Creating an Email Archiving Policy

You should create an email archiving policy covering all email data that is sent and received by your organization to ensure compliance with government and industry regulations. Even if you are not in a highly regulated industry such as finance or healthcare, you will need to retain email data for compliance.

Having a formal email archiving policy eliminates the potential for error, which could prove extremely costly. Failure to produce emails for eDiscovery or compliance audits can result in significant financial penalties.

Creating a Structured Email Archiving Policy

Informal email archiving policies can be used that rely on the discretion of employees to add all appropriate emails to the archive. This approach will certainly save money on storage, but it is not without risk. A single employee's mistake is all it takes to place the organization at risk of a substantial fine. Having an informal policy of saving every email means you will end up paying for storage that may not be needed. This is a less risky approach but is far from ideal. User discretion policies are best avoided in favor of a structured and automated email archiving policy covering different data types.

When you create your email retention policy you will need to work closely with your IT, legal, compliance, and HR departments, as input will be required from each to create a policy that meets all business needs. This is likely to take some time, but the effort put in at the start will ensure headaches and costs are avoided in the future.

The best place to start when creating your policies is to determine the legal requirements for data retention for each data type. Email retention periods differ considerably from country to country and for different regulations, which exist at the federal, state, local, and industry level.

You will also need to ensure that you retain emails to meet eDiscovery requirements, which apply at both the state and federal levels and are stipulated in legislation such as the U.S. Patriot Act, Federal Rules of Civil Procedure (FRCP), and Freedom of Information Act (FOIA). You should seek advice from your legal team on the retention periods required to comply with these laws. To help you get started, we have listed some of the legal email retention requirements below:

Legislation | Who the Regulations Cover | Minimum Email Retention Period
Internal Revenue Service (IRS) Regulations | All companies | 7 years
Sarbanes-Oxley Act (SOX) | All public companies | 7 years
Gramm-Leach-Bliley Act | Banks and financial institutions | 7 years
Health Insurance Portability and Accountability Act (HIPAA) | Healthcare providers, health insurers, healthcare clearinghouses, and business associates of HIPAA-covered entities | 6 years for policies; 2 years for data relating to the death of a patient; data relating to a child's healthcare until the child is 21 years old
Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents, and securities companies | Minimum of 7 years, up to a lifetime
Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 years
Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | 5 years to 35 years
U.S. State Laws (financial records) | All companies | Variable, but mostly 3 years
Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 years
Department of Defense (DOD) Regulations | DOD contractors | 3 years
Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 years
Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 year
E.U. General Data Protection Regulation (GDPR) | All entities doing business with E.U. citizens | Only as long as there is a legal basis to do so

The easiest option when creating an email archiving policy is to determine the minimum email retention requirements and set your policy to the longest of those periods, but this should be avoided. Retaining all emails for 7 years, for example, will be costly and could also increase legal risk. A good best practice is to retain each category of email only for its minimum legal retention period. You should configure your email archiving solution to delete emails automatically when the retention period expires, unless the data has been placed on legal hold.
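The retention rule described above (per-category minimum periods, automatic deletion on expiry, legal hold overriding deletion) can be expressed as a small policy evaluator. The following is an added example written for this article; it is not ArcTitan's code or part of the original page. The category names, the retention years (taken from the table above), the message fields, and the sample archive are all constructed for the example; the real category-to-period mapping must come from legal and compliance review.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention periods in years per regulatory category. Constructed for this
# example from the table above; real values are set by legal/compliance.
RETENTION_YEARS = {
    "sox": 7,           # Sarbanes-Oxley, public companies
    "hipaa_policy": 6,  # HIPAA policies
    "fdic": 5,
    "foia": 3,
    "fcc": 2,
    "pci_dss": 1,
}


@dataclass
class Message:
    msg_id: str
    received: date
    categories: frozenset   # regulatory tags applied at ingest (assumed field)
    legal_hold: bool = False


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(msg: Message) -> Optional[date]:
    """Date from which the message may be deleted.

    Returns None when the message has no category or an unknown one: the job
    fails closed and never computes an expiry it cannot justify.
    """
    if not msg.categories or any(c not in RETENTION_YEARS for c in msg.categories):
        return None
    # When several regulations apply, the longest period governs that message.
    years = max(RETENTION_YEARS[c] for c in msg.categories)
    return add_years(msg.received, years)


def disposition(msg: Message, today: date) -> str:
    """'hold'   - legal hold overrides every other rule
    'review' - unknown/missing category: keep and escalate to compliance
    'delete' - retention period has expired
    'retain' - still inside the retention period"""
    if msg.legal_hold:
        return "hold"
    expiry = retention_expiry(msg)
    if expiry is None:
        return "review"
    return "delete" if today >= expiry else "retain"


def run_retention_job(messages, today: date) -> dict:
    """Map each message id to its disposition; the archive acts only on 'delete'."""
    return {m.msg_id: disposition(m, today) for m in messages}


# Constructed sample archive.
SAMPLE = [
    Message("m1", date(2015, 3, 1), frozenset({"sox"})),
    Message("m2", date(2015, 3, 1), frozenset({"sox"}), legal_hold=True),
    Message("m3", date(2021, 6, 15), frozenset({"pci_dss", "sox"})),
    Message("m4", date(2021, 6, 15), frozenset({"pci_dss"})),
    Message("m5", date(2020, 2, 29), frozenset({"pci_dss"})),
    Message("m6", date(2010, 1, 1), frozenset({"unknown_reg"})),
]

if __name__ == "__main__":
    for mid, action in run_retention_job(SAMPLE, date(2023, 1, 1)).items():
        print(mid, action)
```

Two design points matter for a defender: the legal-hold check runs before any date arithmetic, so a hold can never be bypassed by a mis-tagged date, and an uncategorised message is retained and flagged rather than deleted, because a wrongful deletion cannot be undone while an over-retained message can still be reviewed later.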

ArcTitan Cloud

ArcTitan Cloud is a 100% cloud-based email archiving solution from TitanHQ that simplifies email archiving and allows you to easily apply your email archiving policy and comply with all legal obligations.

ArcTitan Cloud is a cloud-native email archiving solution that is fully compatible with all operating systems and email services and is scalable up to 60,000 mailboxes. ArcTitan supports imports and exports of email data in a wide range of data formats, with email data protected by end-to-end encryption in transit and encryption at rest in a data center certified to the IL5 standard.

If you are looking for a secure, low-cost, easy-to-use email archiving solution, give the TitanHQ team a call to find out more about ArcTitan Cloud. Product demonstrations can be requested, and you are welcome to trial the solution free of charge.