Compliance Challenges:
Common regulations that organizations adhere to include:
Freedom of Information Act
Who is required to comply?
All US Government entities, federal, local and state
and those who do business with any federal or state
agency or funded institution.
What is it?
The Freedom of Information Act, or FOIA, applies to
all government sectors and went into effect in July
1967. It mandates that government records, documents
and correspondence be disclosed to the public.
What are the requirements?
The Freedom of Information Act mandates that if you
are in business with a government-funded institution
or a state or federal agency, you must retain all
email records and business correspondence.
Government entities must likewise retain email
records, as they are subject to the FOIA.
What is the cost of non-compliance?
Heavy fines and loss of corporate/political
reputation.
What is the significance of Freedom of Information compliance?
The Freedom of Information Act provides greater
accountability on part of the US government and
those who do business with it.
HIPAA
Who is required to comply?
Healthcare providers: hospitals, physicians and
nurses, public health authorities, pharmacists, life
insurers, self-insured employers and medical billing
services.
What is it?
The Health Insurance Portability and Accountability
Act was issued in 1996. It establishes standards for
electronic data exchange and for the confidentiality
and security of all information related to
healthcare. Data must remain accessible to authorized
users and auditors while remaining secure and
protected from unauthorized sources or usage.
What are the requirements?
There are two components: the Privacy Rule and the
Security Rule.
Privacy Rule: Addresses and standardizes how
organizations use and disclose health information.
This rule protects against unauthorized disclosure
of identifiable health information within an
organization or its business associates. It covers
all media: verbal, paper and, most pertinently,
electronic. Health organizations must notify
patients of their privacy rights and enforce
procedures to protect them.
Security Rule: Requires that organizations receive,
maintain and transmit electronic health information
in a secure and confidential manner while keeping it
readily available. Safeguards for this information
fall into three categories: administrative, physical
and technical.
What is the cost of non-compliance?
Heavy fines up to $250K, imprisonment up to 10 years
and loss of corporate reputation.
What is the significance of HIPAA compliance?
The act provides patients with increased control
over how protected health information is used and
disclosed. Organizations must standardize policies
and procedures to ensure patient confidentiality.
FDA 21 CFR Part 11
Who is required to comply?
All pharmaceutical manufacturing companies and those
doing business with said companies.
What is it?
The Food and Drug Administration began enforcing the
Act in 2000. The Act mandates that electronic
records maintain a high level of safety and
integrity, protecting them against corruption or
deletion.
What are the requirements?
FDA 21 CFR Part 11 requires that all electronic
records have a time-stamped audit trail and carry a
unique fingerprint. If content is changed, the
security features in place must identify who
modified it and when. Electronic records must be
retained in case of future litigation or reference.
What is the cost of non-compliance?
Heavy fines and loss of corporate reputation.
What is the significance of FDA compliance?
FDA 21 CFR Part 11 provides measures and controls
against corporate corruption or misrepresentation
of information.
SEC 17a (3, 4)
Who is required to comply?
All persons engaged in trading securities as a
broker or dealer, and persons associated with the
business.
What is it?
The Securities and Exchange Commission rules on
electronic storage of broker-dealer records, in
effect since May 2003. They establish standards for
document and email retention in an accessible,
non-rewriteable and non-erasable format.
What are the requirements?
SEC Rule 17a-4 requires brokers and dealers to
preserve email records for six years, the first two
years of which must be in an easily accessible
location. All records must be time-stamped with a
unique and sequential identification number, stored
in a non-rewriteable/non-erasable format, and
organized and indexed, with a duplicate copy stored
separately from the original. The indexes must also
be duplicated and stored separately from the
originals, be available for examination and be
preserved as long as the original records, for at
least six years.
What is the cost of non-compliance?
Heavy fines, imprisonment and loss of corporate
reputation.
What is the significance of SEC 17a (3, 4) compliance?
The act is designed to protect investors and brokers
from fraudulent activity and misinterpretation
through electronic messaging.
NASD Rule 3110 & NYSE Rule 440
Who is required to comply?
All persons engaged in trading securities as a
broker or dealer, and persons associated with the
business.
What is it?
Both the National Association of Securities Dealers
(NASD) Conduct Rule 3110 on Books and Records and
the NYSE Rule 440 went into effect May 2003. Both
rules establish standards for the preservation of
accounts, records and importantly, electronic
correspondence under the guidelines approved by the
SEC 17a (3, 4).
What are the requirements?
NASD Rule 3110 and NYSE Rule 440 require brokers and
dealers to retain all electronic records and
correspondence between the firm and its customers.
Closely mirroring the SEC 17a (3, 4) rules, they
require emails to be retained for six years in an
accessible, non-rewriteable and non-erasable format.
NASD Rule 3110 also requires that supervisors be
able to review outgoing corporate mail for
non-compliant language and to enforce internal
policy on email correspondence.
What is the cost of non-compliance?
Heavy fines, imprisonment and loss of corporate
reputation.
What is the significance of NASD Rule 3110 and NYSE Rule 440 compliance?
The rules are designed to protect investors and
brokers from fraudulent activity and
misinterpretation through electronic messaging.
IDA 29.7 (Canada)
Who is required to comply?
All Canadian Investment companies and those who do
business with said companies.
What is it?
IDA 29.7 is a regulation of the Investment Dealers
Association of Canada that mandates that all client
correspondence, largely email, be archived and
retained.
What are the requirements?
All client correspondence, largely email and IM,
must be retained for five years from the date of
creation. All information must be available for
audit and review by the Association at all times,
so a speedy discovery process is necessary to
satisfy such requests. Proof is required that the
information has not been corrupted.
What is the cost of non-compliance?
Heavy fines and loss of corporate reputation.
What is the significance of IDA 29.7 compliance?
IDA 29.7 provides corporate accountability in the
face of fraudulent activity and misinterpretation of
electronic information.
Investment Advisors Act
Who is required to comply?
Hedge Fund Managers/Advisors and their companies
with assets worth $25M or more.
What is it?
The SEC implemented a new regulation on private
investment pools, the Investment Advisors Act (IAA),
in February 2006. All hedge fund managers with $25M
or more in assets are subject to the IAA
regulations, and the SEC requires that all such
companies be registered under the Act.
What are the requirements?
The IAA mandates that investment managers and
advisors archive their records, largely electronic
correspondence, for a minimum of five years from the
end of the fiscal year in which each record was
created, in an easily accessible location. For the
first two years the records must be held internally
in the investment office, where they are subject to
random review by the Commission. Archived messages
must be stored in an archive available online, with
a second copy stored on tamper-proof media. Further,
messages must be time- and date-stamped with a
unique serial ID.
What is the cost of non-compliance?
Heavy fines, imprisonment and loss of corporate
reputation.
What is the significance of Investment Advisors Act compliance?
The Investment Advisors Act provides corporate
accountability against fraudulent activity and
corruption. It also safeguards financial information
from potential leakage.
Gramm-Leach-Bliley
Who is required to comply?
All banks, credit reporting agencies, securities
companies, tax preparation companies, real estate
settlement service companies, debt collectors,
insurance companies and those doing business with
said companies.
What is it?
The Gramm-Leach-Bliley Act (GLBA) was signed in
November 1999 and took full effect in July 2001. The
Act governs how customers' financial information is
collected and disclosed, and requires financial
institutions to implement and maintain safeguards
that protect information and prevent corruption,
fraud and leakage.
What are the requirements?
The Gramm-Leach-Bliley Act mandates that the
confidentiality and security of customer information
be enforced by securing the information, such as
email correspondence, and limiting access to it.
Storage locations for this information must be
protected with secure access controls. Email
retention periods parallel those of the SEC 17a-4
regulation, which requires retention for six years
in an easily accessible space, secure from erasure
and rewriting.
What is the cost of non-compliance?
Heavy fines, up to five years of imprisonment and
loss of corporate reputation.
What is the significance of Gramm-Leach-Bliley compliance?
The significance behind the Gramm-Leach-Bliley Act
is to enhance protection of non-public personal
financial information and ensure its safety through
proper record keeping, supervisory review and
access.
FRCP
Who is required to comply?
Any entity that could be summoned in a US civil
lawsuit: both residents and businesses in the US,
and companies conducting business or transactions
with such entities.
What is it?
The Federal Rules of Civil Procedure (FRCP) are the
court rules for civil lawsuits in the US federal
court system. The FRCP is divided into thirteen
sections, each containing a set of rules defining
the procedures of the civil lawsuit process.
Amendments to the FRCP on December 1, 2006 addressed
and approved changes to the rules on electronically
stored information (ESI), requiring all data
compilations to be available for discovery requests.
What are the requirements?
The FRCP mandates that any party involved in
litigation must be able to produce electronically
stored information in as little as fourteen days.
Furthermore, the information must be produced in an
easily accessible form, typically its native format.
What is the cost of non-compliance?
Both your own and the other party's court costs,
heavy fines and loss of corporate reputation.
What is the significance of FRCP?
The FRCP is designed to provide corporate
accountability during discovery requests for
litigation. The FRCP ensures that email, which is a
critical portion of corporate records, is archived,
searchable and useable to extract information during
the discovery process.
PIPEDA (Canada)
Who is required to comply?
All Canadian companies and those who do business
with said companies.
What is it?
The Personal Information Protection and Electronic
Documents Act (PIPEDA) is a Canadian law enacted in
January 2004. The Act protects personal information
held by Canadian companies and organizations, and
provides guidelines for the use and release of that
information.
What are the requirements?
PIPEDA mandates that any personal information
collected by a company be collected with consent and
used only for the purpose for which it was initially
collected. Records, largely email correspondence,
must be stored securely, with password-protected
access limited to designated personnel. Email
records must be retained for the entire course of
business to which the information relates, and for
as long as that information may be required in the
future.
What is the cost of non-compliance?
Heavy fines, court costs and loss of corporate
reputation.
What is the significance of PIPEDA?
PIPEDA safeguards personal information that may have
been exchanged during the course of business. The
act provides accountability and security to this
sensitive data by restricting its access and
providing security measures around it.
Sarbanes-Oxley
Who is required to comply?
All publicly traded companies are required to
comply, along with associated attorneys and business
partners. Sarbanes-Oxley has also set an e-records
management standard for all businesses to attain.
What is it?
The Enron and WorldCom scandals redefined electronic
record management legislation globally.
Sarbanes-Oxley was implemented in 2002 and
legislates how business records are protected and
preserved to prevent destruction and corruption.
Further, SOX, as it is commonly referred to,
enforces corporate accountability particularly in
the face of audit and litigation requests.
What are the requirements?
Sarbanes-Oxley mandates that all electronic records,
audit work papers and correspondence be retained for
seven years. Further, tamper-proof storage is
required to prevent corruption and modification of
records.
What is the cost of non-compliance?
Heavy fines, up to 20 years imprisonment and loss of
company reputation.
What is the significance of Sarbanes-Oxley compliance?
The rule is designed to protect investors from
fraudulent activity and safeguard financial data.
All public companies are responsible for
implementing and practicing dependable record
management policies that allow for disclosure of
information and transparency of business practices.
*This is not a complete list of compliance regulations for the above industries.
FAQ:
Q. How does Jatheon’s Plug n Comply™ solution search and retrieve e-mails?
A. The appliance indexes and archives the data much
as a dictionary does. When a search is performed,
your query is run against the dictionary or index
file. Only when an e-mail is clicked on does the
appliance retrieve it in uncompressed form. This
type of indexing allows e-mails to be searched very
quickly and efficiently.
Jatheon’s technology allows on average a 10 to 1
compression ratio on all data stored on the
appliance.
Q. How long does the implementation take for Jatheon’s Plug n Comply™ solution?
A. It takes only a few hours, not days, because the
appliance is non-intrusive to the network layer. Our
appliance requires minimal training and is simple to
deploy, manage and operate.
Q. Is it possible to delete messages from Jatheon’s Plug n Comply™?
A. No. All messages are stored in the appliance
until the pre-determined expunge date. This date is
decided by the champion of the e-mail archiving
initiative.
Q. Is there any hardware or software required for Jatheon’s Plug n Comply™?
A. No. The appliance is a turn-key solution that
comes equipped with all the hardware and software
for e-mail archiving.
Q. What e-mail platforms does Jatheon’s Plug n Comply™ support?
A. The appliance integrates with all the major
e-mail platforms: Microsoft Exchange, Lotus Notes,
Novell Groupwise and Kerio.
Q. Is it possible to upload an existing archive?
A. Yes. Jatheon offers professional services for
data migration.
Q. Does a full audit trail exist?
A. Yes. All messages are time and date stamped. The
appliance also offers authenticity features which
include a DNA fingerprint to ensure that the e-mail
has not been manipulated.
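The retention requirements listed above (SEC 17a-4's time-stamped, sequentially numbered, non-rewriteable records; the audit trail and fingerprint in this answer) can be modelled as an append-only, hash-chained journal. The following is an added example, not Jatheon's code or a description of the appliance; the journal layout, SHA-256 fingerprint and sample messages are assumptions made here.

```python
# Added example (not Jatheon's code): hash-chained, time-stamped archive journal and auditor check.
import hashlib
import json
from datetime import datetime, timezone
GENESIS = "0" * 64  # prev_hash of the first entry


def fingerprint(raw_message: bytes) -> str:
    """SHA-256 over the raw message bytes; any edit to the message changes it."""
    return hashlib.sha256(raw_message).hexdigest()


def entry_hash(entry: dict) -> str:
    """Digest over serial, timestamp, fingerprint and prev_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ArchiveJournal:
    """Each entry commits to its predecessor, so rewriting history is detectable."""
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, raw_message: bytes, received_at: datetime) -> dict:
        entry = {
            "serial": len(self.entries) + 1,  # unique, sequential ID
            "timestamp": received_at.astimezone(timezone.utc).isoformat(),
            "fingerprint": fingerprint(raw_message),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry


def verify(entries: list[dict], store: dict[int, bytes]) -> list[str]:
    """Re-derive the chain against stored messages; an empty list means intact."""
    findings, prev = [], GENESIS
    for position, e in enumerate(entries, start=1):
        if e["serial"] != position:
            findings.append(f"serial {e['serial']} out of sequence at {position}")
        if e["prev_hash"] != prev or entry_hash(e) != e["entry_hash"]:
            findings.append(f"journal entry {e['serial']} altered or chain broken")
        raw = store.get(e["serial"])
        if raw is None:
            findings.append(f"message {e['serial']} missing from store")
        elif fingerprint(raw) != e["fingerprint"]:
            findings.append(f"message {e['serial']} content changed")
        prev = e["entry_hash"]
    return findings


SAMPLE_MESSAGES = (b"Subject: Trade\r\n\r\nConfirmed.\r\n",  # constructed sample input
                   b"Subject: Review\r\n\r\nPlease review.\r\n")


def build_sample() -> tuple[ArchiveJournal, dict[int, bytes]]:
    journal = ArchiveJournal()
    for i, body in enumerate(SAMPLE_MESSAGES, start=1):
        journal.append(body, datetime(2007, 3, 1, 9, i, tzinfo=timezone.utc))
    return journal, dict(enumerate(SAMPLE_MESSAGES, start=1))
```

Running `verify` against a copy of the store in which a message was edited, an entry was removed, or a timestamp was changed returns a finding for each, which is the check an auditor would run rather than trusting the archive's own claim of integrity.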
Q. Does Jatheon’s Plug n Comply™ archive all e-mails?
A. Yes. All e-mails that go through the e-mail
server are archived.
Q. Does Jatheon’s Plug n Comply™ archive Instant Messaging and Bloomberg Mail?
A. Yes, we archive specific types of IM (Yahoo, MSN,
AIM, ICQ, etc.) and Bloomberg Mail.
Q. Does Jatheon’s Plug n Comply™ solution impact the performance of the existing e-mail server?
A. No. Because the appliance is non-intrusive, it
has no impact on the performance of your e-mail
server.
Q. Data Migration: ...can the product automatically migrate data between tiers or systems? If so, briefly describe.
A. Yes – the PnC products support data migration.
Migration and ingestion of existing customer data is
done by the appliance from files in either PST or
EML format. Using the optional Jatheon PST crawler,
local PST files are located, imported and ingested
into the appliance for archiving and searching.
The Jatheon suite of products is integral to the
e-mail platform migration process. Clients wishing
to move from one e-mail platform to another, e.g.
Novell Groupwise to Exchange 2007, are usually
concerned about their data being lost or compromised
during the migration. By including Jatheon’s
solution in their platform migration strategy, the
client can go through the process with ease and
confidence, knowing that all e-mail has been
archived on the Jatheon appliance.