In order to address growing e-discovery, compliance and knowledge management requirements, organizations must retain a greater number of emails than ever before. Yet with such a large percentage of internal and external business communications performed via email, this is becoming an increasingly difficult task, one with which many struggle to keep pace. Additionally, as the volumes of messages requiring retention grow, so too, do the related storage, retrieval and administrative costs. To address these challenges and prepare for litigation and compliance reviews, enterprises need a standardized, policy-based email retention system that ensures all relevant messages are stored safely and in accordance with any pertinent industry laws and governing bodies.
Developing a well-planned, enterprise-wide email retention policy helps establish uniform and consistent rules for all email and electronic records. Such a policy outlines email content, sets retention and deletion criteria and provides the flexibility to accommodate litigation holds and enable role-based user access. Leveraging a robust information governance solution also helps simplify the management of this process. The ideal solution should automate retention policy enforcement and task documentation, while providing an archiving and retrieval engine that streamlines an organization’s ability to locate messages for audits, litigation and e-discovery in a timely and cost-effective manner.  By doing so, organizations can reduce e-discovery costs, improve regulatory compliance, enhance data access, reduce the risk of litigation and improve IT performance without increasing costs.
To make email management procedures a cost-effective business asset, enterprises need to develop, actively enforce and audit comprehensive retention guidelines. These rules should specify consistent, enterprise-wide data archive windows and define permissions for who can access, change or delete messages, attachments and other records. To this end, organizations should guide themselves through the process of developing, implementing, monitoring and auditing a comprehensive email retention policy using the following 10 steps.

1. Define an Email Retention Policy

In order to fully understand its retention obligations, an organization must first have a clear understanding of the types of content it transmits electronically. To provide this insight, the email retention policy should specify:

  • Document types that employees can send via email, as well as the specific files, such as sensitive business contracts, that must be transmitted using a different method.
  • Content guidelines defining what should or should not go into emails, including policies around what constitutes sexual harassment or other unacceptable language.
  • Enforcement measures and best practices that automatically scan for policy violations and designate an internal authority to periodically review content.

2. Eliminate the Variables Hindering Centralization Without formal archiving guidelines and an automated system to manage the process, employees often save old messages and attachments on local storage systems, such as a PC hard drive. This lack of standardization makes tracking and protecting archived messages problematic. For example, a judge can request messages saved on personal archives during litigation and e-discovery. But if an employee saves these on a hard drive, which then fails, the information is lost and the enterprise becomes vulnerable to legal and regulatory penalties around the spoliation of data.
Moreover, locating the necessary data on all local hard drives throughout a large organization is a difficult, time-consuming and expensive process that often fails to discover every message saved on a nonstandardized source. To avoid the possibility of missing a message, email retention policies should include specific, centralized archiving methods that prohibit employees from saving messages in personal folders. 3. Educate Employees about the Retention Policy

Even though a formal email retention policy may be defined and in place, many employees may remain unaware that such guidelines exist. To ensure that archiving rules are followed across the enterprise, all employees must be trained on the policy and able to demonstrate that they understand content and storage procedures, as well as any rules restricting the use of personal folders. Moreover, education should:

  • Detail the reasons why these rules are in place,
  • Offer instructions for using any supporting archiving technology and
  • Outline the consequences of noncompliance at both a business and personal level.

4. Incorporate Relevant Regulations into the Retention Policy It is critical that all email retention policies incorporate the requirements of the mandates governing the industry in which an organization operates. There are many common regulations to consider:

  • Sarbanes-Oxley regulations apply to public companies across all industries and impose severe penalties on any business that deliberately alters or deletes documents in order to defraud customers or other third parties. To comply with SOX guidelines, companies must retain auditable emails for a minimum of five years from the end of their last fiscal year.
  • FINRA rules demand that financial services firms establish formal, written policies and procedures that detail their email retention policies. After outlining these policies, a business must then demonstrate that all retention processes are in full compliance with FINRA guidelines.
  • HIPAA regulations apply to any email message or other electronic records that contain sensitive information about an individual’s medical history. The preservation period for a medical record is a minimum of five years, though some related statutes dictate that certain information be retained for the life of the patient. 

