It is not only firms in the financial services, education, and healthcare industries that need to be aware of business data retention laws. All companies in the United States must comply with business data retention laws, even if a firm is not covered under HIPAA, Gramm-Leach-Bliley, Dodd-Frank, or SOX. The same applies to companies that do business with citizens of the European Union, as the EU also has business data retention laws.
It is a crime to violate business data retention laws
Did you know that the simple act of permanently deleting an email could get you in legal trouble? If you delete the contents of a backup tape, or reuse the wrong one, criminal charges may even be filed. Sentences of up to 20 years in jail are possible if data is deleted with malicious intent. Deleting data that must be retained is a serious crime. If a business operating in the financial sector is audited and cannot show auditors certain emails, the SEC (Securities and Exchange Commission) is likely to issue a heavy fine.
The laws covering data are complex. Different regulations call for different data retention periods. Some states have implemented data retention laws with even stricter controls than federal regulations. Some companies providing services to organizations in different business sectors may have to comply with different laws depending on the firm they are currently working with. As a precaution, many companies in the United States decide to keep data indefinitely. Getting something wrong is too easy, and the consequences far too serious to take any chances.
When backing up data, including emails, backups should be created and stored securely off-site. Backups need to be physically secured and should be encrypted to prevent unauthorized access. They must also be tamper-proof. In the event of an emergency, it must be possible to restore data in its entirety. Information will need to be retrieved in its original form for eDiscovery or to provide to auditors.
If you are unsure about the regulations that cover data retention and which laws you must comply with, a brief summary is listed below. Please bear in mind that data retention laws are updated from time to time. At the time of publication, the information contained in this article is up to date and correct.
HIPAA – The Health Insurance Portability and Accountability Act (1996)
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and covers healthcare providers, healthcare clearinghouses, health insurers and business associates of HIPAA-covered entities. The legislation was signed into law by Bill Clinton and was initially intended to help Americans retain insurance coverage while between jobs.
Since its introduction, the legislation has been updated with stricter requirements concerning data privacy and security, and it calls for safeguards to be implemented to ensure that Protected Health Information (PHI) is secured at all times. Rules were introduced to protect the privacy of patients and to dictate when, and to whom, data can be disclosed. HIPAA also stipulates the actions that must be taken if data is accidentally exposed. HIPAA requires medical data to be retained for a minimum of six years after the last date of treatment. However, some states require data to be kept for 6 years or longer. HIPAA is only a minimum standard; states are permitted to introduce even stricter business data retention laws.
SOX – Sarbanes-Oxley Act (2002)
The Sarbanes-Oxley Act of 2002 was introduced in the wake of the Enron scandal. Businesses must be able to verify the accuracy of their financial statements. It is all well and good for a company to report to investors and stakeholders that everything is financially in order, but they must be able to prove that is the case. In the case of Enron, the information provided was deliberately inaccurate. SOX was introduced to protect investors from fraud.
Under SOX, all financial data must be retained for a minimum period of seven years, which extends to email, since email is often used to communicate financial information. Email communications discussing business operations must also be retained for 7 years.
UK business data retention laws
In the UK, business data retention laws apply, although different time scales apply to different data types and formats. A UK business must keep records of accounts for 3 years, although businesses in the financial services must keep data for six years. Emails must be kept for a year, as must text messages. If you are an Internet Service Provider (ISP) you must keep logs of Internet connection data for a period of a year, and ISPs and web hosts must keep records of the websites their customers have visited for a period of four days.
European business data retention laws
In Germany, all business communication data must be retained for a period of six years, although data relating to accounts and payroll must be kept for a decade. Different laws apply throughout Europe and are beyond the scope of this post. If you want to find out more about the different business data retention laws in Europe, take a look at the guide produced by Iron Mountain on this link.
Email Retention Periods in the United States
| Data retention law | Who Must Comply? | How long data must be stored |
|---|---|---|
| IRS Regulations | All companies | 7 Years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 Years |
| Sarbanes-Oxley Act (SOX) | All public companies | 7 Years |
| Department of Defense (DOD) Regulations | DOD contractors | 3 Years |
| Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 Years |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 Years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | Minimum of 5 years rising to 35 years |
| Gramm-Leach-Bliley Act | Banks and Financial Institutions | 7 Years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare organizations (healthcare providers, health insurers, healthcare clearinghouses and business associates of covered entities) | 6 Years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card companies and credit card processing organizations | 1 Year |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents & securities firms | Minimum of 7 years up to a lifetime |
Convenient solutions for archiving old email data
Data backups should be performed on a daily basis, and those backup tapes should be stored securely off-site for the period of time dictated by industry regulations. Email is best stored in an archive. Archives are searchable and convenient. If an email is accidentally deleted and needs to be recovered, an email archive will allow this. It is far easier to restore an email from an archive than to restore an entire email account from a backup tape.
ArcTitan is a convenient and cost-effective solution for archiving emails to meet data retention requirements. ArcTitan features a natural language interface that allows searches to be performed, and individual emails can be rapidly located and restored. ArcTitan is lightning-fast: it can search 30 million emails a second, while emails are sent to the cloud-based archive at a rate of 200 messages a second.
ArcTitan indexes email headers, sender/receiver, subject, message body, and attachments separately, and indices are distributed across Apache Solr instances simultaneously. Raw email data is encrypted at rest and in transit to the archive and is stored on Replicated Persistent Storage. ArcTitan acts as a black box flight recorder for email. Come what may, you will never lose an email and will be able to recover emails quickly when you need them.
If you want to ensure compliance with business data retention laws, and have the flexibility to be able to retrieve old email data for audits (and when users accidentally delete important emails), ArcTitan is the answer.