Business email archiving requirements?
June 18, 2015 1:02 PM

Are there any laws -- federal or state -- which require business emails to be archived for a certain period of time? We are a privately-held Illinois LLC and are not regulated by the FDA, FINRA, or any of the usual suspects.

I work at a small company and have sort of fallen backward into being the entire IT department, mostly because I know anything about computers (but it's not that much). We currently have all of our terminated employees' email accounts set as active, because no one has ever figured out what to do with them, but that also means they show up in everyone's contact list. I'd like to delete inactive accounts, but at this point I'm unsure of whether this will run us afoul of any laws or regulations such that I should look into an archiving solution (and if so, for how many years back).

Google has abjectly failed me.

You are not my lawyer, this is not legal advice, thank you.
posted by shakespeherian to Law & Government (5 answers total)
 
Save the emails and close the accounts - no need to keep them regardless of retention requirements.

Google things like retention, frcp and ediscovery for better search results.
posted by michaelh at 1:32 PM on June 18, 2015


To kind of back end into this question, financial firms are required to hold records for 3-10 years even after the company closes depending on the kinds of business they're involved in. You are not that kind of business but that's the one I'm familiar with, so hey.

Anyway, because of that, I was the one doing all the initial archiving of old accounts before the company switched to a forreals management and archiving system, and I can tell you that it is super trivially easy to save old email records. You'll probably be able to do them in an afternoon and then you won't even have to worry about if you even need to save them or not because you'll have them and don't ever have to worry about it again.

On Outlook they're .pst and .ost files. Different clients have different proprietary software extensions, but it's all the same stuff. When I did it I exported everyone's emails to a clean Outlook account and saved them there because Outlook lets you password protect the files and we needed that. Just save them on a physical DVD and drop it in the old person's personnel folder, then delete their email profile and call it a day.

This is all a lot of words to not exactly answer your question, which yeah you should ask a lawyer about probably, but blank DVDs are cheap, saving the emails is easy, and just doing it is going to be faster/less expensive than asking a lawyer if you even need to.
posted by phunniemee at 1:33 PM on June 18, 2015 [1 favorite]


There is a right way and an easy way to solve this problem:

The right way is to go to a lawyer and come up with some sort of sane, legally-defensible retention policy. It is entirely possible that you may not be required to retain anything, at least day-to-day course of business emails, and much of the stuff can be deleted right now. You might need to do some queries and select certain stuff to be retained, though. And it might make sense to get a real email archival product rather than trying to roll your own solution.

The easy way, which I'd do under duress and if forced to do it when it wasn't my job, would be to just dump each of the email accounts to static files on a hard drive, in a plaintext format. This is pretty easy to do if you load them as IMAP accounts in Thunderbird and then export them or make a copy of the underlying mail directories. Lots of instructions online; google for "archive email offline" plus or minus your favorite email program name. I'd burn each one to a CD labeled with the employee's name, and hand them over to HR or whoever maintains physical corporate records, and wash your hands of the whole business. Then delete the accounts.

The 'easy way' will almost certainly result in the company preserving more information than it needs to have, which some companies perceive as a risk, because what exists can be discovered later. So the discs-in-a-file-cabinet option could well be perceived as a really terrible solution, because it means you're getting zero value from the information, while also keeping it around so that it's subject to discovery later on, potentially long after it could have been lawfully destroyed.

At the very least you should talk to someone in your organization and see if they prefer the "delete everything that we're not absolutely required to retain" approach, or the "retain everything that we might ever possibly need to have" approach. At the very least that will keep you from getting your hand slapped by your own employer for your choice.
posted by Kadin2048 at 2:09 PM on June 18, 2015 [1 favorite]


The right way is to go to a lawyer and come up with some sort of sane, legally-defensible retention policy.

A written policy that is followed across the board is a very good idea if your company has any reasonable chance of being involved in lawsuits. A lack of a formal plan or one that's selectively enforced can look bad if you're subject to discovery and can't turn up e-mails.
posted by Candleman at 3:26 PM on June 18, 2015


You may want to also contact your local ARMA chapter to see if anyone does consulting work for hire and can help you out. A good records manager will know how to create a useful records retention schedule for your needs based on applicable laws.
posted by mostly vowels at 7:35 PM on June 19, 2015

