Compliance
Odds are very high that your organization or firm is subject to some regulation on how to retain records. Some industries face stricter rules than others; for example, health care organizations must adhere to HIPAA guidelines and are therefore governed by different rules than the financial sector. Regulations are something that just about any organization has to deal with. The real challenge, however, is knowing which guidelines apply to you and keeping up to date, as they are constantly changing.
Compliance Challenges:
Common regulations that organizations adhere to include:
- The Freedom of Information Act
- FDA 21 CFR Part 11
- HIPAA
- SEC 17a (3, 4)
- NASD Rule 3110 & NYSE Rule 440
- IDA 29.7 (Canada)
- Investment Advisors Act
- Sarbanes-Oxley
- PIPEDA (Canada)
- Gramm-Leach-Bliley
Freedom of Information Act
Who is required to comply?
All US government entities (federal, state and local) and anyone who does business with a federal or state agency or a government-funded institution.
What is it?
The Freedom of Information Act, or FOIA, applies to all government sectors and went into effect in July 1967. It mandates that government records, documents and correspondence be disclosed to the public.
What are the requirements?
The Freedom of Information Act mandates that if you are in business with a government-funded institution or a state or federal agency, you must retain all email records and business correspondence. Further, government entities must also retain email records, as they are subject to the FOIA.
What is the cost of non-compliance?
Heavy fines and loss of corporate/political reputation.
What is the significance of Freedom of Information compliance?
The Freedom of Information Act provides greater accountability on part of the US government and those who do business with it.
HIPAA
Who is required to comply?
Healthcare providers: hospitals, physicians and nurses, public health authorities, pharmacists, life insurers, self-insured employers and medical billing services.
What is it?
The Health Insurance Portability and Accountability Act was issued in 1996. It establishes standards for electronic data exchange and for the confidentiality and security of all information related to healthcare. Data must remain accessible to authorized users and auditors while remaining secure and protected from unauthorized sources or usage.
What are the requirements?
There are two components: the Privacy Rule and the Security Rule.
Privacy Rule: Addresses and standardizes how organizations use and disclose health information. This rule protects against unauthorized disclosure of identifiable health information within an organization or its business associates. It covers all media: verbal, paper and, most pertinently, electronic. Health organizations must notify patients of their privacy rights and enforce procedures to protect them.
Security Rule: Requires that organizations receive, maintain and transmit electronic health information in a secure and confidential manner while keeping it readily available. There are three categories of safeguards for this information: administrative, physical and technical.
What is the cost of non-compliance?
Heavy fines up to $250K, imprisonment up to 10 years and loss of corporate reputation.
What is the significance of HIPAA compliance?
The act provides patients with increased control over how protected health information is used and disclosed. Organizations must standardize policies and procedures to ensure patient confidentiality.
FDA 21 CFR Part 11
Who is required to comply?
All pharmaceutical manufacturing companies and those doing business with said companies.
What is it?
The Food and Drug Administration began enforcing the rule in 2000. It mandates that electronic records maintain a high level of safety and integrity, protecting them against corruption or deletion.
What are the requirements?
FDA 21 CFR Part 11 requires that every electronic record have a time-stamped audit trail and a unique fingerprint. If the content is changed, the security features in place must identify who modified it and at what time. Electronic records must be retained for future litigation or reference.
What is the cost of non-compliance?
Heavy fines and loss of corporate reputation.
What is the significance of FDA compliance?
FDA 21 CFR Part 11 provides measures and controls against corporate corruption or misrepresentation of information.
SEC 17a (3, 4)
Who is required to comply?
All persons engaged in trading securities as a broker or dealer, and persons associated with the business.
What is it?
The Securities and Exchange Commission rules on electronic storage of broker-dealer records, in effect since May 2003. They establish standards for document and email retention in an accessible, non-rewritable and non-erasable format.
What are the requirements?
SEC Rule 17a-4 requires brokers and dealers to preserve email records for six years, the first two of which in an easily accessible location. All records must be time-stamped with a unique and sequential identification number, stored in a non-rewritable, non-erasable format, organized and indexed, with a duplicate copy stored separately from the original. The indexes must also be duplicated and stored separately from the originals, be available for examination and be preserved as long as the original records, that is, for at least six years.
What is the cost of non-compliance?
Heavy fines, imprisonment and loss of corporate reputation.
What is the significance of SEC 17a (3, 4) compliance?
The act is designed to protect investors and brokers from fraudulent activity and misinterpretation through electronic messaging.
NASD Rule 3110 & NYSE Rule 440
Who is required to comply?
All persons engaged in trading securities as a broker or dealer, and persons associated with the business.
What is it?
Both the National Association of Securities Dealers (NASD) Conduct Rule 3110 on Books and Records and NYSE Rule 440 went into effect in May 2003. Both rules establish standards for the preservation of accounts, records and, importantly, electronic correspondence under the guidelines approved in SEC 17a (3, 4).
What are the requirements?
NASD Rule 3110 and NYSE Rule 440 require brokers and dealers to retain all electronic records and correspondence between the firm and its customers. Closely following the SEC 17a (3, 4) rules, they require emails to be retained for six years in an accessible, non-rewritable and non-erasable format. NASD Rule 3110 also requires that supervisors be able to review outgoing corporate mail for non-compliant language and enforce internal policy on email correspondence.
What is the cost of non-compliance?
Heavy fines, imprisonment and loss of corporate reputation.
What is the significance of NASD Rule 3110 and NYSE Rule 440 compliance?
The rules are designed to protect investors and brokers from fraudulent activity and misinterpretation through electronic messaging.
IDA 29.7 (Canada)
Who is required to comply?
All Canadian investment companies and those who do business with them.
What is it?
IDA 29.7, a regulation of the Investment Dealers Association of Canada, mandates that all client correspondence, which is largely email, be archived and retained.
What are the requirements?
All client correspondence, largely email and IM, must be retained for five years from the date of creation. All information must be available for audit and review by the Association at all times, so a speedy discovery process is necessary to comply with such requests. Proof is required that the information has not been corrupted.
What is the cost of non-compliance?
Heavy fines and loss of corporate reputation.
What is the significance of IDA 29.7 compliance?
IDA 29.7 provides corporate accountability in the face of fraudulent activity and misinterpretation of electronic information.
Investment Advisors Act
Who is required to comply?
Hedge fund managers and advisors, and their companies, with assets of $25M or more.
What is it?
The SEC implemented a new regulation on private investment pools, the Investment Advisors Act (IAA), in February 2006. All hedge fund managers with $25M or more in assets are liable under the IAA regulations, and the SEC requires that all such companies be registered under the Act.
What are the requirements?
The IAA mandates that investment managers and advisors archive their records, largely electronic correspondence, for a minimum of five years from the end of the fiscal year in which the record was created, in an easily accessible location. For the first two years the records must be kept internally in the investment office, where they are subject to random review by the Commission. Archived messages must be stored in an archive available online, with a second copy stored on tamper-proof media. Further, messages must be time- and date-stamped with a unique serial ID.
What is the cost of non-compliance?
Heavy fines, imprisonment and loss of corporate reputation.
What is the significance of Investment Advisors Act compliance?
The Investment Advisors Act provides corporate accountability against fraudulent activity and corruption. It also safeguards financial information from potential leakage.
Gramm-Leach-Bliley
Who is required to comply?
All banks, credit reporting agencies, securities companies, tax preparation companies, real estate settlement service companies, debt collectors, insurance companies and those doing business with them.
What is it?
The Gramm-Leach-Bliley Act, commonly referred to as the GLBA, was signed in November 1999 and came into full effect in July 2001. The Act governs how customers' financial information is collected and disclosed, and requires financial institutions to implement and maintain safeguards that protect information and prevent corruption, fraud and leakage.
What are the requirements?
The Gramm-Leach-Bliley Act mandates that the confidentiality and security of customer information be enforced by securing the information, such as email correspondence, and limiting access to it. Storage locations for this information must be protected with secure access controls. Email retention periods parallel those of SEC Rule 17a-4, which requires retention for six years in an easily accessible space, secure from erasure and rewriting.
What is the cost of non-compliance?
Heavy fines, up to five years of imprisonment and loss of corporate reputation.
What is the significance of Gramm-Leach-Bliley compliance?
The significance behind the Gramm-Leach-Bliley Act is to enhance protection of non-public personal financial information and ensure its safety through proper record keeping, supervisory review and access.
FRCP
Who is required to comply?
Any entity that could be summoned in a US civil lawsuit: both residents and businesses in the US, and companies conducting business or transactions with them.
What is it?
The Federal Rules of Civil Procedure, commonly referred to as the FRCP, are the court rules for civil lawsuits in the US federal court system. The FRCP is divided into thirteen sections, each containing a set of rules that define the procedures of the civil lawsuit process. Amendments to the FRCP on December 1, 2006 addressed electronically stored information (ESI), requiring all data compilations to be available for discovery requests.
What are the requirements?
The FRCP mandates that any party involved in litigation be able to produce electronically stored information in as little as fourteen days. Furthermore, the information must be produced in an easily accessible form, typically its native format.
What is the cost of non-compliance?
Both your own and the other party's court costs, heavy fines and loss of corporate reputation.
What is the significance of FRCP?
The FRCP is designed to provide corporate accountability during discovery requests for litigation. The FRCP ensures that email, which is a critical portion of corporate records, is archived, searchable and useable to extract information during the discovery process.
PIPEDA (Canada)
Who is required to comply?
All Canadian companies and those who do business with said companies.
What is it?
The Personal Information Protection and Electronic Documents Act, commonly referred to as PIPEDA, is a Canadian law enacted in January 2004. The Act protects personal information held by Canadian companies and organizations, and provides guidelines for the use and release of that information.
What are the requirements?
PIPEDA mandates that any personal information collected by a company be collected with consent and used only for the purpose for which it was initially collected. Records, largely email correspondence, must be stored securely; security must include password access and limited personnel access. Electronic email records must be retained for the entire course of the business to which the information relates, including any future time at which that information may be required.
What is the cost of non-compliance?
Heavy fines, court costs and loss of corporate reputation.
What is the significance of PIPEDA?
PIPEDA safeguards personal information that may have been exchanged during the course of business. The act provides accountability and security to this sensitive data by restricting its access and providing security measures around it.
Sarbanes-Oxley
Who is required to comply?
All publicly traded companies, along with their associated attorneys and business partners. Sarbanes-Oxley has also set an e-records management standard for all businesses to attain.
What is it?
The Enron and WorldCom scandals redefined electronic record management legislation globally. Sarbanes-Oxley was implemented in 2002 and legislates how business records are protected and preserved to prevent their destruction and corruption. Further, SOX, as it is commonly referred to, enforces corporate accountability, particularly in the face of audit and litigation requests.
What are the requirements?
Sarbanes-Oxley mandates that all electronic records, audit work papers and correspondence be retained for seven years. Further, tamper-proof resources are required to prevent corruption and modification of records.
What is the cost of non-compliance?
Heavy fines, up to 20 years imprisonment and loss of company reputation.
What is the significance of Sarbanes-Oxley compliance?
The rule is designed to protect investors from fraudulent activity and to safeguard financial data. All public companies are responsible for implementing and practicing dependable record management policies that allow for disclosure of information and transparency of business practices.
* This is not a complete list of compliance regulations for the industries specified above.
Why Jatheon:
Jatheon’s Plug n Comply™ appliance is an integrated solution that is simple, secure and scalable, offering absolute control of confidential messaging data. The Jatheon appliance allows organizations to meet and exceed the highest standards of regulatory compliance and corporate governance. Our network appliance reduces the risk associated with outsourced technologies, significantly reduces e-mail storage and discovery costs, and enforces electronic records management policies. Additionally, Jatheon’s archiving appliance will offer indexing and archiving functionality for enterprise-based e-mail encryption systems. Jatheon is the only company with a solution for companies deploying end-to-end e-mail encryption.
At Jatheon, we're committed to providing you with everything you need, day in and day out, to keep your e-mail securely stored and your business productive. Our industry-leading customer service, technology and expertise give you complete peace of mind, eliminating risk and giving you the time to focus on your business. We offer organizations a cost-effective, easy-to-use e-mail management solution that is complemented by constantly evolving next-generation technologies. As a result, organizations are able to satisfy their e-mail and policy management, compliance, legal discovery, and mail migration needs.
FAQ:
Q. How does Jatheon’s Plug n Comply™ solution search and retrieve e-mails?
A. The appliance indexes and archives the data much as a dictionary would. When a search is performed, your query is run against the dictionary or index file. Only when an e-mail is clicked on does the appliance retrieve it in uncompressed form. This type of indexing allows e-mails to be searched very quickly and efficiently.
Jatheon’s technology allows on average for a 10 to 1 compression ratio on all data stored on the appliance.
Q. How long does the implementation take for Jatheon’s Plug n Comply™ solution?
A. It takes only a few hours, not days, because the appliance is non-intrusive to the network layer. Our appliance requires minimal training and is simple to deploy, manage and operate.
Q. Is it possible to delete messages from Jatheon’s Plug n Comply™?
A. No. All messages are stored in the appliance until the pre-determined expunge date, which is decided by the champion of the e-mail archiving initiative.
Q. Is there any hardware or software required for Jatheon’s Plug n Comply™?
A. No. The appliance is a turn-key solution that comes equipped with all the hardware and software for e-mail archiving.
Q. What e-mail platforms does Jatheon’s Plug n Comply™ support?
A. The appliance integrates with all the major e-mail platforms: Microsoft Exchange, Lotus Notes, Novell Groupwise and Kerio.
Q. Is it possible to upload an existing archive?
A. Yes. Jatheon offers professional services for data migration.
Q. Does a full audit trail exist?
A. Yes. All messages are time- and date-stamped. The appliance also offers authenticity features, which include a DNA fingerprint to ensure that the e-mail has not been manipulated.
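The retention rules above all ask for the same handful of properties: a time stamp and a unique, sequential identifier on every record (SEC 17a-4, the Investment Advisors Act), an audit trail that reveals whether content was changed (FDA 21 CFR Part 11), proof that records have not been corrupted (IDA 29.7) and a duplicate index kept separately from the original (SEC 17a-4). The following Python is an added example of how an archive can make tampering detectable; it is not Jatheon's code, and the page says nothing about how the appliance's DNA fingerprint is computed. The SHA-256 hash chain, the in-memory dict standing in for non-rewritable storage and the sample messages are all assumptions constructed for the example.

```python
import hashlib
import json

# Added example, not Jatheon's code: a tamper-evident, append-only archive index.
# Every entry carries a sequential ID, an ingest timestamp, the SHA-256 digest of
# the raw message and the digest of the previous entry, so a later change to a
# stored message or to the index fails verification. The SHA-256 chain and the
# in-memory dict standing in for non-rewritable (WORM) storage are assumptions.

GENESIS = "0" * 64  # chain anchor before the first entry


class ArchiveIndex:
    def __init__(self):
        self.records = []  # the index; the rules above expect a duplicate kept separately
        self.store = {}    # stand-in for WORM storage: seq -> raw message bytes

    @staticmethod
    def _entry_hash(rec):
        fields = {k: rec[k] for k in ("seq", "timestamp", "content_hash", "prev_hash")}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def ingest(self, raw_message, timestamp):
        """Append one message; timestamp is an ISO 8601 string from a trusted clock."""
        seq = len(self.records) + 1
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        rec = {
            "seq": seq,
            "timestamp": timestamp,
            "content_hash": hashlib.sha256(raw_message).hexdigest(),
            "prev_hash": prev,
        }
        rec["record_hash"] = self._entry_hash(rec)
        self.records.append(rec)
        self.store[seq] = raw_message
        return rec

    def verify(self):
        """Return the problems found; an empty list means the archive is intact."""
        problems = []
        prev = GENESIS
        for pos, rec in enumerate(self.records, start=1):
            if rec["seq"] != pos:
                problems.append(f"entry {pos}: sequence gap or reorder (seq={rec['seq']})")
            if rec["prev_hash"] != prev:
                problems.append(f"entry {pos}: chain broken")
            if self._entry_hash(rec) != rec["record_hash"]:
                problems.append(f"entry {pos}: index entry altered")
            raw = self.store.get(rec["seq"])
            if raw is None:
                problems.append(f"entry {pos}: message missing from store")
            elif hashlib.sha256(raw).hexdigest() != rec["content_hash"]:
                problems.append(f"entry {pos}: message content altered")
            prev = rec["record_hash"]
        return problems

    def matches_duplicate(self, duplicate_records):
        """Compare with the separately stored copy of the index. The chain alone
        cannot detect truncation (dropping the newest entries); the copy can."""
        if len(self.records) != len(duplicate_records):
            return False
        return all(a["record_hash"] == b["record_hash"]
                   for a, b in zip(self.records, duplicate_records))


def build_sample_archive():
    """Constructed sample: three short messages ingested with fixed timestamps."""
    idx = ArchiveIndex()
    samples = [
        b"From: alice@example.com\r\nSubject: Trade confirm\r\n\r\nBuy 100 XYZ @ 10.00\r\n",
        b"From: bob@example.com\r\nSubject: Re: Trade confirm\r\n\r\nConfirmed.\r\n",
        b"From: alice@example.com\r\nSubject: Statement\r\n\r\nAttached.\r\n",
    ]
    for i, raw in enumerate(samples):
        idx.ingest(raw, timestamp=f"2024-01-15T09:{30 + i:02d}:00+00:00")
    return idx


def tamper_scenarios():
    """verify() on an intact archive and on copies altered in different ways."""
    results = {"intact": build_sample_archive().verify()}

    edited = build_sample_archive()                       # stored message rewritten
    edited.store[2] = b"From: bob@example.com\r\n\r\nEdited after the fact.\r\n"
    results["edited_message"] = edited.verify()

    backdated = build_sample_archive()                    # index entry rewritten
    backdated.records[1]["timestamp"] = "2024-01-14T09:31:00+00:00"
    results["backdated_index"] = backdated.verify()

    deleted = build_sample_archive()                      # middle record removed
    del deleted.records[1]
    del deleted.store[2]
    results["deleted_record"] = deleted.verify()

    truncated = build_sample_archive()                    # newest record removed
    duplicate = [dict(r) for r in truncated.records]      # copy kept on separate media
    truncated.records.pop()
    del truncated.store[3]
    results["truncated"] = truncated.verify()
    results["truncation_caught_by_duplicate"] = not truncated.matches_duplicate(duplicate)
    return results
```

`verify()` walks the chain and reports an edited message, an edited index entry, and a deleted or reordered entry. Dropping only the newest entries leaves a valid, shorter chain, which is exactly the gap the separately stored duplicate index closes: `matches_duplicate()` flags the mismatch in length and record hashes.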
Q. Does Jatheon’s Plug n Comply™ archive all e-mails?
A. Yes. All e-mails that go through the e-mail server are archived.
Q. Does Jatheon’s Plug n Comply™ archive Instant Messaging and Bloomberg Mail?
A. Yes, we archive specific types of IM (Yahoo, MSN, AIM, ICQ, etc.) and Bloomberg Mail.
Q. Does Jatheon’s Plug n Comply™ solution impact the performance of the existing e-mail server?
A. No. Because the appliance is non-intrusive, it has no impact on the performance of your e-mail server.
Q. Data Migration: ...can the product automatically migrate data between tiers or systems? If so, briefly describe.
A. Yes. The PnC products support data migration. Migration and ingestion of existing customer data is performed by the appliance from files in either PST or EML format. The optional Jatheon PST crawler searches for local PST files and imports them into the appliance for archiving and searching.
The Jatheon suite of products is integral to the e-mail platform migration process. Clients wishing to move from one e-mail platform to another, e.g. Novell Groupwise to Exchange 2007, are usually concerned about their data being lost or compromised during the migration. By including Jatheon’s solution in their platform migration strategy, the client can go through the process with ease and comfort, knowing that all e-mail has been archived on the Jatheon appliance.
How it works:
Organizations from all industries and services face the daunting task of monitoring electronic messages to ensure strict adherence to regulatory or corporate policies. Jatheon’s Plug n Comply™ appliances offer the ability to set policies against which messages are compared in real time.
Messages received by the archive are compared to the user-created policies, and any message that violates an established policy triggers a pre-determined action. This action may include notifying the offender directly, notifying the offender’s manager, or notifying the organization’s Compliance Officer.
The Compliance Officer can review the statistics maintained by the appliance; detailed statistical information is maintained on a daily basis, and the violation statistics can be reviewed by rule.
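The policy screening described above, together with the NASD Rule 3110 requirement that supervisors be able to review outgoing mail for non-compliant language, can be illustrated with a small rule engine. The following Python is an added example and not Jatheon's implementation; the rule names and patterns, the action names, the manager mapping, the compliance officer address and the sample mailbox are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Added example, not Jatheon's code: a minimal real-time policy screen.
# Rule names, patterns, action names, addresses and the sample mailbox are constructed.

COMPLIANCE_OFFICER = "compliance@example.com"  # assumed address


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str     # regular expression matched against subject and body
    scope: str       # "outgoing", "incoming" or "all"
    actions: tuple   # any of "notify_sender", "notify_manager", "notify_compliance"


@dataclass(frozen=True)
class Message:
    msg_id: str
    date: str        # YYYY-MM-DD, used for the daily statistics
    sender: str
    subject: str
    body: str
    direction: str   # "outgoing" or "incoming"


class PolicyEngine:
    def __init__(self, rules, managers):
        self.rules = [(r, re.compile(r.pattern, re.IGNORECASE)) for r in rules]
        self.managers = managers            # sender address -> manager address
        self.stats = defaultdict(Counter)   # date -> Counter(rule name -> violations)
        self.notifications = []             # (recipient, rule name, msg_id)

    def screen(self, msg):
        """Compare one message with every rule; return the names of rules it violates."""
        text = f"{msg.subject}\n{msg.body}"
        triggered = []
        for rule, rx in self.rules:
            if rule.scope != "all" and rule.scope != msg.direction:
                continue
            if rx.search(text):
                triggered.append(rule.name)
                self.stats[msg.date][rule.name] += 1
                self._dispatch(rule, msg)
        return triggered

    def _dispatch(self, rule, msg):
        for action in rule.actions:
            if action == "notify_sender":
                target = msg.sender
            elif action == "notify_manager":
                target = self.managers.get(msg.sender, COMPLIANCE_OFFICER)
            elif action == "notify_compliance":
                target = COMPLIANCE_OFFICER
            else:
                raise ValueError(f"unknown action {action!r} in rule {rule.name}")
            self.notifications.append((target, rule.name, msg.msg_id))

    def violations_by_rule(self, date):
        """Daily per-rule counts, the view the Compliance Officer reviews."""
        return dict(self.stats.get(date, Counter()))


SAMPLE_RULES = [
    # outgoing only: supervisors review outbound mail for promissory language
    Rule("guarantee-language", r"\bguaranteed?\b[^.\n]{0,40}\breturns?\b", "outgoing",
         ("notify_sender", "notify_manager", "notify_compliance")),
    # both directions: a US Social Security number pattern anywhere in the message
    Rule("pii-ssn", r"\b\d{3}-\d{2}-\d{4}\b", "all", ("notify_compliance",)),
]

SAMPLE_MANAGERS = {"broker@example.com": "desk-head@example.com"}

SAMPLE_MESSAGES = [  # constructed mailbox
    Message("m1", "2024-01-15", "broker@example.com", "Q1 outlook",
            "I can personally guarantee a 12% return this quarter.", "outgoing"),
    Message("m2", "2024-01-16", "client@example.net", "Question",
            "Can you guarantee a return like last year? My SSN is 123-45-6789.", "incoming"),
    Message("m3", "2024-01-15", "broker@example.com", "Lunch",
            "Are we still on for noon?", "outgoing"),
    Message("m4", "2024-01-16", "broker@example.com", "Special offer",
            "Guaranteed returns, no risk. Send your SSN 987-65-4321 to enroll.", "outgoing"),
]


def run_sample():
    """Screen the constructed mailbox; return the engine and each message's violations."""
    engine = PolicyEngine(SAMPLE_RULES, SAMPLE_MANAGERS)
    hits = {m.msg_id: engine.screen(m) for m in SAMPLE_MESSAGES}
    return engine, hits
```

Each rule carries a scope, so the promissory-language rule fires only on outgoing mail (the incoming client question that mentions a guarantee is not a violation) while the PII rule fires in both directions. Every violation is counted per day and per rule and dispatches the notifications configured for that rule, which gives the Compliance Officer the by-rule daily statistics described above.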
