Email retention laws in the United States require businesses to keep copies of emails for many years. There are federal laws that apply to all businesses and organizations, data retention laws for specific industries, and a swathe of email retention laws in the United States at the individual state level. Ensuring compliance with all the appropriate email retention laws in the United States is essential. Non-compliance can prove incredibly costly. Multi-million-dollar fines await any organization found to have breached federal, industry, or state regulations.
Email archiving is absolutely necessary as a result of these federal, state and industry email retention laws. Retention periods vary depending on the regulations that govern your industry sector. Email retention laws require all organizations to quickly execute a legal hold on archived email and provide data in the case of litigation.
U.S. organizations must retain all electronic documents, including email, in case the information is required by the courts. eDiscovery requests often require large volumes of data to be provided for use in lawsuits, and failure to provide the data can land an organization in serious trouble. Failure to present the requested email can result in hefty fines, sanctions and reputational damage.
For decades, U.S. organizations have been required to store documents. Document retention laws are included in numerous legislative acts such as the Civil Rights Act of 1964, the Executive Order 11246 of 1965, the Freedom of Information Act of 1967, the Occupational Safety and Health Act of 1970, and the Reform and Control Act of 1986, to name but a few; however, just over a decade ago, data retention laws in the United States were updated to expand the definition of documents to include electronic communications such as emails and email attachments.
To improve awareness of the many different email retention laws in the United States, a summary of the minimum email retention periods has been included below as a guide. Please bear in mind that this is for information purposes only and does not constitute legal advice. Industry and federal electronic data and email retention laws in the United States are also subject to change. Up-to-date information should be obtained from your legal team.
What are the Different Email Retention Laws in the United States?
As you can see from the list below, there are several federal and industry-specific laws applying to email retention in the United States. These email retention regulations apply to emails received and sent, and include internal as well as external emails and email attachments.
|Email retention law
|Who it applies to
|How long emails must be stored
|Freedom of Information Act (FOIA)
|Federal, state, and local agencies
|Sarbanes Oxley Act (SOX)
|All public companies
|Department of Defense (DOD) Regulations
|Federal Communications Commission (FCC) Regulations
|Federal Deposit Insurance Corporation (FDIC) Regulations
|Food and Drug Administration (FDA) Regulations
|Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products
|Minimum of 5 years rising to 35 years
|Banks and Financial Institutions
|Health Insurance Portability and Accountability Act (HIPAA)
|Healthcare organizations (Healthcare providers, health insurers, healthcare clearinghouses and business associates of covered entities)
|Payment Card Industry Data Security Standard (PCI DSS)
|Credit card companies and credit card processing organizations
|Securities and Exchange Commission (SEC) Regulations
|Investment banks, investment advisors, brokers, dealers, insurance agents & securities firms
|Minimum of 7 years up to a lifetime
Email retention laws in the United States that are applied by each of the 50 states are beyond the scope of this article. There are also European laws, such as the GDPR email requirements, that must be considered if you do business with EU residents.
What is the Best Way to Store Old Emails?
Storing emails for a few years is not likely to require masses of storage for a small business with a couple of members of staff. However, the more employees an organization has, the greater the need for extensive resources just to store emails. The average size of a business email may only be 10KB, but multiply that by 123 – the average number of emails sent and received each day by an average business user in 2016 (Radicati email statistics report 2015-2019), and by 365 days in each year, and by the number of years that those emails need to be stored, and the storage requirements become considerable.
If any emails ever need to be accessed, it is essential that any email archive or backup can be searched. In the case of standard backups, that is likely to be an incredibly time-consuming process. Backups are not designed to be searched. Finding the right backup alone can be almost impossible, let alone finding all emails sent to, or received from, a specific company or individual. Backups have their uses, but they are not suitable for businesses for email retention purposes.
For that, an email archive is required. Email archives contain structured email data that can easily be searched. If ever an eDiscovery order is received, finding all email correspondence is a quick and easy task. Since many email archives are cloud based, messages are deduplicated, and files are compressed, they also do not require huge storage resources. Emails are stored in the cloud, with the space provided by the service provider.
Increasing Dependence on Email
- Number of emails sent and received daily in 2020: 306.4 billion (Radicati)
- Amount of business-critical data residing in emails: 60 percent (IDC)
With the rise of remote working, the reliance on business email has grown. More than ever users are treating their inbox as an archive to find documents or information. Email is a centralized store of sensitive data. Consequently, companies use email as a form of information retention, referring back to old emails to find vital information.
ArcTitan: TitanHQ’s Cost Effective and Convenient Email Archiving Solution
ArcTitan is a cost-effective, fast and easy-to-manage email archiving solution provided by TitanHQ that meets the needs of all businesses and enables them to comply with all email retention laws in the United States.
