Email archiving: Regulations and solutions companies should know about
We all send emails. In fact, we send an awful lot of emails every single day. In 2015, the total number of emails sent and received worldwide exceeded 205 billion a day, with the average user partaking in 122 business-related email exchanges a day. Email is now a far bigger form of communication than postal letters; but if we all understand the importance of storing bank letters and receipts, why don’t we do the same for emails too? The truth is, if you’re operating a business, the law requires you to archive emails. Different countries have different rules and regulations regarding mail archiving, so it’s important to know where you stand. We’ll take you through the dos and don’ts of email archiving, focusing on the governing laws for Canada and the US.
What is email archiving?
Simply put, email archiving is a way of storing all of your incoming and outgoing messages in an organized manner. These emails, their metadata, and any attachments included within them are preserved and protected for a designated period of time. Email archiving isn’t simply saving emails; the process also involves organizing them properly, so that specific emails can be retrieved as easily and quickly as possible when required.
What are the benefits of email archiving?
The obvious reason to ensure that you archive emails is because it’s illegal not to do so. But there are also many other benefits of keeping your emails archived. Firstly, this can help you to free up valuable server space. Your server is only designed to hold a certain number of emails, so overloading it will slow it down and eventually result in a lack of available storage space. By regularly archiving emails in a different location, you can help keep your server running quickly and efficiently. Mail archiving also means you can easily access files and messages whenever you need them. This can be very useful if you need to protect yourself in a legal dispute, provide evidence for an internal or external disagreement, or simply recover a file or message that you may have accidentally deleted.
Why is email archiving the law?
Email archiving isn’t just regulated to protect yourself legally: it’s also used to make sure you aren’t infringing on any laws yourself. Email archiving laws are designed to protect both businesses and their customers by acting as evidence in any legal disputes. For example, mail archives can be used to check for illegal interactions between companies. Examples of such illegal activity include colluding with competitors through price fixing, or agreements to eliminate competition by increasing barriers to entry through stockpiling or advertising. Email archiving can also serve to protect customers against the sharing of confidential information, like medical records, test results, proof of income, and more. On the other hand, it can be used by companies too, to check contractual agreements with customers or suppliers which perhaps haven’t been fulfilled. The government can also gain access if they suspect a company of tax evasion, fraud, or other high-profile crimes.
For whom and why is email archiving mandatory?
Except for non-traders (like small enterprises and freelancers), every business is obliged to archive business emails. This is set out by federal and state law and company data laws (complying with regulatory requirements and internal company procedures). Management is generally responsible for email archiving. If businesses fail to archive their emails, legal consequences and heavy fines may follow. You may also end up paying court costs, and will receive a guilty verdict if you cannot produce the requested information in a timely manner.
Email archiving in Canada
Canadian laws on email archiving stem from 2 principal regulations: the Personal Information Protection and Electronic Documents Act and the Canadian Sarbanes-Oxley Act. The Investment Industry Regulatory Organization of Canada, founded in 2008, is the body responsible for enforcing these restrictions.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is a Canadian law concerning data privacy that came into operation in 2000. It was designed to improve consumer confidence in e-commerce, and it contains a clause stating it must be reviewed every 5 years. PIPEDA restricts the way that companies can collect data, except in circumstances of national security and emergencies. Canadians have the right to know why an organization has their data, how they obtained it, how they are using it, and to receive full details of it if requested. Organizations have an obligation to give this information upon request and to have ‘personal information policies that are clear, understandable, and readily available’. This means that email archiving is essential in Canada to ensure that you’re able to give customers information quickly and easily.
The Canadian Sarbanes-Oxley Act (C-SOX)
As you may have guessed, C-SOX is the Canadian equivalent of the 2002 Sarbanes-Oxley Act in the USA, dictating that accountants keep records of audits and reviews carried out. Its full title in Canada is the Keeping the Promise for a Strong Economy Act. It was enacted in 2003, a year after SOX.
Email archiving in the United States
Federal laws, which are designed to protect both companies and their clients, are decisive in email archiving. In the US, email archiving is dictated by four different acts and law changes, dating back to 1934. To be sure you are not infringing on US federal law, it’s important for business owners to understand what these 4 acts mean.
The 1934 Act
The 1934 Act (full title: the Securities Exchange Act of 1934) mainly dictates that records must be kept for any security exchanges. These exchanges usually involve stocks, and some of the largest and best-known of these include the New York Stock Exchange, the American Stock Exchange, and the Pacific Stock Exchange. The ‘records’ that must be kept are not specifically itemized but are very broadly defined, which would almost certainly cover emails if it came to a legal dispute. These records have to be kept for a minimum of 6 years, and the Securities and Exchange Commission (SEC) has the right to impose fines if records can’t be produced within a given time frame. The highest profile case of this was in 2002, when the SEC, acting in conjunction with the New York Stock Exchange (NYSE) and the National Association of Securities Dealers (NASD), fined 5 companies a total of 8.25 million US dollars for failing to comply with the 1934 Act. The parties involved included Goldman, Sachs & Co., Morgan Stanley & Co. Incorporated, and Deutsche Bank Securities Inc. The firms each paid 1.65 million USD, to be shared between the NYSE, NASD, and the US Treasury.
