Email archiving: Regulations and solutions companies should know about

The obvious reason to ensure that you archive emails is because it’s illegal not to do so. But there are also many other benefits of keeping your emails archived. Firstly, this can help you to free up valuable server space. Your server is only designed to hold a certain number of emails, so overloading it will slow it down and eventually result in a lack of available storage space. By regularly archiving emails in a different location, you can help keep your server running quickly and efficiently. Mail archiving also means you can easily access files and messages whenever you need them. This can be very useful if you need to protect yourself in a legal dispute, provide evidence for an internal or external disagreement, or simply recover a file or message that you may have accidentally deleted.

Email archiving isn’t just regulated to protect yourself legally: it’s also used to make sure you aren’t infringing on any laws yourself. Email archiving laws are designed to protect both businesses and their customers by acting as evidence in any legal disputes. For example, mail archives can be used to check for illegal interactions between companies. Examples of such illegal activity include colluding with competitors through price fixing, or agreements to eliminate competition by increasing barriers to entry through stockpiling or advertising. Email archiving can also serve to protect customers against the sharing of confidential information, like medical records, test results, proof of income, and more. On the other hand, it can be used by companies too, to check contractual agreements with customers or suppliers which perhaps haven’t been fulfilled. The government can also gain access if they suspect a company of tax evasion, fraud, or other high-profile crimes.

Except for non-traders (like small enterprises and freelancers), every business is obliged to archive business emails. This is set out by federal and state law and company data laws (complying with regulatory requirements and internal company procedures). Management is generally responsible for email archiving. If businesses fail to archive their emails, legal consequences and heavy fines may follow. You may also end up paying court costs, and will receive a guilty verdict if you cannot produce the requested information in a timely manner.

The Data Protection Act was set up in the UK in 1998 and concerns personal data. According to the DPA, anyone has the right to ask for a copy of their personal data being stored by businesses in the UK. If your company is asked for information under the DPA by an individual, you have a maximum of 40 days to locate this data, retrieve it, and respond to the query. You may charge a bill for this, but only up to a maximum of £10. This law applies to any firms who store and/or process personal information about customers, and if you fail to follow the rules and respond to this request, you could face an unlimited fine. Since the majority of customer data is processed through emails, email archiving is especially relevant here to make sure you can locate this data, process it, and hand it over within 40 calendar days.

The Data Protection Act can also affect internal matters, for instance in cases of employment tribunal claims. Should an employee who has recently been let go decide to make a claim against you as an employer, you’ll need to locate internal emails for your defense. If you fail to do so, you could end up losing the case and being on the wrong end of an unfair staff dismissal prosecution.

First created in 2000, the Freedom of Information Act goes a step further than the Data Protection Act. It gives members of the public the right to access all the information that a company has collected about them, so this includes any information shared by email. This covers companies who have received data through outsourcing – so if you complete outsourced work, you need to archive your emails as well. When a request is made, companies have just 20 days to locate and return the information. If traces of this information are found on the network, the data must be retrieved, though there are exemptions that mean companies can refuse to pass the information on. If your company is found guilty of wrongdoing and withholding information illegally, your business may be faced with serious legal action.

For advice and guidance on the storing of electronic data, companies operating in the UK can refer to the British Standards Institution (BSI). The search function on their website can be used to look for information and recommendations that can then be purchased for a fee. Ones of particular interest for electronic data storage include the BS 4783 and BS ISO 15489-1.

The 1934 Act (full title: The Security Exchange Act of 1934) mainly dictates that records must be kept for any security exchanges. These exchanges usually involve stocks, and some of the largest and best-known of these include the New York Stock Exchange, the American Stock Exchange, and the Pacific Stock Exchange. Though not specifically defined, the ‘records’ that must be kept are very broadly defined, which would almost certainly cover emails if it came to a legal dispute. These records have to be kept for a minimum of 6 years, and the Securities and Exchange Commission (SEC) has the right to impose fines if records can’t be produced within a given time frame. The highest profile case of this was in 2002, when the SEC, acting in conjunction with the New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD), fined five companies a total of 8.25 million US dollars (6.45 million pounds) for failing to comply with the 1934 Act. The parties involved included Goldman, Sachs & Co., Morgan Stanley & Co. Incorporated, and Deutsche Bank Securities Inc. The firms each paid 1.65 million USD (1.3 million pounds), to be shared between the NYSE, NASD, and the US Treasury.

The Commodity Futures Trading Commission is an independent agency which ensures that all futures commission merchants, member of contract markets, and introducing brokers keep complete records of all their transactions. Companies in this instance are required to keep their records for 5 years, and they must be able to produce them upon request within a reasonable time frame (as dictated by the CFTC). The CFTC has acted on behalf of the US government since its foundation in 1975; it is also authorised to give out penalties, recovering close to 2 billion USD (1.6 billion pounds) in total fines since its formation. In 1999, an amendment was made to the Commodity Futures Trading Commission’s legislation, meaning that electronically stored information (ESI) like emails are now considered records for transactions too. As a result, CFTC penalties have increased significantly: in the period of 2011-2012, the organisation issued more than 200 law enforcement actions.

The Sarbanes-Oxley Act (also known as Sarbox or SOX) was completed in 2002 and is designed to protect investors, shareholders, and the general public from ‘accounting errors and fraudulent practices in the enterprise’. Simply put, this amendment means that accountants must keep all official audit and review papers for a minimum of 5 years after conducting an audit or review of a company. The penalties for infringement of Sarbox are more severe: in some cases leading to long-term prison sentences. Email archiving would be considered a crucial part of keeping records from accounting audits and reviews, so it’s important to bear this rule in mind.

The Federal Rules of Civil Procedure (FRCP) is the legislation responsible for US district court procedure for all civil lawsuits. This set of rules was founded in 1938, but a recent amendment was made in December 2006 to cover the electronic sharing of information. It’s titled ‘Failure to Make or Cooperate in Discovery; Sanctions’: this amendment dictates that any emails, messages, files, requests, instructions, or other such information that could be considered relevant to a ‘current or future litigation’ can’t be removed, deleted, or overwritten. The penalties vary, with some of the more severe including contempt of court, heavy fines, and in some cases even an ‘automatic guilty verdict’.

While the laws and acts listed above are federal, there are additional laws which vary from state to state. So it’s a good idea to check your local state laws to make sure you’re not in breach of any rules or regulations.

Please note the legal disclaimer relating to this article.