What are Email Archiving Legal Requirements?

Email archiving legal requirements vary considerably, and exist at the federal and state level. How, and for how long, you should archive emails may also depend on the industry your business operates in, or on whom you do business with. We look at some of these variables and suggest a solution appropriate for most businesses.

In 2006 the laws relating to eDiscovery under the Federal Rules of Civil Disclosure were amended and it became an offence not to produce electronically stored information (ESI) within 30 days if required to do so by a court order. Although not necessarily an email archiving legal requirement, it does mean businesses have to retain searchable email data for as long as relevant Statutes of Limitations apply, or for as long as industry regulations demand. In some cases, searchable email databases have to exist indefinitely.

Storing any type of data long term can lead to issues. With regard to emails, mailbox quotas can get filled up – resulting in users being unable to receive emails – and mail servers can become inefficient due to the volume of data they have to manage. The increased resources used by mail servers can impact business networks, and – if it is necessary to produce a large quantity of ESI within 30 days – the likelihood is that an operating system may be unable to cope with the demand, which means the deadline could easily be missed.

Email archiving reduces the burden on the email server by copying email data and storing it elsewhere. Emails remaining on the mail server can be deleted to free up space and optimize the performance of the mail server and operating system. When users want to recover an email deleted from the mail server, they access it through the archive and export it as a file, print it, or restore it to their email account. The process is simple and compliant with the Federal Rules of Civil Disclosure.

Email Archiving Legal Requirements Stipulated by Law

Although archived email data should be stored for as long as it might be needed, there are some email archiving legal requirements stipulated by law. For example, the Securities Exchange Act stipulates that public companies in the regulated financial services industry have to retain emails relating to individual financial transactions for three years and client account records for six years. However, Sarbanes-Oxley stipulates that audit-related data contained within emails has to be retained for seven years.

The email archiving legal requirements in the healthcare industry are even more complicated. Although the Health Insurance Portability and Accountability Act (HIPAA) does not stipulate a general retention period for electronic Protected Health Information, there are email archiving legal requirements to maintain healthcare records relating to minors until they reach the age of twenty-one years, and email correspondence relating to the death of a patient in care for up to two years. Any documents relating to HIPAA compliance also need to be retained for 6 years.

Tax-related email archiving legal requirements can vary by state, although the IRS requires electronic data to be retained for periods of between three and seven years depending on which taxes the data relates to. Your business might also be required to comply with the Payment Card Industry Security Standard for data retention if it processes credit card payments, or your state's Freedom of Information Act – which, in some circumstances, requires data to be produced quickly when requested.

Email Archiving: Legal Requirements for GDPR

If your business collects, processes, or stores data from European citizens, it also has to comply with the EU's General Data Protection Regulation (GDPR). The email archiving legal requirements of the GDPR stipulate that, however email data is stored, it must be protected against unauthorized disclosure, unauthorized amendment, and loss. For businesses in the financial services or healthcare industries, this is similar to the requirements of Sarbanes-Oxley and HIPAA.

One difference between U.S. Freedom of Information Acts and the GDPR is that, when requested, businesses have to respond to requests for data access by EU citizens within thirty days. EU citizens have the right to know what data is maintained about them, have the opportunity to correct anything that is wrong, and request that the data be erased. Therefore, in order to comply with the email archiving legal requirements for GDPR, businesses should have a system in place capable of searching and retrieving data quickly.

Email Archiving for Disaster Recovery

A formal system for archiving emails not only helps businesses comply with email archiving legal requirements, but can also be of significant benefit for disaster recovery. Although businesses in regulated industries are generally required to have a disaster recovery plan, most businesses would be unable to cope if their email databases were wiped out by a natural disaster or cyberattack – or if the business was the victim of a ransomware attack.

One important feature that should be present in a system for archiving emails for disaster recovery purposes is that the system makes a copy of each inbound and outbound email as it passes through the mail server. Periodic backups and archiving could leave gaps in the disaster recovery process, while real-time archiving is necessary for the system to comply with the email archiving legal requirements of the Federal Rules for Civil Disclosure.

Cloud-Based Systems for Archiving Emails

Cloud-based systems for archiving emails are quickly becoming the system of choice for email archiving. Cloud-based systems eliminate the need for data to be stored on business networks, or backed-up onto hardware which then has to be stored either on-site or off-site. They also have the advantage of being more secure than on-premises solutions and have better defenses against unauthorized access and cyberattacks.

Searching and retrieving archived data is much simpler on a cloud-based system than having to find and restore data from hardware storage, plus users are able to recover their own misplaced or deleted emails from the system without having to rely on the IT team to help them. Finally, should an email database be wiped out by a natural disaster or cyberattack, it can quickly be restored with the click of a mouse. However, not all cloud-based systems for archiving emails are the same and features can vary considerably. Not all email archives will be compliant with all laws and regulations, so care must be taken when choosing a solution to ensure compliance.

ArcTitan’s Cloud-Based System for Archiving Emails

ArcTitan is a Software-as-a-Service cloud-based system for archiving emails that businesses can just set and forget. Compliant with all email archiving legal requirements stipulated by law, ArcTitan removes duplicated content from emails, and compresses and indexes data before archiving it in an IL5 certified data center – Replicated Persistent Storage on AWS S3. The archive is also automatically backed up to protect against data loss and the archive can be accessed even during an outage. Consequently, searches are accelerated, data retrieval is quicker, and both search results and data retrieval are free of duplicated content and secure.

ArcTitan processes and archives emails at a rate of 200 messages a second and searches can be performed at a rate of 30 million emails a second. All emails are encrypted in the archive and are encrypted in transit to and from the archive, with passwords hashed and encrypted.

ArcTitan has a dynamic storage capacity – expanding as required to accommodate businesses' requirements. Administrators can apply access controls and a permission hierarchy for authorized personnel via LDAP and Active Directory, and review tamper-evident audit trails in order to identify suspicious activity or attempts to access archived data without permission. Furthermore, ArcTitan is scalable up to 60,000 users with no limit on storage space. Customers only pay for the number of active users.

To find out more about ArcTitan, or to ask questions about email archiving legal requirements, do not hesitate to get in touch. Our team will be happy to answer any questions you have and will invite you to see a free demo of ArcTitan in order to evaluate our cloud-based system for archiving emails. Speak with us today and, depending on your current system for archiving emails, you could be up and running with ArcTitan within fifteen minutes.