Data retention requirements

Answered by:

Question:

How long must a federally insured small bank retain its documents and emails? I have run into a situation where I am being told that a bank uses a back-up system that overwrites its backups every three weeks or so. I have tried to find some regulation/statute that addresses the data retention by a bank of its own records - not its depositors', vendors', etc. - I can't find it. I know that this can't be the case; I must somehow be looking in the wrong way/places. For example: It is my understanding that an institution such as a bank would have to issue a "litigation hold letter" on all data when it has reason to know that litigation is likely. How can there be any data to retain if it's always being overwritten? Any insight on my confusion or suggestion as to where I can find a resource that would help on this would be greatly appreciated . . . .

Answer:

You have a good question.

First you should have a Data Retention Policy and then a procedure.
Your system should then be aligned to comply with the policy.
Is there a specific timeline associated with data retention? no.
What is a good rule of thumb?

Depends on the data and the use.

Email Storage (during and care).

Note: You have two questions here.

First is the email system. Typically it is a size allocation that relates to the user (and they need to keep their mail box cleaned up). If a mail box exceeds the allocated size the user is sent a warning message. If they do not respond and clean up the box, the system will lock them out, prevent them from sending or saving emails, or delete enough (automatically) to bring them into compliance with the storage requirements.
Email system should be backed up each day. Back-up copies should be keep for at least six months and longer if needed.