In the wake of Enron and WorldCom and amid growing scrutiny of business practices, companies are establishing strict e-mail policies, not just because it's a good idea but because a growing body of law says they have to. Regulatory compliance, in fact, is the third biggest concern for corporate information officers, behind viruses and spam, according to a study by messaging consultants Ferris Research.

Most of the headlines about "smoking gun" e-mails have involved big corporations, but everybody needs to know the new standards. Michael Overly, a partner in the eBusiness & Information Technology group at law firm Foley & Lardner in Los Angeles, says, "The FTC, state attorney general offices, and other consumer protection agencies and regulatory entities don't hesitate to audit and prosecute businesses, whatever their size, for failing to comply."

There are literally hundreds of laws and regulations that have recordkeeping requirements, and these vary depending on where a business is located and what kinds of activities it's engaged in. Many messaging security companies and archiving firms will do a lot of the work of figuring out which laws you need to comply with (see How to Avoid Scammers, Spammers, and the Rest of the Bad E-Guys and The Secrets of E-mail Stash). Keeping track of the law can be a full-time job, though, especially if you are in a heavily regulated business like health care or financial services. It's usually worth the expense to hire a lawyer to find out which e-mails (and other data) you need to keep and for how long.

Here are some of the most wide-ranging laws and rules affecting e-mail:

Sarbanes-Oxley Act
SOX, as it is unaffectionately known, applies only to public companies and covers a lot of ground. In terms of e-mail, the law sets strict standards for the handling of confidential information and establishes time frames for the retention of all electronic records and messages: at least five years in most cases, or seven for certain types of information. In the past few months, there has been a SOX backlash as companies complain that the cost of implementing the technology needed to comply with the law has cut deeply into their bottom lines. (See Surviving Sarbanes-Oxley, Inc., September 2005.)

Gramm-Leach-Bliley Act
The Financial Modernization Act of 1999, as GLB is also known, is designed to protect the personal information of customers held by a wide range of financial businesses. Though GLB is thought of mainly as a law covering banks and brokerages, it also extends to such businesses as travel agents and real estate appraisers.

Health Insurance Portability and Accountability Act

HIPAA requires, among other things, that organizations in the health care industry ensure that the patient information on their computers is secure, and that e-mail containing health information is protected against unauthorized access.

California Security Breach Information Act

This law, also known as California 1386, requires that businesses and state agencies that have access to confidential data notify individuals when their personal information may have been compromised.

Confidential data includes everything from Social Security numbers to driver's license details to credit card information.

SEC 17a-4, NASD Rules 3010 and 3110

These rules apply to broker-dealers and other businesses that trade securities and fall under the jurisdiction of the Securities and Exchange Commission and the National Association of Securities Dealers. All three rules require covered businesses to implement both policies and technology for the electronic storage and retrieval of e-mails and instant messages for set periods of time.