Having an email retention policy is important for a number of reasons – the major two being the need to save space on your email server and the need to stay in line with federal and industry record-keeping regulations.
Defining how long your company will keep email communication can prove more challenging than you initially thought. The first stumbling block is that different departments will advocate for different retention windows.
How long should your retention policy really be?
There are both positive and negative aspects of having a longer retention policy, the main pros being business continuity and the fact that executives rely on old email chains to recollect past decisions. The cons are reflected in the fact that the longer the policy, the bigger the risk that some sensitive information will be exposed through unauthorized access or a security breach.
When it comes to short retention policies, they might violate various regulations that require that organizations in certain industries retain email and other electronic information for a number of years. Their major advantage, however, is that they are cheaper to implement and that they reduce the chance of being caught up in a legal investigation that focuses on information captured in emails. That’s why your legal department will generally support shorter retention periods that reflect the regulatory minimum.
1. Analyze relevant regulations
The process of designing an email retention policy should begin by listing all relevant regulations and the retention requirements outlined in each law that applies to your organization. These recommended retention periods may vary significantly based on the industry you belong to and the geolocation of your business. Here’s a list of major US laws and prescribed retention periods:
|Industry||Regulation/Regulatory Body||Retention Period|
|All||Internal Revenue Service (IRS)||7 years|
|All (Government + Education)||Freedom of Information Act (FOIA)||3 years|
|All public companies||Sarbanes-Oxley (SOX)||7 years|
|Financial||Gramm-Leach-Bliley Act (GLBA)||7 years|
|Financial (Banking)||FDIC||5 years|
(Brokers, dealers, investment bankers, securities firms)
|FINRA, SEC 17a-4, SEC 17a-3||7 years|
|DOD contractors||DOD 5015.2||3 years|
|Credit card companies||PCI DSS||1 year|
If the retention period is not outlined for your industry or a particular type of data, it’s recommended to stick to the minimum IRS recommendation of 7 years.
It’s important to begin with these regulatory minimums and include both your IT and legal department into the creation of the policy. Legal will not only be able to provide counsel based on the above regulations, but also come up with ideas on how to segment your data for retention.
As we saw in the introduction, some C-level executives will expect to have access to their historical email for longer time periods, so you might need to specify multiple policies based on different criteria like email type, the sender, the recipient, the topic or the department.
For instance, your policy can be designed in such a way that spam messages are never retained, your general correspondence is retained for 5 years, administrative and HR for 7 years, and then CEO correspondence, invoices and sales records are kept for 10 years or forever.
It’s important to note that retaining unstructured data like social media, content from chat apps, text messages and calls is also regulated nowadays. Read more about these evolving regulations:
Finally, your policy needs to contain strict guidelines regarding document deletion. It’s best to automate this process, which leads us to our number two best practice.
2. Get an email archiving solution
By implementing proper email retention policies, you will track the outbound, inbound and internal communication to ensure compliance. Without a comprehensive, company-wide approach to email management, you won’t know if the policies are being adhered to, especially if you leave their implementation to the judgment of department managers or end users. The majority of breaches and leaks of sensitive information happen because of the human factor – all it takes is one rogue or careless employee.Without a comprehensive, company-wide approach to email management, you won’t know if the policies are being adhered to. Click To Tweet
To prevent that, automating the process is the answer. One of the main benefits of data archiving technology is precisely their ability to help you ensure email compliance.
Email archiving solutions allow you to define email retention policies based on various criteria (type of data, regulations, department preferences), retain the email for as long as necessary and then purge the information only after the retention period expires in order for the data not to become an unnecessary liability. For instance, if a policy is set to last for 7 years, the delete functionality will make sure that all emails are automatically deleted immediately after the retention period expires.
Your email archiving software will automatically retain emails which are matched to a certain policy and keep them for as long as you specified in the parameters. The only thing you need to do periodically after setting up a new policy or rule is to update it in order for it to reflect the new laws, regulations and best practices.
3. Use it to proactively monitor communications
Your email archiving software can also help your compliance and HR teams to track employee misbehavior or prevent the sharing of sensitive business information, which might cause legal issues.
Let’s say you want to track the use of foul language in your staff’s digital communication. On Jatheon’s cloud email archiving software (Jatheon Cloud), it can be done in the following way:
- You’ll first need to create a keyword list. There are many available lists of profanity/potentially problematic keywords that you can simply copy-paste into your software.
- Once you’ve created the keyword list, go on to create a retention policy or a rule. On Jatheon Cloud, this is done through retention tags, where you’ll be able to define the tag name (Profanity), the time when the emails can be deleted (here it’s set to indefinitely, which means that they will remain in the archive forever), and specify the date range.
- If you’re scanning for curse words in the entire email (subjects, message body, and attachments), you can choose the Message criterion under Retention Search Term, and then choose the keyword list you’ve created. Confirm by clicking the Save button.
- You’ll then be able to see the list of all retention tags you have created so far, including Profanity.
Your email archiving solution will then automatically retain emails that match the policy, scan all outgoing, incoming and internal messages for these keywords and notify admins or compliance officers in case a rule is broken.
Other practical examples of proactive monitoring through retention policies can be the scanning of electronic communication for credit card or social security numbers.
If you’re using Jatheon’s on-premise email archiving solution, read this article to learn how to set up a policy and what actions are available once improper communication is found.
Jatheon is a global leader in data archiving, compliance and ediscovery with 17 years of experience with on-premise archiving, cloud and virtual email archiving solutions. To learn how Jatheon can help you choose and implement the right archiving solution for your business, contact us or get a demo.