A growing nexus of government regulations and amendments – SEC, HIPAA, Sarbanes-Oxley, etc. – is bringing larger swathes of companies under its purview. These regulations require companies to retain electronic documents and communications, including email, for prolonged periods. Moreover, the demanded information has to be produced within days or weeks.
An additional factor that has made regulatory compliance relevant to companies across the board is the recent amendments to the Federal Rules of Civil Procedure (FRCP). The new amendments lay out the procedures for handling unstructured data (e-mails, IM, SMS messages), which has become very important in modern litigation. Electronic data needs to be found and presented to the Court within days, failing which the company is liable to be severely penalized, or even have its license revoked.
Given the popularity of email in organizations, the bulk of electronic data is in the form of emails. Email archiving or email compliance software allows for email records in an organization to be preserved, indexed and retrieved when required.
However, SMBs generally perceive that regulatory compliance, and hence email archiving software, mostly concerns financial institutions or large organizations. In fact, organizations of all sizes in health care, government, legal services, telecommunications and other industries also carry the burden of regulatory compliance. Moreover, pan-industry regulations like the Sarbanes-Oxley Act apply to all publicly traded companies.
Simplified Email Compliance for SMBs
HyperOffice provides email archiving and email compliance software with a special focus towards SMBs. You can easily store and secure all incoming and outgoing company emails for as long as you like, and be proactively prepared in an expanding and evolving regulatory landscape. Emails are tamper-proof, and irreversibly stamped with time and owner. Rich discovery tools allow you to search quickly for specific information across company inboxes in response to eDiscovery requests.
You get all this for none of the costs normally associated with on-premises email archiving software. All you need to do is pay an inexpensive monthly fee, while we host and manage the solution for you.
The Regulatory Landscape
The following are the major regulations and Acts which affect SMBs, and their specific requirements:
SEC Rule 17a-4 is the most stringent government regulation and applies to all financial services companies. Electronic documents, including email, have to be preserved by these companies for at least 6 years. Although SEC doesn’t mandate that all email communications be preserved, it covers important communications pertaining to securities transactions, trade confirmations, monthly statements, etc. relating to the broker-dealer’s business internally, to customers, or to the general public.
To be fully compliant with this regulation, companies need to secure all electronic records in tamper-proof form, store all records in original and duplicate form, and be able to present records on immediate request. Hence, SEC email compliance requires companies to preserve company emails for a period of at least six years.
NASD 3010 & 3110
The National Association of Securities Dealers is a self-regulatory organization of the securities industry, responsible for the operation and regulation of the Nasdaq stock market and over-the-counter markets. It regulates and develops rules for securities firms for the benefit of investors. Specifically, Rules 3010 and 3110 govern the behavior of registered representatives of securities firms. NASD requires these firms to supervise representatives’ activity, including incoming and outgoing email correspondence. Firms must retain correspondence of registered members, including emails, pertaining to investment banking or securities business, in line with the requirements of SEC 17a-4.
The Sarbanes-Oxley Act (H.R. 3763) of 2002
The Sarbanes-Oxley Act of 2002 applies to all publicly traded US companies, large or small, which list on US stock exchanges. It also covers financial services companies, CPAs and CPA firms, as well as attorneys of publicly traded companies. The purpose of Sarbanes-Oxley is to ensure transparency in corporate governance and financial reporting.
Section 802 of the Act requires every accounting firm that audits public companies to maintain its audit documents, including email, for a minimum of seven years. Section 302 requires the management of a public company to personally certify and attest to the accuracy of the company’s financial statements contained in periodic reports. Section 404 requires auditors to certify the underlying controls and processes that companies use to reach financial results. Sections 302 and 404 both require proof that a company’s reported financial information can be relied on – and require companies to invest in procedures that ensure information is recorded and managed in a trustworthy manner.
Sarbanes-Oxley compliance therefore requires affected companies to retain a record of internal and external communications, including email, for a period of 7 years. Willful concealment or destruction of records can attract heavy financial penalties and even criminal proceedings, which can result in imprisonment for prolonged periods.
The HIPAA (Health Insurance Portability and Accountability Act) establishes standards for the privacy of individuals and their health records, giving patients greater access to their personal medical documents and control over how their personal information is used by health organizations. It covers providers of health plans, clearinghouses, certain healthcare providers, and prescription drug card sponsors (Medicare). HIPAA rules seek to ensure that medical records, including e-mail records, are better stored and organized for the benefit of patients. Organizations are required to safeguard patient records containing PHI (protected health information), in other words, health information which is individually identifiable. To be HIPAA email compliant, affected companies need to secure email messages and servers, protect them from unauthorized access, and ensure that senders and receivers of emails are verifiable. Although data encryption is not mandatory under HIPAA, it is an “addressable” issue.
Food and Drug Administration Enforcement Policy 21 CFR Part 11
This relates to pharmaceutical companies, and implies that under certain circumstances, electronic records should be treated as equivalent to paper documents, with electronic signatures having the same legal value as handwritten signatures. The rule requires that all electronic records, including email, have a time-stamped audit trail and a unique fingerprint.
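The tamper-proof, time- and owner-stamped records described in the HyperOffice section above, and the time-stamped audit trail with a unique fingerprint that 21 CFR Part 11 calls for, can both be met with the same mechanism: a content hash per message plus a hash chain across archive records. The following is an added example written for this page, not HyperOffice’s software or any vendor’s code; the messages, owners and timestamps are constructed sample data, and the `EmailArchive` class, its methods and the hypothetical in-memory storage are assumptions for illustration.

```python
"""Added example (not HyperOffice's code): a minimal tamper-evident email archive.

Each archived message gets an immutable record holding the SHA-256 fingerprint of
its raw bytes, the archive timestamp and the mailbox owner. Each record's own hash
also covers the previous record's hash, so altering a stored message, editing a
record's metadata, or dropping a record breaks the chain on verification.
"""
import dataclasses
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional

GENESIS = "0" * 64  # chain anchor for the very first record


@dataclass(frozen=True)
class ArchiveRecord:
    seq: int
    owner: str            # mailbox the message was archived from
    archived_at: str      # ISO-8601 UTC timestamp applied at ingest
    fingerprint: str      # SHA-256 of the raw message bytes
    prev_hash: str        # record_hash of the preceding record (GENESIS for seq 0)
    record_hash: str      # SHA-256 over all of the fields above


def _record_hash(seq: int, owner: str, archived_at: str, fingerprint: str, prev_hash: str) -> str:
    # Canonical JSON so the hash is stable regardless of how fields are stored
    payload = json.dumps([seq, owner, archived_at, fingerprint, prev_hash]).encode()
    return hashlib.sha256(payload).hexdigest()


class EmailArchive:
    """Hypothetical in-memory archive; a real deployment would persist to WORM storage."""

    def __init__(self, clock: Optional[Callable[[], str]] = None):
        self.records: List[ArchiveRecord] = []
        self.messages: List[bytes] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def ingest(self, raw_message: bytes, owner: str) -> ArchiveRecord:
        seq = len(self.records)
        archived_at = self._clock()
        fingerprint = hashlib.sha256(raw_message).hexdigest()
        prev_hash = self.records[-1].record_hash if self.records else GENESIS
        rec = ArchiveRecord(seq, owner, archived_at, fingerprint, prev_hash,
                            _record_hash(seq, owner, archived_at, fingerprint, prev_hash))
        self.records.append(rec)
        self.messages.append(raw_message)
        return rec

    def verify(self) -> Optional[int]:
        """Return None if the archive is intact, else the seq of the first bad record."""
        expected_prev = GENESIS
        for rec, msg in zip(self.records, self.messages):
            if rec.prev_hash != expected_prev:               # a record was removed/reordered
                return rec.seq
            if hashlib.sha256(msg).hexdigest() != rec.fingerprint:   # message body changed
                return rec.seq
            recomputed = _record_hash(rec.seq, rec.owner, rec.archived_at,
                                      rec.fingerprint, rec.prev_hash)
            if recomputed != rec.record_hash:                # time/owner stamp edited
                return rec.seq
            expected_prev = rec.record_hash
        return None

    def search(self, needle: bytes) -> List[int]:
        """Case-insensitive discovery search over raw message bytes; returns matching seqs."""
        return [rec.seq for rec, msg in zip(self.records, self.messages)
                if needle.lower() in msg.lower()]


# Constructed sample messages, not real correspondence
SAMPLE_MESSAGES = [
    (b"From: alice@example.com\r\nSubject: Trade confirmation 1001\r\n\r\nConfirmed 100 shares.", "alice@example.com"),
    (b"From: bob@example.com\r\nSubject: Monthly statement\r\n\r\nStatement attached.", "bob@example.com"),
    (b"From: alice@example.com\r\nSubject: Re: Trade confirmation 1001\r\n\r\nThanks.", "alice@example.com"),
]


def build_sample_archive() -> EmailArchive:
    stamps = iter(["2024-01-01T09:00:00+00:00", "2024-01-01T09:05:00+00:00",
                   "2024-01-01T09:10:00+00:00"])  # constructed, deterministic clock
    archive = EmailArchive(clock=lambda: next(stamps))
    for raw, owner in SAMPLE_MESSAGES:
        archive.ingest(raw, owner)
    return archive


def demo():
    """Intact chain, a discovery search, then detection of a modified message body."""
    archive = build_sample_archive()
    intact = archive.verify()                       # None: every record checks out
    hits = archive.search(b"trade confirmation")    # [0, 2]
    archive.messages[1] = SAMPLE_MESSAGES[1][0].replace(b"attached", b"deleted")
    after_tamper = archive.verify()                 # 1: fingerprint no longer matches
    return intact, hits, after_tamper


def metadata_tamper_seq() -> Optional[int]:
    """Rewriting the owner stamp on record 0 is caught by its record hash."""
    archive = build_sample_archive()
    archive.records[0] = dataclasses.replace(archive.records[0], owner="mallory@example.com")
    return archive.verify()                         # 0


if __name__ == "__main__":
    print(demo(), metadata_tamper_seq())
```

The fingerprint answers "is this the message that was archived?", while the chained record hash answers "has the timestamp, owner or ordering been changed since?". Binding the time and owner into the record hash is what makes the stamp irreversible in practice; storing the chain head on write-once media or with a third-party timestamping service would complete the picture for an auditor.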
On December 1, 2006, amendments to The Federal Rules of Civil Procedure (FRCP) went into effect. These amendments deal with the conduct of all civil suits brought in Federal district courts and include specific guidelines for discovery and disclosure. They apply to any organization which may be subject to litigation in a US court of law. The new amendments state that both parties involved in any court hearings have 30 days to determine how to give access to data for the purpose of gathering evidence for the case. Organizations must know where their electronic data is, including emails; how to retrieve it; and how to meet data requests. To be FRCP compliant, companies need to have procedures and systems in place to ensure secure storage and prompt retrieval.