Business Data Retention – Best Practices

What is the first (best) practice in the email retention space?

If you have a question about what business data to retain consult your attorney to ensure that you are in compliance with all federal, state, and local regulations. You will also want to ensure that you have documented retention requirements for your clients, and that your staff and vendors know how to address them in the services you provide.

Retention requirements vary widely, as you can see in the list below:

• Internal Revenue Service (US IRS): seven (7) years

• Payment Card (PCI DSS): one (1) year

• California Franchise Tax Board (CA FTB): four (4) years

• DISA Security Technical Implementation Guides (STIG): one (1) year

• Many State Revenue Departments: three (3) years

• HIPAA Section 164: six (6) years

It gets even more confusing. For example, medical records retention is set by each state.

In the state of California, that looks something like this:

• Adult patient records: seven (7) years

• Minor patient records: one (1) year after the patient reached the age of 18, but at least 7 years

If you are confused, consult legal counsel.