In many regulated industries, an email archiving policy is required to demonstrate the organization is complying with industry standards. Even when an organization does not operate within a regulated industry, it is still advisable to have policies for archiving emails so that data can be easily retrieved if required by a court under the Federal Rules of Civil Disclosure in 2006.
An email archiving policy should be the cornerstone of each organization´s email archiving strategy. No two policies for archiving emails are likely to be the same, so each should set out its purpose, the regulations that the policy is subject to, retention times per email type, and the process for deleting emails once their retention times have expired. There should also be sections relating to “litigation hold” and a list of personnel responsible for implementing and enforcing the email archiving policy.
This article provides examples of different types of policies for archiving emails, suggests some best practices to include in the execution of an email archiving policy, and offers advice about evaluating solutions in order to simplify enforcement of the policy and ensure compliance. If you have any questions related to the content of this article, we invite you to contact us and discuss your requirements with our experienced team of Sales Technicians.
Different Types of Policies for Archiving Emails
Typically there are two “informal” types of policies for archiving emails and one “formal” type of email archiving policy. The informal policies are either “save everything” or “user discretion”. Although compliance officers will likely weep at the informal policy types, each has its positives – for example, a “save everything” policy means there is no risk of a legal hold violation, and a “user discretion” policy has a high level of granular categorization.
However, both have their negatives inasmuch as a “save everything” policy will require continual expansion of storage space and have increased legal risks when email data is non-compliant, and a “user discretion” email archiving policy is open to human error and lacks control or oversight. For these reasons, many organizations implement a structured email archiving policy that journals all users and controls retention periods automatically.
Structured “formal” policies use archiving solutions to capture, index and store all inbound and outbound email. Once indexed, each email conforms to an automatically set retention time depending on its email type. Email management is simplified, data retrieval is accelerated, and the cost of email archiving is reduced. The only potential negative of a structured “formal” policy is that it requires co-operation between IT, legal, HR and finance to achieve common goals.
Email Archiving Policy Best Practices
There is little doubt a structured “formal” policy is the most appropriate of the three policies for archiving emails and, with a suitable archiving solution, the only best practices organizations need to be concerned with are the parameters to apply for the length of time emails should be retained. The best way to address this issue is to start with minimum legal requirements for each email type. For example:
- Emails that might be required for eDiscovery under the Federal Rules of Civil Disclosure should be retained as long as the state´s Statute of Limitations for that email type.
- Most state revenue departments require that financial records in email format should be retained for a minimum of three years.
- The IRS requires that you keep emails related to tax for three, four, six or seven years (sometimes indefinitely) depending on individual circumstances.
- The Payment Card Industry Data Security Standard stipulates that emails relating to card payments should be retained for the minimum of one year.
- The Health Insurance Portability and Accountability Act (HIPAA) states electronically-stored policy documents relating to the security of protected health information (PHI) should be retained for a minimum period of six years, but not emails containing PHI unless they relate to a child (up to age 21) or the death of a patient in care (up to two years after death).
In many circumstances, due to widely varying legal retention periods, it can be beneficial to index archived emails into different email types (or types of use) rather than by legal requirement. This will avoid maintaining an entire email database for the maximum legal retention period. Therefore HR correspondence might be retained for five years, emails related to revenue and expenses for four years, customer interactions three years, and everything else for one year.
If in doubt, most industry professionals recommend retaining emails for a maximum of seven years but, as it is always advisable to involve the legal department in the early stages of formulating an email archiving policy, any compliance grey areas should be left to the experts to resolve. Finally, avoid compiling policies that the archiving solution you implement cannot support – particularly when it comes to indexing archived emails into different email types of use.
Email Archiving Policies for GDPR Compliance
Exceptions to the above exist when a organizations collects, processes or stores the personal data of an EU citizen. Under the General Data Protection Regulations (GDPR), personal data extracted from emails can only be processed and retained for as long as there is a “lawful basis”. Once the lawful basis has expired, all personal data relating to the EU citizen must be deleted. EU citizens also have the right to request access to and erasure of their personal data, and email archiving policies have to be developed to address these situations.
Organizations are also required to review their email archiving policies for GDPR compliance to ensure they comply with the data minimization and storage limitation principles. The review will likely involve assessing what personal data of EU citizens is already held within an email database, archiving any data existing in a “live” database, and identifying a lawful basis for the continued processing and retention of the data. The review should be repeated periodically and policies and procedures adjusted as necessary
Evaluating Email Archiving Solutions
Email archiving solutions come in many different shapes and sizes, but there are certain features that a solution must have in order to comply with various rules and regulations. For example, the Federal Rules of Civil Disclosure stipulate that emails presented in eDiscovery must be accurate and immutable. This means that, in order to be compliant, an archiving solution must copy email data in real time (not periodically) and have mechanisms in place to prevent the alteration of archived data.
How email data is stored can also influence what constitutes a suitable email archiving solution. Email archiving solutions have different deployment options. They can be hardware-based, software-based, cloud-based or a hybrid of all three. Usually, cloud-based solutions are the most secure. Emails stored in data centers have less chance of being stolen, damaged or lost – as emails stored on a hardware solution might – and stronger defenses against online attacks than software installed on an organization´s server.
Cloud-based solutions also resolve potential storage space issues and their costs. As email data accumulates, organizations using hardware or software-based solutions may have to add additional devices, reassign servers or migrate data offsite. These extra costs do not apply to cloud-based solutions, as they are usually charged per user with no limit on the amount of storage space. Storing an organizations database of emails in one location also accelerates searches and email retrieval.
Achieve an Effective Email Archiving Strategy with ArcTitan Cloud
ArcTitan Cloud is a cloud-based archiving solution from SpamTitan that helps organizations manage their email archiving policy as simply as possible. A “set and forget” solution, ArcTitan Cloud complies with all major regulatory standards for email archiving, eDiscovery and disaster recovery by copying emails as they enter or leave a mail server, storing them in an IL5 certified data center, and protecting their integrity via tamper-evident access logs.
Using ArcTitan Cloud´s easy to navigate web portal, administrators can set retention periods per email type, set delegated access levels and monitor access via a comprehensive reporting suite. Our versatile cloud-based archiving solution is compatible with all operating systems, mail servers and email services, and scales up to 60,000 users without any loss of performance (Due to deduplicating data as it is indexed and stored, ArcTitan Cloud can search a database of thirty million emails in under a second).
Organizations with existing email archives can quickly and easily import email data from archiving and storage solutions such as MS Exchange, MSG, Google Apps, EML, and PST; and, as ArcTitan Cloud does not store emails in a proprietary format, data can be exported just as quickly and easily in a variety of formats via mandatory TLS protocols to ensure the integrity of email data both at rest and in transit.
Try a Free Trial of ArcTitan Cloud
If your organization is in the process of compiling an email archiving policy – or has attempted to implement policies for archiving emails in the past, but not found an appropriate solution to make the policies effective – we invite you to try a free trial of ArcTitan Cloud for thirty days. This should give most organizations the opportunity to evaluate the merits of our cloud-based archiving solution and compare them against any other solutions they may have evaluated.
There are no set up costs associated with our free trial offer of ArcTitan Cloud, no data conversion costs and no contracts to sign. To find out more about our offer, or to discuss your archiving requirements with one of our Sales Technicians, do not hesitate to get in touch. Depending on your current archiving arrangements, you could be trialing a fully-enabled version of ArcTitan Cloud and achieve an effective email archiving strategy within fifteen minutes.