The Sarbanes-Oxley Act Has Forced Many Companies To Review Email Retention Policies.


by Mike Colesante - Date: 2006-11-30 - Word Count: 723

Four years have passed since President Bush signed the Sarbanes-Oxley Act and most analysts agree the law is working as larger companies are finally getting their accounting books in order.

The act was formulated to strengthen accounting oversight and corporate accountability. It did this by increasing accounting and auditor regulations, enhancing disclosure requirements, creating new federal laws and increasing penalties under existing federal laws.

An important aspect of the act focuses on the details of data security, retention and protection. So the question is, how does the Sarbanes-Oxley legislation impact email retention policies?

Surveys indicate that 93 percent of all business documents are created electronically and that has forced most corporations to address their retention policies. Businesses, small or large, can no longer consider email retention a non-priority.

Companies must develop a classification of data for off-site storage, such as an online storage service that encrypts and protects the data.

The Sarbanes-Oxley Act includes three provisions that deal with electronic documents, such as those communicated through emails. They include document alteration or destruction, mandatory document retention and obstruction of justice.

In terms of document alteration or destruction, the Sarbanes-Oxley law states that people who knowingly alter, destroy, mutilate, falsify or conceal any document (electronic or paper) with the intent to impede proceedings involving federal agencies may be fined or imprisoned up to 20 years, or both. How does this impact email retention policies? If a company has an email retention policy in place, it must include a security plan. Only certain individuals should be given clearance to access the archived emails. A report with that person's name and purpose should be produced every time a certain email is accessed, and any change to the existing document should be noted.

The Sarbanes-Oxley provision of mandatory document retention forces businesses to keep records readily available for review for a period of up to five years. The penalty for knowingly and willfully violating this provision imposes fines and a maximum sentence of 10 years in prison, or both. How does this impact email retention policies? A business must generate a data-retention policy with archive history periods included. According to Sarbanes-Oxley, the time period for such retention should be at least five years. The emails should be classified by dates (months and years) to make it less complicated for auditors to access such information. If the emails are disorganized, the auditors may have to dig deeper and they might find improprieties.

The obstruction of justice segment is similar to the document alteration provision under the Sarbanes-Oxley Act, but it includes a statute that prohibits tampering with witnesses. The legislation states that acting or attempting to alter or destroy a record or other object "with the intent to impair the object's integrity or availability for use in an official proceeding" can be punishable with fines, imprisonment for up to 20 years, or both. How does this impact email retention policies? Again, any company that has a data retention policy must enforce a security plan such that data can be accessed by only the proper personnel. An online data backup service with strong encryption and user tracking helps eliminate the chance of human intervention with whatever email data has been stored. With certain managed backup services, online backups are performed automatically, so data is protected without manual intervention. Data moves through an existing network connection, using state-of-the-art data security, including AES encryption, to a secure remote data center.

Clearly, the document-retention regulations implemented by the Sarbanes-Oxley legislation send a signal to businesses that they must institute a policy regarding their data and documents, including those transmitted through email. Businesses must realize that they can be held liable for retained and deleted electronic documents. The policies these businesses put in place should include an inventory of all the electronic hardware and software that can store emails (including cell phones and laptops), all locations and storage formats of archived emails, and all the methods by which email documents can be transferred into and out of the company. The next step should include classification of such emails, and then a secure off-site online backup storage plan.

The days of simply keeping emails in a folder at each workstation are part of the past thanks to businesses that have put forth a solid data retention plan. The Sarbanes-Oxley Act has served as an effective means to help push the creation of such plans.



Mike Colesante is a writer at Terian Solutions and can be reached at 713-482-6900.

Terian Solutions offers a full range of managed backup services. Secure Backup, its disk-to-disk backup and restore system, automatically protects your data and vaults it offsite, assuring your valuable data is always safe and secure. For more information about Terian Solutions' Secure Backup remote data protection service call 713-482-3600 or visit http://www.terian.com

© The article above is copyrighted by its author. You're allowed to distribute this work according to the Creative Commons Attribution-NoDerivs license.
 
