Compliance Challenges

Common regulations that organizations adhere to include:

Freedom of Information Act

Who is required to comply?
Federal executive-branch agencies. State and local governments are covered by their own public-records laws rather than by the federal FOIA, and contractors are affected indirectly: records they create or hold for an agency can be agency records subject to a request.

What is it?
The Freedom of Information Act, or FOIA, was signed in July 1966 and took effect in July 1967. It gives any person the right to request federal agency records and requires agencies to disclose them unless one of the Act's exemptions applies.

What are the requirements?
FOIA itself sets no retention periods; those come from federal records law. In practice, a federal agency must retain email and other business correspondence as records, because anything it holds can be the subject of a FOIA request, and an organization that does business with a government-funded institution or a state or federal agency should expect the correspondence it exchanges with that body to be requestable and should retain its own copy.

What is the cost of non-compliance?
Court orders compelling disclosure, liability for the requester's litigation costs and attorney fees, and loss of corporate or political reputation.

What is the significance of Freedom of Information compliance?
The Freedom of Information Act provides greater accountability on the part of the US government and, indirectly, of those who do business with it.

HIPAA

Who is required to comply?
Covered entities and their business associates: healthcare providers (hospitals, physicians, nurses, pharmacists), public health authorities, health plans including self-insured employers and life insurers that handle health information, and service providers such as medical billing companies.

What is it?
The Health Insurance Portability and Accountability Act, enacted in 1996. It establishes standards for electronic healthcare transactions and for the privacy and security of individually identifiable health information. Data must remain accessible to authorized users and auditors while being protected from unauthorized access or use.

What are the requirements?
There are two components: the Privacy Rule and the Security Rule.

Privacy Rule: Standardizes how organizations may use and disclose protected health information (PHI). It protects against unauthorized disclosure of individually identifiable health information by an organization or its business associates, in any medium: verbal, paper and, most pertinent here, electronic. Health organizations must notify patients of their privacy rights and enforce procedures to protect that information.

Security Rule: Requires that organizations receive, maintain and transmit electronic protected health information (ePHI) in a way that preserves its confidentiality and integrity while keeping it available to those authorized to use it. The required protections fall into three categories of safeguards: administrative, physical and technical.

What is the cost of non-compliance?
Civil penalties, criminal penalties of up to $250,000 in fines and ten years' imprisonment for the most serious offences, and loss of corporate reputation.

What is the significance of HIPAA compliance?
The act provides patients with increased control over how protected health information is used and disclosed. Organizations must standardize policies and procedures to ensure patient confidentiality.

FDA 21 CFR Part 11

Who is required to comply?
Companies in FDA-regulated industries (pharmaceuticals, biologics, medical devices, food) that create or keep required records electronically or use electronic signatures, and contractors that keep such records on their behalf.

What is it?
21 CFR Part 11 is an FDA regulation rather than an Act; it took effect in August 1997. It sets the conditions under which electronic records and electronic signatures are treated as trustworthy, reliable and equivalent to paper records, including protection against corruption and undetected deletion.

What are the requirements?
Part 11 requires secure, computer-generated, time-stamped audit trails that independently record the date and time of operator entries and of every action that creates, modifies or deletes an electronic record. Record changes must not obscure previously recorded information, so the audit trail must show who changed what and when, and the original content must remain recoverable. Audit trail documentation must be retained at least as long as the record itself and must be available for FDA review and copying.

What is the cost of non-compliance?
Heavy fines and loss of corporate reputation.

What is the significance of FDA compliance?
21 CFR Part 11 provides controls against the alteration or misrepresentation of regulated electronic records, so that an electronic record can be relied on as much as its paper equivalent.

SEC Rules 17a-3 and 17a-4

Who is required to comply?
All persons engaged in trading securities as a broker or dealer, and persons associated with the firm.

What is it?
Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 set out which records a broker-dealer must make (17a-3) and how long and in what form they must be preserved (17a-4); the SEC's May 2003 interpretive release on electronic storage of broker-dealer records clarified how email and other electronic records may be kept. Electronic records must be preserved in an accessible, non-rewriteable and non-erasable format.

What are the requirements?
Rule 17a-4 requires broker-dealers to preserve communications relating to their business, email included, for not less than three years, the first two in an easily accessible place (the core books and records listed in 17a-4(a) must be kept for six years). Where records are kept on electronic storage media, the rule requires that the media preserve them in a non-rewriteable, non-erasable format; that the system verify the quality and accuracy of the recording process; that it serialize the storage units and time-date the information placed on them for the required retention period; and that a duplicate copy of the records be stored separately from the original. The records must be organized and indexed, the indexes must likewise be duplicated and stored separately, and both records and indexes must be available for examination and preserved for as long as the original records.
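The Part 11 audit-trail requirements above and the 17a-4 serialization and time-dating requirements here describe the same record-level properties: a sequential identifier, a time stamp, a fingerprint, and the ability to prove that nothing was altered or removed. The following is an added illustration written for this page, not Jatheon's product code and not any regulator's specification. It keeps a hash-chained, append-only archive in which corrections are appended as new records rather than written over the original, and its verifier reports the first position where an edit or deletion breaks the chain. The field names (seq, timestamp, actor, prev, fingerprint, supersedes) and the three sample messages are constructed for the example.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def _fingerprint(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding of every field except the fingerprint itself."""
    body = {k: v for k, v in record.items() if k != "fingerprint"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class Archive:
    """Append-only record store: sequential ID, UTC time stamp, actor and a hash chain."""

    def __init__(self):
        self.records = []

    def append(self, actor, message, when=None, supersedes=None):
        when = when or datetime.now(timezone.utc)
        prev = self.records[-1]["fingerprint"] if self.records else GENESIS
        rec = {
            "seq": len(self.records) + 1,          # serial number, never reused
            "timestamp": when.isoformat(),          # time-date of the entry
            "actor": actor,                         # who made the entry
            "message": message,
            "supersedes": supersedes,               # earlier seq this record corrects, if any
            "prev": prev,                           # fingerprint of the preceding record
        }
        rec["fingerprint"] = _fingerprint(rec)
        self.records.append(rec)
        return rec["seq"]

    def amend(self, actor, seq, message, when=None):
        """Correct an earlier record by appending a new one; the original is never touched."""
        if not 1 <= seq <= len(self.records):
            raise ValueError(f"no record {seq}")
        return self.append(actor, message, when, supersedes=seq)

    def head(self):
        """Fingerprint of the last record; store this separately from the archive."""
        return self.records[-1]["fingerprint"] if self.records else GENESIS

    def verify(self, expected_head=None):
        """Walk the chain; return (True, None) or (False, first bad position)."""
        prev = GENESIS
        for position, rec in enumerate(self.records, start=1):
            if (rec.get("seq") != position or rec.get("prev") != prev
                    or rec.get("fingerprint") != _fingerprint(rec)):
                return False, position
            prev = rec["fingerprint"]
        # Truncating the tail leaves a valid shorter chain; only a separately
        # stored head fingerprint (or write-once media) catches that.
        if expected_head is not None and prev != expected_head:
            return False, len(self.records) + 1
        return True, None


def build_sample_archive():
    """Three constructed messages with fixed time stamps so results are reproducible."""
    t0 = datetime(2008, 3, 1, 9, 0, tzinfo=timezone.utc)
    a = Archive()
    a.append("alice@example.com", "Trade confirmation #1001", t0)
    a.append("bob@example.com", "Batch 42 release approved", t0.replace(hour=10))
    a.append("alice@example.com", "Trade confirmation #1002", t0.replace(hour=11))
    return a


def tamper_in_place(archive, seq, new_message, expected_head=None):
    """Simulate someone editing a stored record directly, then verify."""
    bad = copy.deepcopy(archive)
    bad.records[seq - 1]["message"] = new_message
    return bad.verify(expected_head)


def delete_record(archive, seq, expected_head=None):
    """Simulate someone removing a stored record, then verify."""
    bad = copy.deepcopy(archive)
    del bad.records[seq - 1]
    return bad.verify(expected_head)


if __name__ == "__main__":
    archive = build_sample_archive()
    head = archive.head()
    print("clean archive:", archive.verify(head))
    print("edited record 2:", tamper_in_place(archive, 2, "Batch 42 release rejected"))
    print("deleted record 2:", delete_record(archive, 2))
    print("deleted last record, no stored head:", delete_record(archive, 3))
    print("deleted last record, stored head:", delete_record(archive, 3, head))
    archive.amend("bob@example.com", 2, "Batch 42 release approved (lot number corrected)")
    print("after amendment:", archive.verify(), "records:", len(archive.records))
```

The chain makes in-place edits and deletions of interior records detectable, and amend() preserves the "changes must not obscure previously recorded information" property by leaving the original record in place. Two things it does not do on its own: a trimmed tail is only caught when the head fingerprint has been stored somewhere the archive writer cannot reach, and nothing in software prevents an administrator from rewriting the whole chain and recomputing every hash. That is why 17a-4 requires non-rewriteable, non-erasable media plus a separately stored duplicate, and why Part 11 requires the audit trail to be secure and computer-generated rather than operator-editable.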

What is the cost of non-compliance?
Heavy fines, imprisonment and loss of corporate reputation.

What is the significance of SEC 17a-3 and 17a-4 compliance?
The rules are designed to protect investors and brokers from fraudulent activity and misrepresentation in electronic messaging, by ensuring that a complete and unaltered record of the firm's communications exists.

NASD Rule 3110 & NYSE Rule 440

Who is required to comply?
All persons engaged in trading securities as a broker or dealer, and persons associated with the business.

What is it?
Both the National Association of Securities Dealers (NASD) Conduct Rule 3110 on Books and Records and NYSE Rule 440, in the form in effect from May 2003, establish standards for the preservation of accounts, records and, importantly, electronic correspondence, in the manner required by SEC Rules 17a-3 and 17a-4. Since 2007 both rulebooks have been administered by FINRA, formed by the consolidation of NASD and NYSE member regulation.

What are the requirements?
NASD Rule 3110 and NYSE Rule 440 require brokers and dealers to retain all electronic records and correspondence between the firm and its customers in the manner prescribed by SEC Rule 17a-4: for the retention period that rule sets, in an accessible, non-rewriteable and non-erasable format. NASD Rule 3110 also requires that supervisors be able to review the firm's outgoing correspondence for non-compliant language and to enforce the firm's internal policy on email correspondence.

What is the cost of non-compliance?
Heavy fines, imprisonment and loss of corporate reputation.

What is the significance of NASD Rule 3110 and NYSE Rule 440 compliance?
The rules are designed to protect investors and brokers from fraudulent activity and misrepresentation in electronic messaging.

IDA 29.7 (Canada)

Who is required to comply?
Member firms of the Investment Dealers Association of Canada (investment dealers) and firms that handle client correspondence on their behalf.

What is it?
Regulation 29.7 of the Investment Dealers Association of Canada (IDA), the self-regulatory body for Canadian investment dealers (its regulatory functions passed to IIROC in June 2008), requires that all client correspondence, largely email, be archived and retained.

What are the requirements?
All client correspondence, largely email and instant messages, must be retained for five years from the date of creation. The information must be available for audit and review by the Association at any time, so fast search and retrieval is needed to meet a request, and the firm must be able to show that the retained information has not been altered.

What is the cost of non-compliance?
Heavy fines and loss of corporate reputation.

What is the significance of IDA 29.7 compliance?
IDA Regulation 29.7 provides corporate accountability in the face of fraudulent activity and misrepresentation of electronic information.

Investment Advisers Act

Who is required to comply?
Hedge fund managers and advisers whose firms manage $25M or more in assets.

What is it?
The Investment Advisers Act of 1940 (IAA) is the federal statute governing investment advisers. The rule the SEC adopted under it for private investment pools took effect in February 2006 and required hedge fund advisers with $25M or more under management to register with the SEC. That registration rule was vacated by a federal appeals court in June 2006, but advisers who are registered remain subject to the Act and its record-keeping rule (Rule 204-2).

What are the requirements?
Rule 204-2 under the IAA requires registered advisers to keep their records, including electronic correspondence, for at least five years from the end of the fiscal year in which the record was created, the first two years in an appropriate office of the adviser, where they are subject to examination by the Commission. Records kept electronically must be arranged and indexed so they can be promptly located and produced, safeguarded against loss, alteration and destruction, and a duplicate copy must be stored separately from the original. Archiving systems typically meet this with an online archive plus a second copy on tamper-proof media, with each message time- and date-stamped and assigned a unique serial ID.

What is the cost of non-compliance?
Heavy fines, imprisonment and loss of corporate reputation.

What is the significance of Investment Advisers Act compliance?
The Investment Advisers Act provides corporate accountability against fraudulent activity and corruption, and safeguards financial information from leakage.

Gramm-Leach-Bliley

Who is required to comply?
All banks, credit reporting agencies, securities companies, tax preparation companies, real estate settlement service companies, debt collectors, insurance companies and those doing business with said companies.

What is it?
The Gramm-Leach-Bliley Act, commonly referred to as the GLBA, was signed in November 1999 and its privacy provisions took full effect in July 2001. The Act governs how customers' financial information is collected and disclosed, and requires financial institutions to implement and maintain safeguards that protect that information against corruption, fraud and leakage.

What are the requirements?
The GLBA Safeguards Rule requires each financial institution to maintain a written information security program that protects the confidentiality and security of customer information, including email correspondence, by securing it and limiting who may access it; storage locations for this information must be protected with access controls. GLBA itself sets no email retention period; securities firms that are also broker-dealers remain subject to SEC Rule 17a-4, which requires records to be kept in an easily accessible place and secure from erasure and rewriting.

What is the cost of non-compliance?
Heavy fines, up to five years' imprisonment and loss of corporate reputation.

What is the significance of Gramm-Leach-Bliley compliance?
The Gramm-Leach-Bliley Act enhances protection of non-public personal financial information by requiring proper record keeping, supervisory review and controlled access.

FRCP

Who is required to comply?
Any party to a civil lawsuit in a US federal court: residents and businesses in the US, and companies conducting business or transactions with them.

What is it?
The Federal Rules of Civil Procedure, commonly referred to as the FRCP, are the court rules for civil lawsuits in the US federal court system. The FRCP is divided into thirteen titles, each containing a set of rules defining a stage of the civil lawsuit process. Amendments effective December 1, 2006 addressed electronically stored information (ESI), making data compilations of all kinds subject to discovery requests.

What are the requirements?
The FRCP requires each party to make initial disclosures, including a description of the ESI it may use to support its claims or defenses, within fourteen days of the parties' discovery-planning conference, and to produce ESI in the form in which it is ordinarily maintained (typically its native format) or in another reasonably usable form.

What is the cost of non-compliance?
Sanctions for failing to preserve or produce ESI, which can include paying the other party's costs and attorney fees, adverse-inference instructions to the jury, heavy fines and loss of corporate reputation.

What is the significance of FRCP?
The FRCP provides corporate accountability during discovery in litigation: email, a critical part of corporate records, must be archived, searchable and usable for producing information in the discovery process.

PIPEDA (Canada)

Who is required to comply?
Private-sector organizations in Canada that collect, use or disclose personal information in the course of commercial activity, and organizations that handle such information on their behalf (provinces with substantially similar legislation are exempt for activity within the province).

What is it?
The Personal Information Protection and Electronic Documents Act, commonly referred to as PIPEDA, is a Canadian federal law enacted in April 2000 and fully in force since January 2004. It protects personal information held by Canadian companies and organizations and sets rules for the collection, use and disclosure of that information.

What are the requirements?
PIPEDA requires that personal information be collected with the individual's consent and used only for the purpose for which it was collected. Records containing it, largely email correspondence, must be protected by safeguards appropriate to their sensitivity, such as password-protected access limited to the personnel who need it. Personal information may be retained only as long as necessary to fulfil the purpose for which it was collected, but must be kept long enough for the individual to access it and for any period that other law requires.

What is the cost of non-compliance?
Heavy fines, court costs and loss of corporate reputation.

What is the significance of PIPEDA?
PIPEDA safeguards personal information exchanged in the course of business, providing accountability for that sensitive data by restricting access to it and requiring security measures around it.

Sarbanes-Oxley

Who is required to comply?
All publicly traded companies, along with their auditors, attorneys and business partners. Sarbanes-Oxley has also set an e-records management standard that businesses generally aim to meet.

What is it?
The Enron and WorldCom scandals redefined electronic-record management legislation worldwide. Sarbanes-Oxley, enacted in 2002, legislates how business records are protected and preserved to prevent their destruction and corruption. SOX, as it is commonly referred to, also enforces corporate accountability, particularly in the face of audit and litigation requests.

What are the requirements?
Section 802 of Sarbanes-Oxley requires accountants who audit or review an issuer to retain their work papers and related records, including correspondence, for seven years under the SEC's implementing rule, and makes it a crime to alter, destroy or falsify records with intent to obstruct a federal investigation. Companies must therefore keep financial records and related electronic correspondence in tamper-proof form that prevents their corruption or modification.

What is the cost of non-compliance?
Heavy fines, up to 20 years' imprisonment and loss of corporate reputation.

What is the significance of Sarbanes-Oxley compliance?
The Act is designed to protect investors from fraudulent activity and to safeguard financial data. All public companies must implement and practice dependable record management policies that allow for disclosure of information and transparency of business practices.

* This is not a complete list of the compliance regulations for the industries listed above.

Jatheon's Plug n Comply™ family of archiving appliances provides best-in-class e-mail archiving and regulatory compliance for Exchange, Lotus Notes, GroupWise, Kerio and SMTP, enabling organizations to meet their growing litigation, compliance and corporate governance obligations. Jatheon's simplified approach to archiving gives Compliance Officers and users a search interface for e-mail and instant messages that simplifies electronic retrieval, classification, review, legal holds, policy management and legal document production. Jatheon provides a proven e-mail archiving solution for compliance with SEC, FINRA (NASD / NYSE), HIPAA, FRCP, FERC and Sarbanes-Oxley regulations. Jatheon's appliances are used in financial services, government, education and health sciences, as well as many other industries.

Jatheon Technologies Inc. Copyright 2008.