Comprehensive Guide to Email Retention Policy [with template]

An email retention policy establishes the length of time that organizations must retain emails — based on sets of legal parameters that differ across industries — before those emails can be deleted.

Your corporate governance team should oversee your email retention policy and ensure that it complies with industry and government regulations. An email retention policy should cover all emails your organization sends and receives, contain guidelines on how long to retain emails and specify how they should be removed from your archiving solution.

One of the most important aspects of an email retention policy is that retention management should be automatic. Emails should be removed from the system in a consistent manner without any manual intervention, thereby eliminating the risk of human error and significantly decreasing your liability. Automation should also account for any pending cases before deleting any emails.

Below, you will find more detailed reasons why your organization needs an email retention policy. Then we will show you how to create and implement your own email retention policy, step by step.

Email retention policies reduce your risk of liability when it comes to regulatory compliance and legal discovery and can enhance knowledge management.

Regulatory Compliance

Most companies have to comply with federal or state regulations that require them to produce emails during an investigation or an audit. Additionally, organizations may be subject to industry-specific regulations, such as the Health Information Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and so on.

Failure to comply with these regulations could lead to financial loss and reputational damage. Since each regulation has different data retention requirements, defining email retention policies is essential.

The table below gives you an overview of industry-specific regulations and their recommended retention periods.

Even within some industries, the email retention periods are different depending upon the work performed or areas of expertise within these organizations. You should involve legal (including compliance), IT and management to find out what your obligation is to these regulations.

Note: Information provided above is not legal advice and is for educational and planning purposes only. Please consult with your legal counsel.

Legal Discovery

EDiscovery is a provision in federal and state statutes. Discovery is a legal process that allows attorneys on both sides to ask for information that is relevant to a case and that may lead to the discovery of other important facts and information. Parties to a lawsuit are required to provide this information in the discovery portion of a case.

As of October 1, 2007, amendments to Federal Rules of Civil Procedure 16, 26, 33, 34, 45 and revisions to Form 35 took effect. These amendments and revisions are all aimed at one particular area of discovery — electronically stored information, and email is a large piece of that.

Knowledge Management

Within an organization, users send and receive hundreds of emails per day. The information contained within these emails is not limited to general business correspondence, but also includes documents that will be needed for future projects.

It’s no surprise that much of an organization’s intellectual property resides in its email stores, which is why it’s important that these knowledge-based emails remain accessible to you even after employees are terminated or leave your organization.

Step 1: Determine How Long to Retain Emails

When determining how long to retain emails, consider both regulatory requirements and business needs.

We’ve already discussed different industry regulations and their minimum retention requirements, so let’s focus on business needs that affect email retention.

Pay close attention not only to the regulations that affect your industry, but also your customers’ and partners’ industries. You may have to implement an email regulation policy that differs by functional department or area of your business.

For example, most securities and brokerage firms have to retain their emails for seven years, but certain records such as member registration or corporate documents need to be kept for the life of the organization.

Individual departmental retention policies could look something like this:

You may also need to set retention periods based on the type of correspondence. For example:

You may need to create multiple email retention policies depending on your industry or the types of customers you serve.

Step 2: Create a Legal Hold Policy

Even with an operational email retention policy in place, there may be times when you need to prevent emails from being automatically deleted from your archiving system. Placing a legal hold ensures that those emails are available for courts during a discovery phase in legal proceedings.

Make sure that your email retention policy clearly defines legal hold procedure, including:

• Who can place a legal hold?
• Who will have access to legal hold emails?
• What will be the review process?
• Who can remove a legal hold?

Note: End users should not be able to see legal holds on their emails.

Step 3: Get Executive Approval

A policy is only beneficial to your organization if it is applied consistently. To have an effective email retention policy, you would need everyone’s buy in.

First and foremost, you would need to have everyone from your organization (finance, human resources, IT, legal, etc.) involved to identify their business needs. Once that is done, it is imperative that all members of the executive team sign-off on the document.

