Email Retention Policies: What You Need to Know

After the Los Angeles Unified School District (LAUSD) awarded a $500 million iPad contract, emails surfaced showing that the district's former superintendent had begun meeting personally with Apple and Pearson a year before the contract went out to public bid. The FBI is now sorting through old emails as evidence, and LAUSD recently announced that it will double the time emails are saved, to two years.

Companies that cannot produce electronic documents, including emails, during the process of legal discovery are generally disfavored in court. At times, the inability to produce such documents may even be seen as destruction of evidence. A good email retention policy can protect against this.

An email retention policy determines how long emails exist in your archiving solution before they are automatically deleted. Beyond a working retention policy, you should also consider using legal holds, which prevent particular mailboxes or messages from being automatically deleted from the archive, regardless of their age.

Why it's a big deal: In a nutshell, an email archiving policy reduces your liability risk. Your industry may even be regulated by federal or state laws that require you to keep emails for a specific period of time. Even within a single industry, the details of the laws and regulations can vary depending on the type of work being performed or the area of expertise, so it's important to take the time to really familiarize yourself with them. The chart below lists some of the regulated industries.

You can start to build a best practice retention policy with these few tips:

  1. Determine which regulations apply to your organization and treat their retention periods as minimums.
  2. Segment, so that you do not keep everything for the longest legal period. You can segment by content (for example, different policies for sales records, invoices, etc.) or by department or use (for example, human resources, executive email, marketing, etc.).
  3. Consider other department and business needs.
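To make the segmentation and legal-hold rules above concrete, here is an added example (not code from the original post or from any archiving product) of a small purge evaluator: every message gets the longest retention period any applicable segment rule demands, and a legal hold on a mailbox or a single message overrides deletion entirely. The departments, mailboxes, periods and dates are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

DAYS_PER_YEAR = 365  # simplification; a real archiver would use calendar dates

@dataclass(frozen=True)
class Message:
    msg_id: str
    mailbox: str
    department: str
    category: str  # e.g. "invoice" or "general"
    received: date

@dataclass
class RetentionPolicy:
    default_years: int  # baseline applied to unsegmented mail
    by_department: dict = field(default_factory=dict)
    by_category: dict = field(default_factory=dict)
    held_mailboxes: set = field(default_factory=set)  # legal holds
    held_messages: set = field(default_factory=set)

    def retention_years(self, m: Message) -> int:
        # Take the longest period any applicable rule requires, so a
        # segment rule can extend the baseline but never undercut it.
        return max(self.default_years, self.by_department.get(m.department, 0),
                   self.by_category.get(m.category, 0))

    def disposition(self, m: Message, today: date) -> str:
        # Legal holds are checked first: held mail is never auto-deleted.
        if m.mailbox in self.held_mailboxes or m.msg_id in self.held_messages:
            return "hold"
        expiry = m.received + timedelta(days=DAYS_PER_YEAR * self.retention_years(m))
        return "delete" if today >= expiry else "retain"

def run_purge(policy: RetentionPolicy, messages, today: date) -> dict:
    # Returns {msg_id: disposition}; only "delete" entries may be purged.
    return {m.msg_id: policy.disposition(m, today) for m in messages}

# Constructed sample: 2-year baseline, 7 years for finance mail and for
# invoices, one whole mailbox and one single message under legal hold.
SAMPLE_POLICY = RetentionPolicy(
    default_years=2, by_department={"finance": 7}, by_category={"invoice": 7},
    held_mailboxes={"exec-01"}, held_messages={"m5"})
SAMPLE_MESSAGES = [
    Message("m1", "sales-07", "sales", "general", date(2012, 6, 1)),
    Message("m2", "finance-02", "finance", "general", date(2012, 6, 1)),
    Message("m3", "sales-07", "sales", "invoice", date(2012, 6, 1)),
    Message("m4", "exec-01", "executive", "general", date(2010, 1, 1)),
    Message("m5", "sales-07", "sales", "general", date(2011, 1, 1)),
]
TODAY = date(2015, 1, 1)  # constructed "now" for the sample run
```

Running `run_purge(SAMPLE_POLICY, SAMPLE_MESSAGES, TODAY)` marks only the plain two-year-old sales message for deletion; the finance message and the invoice are kept by their segment rules, and the two held items stay untouched no matter how old they are.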

Regulation                  Industry                                                                  Retention Period
--------------------------  ------------------------------------------------------------------------  ----------------
FDIC                        Banking                                                                   5 years
FCC, Title 47, Part 2       Telecommunications                                                        2 years
FDA, Title 21, Part 11      Pharmaceuticals, Biological Products, Food Manufacturers                  5-35 years
HIPAA                       Healthcare                                                                7 years
SEC 17a(3) and 17a(4)       Securities Firms, Investment Bankers, Brokers and Dealers, Insurance Agents  7 years-lifetime
SEC 204-2                   Investment Advisors                                                       7 years-lifetime
Sarbanes-Oxley (SOX)        All public companies                                                      7 years
IRS                         All companies                                                             7 years
PCI DSS                     Credit card companies and payment processors                              1 year
FOIA (Federal and State)    All federal, state, and local government agencies                         3 years
Gramm-Leach-Bliley Act      Banking and Finance Firms                                                 7 years