ArcTitan incorporates a range of security protections to ensure stored data is kept 100% secure and confidential, with email data encrypted in transit and at rest in Replicated Persistent Storage, with the archive automatically backed up for you.
In contrast to many email archiving solutions, ArcTitan is fast. The solution can process 200 emails per second from your email server and archived emails can be retrieved instantly via a browser or Outlook (using a plugin) or other mail clients. Emails can be archived from any location, whether in the office or on the go via a laptop or tablet. Multiple searches of the archive can be performed simultaneously with up to 30 million emails searched per second. There are no limits on storage space or the number of users and the solution can be scaled up to meet the needs of businesses of all sizes.
Performing email archive searches without hurting network performance and keeping data integrity intact are priorities for most businesses. ArcTitan makes eDiscovery easy for attorneys while simultaneously protecting data.
Data Compliance Considerations When Archiving Email with Remote Working
Last year saw a huge increase in remote working, and the pandemic has significantly changed the technology and business landscape. As workers worldwide connect remotely, organizations must ensure that data compliance, security, and privacy are maintained. Cloud-based email archiving offers a cost-effective and efficient way to manage email data across a remote workforce.
A key benefit of cloud-based email archiving is the centralization of disparate email servers. With the ongoing move to remote working, this is even more important. Cloud-based email archiving offers a way to consolidate and manage the data held in business emails, while ensuring compliance across disparate working environments.
Main Features of ArcTitan
- Scalable email archiving that grows with your business
- Email data stored securely in the cloud on Replicated Persistent Storage on AWS S3
- Lightning fast searches – Search 30 million emails a second
- Rapid archiving at up to 200 emails a second
- Automatic backups of the archive
- Email archiving with no impact on network performance
- Ensure an exact, tamper-proof copy of all emails is retained
- Easy data retrieval for eDiscovery
- Protection for email from cyberattacks
- Eliminate PSTs and other security risks
- Facilitates policy-based access rights and role-based access
- Only pay for active users
- Slashes the time and cost of eDiscovery and other formal searches
- Migration tools to ensure the integrity of data during transfer
- Seamless integration with Outlook
- Supports single sign-on
- Save and combine searches
- Perform multiple searches simultaneously
- Limits IT department involvement in finding lost email – users can access their own archived email
- Compliant with regulations such as HIPAA, SOX, GDPR, Federal Rules of Civil Procedure, etc.
ArcTitan email archiving reduces storage space, eliminates mailbox quotas, and improves email server performance. Email archives allow users to clear their inboxes without deleting emails and create a tamper-proof repository for emails to meet compliance requirements and discovery requests.
Email Retention Laws in the United States FAQ
Is it difficult to change email archiving providers?
With ArcTitan you can import data in a wide range of formats, including from your legacy email archiving environment. Some email archiving providers use proprietary data formats, which can make changing provider difficult. ArcTitan uses no proprietary formats. You can export data in all common formats should you ever wish to move your archive.
How does the GDPR affect email archiving?
The GDPR permits email data to be retained if the data is processed for archiving purposes. E.U. citizens can submit requests to access their data or have their data deleted, which is why an email archive is important for compliance. It allows personal data to be quickly found if requests are received.
How long do I need to archive emails?
This is between 1 and 7 years, although some email data may need to be kept indefinitely. The Payment Card Industry Data Security Standard (PCI DSS) requires email data to be kept for 1 year, whereas HIPAA, SOX, and the Gramm-Leach-Bliley Act require certain types of email data to be retained for 7 years.
Will any email archiving solution ensure compliance?
No – to be compliant, an email archiving solution must archive emails in an unchanged form, store emails in a tamper-proof repository, encrypt emails in transit, encrypt email data at rest, and allow emails to be restored in their original form.
Do I need to continue paying for inactive mailboxes?
Some email archiving providers require you to continue paying for mailboxes and storage even if an employee leaves the company. With ArcTitan, you only pay for active users, even if you still need to store archived email data associated with inactive mailboxes.
What is the difference between an email archive and a backup?
An email archive is used for long-term email storage, and an email backup is used for short to medium-term storage for disaster recovery. Backups aren’t easily searchable, whereas email archives can be searched, and individual emails can be quickly found and restored.
Can I search inside archived email attachments?
With ArcTitan you can search emails across the entire organization, within departments/user groups, or individual mailboxes. You can also search inside all common email attachment types, including Microsoft Word, Excel and PowerPoint files, OpenOffice documents, as well as PDFs, RTFs, ZIP files, and many more.
How can I migrate my email archive to ArcTitan?
Migration of an existing archive to ArcTitan is a straightforward process and assistance will be provided. You can use a cutover migration (a straight transfer from an existing provider), perform a staged migration if you have a very large archive to minimize disruption, or use a hybrid migration if you want to have a physical and virtual server.