Businesses and other organizations must store employees’ email communications for several reasons. Some of those reasons are practical, such as for marketing initiatives, strategic planning, or other business needs. Other reasons, however, stem from regulatory compliance: federal guidelines that require email to be stored for record-keeping, law enforcement, or privacy purposes. 

The first example of a records retention rule dates back to the 1950s, when physical documents (letters, memos, and other files) had to be preserved for a specific period of time. As email came along and replaced written documents, those same rules were extended into the electronic era. 

E-discovery is the legal process of searching electronic records for specific pieces of information. For example, two parties in civil litigation might perform e-discovery on each other's files; or a regulatory agency might perform e-discovery against a company as part of a pending enforcement action. 

E-discovery technology helps to keep the information in electronic records transparent and available for legal purposes. Email retention is the first step in that process: organizations save their electronic information for posterity, and if the need arises, e-discovery can find relevant pieces of information for the matter at hand. 

This is why it’s imperative to have an email archiving solution for your business, which should be in compliance with any records-retention obligations you have. 

How Long Should Emails Be Retained?

The answer to this question varies. Regulatory obligations impose certain retention periods for various types of records, email or otherwise. Tax returns, for example, should be retained for as long as seven years. Any data that’s part of a litigation dispute should be retained until the litigation is resolved. Those requirements are beyond a company’s control. 

When retaining email purely for the company’s own purposes, the answer is more of a cost-versus-benefit equation. Stored emails can help businesses compare information or data over time, to help make future decisions. These emails contain useful information to grow as a company. 

On the other hand, there are significant risks when holding data for too long. For example, if you suffer a privacy breach and personally identifiable information is exposed, you could be liable for damages to the affected persons—including those people whose information you didn’t need to keep, but you’d kept anyway. 

Why Have an Email Retention Period?

Records retention laws require archiving some documents for a specific period of time, and some also impose an expiration date after which emails must be deleted. Laws such as the Health Insurance Portability and Accountability Act (HIPAA) protect private health data. Industry standards such as the Payment Card Industry Data Security Standard (PCI DSS) govern the personal data exchanged in credit card transactions. 

Preserving emails can be necessary for litigation or compliance purposes, or for a business’s own analytics. The more information you preserve, however, the greater the chance for a security breach that exposes private information in those emails.  

Are Companies Required to Keep Emails?

All companies will need to abide by federal, state, and industry regulations when archiving emails. Saving emails isn’t necessarily a company policy but a legal requirement. These regulations will determine how long you need to keep emails until deletion. 

Reciprocity Frameworks and Retention Periods

Reciprocity’s ZenGRC software helps a company to organize its data, and adjusts its parameters as regulations and standards change. 

Our software uses templates that accommodate common frameworks necessary for businesses. Data can easily be transferred and stored according to these frameworks, and be customized to your business needs. 

ZenGRC supports frameworks for all of the major laws and regulations that include record retention requirements. For example, publicly traded companies must comply with the Sarbanes-Oxley Act. As part of SOX compliance, companies are obligated to retain financial and audit data for seven years. 

Any healthcare data must abide by HIPAA, which protects the security of medical and patient documentation. HIPAA has a data retention period of at least six years. 

The California Consumer Privacy Act (CCPA) is a state data privacy law that protects California residents and monitors how businesses handle personal data. The CCPA retention period is 24 months.

The European Union’s General Data Protection Regulation (GDPR) and the Gramm-Leach-Bliley Act (for the banking industry) also have privacy restrictions and records retention requirements.

These are only a few of the frameworks supported by Reciprocity ZenGRC software. You can customize your retention periods based on your company's specific needs and schedule, aligned with the regulations that apply to you. 

What is Microsoft 365 Mailbox Retention Policy?

The concept of a mailbox retention policy was developed under Microsoft 365. This policy lets you configure emails to be deleted automatically after a specific expiration date. All you need to do is apply a "retention tag" that triggers the delete action once a message reaches a certain age.

The automation of this mailbox retention policy simplified the process. Managing copious emails can be challenging, time-consuming, and costly for a business. Automation can be an excellent investment to manage email retention.
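As an added illustration of the retention-tag mechanism described above (not code from the original article or from Reciprocity), the following Exchange Online PowerShell session creates a tag that deletes mail seven years after it is received, links it into a retention policy, assigns the policy to a mailbox, and then verifies the assignment. The tag and policy names, the mailbox address, and the seven-year period are assumptions chosen for this example; substitute the period your own regulatory analysis calls for.

```powershell
# Requires the ExchangeOnlineManagement module and an account with the
# Exchange Administrator role. Assumed values: tag/policy names, mailbox,
# and the 2555-day (seven-year) age limit.
Connect-ExchangeOnline

# 1. A default tag (-Type All) applies to every folder that has no more
#    specific tag. AgeLimitForRetention is measured in days from delivery.
#    DeleteAndAllowRecovery moves expired mail to Recoverable Items rather
#    than destroying it outright, which keeps it reachable for e-discovery
#    during the recoverable-items window.
New-RetentionPolicyTag -Name "Delete after 7 years" `
    -Type All `
    -AgeLimitForRetention 2555 `
    -RetentionAction DeleteAndAllowRecovery `
    -Comment "Assumed example: seven-year default retention"

# 2. Bundle the tag into a policy. A policy can link several tags
#    (e.g. a separate shorter tag for Deleted Items).
New-RetentionPolicy -Name "Seven Year Retention Policy" `
    -RetentionPolicyTagLinks "Delete after 7 years"

# 3. Assign the policy to a mailbox (assumed address).
Set-Mailbox -Identity "user@example.com" `
    -RetentionPolicy "Seven Year Retention Policy"

# 4. Verification: confirm the policy took effect and check whether a
#    litigation or retention hold is set. A hold overrides the tag's delete
#    action, which is what you want while a matter is pending.
Get-Mailbox -Identity "user@example.com" |
    Select-Object DisplayName, RetentionPolicy,
                  RetentionHoldEnabled, LitigationHoldEnabled

# 5. Optional: ask the Managed Folder Assistant to process the mailbox now
#    instead of waiting for its scheduled run.
Start-ManagedFolderAssistant -Identity "user@example.com"
```

Two practical checks worth building into the rollout: run the `Get-Mailbox` query across all mailboxes periodically so unassigned mailboxes are caught, and before enabling any delete tag confirm that mailboxes subject to an active legal matter carry a litigation hold, since the hold is what prevents the automated deletion from destroying data you are obligated to preserve.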

What are the Email Retention Policy Laws in the U.S.?

Almost all businesses in the United States are required to abide by email retention regulations. Those rules, however, differ depending on the business's industry regulations and the laws of the states in which it operates. 

Depending on the industry, a business can expect to archive its emails for three to seven years. It’s best to work with legal counsel to understand what guidelines apply to your business.

What are the Best Practices for Email Retention in Any Industry?

You first need to identify federal, state, and industry regulations for your business; and then develop email retention policies and procedures to meet those regulatory requirements. Using automation for email retention is the best way to prevent violations. 

Simply put: using ZenGRC reduces your risk of litigation. Email retention requirements can change at any time. It's better to rely on automation so you can focus on other business needs without having to track email retention parameters yourself. 

Set up a demo today!