
Legislation and compliance

Email archiving compliance is a hot topic of debate. There is no universal rule or standard when it comes to archiving email. Multiple factors must be taken into account, the most important of which relate to industry and geography.

Specific industries such as financial services, healthcare, and governmental organizations are often more heavily regulated than others, and these organizations need to comply with specific industry rules regarding document protection, archiving and retrieval of data.

Many companies wrongly assume that if their business is not part of a clearly regulated industry, then email archiving is not a compulsory procedure. What is overlooked is the fact that nearly all organizations must comply with general regulations, be it employment laws, financial laws, or labour standards, which impose proper electronic data storage and protection for a determined time frame. As an example, in the US the changes to the Federal Rules of Civil Procedure (FRCP) in 2009 have had a widespread impact on email storage and retention policies. The Federal Rules of Civil Procedure apply to any organization that has the potential to be involved in litigation. Similar regulations exist in most other nations.

These changes are forcing many firms, from virtually all industries, to implement corporate email archiving systems in order to respond quickly and adequately to e-Discovery notices. The implementation of an email archiving system is the only cost-effective and compliant solution. Data is never lost, and companies benefit from simple search and retrieval tools to meet the legal and compliance challenges facing all industries today.

The law has caught up with the high-tech era. Companies of any size and in any field of activity are required by law to treat the storage and retrieval of email the same as any other business records. Organizations have no choice but to comply, and a professional email archiving system is the solution.

Email Compliance Laws & Regulations – Overview

The following information is intended to be a summary of compliance regulations concerning records of incoming and outgoing email in different industries and geographical areas. There are over 1000 institutions worldwide involved in issuing such regulations and procedures. The list below is not meant to be comprehensive; it is limited to the most impactful Anglo-Saxon legislation, which often serves as a basis for international rules and regulations.


The Sarbanes-Oxley (SOX) Act came into force in 2002 and introduced major changes to the regulation of financial practice and corporate governance. The Sarbanes-Oxley Act of 2002 is mandatory for all organizations with operations in the US, large and small. The act establishes rules about records of financial documents and their availability for public disclosure. The Sarbanes-Oxley Act requires auditors to retain auditing information for a period of 7 years (workpapers, memoranda, correspondence, communications, and electronic records, including email).

Investments and Securities

The Securities and Exchange Commission (SEC) sets the minimum requirements with respect to the records that broker-dealers must keep in the US, and how long those records and other documents relating to a broker-dealer's business must be kept. The Securities and Exchange Commission and the National Association of Securities Dealers (NASD) have also passed regulations on how member companies must archive, index, store and retrieve electronic communications, including email. According to the SEC, archives must hold electronic data for periods of between 3 and 6 years.

FINRA is the largest independent regulator for all securities firms doing business in the United States. The FINRA rulebook currently consists of both NASD Rules and certain NYSE Rules that FINRA has incorporated. FINRA has developed clear guidelines to make registered representatives aware of the compliance requirements and potential liabilities when using the Web and electronic communications for business purposes. Accordingly, firms must retain all incoming and outgoing communications related to their firm's business as such, for a period of 3 years from the date of last use.


The Health Insurance Portability and Accountability Act (HIPAA) was passed by the U.S. Congress in 1996, establishing rules for the confidentiality, integrity and availability of patient information. Protecting this information is no longer just a best practice for healthcare organizations; it is a legal requirement. The act advocates the adoption of electronic transmission of patient health data, with security measures such as encryption used to protect the confidentiality of health information while it is transmitted over electronic networks.

Practically all organizations that deal with patients' electronic healthcare information must comply. This includes (but is not limited to): clinics and hospitals, healthcare insurers, physicians' offices, public health authorities, pharmacies, donation banks, and long-term care facilities. Also included are entities that handle, exchange or store private electronic health information, such as life insurers, IT systems vendors, and universities. In many cases, HIPAA provisions have generated extensive changes in medical record keeping and billing systems.


The Gramm-Leach-Bliley Act (GLBA), fully effective since 2001, requires financial institutions to develop a written information security plan that describes how the company is prepared to protect, and plans to continue protecting, clients' nonpublic personal information. It also requests that banks implement an electronic retention system ensuring security and compliance.

The provisions include: the Financial Privacy Rule (privacy notices describing how institutions use and disclose consumers' personal information), the Safeguards Rule (reasonable policies and procedures to ensure the security and confidentiality of customer information) and Pretexting Protection (preventing someone from gaining access to personal information without the proper authority to do so).


The Federal Rules of Civil Procedure (FRCP), last updated in 2009, govern the conduct of all civil suits brought in district courts. Many US states have also implemented their own e-Discovery requirements based on these FRCP rules.

Since the FRCP changes, the discovery of email for litigation has become a critical component of legal inquiries. Organizations that are unable to meet the requirements may suffer severe fines and the risk of unfavourable court rulings.

Public Institutions

The Freedom of Information Act (FOIA) regulates the general right of access to information held by public authorities and gives people the right to request information kept by government and state institutions. Over 90 countries around the world have implemented some form of such legislation. FOIA enforces email compliance and the obligation of public authorities to respond to internal investigations and FOIA information requests promptly and efficiently.
