Complete List of Email Retention Laws: Federal, State and Industry

June 16, 2017 By Tom Holmes - Cloud Solution
(Please note: The information presented in this article is not legal advice. It is meant for educational and planning purposes only. Please consult with your legal counsel for any issues related to email retention laws.)
Archiving email, if done without advanced technology, requires a tremendous amount of time and resources for businesses. While archiving email is time-consuming, it’s necessary because of federal, state and industry email retention laws.
This demanding archiving culture, in which essentially nothing electronic that might be relevant for litigation can be deleted, began further back than many realize. 
The need for email retention laws didn’t truly solidify until December 2006, when the Federal Rules of Civil Procedure were significantly revised. This revision marked the tenth time changes were made to the laws since their establishment in 1938. (Cornell’s law school has an excellent index and explanation of the rules here.)
The revisions meant that everything electronic – emails, directives, files, communication and requests – would now have to be retained—meaning if the courts request any kind of electronically stored information and you don’t have it, you’ve got a potentially devastating legal problem on your hands.

Current Federal Laws for Archiving

The laws that led to our current archiving requirements began as early as 1950, and a survey of each major development provides a complete picture of what kind of documents must be maintained according to federal law.
As mentioned above, in 2006 the federal government expanded the definition of “document” to include all electronically stored information. This means, from the perspective of the federal government, that electronically stored information must now be governed in the same way that the following laws have governed paper document retention:
1950: Federal Laws for Handling Federal Documents

The National Archives and Records Administration established that anyone handling federal records must keep all such records indefinitely unless NARA allows their destruction. This now includes any kind of electronically stored information.
1964: Federal Laws for Job Application Records to Prevent Discrimination

The Civil Rights Act of 1964 – along with the Americans with Disabilities Act and Age Discrimination in Employment Act passed later – has rules requiring that specific employment-application files be maintained. These files include:
·        Policy and procedures about the job selection process and job notices
·        Physical-examination checks
·        Applications
·        References
This now includes any kind of electronically stored information related to these job selections and hiring procedures.
1965: Federal Laws for Records Related to Workplace-Fairness Claims

In 1965, Executive Order 11246 was issued. It requires that:
·        Any person, organization or company that has documented good-faith compliance on issues relating to workplace fairness (i.e., doing their best to meet those requirements even when there are errors or shortcomings with their technology and procedures) must keep all related documentation for two years.
·        For any claims filed that pertain to the payroll-related Fair Labor Standards Act, all related documentation must be kept for three years after the settlement’s date.
Of course, state laws might have different lengths and requirements and should be examined in addition to these federal requirements. This now includes any kind of electronically stored information related to workplace fairness.
1967: Freedom of Information Act Governing Records of All Federal, State and Local Agencies
·        All such agencies must retain their documents, which now includes emails.
1970: Federal Laws About Retaining Records Related to Workplace Safety
·        Any documents related to employee safety training, complaints and procedures – as outlined in the Occupational Safety and Health Act for businesses – must be kept for two years after the employee has left or after any incident.
This now includes any kind of electronically stored information related to workplace safety training, complaints, procedures or incidents.
1986: Federal Laws for Immigration Documents

According to the Immigration Reform and Control Act of 1986:
·        All I-9 forms that verify a person’s right to work in the United States must be kept for either:
o   three years after the hiring date; or
o   one year after their employment ends, whichever is later.
This now includes any kind of electronically stored I-9 information.
1997: The IRS Broadens Its Record Retention Laws to Include All Electronic Communications

The Internal Revenue Service requires businesses to:
·        Keep every record related to finances and employees for three years after the tax season.
Procedure 97-22 in 1997 defined this as covering both paper and electronic records. In this case, the IRS was ahead of its time in defining “document” to include all electronic information.
1999: Gramm-Leach-Bliley Act
Passed to legalize certain kinds of mergers, it also mandated that:
·        Banks and financial firms retain their documents, including email.
2002: The Sarbanes-Oxley Act Establishes Restrictions on Document Destruction
·        This Act prohibits any kind of document destruction after the government makes an inquiry related to a criminal offense; and this includes businesses, organizations, nonprofits, and individuals.
·        Publicly traded companies must also indefinitely keep any documents related to insider dealings.
·        Companies that operate as federal contractors must maintain the same record retention policies that the federal government practices.
This now includes any kind of electronically stored information.
2006: The Federal Rules of Civil Procedure
These rules were significantly revised for the tenth time since their establishment in 1938.
·        They expand document retention to include all ESI (Electronically Stored Information).

Penalties for Not Producing Electronically Stored Information in Litigation

As explained in this analysis of the landmark Qualcomm vs. Broadcom court case, if a federal court orders the production of electronically stored information related to any of the federal laws listed above and you are not able to produce it, there can be dramatic consequences.
Improper management of ESI can result in a finding of spoliation of evidence and the imposition of one or more sanctions including adverse inference jury instructions, summary judgment, monetary fines and other sanctions. In some cases, such as Qualcomm v. Broadcom, attorneys can be brought before the bar and their livelihood put at risk.

Email Retention Laws in the 50 States

Although the federal government’s laws on retaining electronically stored information affect every business, the states also have their own variations of these laws for every industry, from medical to finance.
Most laws require email retention periods of between three and seven years (with some requiring indefinite retention), as seen in the “Industry” section below.
However, after verifying that you’ve satisfied all federal retention requirements, always consult with legal counsel about specific laws within your state and local governments as they apply to your industry and position before deleting emails.

Email Retention Laws by Industry

The following alphabetical list (as featured in our earlier blog post on this topic) gives a quick summary of how long industries should retain their emails, which would include incoming, outgoing and internal emails.
The list also shows which law or regulation governs the rule:
·        All companies: IRS – 7 years
·        All federal, state and local agencies: FOIA (federal and state) – 3 years
·        All public companies: Sarbanes-Oxley (SOX) – 7 years
·        Bank and finance firms: Gramm-Leach-Bliley Act – 7 years
·        Banking: FDIC – 5 years
·        Credit card and related processing companies: PCI DSS – 1 year
·        DOD contractors: DOD 5015.2 – 3 years
·        Healthcare: HIPAA – 7 years
·        Investment advisers: SEC 204-2 – 7 years to lifetime
·        Pharmaceuticals, biological products, food manufacturers: 5 to 35 years
·        Securities firms, investment bankers, brokers and dealers, insurance agents: SEC 17a(3) and 17a(4) – 7 years to lifetime
·        Telecommunication: FCC (Title 47, Part 2) – 2 years
Although these are general guidelines, the length of time for retaining emails can vary within each industry. Any information in this article is not legal advice, but is meant for educational and planning purposes. You must consult your legal, compliance, IT and management teams to confirm the exact requirements for your position.

Are You Prepared?

If your organization is sued, are you prepared to provide records of all communications and transactions conducted by certain individuals – whether communications, emails, directives, files or requests?
Can you produce them within a specific range of dates and single out the records that are tied to a particular issue?