US - Email Retention Laws
Question asked by Rod Strumbel - 12/20/2022 at 8:29 AM
Been going around and around trying to locate information for this for years, and have never found a definitive answer.  So let's ask it point blank.

Are there any ABSOLUTE email retention laws that must be followed in the US by an Internet Service Provider? I have seen 18 USC 2703 that says that if the gov't asks then the ISP must retain what they are asking for for 90 days (and it can be extended an additional 90 days). But that is AFTER THEY ASK FOR IT. Generally speaking... how long is an ISP REQUIRED to keep email they have handled before throwing it away (if at all)?

Seeing the new Email Archives automated cleanup in the next BETA of SM made me come back to this topic :)

Kyle Kerst Replied
Employee Post
From what I've read, the US doesn't have any data retention requirements for ISPs and other providers unless required to do so by a warrant. This is primarily for user privacy reasons, but I am betting the investigatory organizations don't need you to retain the data in order for them to skim it when needed. So, I think it's probably up to you how long you hold on to data and what data you hold on to. If you're approached with a warrant to retain user X's communications for a period of 90 days - then you'd want to adjust your process for that user and implement a legal hold of sorts. I don't have any specific background in this, however, so hopefully other users can comment here as well.
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
Douglas Foster Replied
I am fairly certain the answer is no. My current company does not require archiving. In a previous job, I worked at a big auto company that had a very structured records retention policy. Email was considered "transient" data with a life of 12 months - no long term storage intended.

Records retention policy is a mixed bag because litigation is so common.   In the event of a lawsuit, the discovery process can require a search of your emails and then use them against you in their suit.   Based on what I learned at the auto company, the best process says (a) have a records retention rule which includes a purge schedule, and (b) make every effort to ensure that things are purged at that date.  Of course, purge rules can be suspended by court order.

The best way to get into trouble is (a) fail to purge in accordance with your records policy (or not have a records policy at all), (b) get sued, then (c) decide to do all your neglected purging.

For a service provider, I would suggest that records retention be explicitly specified by your customer as part of their contract.

Sharing what occurs in Brazil.

Brazil has the Marco Civil, which requires saving activity logs for 180 days. There is no policy for e-mail (archive), only if you agree on that with the customer (and they pay for that).
Paul Blank Replied
As is typical, having archived email can work both for and against you or your company, depending on the situation where the data is requested. This should come as no surprise.
