Email archiving legal requirements generally stipulate the minimum amount of time that electronically stored information (ESI) should be retained and the manner in which it should be retained to safeguard the integrity of email data. The requirements can often vary due to a number of factors such as the industry an organization operates within, federal and state laws, and whether the organization uses a closed system of email communication or an open one.
This article dissects several high profile Acts to illustrate how difficult it can be for organizations to comply with the legal requirements for email archiving. It also suggests a solution that meets the archiving requirements of these Acts. However, please note the information in this article should not be interpreted as legal advice. Organizations should consult legal counsel to ensure compliance with the email archiving legal requirements specific to their individual situation.
The Main Reason for Archiving Emails
In 2006, an amendment to the Federal Rules of Civil Disclosure (Title V, Rule 26) made it an offence not to be able to produce ESI within thirty days if requested to do so by a court order. Although not strictly a requirement for organizations to archive emails, it does mean that organizations have to retain email data for as long as their state´s Statute of Limitations applies, or as long as industry regulations stipulate. In some circumstances, this could mean indefinitely.
Maintaining email data on a mail server for long periods of time is not practical. Mailbox quotas are filled – meaning that users can no longer receive emails – and the performance of the mail server is affected because of the volume of data it has to manage. The volume of resources used by the mail server affects the rest of the organization´s network, and having to produce a substantial amount of ESI within a thirty day limit under these circumstances would be impossible.
Email archiving reduces the burden on the email server by copying the email data and storing it elsewhere. Emails remaining on the mail server can be deleted to free up space and optimize the performance of the mail server and network. When users want to recover an email deleted from the mail server, they access it through the archive and can export it as a file, print it, or restore it to the mail server. The process is simple and compliant with the Federal Rules of Civil Disclosure.
Email Archiving: Legal Requirements for GDPR
If an organization collects, processes, shares or stores personal data relating to an EU citizen, it is subject to the General Data Protection Regulation (GDPR), even if the organization is physically located outside the EU. This regulation stipulates EU citizens have the right to access their personal data and correct anything that is amiss, or demand their personal data is not used for certain purposes or have the data erased altogether. They also have the right to be told what their personal data is being used for and with whom it is being shared.
With regard to the email archiving legal requirements for GDPR, organizations must protect the personal data of EU citizens against accidental or purposeful disclosure, loss or unauthorized alteration. This stipulation is similar to the data security measures required by HIPAA, Sarbanes-Oxley and the Federal Rules of Civil Procedure, and therefore the data security measures organizations put in place to ensure the integrity of email data must conform to the same high standards.
One further legal requirement of GDPR related to data stored in emails is that citizens’ requests to access and correct personal data must be complied with within thirty days. An email archiving solution enables organizations to retrieve data stored in emails far quicker than data stored in email backups, provided the emails are indexed as they pass through the mail server. It is also important that a copy of each email is made as it passes through the mail server so there can be no dispute that the retrieved email is not a true record and is being supplied in its original state.
How Long Should Archived Email Data be Stored?
Archived email data should be stored for as long as it might be needed. It was mentioned above that could be indefinitely, but in most cases the email archiving legal requirements for regulated industries stipulate a retention period of seven years (although many industry professionals recommend retaining archived email data for ten years). Retention periods for organizations in non-regulated industries will vary according to the nature of the organization´s business and applicable Statutes of Limitation.
Email archiving legal requirements can also differ within an industry according to the nature of the data. For example, public companies in the regulated financial services industry have to retain audit-related data after the conclusion of an audit review for seven years (Sarbanes-Oxley §802), but archived emails containing details of client account records only have to be retained for six years, and emails relating to individual transactions only have to be retained for three years (Exchange Act §17a-4).
The situation is even more confusing in the healthcare industry. The Health Insurance Portability and Accountability Act fails to stipulate any retention period for electronically stored Protected Health Information (ePHI) unless it relates to a child (up to age 21) or the death of a patient (up to two years after death). It does however state that electronically-stored policy documents relating to the security of ePHI should be retained for a minimum period of six years.
As mentioned above, organizations in any industry should consult legal counsel to ensure their archiving arrangements comply with the legal requirements for email archiving specific to their individual situation. Organizations that obtain, process, share or store EU citizens’ personal data should only retain the data for only as long as there is a “lawful basis” for retaining it, in order to be in compliance with the General Data Protection Regulation.
Email Archiving Legal Requirements for Disaster Recovery
There is a school of thought that email archiving legal requirements for disaster recovery only apply to organizations in regulated industries because it is only in regulated industries there are rules stipulating that a disaster recovery plan has to be implemented. However, in order to be fully compliant with the Federal Rules of Civil Disclosure, it is advisable that every organization implements a plan to recover emails in the event of a natural or environmental disaster or due to malicious acts.
Furthermore, in order to have an accurate and immutable database of saved email data, it is important that the mechanism implemented to comply with the legal requirements for email archiving makes a copy of each email entering and leaving a mail server in real time. Periodic backups and archiving present the opportunity for an email to be altered or deleted before a copy of the original can be made and stored in a secure location.
