General discussion

  • Creator
  • #2189133

    Email Archiving Regulations


    by matt.santee ·

    I am a network administrator for a credit union in Texas. I have been tasked with finding out what the regulations are regarding email archiving for our credit union. Specifically, I need to know:

    1. What type of email needs to be archived? (i.e. All email, only those that contain business related or member information, etc.)
    2. How long do we have to store the email?
    3. How accessible does the archived email need to be?
    4. Etc., etc.

    Any information regarding these regulations, or where to find these regulations, would be greatly appreciated.

    Thank you.


All Comments

  • Author
    • #3071628

      The starting point would be..

      by fluidtech ·

      In reply to Email Archiving Regulations

      Sarbanes-Oxley Act of 2002

      I’m not sure of what level of implementation this is at…but this is where you should start.

    • #3071531

      Legal issue, not IT issue

      by stress junkie ·

      In reply to Email Archiving Regulations

      When I was working for a mutual fund company they had an entire department of people whose only job was to research regulations and determine if the company was in compliance with the regulations. The department’s name was the Compliance Department. The whole idea of asking the IT department to research regulations and determine if the business is in compliance with those regulations is asking the IT department to practice law. That’s illegal.

      Any business that looks for legal advice from the IT department is asking for trouble. Your employer should hire a legal consultant or someone who is licensed to practice law for this. When you say “We are in compliance with this or that regulation.” you are giving a legal opinion. You shouldn’t do that.

    • #3053528

      it’s simple

      by jaqui ·

      In reply to Email Archiving Regulations

      ask your boss how long you have to keep all account records.

      here, when I was working in a bank, we had to keep all records for 7 years.
      every transaction slip, everything, for 7 years.

      it falls under the government regs for financial institutions.

      • #3053494

        He was told to do the research

        by stress junkie ·

        In reply to it’s simple

        You are essentially saying what I said. The business managers should know the regulations. Matt’s problem is that he was told to do the research. That is a serious problem. You really need an attorney to give a legal opinion. In lieu of that the business managers can do the research and make up their own mind about what is required, at their peril. The IT department should only be asked to find a way to implement requirements that are stated by the management.

        So, as you say yourself, the IT department depends on the managers to state the requirements. Then the IT department can implement the stated requirements.

        • #3053406


          by jaqui ·

          In reply to He was told to do the research

          but his source is his boss.
          then he’s implementing what his boss decided was needed and he’s not under the gun for picking wrong.

          legal requirements for financial records are specific for each country, most do use the 7 year, and all data. just for ease of international business / banking.
          ( an industry standard? )

          about the only difference was that here every letter, email is included in the laws. no exceptions.
          what are the laws there?
          his boss already knows the answer to the question.
          so get the boss to detail what, for how long, and how accessible.

        • #3058142

          With a recent Court ruling here

          by hal 9000 ·

          In reply to yup,

          We keep all e-mail indefinitely. Sure, we archive it, but we keep it here forever, or the life of the company, and then pass it on to the receivers if appointed.

          Currently here an E-Mail has the same force in Law as a Letter so for purely legal reasons they are all kept no matter what they are.

          I’ve only needed to pull an archive once to prove that an e-mail that allegedly originated from one business proportion an illegal activity didn’t actually originate from that business but had been altered once sent.

          With the upcoming Anti Terror Laws that will be coming soon we will not only need to keep them indefinitely but have a chain of proof in place just to prove that our archived e-mail was what was actually sent or received, so it’s going to get a bit messier to comply, but really it’s no big deal.

          I would presume that the Homeland Security Act in the US imposes the same obligations as our upcoming laws. So we no longer need to only comply but work on the idea that we need to be able to look into the future to make sure that our clients are protected from changes that may be made later.


    • #3058132

      A possible place to turn

      by mirrormirror ·

      In reply to Email Archiving Regulations

      I used to work for the Texas Credit Union League. If your CU has paid its dues, then you can ask them if there are any regulations with regards to credit unions.

      In all truth, I think that it is up to the person running the CU or the board of directors.
