Data Disposal and Email Retention Laws

Data disposal is a key process in a legal entity’s policies and procedures for managing personal and confidential information. In general, private and public entities store data on their servers. This information may include financial and health information which should not fall into the wrong hands. So, there must be a proper procedure for destroying and disposing of that information, using industry-approved methods, once it is no longer needed.

The Federal Trade Commission has implemented a data disposal rule in relation to consumer reports and records to prevent unauthorized access to or use of that information. In California, several statutes have been promulgated to address this issue. For example, California Civil Code Sections 1798.81, 1798.81.5, and 1798.84 are applicable. In fact, Civil Code 1798.81 states as follows: “A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.” Therefore, there are standards to follow and implement to avoid unnecessary complications. The state legislature has encouraged the implementation of “reasonable security” for personal information under Civil Code 1798.81.5. Also, Civil Code 1798.84 outlines the legal remedies which include initiating a civil action.

The proper retention of emails is paramount, especially if the electronic messages include private, confidential or proprietary information. For example, “email archiving” is one method to retain electronic messages, especially if there is the possibility of litigation. The emails should be backed up in a searchable, indexed format so that specific messages can be located and produced when requested. Electronic discovery allows the parties to request and obtain electronic documents during litigation. In most cases, the electronic discovery process is time consuming and complicated, especially because of the large volume of data involved in the lawsuit. More importantly, the failure to comply with electronic discovery requests, including the deletion of messages after litigation is reasonably anticipated, may result in sanctions.

Email retention periods are set by a patchwork of laws and standards in various countries. In the United States, the periods commonly cited in compliance guides are as follows: the IRS, seven years; the Freedom of Information Act (“FOIA”), three years for government agencies; the Sarbanes-Oxley Act, seven years for public companies; the Federal Deposit Insurance Corporation (“FDIC”), five years; the Gramm-Leach-Bliley Act (“GLBA”), seven years for banks and financial institutions; the Health Insurance Portability and Accountability Act (“HIPAA”), six years for healthcare providers, health insurers, healthcare clearinghouses and business associates of covered entities; the Payment Card Industry Data Security Standard (PCI DSS), one year; and Securities and Exchange Commission regulations, seven years for investment banks, investment advisers, broker-dealers and securities firms. Two caveats apply. First, most of these laws define retention periods for categories of records rather than for email as such: Sarbanes-Oxley Section 802 imposes its seven-year period on audit work papers, HIPAA’s six-year period applies to the documentation required by the Privacy and Security Rules, PCI DSS’s one-year period is for audit logs, the IRS periods attach to records that support a tax return, and SEC Rule 17a-4 requires broker-dealers to preserve business communications for three years. An email falls under a given period when it is, or evidences, one of those records. Second, FOIA is a disclosure statute rather than a retention statute; the retention of federal agency email is governed by the Federal Records Act and the schedules approved by the National Archives, and state and local agencies follow their own public-records laws. An organization should therefore map its own record classes to the periods that actually apply to it and keep each message for the longest period that applies.

Organizations should use an email archiving solution that keeps archived messages secure and confidential throughout the retention period. Electronic messages – i.e., emails – should be encrypted “in transit” and “at rest,” backed up on a regular basis, and stored in a form that cannot be silently altered or deleted before the retention period ends, with access limited to the staff who administer the archive and respond to discovery requests. Messages can be archived from any location, locally or remotely, so the same controls must apply wherever the archive and its backups reside. When the retention period ends and no litigation hold applies, the archived copy and every backup of it should be disposed of by the methods described above, and the disposal should be recorded so that the organization can show what was destroyed, when, and why.
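The retention, legal-hold and disposal logic described above, as an added example that is not code from the original page or from any archiving product. The category-to-years table, the three sample messages and the on-disk layout are constructed for illustration only; the periods are assumptions, not the periods any particular regulator requires. The example classifies each archived message as retain, hold or dispose as of a given date, refuses to destroy anything on legal hold, and disposes of expired copies by overwriting and unlinking them while writing an audit entry.

```python
"""Retention schedule, legal hold and disposal check for an email archive.

Added example, not code from the page or from any product. RETENTION_YEARS
and the sample messages are assumptions constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import date
import hashlib
import json
import os
import tempfile

# Illustrative retention periods in years per record class (assumption).
RETENTION_YEARS = {"financial": 7, "health": 6, "general": 3}


@dataclass
class ArchivedMessage:
    msg_id: str
    category: str
    received: date
    path: str                 # archived copy on disk
    legal_hold: bool = False  # set once litigation is reasonably anticipated


def disposal_date(msg):
    """Earliest date on which the message may be destroyed."""
    years = RETENTION_YEARS[msg.category]
    try:
        return msg.received.replace(year=msg.received.year + years)
    except ValueError:  # received on 29 Feb, target year is not a leap year
        return msg.received.replace(year=msg.received.year + years, day=28)


def classify(messages, today):
    """Return {'retain': [...], 'hold': [...], 'dispose': [...]} of msg_ids."""
    plan = {"retain": [], "hold": [], "dispose": []}
    for m in messages:
        if m.legal_hold:
            plan["hold"].append(m.msg_id)        # hold overrides the schedule
        elif disposal_date(m) <= today:
            plan["dispose"].append(m.msg_id)
        else:
            plan["retain"].append(m.msg_id)
    return plan


def dispose(msg, audit_log):
    """Overwrite the archived copy, unlink it and record what was destroyed.

    Overwriting is the 'erasing' method; on SSDs and copy-on-write file
    systems an overwrite may not reach the original blocks, so prefer
    encrypting the archive at rest and destroying the key where possible.
    """
    if msg.legal_hold:
        raise RuntimeError("refusing to dispose of a message on legal hold")
    with open(msg.path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    size = os.path.getsize(msg.path)
    with open(msg.path, "r+b") as f:
        f.write(os.urandom(size))
        f.flush()
        os.fsync(f.fileno())
    os.remove(msg.path)
    entry = {"msg_id": msg.msg_id, "category": msg.category,
             "received": msg.received.isoformat(),
             "sha256_before": digest, "method": "overwrite+unlink"}
    audit_log.append(entry)
    return entry


def build_sample_archive(root):
    """Write three constructed sample messages and return their metadata."""
    samples = [  # (id, class, received, on legal hold) - constructed data
        ("m1", "financial", date(2015, 3, 1), False),
        ("m2", "health", date(2020, 6, 15), False),
        ("m3", "general", date(2018, 1, 10), True),
    ]
    msgs = []
    for msg_id, cat, received, hold in samples:
        path = os.path.join(root, msg_id + ".eml")
        with open(path, "wb") as f:
            f.write(f"Subject: constructed sample {msg_id}\r\n\r\nbody\r\n".encode())
        msgs.append(ArchivedMessage(msg_id, cat, received, path, hold))
    return msgs


def run(root=None, today=date(2024, 1, 1)):
    """Build the sample archive, apply the schedule, return plan/log/leftovers."""
    root = root or tempfile.mkdtemp()
    msgs = build_sample_archive(root)
    plan = classify(msgs, today)
    audit_log = []
    for m in msgs:
        if m.msg_id in plan["dispose"]:
            dispose(m, audit_log)
    return plan, audit_log, sorted(os.listdir(root))


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

As of 1 January 2024 the financial message from 2015 is past its seven-year period and is destroyed, the 2020 health message is retained, and the 2018 general message would have expired but stays because it is on hold. In a real deployment the hold flag should be set from the litigation-hold process before any scheduled disposal job runs, and the audit log should itself be kept as a record.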

Our internet and cybersecurity lawyers have been prosecuting and defending legal actions in state and federal courts and are available to speak with clients. Our law firm assists clients in matters related to internet, cybersecurity, and privacy. Please contact our law firm to speak with an internet attorney at your earliest convenience.