Better safe than sorry
There are several cases where legislation and regulation may not explicitly dictate email archiving as a measure, but may have other stipulations that make email archiving a useful tool.
Properly archived email is encrypted, often compressed, and held in a single store rather than scattered around the organization in departmental PST files. This reduces the attack surface and makes historical email – with its wealth of potentially sensitive information – far more manageable. The archive also creates a record of when and where those emails were sent, along with the sending and receiving parties.
This becomes relevant when proving or disproving an email-based information breach. Most US states have data breach notification laws – such as California’s SB1386 – that require organizations to notify customers in the event of a breach. An archival system can provide protection for stored historical email. Should the worst happen, it can also give companies a documented, immutable record of any email accidentally sent to the wrong parties.
As regulations evolve and often multiply, having a robust email retention policy can provide a foundational level of protection for organizations. It may not be a panacea for information security, but it is a useful tool as part of a broader strategy to meet often complex compliance requirements.