Most business owners today are aware of certain responsibilities they have for email archiving under compliance legislation, but aren’t sure what the point of email compliance is or how to ensure it.
This blog post is a good starting point if you want to learn more about regulatory compliant email management. We’ll look at:
- what is meant by email compliance
- what can happen in cases of non-compliance
- essential email archiving compliance regulations across industries
- what happens when you don’t archive email
- frequently asked questions about email archiving
- 5 steps to email compliance
- an email compliance and data privacy checklist
What Is Compliance Legislation?
In business, compliance can mean several things ‒ conforming to rules and laws mandated by the government, state or industry, complying with international standards or sticking to your own internal policies.
In this article, we’re interested in compliance laws and regulations that control the retention of electronic records, particularly email.
Many US federal laws that deal with records retention now include electronically stored information (laws dealing with job application, workplace fairness, safety, regulations by the IRS, Freedom of Information Act, Gramm-Leach-Bliley Act, The Sarbanes-Oxley Act, The Federal Rules of Civil Procedure etc.).
Simply put, compliance legislation is a set of legal rules governing the protection and preservation of enterprise data.
All these compliance laws and rules require the retention of electronically stored information and communications data for a certain period of time (typically 7 years) while sticking to certain levels of data security.
This means that such data (including email communications) should be protected from unauthorized access and also stored for a certain amount of time before it can be disposed of, in case it is required for any kind of legal purpose.
Archiving Email for Compliance: Why It Matters
Every day, important business decisions and commitments are communicated by email and confidential financial documents are sent as email attachments.
Precisely because email constitutes a valid business record, companies are required by law to preserve email correspondence. It’s fair to say that preserving email is not a nicety, but a necessity – if you fail to properly capture, store, and archive all business emails, you’re failing to meet a set of stringent laws and regulations.
This entails not only damaged reputation but also hefty fines – the penalties can be severe if email compliance regulations are not closely followed.
One of the best known examples is the case of Morgan Stanley.
In 2006, the company was fined $15 million by the Securities and Exchange Commission when the SEC alleged that Morgan Stanley delayed handing over emails, destroyed others and wasn’t forthcoming about the nature of the communications.
And this brings us to the next question.
Who Is Responsible for Email Compliance?
Compliance with federal, state and industry regulations is an involved, complicated effort. Its complexity lies in the fact that it requires attention from a wide variety of employees, supervisors and executives.
In fact, everyone is responsible for email compliance:
- IT managers need to ensure there are policies and strategies in place that set specific procedures about how email should be handled;
- sysadmins need to ensure the proper archiving tools are implemented;
- compliance officers need to ensure all information is preserved for as long as possible in a prescribed manner;
- employees need to follow company procedures and use only the official enterprise communication channels.
There are numerous different rules that need addressing and a wide potential for variation from industry to industry, which makes it difficult to keep track of all obligations.
Sometimes, considerations like archiving digital communications may fall behind needs perceived as more immediate or wide-ranging, despite the sheer volume of messages and conversations that flow back and forth on a daily basis.
However, today, you can’t really afford to not have a good records retention policy. Simply put, the aftermath can be grueling and can be a huge blow to your business standing.
Remember the Consequence of Non-Compliance
Companies around the globe are coming under increasing pressure to ensure email compliance as more stories of corporate failure and fraud come to light.
The penalties for non-compliance with record retention regulations are typically severe. So severe they’re known to have put companies out of business.
Take GLBA, the law that regulates the collection and use of non-public personal information in the financial industry in the US. Penalties can range from $5,500 to $1.1 million. In Europe, the anticipated GDPR will have a two-tiered approach to penalties, with maximum fine amounting to €20 million or 4% of the company’s global annual turnover, whichever is higher.
From the likes of Enron to Shell and WorldCom to Nortel, companies haven’t been taking data protection and compliance very seriously and are now paying the price.
Particularly in the US and the UK, businesses can be overwhelmed by the many different compliance requirements that exist for data retention and archiving. Here are a few recent cases:
- A total of five Wall Street brokerages had to pay $8.25 million because they had discarded email related to customer transactions.
- Inappropriate emails sent by employees caused embarrassment for a top UK law firm. After the scandal, the media bombarded their head office for weeks.
- In the UK, the Inland Revenue office took action against around 200 employees in relation to misuse of email.
- In the UK, a bank was fined £2.3 million for failing to adhere to email compliance regulations.
Regulatory compliance remains the number one reason to implement an email archive. Businesses that put unstructured data archiving in the back seat are setting themselves up for failure. Recognizing the complete spectrum of compliance means placing the appropriate amount of attention and level of respect on unstructured communication data.
Email is often primary evidence in high-profile legal cases, especially sexual harassment and antitrust claims and discrimination actions that crop up in the news every day. It’s a headache for most employers, who are often held responsible for the email communications exchanged by employees.
