictions on Document Destruction This Act prohibits any kind of document destruction after the government makes an inquiry related to a criminal offense; this includes businesses, organizations, nonprofits and individuals.

    Publicly traded companies must also indefinitely keep any documents related to insider dealings.

    Companies that operate as federal contractors must maintain the same record retention policies that the federal government practices.

    This now include any kind of electronically stored information.

    2006 The Federal Rules of Civil Procedure These rules have been significantly revised since their establishment in 1938; they expand document retention to include all ESI (electronically stored information).

    Penalties for Violating Email Retention Laws

    As explained in this analysis of the landmark Qualcomm vs. Broadcom court case, if a federal court orders electronically stored information related to any of the federal laws listed above and you are not able to produce them, there can be dramatic consequences.

    Improper ESI management can result in a finding of spoliation of evidence by the court, and the imposition of one or more sanctions. These include, but are not limited to, adverse inference jury instructions, summary judgment, monetary fines and other sanctions. In some cases, such as Qualcomm v. Broadcom, attorneys can be brought before the bar and their livelihood put at risk.

    Email Policy Template Download our template to help write your own retention policy.
    Email Policy Template
    Download our template to help write your own retention policy.
    Get The Template Now

    Email Retention Laws in the 50 States

    Although the federal government’s laws on retaining electronically stored information affect every business, the states also have their own variations of these laws for every industry.

    Most laws require periods of email retention between three to seven years on average (with some requiring indefinite retention), as seen in the “Industry” section below.

    However, after verifying that you’ve satisfied all federal email retention requirements, always consult with legal counsel about specific laws within your state and local governments as it applies to your industry and position before deleting emails.

    Email Retention Laws by Industry

    The following list (as featured in our earlier blog post on this topic) gives a quick summary of how long industries should retain their emails, which would include incoming, outgoing and internal emails

    The list also shows which law or regulation governs the rule:

     

    Industry Regulatory Organization # of Years Required for Retention
    Credit Card and Related Processing Companies PCI DSS One year
    Telecommunication FCC (Title 47, Part 2) Two years
    All Federal, State and Local Agencies FOIA (Federal and State) Three years
    DOD Contractors DOD 5015.2 Three years
    Banking FDIC Five years
    Pharmaceuticals, Biological Products and Food Manufacturers Seven years
    All Companies IRS Seven years
    All Public Companies Sarbanes Oxley (SOX) Seven years
    Bank and Finance Firms Gramm-Leach-Bliley Act Seven years
    Healthcare HIPAA Seven years
    Investment Advisers SEC 204-2 Seven years to lifetime
    Securities Firms, Investment Bankers, Brokers and Dealers and Insurance Agents SEC 17a(3) and 17a(4) Seven years to lifetime

    Although these are general guidelines, the length of time required for retaining emails can vary within each industry. Any information in this article is not legal advice but is meant for educational and planning purposes. You must consult your legal, compliance, IT and management teams to confirm the exact requirements for your position.

    Email Retention Laws Internationally

    General Data Protection Regulation (GDPR), which was approved in April 2016, is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA).

    The GDPR has created a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply. It also addresses the export of personal data outside the EU and EEA areas.

    The GDPR aims to give EU citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Companies that collect data on citizens in EU countries now need to comply with strict new rules around protecting customer data, effective since May 25, 2018.

    The GDPR replaces the Data Protection Directive, which was enacted in 1995, before social media, instant messaging and other collaborative applications helped to create the day-to-day business hub into which the internet has morphed. The GDPR looks to close that gap to protect the privacy and security of data collected by organizations on individuals with today’s communications tools.

    The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. These standards are quite high and will require most companies to make a large investment to meet and to administer the new regulatory standards.

    Another rule will make it mandatory for companies to notify their data protection authority about a data breach within 72 hours of first becoming aware of it. The data processor will need to notify customers “without undue delay” after learning of the breach.

    The GDPR should also be seen against the wider context of high profile data breaches which businesses from banking and finance to healthcare and telecommunications have suffered in recent years. These data breaches have ranged from the deployment of ransomware, malicious insider activity or, most commonly, the loss of data through the lack of oversight of employee activities and inadequate procedures and training.

    Now that GDPR has become law, businesses and organizations need to ensure that they pay attention to the stipulations of the new regulations, and to make sure that their email communications are compliant. Here are some of the things a business or organization needs to think about when sending or archiving emails, or otherwise face the imposition of significant fines:

    • Personal data can only be held and processed for as long as is necessary for a specific purpose.
      • This necessitates careful consideration of how long archived emails need to be kept, further emphasizing the need for a concrete, thorough email retention policy.
    • Email contact cannot be made with clients without prior consent.
      • Consent needs to be explicit and informed.
      • Once consent is received it can only be used for that specific reason.

    FAQs

    Q: Who is responsible for email retention?

    A: The simple answer — every organization. Modern email retention laws require all organizations to follow specific email retention laws and archiving regulations in the event of potential litigation. Retention periods may vary.

    Q: How are emails tracked for record retention?

    A: Email retention laws dictate how long an email should be saved. The first step is to identify federal, state and industry regulations for your organization. Retaining emails with an email archiving solution can provide you with peace of mind knowing that your emails are safe, secure and easily searchable. Intradyn’s Email Archiver captures all incoming and outgoing emails in real time. Our software uses an SMTP server that listens to all incoming messages in real time, and a mail relay server or email firewall forwards all email copies to an archive.

    Q: Are there laws around email retention?

    A: Yes — there are many. We included the complete list in previous sections, but there are laws specific to states and industries, in addition to international email retention laws such as the General Data Protection Regulation.

    Q: What is the legal recommendation on email archiving retention? Is it okay not to have an email retention policy?

    A: Modern email retention laws require all organizations to quickly execute a legal hold on archived email and provide data in the case of litigation. Failure to comply often results in sanctions, fiscal penalties and damage to your organization’s reputation in the public eye. Though it’s not required, an email retention policy will help you safely store emails and find them quickly if needed.

    Are You Prepared?

    If your organization is sued, are you prepared to provide records of all communications and transactions conducted by certain individuals – whether communications, emails, directives, files or requests?

    Can you produce them within a specific timeframe and identify the records that are tied to a particular issue?

    If you don’t have the technology in place to do an advanced and expedient email archive search, the problem could lead to legal trouble or, at least, a tremendous amount of employee hours and resources wasted on complying with court orders.

    Our social media, text messaging, and email archiving solutions can handle the most advanced archiving and searching challenges with ease. Contact us for helpful information about email retention laws and to learn more about our robust email archiving technology.

     

    Ready to Write Your Own Email Retention Policy?

    Our free template will help you define the purpose of your policy, set classifications for emails and
    establish retention periods.

    Get the Template Now

    Avatar photo

    Azam is the president, chief technology officer and co-founder of Intradyn. He oversees global sales and marketing, new business development and is responsible for leading all aspects of the company’s product vision and technology department.

    Email Policy Template Download our template to help write your own retention policy.
    Email Policy Template
    Download our template to help write your own retention policy.
    Get The Template Now