Comprehensive Guide to Email Retention Policy [with template]
Once you send an email, you have virtually no control over what happens to that message. It can be printed, forwarded, edited and changed dramatically, all without your knowledge or consent.
By implementing a process that captures your organization’s inbound and outbound email messages, you can protect your company against unwarranted claims by providing digital records of these messages. This process of capturing emails is called email archiving.
Regulators and courts treat email messages as written documents. Managing them as business records lets you meet your discovery and record-keeping obligations under rules such as the Federal Rules of Civil Procedure. And in order to manage those messages, you need a clearly defined email retention policy.
What Is an Email Retention Policy?
An email retention policy establishes the length of time that organizations must retain emails — based on sets of legal parameters that differ across industries — before those emails can be deleted.
Your corporate governance team should oversee your email retention policy and ensure that it complies with industry and government regulations. An email retention policy should cover all emails your organization sends and receives, contain guidelines on how long to retain emails and specify how they should be removed from your archiving solution.
One of the most important aspects of an email retention policy is that retention management should be automatic. Emails should be removed from the system consistently, without manual intervention, which eliminates the risk of human error and significantly decreases your liability. The automation must also check for active legal holds and pending matters before deleting anything: a disposal job that does not consult holds is a liability of its own.
Below, you will find more detailed reasons why your organization needs an email retention policy. Then we will show you how to create and implement your own email retention policy, step by step.
Why Does My Organization Need an Email Retention Policy?
Email retention policies reduce your risk of liability when it comes to regulatory compliance and legal discovery and can enhance knowledge management.
Most companies have to comply with federal or state regulations that require them to produce emails during an investigation or an audit. Additionally, organizations may be subject to industry-specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and so on.
Failure to comply with these regulations could lead to financial loss and reputational damage. Since each regulation has different data retention requirements, defining email retention policies is essential.
The table below gives you an overview of industry-specific regulations and their commonly recommended retention periods. Treat the periods as planning figures and confirm each against the text of the rule itself.

| Regulation | Industry | Recommended retention period |
| --- | --- | --- |
| PCI DSS | Card issuers and payment processors | 1 year |
| FCC, Title 47, Part 2 | Telecommunications | 2 years |
| DoD 5015.2 | DoD contractors | 3 years |
| FOIA (federal and state) | Federal, state and local government agencies | 3 years |
| FDA, Title 21 CFR Part 11 | Pharmaceuticals, biological products, food manufacturers | 5 to 35 years |
| Sarbanes-Oxley (SOX) | All public companies | 7 years |
| IRS | All companies | 7 years |
| Gramm-Leach-Bliley Act | Banking and finance firms | 7 years |
| SEC Rules 17a-3 and 17a-4 | Securities firms, investment banks, broker-dealers, insurance agents | 7 years to lifetime |
| SEC Rule 204-2 (Investment Advisers Act) | Investment advisers | 7 years to lifetime |
Even within some industries, the email retention periods are different depending upon the work performed or areas of expertise within these organizations. You should involve legal (including compliance), IT and management to find out what your obligation is to these regulations.
Note: Information provided above is not legal advice and is for educational and planning purposes only. Please consult with your legal counsel.
eDiscovery (electronic discovery) is the discovery of electronically stored information under federal and state rules of civil procedure. Discovery is the phase of a lawsuit in which the attorneys on each side may demand information relevant to the case, including material that may lead to other relevant facts, and the parties are obliged to produce it.
Amendments to Federal Rules of Civil Procedure 16, 26, 33, 34, 37 and 45, together with revisions to Form 35, took effect on December 1, 2006. They are aimed at one particular area of discovery, electronically stored information, and email makes up a large part of that.
Within an organization, users send and receive hundreds of emails per day. The information contained within these emails is not limited to general business correspondence, but also includes documents that will be needed for future projects.
It’s no surprise that much of an organization’s intellectual property resides in its email stores, which is why it’s important that these knowledge-based emails remain accessible to you even after employees are terminated or leave your organization.
How Can I Create an Effective Email Retention Policy?
Step 1: Determine How Long to Retain Emails
When determining how long to retain emails, consider both regulatory requirements and business needs.
We’ve already discussed different industry regulations and their minimum retention requirements, so let’s focus on business needs that affect email retention.
Pay close attention not only to the regulations that affect your industry, but also to those that affect your customers' and partners' industries. You may have to implement an email retention policy that differs by functional department or area of your business.
For example, most securities and brokerage firms have to retain their emails for seven years, but certain records such as member registration or corporate documents need to be kept for the life of the organization.
Individual departmental retention policies could look something like this:

| Department | Retention period |
| --- | --- |
| Customer Support | Three years |
| Information Technology | Three years |
| Human Resources | Seven years |
You may also need to set retention periods based on the type of correspondence. For example:
|Correspondence Type||Retention Period|
You may need to create multiple email retention policies depending on your industry or the types of customers you serve.
Step 2: Create a Legal Hold Policy
Even with an operational email retention policy in place, there will be times when you need to prevent specific emails from being automatically deleted from your archiving system. Placing a legal hold suspends disposal for the matching messages, so that they remain available to the courts during the discovery phase of legal proceedings.
Make sure that your email retention policy clearly defines legal hold procedure, including:
- Who can place a legal hold?
- Who will have access to legal hold emails?
- What will be the review process?
- Who can remove a legal hold?
Note: Holds should be applied within the archive and be invisible to end users, so that a custodian cannot tell which of their messages are under hold.
Step 3: Get Executive Approval
A policy is only beneficial to your organization if it is applied consistently. To have an effective email retention policy, you need everyone's buy-in.
First and foremost, involve every part of your organization (finance, human resources, IT, legal, etc.) in identifying its business needs. Once that is done, it is imperative that all members of the executive team sign off on the document.
Step 4: Write the Policy
A formal written policy will save you time and money if your organization is under audit.
Written out, an email retention policy could look something like this:

| Category | Retention period |
| --- | --- |
| Information Technology | Three years |
| Customer Support | Three years |
| Human Resources | Seven years |
| Legal Hold | Life of issue |
Legal Hold Process:

| Question | Answer |
| --- | --- |
| Who will approve placing a legal hold? | Executive team and/or … |
| Who can place a legal hold? | Human resources, legal team and/or … |
| Who will have access to legal hold emails? | Outside legal counsel, legal team, human resources and/or … |
| What will be the review process? | Company process is … |
| Who can remove a legal hold? | Executive team and/or …; removal requires their approval |
Step 5: Get Legal Approval
Once you have an email retention policy draft ready, you need to involve your legal team. Legal will vet the document and make sure it complies with both company policy and all applicable regulations.
This is an iterative process. Once you receive the draft back from your legal team, make the necessary modifications and send an updated draft back to them again. You might have to repeat the process until all the items are resolved. By the end of this step your policy should:
- Comply with industry, federal and state regulations
- Define minimum retention periods
- Define departmental roles and responsibilities
How Do I Implement an Email Retention Policy?
Once you’ve finalized your email retention policy, the next step is to implement it. Below are key considerations when implementing an operational email retention policy.
Automating the process of capturing, storing and, eventually, disposing of emails is the key to an efficient email retention procedure. An email archiving system can automatically retain all emails that users send and receive, as well as dispose of emails according to company policy.
- eDiscovery Capabilities
It’s important to retain emails so they’re accessible to any stakeholder when necessary. Whether it is an auditor, courts during the discovery phase or another employee looking for past information, being able to easily retrieve these emails will save you time and money.
- Litigation Hold
To secure buy-in from both legal and compliance departments, a legal hold procedure that suspends automated disposal for matching messages is non-negotiable.
A truly operational email retention policy should require minimal human intervention because your archiving solution should automatically capture and dispose of emails according to company policy. With that said, it’s important to train your employees on how to use your email archiving solution so that they can access archived emails as needed.
If you use an email archiving solution to manage your email retention policy, restrict employees' ability to create local Personal Storage Table (PST) files on their hard drives (in Outlook this is a Group Policy setting, DisablePst, rather than something the archive can enforce). Mail that survives in PST files past its retention period widens your exposure rather than reducing it: in discovery a court expects you to produce every responsive message that still exists, wherever it is stored, not only those in the archive.
Likewise, your mail server backups should not keep messages longer than the retention period configured in your archiving system; an old backup is as discoverable as the archive itself.
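The disposal logic described in the implementation considerations above (retain per department, freeze anything under legal hold, then purge without manual steps) as an added worked example. This is illustrative code written for this guide, not Intradyn's or any other vendor's engine. The retention periods are taken from the policy template earlier on the page; the hold semantics (a hold freezes every message that satisfies all of its populated criteria), the default period for unlisted departments, and the sample messages and holds are assumptions constructed for the example.

```python
"""Retention-and-hold evaluator for an email archive.

Illustrative code for this guide, not a vendor's engine. Retention periods come
from the policy template; hold semantics, the default period and the sample
data are assumptions made for the example."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipients: Tuple[str, ...]
    department: str          # owning department decides the retention period
    sent: date
    subject: str
    body: str


@dataclass(frozen=True)
class LegalHold:
    """Freezes every message satisfying ALL populated criteria; unset criteria
    are ignored (assumed semantics; criteria mirror keyword / address / domain /
    date holds as described later in the guide)."""
    name: str
    keywords: Tuple[str, ...] = ()
    addresses: Tuple[str, ...] = ()
    domains: Tuple[str, ...] = ()
    start: Optional[date] = None
    end: Optional[date] = None

    def matches(self, m: Message) -> bool:
        parties = {a.lower() for a in (m.sender, *m.recipients)}
        text = f"{m.subject}\n{m.body}".lower()
        held_domains = {d.lower() for d in self.domains}
        if self.keywords and not any(k.lower() in text for k in self.keywords):
            return False
        if self.addresses and parties.isdisjoint(a.lower() for a in self.addresses):
            return False
        if self.domains and not any(p.rsplit("@", 1)[-1] in held_domains for p in parties):
            return False
        if self.start and m.sent < self.start:
            return False
        if self.end and m.sent > self.end:
            return False
        return True


# Years from the policy template. Departments not listed get the longest period
# in the policy (assumption: err toward keeping, never toward deleting).
RETENTION_YEARS = {"Information Technology": 3, "Customer Support": 3, "Human Resources": 7}
DEFAULT_YEARS = max(RETENTION_YEARS.values())


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 Feb rolls back to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(m: Message, holds: List[LegalHold], today: date) -> Tuple[str, str]:
    """Return (decision, reason). Holds are tested BEFORE the expiry check, so a
    held message is never marked for disposal, however old it is."""
    active = [h.name for h in holds if h.matches(m)]
    if active:
        return "hold", "; ".join(active)
    expiry = add_years(m.sent, RETENTION_YEARS.get(m.department, DEFAULT_YEARS))
    if today < expiry:
        return "retain", f"expires {expiry.isoformat()}"
    return "dispose", f"expired {expiry.isoformat()}"


def run_purge(messages: List[Message], holds: List[LegalHold], today: date):
    """One automated disposal run: returns the ids to delete plus one audit-log
    line per message, so non-deletions are recorded as well as deletions."""
    to_delete, log = [], []
    for m in messages:
        decision, why = evaluate(m, holds, today)
        log.append(f"{today.isoformat()} {m.msg_id} {decision}: {why}")
        if decision == "dispose":
            to_delete.append(m.msg_id)
    return to_delete, log


# Constructed sample data (not real mail or real matters).
HOLDS = [
    LegalHold("Acme contract dispute", domains=("acme.example",),
              start=date(2019, 1, 1), end=date(2021, 12, 31)),
    LegalHold("HR grievance 0042", keywords=("grievance",), addresses=("hr@corp.example",)),
]
MESSAGES = [
    Message("m1", "it@corp.example", ("vendor@acme.example",), "Information Technology",
            date(2020, 3, 10), "SOW v2", "Revised statement of work attached."),
    Message("m2", "it@corp.example", ("vendor@other.example",), "Information Technology",
            date(2020, 3, 10), "Patch window", "Saturday 02:00, as agreed."),
    Message("m3", "help@corp.example", ("cust@mail.example",), "Customer Support",
            date(2022, 5, 1), "Ticket 118", "Resolved, thanks."),
    Message("m4", "hr@corp.example", ("j.doe@corp.example",), "Human Resources",
            date(2016, 2, 29), "Your grievance", "Grievance received and logged."),
    Message("m5", "hr@corp.example", ("j.doe@corp.example",), "Human Resources",
            date(2016, 2, 29), "Parking", "Badge renewal due."),
    Message("m6", "it@corp.example", ("vendor@acme.example",), "Information Technology",
            date(2023, 1, 15), "Renewal", "Sent after the hold's date range."),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    ids, audit = run_purge(MESSAGES, HOLDS, TODAY)
    print("\n".join(audit))
    print("deleting:", ids)   # only m2 and m5: expired and not under any hold
```

Two design points worth copying into a real deployment: the hold check runs before the expiry check, never after, and every run writes an audit line for every message, including the ones it kept, so you can later show an auditor why a given message was or was not disposed of.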
Should I Inform My Employees About My Email Retention Policy?
Yes. An email retention policy is only effective when it’s applied across your entire organization, in all departments and at every level. That’s why it’s crucial that all employees are aware of and understand the policy you’ve put in place.
As with any business policy, it’s important that your email retention policy is easy to understand and shared with everyone. Some helpful ways you can spread the word include clearly communicating the changes directly to existing staff members and making sure your employee handbook is updated to reflect the new policy.
How Can I Enforce My Policy Consistently?
Implementing an email retention policy isn’t a one-time occurrence. You’ll need to make sure that it’s updated according to changing regulations and that employees are made aware of these changes.
Additionally, it’s important to maintain compliance with the policy throughout your company. No matter the size of your organization, monitoring this can be at best a tedious task to do all on your own. That’s why it’s always a good idea to have an email archiving solution in place.
How Can I Use an Email Archiving Solution to Proactively Monitor Communications?
With an email archiving solution in place, you can set up rules that scan all outgoing and incoming email, attachments included, for particular keywords or patterns. This lets your compliance team get ahead of emails that could harm your company, whether internally, as a result of employee behavior, or externally, through the unauthorized release of sensitive or privileged information. Plain keyword rules generate false positives, so each rule should carry a validation step or a condition (such as "only when a recipient is outside the company") that narrows it to the cases you actually want reviewed.
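As an added example of the kind of rule set the paragraph above describes (written for this guide; it is not Intradyn's rules engine, whose configuration the page does not show), the scanner below evaluates an outbound message against three constructed rules: a card-number rule that fires only when the digits pass a Luhn check, so that order numbers do not trip it; a privileged-material keyword rule; and an internal-only marking that matters only when a recipient is outside the company. The rule names, the internal domain corp.example, the assumption that attachment text has already been extracted upstream, and the sample message are all assumptions made for the example.

```python
"""Outbound-mail rule scanner. Illustrative code for this guide, not a vendor's
rules engine; rules, internal domain and sample message are assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str                                        # matched case-insensitively
    action: str = "flag"                                # "flag": alert compliance; "quarantine": hold delivery
    validator: Optional[Callable[[str], bool]] = None   # extra check on each raw match (cuts false positives)
    external_only: bool = False                         # fire only if a recipient is outside the company


@dataclass(frozen=True)
class OutboundMessage:
    sender: str
    recipients: Tuple[str, ...]
    subject: str
    body: str
    attachments: Dict[str, str]   # filename -> text extracted upstream (assumption)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def looks_like_card(raw: str) -> bool:
    digits = re.sub(r"\D", "", raw)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask(raw: str) -> str:
    """The alert itself must not re-leak the number: keep only the last four digits."""
    digits = re.sub(r"\D", "", raw)
    return "*" * (len(digits) - 4) + digits[-4:]


RULES = (
    Rule("PAN in clear text (PCI DSS)", r"\b\d(?:[ -]?\d){12,18}\b",
         action="quarantine", validator=looks_like_card),
    Rule("privileged material", r"\b(attorney[- ]client|privileged and confidential)\b"),
    Rule("internal-only content to external recipient", r"\binternal use only\b",
         external_only=True),
)


def has_external_recipient(msg: OutboundMessage, internal_domains) -> bool:
    return any(r.rsplit("@", 1)[-1].lower() not in internal_domains for r in msg.recipients)


def scan_message(msg: OutboundMessage, rules=RULES,
                 internal_domains=("corp.example",)) -> List[tuple]:
    """Return (rule, action, location, evidence) for every hit; attachment text
    is scanned alongside the subject and body."""
    external = has_external_recipient(msg, internal_domains)
    sources = [("subject", msg.subject), ("body", msg.body)] + list(msg.attachments.items())
    findings = []
    for rule in rules:
        if rule.external_only and not external:
            continue
        rx = re.compile(rule.pattern, re.IGNORECASE)
        for where, text in sources:
            for hit in rx.finditer(text):
                raw = hit.group(0)
                if rule.validator and not rule.validator(raw):
                    continue          # e.g. a 16-digit order number that fails Luhn
                evidence = mask(raw) if rule.validator else raw
                findings.append((rule.name, rule.action, where, evidence))
    return findings


def verdict(findings) -> str:
    """Most severe action wins: quarantine > flag > deliver."""
    if any(action == "quarantine" for _, action, _, _ in findings):
        return "quarantine"
    return "flag" if findings else "deliver"


# Constructed sample message (not real mail). 4111 1111 1111 1111 is the
# well-known Visa test number; 1234 5678 9012 3456 fails the Luhn check.
SAMPLE = OutboundMessage(
    sender="agent@corp.example",
    recipients=("partner@other.example",),
    subject="Refund for order 1234 5678 9012 3456",
    body="Card used: 4111 1111 1111 1111. This note is INTERNAL USE ONLY.",
    attachments={"memo.txt": "Privileged and Confidential: attorney-client draft"},
)

if __name__ == "__main__":
    hits = scan_message(SAMPLE)
    for hit in hits:
        print(hit)
    print("verdict:", verdict(hits))   # quarantine
```

The validator hook is what keeps the card rule usable: a bare 16-digit regex would quarantine every message containing an order or tracking number, and the compliance team would stop reading the alerts.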
Why Else Should I Invest in an Email Archiving Solution?
An email archiving solution is good for much more than monitoring communications. Here are a few more reasons why you should have one in place:
An email archiving platform’s automations enable you to take a “set it and forget it” approach to email retention. All you have to do is create your policy according to the legal parameters you’re obligated to follow, apply it to the correct subset of emails and then let the software take care of retaining and removing those emails accordingly.
By allowing your email archiving software to delete emails with expired policies automatically, you also remove the opportunity for human error and the liability that comes with it, provided the deletion job checks for active legal holds before it removes anything.
- Thorough Searching Capabilities
Archiving solutions typically feature advanced search capabilities so you can instantly retrieve the exact communication you’re looking for from millions of archived emails. Having fuzzy and proximity searching capabilities based on keywords gives you more power to retrieve specific communications, whether they exist in the body of an email or within an attachment.
- Creating Legal Holds
Sometimes, you will need to put a legal hold on an individual email or set of emails. Intradyn’s Email Archiving Solution provides easy steps to place legal holds based on keywords, email addresses or domains, dates and other criteria.