Email archiving is a widely used business practice for managing vast quantities of email communications, yet companies sometimes implement archiving solutions without considering email archiving compliance. Failing to comply with email archiving requirements can cause problems when emails are later requested for eDiscovery or audit purposes.
One of the challenges of using any electronically stored information to support litigation is proving its authenticity – and this is particularly true of email. The content, metadata, and timestamps of emails are easy to change, and unless an organization can prove an email is genuine, there is a chance it will be ruled inadmissible and may even harm the organization's case.
The challenge of proving authenticity does not only apply to litigation. Emails presented in a regulatory inspection or audit can also be closely scrutinized if their authenticity is in doubt. Organizations therefore not only have to implement email archiving solutions that archive emails in real time; the archived emails also have to be stored securely so that they cannot be altered.
A further email archiving challenge is the number of data retention regulations companies may have to comply with. In addition to federal requirements such as the Federal Rules of Civil Procedure, documents supporting tax returns may have to be retained for up to seven years, while companies subject to Sarbanes-Oxley regulations have to keep some documents forever.
States also have data retention regulations, which can vary considerably depending on the state and the nature of the business a company engages in; some states even apply certain regulations to their citizens regardless of where the citizen is when the data is collected. For companies operating in multiple states, complying with data retention laws can be very complex.
Industry regulations can also affect email archiving compliance. Healthcare is a prime example: some standards of the Health Insurance Portability and Accountability Act (HIPAA) pre-empt federal and state laws, yet HIPAA does not set the minimum data retention period for medical records, which varies according to state regulations.
Any organization that collects, maintains, processes, or shares data relating to an EU data subject is required to comply with the General Data Protection Regulation (GDPR), a regulation that “enhances individuals' control and rights over their personal data and simplifies the regulatory environment for international business”. GDPR applies not only in the EU but to all organizations globally that handle such data.
In the context of email archiving compliance, GDPR does not stipulate minimum or maximum data retention periods: data should be retained only for as long as required to fulfil the purpose for which it was collected. However, the regulation gives individuals the right to know what data has been collected about them, to have errors corrected, and to request that their data be transferred to another processor or deleted.
Individuals' rights have to be honoured in a timely manner or organizations can be sanctioned with substantial fines. Consequently, when archiving data collected from EU data subjects, that data has to be indexed and tagged differently from the data of other data subjects so that access requests can be fulfilled within the allowed timeframe. Data controllers also need to know whether email data is being used in an investigation or civil action, since in that case the access request can be declined.
GDPR aside, one way around data retention requirements is to keep all data forever. However, this is not practical. The storage required just to keep every email, and the costs involved, would be colossal, and if the emails were kept on the mail server, its performance would ultimately suffer. For this reason, many companies use an email archiving solution.
Email archiving solutions copy each email as it passes through the mail server and store the content, metadata, and any attachments in a separate, read-only archive to prevent alteration. As the emails are copied, they are indexed and tagged so they can be searched for, reviewed, and retrieved whenever required, subject to the appropriate user authorization.
The process not only enables fast retrieval of email data when it is required for eDiscovery or audit purposes; it also allows accidentally deleted emails to be restored quickly, or entire email databases to be recovered after a disaster, thus supporting business continuity. The solutions can also be configured to delete emails automatically when the data retention requirement expires.
Although archiving emails can deliver multiple benefits to companies, email archiving solutions do not in themselves guarantee email archiving compliance. To guarantee compliance, a solution has to have measures in place to ensure security, permanence, and auditability: protecting data against loss, damage, or theft and guaranteeing authenticity and availability.
For this reason, email backups are no substitute for archiving. Although it is possible to back up email data securely, deletions and alterations can occur between the time data is received or sent and the time it is backed up. Furthermore, searching backups for data and delivering it within the allowed timeframe, particularly data required under GDPR, can be time-consuming and resource-intensive.
For these reasons, any solution implemented to support email archiving compliance should archive emails instantly and include secure methods of transferring data between the mail server and the archive, granular indexing and tagging, fast search, and event logs so that an audit trail exists for all activity involving archived emails.
ArcTitan goes above and beyond the requirements for email archiving compliance by deduplicating emails before indexing them and transferring the data securely to its cloud servers. Deduplication reduces storage costs, accelerates searches (because there is less data to search through), and reduces the number of search results.
Once received by our secure servers, archived emails are stored in a tamper-proof environment, where authorized users can search, review, and retrieve them as necessary. Thanks to deduplication, ArcTitan can search a database of thirty million emails within a second and return results to authorized users in minutes.
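As an added illustration (not ArcTitan's code, which the page does not show), the Python below sketches the archive properties described above: content-addressed, write-once storage that deduplicates byte-identical messages, header indexing, and a hash-chained event log, with verify() reporting whether any stored message or log entry has been altered. The sample message and the actor name are constructed.

```python
# Added example (not ArcTitan's code): a write-once, content-addressed email archive
# with deduplication, header indexing and a hash-chained audit log. MSG_A is constructed.
import hashlib
import json
import time
from email import message_from_bytes
from email.policy import default

MSG_A = (b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Q3 invoice\r\n"
         b"Date: Mon, 01 Jul 2024 10:00:00 +0000\r\n\r\nInvoice attached.\r\n")

def _h(record):
    # Canonical SHA-256 over a JSON-serialisable dict (stable key order).
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class EmailArchive:
    def __init__(self):
        self.blobs = {}      # content hash -> raw bytes; a stored blob is never overwritten
        self.index = {}      # content hash -> header fields used for search
        self.audit_log = []  # each entry commits to the hash of the previous one

    def _log(self, action, digest, actor):
        prev = self.audit_log[-1]["entry_hash"] if self.audit_log else "0" * 64
        entry = {"prev": prev, "action": action, "msg": digest, "actor": actor, "ts": time.time()}
        entry["entry_hash"] = _h(entry)
        self.audit_log.append(entry)

    def ingest(self, raw, actor="mta-journal"):
        """Archive one raw message; a byte-identical duplicate is logged but not stored twice."""
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self.blobs:
            self._log("dedup", digest, actor)
            return digest
        msg = message_from_bytes(raw, policy=default)
        self.blobs[digest] = raw
        self.index[digest] = {k: str(msg[k] or "") for k in ("from", "subject", "date")}
        self._log("archive", digest, actor)
        return digest

    def verify(self):
        """True only if every blob matches its content hash and the audit chain is intact."""
        if any(hashlib.sha256(r).hexdigest() != d for d, r in self.blobs.items()):
            return False
        prev = "0" * 64
        for e in self.audit_log:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev or _h(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True
```

A production archive would persist the blobs and log to write-once storage and anchor the chain head externally; the in-memory version here only shows the checks that make alteration detectable.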
ArcTitan supports multiple authentication methods for user access (e.g., SSO, LDAP, Active Directory), scans all emails for viruses when archiving them, and hashes user passwords for additional security. To find out more about compliant email archiving, contact ArcTitan.com to arrange a no-obligation demo of ArcTitan Cloud in action.