Monthly Report: August 2004

Corporate Governance and Compliance

Introduction
Corporate Governance and Compliance
How Do the Regulations Apply to Email?
Under the Microscope – Security, Privacy and Archiving Regulations
Gramm-Leach-Bliley Act (Privacy)
Health Insurance Portability and Accountability Act (Privacy)
Sarbanes-Oxley (Retention)
SEC Rule 17a-4 (Retention)
NASD Conduct Rules 3010 & 3110 (Retention)
What Has Been the Impact on Businesses?
How Are Companies Protecting Themselves?
How Email Security Services Help Meet Regulatory Requirements


Introduction

MessageLabs currently scans over 65m emails per day on behalf of its clients.

In August, MessageLabs scanned more than 1.3 billion emails worldwide for spam, of which over 1.1 billion, or 84.2%, were stopped as spam.

During the same period, we scanned over 1.5 billion emails for viruses, Trojans and other malicious content, and more than 106 million, or 6.9% (1 in 14.5), were intercepted.

Corporate Governance and Compliance

From the late 1990s, in both the United States and Europe, numerous regulations have been introduced to deal with corporate scandals where unethical and creative business practices fell foul of the financial reporting and disclosure regulations that existed.

These new rules are principally aimed at introducing tighter regulation of internal controls over financial reporting and disclosure. They are also intended to strengthen existing privacy laws and require businesses to develop policies for the monitoring and archiving of business transactions, which includes electronic mail and instant messaging.

In Europe, the international financial sector has been largely concerned with Basel II, or the New Basel Capital Accord, to give it its full title. Basel II, although still in draft form, has some major implications for IT, and many banks will already have been planning to develop and improve their internal processes to meet these new requirements. Basel II is essentially a framework designed to facilitate greater market stability by strengthening business processes, and it provides guidelines for more sophisticated approaches to managing risk.

The European Data Protection Directive 95/46/EC of 1995 was designed to regulate the transfer and use of personal data across Europe. One aspect of this regulation, detailed in Article 25, is to place an embargo on the use of such personal data within countries outside Europe that do not have “an adequate level of protection.”

Just what is meant by “adequate” could affect businesses on both sides of the Atlantic; hence, the EU/U.S. Safe Harbor agreement was designed to bridge this gap between the more stringent European requirements and the less centralised approach taken in America.

Moreover, the legislation in the U.S. equally applies to overseas companies that trade in the U.S. in the same way that the European regulations can apply to any businesses trading in Europe. It is speculated that similar legislation to Sarbanes-Oxley (SOX) may soon be introduced in Europe as high-profile accounting scandals make headlines.

How Do the Regulations Apply to Email?

In 2003, the U.S. Securities and Exchange Commission (SEC) and the National Association of Securities Dealers (NASD) provided clarification that brokers, dealers and other financial exchange members are required to preserve all electronic communications relating to their businesses for three years.

This interpretation may have been a surprise to those who had not previously considered email or IM to fall under this regulation: should this mean the archiving of all emails, or just those relating to specific transactions?

The consensus now suggests that any emails that may be construed as “business records” should be retained for the period required. Therefore, it is especially important to preserve any form of electronic communications that takes place with clients and business partners for compliance reasons.

According to the Yankee Group E-Mail Security Solutions Report issued February 2004, HIPAA and GLBA regulations “require enterprises to protect email containing customer data. SEC regulations require email to be archived for three years to provide records of financial transactions.”

The growing popularity of IM is borne out by media reports of Gartner’s prediction that IM is expected to exceed email in worldwide traffic by 2006. This increased use of IM, combined with low levels of monitoring, means that firms could fall foul of regulations such as the Sarbanes-Oxley Act, which requires auditing of all electronic communications.

(This is not contained within a report, but comes from a published interview with Gartner’s Maurene Kaplan-Grey).

Archiving each and every message may be considered the easiest and lowest-risk method of achieving compliance, just as printing documents and storing the paper copies once offered a solution for some businesses. Nevertheless, with the rise in the volume of email traffic, spam and instant messaging, these approaches could soon present an even greater challenge in keeping these systems running efficiently and effectively.

Under the Microscope – Security, Privacy and Archiving Regulations

Besides email, the health regulations in the U.S. and Europe now require electronic medical records to be stored securely for at least six years after final contact with the individual concerned.

Moreover, since the introduction of tighter regulations, such as the U.S. PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, 2001), and the UK Proceeds of Crime Act in 2002, banks are now required to gather and retain a wide variety of account information and transaction records for at least five years. It is now necessary to have a much greater understanding of customers and their activities than perhaps at any time before, in order to protect financial institutions from money-laundering activities.

