Yes, Emails Contain Business Records: Here’s How to Handle Them

As someone who’s worked in information governance and compliance for more than 25 years, I’ve lost count of how many times I’ve heard someone say, “Email isn’t a real record.” Compliance folks see it as a liability. IT departments often see it as digital clutter. And in-house legal teams? They tend to see email as a dangerous landfill of discoverable, inculpatory evidence. But here’s the truth: emails are business records—maybe not all of them, but many of them are. Ignoring that fact has consequences.

Let’s start with the scale of the issue. Many employees love their inboxes and often use them as a combination notepad, to-do list, and forever archive. The average U.S. employee sends and receives over 160 emails per day. That’s a staggering volume of communication—some of it routine, some of it trivial, but a surprising amount of it is actually important. Over time, inboxes grow bloated. Storage costs go up. EDiscovery becomes more painful. Privacy risks increase. Yet still, there’s resistance to managing email like the information asset it truly is.

Many Emails are Not Transitory

Part of the confusion comes from how we think about records. Many organizations are still tempted to classify emails as “transitory” by default—ephemeral messages that don’t need to be saved. But email is a medium, not a message type. Some emails are absolutely transitory. But many are not.

In fact, emails are often the only place where key records exist. Think about it. Ever gotten a shipping or project completion notice by email? An expense or vacation approval? Budget and expense approvals?  A vendor’s quote? Legal advice? Maybe even an HR decision or a performance review? Separate from any attachment, these emails are business records, and in many organizations, they never make it beyond someone’s inbox.

Now, if you’re thinking, “Well, that’s all the more reason to just save everything,” I get it. But that creates its own set of problems. Unlimited email retention means increased eDiscovery costs. If you’ve got 10+ years of emails, every litigation hold becomes a monumental task. And then there’s privacy. Old emails are full of personal information—birthdates, health info, account numbers, even passwords. The more you keep, the more you’re putting at risk of having to report “an unknown amount” of personal information was breached.

Unfortunately, the opposite strategy—deleting everything—isn’t viable either. You can’t just wipe all emails after 30 days and hope for the best. If you do, you’re almost guaranteed to destroy legitimate business records. And that can lead to real consequences, from regulatory sanctions to court sanctions. We’ve seen entire industries learn that the hard way.

The Regulatory Angle

In recent years, a number of large Wall Street firms and global financial institutions found themselves under intense regulatory scrutiny for failing to retain business communications, especially those sent via personal devices or ephemeral messaging apps. One reason many traders were using these messaging apps was they were a faster and easier way to communicate. In 2021 the SEC started an enforcement sweep that began with a $125 million fine against J.P. Morgan’s broker-dealer arm after the firm admitted to widespread use of personal devices and WhatsApp for work conversations that were not archived​.

In a 2022 wave of record-keeping cases, 16 more financial firms (including major players like Bank of America, Morgan Stanley, Goldman Sachs, and Citigroup) paid combined SEC penalties of over $1.1 billion​, with several of the largest banks fined about $125 million each​. The message from regulators is clear: if business is being conducted, the communication must be preserved—regardless of the medium or platform.

Classification is Key

So, what’s the answer? It starts with a mindset shift: recognize that email is a container, not a category. Don’t treat all emails as records, and don’t treat them all as trash. Instead, classify based on content. A vacation approval email? That’s a record. A “there’s cake in the break room” email saved from 12 years ago? Probably not.

Next, give employees tools to do the right thing. Platforms like Microsoft 365 offer simple ways to classify and tag emails. You don’t need expensive add-ons to implement retention labeling and basic policies. Much of this can be highly automated—all with the basic version. Even creating “working document” folders where non-record emails can live for a fixed period—say, two years—helps tremendously. Employees can keep any email they need in the short term, but you’ve set expectations these will be deleted.  Let those folders delete expired emails automatically. 

For emails that have long-term business value—such as those related to intellectual property, important business processes, contracts, or critical business decisions—encourage employees to move them to shared repositories. That way, you avoid leaving important information trapped in individual inboxes, while still managing retention and access. Again, doable with base M365.

Strive for Balance

Ultimately, email governance is about balance. We can’t let email run wild, but we also can’t eliminate it from our information strategy. Legal, compliance, IT, and employees all have valid concerns—and a workable solution needs to address all of them.

So, are there really business records in email? Absolutely. And if your organization hasn’t built a strategy around that reality yet, now’s the time. Start small if you need to, but start with intention. Because in the eyes of regulators, judges, and yes—even your own business leaders—if it walks like a record and talks like a record, it probably is a record. And it’s up to us to treat it that way.