What are the legal requirements for email archiving?

The information in this article applies to:

  • GFI MailArchiver for Exchange 2
  • GFI MailArchiver for Exchange 3
  • GFI MailArchiver for Exchange 4
  • GFI MailArchiver for Exchange 5
  • GFI MailArchiver for Exchange 6

Article ID: KBID002205

Section 802 of the Sarbanes-Oxley Act requires auditors to retain auditing information for a period of 7 years. The information refers to all records relevant to the audit or review; this includes workpapers, memoranda, correspondence, communications, and electronic records (including email). In fact, Section 802 makes it a crime, punishable by up to 10 years in jail, if auditors of public companies fail to maintain such correspondence.

Section 302 of the Sarbanes-Oxley Act requires the CEO and CFO of a public company to personally certify and attest to the accuracy of their company's financial statements contained in periodic reports. Section 404 requires auditors to certify the underlying controls and processes that companies use to reach financial results. Both sections require proof that a company's reported financial information can be relied on - and require companies to invest in procedures that ensure information is recorded and managed in a trustworthy manner, including email. As an organization's dependence on electronic mail continues to grow, the mismanagement of email provides a growing target for litigators and regulators. Companies must ensure that records in digital form are managed with the same care and attention as records in paper form.

Business records must be protected at all times from unauthorized tampering and deletion, all the more so when a company is involved in audits, investigations, litigation or other formal proceedings. It is therefore of primary importance to copy and archive data before a user has a chance to manipulate or delete it. Companies must ensure that directors, management and accounting personnel in particular are informed of their obligation to preserve business records.

Therefore, you are legally required to ensure that you archive a copy of all your email communications (particularly those of departments dealing with accounting, auditing, orders and so on), including both internal and external mail for a period of up to 7 years.

For more information about the Sarbanes-Oxley Act please see http://www.sarbanes-oxley.com/ and http://cpcaf.aicpa.org/Resources/Sarbanes+Oxley/. See also 'What is the Sarbanes-Oxley Act?' at KBID002204.


Note:

The Sarbanes-Oxley Act affects only certain countries. You may want to check the legal requirements for email archiving in the country where you operate, which may be different from what is explained above.