1. What is an E-mail Retention Policy?

Simply put, an e-mail retention policy (ERP) is the process of keeping e-mails for compliance or business reasons. It differs from archiving (although the two terms are often used interchangeably) in that a retention policy decides when to dispose of redundant electronic messages, while an archive may keep them indefinitely. Therefore, an ERP should set out which e-mails are to be stored, for how long, and the exact mechanism of their disposal. This schedule must also take into account the regulatory timeframes for e-mail preservation and any other requirements applicable to your industry.

2. Why Do You Need an E-mail Retention Policy?

Three main reasons can motivate businesses to create an ERP:

Regulatory Requirements: Certain types of businesses need to be in accordance with government laws, rules and regulations. Those vary by nation, state and industry.

Litigation: If a company gets embroiled in a legal action, some e-mail correspondence may need to be submitted as evidence.

Management: Old e-mail communications that can be easily searched for and retrieved can be useful in ongoing or future business projects.

Diagram 1

“What says the law?” is the first question you have to ask yourself before you begin working on your ERP. Don’t end up on the wrong side of the law; in other words, do not leave regulatory compliance unaddressed. Create a written ERP with retention schedules based on laws and business needs. Legislation in most countries obliges government agencies to archive in a public record every e-mail they send or receive. Some of the primary legal compliance requirements driving the need for secure e-mail archiving are (alphabetically by jurisdiction):

All EU countries
  • The Data Retention Directive

Note: In early April 2014, the European Court of Justice found that the Directive violated Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (norms that promote “respect for private life and communications” and the “protection of personal data”), thus invalidating it in essence.

Canada
  • Investment Industry Regulatory Organization of Canada (IDA) 29.7
  • Mutual Fund Dealers Association (MFDA) [3]
  • PIPEDA

Germany
  • GDPdU [4]

Switzerland
  • Schweizerisches Obligationenrecht, article 962

United Kingdom
  • British Standards Institution – BS 4783, BS 7799/ISO 17799, BS ISO 15489-1, BSI DISC PD 0008, BSI DISC PD0010, BSI DISC PD0012
  • Data Protection Act 1998
  • Freedom of Information Act 2000
  • Court action under the Civil Procedure Rules
  • The Sarbanes-Oxley Act for US-related firms
  • Financial Services Authority (FSA)
  • Employment Tribunals
  • The Data Retention Regulations 2009

United States
  • Banking: FDIC, OCC (Office of the Comptroller of the Currency)
  • Defense: DoD 5015.2 Standard
  • Pharmaceutical: FDA Title 21 CFR Part 11
  • Telecommunications: FCC – Title 47, Part 42
  • Federal Rules of Civil Procedure (FRCP)
  • Freedom of Information Act
  • Gramm-Leach-Bliley Act
  • HFTA (Hedge Fund Transparency Act)
  • Healthcare: HIPAA (Health Insurance Portability and Accountability Act)
  • Investment Advisers Act and SEC Rule 204-2 (Books and Records Retention)
  • NASD Rule 3110 and NYSE Rule 440
  • General Business Oversight: Sarbanes-Oxley
  • SB 1386 (California only)
  • Brokerage Firms: Securities and Exchange Commission Rule 17a-4, SEC Rule 17a-3
  • The USA PATRIOT Act

Although a good ERP should involve all areas of the company, the key departments concerned with e-mail retention ought to set up a steering committee. In drafting the ERP, however, the legal department is likely to take precedence. This is because defining e-mail retention periods in line with the local legal framework and industry requirements is critical if the company becomes embroiled in a rigorous eDiscovery. In addition, other departments most affected by rules and regulations should be expected to drive the process as well. The company’s IT department must, by all means, have a say in technical matters.

3. How do you decide what is important?

Separating the wheat from the chaff is how we should handle the mass of messages. Classifying e-mails can simplify determining which e-mails are no longer required for retention. Through precisely defined categories, one can remove non-essential e-mails (e.g., duplicate e-mails or spam) that would otherwise clog an efficient search & retrieval system.

The Scope section, as shown in the text box below, aims to cover all types of e-mail messages subject to retention rules. Anything left outside it should be treated as an exception and therefore handled manually. In other ERP versions, this part can also list the staff who are entrusted to create, send, receive, or retain e-mail messages and attachments.

4. How long should you keep the different types of e-mails?

Knowing what should be kept is only the first step. What follows next is to assess how long it should be kept.

4.1 Minimum/Maximum Retention Periods

In order to create a valid e-mail records retention schedule, you first need to identify all applicable minimum retention periods. A single e-mail retention period is deemed enough for most companies.

Statutes of limitations prohibit the initiation of late legal proceedings, for instance, lodging a complaint or criminal prosecution after a period of time stipulated by law. They can be a useful source for determining the longevity of some retention periods. Here are some examples from the Canadian legal system provided by the lawyers Dan Michaluk and Hicks Morley:

  • Employee name and address records – three years from end of employment
  • Records of hours worked – three years from current
  • Wages paid records – three years from current
  • Records related to protected leaves – three years from date leave expires
  • Excess hours and overtime averaging agreements – three years from last day of work subject to the agreement
  • Vacation time and pay records – three years from date of creation
  • Occupational Health and Safety Act medical surveillance records – longer than 20 years from the time records were first made, or 40 years from the last time such records were made
  • Patient records (by members of the College of Physicians and Surgeons of Ontario) – longer than 10 years from last date of entry, or date patient reached or would have reached 18 years of age
  • Income tax records – records and books of account (subject to exceptions) to be kept for six years from the end of the last taxation year to which they relate.

Minimum retention periods like the ones listed above are assigned by statute either because their associated records have value to regulators as an aid to enforcement, or because they are of direct value to the public itself (as with medical records).

Maximum retention time is important as well. Business dealings also weigh in on the decision to keep some sorts of e-mails. Consequently, it is advisable to retain e-mails that relate to income, expenses, taxes, contracts, etc. According to PIPEDA Principle 4.5.3, “Personal information that is no longer required to fulfill the identified purposes should be destroyed, erased, or made anonymous.”

In other words, once retention is no longer necessary from a legal or business point of view, it would be reasonable to assume that the initial purpose for collection has ceased to exist. Nevertheless, the U.S. courts seem to be more favourable towards organizations that tend to keep their records longer.

4.2 Automation

Automated sorting of e-mails is common nowadays. Most large- and mid-sized organizations prefer an automated ERP to the user-based approach of small businesses. Manual classification, archival and destruction of e-mails is likely to be performed poorly, regardless of the quality of the education program. Mailbox size limits, document management systems, and e-mail archiving solutions are some of the features companies use to control the retention of e-mails.

4.3 Archiving, Storage & Backup

You can further improve searchability if you decide to consolidate all e-mail stores into one online repository. Thanks to efficient contemporary archival services, a person can browse through the e-mail database and find the message they need in no time. By increasing the searchability of e-mails, you decrease both unproductive e-mail searches and all related costs.

E-mails can be used as evidence in a trial, and they must be made available to opposing counsel regardless of how expensive or difficult they are to search for and retrieve.

Electronic messages of every description that are of specific interest should be made accessible within a suitable period of time. A dedicated repository for e-mail attachments should store them separately from users’ inboxes or e-mail folders.

4.4 Security

E-mails often contain firm secrets and intellectual property – approximately 80% of the business-critical content for an organization is there, according to a whitepaper from Frost & Sullivan. For that reason, security measures like user authentication, encryption, verified destruction, and so forth, should be taken into consideration.

In addition, to tighten security, many organizations use a web-based e-mail system accessible by authorized personnel only via a login process controlled by trusted administrators.

E-mails can be easily altered—hence, rendered legally void—simply by clicking edit and change. An ERP should take all necessary measures to maintain e-mails in their original, unaltered state, securing them against external and internal threats. Consequently, an e-mail must be kept and retrieved in an authentic, trustworthy, and tamperproof way. E-mails must remain accessible, readable, and unchanged for the full retention period.

4.5 Records Destruction

Canadian Fact Sheet #10 defines destruction of records as “…either physically damaging the item (rendering it unusable) and discarding it, or, if re-use within the organization is preferred, it means employing wiping utilities provided by various software companies.” Also, it prescribes a number of best practices for destruction of records as follows:

  • Duplicates of official records that contain personal information should be stamped with “shred after” and “do not copy” warnings
  • Hire a records destruction agent
  • Reserve a right to audit an agent’s processes

The organization’s IT team should be entrusted with the destruction of e-mails beyond the retention period, in a procedure known as “digital cleansing”, so as to verify that everything is executed properly. In addition to complying with regulatory and legal obligations, a good ERP should manage data in a risk-aware and cost-effective way.

4.5.1 Record Destruction vs. Litigation Holds and Spoliation of Evidence

The policy of destroying e-mail must be ready to call a halt at any time. An ERP must have an infallible “hold procedure” to ensure that routine purge of e-mail records in conformity with normally performed retention schedules is suspended in the event of anticipated litigation, government inspection or investigation. As terrifying as it may sound, knowing that a stop is needed may not be enough in itself, because the actual implementation of stopping may not be easy for complex enterprises.

Legal holds can supersede virtually any retention policy that addresses the destruction of data, in our case e-mails. Therefore, it is crucial that the technical systems in use can switch quickly from destruction to preservation mode and store all e-mails covered by a court order or discovery request. Spoliation of electronic evidence can be detrimental to your company, both financially and reputationally.

The IT team should participate in the “legal hold” procedure, since their expertise can positively impact the immediate suspension of the required e-mails.
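The retention periods of section 4.1, the tamperproof requirement of 4.4 and the hold procedure of 4.5.1 are easier to see when they meet in code. The following is an added example, not from the article or any product it mentions: the categories, periods, addresses and messages are constructed, and the message hash stands in for whatever integrity mechanism a real archive uses.

```python
# Added example, not from the article: constructed categories, periods and messages.
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention periods; real ones come from your statutes and business needs (4.1).
RETENTION_DAYS = {"payroll": 3 * 365, "tax": 6 * 365, "general": 90}

@dataclass
class Message:
    msg_id: str
    sender: str
    category: str
    received: date
    raw: bytes
    stored_hash: str = ""  # SHA-256 of the raw message, fixed at ingestion

    def ingest(self) -> str:
        """Record a hash at archival time so later alteration is detectable (4.4)."""
        self.stored_hash = hashlib.sha256(self.raw).hexdigest()
        return self.stored_hash

    def integrity_ok(self) -> bool:
        return hashlib.sha256(self.raw).hexdigest() == self.stored_hash

@dataclass
class LegalHold:
    matter: str
    custodians: set[str]     # senders whose mail must be preserved
    start: date              # earliest message date covered by the hold
    end: date | None = None  # None means the hold is open-ended

    def covers(self, m: Message) -> bool:
        in_window = m.received >= self.start and (self.end is None or m.received <= self.end)
        return m.sender in self.custodians and in_window

def disposition(m: Message, holds: list[LegalHold], today: date) -> str:
    """Integrity and holds are checked before the retention clock: a hold always wins (4.5.1)."""
    if not m.integrity_ok():
        return "QUARANTINE"  # content no longer matches what was archived
    if any(h.covers(m) for h in holds):
        return "HOLD"        # routine purge suspended for this matter
    expiry = m.received + timedelta(days=RETENTION_DAYS[m.category])
    return "DISPOSE" if today >= expiry else "RETAIN"

def run_purge(messages: list[Message], holds: list[LegalHold], today: date, audit_log: list) -> list[Message]:
    """Drop expired, unheld messages; log each decision with the hash as evidence of verified destruction."""
    kept = []
    for m in messages:
        action = disposition(m, holds, today)
        audit_log.append((today.isoformat(), m.msg_id, action, m.stored_hash))
        if action != "DISPOSE":
            kept.append(m)
    return kept

def demo() -> dict[str, str]:
    """Constructed sample: four archived messages, one custodian under legal hold."""
    msgs = [Message("m1", "alice@example.com", "general", date(2014, 1, 1), b"routine note"),
            Message("m2", "bob@example.com", "general", date(2014, 1, 1), b"contract draft"),
            Message("m3", "carol@example.com", "tax", date(2014, 1, 1), b"invoice 17"),
            Message("m4", "dave@example.com", "tax", date(2014, 1, 1), b"ledger extract")]
    for m in msgs:
        m.ingest()
    msgs[2].raw = b"invoice 71"  # simulate alteration after archival
    hold = LegalHold("matter-2014-01", {"bob@example.com"}, date(2013, 12, 1))
    audit: list = []
    run_purge(msgs, [hold], date(2014, 6, 21), audit)
    return {msg_id: action for _, msg_id, action, _ in audit}
```

A hash kept beside the message only detects alteration; for the archive to count as tamperproof, the hashes and the audit log must themselves live where mailbox users and administrators cannot rewrite them (write-once storage or a separately signed log).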

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

5. Audit

If your organization is frequently audited by external or internal entities, good-faith efforts to develop and enforce an effective ERP will certainly show. The audit process should be put in place for two main reasons:

  • To ensure that all envisaged materials for deletion are processed according to policy standards and employees are familiar with these policy requirements.
  • To demonstrate, for compliance purposes among others, the resolve the company puts into the development and implementation of effective best practices with regard to the ERP.

6. Implementation of an ERP: Organizational Culture & Employee Education

Understanding employees’ existing practices regarding e-mail management may prove important. They are usually accustomed to a certain style, or have complete freedom, and a policy that revokes this may be unpopular at first. A gradual rollout, or a pilot project of the ERP initiated by a single department such as HR, might be a good idea. It is important that you emphasize the fact that e-mail policy compliance is not optional; it is always mandatory.

Once the e-mail policy is well-defined, employees must be informed and educated on it. Without any doubt, this is a step that cannot be dispensed with, because serious consequences may occur if the opposite comes to pass — for instance, if employees destroy e-mails of great importance.

In general, employees are likely to accept the policy, and the courts will be more accepting when the company shows real effort to manage e-mail business records effectively, following laws and business objectives. Furthermore, to show compliance to outside institutions, the organization must be able to prove that it has invested resources and effort to bring whatever policy it has (regardless of its potential flaws) to the attention of its personnel.

One approach at hand to the executives is to organize the training in a similar way to other compliance-oriented education training programs related, for example, to safety and sanitation or non-discrimination in employment. Implementing a feasible ERP and communicating it clearly to your employees can save you a lot of trouble with harassment and discrimination problems as well (See Diagram 2). And if such an issue does arise, your organization will have the right to investigate and defend against that, because it will be in compliance with the applicable laws and regulations.

Diagram 2

Computer-based tests are preferable, and ideally employees should sign off that they have passed them, content that their training (perhaps) matches the latest standards of the industry in which they pursue a career.

Your organization’s policy should also include a disclaimer that all e-mails composed on the organization’s premises are not private and may be monitored at any time. Without such a clause, the firm risks violating an employee’s right to privacy when it investigates a harassment or discrimination claim.

Conclusion

The Osterman Research reveals that “although 98% of mid-sized and large organizations in North America have some sort of policy focused on the use of e-mail, only 31% have a detailed and thorough policy about appropriate use of e-mail.”

It almost seems as if most organizations are not aware of the benefits they can gain from a decent ERP, so let’s revisit them once again.

E-mail retention policy benefits in summary:

  1. Compliance with legal and regulatory requirements is easier.
  2. Reduced infrastructure costs as a result of lower storage requirements.
  3. Improved e-mail management efficiency and server performance.
  4. When your e-mail retention policy is implemented using an e-mail archiving solution, old messages can be more easily found and restored, there is less chance of data loss due to systems failures, and messages can be easily audited for policy compliance.

Reference List


Brown, J. (2013). What is an Email Retention Policy and Why Does Your Business Need One? Retrieved on 21/06/2014 from https://www.ltnow.com/what-is-an-email-retention-policy/

Chernichaw, A. & Freeman, B. (2014). EU High Court Strikes Down Data Retention Law. Retrieved on 21/06/2014 from http://www.whitecase.com/articles/042014/eu-high-court-strikes-down-data-retention-law/#.U5gh-nby_sk

Courtney, C. (2013). 7 Factors to Consider Before Creating an Email Retention Policy. Retrieved on 21/06/2014 from http://www.d4discovery.com/2013/06/7-factors-to-consider-before-creating-an-email-retention-policy/

Farrell, J. (2011). Guiding principles – regulating document retention in 22 key global jurisdictions. Retrieved on 21/06/2014 from http://www.legalweek.com/legal-week/feature/2042984/guiding-principles-regulating-document-retention-22-key-global-jurisdictions

Foley (2013). Addressing And Managing The “Email Problem” With Records Retention And eDiscovery. Retrieved on 21/06/2014 from http://www.foley.com/addressing-and-managing-the-email-problem-with-records-retention-and-ediscovery-09-11-2013/

GFI. Email retention policy in the workplace. Retrieved on 21/06/2014 from http://www.gfi.com/pages/email-retention-policy

GrexIt Inc. Get started with Email Retention and Compliance policies. Retrieved on 21/06/2014 from http://grexit.com/blog/get-started-with-email-retention-and-compliance-policies/

Howell, C. (2013). United States: Addressing And Managing The “Email Problem” With Records Retention And eDiscovery. Retrieved on 21/06/2014 from http://www.mondaq.com/unitedstates/x/266362/disclosure+electronic+discovery+privilege/Addressing+And+Managing+The+Email+Problem+With+Records+Retention+And+eDiscovery

Iron Mountain (2011). Setting Retention Policy for Electronic Information. Retrieved on 21/06/2014 from http://imknowledgecenter.com/Knowledge-Center/Reference-Library/View-by-Document-Type/White-Papers-Briefs/S/Setting-Retention-Policy-for-Electronic-Information.aspx

Michaluk, D. & Morley, H. (2009). A lawyer’s perspective on records retention and destruction. Retrieved on 21/06/2014 from http://www.hicksmorley.com/images/Records%20Retention%20and%20Destruction_1.pdf

Musgrove, G. (2013). Document retention and destruction in Australia. Retrieved on 21/06/2014 from http://www.maddocks.com.au/reading-room/a/document-retention-and-destruction-in-australia

Neal, D. (2009). UK email retention law comes into force. Retrieved on 21/06/2014 from http://www.v3.co.uk/v3-uk/news/1995650/uk-email-retention-law-comes-force

Netmail (2014). Email Policy Kit. Retrieved on 21/06/2014 from http://www.netmail.com/sites/default/files/ePolicy_Kit_2014.pdf

Nunez, O. (2012). The Continuing Importance and Impact of E-mail Retention and Destruction Policies. Retrieved on 21/06/2014 from http://www.gshllp.com/60-second-memos/the-continuing-importance-and-impact-of-e-mail-retention-and-destruction-policies

Red Earth Software. What are the EU rules for email retention? Retrieved on 21/06/2014 from http://www.policypatrol.com/what-are-the-eu-rules-for-email-retention/

Symantec (2011). Email Retention and Archiving. Retrieved on 21/06/2014.

Wikipedia. Email Archiving. Retrieved on 21/06/2014 from http://en.wikipedia.org/wiki/Email_archiving

The Email Laundry. Best Practice for Email Retention. Retrieved on 21/06/2014 from http://www.theemaillaundry.com/upload_image/Email%20RetentionUK.pdf