Does the organization require an email retention policy?
The answer for most organizations will clearly be yes! Companies which fall under Sarbanes-Oxley, SEC 17a-3/4, NASD 3010 or HIPAA regulations will need to have an email retention policy. Organizations seeking to pass a SAS 70 audit will want to have a policy even if no law or regulation requires it. Companies involved in litigation may find themselves required by court order to retain emails if they do not already have a policy in place. And even if a particular business does not fall under any of these categories, it may still want to implement an email retention policy to protect against general legal risk or customer complaints, and also to take advantage of the operational benefits email retention offers.
What should an email retention policy include?
This can vary from industry to industry, and smaller companies may have different requirements from larger ones. If a company has a Documents Retention Specialist, they should consult him or her first to check what may be required and what policies are already in place regarding the retention of paper records. A company's corporate counsel is another resource, and should have specifics on any laws or contractual obligations that could affect an email retention policy. The important things to include are clear, easy-to-understand requirements that are well documented, explained to all users, and enforced consistently across the organization. A policy should also address when email should be deleted, and provide a way to ensure that this occurs when it should. Business stakeholders should also be consulted to ensure that the policy supports, rather than hinders, their business needs.
What about legal holds?
A legal hold is a process which an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated. The legal hold is initiated by a notice or communication from legal counsel to an organization that suspends the normal processing of records, such as backup tape recycling, archiving, and other management of documents and information.
It is likely that an organization will be involved in litigation at some point during its history. Legal holds can come into play and could supersede any email retention policy that addresses destruction of data. It is therefore important to ensure that the technical systems in use have a way to store all email for any or all users covered by any court order or discovery request, and that they can prevent users from inadvertently deleting emails.
When is it time to have an email retention policy?
The answer is now, especially in the following cases:
- The company is subject to Sarbanes-Oxley, SEC 17a-3/4, NASD 3010, HIPAA, or other regulations.
- Management wishes to be audited to SAS 70 standards.
- The company conducts any business through email with customers and is subject to PCI regulations.
- Management wants to pre-emptively establish a policy so that the company is prepared in the event of litigation.
- Email Administration is considering an email archiving solution.
- The company uses email to communicate management decisions, directives, policies, or disciplinary actions to employees.
- The company uses email to communicate financial information to investors, partners, agents, or others that may make decisions based on this information.
Are there any other benefits to having an email retention policy?
Email retention policy benefits in summary
- Compliance with legal and regulatory requirements is easier.
- Reduced infrastructure costs as a result of lower storage requirements.
- Improved email management efficiency and server performance.
- When your email retention policy is implemented using an email archiving solution, old messages can be more easily found and restored, there is less chance of data loss due to systems failures, and messages can be easily audited for policy compliance.
With a comprehensive email retention policy in place that has been developed with the cooperative efforts of senior management, technology, legal and other sectors within the organization, together with the technology that can enforce and enhance the policy, such as email archiving software like GFI Archiver, email administrators can be well positioned to handle legal and operational issues if they occur.