Email as the Cause of Potential Compliance Issues
The Sarbanes-Oxley Act (SOX) affects all industries and imposes penalties on any organization which tampers with or alters email or other forms of electronic communication with the intention of fraud. The Act makes it clear that all businesses must keep their emails for at least 5 years and contains some ominous statements:
“Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies or makes a false entry in any record, document…shall be fined under this title, imprisoned for not more than 20 years, or both”. Additionally, any European companies with US listings are also required to keep the emails for 5 years.
Apart from regulations that affect all organizations in the public sector, there are compliance laws that are industry-specific.
For instance, the healthcare industry has its own set of rules that are covered under the Health Insurance Portability Accountability Act (HIPAA).
Likewise, the financial sector must adhere to SEC Rules 17a-3/a-4 and NASD Rules 3010/3110 which oblige broker/dealer organizations to maintain and store all emails pertaining to their trading activity for a minimum period of six years.
Email Compliance Laws and Regulatory Bodies
While there are many compliance regulations for email archiving, here’s a rundown of essential rules that govern corporate emails compliance across industries.
In case you want to take a deeper look at how K12 schools and higher education institutions, as well as government agencies are required to archive their records, check out our compliance checklists for education and government.
|Industry||Regulation/Regulatory Body||Retention Period|
|All||Internal Revenue Service (IRS)||7 years|
|All (Government + Education)||Freedom of Information Act (FOIA)||3 years|
|All public companies||Sarbanes-Oxley (SOX)||7 years|
|Financial||Gramm-Leach-Bliley Act (GLBA)||7 years|
|Financial (Banking)||FDIC||5 years|
(Brokers, dealers, investment bankers, securities firms)
|FINRA, SEC 17a-4, SEC 17a-3||7 years|
|DOD contractors||DOD 5015.2||3 years|
|Credit card companies||PCI DSS||1 year|
What Your Email Management Policy Should Look Like
While communications like emails, instant messages and SMS seem like informal and often inconsequential pieces of data, a wide variety of industries require businesses to retain them for a given period of time.
A lack of appropriate email archiving tools opens businesses up for regulatory issues, including fines and penalties that can significantly harm business effectiveness. A truly complete compliance strategy includes measures to save digital conversations and messages, ensuring this aspect of records retention is never overlooked.
While the drive towards email archiving is on the increase, a large number of companies still don’t have a functional and clearly defined email management policy.
In short, a good email policy should specify the following:
- During retention periods, organizations have to ensure that their data is available, searchable, secure and quickly recoverable.
- During legal proceedings, harassment cases and ediscovery requests, access to email archives is often required for evidence.
- The integrity of email is vital so that it can be used as evidence in court cases.
Not only must organizations retain this information, but also do so in a way that meets specific requirements about formatting, time spent in storage and other concerns.
Businesses must make sure all of these small details are addressed appropriately, or else a well-intentioned compliance effort can fail and lead to issues with regulators.
So, this points us to two things you need to ensure. The first one is to understand what a good retention policy includes and what it means in your industry, and more importantly how to implement it. Check for relevant regulations and learn about best practices.
The second one is to select the right archiving system. Company leaders must make sure a system can archive all of its unstructured data and do so in a way that adheres to rules laid out by relevant authorities.
Email Compliance Challenges and Technology Solutions
Implementing email laws and regulations may pose additional difficulties ‒ it may involve organizing training sessions for staff, hiring more employees or purchasing new equipment.
Regulations and the retention periods that you need to adhere to in order to stay compliant are often in partial opposition to data privacy laws, which creates additional confusion.
To use resources wisely and align their compliance initiatives, businesses typically use various compliance controls, including technological solutions.
Archiving solutions are on-premise, cloud based or virtual solutions that automatically capture, index and archive company data and make large volumes of archived information searchable and retrievable in seconds. Regulations often mandate that electronic data such as email and social media needs to be stored in a secure, tamper-proof format, and that’s what made information archiving a practice that quickly turned from best practice to necessity.
High-quality archiving solutions have advanced search and legal hold features that allow easy ediscovery and compliance with various laws and regulations in regulated industries and beyond. They ensure easy email policy management and allow storage in mandated WORM formats.
5 Easy Steps to Email Compliance
- Assess your regulatory requirements
Although we already talked about this obvious first step, you’d be surprised with how many organizations start implementing procedures before reviewing their email and social media compliance requirements first.
- Set email compliance procedures and educate employees
Once you have reviewed and understood your requirements, you need to address policy. Every member of staff from the top down should be aware of their individual responsibilities. The most common compliance problem isn’t the lack of procedure, but individual errors and confusion over requirements and responsibilities.
