Creating an Email Archiving Policy

You should create an email archiving policy covering all email data that is sent and received by your organization to ensure compliance with government and industry regulations. Even if you are not in a highly regulated industry such as finance or healthcare, you will still need to retain certain types of email data for compliance and will need to create a formal policy for archiving emails.

Having a formal email archiving policy will eliminate the potential for error, which could prove extremely costly. Failure to produce emails for eDiscovery or compliance audits can result in significant financial penalties.

Creating a Structured Email Archiving Policy

Informal email archiving policies that rely on the discretion of employees to add all appropriate emails to the archive can be used. This approach will certainly save money on storage, but it is not without risk. It only takes one employee making a mistake to place the organization at risk of a substantial fine. Having an informal policy of saving every email means you will end up paying for storage that may not be needed. This is a less risky approach but is far from ideal. User discretion policies are best avoided in favor of a structured and automated email archiving policy covering different data types.

When you create your email retention policy you will need to work closely with your IT, legal, compliance, and HR departments, as input will be required from each to create a policy that meets all business needs. This is likely to take some time, but the effort put in at the start will ensure headaches and unnecessary costs are avoided in the future.

The best place to start when creating your policies is to determine the legal requirements for data retention for each data type. Email retention periods differ considerably from country to country and for different regulations, which exist at the federal, state, local, and industry level.

You will also need to ensure that you retain emails to meet eDiscovery requirements, which apply at both state and federal level and are stipulated in legislation such as the U.S. Patriot Act, Federal Rules of Civil Procedure (FRCP), and the Freedom of Information Act (FOIA). You should seek advice from your legal team on the retention periods to comply with these laws. To help you get started, we have listed some of the legal email retention requirements below:

Email Retention Legislation in the United States

| Legislation | Regulations Cover… | Minimum Email Retention Period |
| --- | --- | --- |
| Internal Revenue Service (IRS) Regulations | All companies | 7 Years |
| Sarbanes Oxley Act (SOX) | All public companies | 7 Years |
| Gramm-Leach-Bliley Act | Banks and Financial Institutions | 7 Years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare providers, health insurers, healthcare clearinghouses, and business associates of HIPAA-covered entities | 6 Years for policies, 2 years for data relating to the death of a patient, and data relating to a child’s healthcare until the child is 21 years |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents & securities companies | Minimum of 7 years up to a lifetime |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 Years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | 5 Years – 35 Years |
| U.S. State Laws (Financial records) | All companies | Variable, but mostly 3 Years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 Years |
| Department of Defense (DOD) Regulations | DOD contractors | 3 Years |
| Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 Years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 Year |
| E.U. General Data Protection Regulation (GDPR) | All entities doing business with E.U. Citizens | Only as long as there is a legal basis to do so |

The easiest option when creating an email archiving policy is to determine the minimum email retention requirements and set your policy to meet the longest retention period, but this should be avoided. It will be costly to retain all emails for 7 years, for example, and it could also increase legal risk. Best practice is to retain emails only for the minimum legal retention period. You should configure your email archiving solution to delete emails automatically when the retention period expires, unless the data has been placed on legal hold.

ArcTitan Cloud

ArcTitan Cloud is a 100% cloud-based email archiving solution from TitanHQ that simplifies email archiving and allows you to easily apply your email archiving policy and comply with all legal and regulatory obligations.

ArcTitan Cloud is a cloud-native email archiving solution that is fully compatible with all operating systems and major email services and mail clients. The solution is scalable up to 60,000 users, with essentially no limits on storage space, and, in contrast to many email archiving services, you only pay for the number of active users.

ArcTitan supports imports and exports of email data in a wide range of data formats, with email data protected by end-to-end encryption in transit and encryption at rest in a data center certified to the IL5 standard. Archives are stored on Replicated Persistent Storage on AWS S3, with automated backups of the archive performed.

ArcTitan acts as a black box flight recorder for email, creating a tamper-proof copy of all emails with a full audit trail maintained. The solution supports policy-based access rights and role-based access, and integrates with LDAP and Active Directory for easy access configuration. Once your email retention policies have been defined, ArcTitan really is a set-and-forget solution.

When you need to access the archive to find emails and attachments, searching is a quick and simple process. Intuitive, super-fast search screens allow searches to be performed at a rate of 30 million emails a second. Multiple searches can be performed simultaneously, messages and attachments are scanned in the same search, searches can be combined and saved, and search data can be viewed or exported in all common data formats.

If you are looking for a secure, low-cost, easy-to-use email archiving solution, give the TitanHQ team a call to find out more about ArcTitan Cloud. Product demonstrations can be requested, and you are welcome to trial the solution free of charge for 14 days in your own environment, with full product support provided throughout the trial as if you were already a customer.

Frequently Asked Questions (FAQs)

What are the main advantages of archiving email?

An email archive allows you to retain a tamper-proof copy of all important emails for compliance and protects against data loss. In contrast to backups, archives can be searched and emails retrieved in seconds. You can save up to 80% of storage space with an archive, improve the performance of your mail server, and eliminate PSTs, which can be a compliance risk. An archive also makes eDiscovery requests painless.

Is cloud email archiving more cost effective?

Email archiving in the cloud can be a much more cost-effective option than on-premises email archiving. The up-front costs are much lower as there is no need to purchase hardware. There is no need to pay to maintain expensive hardware, and storage is cheaper. For most SMBs, especially those that lack the IT infrastructure and skilled in-house staff, the cloud offers a better option for a fixed, low monthly payment.

How much does a cloud-based email archiving solution cost?

ArcTitan is a cloud-based email archiving solution that requires no hardware purchases, so the upfront costs are low. You simply pay for the number of active monthly mailboxes. There are no additional costs, no limits on storage space, and the solution will grow with your company. The 2021 monthly per user cost with ArcTitan starts at $2.92 (based on 100 users).

Is email archiving GDPR compliant?

An email archiving solution can be made GDPR compliant, but it will not be compliant by default. You must only retain the personal data of EU residents for as long as there is a legal basis to do so, and you must ensure that requests to access and delete personal data are processed quickly. An email archiving solution can help you in this regard, as you can quickly, easily, and efficiently search the archive and retrieve/delete data.

What are the problems with Office 365 email archiving?

Office 365 email archiving is a basic email archiving solution with limited functionality. The solution has In-Place Hold, Litigation Hold and In-Place Discovery for compliance, but the email retention policy is basic and users have control over their archives, which can result in data loss. Searching archives is also limited to 250 results, and attachments must be searched separately, so searching can be slow. You also have to pay for all mailboxes, even if users leave the company.