Wednesday, March 19, 2008

Article: Regulatory Data Compliance - How Does This Affect Your Company?

Submitted By: Dan Schutte

Background for Compliance

Terrorist attacks, globalization, high-profile corporate scandals, and business-to-business online transactions have led to a dramatic rise in requirements to safeguard electronic customer data. Going beyond consumer protection, recent regulations (i.e. e-Discovery) are now requiring data retention and retrieval on messaging (email and instant messages). Frequently, blunt and unedited email and instant messages can become the smoking gun in litigation.

In order to become compliant, organizations must take several actions.

First is to design and implement comprehensive written information security policies for all staff.

Second is to deploy technical solutions that will maintain constant vigil on the data environment and notify of policy breaches.

Third is to monitor and enforce. If systems are implemented but review is not active, all efforts are lost. This also matters when courts review a company's diligence in managing its environment.

The implications of non-compliance can range from hefty fines to potential prosecution and imprisonment of senior executives. The consequences are the same for a company that refuses to deliver the data as for one that simply has not retained it. Over the past year there have been several major court cases in which failure to produce requested documents resulted in favorable awards to the plaintiffs, and in some cases fines were added.
High-profile cases, such as Enron and WorldCom, are weighty reminders that compliance and regulation are serious business issues.

What to Do?

So, what do organizations need to know to navigate the regulation matrix? More importantly, how can content security solutions help meet the compliance challenge?

The role of Content Security in Compliance is complex and wide-ranging. Regulatory compliance covers:

Privacy

Records retention and archiving

Monitoring of content for compliance

Recovery or discovery of information in response to litigation or court orders

From the Sarbanes-Oxley (SOX) Act to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), regulatory compliance requires vigilant content security policies for email and instant messaging, including archiving and encryption. SOX, for example, mandates that the processes - including internal and external email - used to produce financial reports must be consistent, reliable, secure and accurate. Organizations, therefore, need to ensure that email systems are spam- and virus-free, and that internally and externally shared data is secure. Protect, archive and retrieve. The SOX Act mandates that any email or IM included in the documented financial reporting process is retained for seven years. The challenge can be identifying the right messages to keep and finding them quickly and easily when required. Many businesses estimate that more than 50 percent of messages are not required for compliance purposes, but best practices now say to retain all messages.

SOX Does Not Apply to My Company

For those who may have decided that SOX or HIPAA does not apply to their business, e-Discovery (aka FRCP) will probably ensnare you. With a Supreme Court ruling in December, 2006, fundamentally any business that has employees is covered. The requirement is that all digital data (email, IM, documents) be retained for up to five years. Your specific industry compliance may add to this term; NASD, for example, requires seven years. In case of litigation, the plaintiff's counsel can request all data/messages for selected time periods and personnel. Thirty days is the typical allowance to deliver all subpoenaed documents in a readable printed format.

Conclusion

Do you still feel that you may not be on the compliance list? Here is a list of current US regulations or agencies that can impact your business, depending on your industry and company structure.

FOIA- Freedom of Information Act
HIPAA
SEC
NASD
GLBA - Gramm-Leach-Bliley
SOX
FRCP/e-Discovery

Now you can see how broad the question of whether your business is required to meet compliance can become. Most companies fall under more than one regulation. The best course of action is to assume that you are expected to comply. Most of the compliance measures have similar expectations: manage and retain your data environment.

We work with companies of all sizes to assure their data and messaging is in compliance. Our solutions are state of the art, quick to implement, cost effective and provide the comfort to know your data is secure. A phone discussion is a great way to assess your environment and what would be the best action plan. Visit our website www.enclavedata.com to learn more.

You have the responsibility to maintain your company's digital environment; with the right tools you can now also have the control to assure compliance and protect your company's assets.