- Identify and purchase an information archiving solution
Explore your archiving options carefully and take time to compare various vendors, archiving plans and relevant features to consider. Don’t forget to assess your data backups and be disaster ready. Don’t assume your data is 100% secure in one location.
- Follow industry trends
Your email and other unstructured data won’t be secure if you only lock the door to the server room. Both the management and your IT team need to stay on top of your security software and make sure it’s kept up-to-date. This means following trends and reviewing industry changes.
For instance, the majority of US organizations in regulated industries archive email, but only 2-20% archive social media, which does not reflect compliance laws that have been amended to include alternative electronic channels (social media, mobile, video content…) into the definition of what constitutes a business record.
- Cooperate with your archiving services provider
Nobody knows more about archiving technology, features and processes than the company that archives your data. Take the time to discuss your current plan, explore upgrade options, identify gaps in your policies or highlight best practices. Remember that compliance is not an organizational issue only and that you’ll often need to revise your archiving strategy.
Email Archiving Is the Key to Compliance
Advanced solutions that automate much of the process reduce the obligation for employees and ensure a high level of compliance. When there’s no room for human error in email compliance efforts, they’re more likely to be successful.
Businesses must find secure, comprehensive and effective solutions to ensure they remain compliant with all aspects of relevant regulations in their industry.
If you’re not aware or unsure of the rules which govern your particular industry, you should get your legal team or external experts to explore the relevant legislation and set up email and social media archiving. Email archives are far superior to data backups because of storage capacity, search functions, ediscovery features and retention policy management.
Archiving Email Protects Customers and Companies
The data of most businesses contains not only sensitive information about the business itself but about their clients, partners and customers.
It is vital therefore that this customer data is kept private, which is one of the reasons that email compliance legislation exists. If an organization decides to take legal action against your business or vice versa, all records must be kept intact and unmodified in case they are required as evidence.
Even if you’re running a small business, it is vital that all data relating to accounts, transactions and customers is securely archived for later auditing if it is required. Failure to correctly archive sensitive data opens up businesses to legal scrutiny, reputational damage and fines. Compliance really affects the core of IT departments and IT infrastructure within an organization.
Compliance Archiving System
It can require some amount of work to develop an email compliance policy and this can take up valuable resources, especially if your IT department is small or a one-man show. The best way to start is to investigate secure data archiving options and ask the following questions:
- Will the archived content remain secure and unaltered for the appropriate time frame?
- How does this technology stay updated?
- How quickly can your organization retrieve data from the solution in the event that a legal request for data is received?
- Are there varying options of archiving solutions available to cater for small businesses and their growth?
Email Compliance Checklist
An email compliance checklist is a great way to ensure that business owners have everything in order so that they can avoid legal issues down the line. While compliance laws vary from country to country, the idea of data protection boils down to some general points.
The following list is a great starting point for any business owner wishing to get their data privacy compliance in order. Remember that these points do not in any way constitute a complete data protection policy — they are just guidelines which require significant follow-up work.
- Business owners should select an individual within the organization to take charge of email compliance and data protection issues. They can be appointed as the DPO or the officer responsible for compliance. This person should ensure that all areas of the business are compliant and that all data is being retained and backed up securely.
- If the country in which the business is based has an information commissioner or data compliance regulator, the organization should be registered with this body.
- How do different types of data come into the business? Compliance teams should identify the different areas where data is being collected. This could be done through a website portal, email system, social media, phone system or CCTV.
- Identify first-party and third-party data. Then evaluate what kinds of data need to be archived, for how long, and what can be deleted. In the case of email data, complete archiving is the usual answer.
- If you have a marketing department, it is vital that email lists and email data are secured in compliance with privacy and communications laws.
- All staff should be trained on what the correct procedures are if they come into contact with personal data, for example, sensitive email communications. Employees must know that they will generate legal trouble for the business in case of unauthorized private data disclosure.
- Identify the ways in which you will back up sensitive data to ensure compliance. As for email data, email archiving solutions that are compliant are the best way to satisfy the law.
- All data types should be archived in a way that supports ediscovery in a case of a data request during legal proceedings.
By now, you should have a better idea about how email archiving fits into compliance. In case you need to dig deeper into the specifics of your industry, check out the rest of our blog, as we cover most regulated industries for topics such as compliance, ediscovery, social media and email archiving.
In case you’re looking to improve your email management, here are some more resources to help you get started:
- How to Keep Up with Regulatory Compliance with Email Archiving [Infographic]
- Information Archiving – How to Approach a Long-Term Archiving Strategy
- 6 Tips for Better Email Management
- Why You Need a Fourth-Generation Email Archiving Solution
- How to Choose the Best Email Archiving Solution for Your Business: An Overview of Features to Consider [Whitepaper]
You can also visit our Regulatory Compliance page to learn how Jatheon’s email archiving solutions can help you stay in line with email compliance regulations in your industry.