Step 4: Write the Policy

A formal written policy will save you time and money if your organization is under audit.

Written out, an email retention policy could look something like this:

Legal Hold Process:

Step 5: Get Legal Approval

Once you have an email retention policy draft ready, you need to involve your legal team. Legal will vet the document and make sure it complies with both company policy and all applicable regulations.

This is an iterative process. Once you receive the draft back from your legal team, make the necessary modifications and send an updated draft back to them again. You might have to repeat the process until all the items are resolved. By the end of this step your policy should:

• Comply with industry, federal and state regulations
• Define minimum retention periods
• Define departmental roles and responsibilities

Once you’ve finalized your email retention policy, the next step is to implement it. Below are key considerations when implementing an operational email retention policy.

• Automation

Automating the process of capturing, storing and, eventually, disposing of emails is the key to an efficient email retention procedure. An email archiving system can automatically retain all emails that users send and receive, as well as dispose of emails according to company policy.

• eDiscovery Capabilities

It’s important to retain emails so they’re accessible to any stakeholder when necessary. Whether it is an auditor, courts during the discovery phase or another employee looking for past information, being able to easily retrieve these emails will save you time and money.

• Litigation Hold

To secure buy-in from both legal and compliance departments, it is absolutely necessary to implement a legal hold procedure.

• Training

A truly operational email retention policy should require minimal human intervention because your archiving solution should automatically capture and dispose of emails according to company policy. With that said, it’s important to train your employees on how to use your email archiving solution so that they can access archived emails as needed.

If you use an email archiving solution to manage your email retention policy, be sure to restrict employees’ ability to create a local Personal Storage Table (PST) on their hard drives. Having emails in PST files which are older than your retention policy could amplify your risk. For example, a court would expect you to produce emails older than your retention policy if they exist anywhere other than your email archiving system.

Moreover, your email server backup system should not maintain emails longer than the retention policy set in your email archiving system.

Yes. An email retention policy is only effective when it’s applied across your entire organization,  in all departments and at every level. That’s why it’s crucial that all employees are aware of and understand the policy you’ve put in place.

As with any business policy, it’s important that your email retention policy is easy to understand and shared with everyone. Some helpful ways you can spread the word include clearly communicating the changes directly to existing staff members and making sure your employee handbook is updated to reflect the new policy.

Implementing an email retention policy isn’t a one-time occurrence. You’ll need to make sure that it’s updated according to changing regulations and that employees are made aware of these changes.

Additionally, it’s important to maintain compliance with the policy throughout your company. No matter the size of your organization, monitoring this can be at best a tedious task to do all on your own. That’s why it’s always a good idea to have an email archiving solution in place.

With an email archiving solution in place, you can easily set up rules to scan all outgoing and incoming emails for certain keywords. This enables your compliance team to get ahead of any emails that could potentially harm your company either internally, as a result of employee behavior, or externally, through the unauthorized release of sensitive or privileged information.

An email archiving solution is good for much more than monitoring communications. Here are a few more reasons why you should have one in place:

• Automation

An email archiving platform’s automations enable you to take a “set it and forget it” approach to email retention. All you have to do is create your policy according to the legal parameters you’re obligated to follow, apply it to the correct subset of emails and then let the software take care of retaining and removing those emails accordingly.

By allowing your email archiving software to automatically delete emails with expired policies, you also remove any potential for human error and the liability that comes with it.

• Thorough Searching Capabilities

Archiving solutions typically feature advanced search capabilities so you can instantly retrieve the exact communication you’re looking for from millions of archived emails. Having fuzzy and proximity searching capabilities based on keywords gives you more power to retrieve specific communications, whether they exist in the body of an email or within an attachment.

• Creating Legal Holds

Sometimes, you will need to put a legal hold on an individual email or set of emails. Intradyn’s Email Archiving Solution provides easy steps to place legal holds based on keywords, email addresses or domains, dates and other criteria.