We have compiled a quick reference email archiving compliance guide to help you comply with federal, state, and industry regulations regarding email retention.
The Importance of Email Archiving Compliance
All businesses are required to keep records of their business activities. You are required to keep records of revenues, expenses, and taxes for 3-7 years and must produce those records in the event of an audit by the IRS or other tax authority. The failure to produce records such as invoices and receipts could result in a financial penalty.
In the event of legal action, you may be requested to provide copies of a range of documents and electronic communications, including emails. Courts often order companies to provide emails when legal action is taken against a company. If you are unable to produce these records, the consequences can be grave.
Emails can contain a huge amount of important data. Many business decisions are made via email, businesses commit to purchases and communicate financial documents via email, and policies and procedures are often to be found in email accounts. All of those communications need to be stored for several years and in many cases, those documents are stored nowhere else. It is essential for the information in emails to always be available in case it is needed, and for security and to ensure the performance of your mail server does not suffer, email data should be stored separately, in an easily accessible, searchable archive.
Financial Penalties for Email Archiving Noncompliance
Regulatory bodies also require emails to be produced in the event of an audit. If you are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act, or the Gramm-Leach-Bliley Act and are audited and cannot produce the requested email data, financial penalties can be issued and they can be significant.
In 2006, Morgan Stanley delayed producing email data and reportedly deleted email data. The company was fined $15 million by the Securities and Exchange Commission. The Financial Industry Regulatory Authority (FINRA) fined LPL Financial Holdings $7.5 million and a further $1.5 million fund had to be set up to compensate customers for email failures. FINRA also fined Scottrade $2.6 million for significant email retention failures in 2015. Scottrade had failed meet its email archiving compliance responsibilities by not keeping emails in the required format and not retaining certain categories of emails.
Email Archiving Compliance Requirements
You must retain certain categories of emails for a set time period to comply with federal, state, and industry email archiving compliance regulations. The length of time emails must be retained can vary considerably depending on the type of data. Some regulations only require emails to be kept for a year, others require emails to be kept indefinitely. Generally speaking, the retention period for most categories of emails is between 3 and 7 years.
Some of the regulations that require emails to be retained are detained in the table below.
| Legislation | Covered Entities | Minimum Email Retention Period |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 Year |
| Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 Years |
| Department of Defense (DOD) Regulations | DOD contractors | 3 Years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 Years |
| U.S. State Laws (financial records) | All companies | 3 Years (but variable) |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | 5 Years – 35 Years |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 Years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare providers, health insurers, healthcare clearinghouses, and business associates of HIPAA-covered entities | 6 Years |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents & securities companies | 7 years up to a lifetime |
| Gramm-Leach-Bliley Act | Banks and Financial Institutions | 7 Years |
| Sarbanes Oxley Act (SOX) | All public companies | 7 Years |
| Internal Revenue Service (IRS) Regulations | All companies | 7 Years |
How to Securely Store Emails for Compliance
While there are different options available for storing emails securely, an email archiving solution is the best choice. Email archiving compliance solutions automate email archiving and retention and eliminate the potential for human error. Email archives store an exact copy of emails with protections to prevent tampering to preserve the integrity of emails and attachments – an essential requirement for legal compliance.
Email archiving compresses emails and attachments and removes duplicate emails to save on storage space. Implementing an email archive typically saves around 80% on email storage space. Around 1,000 GBs of email data will be compressed and will only require 200 GB of storage space.
After seeking legal advice to determine how long emails need to be retained, you can create your email archiving policy and automate the process to ensure that all sent and received emails and email attachments are sent to the archive. You can set time limits for retention and automatically delete emails once the retention period is reached.
The other key benefit of an email archive is it can be easily searched. Emails are tagged and indexed prior to archiving to ensure that emails can be quickly found when they need to be accessed or recovered.
Choosing an Email Archiving Solution
While it is possible to create an archiving solution for email from scratch, it is a a time consuming and expensive process. Email archiving compliance software is a much more cost-effective solution and can be used to create an archive on existing hardware, in the cloud, or hybrid solutions are possible.
Cloud-based email archiving is now the most popular choice. Cloud-based solutions allow you to move your email data outside of the email system to reduce storage space. You eliminate the possibility of data loss due to hardware failures as email archiving solution providers incorporate a range of safeguards to protect against data loss. They will ensure that your email archive is always accessible and that it is automatically backed up.
Cloud-based email archiving solutions are easy to set up, configure, and use. Searches can be performed quickly when data needs to be found and recovered and the archive can be accessed via your mail client or a web-based interface.
ArcTitan: Email Archiving Compliance Made Simple
ArcTitan from TitanHQ has been developed to make email archiving compliance simple. ArcTitan is a set and forget cloud-based archiving solution that allows you to automate email archiving completely to meet all of your compliance requirements.
ArcTitan has no limits on email storage. As your email archive grows, more storage space is made available; you will never have to worry about running out of space. Regardless of the size of the archive, performance will not be affected. Emails are archived in real time and sent to the archive which is housed in an IL5 certified data center with data encrypted in transit and at rest. Duplicate content is removed, and emails are compressed to reduce storage space and improve search efficiency. Each email is indexed to ensure fast searches can be performed and emails can be retrieved instantly when they are required. With ArcTitan you can search more than 30 million emails a second, searches can be combined and saved, and multiple searches can be performed at the same time.
The archive can be accessed through virtually any mail client or via a web-based interface. End users can search their archive to find emails that have been deleted from their mailbox directly through their mail client, so they never need bother the IT support team. An advanced delegation mechanism compatible with LDAP and Active Directory allows administrators to create a permission hierarchy for key employees, while tamper-evident audit trails identify any unauthorized alterations to archived email.
Your existing archived data can be imported from MS Exchange, Google Apps, EML, MBOX, MSG or PST and exported to EML, MSG, PDF, TIFF or PST. If you ever need any help, our highly skilled engineers will be available to provide assistance.
If you feel you are paying too much for email archiving or are yet to set up an email archiving compliance solution, give the TitanHQ team a call. Our Sales Technicians will be happy to answer your questions and schedule a product demonstration so you can see for yourself how easy email archiving is with ArcTitan.