Handling Work Email After Employee Termination or Resignation

It likely goes without saying that once an employee has left your company, you’ll want to disable their email account immediately after. Organizations run a real risk by leaving former employees’ accounts active, as employees who have resigned or been terminated could:

• Use their former company’s contact list to reach out to and steal clients
• Intentionally send out malicious information or spread information using a company email address
• Steal or share confidential company or client information
• Intentionally or accidentally delete important files and data
• Accidentally expose their former employer to the risk of an external data breach

Leaving former employees’ accounts active can also increase your operating expenses, as you’re continuing to pay for licenses and services you no longer need. These risks and expenses make it clear that an employer needs to disable an employee’s work email soon after termination or resignation.

When disabling or deactivating a former employee’s email account, it’s important not to jump straight to deleting their emails. After all, a terminated employee’s deleted emails could contain business-critical information that you might need to access at a later point in time.

Those emails might also hold information that’s necessary for eDiscovery or compliance purposes. For example, you might need to include a former employee’s emails in an eDiscovery request when investigating employee misconduct or preparing for litigation.

On the compliance side, certain laws and regulations require organizations to retain electronic communications and other records for a specified period of time and even reproduce these files upon request, as is the case with the Freedom of Information Act and the Family Educational Rights and Privacy Act.

Being too hasty about deleting an employee’s work emails after their termination or resignation can cause issues for your organization further down the road, so it’s in your best interest to find a centralized location to store those emails after you’ve disabled an employee’s account. An email archiving solution can provide long-term storage, and many archivers offer advanced security features such as encryption, multi-factor authentication and custom user permissions to help keep sensitive information safe.

Whether management has decided to sever ties with an employee, or an employee is leaving your company to pursue another opportunity, it’s important to follow the same basic process for disabling their email account to ensure that all your bases are covered:

1. Conduct an exit interview. This will not only help you better understand the reason(s) why an employee is choosing to leave your company (assuming they resigned), but it will also enable you to see which of their projects were in progress and which deliverables were outstanding. Once you have this information, you can follow up on any emails related to those projects or deliverables to prevent any balls from being dropped.
2. Change the password on the account. By restricting a former employee’s access to their mailbox, you can prevent them from obtaining confidential information, stealing clients or spreading misinformation using a company email address.
3. Set an autoresponder. It’s common practice to leave a former employee’s work email active for a period of one to three months after their termination, if only to avoid missing any important communications. Setting up an autoresponder explaining that the employee in question is no longer with your company and who the sender should contact, instead, eliminates any potential confusion.
4. Forward all incoming emails to an appropriate party. Most companies choose to forward these emails to the former employee’s manager or to their IT team. The designated party can then follow up on any incoming requests, or anything else that might require immediate action.
5. Audit all account activities. Keep an eye out for any unusual activity, such as copying files in bulk, attempts to access unauthorized information, attempts to install unapproved software and so on. If you detect any abnormalities, be sure to take swift action to address the issue and mitigate risk.
6. Archive all emails using a third-party platform. Archiving a former employee’s emails can help ensure regulatory compliance, make it easier to respond to eDiscovery requests and prevent you from accidentally deleting important company or customer data.
7. Delete the mailbox. Once the predetermined active window comes to an end and you’ve done your due diligence to ensure that all business-critical information is securely stored, you’re ready to delete the former employee’s email account.

Q: How long do I need to store an employee’s emails following their resignation or termination?

A: There are different retention requirements regarding employee files and records, all of which vary based on the type of record. For example, the U.S. Equal Employment Opportunity Commission requires employers to retain all personnel or employment records for a period of one year, while the Fair Labor Standards Act requires employers to retain all payroll records and sales and purchase records for a period of at least three years.

What’s less clear is how long employers are expected to retain the emails of employees who have resigned or been terminated. The best way to determine how long to retain a former employee’s emails is to first check which laws or regulations you’re subject to.

Certain laws and regulations include specific language about email retention; those can serve as a helpful compass when developing your own terminated employee email policy. It may be the case that you need to retain certain emails longer than others, depending on their contents. Once you’ve defined your retention period(s), be sure to have your legal team review it to ensure that everything is above board and compliant.

Develop Your Terminated Employee Email Policy

Our free data retention plan template makes it easy to create a custom retention policy for former employees’ emails and communicate expectations with your team.

Download our Data Retention Policy Template 

Q: Can a former employee’s emails still be used for eDiscovery purposes?

A: Yes, a former employee’s emails can be used for eDiscovery. In fact, it’s quite a common practice, especially in public offices — take, for example, former Secretary Hillary Clinton’s highly publicized email saga. Keeping this in mind, it’s important to develop a terminated employee email policy to protect your organization against liability.

Q: Do regulations such as GDPR prevent employers from accessing an employee’s emails after that employee has left the company?

A: The answer to this question varies based on the specific regulation.

The General Data Protection Regulation (GDPR), in particular, enables citizens of the European Union and the greater European Economic Area to exert control over how their personal data is used; it also enables these citizens, known as “data subjects,” to rescind access to their personal data. This creates a bit of a gray area for employers, especially in situations where an employee has used their work email account for both business and personal reasons.

Some measures you can take to reduce your risk include:

• Documenting your employee privacy policy (with attention to email)
• Documenting your internal processes for disabling work email after termination
• Creating generic accounts (such as sales@yourcompany.com) to handle client requests and communications after their main point of contact has left your company