Blog

Email is a huge part of running a business—and there is a lot of it. Failure to comply with e-discovery requests for emails as part of a litigation proceeding can mean financial and legal repercussions for your business. That’s what makes the creation and implementation of an effective email retention policy so important. Whether you run a small private company or work within a large government agency, these are the email retention best practices you need to keep in mind to be prepared for anything:

1. Determine Specific Regulatory Minimums

Every industry is governed by a different set of regulations when it comes to email retention and archiving. Before you craft your company’s personal email retention policies, you should always start by listing the industry standard regulations that your company is obligated to meet. This should include making a note of any relevant document retention requirements associated with each regulation. Here’s a general list of some of the most common archiving requirements. When in doubt, it’s safest to retain your email communications for at least 7 years.

• Internal Revenue Service (US IRS): seven (7) years
• Payment Card (PCI DSS): one (1) year
• California Franchise Tax Board (CA FTB): four (4) years
• DISA Security Technical Implementation Guides (STIG): one (1) year
• Many State Revenue Departments: three (3) years
• HIPAA Section 164: six (6) years

2. Specify classification buckets

Archiving every single email for the regulatory maximum can become impractical and expensive. To avoid this pitfall, create an email classification structure you and your employees can follow. Implementing this can be complex, as every employee will subjectively classify their communications. To keep the emails you drop into these buckets more consistent, keep your categories broad. You can create separate categories for Business, Personal, Invoices, and any other broad categories that will suit your particular business model.

Once you’ve classified your categories, set retention lengths for each category and email type. This will take the guesswork out of email retention for everyone on your team. Your retention timelines should be based on the government, state and industry regulations that apply to your business. These guidelines will tell you how long an email should remain in your system before being automatically deleted. If you don’t stick to these guidelines, you could face legal and financial repercussions.

In general, standard business correspondence should be retained for a 1 year minimum, or 5 to 10 years on the safest side. Certain legal, financial, and contract items will require between 5 and 10 years of retention. Exceptions requiring longer retention can be set with no expiration date and archived.

However there are exceptions to these rules. Policies for some medical professions require emails be retained for the life of the patient.

4. Create Automation Guidelines

If your company is sending out a large number of emails, it may be beneficial for you to use an automated retention technology. This can help rule out inconsistencies that may arise based on manual classification and retention alone. These technologies rely on rules that are used to classify, inspect and partition based on email type, folders and individual messages. Microsoft Office Exchange does this using email retention tags. While you shouldn’t rely solely on automation, you can rely on it for more simple tasks and request user input for more complex decisions.

5. Draft a Company-wide Email Retention Policy

To be completely prepared for any e-discovery or legal proceedings, you should draft an actual retention policy with the aid of your legal and IT teams. This policy should include the following points:

• The policy should make retention compliance mandatory for all employees who create, send and receive emails

• The policy should address data privacy issues -- enforcing that no employee using company resources should have an expectation of email privacy

• Acceptable and unacceptable uses of the email system

• Clearly state where all records will be managed and retained

• Train employees on which emails should be manually retained and which can be automated

• List any retention timeline exceptions

• Processes for dealing with auditing and violations

• Review the policy annually to keep up with changing industry regulations and technology

6. Know When to Archive

Archiving is an important part of email retention. Emails that have been retained for long periods of time, stretching beyond the memory of users, (such as legal, financial, and contract items) need to be indexed and easily searchable so that they can be located quickly in the event of an e-discovery or legal proceeding. This is where cloud archiving comes into play.

Lost mail needs to be able to be recovered rapidly. Nordic Backup backup works with all versions of Microsoft Exchange, and can not only backup Exchange Databases, but we can also backup and restore individual emails, attachments, and appointments all with zero downtime on the Exchange server so your business will be prepared for anything.

An email retention policy should be a part of your overall records retention program -- but it’s also just that; a part. To keep your company’s retention up to code, you need to focus your retention efforts on more than just email. The best solution for this isn’t always easily found. Relying on hard drives alone can come back to bite you in the end.

Keep your company’s data protected and readily available to you at all times by investing in a secure cloud backup solution. Explore our Small Business and Server Pro cloud backup plans to find the business solution that’s right for you.