Archive Compliance - Email Archiving Compliance that meets HIPAA, SEC, and FINRA Regulations

Laws governing email archiving compliance

Legislation is a complicated and convoluted world. If it were easy, normal people would understand it and we wouldn't need lawyers. Even the laws regarding email and email storage are complicated and overlap. Several legal entities have a vested interest in email archive compliance and I will discuss them briefly here.

Numerous high-profile business scandals over the past years have forced the hand of legislative bodies to enforce a solid and tangible audit trail. Electronic records often form important parts of evidence and so must be retained and protected. Part of this is to regulate businesses and ensure they are playing by the rules, and part is to increase public confidence in business.

The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) are among the entities that have jurisdiction in this area. Their main rules are that businesses must retain emails and business records for between three and six years, and that records must be stored safely and securely in at least two different locations and must be organized, date stamped and searchable.

The Federal Rules of Civil Procedure (FRCP) are a body of rules that govern court procedures for managing civil suits in the United States district courts. They also have a bearing on your business data: businesses are expected to keep their records in case they are needed for litigation purposes. It is essential for any business that all electronic records meet email archiving compliance for this purpose, as the FRCP has notoriously little tolerance for those who don't comply.

The Sarbanes-Oxley Act of 2002 (SOX), also known as the Public Company Accounting Reform and Investor Protection Act of 2002, is legislation enacted by the Securities and Exchange Commission (SEC) in direct response to those recent high-profile corporate scandals.

SOX relates to what kinds of records are stored and for how long. It isn't just the financial side of a business that is required to comply but any part of the business that generates or processes electronic records. The Sarbanes-Oxley Act states that all business records, including electronic records and electronic messages, must be saved for 'not less than five years.'

However, this Act does not apply to private companies, just public ones.

There is also another, less obvious piece of legislation with a bearing on your records. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established federal regulations that require all organizations that manage Protected Health Information (PHI) to safeguard the privacy and security of their data. Any company that deals with employee health information is also subject to this Act.

So you can see that email archiving compliance is a hot topic and not one anybody can ignore for long. The penalties for not complying can be very large fines or even imprisonment for the worst offenders. It could also leave your business exposed if you get caught up in litigation of any kind. Without adequate records that have context, it may be difficult to defend yourself against a prosecution.