7

We’ve all become so accustomed to using email in our daily personal and working lives that we really don’t give a whole lot of thought to it. It’s the fastest way to communicate with others in the course of the day, and the emails we send and receive – in general – never see the light of day again once they’ve been read.

People have different opinions when it comes to the maintenance of their inbox. Some delete messages immediately, while others have never deleted a single thing. Somewhere between these two extremes lies the average user, who periodically takes inventory of their email and cleans out their folders. And data backups record everything.

Amidst the thousands of emails that circulate through a company, relevant information can be found. Reference material, contracts, personnel issues, and proprietary information mingle with meeting requests, off-topic messages, and company news, making for a sizeable amount of data. Sifting through this mass of messages to separate the wheat from the chaff, as it were, is the reason many businesses have an email retention policy in place.

What factors should I consider to decide how long the e-mail must be stored? Is there any way to measure the duration? I mean, we can't just set 3 years as the duration without having a statistical reason. So what do you think is the best duration, and WHY? Why 3 years, for example?

Lamya

1 Answer

6

First, check with your legal expert whether there are any laws in your country that require you to have a minimum retention period. For instance, depending on your industry, you might have to take into account any of these regulations:

  • Sarbanes-Oxley regulations: To comply with SOX guidelines, companies must retain auditable emails for a minimum of five years from the end of their last fiscal year.
  • FINRA rules demand that financial services firms establish formal, written policies and procedures that detail their email retention policies. After outlining these policies, a business must then demonstrate that all retention processes are in full compliance with FINRA guidelines. According to SEC 17a 3-4, you should retain email for three to six years (depending on the type of record), the first two years in a readily available location.
  • HIPAA regulations apply: The retention period for a medical record is a minimum of five years, though some related rules dictate that information should be retained for the life of the patient. (HIPAA isn't officially approved yet, I think.)

Also have a look at this paper published by Contoural on how to build a good email retention policy.

Lucas Kauffman
  • I think I should follow the international standards as you suggested. The paper is helpful, thank you. – Lamya Jul 25 '13 at 09:54
  • [HIPAA](http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act) was passed into law in 1996; granted it covers medical records, not email. HIPAA has strong restrictions on putting any protected health information (PHI) inside email. (Granted not all of HIPAA fully went into effect in 1996 and newer laws like [HITECH](http://en.wikipedia.org/wiki/Health_Information_Technology_for_Economic_and_Clinical_Health_Act) (2009) and to some extent [PPACA](http://en.wikipedia.org/wiki/Patient_Protection_and_Affordable_Care_Act) (2010) also are relevant.) – dr jimbob Jul 25 '13 at 14:10
  • Could you go into further detail of FINRA? It seems to imply that there are FINRA guidelines regarding e-mail retention policies, without actually giving any information of value as to what those guidelines *are*. – Iszi Jul 25 '13 at 19:23
  • @Iszi I added some more detail; FINRA is notorious for also enforcing rules. They actually fined ING 1.2 million USD. – Lucas Kauffman Jul 25 '13 at 20:16