The Commodity Futures Trading Commission (CFTC)
The Commodity Futures Trading Commission is an independent agency which ensures that all futures commission merchants, members of contract markets, and introducing brokers keep complete records of all their transactions. Companies in this instance are required to keep their records for 5 years, and they must be able to produce them upon request within a reasonable time frame (as dictated by the CFTC). The CFTC has acted on behalf of the US government since its foundation in 1975; it is also authorized to give out penalties, recovering close to 2 billion USD in total fines since its formation. In 1999, an amendment was made to the Commodity Futures Trading Commission’s legislation, meaning that electronically stored information (ESI) like emails is now considered a record of transactions too. As a result, CFTC penalties have increased significantly: in the period of 2011-2012, the organization issued more than 200 law enforcement actions.
The Sarbanes-Oxley Act
The Sarbanes-Oxley Act (also known as Sarbox or SOX) was completed in 2002 and is designed to protect investors, shareholders, and the general public from ‘accounting errors and fraudulent practices in the enterprise’. Simply put, this amendment means that accountants must keep all official audit and review papers for a minimum of 5 years after conducting an audit or review of a company. The penalties for infringement of Sarbox are more severe: in some cases leading to long-term prison sentences. Email archiving would be considered a crucial part of keeping records from accounting audits and reviews, so it’s important to bear this rule in mind.
The Federal Rules of Civil Procedure
The Federal Rules of Civil Procedure (FRCP) is the legislation responsible for US district court procedure for all civil lawsuits. This set of rules was founded in 1938, but a recent amendment was made in December 2006 to cover the electronic sharing of information. It’s titled ‘Failure to Make or Cooperate in Discovery; Sanctions’: this amendment dictates that any emails, messages, files, requests, instructions, or other such information that could be considered relevant to a ‘current or future litigation’ can’t be removed, deleted, or overwritten. The penalties vary, with some of the more severe including contempt of court, heavy fines, and in some cases even an ‘automatic guilty verdict’.
In addition, individual states also have the capacity to impose laws on a company. Most state revenue departments require companies to hold on to data for at least three years. In California, the minimum is four years. Beyond this, the IRS can request data from up to seven years back.
How do I comply with regulations?
The basic rule is to store any emails that could potentially be used as evidence in any current or future lawsuits, either against you or in your defense. But it’s not enough to simply “store” these emails; you also have to know:
- Exactly where the data is saved
- The archiving technology used to store emails
- The archiving schedule (how quickly are files added? Are they added on a particular day/at a particular time? How many years are they stored for before they’re eventually deleted?)
- How the email recycling process works (Do files stay on the server after archiving?)
- The search function/process used to locate emails
- How long it would take to produce emails for evidence
- The different formats you could produce the emails in
These are all questions you could be asked to answer in cases of a potential lawsuit. Remember: If you can’t answer these questions when required, you’re breaking the law. And if you can’t locate and submit these emails in a quick and easy manner, you’re in danger of being subject to legal action yourself.
Types of email archiving solutions
On a daily basis, sensitive information like invoices, contracts, and internal business content is sent via email. So, it’s important to have a solid archiving solution in place to ensure that this data can always be retrieved.
There are three main ways to archive emails: third-party solutions, on-site solutions, and cloud-based solutions. Third-party solutions host your email archive through outsourcing, meaning that the business doesn’t have to bear the cost of hardware or software. On-site solutions, on the other hand, require you to handle your own archiving, through the use of external software.
Nowadays, companies are increasingly focusing on cloud-based solutions. This type of solution typically means lower entry costs and a simple monthly subscription charge. However, a cloud-based solution also means that all data will be located on the provider’s system together with other companies’ data. If another company gets hacked, your information could also be compromised.
Most of the leading email archive solution providers, like Veritas Enterprise Vault, Barracuda Message Archiver, and EMC SourceOne, offer two or even all three of these methods. These email archiving solutions collect your emails in two different ways: they either take content directly from your mail server (this process is known as journaling), or they copy your emails while they are being sent/received. These archives also feature a search function, allowing you to locate important emails quickly in cases of emergency.
Create your own email archiving policy
Once you’ve chosen an archiving solution, we recommend that you outline a clear policy to pass onto employees. Since email archiving may seem trivial to some people, you should explain the key points behind it. We suggest you mention:
- The importance of archiving emails
- Where emails will be archived
- How long emails will be stored for (and why)
- Which emails will be kept and which can be deleted
- The person/company responsible for the email archiving, with a point of contact for enquiries
By doing this, you will ensure that all your employees understand the importance of email archiving and cooperate to help your company avoid a potentially sticky situation in future.
Email archiving: Know the facts and protect yourself!
Emails have been around a while now, becoming our biggest form of communication in the workplace. As a result, it’s crucial that you know the archiving laws in your state and follow them. Failure to do so could result in severe penalties, like large fines, a damaged reputation, and in some cases even prison sentences. But email archiving isn’t just important because it’s required by law: there are many benefits to having an extra storage system for older emails. You can free up server space, boosting speed and efficiency, and you don’t have to panic if you accidentally delete an email either. By choosing a solid email archiving solution, you can take the pressure off and let a third party handle your archives. Alternatively, you can choose to keep your email archiving on site, equipping your IT department with the perfect tools to take care of it. Whichever way you choose to handle mail archiving, you can be sure that having a good policy in place will save you a lot of stress and potentially a nasty penalty in the future.