Most business owners today are aware of certain responsibilities they have for email archiving under compliance legislation, but aren’t sure what the point of compliance is or how to ensure it.
This blog post is a good starting point if you want to learn more about regulatory compliance email management. We’ll look at:
- what is meant by compliance in terms of email archiving
- essential email archiving compliance regulations across industries
- what happens when you don’t archive email
- often asked questions about email archiving
What is Compliance Legislation?
Simply put, compliance legislation is a set of legal rules governing the protection and preservation of enterprise data, including electronically stored information.
This means that data (like email data) should be protected from unauthorized access and also stored for a certain amount of time before it can be disposed of, in case it is required for any kind of legal purpose.
Archiving Email for Compliance: Why It Matters
Every day, important business decisions and commitments are communicated by email and confidential financial documents are sent as email attachments.
Precisely because email constitutes a valid business record, companies are required by law to preserve email correspondence. It’s fair to say that preserving email is not a nicety, but a necessity: if you fail to properly capture, store, and archive all business emails, you’re failing to meet a set of stringent laws and regulations. This entails not only damaged reputation but also hefty fines—the penalties can be severe if compliance regulations are not closely followed. One of the best-known examples is the case of Morgan Stanely.
In 2006, the company was fined 15 million dollars by the Securities and Exchange Commission when the SEC alleged that Morgan Stanley delayed handing over emails, destroyed others and wasn’t forthcoming about the nature of the communications. In 2005, a 1.57 billion dollar judgment was upheld for non-compliance, but was later overturned.
And this brings us to the next question.
Who is Responsible for Email Compliance?
Compliance with federal, state and industry regulations is an involved, complicated effort. Its complexity lies in the fact that it requires attention from a wide variety of employees, supervisors and executives.
In fact, everyone is responsible for email compliance:
- IT managers need to ensure there are policies and strategies in place that set specific procedures about how email should be handled;
- sysadmins need to ensure the proper archiving tools are implemented;
- compliance officers need to ensure all information is preserved for as long as possible in a prescribed manner;
- employees need to follow company procedures and use only official enterprise communication channels.
There are numerous different rules that need addressing and wide potential for variation from industry to industry, which makes it difficult to keep track of all obligations.
Sometimes, considerations like archiving digital communications may fall behind needs perceived as more immediate or wide-ranging, despite the sheer volume of messages and conversations that flow back and forth on a daily basis.
However, today, you can’t really afford to not have a good records retention policy. Simply put, the aftermath can be grueling and can be a huge blow to your business standing.
Archiving Non-Compliance: Is It Really That Bad?
Companies around the globe are coming under increasing pressure to ensure data compliance as more stories of corporate failure and fraud come to light.
From the likes of Enron to Shell and WorldCom to Nortel, companies haven’t been taking data protection and compliance very seriously and are now paying the price.
Particularly in the US and the UK, businesses can be overwhelmed by the many different compliance requirements that exist for data retention and archiving. Here are a few recent cases:
- A total of 5 Wall Street brokerages had to pay $8.25 million because they had discarded email related to customer transactions.
- Inappropriate emails sent by employees caused embarrassment for a top UK law firm. After the scandal, the media bombarded their head office for weeks.
- In the UK, the Inland Revenue office took action against around 200 employees in relation to misuse of email.
- In the UK, a bank was fined £2.3 million for failing to adhere to compliance regulations.
Regulatory compliance remains the number one reason to implement an email archive. Businesses that put unstructured data archiving in the back seat are setting themselves up for failure. Recognizing the complete spectrum of compliance means placing the appropriate amount of attention and level of respect on unstructured communication data.
Email is often primary evidence in high-profile legal cases, especially sexual harassment and antitrust claims and discrimination actions that crop up in the news every day. It’s a headache for most employers, who are often held responsible for the email communications exchanged by employees.
Email: The Cause of Potential Compliance Issues
The Sarbanes-Oxley Act (SOX) affects all industries and imposes penalties on any organization which tampers with or alters email or other forms of electronic communication with the intention of fraud.
The Act makes it clear that all businesses must keep their emails for at least 5 years and contains some ominous statements:
“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies or makes a false entry in any record, document…shall be fined under this title, imprisoned for not more than 20 years, or both”.
Additionally, any European companies with U.S. listings are also required to keep the emails for 5 years.
Apart from regulations that affect all organizations in the public sector, there are laws that are industry-specific.
For instance, the healthcare industry has its own set of rules that are covered under the Health Insurance Portability Accountability Act (HIPAA).
