Your New Email Retention Policy in 10 Steps

information-managementBecause of e-discovery, compliance and knowledge management demands, it’s more important than ever for all types of organizations to effectively manage email archival, search and retrieval. Because of the growing volume of email, this has never been more difficult… until now.

With a solid email retention policy and an email management application like Email Manager from CMA to implement it, you will minimize risk and enable much needed access to archived email.

The 10 Steps

Below is an excerpt from Eric Lundgren’s recent article from the Information Management website that walks you through how to create an email retention policy in 10 straightforward steps:

1). Define an Email Retention Policy

In order to fully understand its retention obligations, an organization must first have a clear understanding of the types of content it transmits electronically. To provide this insight, the email retention policy should specify:

    • Document types that employees can send via email, as well as the specific files, such as sensitive business contracts, that must be transmitted using a different method.
    • Content guidelines defining what should or should not go into emails, including policies around what constitutes sexual harassment or other unacceptable language.
    • Enforcement measures and best practices that automatically scan for policy violations and designate an internal authority to periodically review content.

2). Eliminate the Variables Hindering Centralization

3). Educate Employees about the Retention Policy

4). Incorporate Relevant Regulations into the Retention Policy

It is critical that all email retention policies incorporate the requirements of the mandates governing the industry in which an organization operates. There are many common regulations to consider:

    • Sarbanes-Oxley regulations apply to public companies across all industries and impose severe penalties on any business that deliberately alters or deletes documents in order to defraud customers or other third parties. To comply with SOX guidelines, companies must retain auditable emails for a minimum of five years from the end of their last fiscal year.
    • FINRA rules demand that financial services firms establish formal, written policies and procedures that detail their email retention policies. After outlining these policies, a business must then demonstrate that all retention processes are in full compliance with FINRA guidelines.
    • HIPAA regulations apply to any email message or other electronic records that contain sensitive information about an individual’s medical history. The preservation period for a medical record is a minimum of five years, though some related statutes dictate that certain information be retained for the life of the patient.

Although many regulations exist beyond the three listed above, all regulatory bodies — regardless of industry — meeting the following requirements is a key aspect of compliance:

    • Data permanence, where data must be in its original state without being altered or deleted.
    • Data security, where all retained information must be protected against security threats, including access by unauthorized persons and any outside forces that could physically damage or endanger the availability of archived messages.
    • Availability, where organizations must prove that all emails subject to the retention policy can be easily accessed by authorized personnel in a timely manner.


5). Identify Roles with Unique Retention Requirements

6). Balance Retention Guidelines and Related IT Costs

7). Provide Employees with Access to Archived Messages

8). Ensure that Retention Policies Can Accommodate Legal Holds

9). Validate that All Messages Are Archived

10). Use Technology to Enforce Retention Policies

Step 11

Once your email retention policy is in place, you’ll need an application to implement it, such as Email Manager from CMA. Email Manager will enable you to tag, track and archive all of your email to make email retention policy implementation as efficient and cost-effective as possible.