Email Archiving Compliance

Because so much data is sent, received, and shared via email, it is important that organizations pay full attention to email archiving compliance. Many federal and state regulations mandate minimum data retention periods, during which time emails may need to be retrieved, reviewed, or restored – or, in the case of GDPR email archiving compliance, restricted, rectified or erased.

Email archiving compliance would be a lot simpler if all organizations were subject to one set of data retention rules, but they are not. In the United States, all businesses must comply with IRS retention regulations and the Federal Rules of Civil Procedure, public company data retention is governed by SOX 802, and organizations that accept credit card payments are subject to PCI-DSS requirements.

In addition, companies that operate in regulated industries such as finance, telecommunications, healthcare, and pharmaceuticals are subject to further data retention rules. Other businesses may also be required to retain data to comply with state provisions, while the EU´s General Data Protection Regulation (GDPR) can impact how organizations archive emails compliantly.

Why Archive Emails?

Email archiving is the practice of copying emails as they pass through the mail server (both inbound and outbound) and storing them separately in a read-only format to create an immutable library of tamper-proof documentation. As emails are copied, they are indexed in order that future search requests for audits, litigation, internal enquiries, etc. can be performed quickly and easily.

There are multiple advantages of email archiving inasmuch as if an employee accidently deletes or misplaces a business-critical email, it can be quickly and easily replaced. On a larger scale, if an organization suffers an outage or an email database ransom attack, having an immutable library of archived emails readily available supports disaster recovery and business continuity.

Ideally, organizations should maintain email archives off-premise, and preferably in the cloud. Cloud email archiving solutions free up on-premise storage space, improve the performance of mail servers, and ensure business continuity in the event of an on-premise disaster. More importantly, cloud solutions have the required levels of security to support email archiving compliance.

What is Email Archiving Compliance?

The term email archiving compliance is fairly self-explanatory. It means archiving emails in compliance with the regulations a business is subject to so emails can be retrieved, reviewed, and restored as necessary. If an organization is subject to GDPR, it also means having the capability to comply with data subject rights such as the right to restrict who data is shared with.

Generally, compliance is determined by three factors – security, permanence, and auditability. This means that emails must be stored in an environment that protects against loss, theft, or damage, stored in their original state, and accessible when required. To comply with GDPR, emails also have to be individually identifiable so they can be erased if a data subject requests data is deleted.

For these reasons, backing up emails is no substitute for archiving emails. While it is possible to back up and store emails securely, gaps can exist between when an email is sent, received, or shared, and when a copy is made – during which time the email could be amended or deleted. Additionally, searching an un-indexed database of emails to comply with a disclosure requirement may not be manageable within the time allowed – potentially attracting substantial financial penalties.

Complying with Email Archiving Requirements Can be Challenging

There are multiple challenges to email archiving compliance. Some emails may have to be archived longer than others depending on the industry or the location a company operates in, and some may have to be retained indefinitely. For example, SOX 802 applies different data retention requirements to public companies depending on the nature of data “relevant to audit or review”:

• Customer invoices must be retained for five years.
• Accounting records and tax returns must be retained for seven years.
• Bank statements, payroll records, and training manuals must be retained permanently.

Naturally it is impractical to retain every email forever. The amount of storage required would be colossal and the costs of storage astronomical. Therefore, it is important there is an indexing system in place that tags emails according to the nature of data in their content and automatically deletes archived emails once the appropriate retention period has expired – if at all.

Tagging an email to be deleted in five or seven years – or not at all – is a fairly simple operation, but rarely is email archiving compliance that simple. If an organization operates in multiple states, different data retention requirements may apply to the same type of data. For example, in the medical profession, state laws dictate how long medical records have to be retained. In some states, this can be as short as three years; while in neighboring states, it could be as long as eleven years.

Email archiving compliance is further complicated in the medical professional by the Healthcare Insurance Portability and Accountability Act (HIPAA) stipulating that HIPAA-related documentation has to be retained for a minimum of six years, and the potential for medical records to be used in litigation – which in some states requires the data to be retained for a further twelve years.

GDPR Email Archiving Compliance

All of the above is further complicated by GDPR email archiving compliance. The GDPR rules give EU data subjects multiple rights which pre-empt federal and state laws. These rights include the right to know what data has been collected, how it has been used, and who it has been shared with. EU data subjects have the right to view what data is maintained about them, transfer it from one processor to another, request corrections when data are inaccurate or that data is permanently deleted.

While it might be possible to tag an email as pertaining to an EU data set to ensure archived email data is maintained in a separate set, exceptions exist to the access rights of EU data subjects which can further complicate GDPR email archiving compliance. For example, a data controller can decline an access request if data the request refers to is subject to judicial proceedings, a civil law claim, or the investigation of a breach of ethics for professionals in regulated industries.

Consequently, any solution implemented to comply with most email archiving requirements has to have granular search, view, and retrieve capabilities – potentially across disparate mail servers – with robust access controls in place to prevent unauthorized access. It is also important that traffic between email servers and the email archiving solution is encrypted to render data indecipherable and unusable in the event of an interception, redirection, or man-in-the-middle attack.

Try Compliant Email Archiving from ArcTitan Cloud

Not all email archiving solutions are the same. For example, some solutions archive email data periodically rather than in real time. This can cause issues with compliance, as the opportunity exists to amend or delete emails before the archiving solution has had the chance to copy them. If email data that a company later relies on in a judicial or regulatory hearing is found to be inaccurate, it could have a significant impact on the outcome of the hearing.

ArcTitan Cloud not only archives and indexes emails in real time, but deduplicates email data before it is sent securely to our cloud servers to reduce capacity requirements, accelerate searches, reduce the number of search results, and make the navigation of results easier. Email data is stored in a tamper-proof repository, from where it is remotely accessible by date, by user, or by tag subject to the user requesting access to the data having appropriate user permissions.

Due to the advanced nature of the archiving process, ArcTitan Cloud can archive up to two hundred emails per second, search a database of thirty million emails in less than a second, and deliver retrieved data securely in a variety of formats. All user passwords are hashed and encrypted for additional security, email data is scanned using dual antivirus engines, and users can be quickly provisioned and deprovisioned via LDAP, Google, SSO, and iMail authentication.

To find out more about email archiving compliance – and how simple it is to transfer existing archived email data to ArcTitan Cloud – contact ArcTitan.com today to arrange a free demo of ArcTitan Cloud in action. The demo gives you the opportunity to ask any questions you have about compliant email archiving and configuring ArcTitan Cloud to comply with complex email archiving requirements.