Email Retention Requirements Explained

Email retention laws in the United States require businesses to keep copies of all email messages for a number of years, in case they are needed as part of a future investigation.

There are federal laws that apply to other organizations and groups, data retention laws and regulations for certain industries, and also a swathe of email retention laws at the state level. Ensuring compliance with all applicable email retention laws is crucial: non-compliance can prove tremendously costly, and multi-million-dollar fines await organizations that breach federal legislation.

Many files, including those in email accounts, must be kept by U.S. organizations in case of future court actions or eDiscovery requests. Not only can substantial fines be issued; organizations may also face criminal proceedings if any information is erased before the retention period elapses.

For years, U.S. organizations have been obligated to store documents. Document retention requirements are incorporated in several legislative acts, such as the Civil Rights Act of 1964, Executive Order 11246 of 1965, the Freedom of Information Act of 1967, the Occupational Safety and Health Act of 1970, and the Reform and Control Act of 1986; however, around ten years ago, data retention laws in the United States were updated to include ‘electronic’ communications such as email messages and email attachments.

In order to raise awareness of the various email retention laws in the United States, we have compiled a summary in this piece. Keep in mind that it is provided for information purposes only and does not constitute legal advice. For legal counsel on data retention laws in the United States, we suggest you contact your legal representatives. Industry and federal digital data and email retention legislation in the United States is also subject to amendment, so up-to-date information should be sought from your legal team.

As the table below shows, many federal and industry-specific legislative acts in the United States call for the retention of documents for minimum periods. These laws apply to documents as well as to internal and external emails.

| Email retention legislation | Who it is applicable to | How long emails must be kept |
|---|---|---|
| IRS Regulations | All companies | 7 years |
| Freedom of Information Act (FOIA) | Federal, state, and local agencies | 3 years |
| Sarbanes-Oxley Act (SOX) | All public companies | 7 years |
| Department of Defense (DOD) Regulations | DOD contractors | 3 years |
| Federal Communications Commission (FCC) Regulations | Telecommunications companies | 2 years |
| Federal Deposit Insurance Corporation (FDIC) Regulations | Banks | 5 years |
| Food and Drug Administration (FDA) Regulations | Pharmaceutical firms, food manufacturers, food storage and distribution firms, manufacturers of biological products | Minimum of 5 years, rising to 35 years |
| Gramm-Leach-Bliley Act | Banks and financial institutions | 7 years |
| Health Insurance Portability and Accountability Act (HIPAA) | Healthcare groups (healthcare providers, health insurers, healthcare clearinghouses and business associates of covered entities) | 7 years |
| Payment Card Industry Data Security Standard (PCI DSS) | Credit card businesses and credit card processing groups | 1 year |
| Securities and Exchange Commission (SEC) Regulations | Investment banks, investment advisors, brokers, dealers, insurance agents and securities companies | Minimum of 7 years, up to a lifetime |

Email retention legislation in the U.S. applies in every one of the fifty states, but the full extent of those laws is beyond the scope of this post. There are also European Union laws such as the GDPR to consider, which serve to protect consumer privacy and impose restrictions on how long personal data can be retained.

Storing emails for a couple of years will not take up masses of storage space for a small business with a few staff members, but the larger the company, the greater the storage needs. While the typical size of a business email is just 10KB, multiply that by 123 (the average number of messages sent and received every day by an average business user, according to the Radicati Email Statistics Report 2015-2019) and by 365 days a year, and the storage space becomes considerable, especially since emails may need to be retained for several years.

While email backups are useful for recovering mailboxes in the event of a disaster, backups cannot be searched. An email archive is therefore recommended, as it indexes emails and allows rapid searches to be performed, which is invaluable in the event of an audit or eDiscovery request.
Why are backups not suitable for long-term email storage?

Backups of emails are created to recover entire mailboxes in the event of data corruption, such as a ransomware attack. Recovering individual emails from backups can be a major challenge: the correct backup media must be found, which means the date of the emails must be known, and backups cannot easily be searched. This is why email archives are necessary for long-term email storage; they can be searched and allow emails to be quickly and easily located.

What are the main benefits of cloud-based email archiving solutions?

IT teams may prefer to keep email archives on-premises, where they feel they can better secure them, but cloud-based archives have several advantages. Storage capacity is never an issue due to the scalability of the cloud, maintenance of the hardware is handled by the service provider, there is no need to purchase and upgrade disk or tape systems, and backups are performed automatically. The cloud can be as secure as on-premises systems and is often more cost-effective.

Are email archiving service providers classed as business associates?

It is likely that email archives will contain emails that include protected health information, so email archiving service providers are classed as business associates under HIPAA and are required to enter into a business associate agreement with HIPAA-covered entities.

Are there data retention requirements for medical records under HIPAA?

HIPAA data retention requirements do not cover patient medical records; however, state laws may require medical records to be stored for a minimum period.

What happens if it is not possible to recover emails from backups?

In the event of a compliance investigation, the failure to produce requested emails is treated much like having deleted those messages, and severe financial penalties can be imposed. It is also a legal requirement to produce emails in support of litigation if ordered to do so by a federal court, and the failure to produce the requested emails can have serious consequences.