
Here’s what you need to know about Business Data Retention Laws!

Posted by Loraine Daly on Tue, Oct 28th, 2014

Many people believe only regulated businesses have to preserve emails and other digital files – this is a dangerous misconception. Data retention laws affect most businesses, regardless of whether they are regulated or not. Which laws you must follow depends on the country in which you operate. In the USA, the list of regulations is long: SOX, HIPAA, Dodd-Frank, Gramm-Leach-Bliley, and even the US Patriot Act. In Europe, there are specific laws for EU member countries as well as for the European Union as a whole.

Did you know that you could be committing a crime if you delete an email? Reusing backup media can also run afoul of the law. Do that with malicious intent and you can serve 20 years in jail in the USA. Failure to produce emails for auditors can lead the SEC (Securities and Exchange Commission) to levy a fine on financial businesses.

Here is a summary of some of the specific regulations and how they came to be. Because there are so many regulators and overlapping rules, some organisations decide to keep everything forever: one rule says document A must be retained for period B, another says document C must be retained for period D. The regulations get complicated as different retention periods and rules apply to different data types. It is simplest just to assume you need a tamper-proof, offsite copy of all business communications, payroll and health records, and accounting transactions, kept forever.


After the Enron scandal in the USA, Congress passed the Sarbanes-Oxley Act of 2002 to make businesses demonstrate the veracity of their financial statements. The goal was to back up claims of “Everything is fine here. Business is good.” with actual facts, to protect investors from fraud, as happened in the case of Enron.

Toward that end, any kind of accounting data must be kept for 7 years. Since email invariably discusses the company’s audit and the accountants’ review of the financial statements, email needs to be kept for 7 years. Actions taken in operating the business are also related to financial results, so records of those need to be kept for 7 years as well. In other words, keep all email for a minimum of 7 years.


HIPAA is the Health Insurance Portability and Accountability Act. It was passed under President Clinton to allow Americans to keep their health insurance when they lost their job. That cruel bit of capitalism has been replaced by President Obama’s new health law, but the paperwork requirements of HIPAA remain. You would think a law called “Health Insurance…” would be geared toward those in the medical business, but the law applies to any discussion of anyone’s health, including your staff. That would include an employee requesting medical leave or time off to see the doctor or to care for a sick child or aging parent. That communication, of course, would be email communication. HIPAA requires that you hang onto it for 6 years.

Rules in the UK

Watson and Hall have pored over the rules in the UK regarding document retention. Their matrix groups communications and retention requirements by finance, government, communication, and cross-company compliance. According to Watson and Hall, in the UK, businesses are required to keep tax records for 3 years, cell phone text messages for 1 year (That would be difficult.), and email for 1 year, unless you are a financial business, in which case the requirement is 6 years. ISPs and companies hosting web sites are required to keep a record of web activity for 4 days and internet connection information for 1 year. Presumably this means logs.

German Data Retention Laws

Iron Mountain has compiled a list for Germany. Their guide for all of Europe is here. German businesses and companies operating in Germany are required to keep business communications for 6 years and payroll and accounting data for 10.

ArcTitan Cloud Email Archiving

The requirement to produce email and other documents up to 6 years old for eDiscovery makes it important to use an email archiving system, like ArcTitan, that gives users online access to what is archived offline and offsite. The alternative is to follow a cumbersome process of restoring email data files from backup in order to look for what is requested. That is an unwieldy and error-prone process. ArcTitan includes a natural-language browser where one can search the email archive for all items related to, for example, “Merger with Acme Company.” This tool keeps your company in compliance with regulation and facilitates eDiscovery.
