SolarWinds MSP is becoming N-able

SOX & HIPAA Email Retention

Organizations in the US that don't have some form of email retention policy run the risk of noncompliance, depending on which industry they operate in. The US legal system is a patchwork of different laws at both the state and federal level. Some of these laws span the vast majority of private and public sector organizations. Others focus on specific vertical sectors, particularly heavily regulated ones, and threaten heavy penalties for those that fail to comply with strict records retention laws.

When it comes to archiving email, one of the most significant cross-sector requirements applies to any company that may find itself in the federal court system. In 2006, the Federal Rules of Civil Procedure (FRCP) were amended to cover electronically stored information (ESI), bringing them into the age of email and other digital communications.

Rule 34(a) makes ESI, including email, subject to discovery. Rule 37 means that organizations should be able to demonstrate that they have appropriate retention policies in place, can put litigation holds on data, and can ensure that relevant email will not be destroyed by a routine deletion process once litigation is reasonably anticipated.


Amended in 1997 to permit electronic storage, SEC Rule 17a-4 under the Securities Exchange Act of 1934 requires broker-dealers to preserve financial statements, transaction records and other communications relating to their business for at least three years, with the first two years in an easily accessible place. FINRA Rule 3110.09 (Retention of Correspondence and Internal Communications) requires member firms to retain correspondence and internal communications in line with the same rule.

Rule 210.2-06 (the SEC regulation implementing Section 802 of the Sarbanes-Oxley Act) requires auditors to retain records relevant to an audit or review, including correspondence and other documents that contain conclusions, opinions, analyses or financial data related to that audit. Section 302 requires CEOs and CFOs to personally certify the accuracy of financial reports and the effectiveness of the company's internal controls; Section 404 requires management to assess, and auditors to attest to, the company's internal control structure, of which records retention is a part. Finally, Section 802 imposes fines or prison sentences on anyone who alters, destroys or falsifies records, including electronic records, to obstruct a federal investigation.


In the healthcare sector, while the HIPAA legislation doesn't explicitly reference email retention, there are rules relating to particular types of information. Individuals can request an accounting of disclosures of their protected health information (PHI) covering the six years prior to the request, for example. Where HIPAA requires an action, activity or assessment, such as a security or privacy policy change, to be documented in writing, the covered entity must also retain that documentation for six years. This suggests that an entity covered by HIPAA would do well to maintain an email retention policy, if only to be able to prove that no PHI was disclosed in email form. (Read our own HIPAA guides here.)

Better safe than sorry

There are several cases where legislation and regulation do not explicitly dictate email archiving as a measure, but have other stipulations that make email archiving a useful tool.

Properly archived email is encrypted, often compressed, and held in a single store rather than scattered around the organization in departmental PST files. This reduces the attack surface and makes historical email, with its wealth of potentially sensitive information, far more manageable. It also creates a record of when each message was sent and received, along with the sending and receiving parties.

This becomes relevant when proving or disproving an email-based information breach. Most US states have data breach notification laws, such as California's SB 1386, that require organizations to notify affected customers in the event of a breach. An archival system protects stored historical email, and should the worst happen, it can also give companies a documented, tamper-evident record of any email accidentally sent to the wrong parties.
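To make the "documented, immutable record" above concrete, here is an added example (not N-able's product code and not part of the original article) of a tamper-evident index over archived messages, built only with Python's standard library. Each index entry records sender, recipients, date, Message-ID and a SHA-256 of the exact bytes stored, and each entry's hash also covers the previous entry's hash, so editing, reordering or deleting an entry is detectable. The three .eml messages, addresses and Message-IDs are constructed for the example; a production archive would additionally keep the store on WORM media and anchor the chain head somewhere outside the archive.

```python
"""Hash-chained index for an email archive (added example; the sample
messages, addresses and Message-IDs below are constructed, not real)."""
import copy
import hashlib
import json
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

SAMPLE_MESSAGES = [  # constructed RFC 5322 messages
    "From: cfo@example.com\r\nTo: auditor@example.org\r\n"
    "Date: Tue, 04 Apr 2017 09:15:00 +0000\r\n"
    "Message-ID: <q1-close-001@example.com>\r\nSubject: Q1 close\r\n"
    "\r\nAttached are the Q1 figures.\r\n",
    "From: auditor@example.org\r\nTo: cfo@example.com\r\nCc: controller@example.com\r\n"
    "Date: Tue, 04 Apr 2017 11:02:00 +0000\r\n"
    "Message-ID: <q1-close-002@example.org>\r\nSubject: Re: Q1 close\r\n"
    "\r\nReceived, reviewing the revenue recognition entries.\r\n",
    "From: controller@example.com\r\nTo: cfo@example.com\r\n"
    "Date: Wed, 05 Apr 2017 08:40:00 +0000\r\n"
    "Message-ID: <q1-close-003@example.com>\r\nSubject: Re: Q1 close\r\n"
    "\r\nAdjusted journal entry attached.\r\n",
]

GENESIS = "0" * 64  # chain anchor for the first entry


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def record_for(raw: str) -> dict:
    """Who sent what to whom and when, plus a digest of the stored bytes."""
    msg = message_from_string(raw)
    senders = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    rcpts = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    date_hdr = msg.get("Date")
    return {
        "message_id": msg.get("Message-ID", ""),
        "sender": senders[0] if senders else "",
        "recipients": sorted(rcpts),
        "date": parsedate_to_datetime(date_hdr).isoformat() if date_hdr else None,
        "sha256": sha256_hex(raw),
    }


def _payload(rec: dict) -> str:
    """Canonical serialization of every field except the chain fields."""
    body = {k: v for k, v in rec.items() if k not in ("prev", "entry_hash")}
    return json.dumps(body, sort_keys=True, separators=(",", ":"))


def build_index(raw_messages):
    """Append-only index: entry_hash = SHA-256(previous entry_hash || payload)."""
    index, prev = [], GENESIS
    for raw in raw_messages:
        rec = record_for(raw)
        rec["prev"] = prev
        rec["entry_hash"] = sha256_hex(prev + _payload(rec))
        index.append(rec)
        prev = rec["entry_hash"]
    return index


def verify_index(index, raw_messages):
    """Return a list of problems; an empty list means index and store agree."""
    problems, prev = [], GENESIS
    stored = {sha256_hex(raw) for raw in raw_messages}
    for i, rec in enumerate(index):
        if rec.get("prev") != prev:
            problems.append(f"entry {i}: chain break (entry removed or reordered)")
        if sha256_hex(rec.get("prev", "") + _payload(rec)) != rec.get("entry_hash"):
            problems.append(f"entry {i}: entry hash mismatch, record was altered")
        if rec.get("sha256") not in stored:
            problems.append(f"entry {i}: message {rec.get('message_id')} missing or modified")
        prev = rec.get("entry_hash", "")
    return problems


def tamper_demo():
    """Four scenarios: clean archive, edited entry, deleted entry, deleted message."""
    good = build_index(SAMPLE_MESSAGES)
    edited = copy.deepcopy(good)
    edited[1]["recipients"] = ["cfo@example.com"]  # quietly drop the Cc recipient
    deleted = copy.deepcopy(good)
    del deleted[1]  # remove an entry from the middle of the index
    return {
        "clean": verify_index(good, SAMPLE_MESSAGES),
        "edited": verify_index(edited, SAMPLE_MESSAGES),
        "deleted": verify_index(deleted, SAMPLE_MESSAGES),
        "message_removed": verify_index(good, SAMPLE_MESSAGES[:-1]),
    }


if __name__ == "__main__":
    for scenario, problems in tamper_demo().items():
        print(f"{scenario}: {problems or 'OK'}")
```

The chain only proves that nothing changed since the index was written; it says nothing about whether the right messages were captured in the first place, which is why ingestion should happen at the mail server (journaling) rather than from user mailboxes.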

As regulations evolve and multiply, a robust email retention policy provides a foundational level of protection for organizations. It is not a panacea for information security, but it is a useful tool as part of a broader strategy for meeting often complex compliance requirements.
