Terminated Employee Email Policy: Handling Work Email After Employee Termination or Resignation
Employees come and go — that much is true for any company in any industry. During their time with your organization, those employees will have sent and received hundreds, if not thousands of work-related emails — emails that you’ll need to hold on to for compliance purposes well after an employee resigns or is terminated.
In this blog post, we’ll discuss what happens to an employee’s work email after termination or resignation, as well as offer advice on how to develop a terminated employee email policy.
What Is a Terminated Employee Email Policy?
A terminated employee email policy is a strategic framework for managing the email accounts of employees who are no longer with an organization. When an employee’s tenure ends, whether voluntarily or involuntarily, they often leave behind a wealth of information in their email account, including confidential data, client communications, internal communications and ongoing project details. Without a well-defined policy in place, you risk losing access to this critical information — or worse, having it exposed by a disgruntled former employee or in a data breach.
With that in mind, a terminated employee email policy aims to outline clear procedures for handling these email accounts post resignation, retirement or termination. This includes steps for securing and archiving emails, redirecting incoming messages and notifying relevant contacts of the employee’s departure. A comprehensive policy will also establish a timeline for these actions, ensuring they’re completed promptly to mitigate security risks.
Creating and enforcing a policy for handling work emails after termination demonstrates your organization’s commitment to safeguarding its intellectual property and maintaining professional relationships with both clients and partners. It also streamlines the offboarding process, providing a consistent approach for your human resources team to follow each time an employee leaves. Additionally, a well-crafted policy can provide peace of mind to remaining employees, reassuring them that the company takes data security and operational continuity seriously.
The Risk of Leaving Former Employees’ Accounts Active
It likely goes without saying that once an employee has left your company, you’ll want to disable their email account immediately after. Organizations run a real risk by leaving former employees’ accounts active, as employees who have resigned or been terminated could:
- Use their former company’s contact list to reach out to and steal clients
- Intentionally send out malicious information or spread information using a company email address
- Steal or share confidential company or client information
- Intentionally or accidentally delete important files and data
- Accidentally expose their former employer to the risk of an external data breach
Leaving former employees’ accounts active can also increase your operating expenses, as you’re continuing to pay for licenses and services you no longer need. These risks and expenses make it clear that an employer needs to disable an employee’s work email soon after termination or resignation.
Disable Accounts — But Don’t Delete Everything
When disabling or deactivating a former employee’s email account, it’s important not to jump straight to deleting their emails. After all, a terminated employee’s deleted emails could contain business-critical information that you might need to access at a later point in time.
Those emails might also hold information that’s necessary for eDiscovery or compliance purposes. For example, you might need to include a former employee’s emails in an eDiscovery request when investigating employee misconduct or preparing for litigation.
On the compliance side, certain laws and regulations require organizations to retain electronic communications and other records for a specified period of time and even reproduce these files upon request, as is the case with the Freedom of Information Act and the Family Educational Rights and Privacy Act.
Being too hasty about deleting an employee’s work emails after their termination or resignation can cause issues for your organization further down the road, so it’s in your best interest to find a centralized location to store those emails after you’ve disabled an employee’s account. An email archiving solution can provide long-term storage, and many archivers offer advanced security features such as encryption, multi-factor authentication and custom user permissions to help keep sensitive information safe.
Creating a Terminated Employee Email Policy: Legal Considerations
Developing a policy for managing former employees’ email accounts requires navigating complex legal and regulatory requirements. For example, under the General Data Protection Regulation (GDPR), organizations must ensure that they process the personal data of citizens of the European Union and European Economic Area lawfully, fairly and transparently; this includes the personal and private data of employees post-termination. Additionally, public companies across all sectors are subject to the Sarbanes-Oxley Act (SOX), which imposes obligations to maintain accurate financial records, including email communications.
Looking to industry-specific examples, we’ve already mentioned FOIA, which applies to federal agencies in the United States, and FERPA, which impacts any educational institution that receives funding from the U.S. Department of Education. In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) mandates strict confidentiality of personal health information, requiring secure handling of any data present in employee emails.
Failure to adhere to any of the laws or regulations listed above — and the countless others to which your organization may be subject — can lead to severe consequences. For example, failure to comply with GDPR’s privacy and data protection requirements can result in fines of up to 4% of an organization’s annual global turnover or €20 million, whichever is higher. HIPAA violations can result in penalties ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million. These staggering figures underscore the critical need for a comprehensive terminated employee email policy.
Devising such a policy requires direct involvement from your legal and compliance teams to ensure adherence to all applicable laws and regulations. Your policy should outline specific steps for securing and archiving emails upon an employee’s departure, including immediate actions such as changing passwords and disabling email accounts. It’s important to incorporate an email archiving solution into your strategy to automatically preserve all emails in an easily retrievable, tamper-proof format. A mobile device management (MDM) solution is also vital, as it enables you to remotely wipe corporate data from former employees’ devices, further securing sensitive information.
The 9 Elements Every Terminated Employee Email Policy Should Include
- Deactivation timeline: A clear deactivation timeline ensures that you promptly disable the former employee’s email account following their departure. This timeline should specify the exact period within which the account must be deactivated to prevent unauthorized access.
- Data retention policy: Your data retention policy should specify how long to retain emails after an employee’s retirement, resignation or termination. When developing your data retention policy, be sure to refer to applicable laws and regulations, as many have specific records retention requirements.
- Email forwarding instructions: Providing instructions on how to forward incoming emails is essential to business continuity. Your terminated employee email policy should outline the process for redirecting important communications, either to another employee or a designated supervisor, to prevent critical messages from being missed during the transition period.
- Autoresponder: You can use an autoresponder on a former employee’s email account to inform external contacts of that employee’s departure and provide alternative contact information. Setting up an autoresponder is critical to maintaining professional relationships and providing clients and partners consistent support.
- Access revocation procedures: Every terminated employee email policy should include clearly defined procedures for revoking an employee’s access to their email account and other related systems to prevent unauthorized access and protect your company’s digital assets from potential misuse.
- Archiving protocols: Your policy should outline steps for archiving and backing up former employees’ emails to ensure that all relevant communications are preserved in a secure, retrievable format for future reference.
- MDM protocols: Including MDM protocols is vital to securing company data on personal or company-issued mobile devices. Your MDM protocols should specify how to remotely wipe or secure email data on such devices.
- Notification procedure: Your policy should detail how and when to notify relevant internal and external parties of the employee’s departure, including team members, IT personnel, clients and partners.
- Roles and responsibilities: Be sure to clearly define the roles and responsibilities of your HR and IT departments in executing the email policy so that there’s full accountability through every stage of offboarding.
Important Steps For Managing a Terminated Employee’s Emails
Whether management has decided to sever ties with an employee, or an employee is leaving your company to pursue another opportunity, it’s important to follow the same basic process for disabling their email account to ensure that all your bases are covered:
- Conduct an exit interview. This will not only help you better understand the reason(s) why an employee is choosing to leave your company (assuming they resigned), but it will also enable you to see which of their projects were in progress and which deliverables were outstanding. Once you have this information, you can follow up on any emails related to those projects or deliverables to prevent any balls from being dropped.
- Change the password on the account. By restricting a former employee’s access to their mailbox, you can prevent them from obtaining confidential information, stealing clients or spreading misinformation using a company email address.
- Set an autoresponder. It’s common practice to leave a former employee’s work email active for a period of one to three months after their termination, if only to avoid missing any important communications. Setting up an autoresponder that explains the employee in question is no longer with your company, and tells the sender whom to contact instead, eliminates any potential confusion.
- Forward all incoming emails to an appropriate party. Most companies choose to forward these emails to the former employee’s manager or to their IT team. The designated party can then follow up on any incoming requests, or anything else that might require immediate action.
- Audit all account activities. Keep an eye out for any unusual activity, such as copying files in bulk, attempts to access unauthorized information, attempts to install unapproved software and so on. If you detect any abnormalities, be sure to take swift action to address the issue and mitigate risk.
- Archive all emails using a third-party platform. Archiving a former employee’s emails can help ensure regulatory compliance, make it easier to respond to eDiscovery requests and prevent you from accidentally deleting important company or customer data.
- Delete the mailbox. Once the predetermined active window comes to an end and you’ve done your due diligence to ensure that all business-critical information is securely stored, you’re ready to delete the former employee’s email account.
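The steps above can be checked mechanically against an export of departed users’ mailboxes. The following is an added example, not part of the original post; the Mailbox record, its field names and the 90-day window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumption: the policy uses the upper end of the one-to-three-month window.
ACTIVE_WINDOW = timedelta(days=90)
TODAY = date(2024, 6, 1)  # fixed audit date so the sample output is stable

@dataclass
class Mailbox:  # hypothetical record exported from the mail platform
    address: str
    departed: date
    password_changed: Optional[date] = None
    last_sign_in: Optional[date] = None
    autoresponder: bool = False
    forward_to: Optional[str] = None
    archived: Optional[date] = None
    deleted: Optional[date] = None

def audit(mb: Mailbox, today: date) -> List[str]:
    """Return the offboarding steps that were skipped or done out of order."""
    findings = []
    if mb.password_changed is None:
        findings.append("password-not-changed")
    # Any sign-in dated after the departure needs to be investigated.
    if mb.last_sign_in and mb.last_sign_in > mb.departed:
        findings.append("sign-in-after-departure")
    if mb.deleted is None:
        # Mailbox still live: senders must be informed and mail must reach someone.
        if not mb.autoresponder:
            findings.append("no-autoresponder")
        if not mb.forward_to:
            findings.append("no-forwarding")
        if today > mb.departed + ACTIVE_WINDOW:
            findings.append("past-active-window")
    elif mb.archived is None or mb.archived > mb.deleted:
        # Deletion is the final step; the archive copy must already exist.
        findings.append("deleted-before-archive")
    return findings

# Constructed sample records, not real accounts.
SAMPLE = [
    Mailbox("alice@example.com", date(2024, 1, 10), password_changed=date(2024, 1, 10),
            autoresponder=True, forward_to="manager@example.com",
            archived=date(2024, 3, 1), deleted=date(2024, 4, 5)),
    Mailbox("bob@example.com", date(2024, 1, 10), last_sign_in=date(2024, 2, 1)),
    Mailbox("carol@example.com", date(2024, 1, 10), password_changed=date(2024, 1, 10),
            deleted=date(2024, 2, 1)),
]

if __name__ == "__main__":
    for mb in SAMPLE:
        print(mb.address, audit(mb, TODAY) or "ok")
```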
Sample Autoresponder Following An Employee Departure
Maintaining clear communication with partners and clients is a must after an employee leaves your organization, no matter the reason why. Setting up an autoresponder for the disabled account helps inform contacts of the change and provides them with an alternative point of contact, delivering consistent support even after an employee has left.
Here are two free templates you can use for this purpose. The first is to notify clients and partners of an employee’s departure, and the second is to advise clients and partners of how ongoing projects will be handled following an employee’s departure.
Option One:
Subject Line: Regarding [Employee Name]
Dear [Recipient],
Thank you for your email. Please be advised that [Employee Name] is no longer with [Company Name].
For assistance, please contact [Alternative Employee Name] at [Alternative Contact Email] or [Alternative Contact Number].
For general inquiries, you may also reach us at [Company’s General Contact Information].
We appreciate your understanding and look forward to assisting you.
Best regards,
[Signature]
Option Two:
Subject Line: Important Update on Your Project with [Employee Name]
Dear [Recipient],
Thank you for your email. Please be advised that [Employee Name] is no longer with [Company Name]. We want to assure you that we will continue to manage any ongoing projects seamlessly.
For any questions or updates pertaining to [Project], please contact [Alternative Employee Name] at [Alternative Contact Email] or [Alternative Contact Number]. [Alternative Employee Name] has been fully briefed on the specifics of the project and will be your primary point of contact moving forward.
We appreciate your understanding and are committed to ensuring a smooth transition. We look forward to our continued work together.
Best regards,
[Signature]
Terminated Employee Email Policy FAQ
Q: Can an employer read an employee’s emails after they resign or are terminated?
A: Yes, in most cases, employers can access and read an employee’s emails after their departure, especially if those emails are hosted on company servers. However, specific legalities can vary depending on your location. It’s important for your company to have a clear policy so that employees are aware that their emails may be monitored or accessed post-termination.
Q: Can an employer access a former employee’s deleted emails?
A: Employers can typically access deleted emails if they have proper email archiving and backup systems in place; these systems store copies of all emails, including those that have been deleted.
Q: What should an employee do with their emails when they leave a company?
A: When an employee leaves a company, they must turn all important emails over to their supervisor or a designated colleague. Employees should refrain from deleting any emails or sensitive information before departure and should follow the company’s offboarding process and policies.
Q: Who is responsible for monitoring former employees’ email accounts?
A: The responsibility for monitoring former employees’ email accounts typically falls to the IT and HR departments. IT makes certain that the accounts are secure and properly archived, while HR manages the communication and administrative aspects of the process.
Q: How long do I need to store an employee’s emails following their resignation or termination?
A: There are different retention requirements regarding employee files and records, all of which vary based on the type of record. For example, the U.S. Equal Employment Opportunity Commission requires employers to retain all personnel or employment records for a period of one year, while the Fair Labor Standards Act requires employers to retain all payroll records and sales and purchase records for a period of at least three years.
What’s less clear is how long employers are expected to retain the emails of employees who have resigned or been terminated. The best way to determine how long to retain a former employee’s emails is to first check which laws or regulations you’re subject to.
Certain laws and regulations include specific language about email retention; those can serve as a helpful compass when developing your own terminated employee email policy. It may be the case that you need to retain certain emails longer than others, depending on their contents. Once you’ve defined your retention period(s), be sure to have your legal team review it to ensure that everything is above board and compliant.
Q: Can a former employee’s emails still be used for eDiscovery purposes?
A: Yes, a former employee’s emails can be used for eDiscovery. In fact, it’s quite a common practice, especially in public offices — take, for example, former Secretary Hillary Clinton’s highly publicized email saga. Keeping this in mind, it’s important to develop a terminated employee email policy to protect your organization against liability.
Q: Do regulations such as GDPR prevent employers from accessing an employee’s emails after that employee has left the company?
A: The answer to this question varies based on the specific regulation.
The General Data Protection Regulation (GDPR), in particular, enables citizens of the European Union and the greater European Economic Area to exert control over how their personal data is used; it also enables these citizens, known as “data subjects,” to rescind access to their personal data. This creates a bit of a gray area for employers, especially in situations where an employee has used their work email account for both business and personal reasons.
Some measures you can take to reduce your risk include:
- Documenting your employee privacy policy (with attention to email)
- Documenting your internal processes for disabling work email after termination
- Creating generic accounts (such as sales@yourcompany.com) to handle client requests and communications after their main point of contact has left your company
Q: How should former employees’ email accounts be reassigned or redistributed?
A: Former employees’ accounts should be reassigned or redistributed based on your company’s operational needs. This may involve:
- Forwarding emails to a supervisor or a designated team member who can oversee ongoing communications
- Migrating important emails to a shared company account or database
- Setting up shared mailboxes if multiple team members need to access the information
- Notifying all relevant contacts about the new point of contact for continued communication