Business Data Retention Laws: What You Need to Know

It is not only firms in the financial services, education, and healthcare industries that need to be aware of business data retention laws. All companies in the United States must comply with business data retention laws, even if a firm is not covered under HIPAA, Gramm Leach Bliley, Franks-Dobbs, or SOX. The same applied for companies with a European base. The EU also has business data retention laws.

It is a crime to violate business data retention laws

Did you know that the simple act of permanently deleting an email could get you in hot water? If you delete the contents of a backup tape, or reuse the wrong one, you may even be looking at a spell in jail. How long? Up to 20 years if you do it knowingly, with malicious intent. The deletion of data is a serious crime. If a business operating in the financial sector is audited, and cannot show auditors certain emails, the SEC (Security and Exchange Commission) is likely to issue a heavy fine.

The laws covering data are complex. Different regulations call for different data retention periods. Some states have implemented data retention laws with even stricter controls than federal regulations. Some companies providing services to organizations in different business sectors, may have to comply with different laws depending on the firm they are currently working with. As a precaution, many companies in the United States decide to keep data indefinitely. Getting something wrong is too easy, and the risk for doing so too high.

All data must be backed up and stored off site. The backups must be physically secured, and should be encrypted. They must also be tamper-proof. In the event of emergency, it must be possible to restore data in its entirety, and information may need to be retrieved if a lawsuit is filed or if an audit must take place.

Not sure which data retention laws apply? Listed below is a brief summary. Please bear in mind that data retention laws are updated from time to time. At the time of publishing, the information contained in this article is up to date.

HIPAA – The Health Insurance Portability and Accountability Act (1996)

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and covers healthcare providers, healthcare clearinghouses, health insurers and business associates of HIPAA-covered entities. The legislation was signed into law by Bill Clinton, and initially was intended to protect Americans and keep them covered with health insurance in the event of job loss.

Since its introduction, the legislation has been updated with stricter requirements concerning data privacy and security, and the safeguards that must be implemented to ensure that Protected Health Information (PHI) is secured at all times. Rules were introduced to protect the privacy of patients and dictate when, and to whom, data can be disclosed. HIPAA also stipulates the actions that must be taken if data is accidentally exposed. HIPAA requires medical data to be retained for a minimum of six years after the last data of treatment. However, some states require data to be kept for 7 years or longer. HIPAA is only a minimum standard. States are permitted to introduce even stricter business data retention laws.

SOX – Sarbanes-Oxley Act (2002)

The Sarbanes-Oxley Act of 2002 was introduced in the wake of the Enron scandal. Businesses must be able to verify the accuracy of their financial statements. It is all well and good for a company to report to investors and stakeholders that everything is financially in order, but they must be able to prove that is the case. In the case of Enron, the information provided was inaccurate. Deliberately inaccurate. SOX was introduced to protect investors from fraud.

Under SOX, all financial data must be retained for a minimum period of seven years, which extends to email, since email is often used to communicate account information. Email communications discussing business operations must also be retained for 7 years.

UK business data retention laws

In the UK, business data retention laws apply, although different time scales apply to different data types and formats. A UK business must keep records of accounts for 3 years, although businesses in the financial services must keep data for six years. Emails must be kept for a year, as must text messages. If you are an Internet Service Provider (ISP) you must keep logs of Internet connection data for a period of a year, and ISPs and web hosts must keep records of the websites their customers have visited for a period of four days.

European business data retention laws

In Germany, all business communication data must be retained for a period of six years, although data relating to accounts and payroll must be kept for a decade. Different laws apply throughout Europe and are beyond the scope of this post. If you want to find out more about the different business data retention laws in Europe, take a look at the guide produced by Iron Mountain on this link.

Convenient solutions for archiving old email data

Data backups should be performed on a daily basis, and those backup tapes stored securely off site for the period of time dictated by industry regulations. Email is best stored in an archive. Archives are searchable and convenient. If an email is accidentally deleted and needs to be recovered, an email archive will allow this. It is far easier restoring an email from an archive than restoring an entire email account from a backup tape.

ArcTitan is a convenient and cost-effective solution for archiving old emails. ArcTitan features a natural language browser that allows searches to be performed, and individual emails can be rapidly located and restored. If you want to ensure compliance with business data retention laws, and have the flexibility to be able to retrieve old email data for audits (and when users accidentally delete important emails), ArcTitan is the answer.