What do organizations need in order to make e-mail communications compliant? The most important component is a corporate e-mail policy. Based on relevant laws for their industry, compliance or risk officers should create corporate messaging policies that include compliance measures.
In addition to compliance with external legislation, companies also need to mitigate the risk of corporate liability and financial loss resulting from improper e-mail usage and lack of retention policies for corporate communications. Leveraging best practices and legal guidelines, organizations need to create and enforce corporate e-mail and messaging policies that address areas of potential liability such as: disclosure or transfer of intellectual assets, discrimination, harassment, client/attorney privilege, and other measures of due diligence protection against criminal and civil liability.
Compliance officers will find that most laws and corporate guidelines require the following e-mail capabilities in order to ensure compliance with e-mail policies:
- Message Retention
Companies need the ability to automatically retain e-mail messages for the amount of time required by relevant legislation. Search and retrieval of retained e-mails is another core capability, particularly for legal discovery. According to a recent survey, one in five employers has had e-mail subpoenaed. Without the proper policies and procedures for retention and destruction of e-mail, as well as a search mechanism, companies can incur tremendous costs. These costs range from the resources invested to recover and process e-mail from back-up files to potential fines, settlements and judgments against the company due to failure to produce required evidence in a timely manner.
- Controlled Access
A major component of many privacy and corporate integrity laws is the protection of private information, as well as preventing unauthorized access to certain types of data. Companies must be able to secure e-mail transmission and prevent unauthorized disclosure by e-mail of certain types of data.
- Information and Process Integrity
A number of regulations require procedures and controls to be in place to ensure integrity of certain processes and types of data. For e-mail compliance, this could mean applying handling instructions to relevant classifications of e-mail, automatically sending copies of e-mails to compliance officers, or enforcing an “ethical wall” scenario (a screening mechanism to protect against conflict of interest situations).
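The three capabilities above (retention with a tiered storage window, ethical-wall screening between departments, and handling instructions keyed on message classification) are easier to reason about as a small policy engine. The following is an added example, not code from the original article or from any product it describes. The retention schedule for "broker-dealer" follows the SEC Rule 17a description later on this page (at least three years, the first two easily accessible); the "general" schedule, the department map, the wall between research and investment banking, the handling instructions and the sample message are all constructed for illustration.

```python
"""Toy e-mail compliance policy engine (added example, not from the original article).

Models the three capabilities the article lists: retention status under a
retention schedule, "ethical wall" screening between departments, and
handling instructions keyed on message classification. All names, schedules
and sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipients: tuple
    sent: date
    classification: str  # e.g. "financial-report", "health", "general"


# Retention schedule in years. "broker-dealer" follows the page's SEC Rule 17a
# description (keep >= 3 years, first 2 easily accessible); "general" is a
# constructed default.
RETENTION_SCHEDULE = {
    "broker-dealer": {"retain_years": 3, "accessible_years": 2},
    "general": {"retain_years": 1, "accessible_years": 1},
}

# Departments that may not exchange e-mail directly (hypothetical ethical wall).
ETHICAL_WALLS = {frozenset({"research", "investment-banking"})}

# Hypothetical handling instructions per classification.
HANDLING = {
    "financial-report": ("copy-compliance", "encrypt-in-transit"),
    "health": ("encrypt-in-transit", "block-external"),
    "general": (),
}


def add_years(d, n):
    """Return d shifted n years forward, clamping Feb 29 to Feb 28."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def retention_status(msg, schedule_name, today):
    """Where the message must live today: 'accessible' (fast storage),
    'archived' (may move to slower storage) or 'expired' (retention satisfied)."""
    rule = RETENTION_SCHEDULE[schedule_name]
    if today < add_years(msg.sent, rule["accessible_years"]):
        return "accessible"
    if today < add_years(msg.sent, rule["retain_years"]):
        return "archived"
    return "expired"


def ethical_wall_violations(msg, departments):
    """Return (sender, recipient) pairs whose departments are separated by a wall."""
    hits = []
    for rcpt in msg.recipients:
        pair = frozenset({departments.get(msg.sender), departments.get(rcpt)})
        if pair in ETHICAL_WALLS:
            hits.append((msg.sender, rcpt))
    return hits


def handling_actions(msg, internal_domain):
    """Expand the classification's handling instructions into concrete actions.
    'block-external' becomes the list of external recipients to strip."""
    actions = {}
    for instr in HANDLING.get(msg.classification, ()):
        if instr == "block-external":
            external = [r for r in msg.recipients if not r.endswith("@" + internal_domain)]
            if external:
                actions["blocked-recipients"] = external
        else:
            actions[instr] = True
    return actions


def evaluate(msg, schedule_name, departments, internal_domain, today):
    """Combine the three checks into one policy verdict for a message."""
    return {
        "retention": retention_status(msg, schedule_name, today),
        "wall_violations": ethical_wall_violations(msg, departments),
        "handling": handling_actions(msg, internal_domain),
    }


# Constructed sample data.
DEPARTMENTS = {
    "alice@example.com": "research",
    "bob@example.com": "investment-banking",
    "carol@example.com": "compliance",
}
SAMPLE = Message("m1", "alice@example.com",
                 ("bob@example.com", "dr@clinic.example.net"),
                 date(2003, 6, 1), "health")

if __name__ == "__main__":
    print(evaluate(SAMPLE, "broker-dealer", DEPARTMENTS, "example.com", date(2005, 9, 1)))
```

The retention check is deliberately date-based rather than age-in-days so that "three years" means the same calendar span regardless of leap years; a real archive would also need the search and retrieval path the article mentions, which this example leaves out.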
The following overview provides a sample of the types of laws that pertain to organizations and their business data and communications in the form of e-mail and messaging.
Message Retention
There are several regulations, particularly within the financial services industry, that require companies to retain business communications, including e-mail and instant message (IM) communications.
SEC Rule 17a
From the U.S. Securities and Exchange Commission (SEC), this mandate establishes retention policies for brokers, dealers, and exchange members. The rule requires that original copies of all communications be preserved for a period of no less than three years, with the first two in an easily accessible location.
NASD Rule 3010
The National Association of Securities Dealers (NASD) Rule 3010 requires that broker-dealers and others implement specific capabilities for the sampling and review of messages sent out by broker-dealers. Other applicable NASD rules are Rules 3110 and 2210, which also establish retention regulations.
Other Regulations
Other regulations that mandate retention of e-mail and messages include New York Stock Exchange rules, The Universal Market Integrity Rules for Canadian Marketplaces, and the Companies Act in the U.K.
Controlled Access
There is a broad range of both U.S. and international laws pertaining to the usage and protection of private information. As of this writing, 23 states have passed data protection laws modeled on California’s Senate Bill 1386 (SB 1386), which mandates public disclosure of computer security breaches involving private data of California residents. So far this year, at least 26 more bills have been introduced in 13 states.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA requires that all health care organizations adopt medical information security, privacy, and data standards for patient information. The legislation also applies to companies with employee health records. Health data must be isolated and inaccessible to unauthorized access and the transmission of health information must be physically, electronically, and administratively safeguarded to ensure the confidentiality of data.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act requires financial institutions to safeguard clients’ private information. It imposes HIPAA-like standards for protecting customers’ information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule under section 501(b), requiring financial institutions under FTC jurisdiction to secure customer records and information.
The European Union Data Protection Directive of 2002
This regulation updates legal standards for the processing of personal data and the protection of privacy. The law sets stringent restrictions on which personal information can be collected and stored. It also dictates rules for passing personal data to non-EU countries.
Information and Process Integrity
These regulations require organizations to create, evaluate, and monitor internal controls affecting how certain types of data are handled.
Sarbanes-Oxley Act
This law mandates that public companies must control, protect, and retain information related to financial data that must be publicly disclosed. Companies must ensure that effective internal controls are in place to protect financial reporting data handled via e-mail.
Rule 21 CFR 11
Primarily focused on pharmaceutical and other Food and Drug Administration (FDA)-controlled industries, CFR 21 defines requirements for electronic records, electronic signatures, non-repudiation, authenticity, and other controls.
USA PATRIOT Act
This law requires financial services and insurance companies to implement anti-terrorism and anti-money-laundering regulations, including capabilities to identify customers and flag suspicious transactions. Broker-dealers must implement and document customer identity verification procedures; e-mail communications to establish a new account could fall under this rule.
Other Process-Related Regulations
Based on Sarbanes-Oxley, other countries are introducing similar legislation, among them Belgium, Canada, France, Japan, the Netherlands, and the UK. A sample of other regulations that mandate process controls includes international laws such as Bill 198 in Ontario, the European Union Markets in Financial Instruments Directive, Basel II, and the U.K.’s Combined Code of Corporate Governance 2003.