Rules and regulations on email retention

Legal requirements extend beyond routine business practices. In anticipation of potential litigation, organizations must be well-prepared. The discovery phase, where parties exchange information for court use, underscores the critical role of email retention. Preservation, often under a legal hold, ensures that emails and associated metadata remain unchanged and “frozen in time.”

Unlike emails retained for collaboration or continuity, subject to defined deletion dates, legal holds persist until the court matter is resolved. This means the content retains its unalterable state throughout the legal proceedings. Organizations, recognizing the legal significance of email retention, often leverage built-in retention functionality in platforms like Microsoft 365. This not only streamlines retention processes but also ensures preservation during litigation, all without incurring additional costs for each user in the organization. Understanding and adhering to these legal dimensions of email retention is crucial for organizations navigating regulatory landscapes and anticipating potential legal challenges.

Regulatory requirements

Governments and their agencies make and update rules and regulations regularly that direct organizations and their employees to retain emails for a specified period.

Rulemaking body

Authorizing law or regulation

Applies to

California

California Consumer Protection Act (CCPA)

Businesses with gross revenues of more than $25 million that do business in California, or that buy or sell customer data. 

U.S. Federal Trade Commission

Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999

Companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance.

European Union (includes European Economic Area)

General Data Protection Regulation (GDPR), a subset of the Charter of Fundamental Rights of the European Union

Any organization that collects information about people, or organization that processes that data on behalf of the collecting organization.

United Kingdom

Data Protection Act of 2018

Organizations operating within the UK, or offering goods and services to people within the UK.

U.S. Department of Health and Human Services

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Healthcare providers, healthcare businesses, and healthcare insurance providers

International Standards Organization (ISO)

ISO 15489

ISO 15489-certified organizations

U.S. Securities and Exchange Commission (SEC)

Sarbanes-Oxley Act (SOX)

Primarily public companies (with some federal evidence retention laws including all U.S. corporations).

U.S. Internal Revenue Service (IRS)

26 CFR § 1.6001-1 – Records

All businesses doing business in the U.S.

Federal Deposit Insurance Corporation (FDIC)

Record retention requirements

Banks and credit card issuers

Legal requirements

All organizations want to avoid going to court, but that is not always possible, so being well-prepared when the worst-case scenario arises. Once a company is aware of pending litigation, it prepares for discovery, which is the phase where both parties gather and exchange the information they intend to use in court.

From a records perspective, each party must not only make discovery materials available to the other but also preserve materials from the time of litigation notification. As discussed earlier, preservation means that no changes can be made to the information or its associated metadata. This is often also referred to as a legal hold. In the case of email, this means not only are emails saved and their content unchangeable but accessing them changes none of the associated metadata. In short, this content is frozen in time.

Unlike emails retained during the normal course of business for collaboration or continuity—which have a defined deletion date—legal holds must stay in place until the matter is resolved in the courts. Only then can those documents revert to their original retention schedule.

For many organizations, Microsoft 365’s built-in retention functionality can bring retention and preservation of emails for litigation to every seat in your company at no additional cost.

More resources

Communication and educating employees on email retention policies

Communication and educating employees on email retention policies Back to Email Retention Simplified with harmon.ie How should an organization communicate its email retention policy and educate its employees? The policy creation process is over, but the policy implementation and communication...

Email archiving, disposition, and preservation

Email archiving, disposition, and preservation Back to Email Retention Simplified with harmon.ie Email archiving is the way emails have been stored for decades. Traditional email archiving solutions store emails in compressed files to take up less room in the user’s...

RIM, what is it?

RIM, what is it? Back to Email Retention Simplified with harmon.ie What is records and information management (RIM)? According to ARMA, formerly known as the Association of Records Managers and Administrators, records and information management (RIM) is defined as “the...