Email Archiving Compliance

Email archiving compliance is often attributed to email archiving solutions having capabilities for email security, permanence, and auditability. However, unless solutions are easy to use, it may not be possible to take advantage of these capabilities to archive emails compliantly, which could result in a loss of data or penalties for failing to retrieve data in a timely manner.

Organizations create and receive a considerable amount of data on a daily basis, and – in the majority of cases – the culprit is email. Email archiving enables organizations to clear inboxes without deleting data, in order to free up space on email servers and allow them to work efficiently. However, there is a difference between archiving emails and archiving emails compliantly.

When emails are archived compliantly, they are copied as they pass through the mail server and transmitted securely to an on-premises or cloud server with appropriate safeguards in place to prevent unauthorized access. In this way, there is no risk of an email being altered or deleted between it being sent (or received) and copied into the archive.

While this process automatically fulfills the security and permanence criteria for email archiving compliance, fulfilling the auditability requirement is a little harder. This is because it is impractical to keep all emails indefinitely, but federal, state, and industry rules have different data retention periods. Consequently, emails must be indexed and tagged as they are archived to facilitate search, review, and retrieval when necessary, and to facilitate mass deletion when retention periods expire.

A Quick Look at Some Federal, State and Industry Rules

In the context of email archiving compliance, possibly the most significant federal rule is the rule relating to eDiscovery in the Federal Rules of Civil Procedure. These put the burden of proof on an organization presenting an email as evidence to demonstrate the email is genuine. Email data that could potentially have been altered is likely to be considered inadmissible.

While there is no minimum or maximum retention period stated in the Federal Rules of Civil Procedure, other federal rules can require email data to be retained in its original format for long periods of time (sometimes indefinitely). Most organizations will be subject to PCI-DSS regulations, while many will also be subject to Sarbanes-Oxley, SEC, FDA, and/or FDIC regulations.

In addition, state laws for financial records and medical records vary considerably. In some states, data retention periods may only be several years, while in neighboring states it may be necessary to retain data for more than a decade. For companies operating in multiple states, the same type of data can be subject to widely varying retention periods – complicating email archiving compliance.

Industry rules, such as the Health Insurance Portability and Accountability Act (HIPAA), can also complicate email archiving compliance by stipulating that some records must be retained for a minimum period (e.g., policy documents), but not others (e.g., medical records). It is also the case that HIPAA preempts other federal and state laws unless the federal or state law has better data protection provisions or provides more patient rights than HIPAA.

GDPR – The Cat Among the Pigeons

So far, complying with email archiving regulations appears fairly straightforward – make a copy of each email as it passes through the mail server, store it securely, index it for auditability, and set an automatic deletion policy to erase emails from the archive when the appropriate retention period expires. However, the cat among the pigeons is the General Data Protection Regulation (GDPR).

GDPR was created to enhance the rights of European Union citizens over their personal data and to simplify the regulatory environment for international business. However, GDPR applies not only in the European Union but all over the world: organizations anywhere that collect, store, process, or share the personal data of EU data subjects are required to comply with the regulation.

One of the primary rules of GDPR is that data should only be retained in a form that permits identification of the individual for no longer than is necessary for the purposes for which it was collected. This means that EU data sets are likely to have variable deletion criteria even though they may relate to the same transaction or service as a data set consisting of US data subjects.

Furthermore, EU data subjects have the right to know how their data is being used and who it has been shared with. They have the right to correct inaccurate or incomplete data, to request the transfer of their data to another processor, and to request that their data be permanently erased. Access, transfer, and erasure requests have to be responded to within a month, which can be difficult if emails have not been indexed and tagged accurately at the point of archiving.
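The archiving steps the article describes (copy at the mail-server hop, hash for permanence, index and tag for auditability, delete automatically when the retention period expires, answer a data-subject access or erasure request from the index) can be shown end to end in one small model. The following is an added example written for this page; it is not code from the article or from the ArcTitan product it describes. The tag names, retention periods in days, and the two sample messages are constructed placeholders, not real statutory figures or real traffic.

```python
"""Toy compliant-archive ingest path (added example; not the article's or
ArcTitan's code). Tags, retention periods and messages are constructed."""
import email
import hashlib
from datetime import datetime, timedelta, timezone
from email import policy

# Constructed placeholder retention periods in days, keyed by record tag.
# Real periods come from the federal, state or industry rule that applies.
RETENTION_DAYS = {
    "policy-document": 365 * 6,
    "financial-record": 365 * 7,
    "general": 365 * 2,
}


class Archive:
    """In-memory stand-in for the archive server the article describes."""

    def __init__(self):
        self.records = {}      # Message-ID -> record dict
        self.by_subject = {}   # data-subject address -> set of Message-IDs

    def ingest(self, raw: bytes, tags, received_at: datetime) -> str:
        """Copy a message as it passes the mail server: hash it for tamper
        evidence, index every address it names, fix its retention expiry."""
        msg = email.message_from_bytes(raw, policy=policy.default)
        msg_id = str(msg["Message-ID"]).strip()
        tags = list(tags) or ["general"]
        # Longest applicable period wins when several rules cover one message.
        keep_days = max(RETENTION_DAYS[t] for t in tags)
        addresses = set()
        for hdr in ("From", "To", "Cc"):
            if msg[hdr] is not None:
                addresses.update(a.addr_spec.lower() for a in msg[hdr].addresses)
        self.records[msg_id] = {
            "raw": raw,                                   # stored verbatim
            "sha256": hashlib.sha256(raw).hexdigest(),   # taken at ingest
            "tags": tags,
            "subjects": addresses,
            "expires": received_at + timedelta(days=keep_days),
        }
        for addr in addresses:
            self.by_subject.setdefault(addr, set()).add(msg_id)
        return msg_id

    def verify(self, msg_id: str) -> bool:
        """Recompute the digest before a message is produced as evidence."""
        rec = self.records[msg_id]
        return hashlib.sha256(rec["raw"]).hexdigest() == rec["sha256"]

    def subject_access(self, address: str):
        """Right-of-access lookup: every archived message naming this address."""
        return sorted(self.by_subject.get(address.lower(), ()))

    def erase_subject(self, address: str) -> int:
        """Right-of-erasure: drop every message naming the address. Assumes no
        overriding retention rule applies; resolving that conflict is a policy
        decision outside this example."""
        ids = self.by_subject.pop(address.lower(), set())
        for msg_id in ids:
            self._drop(msg_id)
        return len(ids)

    def sweep(self, now: datetime):
        """Automatic deletion of messages whose retention period has expired."""
        expired = [i for i, r in self.records.items() if r["expires"] <= now]
        for msg_id in expired:
            self._drop(msg_id)
        return sorted(expired)

    def _drop(self, msg_id: str):
        rec = self.records.pop(msg_id)
        for addr in rec["subjects"]:
            ids = self.by_subject.get(addr)
            if ids:
                ids.discard(msg_id)
                if not ids:
                    del self.by_subject[addr]


# Constructed sample traffic (raw bytes, tags, time received); not real mail.
SAMPLE = [
    (b"Message-ID: <a1@example.test>\r\nFrom: Ann <ann@example.test>\r\n"
     b"To: Bob <bob@example.test>\r\nSubject: Q3 invoice\r\n\r\nAttached.\r\n",
     ["financial-record"], datetime(2020, 1, 1, tzinfo=timezone.utc)),
    (b"Message-ID: <a2@example.test>\r\nFrom: Bob <bob@example.test>\r\n"
     b"To: Carol <carol@example.test>\r\nSubject: Lunch?\r\n\r\nNoon?\r\n",
     [], datetime(2020, 1, 1, tzinfo=timezone.utc)),
]


def demo():
    """Ingest the samples, answer an access request, run the deletion sweep."""
    archive = Archive()
    for raw, tags, when in SAMPLE:
        archive.ingest(raw, tags, when)
    bob = archive.subject_access("bob@example.test")
    deleted = archive.sweep(datetime(2022, 6, 1, tzinfo=timezone.utc))
    return {"bob": bob, "deleted": deleted,
            "intact": archive.verify("<a1@example.test>")}


if __name__ == "__main__":
    print(demo())
```

The design point is that everything the later compliance steps need (the digest, the address index, the expiry date) is computed once at ingest, which is exactly why the article says indexing and tagging must happen at the point of archiving rather than when a request or a retention deadline arrives.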

How to Reduce the Burden of Compliant Email Archiving

The most challenging area of email archiving compliance is auditability – particularly if organizations collect, store, process, or share the data of EU data subjects. However, some archiving solutions reduce the burden of compliant email archiving by deduplicating data when emails are archived. This has the effect of reducing the amount of data stored – thus reducing storage costs – and more importantly accelerating searches and reducing the number of search results.

This, along with a granular indexing and tagging system, enables system administrators to apply data deletion policies more accurately and end-users to conduct searches much more quickly. For example, deduplicating email archiving solutions such as ArcTitan Cloud can search a database of 300 million emails in less than a second and return navigable results within minutes. (ArcTitan Cloud also has the advantage of a user-friendly interface that makes setting up and scheduling searches much simpler.)

ArcTitan Cloud also has the capabilities required to ensure email security and permanence. Before being archived to secure cloud servers via TLS, emails are virus scanned and encrypted. Access to data archived in the cloud is provisioned and managed by a series of role-based access controls and authentication methods, and user login credentials are hashed and salted for extra security. Effectively, you couldn't ask for a more straightforward and secure email archiving solution than ArcTitan Cloud.

Find Out More about Email Archiving Compliance

To find out more about email archiving compliance, visit ArcTitan.com, where you can ask any questions you may have about compliant email archiving and book a demo of ArcTitan Cloud in action. The ArcTitan team will also be able to demonstrate how simple it is to configure the solution to handle all types of complex email archiving requirements.