Email Archiving: Retention Policy Best Practices
Having an email retention policy is important for a number of reasons — the major two being the need to save space on your email server and the need to stay in line with federal and industry record-keeping regulations.
Defining how long your company will keep email communication can prove more difficult than you initially thought. The first stumbling block is that different departments will advocate for different retention windows.
How long should your retention policy really be?
There are both positive and negative aspects of having a longer retention policy, the main pros being business continuity and the fact that executives rely on old email chains to recollect past decisions. The cons are reflected in the fact that the longer the policy, the bigger the risk that some sensitive information will be exposed through unauthorized access or a security breach.
When it comes to short retention policies, they might violate various regulations that require that organizations in certain industries retain email and other electronic information for a number of years. Their major advantage, however, is that they are cheaper to implement and that they reduce the chance of being caught up in a legal investigation that focuses on information captured in emails. That’s why your legal department will generally support shorter retention periods that reflect the regulatory minimum.
Email retention policy best practices
1. Analyze relevant regulations
The process of designing an email retention policy should begin by listing all relevant regulations and the retention requirements outlined in each law. These recommended retention periods may vary significantly based on the industry your belong to and the geolocation of your business. Here’s a list of major US laws and prescribed retention periods:
If the retention period is not outlined for your industry or a particular type of data, it’s recommended to stick to the minimum IRS recommendation of 7 years.
It’s important to begin with these regulatory minimums and include both your IT and legal department into the creation of the policy. Legal will not only be able to provide counsel based on the above regulations, but also come up with ideas on how to segment your data for retention.
As we saw in the introduction, some C-level executives will expect to have access to their historical email for longer time periods. It’s possible to create multiple policies based on the email type/sender/topic/department.
For instance, your policy can be designed in such a way that spam messages are never retained, your general correspondence is retained for 5 years, administrative and HR for 7 years, and then invoices, sales records and CEO correspondence is kept for 10 years or forever.
It’s important to note that retaining unstructured data like social media, content from chat apps, text messages and calls is also regulated nowadays. Read more about the evolving regulations:
Creating a Text Messaging Policy: A Guide for Government Agencies 10 Quick Facts About Text Messaging and FOIA How to Avoid the Risks of Social Media for Business
Finally, your policy needs to contain strict guidelines regarding document deletion. It’s best to automate this process, which leads us to our number two best practice.
2. Get an email archiving solution
By implementing proper email retention policies, you will track the outbound, inbound and internal communication to ensure compliance. Without a comprehensive, company-wide approach to email management, you won’t know if the policies are being adhered to, especially if you leave their implementation to the judgment of department managers or end users. The majority of breaches and leaks of sensitive information happen because of the human factor — all it takes is one rogue or careless employee.
To prevent that, automating the process is the answer. One of the main benefits of data archiving technology is precisely their ability to help you ensure email compliance.
Email archiving solutions allow you to define email retention policies based on various criteria (type of data, regulations, department preferences), retain the email for as long as necessary and then purge the information only after the retention period expires in order for the data not to become an unnecessary liability. For instance, if a policy is set to last for 7 years, the delete functionality will make sure that all emails are automatically deleted immediately after the retention period expires.
Your archiving software will automatically retain emails which are matched to a certain policy and keep them for as long as you specified in the parameters. The only thing you need to do once you set up a new policy or rule is to update it in order for it to reflect the new laws, regulations and best practices.
3. Use it to proactively monitor communications
Your email archiving software can also help your compliance and HR teams to track employee misbehavior or prevent the sharing of sensitive business information, which might cause legal issues.
Let’s say you want to track the use of foul language in your staff’s digital communication. On Jatheon’s cloud archiving software (Jatheon Cloud), it can be done in the following way:
Your email archiving solution will then automatically retain emails that match the policy, scan all outgoing, incoming and internal messages for these keywords and notify admins or compliance officers in case a rule is broken.
Other practical examples of proactive monitoring through retention policies can be the scanning of electronic communication for credit card or social security numbers.
If you’re using Jatheon’s on-premise email archiving solution, read this article to learn how to set up a policy and what actions are available once improper communication is found.
Jatheon is a global leader in data archiving, compliance and ediscovery with 15 years of experience with on-premise archiving and a new, latest-generation cloud email archiving solution. To learn how Jatheon can help you choose and implement the right archiving solution for your business, contact us or .
Originally published at https://jatheon.com on December 10, 2019.
