Email Archiving Regulatory Compliance Summarised

Email archiving regulatory compliance in the United States requires businesses to retain copies of all email messages for many years, in case they are needed for an official investigation.

There are federal laws that apply to a wide range of organizations, data retention laws and regulations for specific industries, and a swathe of state-level message retention laws and regulations inside the United States. Ensuring compliance with all of the email retention laws is vital, and non-compliance can prove very costly: organizations that breach federal legislation face multi-million-dollar fines.

Many documents, including email, must be kept available by U.S. organizations for use in future court actions or eDiscovery requests. Not only are sizable fines issued; organizations could face criminal proceedings if particular information is permanently erased.

U.S. organizations have been required to retain documents for many years. Document retention requirements are incorporated in a number of legislative acts, such as the Civil Rights Act of 1964, Executive Order 11246 of 1965, the Freedom of Information Act of 1967, the Occupational Safety and Health Act of 1970, and the Reform and Control Act of 1986; however, close to ten years ago, information retention laws in the United States were updated to broaden the definition of documents to include 'electronic' communications such as email messages and email attachments.

To raise awareness of the various email retention laws within the United States, we have created a summary. Note that this is for information purposes only and does not constitute legal advice. For legal counsel on U.S. retention laws, we suggest you contact your legal counsel. Industry and federal digital data regulations, as well as U.S. email retention legislation, may be subject to amendment; up-to-date details should be sought from your legal team.

As the list below shows, there are many federal and industry-specific email retention laws in the United States. These laws apply to email messages sent and received, both internal and external.

| Email retention legislation | Who it is applicable to | How long emails must be kept |
|---|---|---|
| IRS Regulations | All companies | 7 years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 years |
| Sarbanes-Oxley Act (SOX) | All public companies | 7 years |
| Department of Defense (DOD) Regulations | DOD contractors | 3 years |
| Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 years |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | Minimum of 5 years, rising to 35 years |
| Gramm-Leach-Bliley Act | Banks and financial institutions | 7 years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare groups (healthcare providers, health insurers, healthcare clearinghouses and business associates of covered entities) | 7 years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 year |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents and securities companies | Minimum of 7 years, up to a lifetime |

Email retention legislation that applies at the level of each of the 50 U.S. states is beyond the scope of this article. There is also European Union legislation such as the GDPR to consider.

Storing emails for a few years will not require a great deal of storage for a small company with a handful of staff. However, the more employees an organization has, the greater the storage resources needed to retain emails. If any emails need to be retrieved, it is crucial that the stored email archive can be searched. With regular backups alone, this could take a considerable time.

For that reason, an email archive is essential. Email archives hold structured email data that can easily be examined and searched. If an eDiscovery order is issued, finding all of the relevant email correspondence is a quick and straightforward task. Because many email archives are cloud-based, they also do not require long-term on-premises storage. Emails are stored in the cloud, using the space provided by the service provider.

Is an email archiving service provider classed as a business associate under HIPAA?

Yes. An email archiving service provider is classed as a business associate under HIPAA if emails containing HIPAA-regulated data are sent to the archive. That means HIPAA-regulated entities will need to obtain a signed business associate agreement.

What must email archiving service providers do to comply with HIPAA?

Business associates of HIPAA-regulated entities are required to comply with the HIPAA Security Rule and must ensure appropriate technical, administrative, and physical safeguards are implemented to ensure the confidentiality, integrity, and availability of ePHI. They must protect against reasonably anticipated threats to ePHI and impermissible uses and disclosures and ensure compliance of the workforce.

Are all email archiving services HIPAA-compliant?

No. There are requirements for data protection: emails must be encrypted at rest and in transit, robust access controls are required, and emails must be protected against tampering. The service provider is also required to sign a business associate agreement.

Can I delete emails after the minimum retention period has been reached?

Once the minimum legal retention period has been reached, emails can be deleted from the archive unless a legal hold has been placed on any emails. If any emails contain regulated data, those emails must be securely deleted to prevent recovery or reconstitution of the data.
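As an added illustration of the deletion rule above (example code, not from the original article), the following Python policy check combines the minimum periods from the summary table with a legal hold flag and a regulated-data flag, and generalizes slightly: when a message falls under several regimes, the longest applicable minimum governs. The regime keys, the use of the table's lower bound where it gives a range, and the sample messages are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Minimum retention periods in years, taken from the summary table above.
# Where the table gives a range (FDA, SEC), the lower bound is used here;
# the short keys are constructed for this example.
RETENTION_YEARS = {
    "IRS": 7, "FOIA": 3, "SOX": 7, "DOD": 3, "FCC": 2, "FDIC": 5,
    "FDA": 5, "GLBA": 7, "HIPAA": 7, "PCI DSS": 1, "SEC": 7,
}


@dataclass
class ArchivedEmail:
    message_id: str
    received: date
    regimes: set                 # retention regimes the message falls under
    legal_hold: bool = False     # a legal hold overrides any deletion
    regulated_data: bool = False  # e.g. ePHI or cardholder data in the body


def add_years(d, years):
    """Add whole years to a date, clamping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:           # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_deadline(email):
    """Earliest date on which deletion may be considered: the longest
    minimum period among the applicable regimes governs."""
    years = max(RETENTION_YEARS[r] for r in email.regimes)
    return add_years(email.received, years)


def disposition(email, today):
    """Return 'hold', 'retain', 'delete' or 'secure-delete' for a message.
    Regulated data must be securely deleted so it cannot be recovered."""
    if email.legal_hold:
        return "hold"
    if today < retention_deadline(email):
        return "retain"
    return "secure-delete" if email.regulated_data else "delete"


if __name__ == "__main__":
    # Constructed sample: a message subject to both HIPAA and FOIA.
    sample = ArchivedEmail("m1", date(2015, 3, 1), {"HIPAA", "FOIA"},
                           regulated_data=True)
    print(retention_deadline(sample), disposition(sample, date(2022, 3, 1)))
```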

Do email archives need to be backed up?

You should ensure your email archive is backed up regularly to protect against data loss in the event of a cyberattack, hardware failure, or data corruption event. Cloud email archiving service providers often back up archives automatically for their customers.