Email and Communications Archiving: Best Practices 101
Co-Author: Madison Arcemont
The word archiving conjures up images of an infinitely large room of books or computers that have been storing information forever. This image is dated and, in the age of digital transformation, it is critical to think about simplifying the process of archiving electronic data. There is a fear associated with archiving that your data will be held forever, creating budget and resource pressure. But, with the right processes and tools, you maintain control over your data and retention policies while creating a structure that satisfies internal business processes and external legal requirements.
What data are you required to keep?
There are several reasons to maintain your company’s data: you may be required to keep those documents and communications by law, or it may be beneficial to reference them in your regular course of business. Depending on whether you need to reference data for compliance, anticipated or ongoing litigation, investigation, or operational needs, you will need to maintain different kinds of data. When building your retention policies, you should start by running an audit to determine what data you create and how long it needs to be maintained.
Compliance
Several laws and regulations require companies to retain certain document types. For example, most companies will be covered by the Internal Revenue Service (IRS) tax audit procedures, employment laws like the Fair Labor Standards Act (FLSA), the Employee Retirement and Income Security Act (ERISA), and mandates by the Occupational Safety and Health Administration (OSHA).
There are also industry-specific requirements. Some of these laws include the Health Insurance Portability and Accountability Act (HIPAA) for organizations handling medical information, the Bank Secrecy Act and the Equal Credit Opportunity Act (among many others) for banking institutions, and the EU’s General Data Protection Regulation (GDPR) to serve customers in the European Union.
In general, your company is required to retain corporate records such as accounting records, employee benefit plan records, insurance records, personnel records, and tax records. Click here for a more detailed list of the documents that fit in each of those categories (compiled by a state CPA Society).
In addition to corporate records, the SEC requires certain companies, like broker-dealers, to retain business-related communications (including work-related social media, like Slack, GroupMe, and WhatsApp). These requirements vary based on your individual industry and company, so consult with your HR, legal, tax, and finance advisors to ensure you are retaining records for the proper length of time.
Operational needs
Beyond legal compliance, data retention can support your business operations. For example, it may be beneficial for your company to maintain sales and product development reports to improve products going forward. Any documents that your teams refer to regularly should also be maintained; which documents those are depends on your company's needs.
Agreements
Customer or partner agreements should be maintained for at least the duration of the contractual period and a reasonable time afterwards. Your retention practices should align with what your agreements require, especially where you provide services to customers and are responsible for holding their data. These documents and their requirements are important not only if any contractual issues arise, but also to reference necessary information to provide service to the customer.
Anticipated or ongoing litigation or investigation
If incidents occur within the company, internal or external, relevant documents or communications can be useful in helping to understand the scope of the incident. For an internal investigation, relevant documents and communications can help by providing evidence of the event. For a legal incident that brings about litigation, your company will be required to produce relevant documents and communications to help the Court understand the scope of the incident.
If a company loses or destroys evidence that is relevant to the case, it can be sanctioned for spoliation. For example, when a company received a significant number of product complaints and destroyed the relevant documents after only three years, a court determined that spoliation had occurred. On the other hand, a court held that destroying documents in the ordinary course of business relating to a 35-year-old product (that had never been in litigation) was not spoliation.
The Court’s decision often comes down to whether the party knew that litigation was coming, and whether a company’s data archiving policies are a factor in data deletion or retention.
What is a litigation hold?
During a litigation hold, a company takes steps to appropriately preserve documents needed for anticipated or initiated litigation. The litigation hold directs your company to preserve data that could be relevant evidence to the case. This means that if you have an automatic deletion or archiving program in place, that program will be paused so relevant documents are no longer deleted. Additionally, all employees involved will be directed not to delete documents or communications that may be relevant to the case.
If litigation does arise or is anticipated, it is prudent to work with legal counsel to initiate and maintain a litigation hold on the company.
What data can you get rid of?
It is not necessary to retain indefinitely every piece of data that your organization has, and while it might theoretically be possible to attempt to keep your data forever, it could often be very costly and burdensome. Additionally, the older the data is, the less useful it becomes; therefore, it is not worth the cost of keeping.
There are also times that the law requires you to delete certain data. Some compliance requirements, related to privacy or security for example, require the deletion of certain information when no longer necessary or after a certain period of time. For example, if you serve customers located in the European Union, GDPR provides certain rules that require companies to delete personal data once it has fulfilled its purpose.
If your company has data that doesn’t fit into any of its legal obligations, whether compliance or anticipated litigation, or its operational needs, the data can be deleted.
It is best practice to describe your company’s approach to retention in a documented retention policy to manage retention in a disciplined way. You can use this type of policy to respond to third parties if you are ever required to explain why you don’t have certain documents.
What are the benefits of using technology to manage data retention?
While the hope is always that nothing goes wrong and litigation and investigations never arise, using technology to manage your retention will save you time and resources if problems do come up. A retention policy can be executed using a variety of technologies, such as an archiving program. With an archiving program, company admins can set up an archiving and deletion policy that will automatically move items to a user’s archive mailbox and delete items from that mailbox after a designated time. The admin places a retention time on messages to be moved to, then permanently deleted from, the archive.
Having an archiving program in place is one way to avoid spoliation if your organization ends up in litigation. Courts expect you to produce documents “in anticipation of litigation.” So, if you have a regular archiving policy in place, courts typically will not expect you to retrieve documents handled according to that policy before you anticipated litigation. Put another way: if you practice a data retention policy (i.e., deleting emails that reach a certain age) and do not yet know about the complaint or the litigation, courts generally will not hold you liable to produce the information, and its deletion during that time will generally not be considered spoliation.
Archiving technology can also simplify the process of putting a litigation hold in place. If you do anticipate litigation (for example, because an incident has occurred, a complaint has been received, or legal action has been taken), the company’s admin can place a simple litigation hold that will stop the deletion of data.
When litigation arises, having an archiving solution will create efficiencies for your team, saving you time and resources. You can easily access everything you (and the court) need without the burden of maintaining data forever.