Likewise, the financial sector must adhere to SEC Rules 17a-3/a-4 and NASD Rules 3010/3110 which oblige broker/dealer organizations to maintain and store all emails pertaining to their trading activity for a minimum period of six years.
What Your Email Management Policy Should Look Like
While communications like emails, instant messages and SMS seem like informal and often inconsequential pieces of data, a wide variety of industries require businesses to retain them for a given period of time.
A lack of appropriate data archiving tools opens businesses up for regulatory issues, including fines and penalties that can significantly harm business effectiveness.
A truly complete compliance strategy includes measures to save digital conversations and messages, ensuring this aspect of records retention is never overlooked.
While the drive towards email archiving is on the increase, a large number of companies still don’t have a functional and clearly defined email management policy.
In short, a good email policy should specify the following:
- During retention periods, organizations have to ensure that their data is available, searchable, secure and quickly recoverable.
- During legal proceedings, harassment cases and eDiscovery requests, access to email archives is often required for evidence.
- The integrity of email is vital so that it can be used as evidence in court cases.
It’s also worth noting that a simple understanding of unstructured data archiving often isn’t enough to meet all compliance requirements.
Not only must organizations retain this information, but they also do so in a way that meets specific requirements about formatting, time spent in storage and other concerns.
Businesses must make sure all of these small details are addressed appropriately, or else a well-intentioned compliance effort can fail and lead to issues with regulators.
So, this points us to two things you need to ensure. The first one is to understand what a good retention policy includes and what it means in your industry, and more importantly how to implement it. Check for relevant regulations and learn about best practices.
The second one is to select the right archiving system. Company leaders must make sure a system can archive all of its unstructured data and do so in a way that adheres to rules laid out by relevant authorities.
Email Archiving is the Key to Compliance
Archiving doesn’t have to be an insurmountable task or a source of worry, however.
Advanced solutions that automate much of the process reduce the obligation for employees and ensure a high level of compliance. When there’s no room for human error in compliance efforts, they’re more likely to be successful.
Businesses must find secure, comprehensive and effective solutions to ensure they remain compliant with all aspects of relevant regulations in their industry.
If you’re not aware or unsure of the rules which govern your particular industry, you should get your legal team or external experts to explore the relevant legislation and set up email and social media archiving.
Email archives are far superior to data backups because of storage capacity, search functions, eDiscovery features and many other reasons.
Archiving Email Protects Customers and Companies
Remember that the data of most businesses contains not only sensitive information about the business itself but about clients and customers.
It is vital therefore that this customer data is kept private, which is one of the reasons that compliance legislation exists. If an organization decides to sue your business or vice versa, all records must be kept intact and unmodified in case they are required as evidence.
Even if you’re running a small business, it is vital that all data relating to accounts, transactions and customers is securely archived for later auditing if it is required. Failure to correctly archive sensitive data opens up businesses to legal action, reputational damage and fines. Compliance really affects the core of IT departments and IT infrastructure within an organization.
Compliance Archiving System
It can require some amount of work to develop a data compliance policy and this can take up valuable resources, especially if your IT department is small or a one-man show. The best way to start is to investigate secure data archiving options and ask the following questions:
Will the archived content remain secure and unaltered for the appropriate time frame?
How does this technology stay updated?
How quickly can your organization retrieve data from the solution in the event that a legal request for data is received?
Are there varying options of archiving solutions available to cater for small businesses and their growth?
Email Archiving Compliance Laws and Regulatory Bodies
While there are many compliance regulations for email archiving, here’s a rundown of essential rules that govern corporate emails compliance across industries.
In case you want to take a deeper look at how K12 schools and higher education institutions, as well as government agencies are required to archive their records, check out our compliance checklists on education and government.
IndustryRegulation/Regulatory BodyRetention Period
|All||Internal Revenue Service (IRS)||7 years|
|All (Government + Education)||Freedom of Information Act (FOIA)||3 years|
|All public companies||Sarbanes-Oxley (SOX)||7 years|
|Financial||Gramm-Leach-Bliley Act (GLBA)||7 years|
|Financial (Banking)||FDIC||5 years|
(Brokers, dealers, investment bankers, securities firms)
|FINRA, SEC 17a-4, SEC 17a-3||7 years|
|DOD contractors||DOD 5015.2||3 years|
|Credit card companies||PCI DSS||1 year|
By now, you should have a better idea about how email archiving fits into compliance. In case you need to dig deeper into the specifics of your industry, check out the rest of our blog, as we cover most regulated industries for topics such as compliance, eDiscovery, social media and email archiving.
In case you’re looking to improve your email management, here are some more texts to help you get started: