Email archiving: Regulations and solutions companies should know about
We all send emails. In fact, we send an awful lot of emails every single day. As of February 2017 it is estimated that the number of emails sent every day stands at 269 billion, with the average user partaking in 122 business-related email exchanges a day. Email is now a far bigger form of communication than postal letters; but if we all understand the importance of storing bank letters and receipts, why don’t we do the same for emails too? The truth is, if you’re operating a business, the law requires you to archive emails. Different countries have different rules and regulations regarding mail archiving, so it’s important to know where you stand. We’ll take you through the dos and don’ts of email archiving, focusing on the governing laws for the UK and the US.
- What is email archiving?
- Email archiving in the United Kingdom
- Email archiving in the United States
- How do I comply with regulations?
- Types of email archiving solutions
- Create your own email archiving policy
- Email archiving: know the facts and protect yourself!
Professional Email Address & Personal Domain Name
Give the right first impression with a custom email address and a free matching domain name!
What is email archiving?
Simply put, email archiving is a way of storing all of your incoming and outgoing messages in an organised manner. These emails, their metadata, and any attachments that are included within them, are preserved and protected for a designated period of time. Email archiving isn’t just simply saving emails; the process also involves organising them properly, so that specific emails can be dragged up as easily and quickly as possible when required.
What are the benefits of email archiving?
The obvious reason to ensure that you archive emails is because it’s illegal not to do so. But there are also many other benefits of keeping your emails archived. Firstly, this can help you to free up valuable server space. Your server is only designed to hold a certain number of emails, so overloading it will slow it down and eventually result in a lack of available storage space. By regularly archiving emails in a different location, you can help keep your server running quickly and efficiently. Mail archiving also means you can easily access files and messages whenever you need them. This can be very useful if you need to protect yourself in a legal dispute, provide evidence for an internal or external disagreement, or simply recover a file or message that you may have accidentally deleted.
Why is email archiving the law?
Email archiving isn’t just regulated to protect yourself legally: it’s also used to make sure you aren’t infringing on any laws yourself. Email archiving laws are designed to protect both businesses and their customers by acting as evidence in any legal disputes. For example, mail archives can be used to check for illegal interactions between companies. Examples of such illegal activity include colluding with competitors through price fixing, or agreements to eliminate competition by increasing barriers to entry through stockpiling or advertising. Email archiving can also serve to protect customers against the sharing of confidential information, like medical records, test results, proof of income, and more. On the other hand, it can be used by companies too, to check contractual agreements with customers or suppliers which perhaps haven’t been fulfilled. The government can also gain access if they suspect a company of tax evasion, fraud, or other high-profile crimes.
For whom and why is email archiving mandatory?
Except for non-traders (like small enterprises and freelancers), every business is obliged to archive business emails. This is set out by federal and state law and company data laws (complying with regulatory requirements and internal company procedures). Management is generally responsible for email archiving. If businesses fail to archive their emails, legal consequences and heavy fines may follow. You may also end up paying court costs, and will receive a guilty verdict if you cannot produce the requested information in a timely manner.
Never lose an email again! With IONOS, automatic email archiving can be added to your mailbox at the click of a button.
Email archiving in the United Kingdom
There are two important mail archiving laws to consider in the UK. These are the Data Protection Act and the Freedom of Information Act.
The Data Protection Act (DPA)
The Data Protection Act was set up in the UK in 1998 and concerns personal data. According to the DPA, anyone has the right to ask for a copy of their personal data being stored by businesses in the UK. If your company is asked for information under the DPA by an individual, you have a maximum of 40 days to locate this data, retrieve it, and respond to the query. You may charge a bill for this, but only up to a maximum of £10. This law applies to any firms who store and/or process personal information about customers, and if you fail to follow the rules and respond to this request, you could face an unlimited fine. Since the majority of customer data is processed through emails, email archiving is especially relevant here to make sure you can locate this data, process it, and hand it over within 40 calendar days.
The Data Protection Act can also affect internal matters, for instance in cases of employment tribunal claims. Should an employee who has recently been let go decide to make a claim against you as an employer, you’ll need to locate internal emails for your defense. If you fail to do so, you could end up losing the case and being on the wrong end of an unfair staff dismissal prosecution.
The Freedom of Information Act
First created in 2000, the Freedom of Information Act goes a step further than the Data Protection Act. It gives members of the public the right to access all the information that a company has collected about them, so this includes any information shared by email. This covers companies who have received data through outsourcing – so if you complete outsourced work, you need to archive your emails as well. When a request is made, companies have just 20 days to locate and return the information. If traces of this information are found on the network, the data must be retrieved, though there are exemptions that mean companies can refuse to pass the information on. If your company is found guilty of wrongdoing and withholding information illegally, your business may be faced with serious legal action.
For advice and guidance on the storing of electronic data, companies operating in the UK can refer to the British Standards Institution (BSI). The search function on their website can be used to look for information and recommendations that can then be purchased for a fee. Ones of particular interest for electronic data storage include the BS 4783 and BS ISO 15489-1.
Email archiving in the United States
Laws about email archiving aren’t universal. They differ from country to country, and even between different organizations within a country. In the U.S., email archiving is dictated by 4 different acts and law changes, dating back to 1934. To be sure you are not infringing on US federal law, it’s important for business owners to understand what these 4 acts mean.
The 1934 Act
The 1934 Act (full title: The Security Exchange Act of 1934) mainly dictates that records must be kept for any security exchanges. These exchanges usually involve stocks, and some of the largest and best-known of these include the New York Stock Exchange, the American Stock Exchange, and the Pacific Stock Exchange. Though not specifically defined, the ‘records’ that must be kept are very broadly defined, which would almost certainly cover emails if it came to a legal dispute. These records have to be kept for a minimum of 6 years, and the Securities and Exchange Commission (SEC) has the right to impose fines if records can’t be produced within a given time frame. The highest profile case of this was in 2002, when the SEC, acting in conjunction with the New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD), fined five companies a total of 8.25 million US dollars (6.45 million pounds) for failing to comply with the 1934 Act. The parties involved included Goldman, Sachs & Co., Morgan Stanley & Co. Incorporated, and Deutsche Bank Securities Inc. The firms each paid 1.65 million USD (1.3 million pounds), to be shared between the NYSE, NASD, and the US Treasury.
The Commodity Futures Trading Commission (CFTC)
The Commodity Futures Trading Commission is an independent agency which ensures that all futures commission merchants, member of contract markets, and introducing brokers keep complete records of all their transactions. Companies in this instance are required to keep their records for 5 years, and they must be able to produce them upon request within a reasonable time frame (as dictated by the CFTC). The CFTC has acted on behalf of the US government since its foundation in 1975; it is also authorised to give out penalties, recovering close to 2 billion USD (1.6 billion pounds) in total fines since its formation. In 1999, an amendment was made to the Commodity Futures Trading Commission’s legislation, meaning that electronically stored information (ESI) like emails are now considered records for transactions too. As a result, CFTC penalties have increased significantly: in the period of 2011-2012, the organisation issued more than 200 law enforcement actions.
The Sarbanes-Oxley Act
The Sarbanes-Oxley Act (also known as Sarbox or SOX) was completed in 2002 and is designed to protect investors, shareholders, and the general public from ‘accounting errors and fraudulent practices in the enterprise’. Simply put, this amendment means that accountants must keep all official audit and review papers for a minimum of 5 years after conducting an audit or review of a company. The penalties for infringement of Sarbox are more severe: in some cases leading to long-term prison sentences. Email archiving would be considered a crucial part of keeping records from accounting audits and reviews, so it’s important to bear this rule in mind.
The Federal Rules of Civil Procedure
The Federal Rules of Civil Procedure (FRCP) is the legislation responsible for US district court procedure for all civil lawsuits. This set of rules was founded in 1938, but a recent amendment was made in December 2006 to cover the electronic sharing of information. It’s titled ‘Failure to Make or Cooperate in Discovery; Sanctions’: this amendment dictates that any emails, messages, files, requests, instructions, or other such information that could be considered relevant to a ‘current or future litigation’ can’t be removed, deleted, or overwritten. The penalties vary, with some of the more severe including contempt of court, heavy fines, and in some cases even an ‘automatic guilty verdict’.
While the laws and acts listed above are federal, there are additional laws which vary from state to state. So it’s a good idea to check your local state laws to make sure you’re not in breach of any rules or regulations.
How do I comply with regulations?
The basic rule is to be sure to store any emails that could potentially be used as evidence in any current or future lawsuits, either against you or in your defence. But it’s not enough to simply ‘store’ these emails, you also have to know:
- Exactly where the data is saved
- The archiving technology used to store emails
- The archiving schedule (how quickly are files added? Are they added on a particular day / at a particular time? How many years are they stored for before they’re eventually deleted?)
- How the email recycling process works (Do files stay on the server after archiving?)
- The search function/process used to locate emails
- How long it would take to produce emails for evidence
- The different formats you could produce the emails in
These are all questions you could be asked to answer in cases of a potential lawsuit. Remember: If you can’t answer these questions when required, you’re breaking the law. And if you can’t locate and submit these emails in a quick and easy manner, you’re in danger of being subject to legal action yourself.
Types of email archiving solutions
There are three main ways to archive emails: Third-party solutions, on-site solutions, and cloud-based solutions. Third-party solutions host your email archive through outsourcing, meaning that the business doesn’t have to bear the cost of hardware or software. On-site solutions, on the other hand, require you to handle your own archiving, through the use of external software. Nowadays, companies are increasingly focusing on Cloud-based solutions. This type of solution typically means lower entry costs and a simple monthly subscription charge. Most of the leading email archive solution providers, like Veritas Enterprise Vault, Barracuda Message Archiver, and EMC SourceOne offer two or even all three of these methods. These email archiving solutions collect your emails in two different ways: they either take content directly from your mail server (this process is known as journaling), or they copy your emails while they are being sent/received. These archives also feature a search function, allowing you to locate important emails quickly in cases of emergency. However, a cloud-based solution also means that all data will be located on the provider’s system together with other companies’ data. If another company gets hacked, your information could also be compromised.
Create your own email archiving policy
Once you’ve chosen an archiving solution, we recommend that you outline a clear policy to pass onto employees. Since email archiving may seem trivial to some people, you should explain the key points behind it. We suggest you mention:
- The importance of archiving emails
- Where emails will be archived
- How long emails will be stored for (and why)
- Which emails will be kept and which can be deleted
- The person/company responsible for the email archiving, with a point of contact for enquiries
By doing this, you will ensure that all your employees understand the importance of email archiving and cooperate to help your company avoid a potentially sticky situation in future.
Email archiving: know the facts and protect yourself!
Emails have been around a while now, becoming our biggest form of communication in the workplace. As a result, it’s crucial that you know the archiving laws in your country and follow them. Failure to do so could result in severe penalties, like large fines, a damaged reputation, and in some cases even prison sentences. But email archiving isn’t just important because it’s required by law: there are many benefits to having an extra storage system for older emails. You can free up server space, boosting speed and efficiency, and you don’t have to panic if you accidentally delete an email either. By choosing a solid email archiving solution, you can take the pressure off and let a third party handle your archives. Alternatively you can choose to keep your email archiving on site, equipping your IT department with the perfect tools to take care of it. Whichever way you choose to handle mail archiving, you can be sure that having a good policy in place will save you a lot of stress and potentially a nasty penalty in future.