Most businesses treat email backup and email retention as the same thing. They are not — and the difference has real consequences when litigation arrives, a regulator sends an examination notice, or an employee's mailbox is accidentally deleted three days before a critical contract dispute surfaces.
Getting your email data management right requires understanding both concepts separately, knowing what your regulatory obligations actually require, and implementing the right technical infrastructure to meet those obligations. This guide provides exactly that — in plain language, without unnecessary legal jargon, with specific attention to the requirements that apply most commonly to Southern California businesses.
Retention vs. Backup: The Critical Distinction
Email backup is a point-in-time copy of your email data taken for disaster recovery purposes. Backup protects you from catastrophic failure scenarios: a server crash, accidental deletion of a mailbox, ransomware encryption of your mail store, a migration that corrupts data. Backups are typically taken daily or more frequently and retained for a defined window — often 30 to 90 days — before older backups are overwritten. Backup is not designed for long-term preservation or for searching and producing specific emails in response to legal or regulatory requests.
Email retention is the preservation of email records for a defined period for business, legal, or regulatory purposes. Retention infrastructure is designed to capture every email (including items that users delete from their primary mailboxes), preserve them in an immutable, tamper-evident store, make them searchable by date range, sender, recipient, subject, and keyword, and allow authorized administrators or legal counsel to export specific records for production. Retention is not primarily a disaster recovery tool — it is a compliance and legal evidence tool.
The practical gap: A business that has nightly backup but no archiving solution has the ability to restore an accidentally deleted mailbox — but cannot reliably produce all emails to or from a specific person between two dates two years ago, cannot preserve a specific custodian's mailbox intact pending litigation, and cannot demonstrate that it has met regulatory retention requirements. Backup does not substitute for retention archiving.
Legal Hold and eDiscovery
When a business anticipates or is involved in litigation, it has a legal obligation to preserve all potentially relevant electronically stored information (ESI) — including email — immediately upon receiving notice that litigation is likely. Failure to preserve, or destruction of potentially relevant evidence (even accidental deletion), is called "spoliation" and can result in sanctions, adverse inference jury instructions (the court tells the jury to assume the destroyed evidence would have hurt your case), or default judgment against you.
Legal hold means suspending normal retention policies for specific custodians or mailboxes — preventing automatic deletion of emails even if the normal policy would call for purging them — until the hold is released by legal counsel. In Microsoft 365, this is accomplished through Exchange Online's Litigation Hold or Microsoft Purview's eDiscovery hold features, which preserve all mailbox content (including deleted items) indefinitely for held mailboxes while maintaining normal operation for users.
eDiscovery is the process of searching, collecting, and producing ESI in response to discovery requests. Microsoft Purview includes Content Search and eDiscovery tools that allow administrators to search across all mailboxes in the organization by keyword, date, sender, recipient, and subject, export results in standard formats, and maintain an audit trail of all eDiscovery activities. Without an archiving and eDiscovery infrastructure, responding to discovery requests requires manual, error-prone mailbox exports that are expensive and difficult to authenticate.
Regulatory Retention Requirements by Industry
| Regulation / Industry | Minimum Email Retention | Key Requirements |
|---|---|---|
| HIPAA (Healthcare) | 6 years | Healthcare communications relating to PHI must be retained for 6 years from creation or last effective date. Applies to covered entities and business associates. |
| SOX (Public Companies) | 7 years | Sarbanes-Oxley requires financial records and communications to be retained for 7 years. Applies to public companies and, in practice, to companies that may go public or be acquired. |
| SEC / FINRA (Financial Services) | 3–7 years | FINRA Rule 4511 and SEC Rule 17a-4 require broker-dealers to retain business records including email for at least 3 years (most records) to 6 years (general ledger). Records must be in non-rewritable, non-erasable format (WORM). |
| CCPA / State Privacy Laws | Varies | California's CPRA and other state privacy laws create data minimization obligations that require you to not retain personal data longer than necessary — creating a retention maximum as well as a minimum. |
| General Business (No Specific Regulation) | 3–5 years recommended | Standard business litigation statutes of limitations (3–4 years in California for most contract claims) inform the practical minimum retention period for general business correspondence. |
Exchange Online Archiving in Microsoft 365
Microsoft 365 Business Premium and many other M365 plans include Exchange Online Archiving (EOA) as a native feature. EOA provides an "In-Place Archive" — a secondary mailbox that users can access alongside their primary mailbox in Outlook — into which older items are automatically moved based on archive policies. The archive mailbox grows without limit (subject to plan terms), preserves items that users delete from their primary mailbox when deletion policies are configured appropriately, and is fully searchable through Outlook and the Exchange admin center.
For litigation hold and regulatory compliance, Microsoft Purview extends beyond EOA to provide immutable preservation, legal hold management, eDiscovery workflows, and audit logging. Configuring these features correctly requires administrator access to the Microsoft Purview compliance portal and an understanding of how hold policies interact with retention labels and archive policies.
Key Configuration Steps
- Enable In-Place Archive for each licensed user in the Exchange admin center
- Configure a default archive policy that moves items older than 2 years to the archive (adjust based on your retention requirements)
- Create Microsoft Purview retention policies that preserve email for your required retention period before allowing deletion
- Configure litigation hold on executive and high-risk mailboxes proactively, before litigation arises
- Enable audit logging to create an immutable record of all mailbox access, message deletions, and eDiscovery activities
- Test eDiscovery workflows before you need them; active litigation is not the moment to discover that your search tools don't work correctly
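The six configuration steps above, together with the litigation hold and Content Search features described under Legal Hold and eDiscovery, as one added PowerShell example. This is not IT Center's deployment script and not Microsoft's; it uses the ExchangeOnlineManagement module cmdlets and assumes placeholder values (the archive tag and policy names, the example.com custodian addresses, the rehearsal search query and the 7-year period) that you would replace with your own.

```powershell
# Added example (not IT Center's or Microsoft's script): one pass through the
# six configuration steps above using the ExchangeOnlineManagement module.
# Values marked ASSUMED are placeholders for this example.
Import-Module ExchangeOnlineManagement

# Exchange Online session for mailbox, archive and MRM cmdlets; Security &
# Compliance (Purview) session for retention compliance policies and Content Search.
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession

$ArchiveTagName      = 'Move to archive after 2 years'          # ASSUMED name
$RetentionPolicyName = 'Email retention - 7 years'              # ASSUMED name
$RetentionDays       = 7 * 365                                  # ASSUMED period (e.g. SOX)
$HeldMailboxes       = @('ceo@example.com', 'cfo@example.com')  # ASSUMED custodians

# Step 1: enable the In-Place Archive on every user mailbox that lacks one.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Where-Object { $_.ArchiveStatus -ne 'Active' } |
    ForEach-Object { Enable-Mailbox -Identity $_.Identity -Archive }

# Step 2: an archive (MRM) tag that moves items older than 730 days to the
# archive, linked to the Default MRM Policy that new mailboxes receive.
if (-not (Get-RetentionPolicyTag -Identity $ArchiveTagName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $ArchiveTagName -Type All `
        -AgeLimitForRetention 730 -RetentionAction MoveToArchive
}
Set-RetentionPolicy -Identity 'Default MRM Policy' `
    -RetentionPolicyTagLinks @{ Add = $ArchiveTagName }

# Step 3: a Purview retention policy that keeps mail for the required period,
# measured from creation date, and only then allows deletion (KeepAndDelete).
if (-not (Get-RetentionCompliancePolicy -Identity $RetentionPolicyName -ErrorAction SilentlyContinue)) {
    New-RetentionCompliancePolicy -Name $RetentionPolicyName -ExchangeLocation All -Enabled $true
    New-RetentionComplianceRule -Name "$RetentionPolicyName rule" -Policy $RetentionPolicyName `
        -RetentionDuration $RetentionDays -RetentionComplianceAction KeepAndDelete `
        -ExpirationDateOption CreationAgeInDays
}

# Step 4: proactive litigation hold on executive / high-risk mailboxes.
# Unlimited duration preserves everything, including deleted items, until
# counsel releases the hold (Set-Mailbox -LitigationHoldEnabled $false).
foreach ($mbx in $HeldMailboxes) {
    Set-Mailbox -Identity $mbx -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited
}

# Step 5: make sure unified audit logging and per-mailbox auditing are on.
Set-OrganizationConfig -AuditDisabled $false
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Set-Mailbox -AuditEnabled $true

# Step 6: rehearse eDiscovery. Run a Content Search against one held custodian
# and confirm that it completes and reports a hit count.
$searchName = "Rehearsal - $(Get-Date -Format yyyyMMdd)"                 # ASSUMED name
New-ComplianceSearch -Name $searchName -ExchangeLocation $HeldMailboxes[0] `
    -ContentMatchQuery 'subject:"contract" AND received>=2023-01-01' | Out-Null   # ASSUMED query
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
"Search '{0}' returned {1} items" -f $searchName, $search.Items

# Verification: every held mailbox must report LitigationHoldEnabled = True,
# and the unified audit log should already be capturing deletion events.
$HeldMailboxes | ForEach-Object { Get-Mailbox -Identity $_ } |
    Select-Object DisplayName, LitigationHoldEnabled, ArchiveStatus
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations SoftDelete, HardDelete -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations
```

Two design points worth keeping in mind when adapting this. The MRM archive tag in step 2 only moves items between the primary and archive mailbox; it is the Purview retention policy in step 3 and the litigation hold in step 4 that actually prevent deletion, which is the interaction between hold policies, retention policies and archive policies that the text above warns about. Run the verification section again after any licensing or policy change, since a hold silently lapses if a mailbox loses the license that supports it.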
Third-Party Email Backup: When Microsoft 365 Native Features Aren't Enough
Microsoft 365 provides data availability and retention tools, but it is not a backup service in the traditional sense. Microsoft does not commit to restoring accidentally deleted data beyond a 30–90 day recycle bin window. If your Microsoft 365 tenant is compromised (ransomware, admin credential theft, accidental mass deletion), recovery options within Microsoft's native tooling are limited.
Third-party backup solutions — Veeam Backup for Microsoft 365, Spanning, Dropsuite, and others — provide daily snapshot backups of Exchange Online, SharePoint, OneDrive, and Teams data with point-in-time restore capabilities that go well beyond Microsoft's native retention. IT Center deploys and manages third-party M365 backup as part of our managed IT program, ensuring that email data is protected against both accidental deletion and platform-level incidents.
For businesses with compliance-grade archiving requirements, we also configure Purview retention policies, litigation hold, and eDiscovery workflows — and can produce evidence of compliant retention configuration for regulatory examinations or audit requests.
Is Your Email Protected, Archived, and Compliant?
IT Center configures Exchange Online archiving, Microsoft Purview retention policies, legal hold, and third-party backup for Southern California businesses — ensuring your email meets legal retention requirements and can survive any incident.
Talk to an Email Compliance Specialist, or call us: (888) 221-0098