1-800-284-4156
Company Blog Support

Email Archiving Blog

Compliance, eDiscovery and Email Management

Everything to Know About Email Retention Laws

(Please note: The information presented in this article is not legal advice. It is meant for educational and planning purposes only. Please consult with your legal counsel for any issues related to email retention laws.)

Archiving email, when done without advanced technology, requires a tremendous amount of time and resources for businesses. While archiving email is time-consuming, it’s absolutely necessary as a result of federal, state and industry email retention laws.

Retention periods will vary dependent upon the laws and regulations that govern your specific business functions. Modern email retention laws require all organizations to quickly execute a legal hold on archived email and provide data in the case of litigation. Failure to comply often results in sanctions, fiscal penalties, and damage of your organizations’ reputation in the public eye.

“Modern email retention laws require all organizations to quickly execute a legal hold on archived email and provide data in the case of litigation.”

Origin of Email Retention Law

These demanding email archiving regulations, in which essentially nothing electronic that might be relevant for litigation can be deleted, began further back than many realize.

The need for email retention laws didn’t truly solidify until December 2006, when the Federal Rules of Civil Procedure were significantly revised. This revision marked the tenth-time changes were made to the laws since their establishment in 1938. (Cornell’s law school has an excellent index and explanation of the rules here.)

The revisions meant that everything electronic (emails, directives, files, communication and requests) would now have to be retained — which means if the courts request any kind of electronically stored information and you don’t have it, you have a potentially devastating legal problem on your hands.

Check out our full demo to see how we’re helping businesses comply with retention laws.

Current Federal Laws for Archiving

The laws that led to our current email archiving requirements began as early as 1950, and a survey of each major development provides a complete picture of what kind of documents must be maintained according to federal law.

In 2006, the federal government expanded the definition of “document” to include all electronically stored information. From the perspective of the federal government, this means that electronically stored information must now be governed in the same way paper document retention was governed. As such, email archiving regulations now included these 20th century laws.

 

Year Federal Law Legal Framework
1950 Federal Laws for Handling Federal Documents The National Archives and Records Administration established that anyone handling federal records must keep all such records indefinitely unless NARA allows their destruction. 

This now includes any kind of electronically stored information.

1964 Federal Laws for Job Application Records to Prevent Discrimination The Civil Rights Act of 1964 – along with the Americans with Disabilities Act and Age Discrimination in Employment Act passed later — has rules requiring that specific employment-application files must be maintained. This would include:

  • Policy and procedures about the job selection process and job notices
  • Physical-examination checks
  • Applications
  • References
1965 Federal Laws for Records Related to Workplace-Fairness Claims In 1965, Executive Order 11246 was issued. It requires that:

  • Any person, organization or company that has done the documentation of good faith compliance on issues related to workplace-fairness (i.e., doing their best to meet those requirements even when there are errors or shortcomings with their technology and procedures) must keep all related documentation for two years.
  • Any claims filed that have to do with the payroll-related Fair Labor Standards Act must keep all related documentation three years after the settlement date.

Of course, state laws might have different lengths and requirements and should be examined in addition to these federal requirements.

This now includes any kind of electronically stored information related to workplace fairness.

1967 Freedom of Information Act Governing Records of All Federal, State and Local Agencies All such agencies must retain their documents, which now includes emails.
1970 Federal Laws About Retaining Records Related to Workplace Safety Any documents related to employee safety, training, complaints and procedures — as outlined in the Occupational Safety and Health Act for businesses — must be kept for two years after the employee has left or after any incident.

This now includes any kind of electronically stored information related to workplace safety training, complaints, procedures or incidents.

1986 Federal Laws for Immigration Documents According to the Immigration Reform and Control Act of 1986, all I-9 forms that verify a person’s right to work in the United States must be kept for three years after either:

  • The hiring date; or
  • One year after their employment ends, whichever is later.

This now includes any kind of electronically stored I-9 information.

1997 The IRS Broadens Its Record Retention Laws to Include All Electronic Communications The Internal Revenue Service requires businesses to keep every record related to finances and employees for three years after the tax season.

Procedure 97-22 in 1997 defined this as both paper and electronic. In this case, the IRS was ahead of its time in defining “document” to include all electronic information.

1999 Gramm-Leach-Bliley Act Passed to legalize certain kinds of mergers, this act also mandated the banks and firms retain their documents, including email.
2002 The Sarbanes-Oxley Act Establishes Restrictions on Document Destruction This Act prohibits any kind of document destruction after the government makes an inquiry related to a criminal offense; this includes businesses, organizations, nonprofits and individuals.

Publicly traded companies must also indefinitely keep any documents related to insider dealings.

Companies that operate as federal contractors must maintain the same record retention policies that the federal government practices.

This now include any kind of electronically stored information.