One further compelling argument for email archiving in real time is to mitigate the risk of a cyberattack. Hackers have recently been infiltrating mail servers and extracting data from them before encrypting data, including email.They then issues a ransom demand for the keys to unlock the encrypted data. If emails are encrypted, the data will be of no value to the hackers, but the loss of an organization´s emails can have a significant impact on its ability to function. With real time email archiving, the stolen email data can be restored with the click of a mouse.
How Archived Email Data Should be Stored
Email archiving legal requirements can also vary in terms of how archived email data should be stored. Whereas Sarbanes-Oxley and the federal Food, Drug and Cosmetic Act stipulate archived email data should be “stored to prevent deterioration or loss” and “secure from alteration, inadvertent erasures or loss”, the Health Insurance Portability and Accountability Act leaves it up to individual organizations to assess the risks to the integrity of data and reasonably address the risks identified in a risk analysis.
It is in all organizations´ best interests to adopt best practices to ensure the integrity of email. This includes encrypting archived data, any data remaining on the mail server after archiving, and email correspondence sent outside of a closed system of email communication. The transfer of email data to a location outside a secure network system should be conducted using mandatory TLS protocols and all search and retrieval requests should also be conducted over a secure communication channel.
How email data should be stored in order to comply with the legal requirements for email archiving will be determined by an organization´s individual situation. Email archiving solutions come in a choice of deployment options from removable media to hardware, software, cloud-based solutions and hybrid solutions. Organizations relying on removable media or hardware to archive email data and act as a mechanism for disaster recovery should be conscious of the risks of loss, damage and theft.
Why Cloud-Based Email Archiving Solutions are Growing in Popularity
Of the different deployment options for complying with email archiving legal requirements, the solutions most favored by organizations both within and outside regulated industries are cloud-based solutions. Cloud-based email archiving solutions move data out of the network completely and free up more space than software solutions. Data centers cannot be lost, damaged or stolen like hardware solutions, and have advanced mechanisms in place to prevent malware attacks and unauthorized access. Data is also automatically replicated across cloud servers and backed up.
By storing all of an organization´s email data in one secure environment, cloud-based email archiving solutions are quicker at searching and retrieving archived emails than software or hardware solutions (and by association, hybrid solutions). This is especially true if using cloud email services such as Office 365. They are also easier to use than many alternative solutions and enable users to recover their own lost, misfiled or accidentally deleted emails (subject to authorization) without having to rely on the services of IT support teams.
With the ability to comply with the legal requirements for email archiving, restore databases at the click of a button, and enhance productivity – while ensuring the integrity of email data – it is not difficult to see why cloud-based email archiving solutions are growing in popularity. However, before committing to a cloud-based solution to comply with the legal requirements for email archiving, it is recommended to evaluate the options, as not all cloud-based email archiving solutions are the same.
Comply with the Legal Requirements for Email Archiving with ArcTitan
ArcTitan is a “set and forget” cloud-based solution for archiving emails that helps organizations comply with the legal requirements for email archiving in respect of the Federal Rules of Civil Disclosure, Sarbanes-Oxley, the Exchange Act, the Health Insurance Portability and Accountability Act, and the Drug and Cosmetic Act – among many other acts of legislation that apply to email backups, retention and archiving in regulated industries.
For all organizations, ArcTitan´s ability to expand storage capacity as email data grows over time means that that it is not necessary to budget for extra storage, manage servers or migrate data to a deployment option where security is not guaranteed. No matter how large an organization´s email database grows, performance will never be affected. Archiving time and access time will never be any slower, and additional server capacity will not be required to improve performance.
In terms of security and the integrity of data, emails are archived in real time and maintained in an IL5 certified data center via mandatory TLS protocols. An advanced delegation mechanism compatible with LDAP and Active Directory allows administrators to create a permission hierarchy for key employees, while tamper-evident audit trails identify any unauthorized alterations to archived email, or suspicious client-orientated activity.
Prior to archiving all of an organization´s email data in one secure location, ArcTitan removes any duplicated content and leaves stubs of original attachments in the mail server. Our cloud-based solution for complying with email archiving legal requirements then compresses the remaining data and indexes it to accelerate searches and eliminate duplicated data from search results. All archived email management is conducted via a browser-based portal over a secure connection. Archives can also be accessed through all major email clients, such as Outlook.
ArcTitan supports all email service providers and servers. It allows system administrators to define email retention policies to fit each individual organization´s regulatory needs and can search a database of 30 million emails in less than a second. Existing archived data can be imported from MS Exchange, Google Apps, EML, MBOX, MSG or PST and exported to EML, MSG, PDF, TIFF or PST. ArcTitan can support up to 60,000 users and our service is backed up by our industry-leading team of Sales Technicians.
See ArcTitan in Action
If your organization is concerned about email archiving legal requirements, or simply wants to implement a reliable email archiving solution to relieve the burden on your mail server, contact our team of Sales Technicians and request a free demo of ArcTitan. Our team of Sales Technicians will be happy to answer any questions you have about how to comply with the legal requirements for email archiving and schedule a demo at a convenient time for you and your team.
As our solution for complying with email archiving legal requirements does not use a proprietary format, and no costly or time-consuming data conversions are necessary. Consequently, deploying ArcTitan takes just minutes, and our Sales Technicians can liaise with your organization´s IT department to ensure a seamless integration if necessary. Contact us today to find out more about ArcTitan and for further information about how to comply with the legal requirements for email archiving.