Comprehensive Guide to Email Retention Policy [with template]


    Once we send an email, we have virtually no control over what happens to that message. It can be printed, forwarded, edited and changed dramatically, all without our knowledge or consent.

    By implementing a process that captures inbound and outbound email messages of our organization, we can protect ourselves against unwarranted claims by providing these digital records. This process of capturing and searching the emails is called email archiving.

    Regulators and courts treat email messages as written documents. Managing these email messages as business records ensures that we meet the burden of proof under regulations such as the Federal Rules of Civil Procedure, which require every corporate litigant to identify, declare and produce emails in civil litigation.


    The questions that arise most often are:

    • How long should I be keeping this email?
    • Is it affected by the industry that I serve?
    • Whose email should I keep and for how long?

    All of these questions call for a solid email retention policy. Download our free template to help write your own email retention policy.

    1. What is An Email Retention Policy?

    The basic and self-explanatory definition of email retention policy is:

    Email Retention Policy Definition: “A policy that establishes how long an email should remain in your email archiving solution before being deleted automatically.”

    The email retention policy should be governed by your corporate governance and comply with industry and government regulations.

    An email retention policy should cover all emails sent or received by your organization. It should contain the guidelines for how long emails should be kept and how they should be removed from the email archiving solution.

    One of the most important aspects of the email retention policy is that the management of retention of emails should be automatic. What this means to you is that emails should be removed from the system in a consistent manner without any manual intervention. This eliminates human error and decreases your liability significantly. The automation should also account for any pending cases before deleting any emails.

    An email archiving solution helps you comply with your email retention policy and assists you in automating it.

    Below you will find more detailed reasons why your organization needs an email retention policy. Then we will guide you to create and implement your own email retention policy.

    2. Why do I need an Email Retention Policy?

    It is evident from the previous section how important it is to have an email retention policy. In this section we will dig into details of why you need a policy that would reduce your risk of liability from unforeseen circumstances.

    • Regulatory Compliance
    • Legal Discovery
    • Knowledge Management

    Regulatory Compliance:

    Most companies have to comply with federal or state regulations that require them to produce emails during an investigation or an audit. Your company would face a serious crisis if a regulation required it to produce an email and, lacking an operational email retention policy, it could not. You will not only suffer financial loss, but your reputation will also suffer.

    Different regulations apply to different industries. You need to be aware of any local, state or federal regulation that relates to your industry.

    Moreover, some organizations will have to abide by several regulations within the same industry. For example, a healthcare organization will have to comply with HIPAA in its medical records department, Sarbanes-Oxley (SOX) in its finance department, OSHA in its medical facility, etc.

    The table below gives you an overview of certain industries and their regulations along with the recommended retention period.

    | Regulation | Industry | Retention Period |
    | --- | --- | --- |
    | FDIC | Banking | 5 years |
    | FCC – Title 47, Part 2 | Telecommunication | 2 years |
    | FDA – Title 21, Part 11 | Pharmaceuticals, Biological Products, Food manufacturers | 5 to 35 years |
    | HIPAA | Healthcare | 7 years |
    | DOD 5015.2 | DOD Contractors | 3 years |
    | SEC 17a(3) and 17a(4) | Securities Firms, Investment Bankers, Brokers and Dealers, Insurance Agents | 7 years to lifetime |
    | SEC 204-2 | Investment Advisors | 7 years to lifetime |
    | Sarbanes Oxley (SOX) | All public companies | 7 years |
    | IRS | All companies | 7 years |
    | PCI DSS | Credit card and its processing companies | 1 year |
    | FOIA (Federal and State) | All Federal, state and local government agencies | 3 years |
    | Gramm-Leach-Bliley Act | Banking and Finance Firms | 7 years |

    Even within one industry, email retention periods differ depending on the work performed or the areas of expertise within the organization. You should involve legal (including compliance), IT and management to find out what your obligations are under these regulations.

    Note: Information provided above is not legal advice and is for educational and planning purposes only. Please consult with your legal counsel.

    Legal Discovery

    eDiscovery is a provision in federal and state statutes. Discovery is a legal process that allows attorneys on both sides to ask for information that is relevant to a case and that may lead to the discovery of other important facts and information. Parties to a lawsuit are required to provide this information in the discovery portion of the case.

    As of October 1, 2007 amendments to Federal Rules of Civil Procedure 16, 26, 33, 34, 45 and revisions to Form 35 took effect. These amendments and revisions are all aimed at one particular area of discovery—electronically stored information, and e-mail is a large piece of that area.


    Federal Laws and Rules

    • Federal Rules of Civil Procedure (FRCP) govern all civil procedures in the United States District Courts, including court procedures for civil lawsuits.
    • USA Patriot Act
    • FOIA

    State Laws and Rules

    • State Rules of Civil Procedure (SCRP) – Each state makes its own rules for its own courts; however, most states have adopted rules based on the FRCP.
    • Public Record Laws
    • Open Meeting Laws

    Judges and courts do not have a favorable view of those organizations that cannot produce these emails during the discovery process. In fact, if you cannot produce the needed emails, it could be construed as destruction of evidence.

    Therefore, having an effective and operational email retention policy can assist your organization in any legal proceedings. For example, if you have a 3-year retention policy, then you will be obligated to provide emails for the last three years and nothing beyond that.

    “The very fact that the emails are missing leaves us in the realm of speculation as to what they contained and in what manner they might have assisted the plaintiff in litigating claims.”

    -Federal Magistrate Judge Dolinger (S.D.N.Y.)

    Knowledge Management

    On average, every user within an organization receives 105 emails per day, and the number is expected to increase to 125 by 2015. Information contained within these emails is not only general business correspondence but also includes documents which are needed for future projects.

    More than 70% of an organization’s Intellectual Property resides in its stores of email. These knowledge-based emails still need to be accessible after an employee is terminated or has left your organization.

    The three key reasons mentioned above should serve as your first step in understanding the requirements to create an effective email retention policy.

    3. How do I create an effective email retention policy?

    Now that we understand what an email retention policy is and why we need it, we will go into building one step by step. This is a collaborative exercise with multiple departments involved. Each company is different, and the company’s executives are best suited to build a team whose mission is to create an email retention policy.

    The following steps are based on our years of experience in the email market and give you a starting point for creating an effective email retention policy.

    Step 1: How long to retain the emails?

    Email retention dictates how long an email should be saved. The first and foremost step is to identify federal, state and industry regulation for your organization. Retaining emails with an email archiving solution reduces your cost, but there still is a cost associated with keeping these emails.

    Moreover, you would not want to increase your risk by keeping unwanted emails that a regulator or court can find during the discovery phase.

    In this balancing act, the following factors govern your retention period.

    [Factor 1] Regulation

    The best rule of thumb is to create an email retention policy that keeps emails for the regulatory minimum. What this means is that if you have a regulatory requirement to keep emails for only three years, then you should not be keeping these emails for more than that minimum of 3 years.

    Please see the table above to find out your regulatory minimum requirements.

    It is best to base your default retention policy on the particular industry of your organization:

    • Default retention policy: 7 years (or 5 years or 3 years)

    This is a catch-all policy. If there is no policy for a particular email, then this policy will be enforced.

    [Factor 2] Department or Business Needs

    Pay close attention to your industry regulations and to the industry regulations of your customers and partners. You may have to implement an email retention policy that differs by functional department or area of business.

    For example, most securities and brokerage firms have to retain their emails for 7 years, but certain records like member registrations or corporate documents need to be kept for the life of the organization.

    Individual departmental retention policies will look something like this:

    • Human Resources: 7 years
    • Accounting: 7 years
    • Legal: 7 years
    • Sales: 5 years
    • Marketing: 5 years
    • Development: 5 years
    • Information technology: 3 years
    • Customer Support: 3 years

    Add all the departments within your company and create a rough draft.

    Or, you might have to draft the policy based on the type of communication; if this is the case, the policy will start like this:

    • Financial correspondence (company criteria for is …): 7 years
    • Administrative correspondence (company criteria for is …): 5 years
    • Management correspondence (company criteria for is …): 5 years
    • Customer correspondence (company criteria for is …): 3 years

    Add all other types of correspondence and add their criteria.

    You may have to create a mixed email retention policy because of your industry or the type of customers you serve. In this case, use both department and correspondence type to create the policy.

    Step 2: Legal Hold Policy

    Even with an operational email retention policy, there are times when you need to make sure that emails are not automatically deleted from your email archiving system. For this very occasion, the ability to place a legal hold on emails ensures that the emails remain available to the courts during the discovery phase of legal proceedings.

    Placing a legal hold on all content in a user’s account, or targeting specific accounts based on dates, subject and message text, should be an essential part of your email retention policy.

    Make sure that your email retention policy clearly states legal hold procedures. Important things to note:

    • Who can place a legal hold?
    • Who would have access to the emails under legal hold?
    • What would be the review process?
    • How is the legal hold removed?

    Note: End-users should not be able to see legal hold on their emails.

    Your legal hold policy will be something like this:

    • Legal hold: life of issue

    Step 3: Write the Policy

    A written email retention policy is the key to enforcing your policy. A formal written policy will save you time and money when your organization is under audit. Your email retention policy also defines how many emails your organization will have to provide during the discovery phase.

    As with any business policy, your email retention policy should be simple and must be communicated to all users. Creating an effective email retention policy is not only governed by the business needs but also should pay attention to any technical requirements.

    The ability to retain emails in a cost-effective way should be an important part of your organization’s policy.

    Now your email retention policy will look something like this:

    • Human Resources: 7 years
    • Accounting: 7 years
    • Legal: 7 years
    • Sales: 5 years
    • Marketing: 5 years
    • Development: 5 years
    • Information technology: 3 years
    • Customer Support: 3 years
    • Legal hold: life of issue

    Legal Hold Process:

    • Who would approve placing a legal hold? – executive team and/or …
    • Who can place the legal hold? – human resources, legal team, and/or …
    • Who would have access to the emails under legal hold? – outside legal counsel, legal team, human resources, and/or …
    • What would be the review process? – company process is …
    • How is the legal hold removed? – the executive team and/or … must approve removal of the legal hold

    Step 4: Legal sign off

    Once you have the draft copy ready, you need to involve the legal team. Legal will vet the document and make sure that it conforms to the company’s overall policies and that the assumptions about the regulations are correct.

    This is an iterative process. Once you receive the copy back from your legal team, make the necessary modifications. Send the copy to them again. You might have to repeat the process until all the items are resolved. By the end of this step your policy should:

    • Abide by industry, federal and state regulations
    • Be written in a manner that can be implemented
    • Have the right retention duration for emails
    • Clearly define the roles

    Step 5: Executive sign off

    A policy is only beneficial to your organization if it is implemented and carried out consistently. To have an effective email retention policy, you need everyone’s buy-in.

    First and foremost, you would need to have everyone from your organization (finance, human resources, IT, legal, etc.) involved to identify their business needs. Once that is done, it is imperative that all members of the executive team sign-off on the document.

    Congratulations! Your email retention policy is done. The next step is implementing it.

    4. How do I implement an operational email retention policy?

    Implementing and enforcing an effective email retention policy is as necessary as creating one. Below are the factors that must be considered when implementing an operational email retention policy.

    Step 1: Automate your Email Retention Policy

    As the definition dictates, the ability to retain and dispose of email automatically is what makes the retention procedure efficient. An email archiving system like Intradyn’s Email Archiving Solution can automatically capture all the emails sent and received by every user for retention. That is the first part of the automation. The ability to dispose of these emails automatically based on your business needs is the other necessity.

    Intradyn’s Email Archiving Solution can categorize emails based on your business needs and automatically remove emails from your system. This provides you with a hands-off approach to your retention policy.

    Step 2: eDiscovery Capabilities

    The reason to retain emails is to be able to provide them to any stakeholder when necessary. Whether it is an auditor, a court during the discovery phase, or just another employee looking for past information, quick retrieval of these emails will save you time and money.

    Intradyn’s Email Archiving Solution provides thorough searching capabilities to retrieve millions of archived emails within seconds. Having fuzzy and proximity searching capabilities based on keywords gives you more power to retrieve specific emails whether they are within the attachments of an email or just in the plain email.

    Moreover, Intradyn’s patent-pending Messaging Intelligence can provide you with visual insight to extend an internal or external investigation as needed.

    Step 3: Litigation Hold

    To get buy-in from every department, especially legal and compliance, it is absolutely necessary to have an effortless method to suspend the destruction of emails that fall within your retention period. Therefore, the ability to suspend deletion of certain, but not all, emails immediately upon any indication of an official investigation, or when a lawsuit is filed or appears imminent, is vital.

    Intradyn’s Email Archiving Solution provides simple and easy steps to create legal holds on email based on keywords, email addresses and email domains, dates and other criteria.
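As an added example (not the page’s or Intradyn’s own code), the following Python models the policy drafted in Step 3 of section 3 together with the automated disposal and litigation hold of Steps 1 and 3 of section 4: per-department and per-correspondence periods, the catch-all default, and a hold that blocks deletion for the life of the issue. The department and correspondence tags, the rule that the longer period wins in a mixed policy, and the sample messages are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Retention periods (years) copied from the sample policy drafted in Step 3.
DEPARTMENT_RETENTION = {
    "human resources": 7, "accounting": 7, "legal": 7,
    "sales": 5, "marketing": 5, "development": 5,
    "information technology": 3, "customer support": 3,
}
CORRESPONDENCE_RETENTION = {"financial": 7, "administrative": 5,
                            "management": 5, "customer": 3}
DEFAULT_RETENTION_YEARS = 7  # catch-all policy (Step 1, Factor 1)

@dataclass
class ArchivedEmail:
    message_id: str
    received: date
    department: Optional[str] = None      # assumed: tagged by the archive
    correspondence: Optional[str] = None  # assumed: classified on capture
    legal_holds: set = field(default_factory=set)  # ids of open matters

def retention_years(email: ArchivedEmail) -> int:
    """Mixed policy (assumption): the longer of the department and the
    correspondence-type period applies; with neither tagged, the default."""
    periods = [DEPARTMENT_RETENTION.get((email.department or "").lower()),
               CORRESPONDENCE_RETENTION.get((email.correspondence or "").lower())]
    periods = [p for p in periods if p is not None]
    return max(periods) if periods else DEFAULT_RETENTION_YEARS

def expiry_date(email: ArchivedEmail) -> date:
    """First day on which the email becomes eligible for automatic deletion."""
    year = email.received.year + retention_years(email)
    try:
        return email.received.replace(year=year)
    except ValueError:  # received on 29 February, target year is not leap
        return email.received.replace(year=year, day=28)

def disposition(email: ArchivedEmail, today: date) -> str:
    """Hold beats the retention clock: nothing is deleted while a matter is open."""
    if email.legal_holds:
        return "hold"
    return "delete" if today >= expiry_date(email) else "retain"

def run_disposal(archive: list, today: date) -> dict:
    """Group message ids by disposition: 'delete' is what the automated job
    purges; 'hold' and 'retain' are left untouched and written to the audit log."""
    result = {"hold": [], "delete": [], "retain": []}
    for email in archive:
        result[disposition(email, today)].append(email.message_id)
    return result

# Constructed sample archive (not real messages) for a run on 1 March 2022.
SAMPLE_ARCHIVE = [
    ArchivedEmail("m1", date(2014, 6, 1), department="Accounting"),
    ArchivedEmail("m2", date(2020, 6, 1), department="Customer Support"),
    ArchivedEmail("m3", date(2010, 1, 1), department="Customer Support", correspondence="Financial"),
    ArchivedEmail("m4", date(2012, 2, 29)),  # untagged: default 7 years
    ArchivedEmail("m5", date(2009, 1, 1), department="Sales", legal_holds={"matter-placeholder-1"}),
]
```

Running `run_disposal(SAMPLE_ARCHIVE, date(2022, 3, 1))` purges m1, m3 and m4, keeps m2 for another year, and leaves m5 alone until its hold is lifted; the hold check deliberately runs before the age check so a pending case can never be deleted by the clock.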

    Step 4: Training

    A true operational email retention policy based on an email archiving system should not require any human intervention. Once configured in an email archiving solution provided by Intradyn it should automatically retain and dispose of emails as required by your policy.

    Users should be trained to use the email archiving solution so they can access and retrieve older emails when needed. Retrieval of emails should therefore be non-intrusive to employees’ working procedures. Intradyn’s Email Archiving Solution provides direct access to users’ email through their favorite email client.

    If you have an email archiving solution to manage your email retention policy, then prevent your employees or users from creating local PST files on their hard drives. Having emails in PST files that are older than your retention policy could amplify your risk. For example, a court would expect you to produce emails older than your retention policy if they exist anywhere outside your email archiving system.

    Moreover, your email server backup system should not maintain emails longer than the retention policy set in your email archiving system.

    As the chief operating officer and co-founder of Intradyn, Adnan provides wide-ranging oversight of day-to-day operations. He has two decades of experience helping to shape the direction of archiving solutions and has been instrumental in the success of the company’s global capabilities.