Although many regulations exist beyond the three listed above, all regulatory bodies — regardless of industry — make meeting the following requirements a key aspect of compliance:

  • Data permanence, where data must be in its original state without being altered or deleted.
  • Data security, where all retained information must be protected against security threats, including access by unauthorized persons and any outside forces that could physically damage or endanger the availability of archived messages.
  • Availability, where organizations must prove that all emails subject to the retention policy can be easily accessed by authorized personnel in a timely manner.

5. Identify Roles with Unique Retention Requirements Specific organizational roles have unique archiving requirements, which must be captured in the larger retention policy. For example, brokers at financial services firms are obligated to keep all of their electronic correspondence for up to six years. Likewise, in pharmaceutical companies, scientists or physicians who perform drug tests must keep test-related emails on hand for even longer, as these may contain highly sensitive information that can be requested as evidence in e-discovery. Finally, it is common practice in most enterprises to save the emails of CEOs indefinitely, even after their tenures have ended. 6. Balance Retention Guidelines and Related IT Costs

Though there are many specific legal and regulatory guidelines around email retention, no court or compliance authority demands the archiving of every email ever sent or received. As a result, organizations should implement a retention policy that reduces the storage burden by ensuring that the emails essential to meeting compliance and litigation guidelines are saved, while those that are not needed are deleted. By reducing storage through retention and deletion policies in line with legal and compliance mandates, IT can limit storage-related expenditures and streamline email administration tasks, which often comprise more than 40 percent of total IT support costs. In addition, this approach limits the amount of content requiring evaluation during the legal review phase of e-discovery, further reducing costs. 7. Provide Employees with Access to Archived Messages

As enterprises establish overarching policies for archiving and deleting email messages, they must also verify that all employees have access to the electronic assets they need to carry out their business responsibilities. To support productivity, policies should establish rules that enable certain messages to be saved for personal communication, while allowing all other messages to be managed by the default retention strategy. These rules should also allow users to search for all archived email in both production and offline storage systems, and in some cases, enable employees in similar roles to access messages owned by their co-workers. 8. Ensure that Retention Policies Can Accommodate Legal Holds

Email retention policies must be flexible enough to be suspended if a legal hold is necessary. For example, if an organization is anticipating legal action, it might choose to retain all emails in order to preserve the information that may be used as evidence during litigation. It is critical that policies accommodate legal holds, because courts can impose sanctions for the spoliation of any messaging content or electronic records that are relevant to a legal proceeding. 9. Validate that All Messages Are Archived

In order to comply with e-discovery and litigation mandates, businesses must confirm and demonstrate that all emails are captured and subject to the retention policy. To support this critical goal – and eliminate the possibility that information escapes retention – organizations should leverage an information governance solution with functionality that provides the live, real-time capture of every message that falls under the rules of the retention policy. 10. Use Technology to Enforce Retention Policies

To achieve the goals outlined in its email retention policy, an organization should implement a robust, automated information governance solution capable of enforcing policy guidelines across the business in an efficient, effective manner. Such a solution is the key to improving legal hold management, speeding retention processes and maintaining an archive that preserves necessary messages and purges nonessential emails as necessary. Information governance solutions should help simplify access to archived messages through rules to grant permission by business classification, protect messages as corporate assets and make them available to employees within similar roles. 
Given the heightened emphasis placed on the preservation and security of electronic assets, organizations across all industries are under increasing pressure to develop and implement a robust, comprehensive email retention policy that complies with various legal and regulatory bodies. Bolstering such a policy with an automated information governance solution enables enterprises to more efficiently and cost-effectively store and locate emails for e-discovery, litigation, compliance and knowledge management purposes. In doing so, they are able to optimize their message archival and deletion processes, while simultaneously improving system performance, strengthening data availability, reducing maintenance costs and minimizing the risk of legal penalties or sanctions.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access