One of the biggest challenges in achieving email archiving compliance is auditability. It is usually straightforward to deploy an archiving solution that copies and indexes emails as they enter the mail server and then stores them securely; it is much harder to find one whose search and retrieval capabilities are user-friendly and produce easily navigable results.
Most organizations appreciate the value of email archiving, not only for freeing space on the mail server so that it keeps working efficiently, but also for reducing the IT Help Desk workload caused by users accidentally deleting emails or being unable to find them. Email archiving also proves valuable when data must be retained to comply with state, federal, and industry regulations.
However, when complying with state, federal, and industry regulations, archived data has to be immutable. This means it has to be captured at the point of entry and retained in its original state, with any alteration prevented or at least detectable. Consequently, compliant email archiving solutions have to include write-once secure storage, access controls, and an event log showing who stored, searched, and retrieved what and when. Ordinary mailbox backups will not do: they are taken periodically rather than at the point of entry, miss anything deleted between backups, and can be restored and edited without leaving a trace.
One further condition of email archiving compliance is auditability. This term relates to the search capabilities of the archiving solution when documentation needs to be produced for investigations, audits, or as evidence in a civil law case. In these circumstances, the speed at which searches can be completed and results extracted can make the difference between compliance and noncompliance.
This is certainly true when an EU data subject exercises their rights under GDPR. If an individual requests access to their personal data, the request has to be answered without undue delay and in any event within one month (extendable by a further two months only for complex or numerous requests, and only if the individual is told why within the first month). Looking for an individual's data in a poorly indexed and oversized email database can be like looking for a needle in a haystack, but if the access request is not answered in time, the supervisory authority (such as the ICO in the UK) can take enforcement action and issue substantial penalties.
The Challenges of Email Archiving Compliance
Putting GDPR aside for a minute, companies in the United States can find complying with data retention regulations exceptionally challenging. Not only do multiple federal and state laws exist with different data retention requirements, but some laws (e.g., Sarbanes-Oxley) also impose different retention periods on different types of records (payroll, bank accounts, invoices, etc.).
Companies that operate across multiple states will find that different data retention regulations apply in neighboring states, while those in specific industries will find that federal rules override less protective state rules for some types of data, and more stringent state rules apply on top of the federal rules for others. The healthcare industry is a perfect example of this because HIPAA sets a "federal floor": it preempts contrary state law except where the state law is more protective of the individual.
When you bring GDPR back into the mix, the complexity of email archiving compliance further increases. Now, organizations cannot archive all data collected in 2022 for deletion in (say) 2032. Data has to be individually tagged and indexed to respond to access requests, and to comply with the requirement of GDPR that data is retained in a form that permits identification of the individual for no longer than is necessary for the purposes for which it was collected.
Looking forward, GDPR is not the only regulation that crosses borders. The Texas Medical Records Privacy Act applies to organizations that collect, assemble, possess, analyze, store, or transmit protected health information belonging to a Texas resident, regardless of the organization's location or whether the resident was in Texas at the time the data was collected. Importantly, patient requests for electronic health records under the Act have to be answered within fifteen business days.
Overcoming the Challenges of Compliant Email Archiving
The challenges of differing data retention requirements, data access requests, and cross-border regulations are difficult to overcome, but not impossible with an ArcTitan Cloud email archiving solution. ArcTitan addresses them by deduplicating emails before they are archived, so that a message sent to many recipients is stored once and merely referenced from each mailbox, reducing the volume of data being stored.
This reduces the amount of data that has to be administered, indexed, and searched, and therefore accelerates searches. Deduplication also produces fewer results per search, making the results more navigable, and because less data is stored, storage costs fall, by up to 75% in most cases.
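The dedup-before-archive design above and the immutability requirement described earlier (capture at point of entry, no undetected alteration, an event log) are the same mechanism seen from two sides: content-addressed, write-once storage. The following added example is illustrative code written for this page, not ArcTitan's implementation, and makes two assumptions: the dedup key ignores per-delivery trace headers (Received, Delivered-To, Return-Path, X-Original-To) so that the copies delivered to each recipient collapse to one object, while a separate integrity hash covers the stored bytes in full so that any later change, including to those headers, is detected. The sample messages are constructed for the example.

```python
import hashlib

# Delivery-specific trace headers differ for every copy of one message (one per
# recipient mailbox), so they are excluded from the deduplication key.
# Assumption for this example: these four headers are the only per-delivery ones.
TRACE_HEADERS = {b"received", b"delivered-to", b"return-path", b"x-original-to"}


def canonical_bytes(raw: bytes) -> bytes:
    """Return the message with trace headers removed; used only to derive the
    deduplication key. The stored object is always the untouched original."""
    raw = raw.replace(b"\r\n", b"\n")
    head, _, body = raw.partition(b"\n\n")
    kept, skipping = [], False
    for line in head.split(b"\n"):
        if line[:1] in (b" ", b"\t"):          # folded continuation of previous header
            if not skipping:
                kept.append(line)
            continue
        name = line.split(b":", 1)[0].strip().lower()
        skipping = name in TRACE_HEADERS
        if not skipping:
            kept.append(line)
    return b"\n".join(kept) + b"\n\n" + body


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Archive:
    """Write-once, content-addressed message store with a per-mailbox index and
    an append-only event log (all in memory here; a real archive persists them)."""

    def __init__(self):
        self.objects = {}    # dedup key -> raw bytes of the first copy seen
        self.integrity = {}  # dedup key -> sha256 of those raw bytes as stored
        self.index = {}      # dedup key -> mailboxes the message was delivered to
        self.events = []     # append-only log of store / dedup / verify events

    def ingest(self, mailbox: str, raw: bytes) -> str:
        key = sha256_hex(canonical_bytes(raw))
        if key in self.objects:
            self.events.append(("dedup", key, mailbox))   # second copy: reference only
        else:
            self.objects[key] = bytes(raw)                # stored verbatim, never rewritten
            self.integrity[key] = sha256_hex(raw)
            self.events.append(("store", key, mailbox))
        self.index.setdefault(key, []).append(mailbox)
        return key

    def verify(self, key: str) -> bool:
        """Detect any alteration of a stored object, trace headers included."""
        ok = sha256_hex(self.objects[key]) == self.integrity[key]
        self.events.append(("verify", key, "ok" if ok else "TAMPERED"))
        return ok

    def messages_mentioning(self, address: str) -> list:
        """Every stored message whose header block names the address: the kind
        of lookup a subject access request needs, without scanning duplicates."""
        needle = address.lower().encode()
        hits = []
        for key, raw in self.objects.items():
            head = raw.replace(b"\r\n", b"\n").partition(b"\n\n")[0].lower()
            if needle in head:
                hits.append(key)
        return hits


# Constructed sample: one message delivered to two mailboxes (two copies that
# differ only in trace headers) plus an unrelated second message.
COPY_FOR_ALICE = (
    b"Return-Path: <carol@example.org>\r\n"
    b"Delivered-To: alice@example.com\r\n"
    b"Received: from mx.example.org by mail.example.com; Mon, 3 Jan 2022 09:00:01 +0000\r\n"
    b"From: carol@example.org\r\n"
    b"To: alice@example.com, bob@example.com\r\n"
    b"Subject: Q1 invoices\r\n"
    b"Message-ID: <abc123@example.org>\r\n"
    b"\r\n"
    b"Invoices attached.\r\n"
)
COPY_FOR_BOB = (COPY_FOR_ALICE
                .replace(b"Delivered-To: alice@example.com", b"Delivered-To: bob@example.com")
                .replace(b"09:00:01", b"09:00:02"))
OTHER = b"From: dave@example.net\r\nTo: alice@example.com\r\nSubject: Lunch\r\n\r\nNoon?\r\n"


def demo():
    """Ingest the samples and return the archive with the keys assigned."""
    archive = Archive()
    k_alice = archive.ingest("alice@example.com", COPY_FOR_ALICE)
    k_bob = archive.ingest("bob@example.com", COPY_FOR_BOB)
    k_other = archive.ingest("alice@example.com", OTHER)
    return archive, k_alice, k_bob, k_other


if __name__ == "__main__":
    archive, k_alice, k_bob, k_other = demo()
    print("same object for both copies:", k_alice == k_bob)
    print("objects stored:", len(archive.objects), "of 3 ingested")
    print("mailboxes for message:", archive.index[k_alice])
    print("integrity ok:", archive.verify(k_alice))
```

The two hashes are deliberately separate: the canonical hash is what lets the archive store one object per message and return one hit per search, while the integrity hash over the full stored bytes is what an auditor checks. Collapsing them into one would let a change to a trace header go unnoticed. The event log records the dedup decisions and verifications themselves, which is the evidence a compliance review asks for.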
ArcTitan Cloud can search a database of 300 million emails in less than a second and, thanks to its granular tagging capabilities, produce fast responses to access requests. The portal's user-friendly interface simplifies the deployment of retention policies and access controls, while integrations with leading directory tools facilitate the onboarding of users and the application of permissions.
To ensure security and permanence, emails are scanned for malware and encrypted before being transmitted to our secure servers, and user login credentials are stored as salted hashes rather than in the clear. Furthermore, because the solution is cloud-based, it scales with demand and is accessible from any Internet-connected device (subject to user permissions and access controls).