(Please note: The information presented in this article is not legal advice. It is meant for educational and planning purposes only. Please consult with your legal counsel for any issues related to email retention laws.)
Archiving email without purpose-built tooling consumes a tremendous amount of time and resources. Time-consuming as it is, archiving is unavoidable, because federal, state and industry email retention laws require it.
Retention periods vary with the laws and regulations that govern your specific business functions. Once litigation is reasonably anticipated, an organization must be able to place a legal hold on archived email promptly and produce the relevant data when ordered. Failure to comply often results in court sanctions, fiscal penalties and damage to your organization's public reputation.
Origin of Email Retention Law
These demanding email archiving regulations, under which essentially no electronic record that might be relevant to litigation can safely be deleted, began further back than many realize.
The need for email retention laws did not truly solidify until December 2006, when the Federal Rules of Civil Procedure were significantly revised. That revision was the tenth set of changes to the rules since their establishment in 1938. (Cornell Law School's Legal Information Institute maintains an excellent index and explanation of the rules.)
The revisions made electronically stored information (ESI) of every kind (emails, directives, files, communications and requests) expressly subject to discovery, so it must be preserved once litigation is reasonably anticipated. If a court orders production of ESI and you cannot produce it, you have a potentially devastating legal problem on your hands.
Current Federal Laws for Archiving
The laws that led to today's email archiving requirements began as early as 1950, and a survey of each major development gives a complete picture of which documents federal law requires you to keep.
In 2006 the federal rules expanded the notion of a discoverable "document" to include all electronically stored information. From the federal government's perspective, ESI must now be governed the same way paper records were. As a result, each of the 20th-century record-keeping laws below now reaches email and other ESI.
| Year | Federal Law | Legal Framework |
|---|---|---|
| 1950 | Federal Records Act (handling of federal records) | Under the Federal Records Act, federal records may not be destroyed unless the National Archives and Records Administration (NARA) authorizes their disposition; otherwise they must be kept. This now includes any kind of electronically stored information. |
| 1964 | Job-application records (anti-discrimination) | The Civil Rights Act of 1964, together with the later Age Discrimination in Employment Act and Americans with Disabilities Act, requires that specific employment-application files be maintained. This would include: |
| 1965 | Records related to workplace-fairness claims | Executive Order 11246 was issued in 1965. It requires that: This now includes any kind of electronically stored information related to workplace fairness. |
| 1967 | Freedom of Information Act (federal agencies; states have their own public-records laws covering state and local agencies) | Enacted in 1966 and effective in 1967, FOIA requires federal agencies to retain the records subject to disclosure, which now includes email. |
| 1970 | Records related to workplace safety | Documents related to employee safety, training, complaints and procedures, as outlined in the Occupational Safety and Health Act, must be kept for at least two years after the employee has left or after any incident; some OSHA records carry longer periods (injury and illness logs five years, exposure records thirty years). This now includes any kind of electronically stored information related to workplace safety training, complaints, procedures or incidents. |
| 1986 | Immigration documents | Under the Immigration Reform and Control Act of 1986, all I-9 forms verifying a person's right to work in the United States must be kept for three years after either: This now includes any kind of electronically stored I-9 information. |
| 1997 | The IRS broadens its record-retention rules to include electronic records | The Internal Revenue Service requires businesses to keep records related to finances and employees for a baseline of three years after the return is filed (longer in some circumstances). Revenue Procedure 97-22 (1997) made clear that this covers both paper and electronic records; the IRS was ahead of its time in defining "document" to include electronic information. |
| 1999 | Gramm-Leach-Bliley Act | Passed to permit certain kinds of financial-industry mergers, this act also requires banks and financial firms to retain their records, including email. |
| 2002 | The Sarbanes-Oxley Act restricts document destruction | The Act prohibits destroying or altering records with intent to obstruct a federal investigation or proceeding; this applies to businesses, organizations, nonprofits and individuals. Publicly traded companies must also indefinitely keep documents related to insider dealings, and companies operating as federal contractors must follow the same record-retention policies the federal government practices. This now includes any kind of electronically stored information. |
| 2006 | The Federal Rules of Civil Procedure | Significantly revised since their establishment in 1938, the 2006 amendments expand discovery and preservation to cover all ESI (electronically stored information). |

Of course, state laws might set different retention lengths and requirements and should be examined in addition to these federal rules.
Penalties for Violating Email Retention Laws
As the analysis of the landmark Qualcomm Inc. v. Broadcom Corp. case shows, if a federal court orders production of electronically stored information covered by any of the federal laws listed above and you cannot produce it, the consequences can be dramatic.