2006 The Federal Rules of Civil Procedure These rules have been significantly revised since their establishment in 1938; they expand document retention to include all ESI (electronically stored information).

Penalties for Violating Email Retention Laws

As explained in this analysis of the landmark Qualcomm vs. Broadcom court case, if a federal court orders electronically stored information related to any of the federal laws listed above and you are not able to produce them, there can be dramatic consequences.

Improper ESI management can result in a finding of spoliation of evidence by the court, and the imposition of one or more sanctions. These include, but are not limited to, adverse inference jury instructions, summary judgment, monetary fines and other sanctions. In some cases, such as Qualcomm v. Broadcom, attorneys can be brought before the bar and their livelihood put at risk.

Email Retention Laws in the 50 States

Although the federal government’s laws on retaining electronically stored information affect every business, the states also have their own variations of these laws for every industry.

Most laws require periods of email retention between three to seven years on average (with some requiring indefinite retention), as seen in the “Industry” section below.

However, after verifying that you’ve satisfied all federal email retention requirements, always consult with legal counsel about specific laws within your state and local governments as it applies to your industry and position before deleting emails.

Email Retention Laws by Industry

The following list (as featured in our earlier blog post on this topic) gives a quick summary of how long industries should retain their emails, which would include incoming, outgoing and internal emails

The list also shows which law or regulation governs the rule:

 

Industry Regulatory Organization # of Years Required for Retention
Credit Card and Related Processing Companies PCI DSS One year
Telecommunication FCC (Title 47, Part 2) Two years
All Federal, State and Local Agencies FOIA (Federal and State) Three years
DOD Contractors DOD 5015.2 Three years
Banking FDIC Five years
Pharmaceuticals, Biological Products and Food Manufacturers Seven years
All Companies IRS Seven years
All Public Companies Sarbanes Oxley (SOX) Seven years
Bank and Finance Firms Gramm-Leach-Bliley Act Seven years
Healthcare HIPAA Seven years
Investment Advisers SEC 204-2 Seven years to lifetime
Securities Firms, Investment Bankers, Brokers and Dealers and Insurance Agents SEC 17a(3) and 17a(4) Seven years to lifetime

Although these are general guidelines, the length of time required for retaining emails can vary within each industry. Any information in this article is not legal advice but is meant for educational and planning purposes. You must consult your legal, compliance, IT and management teams to confirm the exact requirements for your position.

Email Retention Laws Internationally

General Data Protection Regulation (GDPR), which was approved in April 2016, is a regulation in European Union (EU) law on data protection and privacy for all individuals within the EU and the European Economic Area (EEA).

The GDPR has created a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply. It also addresses the export of personal data outside the EU and EEA areas.

The GDPR aims to give EU citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Companies that collect data on citizens in EU countries now need to comply with strict new rules around protecting customer data, effective since May 25, 2018.

The GDPR replaces the Data Protection Directive, which was enacted in 1995, before social media, instant messaging and other collaborative applications helped to create the day-to-day business hub into which the internet has morphed. The GDPR looks to close that gap to protect the privacy and security of data collected by organizations on individuals with today’s communications tools.

The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. These standards are quite high and will require most companies to make a large investment to meet and to administer the new regulatory standards.

Another rule will make it mandatory for companies to notify their data protection authority about a data breach within 72 hours of first becoming aware of it. The data processor will need to notify customers “without undue delay” after learning of the breach.

The GDPR should also be seen against the wider context of high profile data breaches which businesses from banking and finance to healthcare and telecommunications have suffered in recent years. These data breaches have ranged from the deployment of ransomware, malicious insider activity or, most commonly, the loss of data through the lack of oversight of employee activities and inadequate procedures and training.

Now that GDPR has become law, businesses and organizations need to ensure that they pay attention to the stipulations of the new regulations, and to make sure that their email communications are compliant. Here are some of the things a business or organization needs to think about when sending or archiving emails, or otherwise face the imposition of significant fines:

  • Personal data can only be held and processed for as long as is necessary for a specific purpose.
    • This necessitates careful consideration of how long archived emails need to be kept, further emphasizing the need for a concrete, thorough email retention policy.
  • Email contact cannot be made with clients without prior consent.
    • Consent needs to be explicit and informed.
    • Once consent is received it can only be used for that specific reason.

Are You Prepared?

If your organization is sued, are you prepared to provide records of all communications and transactions conducted by certain individuals – whether communications, emails, directives, files or requests?

Can you produce them within a specific timeframe and identify the records that are tied to a particular issue?

If you don’t have the technology in place to do an advanced and expedient email archive search, the problem could lead to legal trouble or, at least, a tremendous amount of employee hours and resources wasted on complying with court orders.

Our solutions can handle the most advanced archiving and searching challenges with ease. Contact us for helpful information about email retention laws and to learn more about our robust email archiving technology.

Questions to Ask
Before Buying an Archiving Solution