Several regulations could apply to businesses worldwide. Some are aimed particularly at the financial sector, and those companies especially need to ensure they are aware of the following:

Gramm-Leach-Bliley Act (Privacy)

GLBA, also known as the Financial Services Modernization Act, was signed into law in 1999. It specifies a number of provisions relating to the privacy of consumer financial data and is aimed at regulating how banking organisations in particular may use the information they hold on their customers, for example to offer them other financial products.

Health Insurance Portability and Accountability Act (Privacy)

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was designed to allow employees to keep hold of their health insurance between jobs without their personal information being open to abuse. It requires healthcare providers to implement standards that safeguard the security of electronically held health information. In addition, it required the creation of a federal law to protect personally identifiable information, and it places specific requirements on health care and other organisations with regard to how they manage electronic communication with and about patients.

Sarbanes-Oxley (Retention)

SOX, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, was drafted largely as a legislative response to the corporate corruption and financial scandals rampant at the turn of the century. It provides severe criminal penalties for corporate executives who destroy documents and business information. Section 404 calls for an annual report by management attesting to the adequacy of internal financial controls.

SEC Rule 17a-4 (Retention)

The Securities and Exchange Commission has put in place a comprehensive and specific set of rules for the management of electronic communications. These rules include storage of duplicate copies, maintenance of indices, and the ability to present stored messages for inspection and review. Archives must be readily available for up to two years and at least accessible for the year following. It further requires that all business transactions and communications are to be stored and accessible for seven years.

NASD Conduct Rules 3010 & 3110 (Retention)

NASD members are required to have a system in place to supervise the activities of their employees and business associates, one that allows the retention and monitoring of all business transactions. This also includes the preservation of all customer correspondence, much of which may be in the form of emails.

What Has Been the Impact on Businesses?

According to an April 2004 IDC Worldwide Security Software Forecast report, “government and industry regulations such as HIPAA, Sarbanes-Oxley, GLBA and the SEC have caused unprecedented pressure on corporations to secure their use of electronic communications.

Each of these regulations can carry criminal penalties and/or civil penalties. Criminal means criminal prosecution of individuals as well as substantial fines. Successful criminal convictions generally lead to civil lawsuits. Civil lawsuits can carry substantial financial penalties and damage a company’s reputation with its customers.”

How Are Companies Protecting Themselves?

The 2004 Computer Security Institute (CSI) and FBI Computer Crime and Security Survey found that, “respondents in the financial, utility and telecommunications sectors believe the Sarbanes-Oxley Act is having an impact on their organisations’ information security.” In addition, according to various media reports, companies have spent anywhere from $5 to $30 million to comply with Sarbanes-Oxley to build investor trust.

These examples represent a subset of regulations that affect electronic mail administration and archiving. In spite of them, there is still a lack of leadership in the IT world over how best to protect companies against crimes and penalties.

Although these approaches were initially stimulated by the U.S. regulations, they have also been partially embraced by some companies in France, Germany and northern Europe. Asia-Pacific countries such as Japan and Singapore are beginning to adopt similar approaches to email archiving.

In a July 2004 report, Ferris stated that regulatory requirements such as HIPAA and GLBA are increasingly having “an impact on the way messaging managers must treat their organisations’ email. With requirements proliferating, administrators need to have a process to interpret the regulations and apply them to their email environments.”

As the November 15th 2004 deadline approaches for compliance with Section 404 of SOX, the main concerns regarding compliance have tended to focus on establishing the appropriate internal controls and processes governing financial reporting and disclosure. However, Ferris also found that in 2003 the majority of companies did not have archiving and retention policies in place, and that few enterprises regularly deleted mail on a scheduled basis.

How Email Security Services Help Meet Regulatory Requirements

That said, according to Gartner in November 2003, vendors are now beginning to offer what they characterise as “email active-archiving,” a new market segment that has emerged specifically to help solve these complex email management issues.

(This doesn’t refer to a specific report, rather an email active-archiving quadrant developed by Gartner).

Primarily aimed at the compliance requirements of the U.S. financial market, vendors in this category have focused on the capture of email messages for compliance with regulation from the SEC and NASD.

The best products in this market include tools for the auditing, sampling and supervision of messages to ensure that communication with customers meets legal guidelines. By providing a searchable archive of email messages across different time periods, they also let businesses reduce the size of the live email repository.

In particular, products able to track messages at the Internet or gateway level can capture all messages going into or out of the company regardless of the email application.

A failure to comply with these regulations, notably the requirement for businesses to protect emails that contain customer data, can introduce substantial risks. In particular, if confidential information is disclosed through email, a company’s credibility and reputation can be severely compromised.

As businesses acknowledge the duty of care they have toward employees, more widespread use of email management and scanning services can foster a safer working environment, and spam filtering can remove a large percentage of spam from the increasing volume of email that must be archived to meet these regulations.

The information relating to MessageLabs’ services contained in this report is based on data generated internally by MessageLabs and has not been subject to an independent review by a third party.

© MessageLabs 2005 Ltd. All Rights Reserved.