Comprehensive Guide to Email Retention Policy [with template]


    Once you send an email, you have virtually no control over what happens to that message. It can be printed, forwarded, edited and changed dramatically, all without your knowledge or consent.

    By implementing a process that captures your organization’s inbound and outbound email messages, you can protect your company against unwarranted claims by providing digital records of these messages. This process of capturing emails is called email archiving.

    Regulators and courts treat email messages as written documents. Managing these email messages as business records assures that you meet the burden of proof for regulations such as the Federal Rules of Civil Procedure. And in order to manage those messages, you’ll need strong email retention policies.

    Download our eBook for tips on how to choose the email archiving solution that’s right for you.

    What Is an Email Retention Policy

    An email retention policy establishes the length of time that organizations must retain emails — based on sets of legal parameters that differ across industries — before those emails can be deleted.

    Your corporate governance team should oversee your email retention policy and ensure that it complies with industry and government regulations. An email retention policy should cover all emails your organization sends and receives, contain guidelines on how long to retain emails and specify how they should be removed from your archiving solution.

    One of the most important aspects of an email retention policy is that retention management should be automatic. Emails should be removed from the system in a consistent manner without any manual intervention, thereby eliminating the risk of human error and significantly decreasing your liability. Automation should also account for any pending cases before deleting any emails.

    Below, you will find more detailed reasons why your organization needs an email retention policy. Then we will show you how to create and implement your own email retention policy, step by step.

    Why Does My Organization Need an Email Retention Policy?

    Email retention policies reduce your risk of liability when it comes to regulatory compliance and legal discovery and can enhance knowledge management.

    Regulatory Compliance

    Most companies have to comply with federal or state regulations that require them to produce emails during an investigation or an audit. Additionally, organizations may be subject to industry-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and so on.

    Failure to comply with these regulations could lead to financial loss and reputational damage. Since each regulation has different data retention requirements, defining email retention policies is essential.

    The table below gives you an overview of industry-specific regulations and their recommended retention periods.

    | Regulation | Industry | Retention Period |
    |---|---|---|
    | PCI DSS | Credit card and its processing companies | 1 year |
    | FCC – Title 47, Part 2 | Telecommunication | 2 years |
    | DOD 5015.2 | DOD contractors | 3 years |
    | FOIA (Federal and State) | All federal, state and local government agencies | 3 years |
    | FDIC | Banking | 5 years |
    | FDA – Title 21, Part 11 | Pharmaceuticals, biological products, food manufacturers | 5 to 35 years |
    | HIPAA | Healthcare | 7 years |
    | Sarbanes-Oxley (SOX) | All public companies | 7 years |
    | IRS | All companies | 7 years |
    | Gramm-Leach-Bliley Act | Banking and finance firms | 7 years |
    | SEC 17a(3) and 17a(4) | Securities firms, investment bankers, brokers and dealers, insurance agents | 7 years to lifetime |
    | SEC 204-2 | Investment advisors | 7 years to lifetime |

    Even within some industries, the email retention periods are different depending upon the work performed or areas of expertise within these organizations. You should involve legal (including compliance), IT and management to find out what your obligation is to these regulations.

    Note: Information provided above is not legal advice and is for educational and planning purposes only. Please consult with your legal counsel.

    Legal Discovery

    eDiscovery is a provision in federal and state statutes. Discovery is a legal process that allows attorneys on both sides to ask for information that is relevant to a case and that may lead to the discovery of other important facts and information. Parties to a lawsuit are required to provide this information in the discovery portion of a case.

    As of October 1, 2007, amendments to Federal Rules of Civil Procedure 16, 26, 33, 34, 45 and revisions to Form 35 took effect. These amendments and revisions are all aimed at one particular area of discovery: electronically stored information, of which email is a large piece.

    Knowledge Management

    Within an organization, users send and receive hundreds of emails per day. The information contained within these emails is not limited to general business correspondence, but also includes documents that will be needed for future projects.

    It’s no surprise that much of an organization’s intellectual property resides in its email stores, which is why it’s important that these knowledge-based emails remain accessible to you even after employees are terminated or leave your organization.

    How Can I Create an Effective Email Retention Policy?

    Step 1: Determine How Long to Retain Emails

    When determining how long to retain emails, consider both regulatory requirements and business needs.

    We’ve already discussed different industry regulations and their minimum retention requirements, so let’s focus on business needs that affect email retention.

    Pay close attention not only to the regulations that affect your industry, but also to those that affect your customers’ and partners’ industries. You may have to implement an email retention policy that differs by functional department or area of your business.

    For example, most securities and brokerage firms have to retain their emails for seven years, but certain records such as member registration or corporate documents need to be kept for the life of the organization.

    Individual departmental retention policies could look something like this:

    | Department | Retention Period |
    |---|---|
    | Customer Support | Three years |
    | Information Technology | Three years |
    | Sales | Five years |
    | Marketing | Five years |
    | Development | Five years |
    | Human Resources | Seven years |
    | Accounting | Seven years |
    | Legal | Seven years |

    You may also need to set retention periods based on the type of correspondence. For example:

    | Correspondence Type | Retention Period |
    |---|---|
    | Customer | Three years |
    | Administrative | Five years |
    | Management | Five years |
    | Financial | Seven years |

    You may need to create multiple email retention policies depending on your industry or the types of customers you serve.

    Step 2: Create a Legal Hold Policy

    Even with an operational email retention policy in place, there may be times when you need to prevent emails from being automatically deleted from your archiving system. Placing a legal hold ensures that those emails are available for courts during a discovery phase in legal proceedings.

    Make sure that your email retention policy clearly defines legal hold procedure, including:

    • Who can place a legal hold?
    • Who will have access to legal hold emails?
    • What will be the review process?
    • Who can remove a legal hold?

    Note: End users should not be able to see legal holds on their emails.

    Step 3: Get Executive Approval

    A policy is only beneficial to your organization if it is applied consistently. To have an effective email retention policy, you need everyone’s buy-in.

    First and foremost, you need to involve everyone from your organization (finance, human resources, IT, legal, etc.) to identify their business needs. Once that is done, it is imperative that all members of the executive team sign off on the document.

    Step 4: Write the Policy

    A formal written policy will save you time and money if your organization is under audit.

    Written out, an email retention policy could look something like this:

    | Department | Retention Period |
    |---|---|
    | Information Technology | Three years |
    | Customer Support | Three years |
    | Sales | Five years |
    | Marketing | Five years |
    | Development | Five years |
    | Human Resources | Seven years |
    | Accounting | Seven years |
    | Legal | Seven years |
    | Legal Hold | Life of issue |

    Legal Hold Process:

    | Question | Answer |
    |---|---|
    | Who will approve placing a legal hold? | Executive team and/or … |
    | Who can place a legal hold? | Human resources, legal team and/or … |
    | Who will have access to legal hold emails? | Outside legal counsel, legal team, human resources and/or … |
    | What will be the review process? | Company process is … |
    | Who can remove a legal hold? | Executive team and/or … needs to approve removal of the legal hold |
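As an added illustration that is not part of the original article and not Intradyn's product code, the following Python evaluates the written policy above against a set of constructed archived messages: the departmental retention periods from the table, the correspondence-type periods from Step 1, and a legal hold that keeps matching messages for the life of the issue and can only be released with executive approval. It goes beyond the page in one respect: where the department and correspondence-type periods differ, it keeps the message for the longer of the two, which is an assumption, since the article does not say which period wins. Every address, subject and date in it is made up.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods in years, taken from the written policy table above
# (by department) and the correspondence-type table in Step 1.
DEPARTMENT_RETENTION_YEARS = {
    "Information Technology": 3, "Customer Support": 3, "Sales": 5, "Marketing": 5,
    "Development": 5, "Human Resources": 7, "Accounting": 7, "Legal": 7,
}
CORRESPONDENCE_RETENTION_YEARS = {"Customer": 3, "Administrative": 5, "Management": 5, "Financial": 7}


@dataclass
class Email:
    msg_id: str
    received: date
    department: str
    correspondence_type: str
    sender: str
    subject: str


@dataclass
class LegalHold:
    """Keeps every matching email for the life of the issue, whatever its age."""
    hold_id: str
    placed_by: str                     # legal team or human resources, per the policy
    keyword: Optional[str] = None      # case-insensitive match on the subject
    domain: Optional[str] = None       # match on the sender's domain
    released_by: Optional[str] = None  # set only when the executive team approves removal

    def __post_init__(self) -> None:
        if self.keyword is None and self.domain is None:
            raise ValueError("a hold needs at least one criterion")

    def active(self) -> bool:
        return self.released_by is None

    def matches(self, email: Email) -> bool:
        if self.keyword and self.keyword.lower() not in email.subject.lower():
            return False
        if self.domain and not email.sender.lower().endswith("@" + self.domain.lower()):
            return False
        return True


def retention_years(email: Email) -> int:
    """Assumption (the article does not say): if the department and the
    correspondence-type policies disagree, the longer period applies."""
    periods = [p for p in (DEPARTMENT_RETENTION_YEARS.get(email.department),
                           CORRESPONDENCE_RETENTION_YEARS.get(email.correspondence_type))
               if p is not None]
    if not periods:
        raise ValueError(f"no retention policy covers {email.msg_id}")
    return max(periods)


def expiry_date(email: Email) -> date:
    d = email.received
    try:
        return d.replace(year=d.year + retention_years(email))
    except ValueError:  # received on 29 February and the target year is not a leap year
        return d.replace(year=d.year + retention_years(email), day=28)


def evaluate(email: Email, holds: list[LegalHold], today: date) -> tuple[str, str]:
    """Return (action, reason). Holds are checked before age so that an
    expired email under an active hold is never disposed of."""
    for hold in holds:
        if hold.active() and hold.matches(email):
            return "hold", f"legal hold {hold.hold_id} placed by {hold.placed_by}"
    expires = expiry_date(email)
    if today < expires:
        return "retain", f"expires {expires.isoformat()} under {retention_years(email)}-year policy"
    return "dispose", f"expired {expires.isoformat()}"


def release_hold(hold: LegalHold, approver: str, executive_team: set[str]) -> None:
    """Removing a hold needs executive sign-off, as the written policy requires."""
    if approver not in executive_team:
        raise PermissionError(f"{approver} is not on the executive team")
    hold.released_by = approver


def run_disposal(archive: list[Email], holds: list[LegalHold], today: date) -> list[tuple[str, str, str]]:
    """One scheduled pass; the returned list is the audit trail of every decision."""
    return [(e.msg_id, *evaluate(e, holds, today)) for e in archive]


# Constructed sample data; every address, subject and date below is made up.
SAMPLE_ARCHIVE = [
    Email("m1", date(2015, 3, 10), "Sales", "Customer", "buyer@example.com", "Quote for 200 units"),
    Email("m2", date(2016, 6, 1), "Customer Support", "Customer", "user@example.org", "Ticket 1234 outage"),
    Email("m3", date(2021, 1, 15), "Accounting", "Financial", "cfo@example.com", "Q4 close"),
    Email("m4", date(2014, 9, 30), "Marketing", "Administrative", "agency@example.net", "Campaign assets"),
]
SAMPLE_HOLDS = [LegalHold("H-1", placed_by="legal team", keyword="outage")]
EXECUTIVE_TEAM = {"ceo@example.com", "coo@example.com"}
SAMPLE_RUN_DATE = date(2023, 1, 1)

if __name__ == "__main__":
    for msg_id, action, reason in run_disposal(SAMPLE_ARCHIVE, SAMPLE_HOLDS, SAMPLE_RUN_DATE):
        print(f"{msg_id}: {action:7} {reason}")
```

Run on the sample date, m1 and m4 are past their five-year periods and are disposed of, m3 is retained until 2028, and m2, although its three-year period ended in 2019, stays under hold H-1 until a member of the executive team releases it. The audit trail returned by run_disposal is what an auditor would ask for to show that deletions followed the policy rather than an individual's judgement.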

    Step 5: Get Legal Approval

    Once you have an email retention policy draft ready, you need to involve your legal team. Legal will vet the document and make sure it complies with both company policy and all applicable regulations.

    This is an iterative process. Once you receive the draft back from your legal team, make the necessary modifications and send an updated draft back to them again. You might have to repeat the process until all the items are resolved. By the end of this step your policy should:

    • Comply with industry, federal and state regulations
    • Define minimum retention periods
    • Define departmental roles and responsibilities

    How Do I Implement an Email Retention Policy?

    Once you’ve finalized your email retention policy, the next step is to implement it. Below are key considerations when implementing an operational email retention policy.

    • Automation

    Automating the process of capturing, storing and, eventually, disposing of emails is the key to an efficient email retention procedure. An email archiving system can automatically retain all emails that users send and receive, as well as dispose of emails according to company policy.

    • eDiscovery Capabilities

    It’s important to retain emails so they’re accessible to any stakeholder when necessary. Whether it is an auditor, courts during the discovery phase or another employee looking for past information, being able to easily retrieve these emails will save you time and money.

    • Litigation Hold

    To secure buy-in from both legal and compliance departments, it is absolutely necessary to implement a legal hold procedure.

    • Training

    A truly operational email retention policy should require minimal human intervention because your archiving solution should automatically capture and dispose of emails according to company policy. With that said, it’s important to train your employees on how to use your email archiving solution so that they can access archived emails as needed.

    If you use an email archiving solution to manage your email retention policy, be sure to restrict employees’ ability to create local Personal Storage Table (PST) files on their hard drives. Having emails in PST files that are older than your retention period could amplify your risk. For example, a court would expect you to produce emails older than your retention period if they exist anywhere other than your email archiving system.

    Moreover, your email server backup system should not maintain emails longer than the retention policy set in your email archiving system.

    Should I Inform My Employees About My Email Retention Policy?

    Yes. An email retention policy is only effective when it’s applied across your entire organization, in all departments and at every level. That’s why it’s crucial that all employees are aware of and understand the policy you’ve put in place.

    As with any business policy, it’s important that your email retention policy is easy to understand and shared with everyone. Some helpful ways you can spread the word include clearly communicating the changes directly to existing staff members and making sure your employee handbook is updated to reflect the new policy.

    How Can I Enforce My Policy Consistently?

    Implementing an email retention policy isn’t a one-time occurrence. You’ll need to make sure that it’s updated according to changing regulations and that employees are made aware of these changes.

    Additionally, it’s important to maintain compliance with the policy throughout your company. No matter the size of your organization, monitoring this can be at best a tedious task to do all on your own. That’s why it’s always a good idea to have an email archiving solution in place.

    How Can I Use an Email Archiving Solution to Proactively Monitor Communications?

    With an email archiving solution in place, you can easily set up rules to scan all outgoing and incoming emails for certain keywords. This enables your compliance team to get ahead of any emails that could potentially harm your company either internally, as a result of employee behavior, or externally, through the unauthorized release of sensitive or privileged information.
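The keyword rules described above, as an added Python example (not code from the article or from any archiving product): a small rule engine that scans constructed inbound and outbound messages, including text already extracted from attachments, and routes matches to a compliance review queue. It generalizes the page's keyword rule to a proximity condition (all terms within N words of each other), so a rule can flag "acquisition" near "not public" without flagging the same words far apart in an unrelated message. Rule names, addresses and message text are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass
class Rule:
    name: str
    terms: tuple[str, ...]        # every term must appear; a term may be several words
    within: Optional[int] = None  # if set, all terms must fall inside a window of this many words
    direction: str = "any"        # "inbound", "outbound" or "any"


@dataclass
class Message:
    msg_id: str
    direction: str
    sender: str
    subject: str
    body: str
    attachment_text: str = ""     # text already extracted from attachments


WORD_RE = re.compile(r"[A-Za-z0-9']+")


def tokenize(text: str) -> list[str]:
    return [w.lower() for w in WORD_RE.findall(text)]


def positions(tokens: list[str], term: str) -> list[int]:
    """Start offsets at which the (possibly multi-word) term occurs."""
    t = tokenize(term)
    return [i for i in range(len(tokens) - len(t) + 1) if tokens[i:i + len(t)] == t]


def rule_matches(rule: Rule, msg: Message) -> bool:
    if rule.direction not in ("any", msg.direction):
        return False
    # Subject, body and attachment text are scanned together, as the article says.
    tokens = tokenize(" ".join((msg.subject, msg.body, msg.attachment_text)))
    hits = [positions(tokens, term) for term in rule.terms]
    if not rule.terms or any(not h for h in hits):
        return False
    if rule.within is None:
        return True
    # Proximity: some combination of occurrences spans at most `within` words.
    return any(max(combo) - min(combo) <= rule.within for combo in product(*hits))


def scan(messages: list[Message], rules: list[Rule]) -> list[tuple[str, str]]:
    """(msg_id, rule name) pairs that go to the compliance team's review queue."""
    return [(m.msg_id, r.name) for m in messages for r in rules if rule_matches(r, m)]


# Constructed rules and messages; nothing below comes from a real mailbox.
SAMPLE_RULES = [
    Rule("confidential-outbound", terms=("confidential",), direction="outbound"),
    Rule("insider-info", terms=("acquisition", "not public"), within=8),
]

SAMPLE_MESSAGES = [
    Message("m1", "outbound", "analyst@example.com", "Q3 numbers",
            "Board deck attached. Please keep confidential until the earnings call."),
    Message("m2", "inbound", "friend@example.org", "lunch", "Still on for Thursday?"),
    Message("m3", "outbound", "vp@example.com", "quick note",
            "The acquisition of ExampleCo is not public yet, keep it between us."),
    Message("m4", "outbound", "pm@example.com", "minutes",
            "Our acquisition pipeline is reviewed each quarter. "
            "Minutes from the meeting are not public records."),
    Message("m5", "inbound", "vendor@example.net", "proposal", "See attached.",
            attachment_text="CONFIDENTIAL proposal for Example Corp"),
]

if __name__ == "__main__":
    for msg_id, rule_name in scan(SAMPLE_MESSAGES, SAMPLE_RULES):
        print(f"review queue: {msg_id} matched {rule_name}")
```

On the sample set only m1 (an outbound message marked confidential) and m3 (the two insider terms four words apart) reach the queue; m4 contains both insider terms but eleven words apart, and m5 carries "confidential" in an attachment but is inbound, which the first rule deliberately ignores. Scoping rules by direction and proximity like this keeps the review queue small enough for a compliance team to actually work through.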

    Why Else Should I Invest in an Email Archiving Solution?

    An email archiving solution is good for much more than monitoring communications. Here are a few more reasons why you should have one in place:

    • Automation

    An email archiving platform’s automations enable you to take a “set it and forget it” approach to email retention. All you have to do is create your policy according to the legal parameters you’re obligated to follow, apply it to the correct subset of emails and then let the software take care of retaining and removing those emails accordingly.

    By allowing your email archiving software to automatically delete emails with expired policies, you also remove any potential for human error and the liability that comes with it.

    • Thorough Searching Capabilities

    Archiving solutions typically feature advanced search capabilities so you can instantly retrieve the exact communication you’re looking for from millions of archived emails. Having fuzzy and proximity searching capabilities based on keywords gives you more power to retrieve specific communications, whether they exist in the body of an email or within an attachment.

    • Creating Legal Holds

    Sometimes, you will need to put a legal hold on an individual email or set of emails. Intradyn’s Email Archiving Solution provides easy steps to place legal holds based on keywords, email addresses or domains, dates and other criteria.


    As the chief operating officer and co-founder of Intradyn, Adnan brings 20+ years of experience in the email retention and archiving space to shape Intradyn’s archiving solutions. As COO, Adnan oversees the company’s financial and human resources operations and takes the lead in managing the original equipment manufacturer relationship. Adnan provides wide-ranging oversight of Intradyn’s day-to-day operations to drive greater operational efficiency and grow the company’s global capabilities.

    Along with his business partner, Adnan successfully spun out Intradyn’s archiving business from Mirapoint Software Inc., where he held the position of vice president. Mirapoint Software was primarily focused on archiving solutions for program offices, customer support, corporate infrastructure and the supply chain. Prior to that, Adnan managed complex Internet Channel group projects at eFunds Corporation (now Fidelity National Information Services).

    Adnan holds a Bachelor of Science degree from Minnesota State University and a Master of Business Administration in IT and Finance from the University of St. Thomas.

    Email Policy Template: Download our template to help write your own retention policy.