Improper ESI management can lead the court to find spoliation of evidence and impose one or more sanctions, including adverse-inference jury instructions, summary judgment, monetary fines and other penalties. In some cases, Qualcomm v. Broadcom among them, the attorneys involved can be referred to the state bar and their livelihoods put at risk.
Email Retention Laws in the 50 States
Although the federal government's rules on retaining electronically stored information affect every business, the states also have their own variations of these laws for every industry.
Most laws require email to be retained for between three and seven years (some require indefinite retention), as the "Email Retention Laws by Industry" section below shows.
After verifying that you have satisfied every federal email retention requirement, always consult legal counsel about the specific state and local laws that apply to your industry and role before deleting any email.
Email Retention Laws by Industry
The following table (as featured in our earlier blog post on this topic) summarizes how long each industry should retain its email, including incoming, outgoing and internal messages, and which law or regulation governs the requirement:
| Industry | Regulatory Organization / Rule | Years Required for Retention |
|---|---|---|
| Credit card and related processing companies | PCI DSS | One year |
| Telecommunications | FCC (Title 47, Part 2) | Two years |
| All federal, state and local agencies | FOIA (federal and state) | Three years |
| DoD contractors | DoD 5015.2 | Three years |
| Pharmaceuticals, biological products and food manufacturers | | Seven years |
| All companies | IRS | Seven years |
| All public companies | Sarbanes-Oxley (SOX) | Seven years |
| Banks and finance firms | Gramm-Leach-Bliley Act | Seven years |
| Investment advisers | SEC Rule 204-2 (Investment Advisers Act) | Seven years to lifetime |
| Securities firms, investment bankers, brokers and dealers, and insurance agents | SEC Rules 17a-3 and 17a-4 | Seven years to lifetime |
Although these are general guidelines, the length of time required for retaining emails can vary within each industry. Any information in this article is not legal advice but is meant for educational and planning purposes. You must consult your legal, compliance, IT and management teams to confirm the exact requirements for your position.
Email Retention Laws Internationally
The General Data Protection Regulation (GDPR), adopted in April 2016, is the European Union (EU) law on data protection and privacy for individuals within the EU and the European Economic Area (EEA).
The GDPR set a new standard for individuals' rights over their data, and companies face real work putting systems and processes in place to comply. It also governs the transfer of personal data outside the EU and EEA.
The GDPR aims to give EU citizens and residents control over their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU. Companies that process the data of people in EU countries have had to comply with its rules on protecting personal data since it took effect on May 25, 2018.
The GDPR replaced the Data Protection Directive of 1995, which predated social media, instant messaging and the other collaborative applications that turned the internet into the day-to-day hub of business. The GDPR closes that gap, protecting the privacy and security of the data organizations collect on individuals through today's communication tools.
Its provisions are consistent across every EU member state, so a company has a single standard to meet within the EU. That standard is high, and meeting and administering it requires a substantial investment from most companies.
The GDPR also makes breach notification mandatory: the data controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33), a processor must notify the controller without undue delay, and where the breach is likely to result in a high risk to individuals the controller must also notify the affected people without undue delay (Article 34).
The GDPR should also be seen against the wider context of high profile data breaches which businesses from banking and finance to healthcare and telecommunications have suffered in recent years. These data breaches have ranged from the deployment of ransomware, malicious insider activity or, most commonly, the loss of data through the lack of oversight of employee activities and inadequate procedures and training.
Now that the GDPR is in force, businesses and organizations need to pay attention to its requirements and make sure their email communications comply, or face significant fines. Here are some of the things to consider when sending or archiving email:
- Personal data may be held and processed only for as long as is necessary for a specific purpose.
- That requires careful thought about how long archived email needs to be kept, which further emphasizes the need for a concrete, thorough email retention policy.
- Marketing email to individuals needs a lawful basis; where that basis is consent, the consent must be obtained before the email is sent.
- Consent must be freely given, specific, informed and unambiguous.
- Consent covers only the purpose for which it was given; using the data for another purpose needs its own lawful basis.
Are You Prepared?
If your organization is sued, are you prepared to provide records of all communications and transactions conducted by certain individuals – whether communications, emails, directives, files or requests?
Can you produce them within a specific timeframe and identify the records that are tied to a particular issue?
If you don't have the technology in place to run an advanced, fast search of your email archive, you could face legal trouble or, at the least, a tremendous number of employee hours and resources spent complying with court orders.
Our solutions can handle the most advanced archiving and searching challenges with ease. Contact us for helpful information about email retention laws and to learn more about our robust email archiving technology.