EMAIL COMPLIANCE - WHAT TO CONSIDER
Communications with customers, patients and other entities are
coming under regulatory scrutiny in many industries. These
regulations govern what should (and should not) be said in
emails, how the emails should be stored and for how long. This
affects banking, securities, hedge funds, healthcare,
pharmaceutical, government, legal and many other industries.
These regulations are taxing IT and Compliance departments, and
new vendors are addressing the compliance issue with a variety
of tools that cover all, most or some of the regulations.
Banking
The Gramm-Leach-Bliley Act (GLBA) regulates how financial
services firms protect customers' personal financial
information. The FDIC Advisory on the Information Technology
Risk Management Program requires encryption of electronic
customer information while in transit or in storage. The OCC
Advisory on Electronic Record Keeping stipulates that banks
should implement an electronic retention system ensuring the
security and compliance of customers' records, including
communications.
Securities
Members of national securities exchanges, brokers and dealers
are obliged to preserve all records for a minimum of six years,
the first two years in an easily accessible place (SEC Rule
17a-4). The affected records are broad and encompass originals
of communications generated and received by individuals within
financial institutions, including inter-office memoranda and
internal audit working papers. Also included are automated
messages sent to all customers, which could include email
blasts.
Hedge Funds
The U.S. Securities and Exchange Commission (SEC) has imposed
regulations on private investment pools, also known as hedge
funds. The ruling requires that most hedge fund advisers
register with the SEC under the Investment Advisers Act of 1940,
which includes provisions for securing, managing and archiving
all electronic communication, including email and instant
messages.
Accounting
The Sarbanes-Oxley (SOX) Act of 2002 was passed by the U.S.
Congress in response to major corporate and accounting scandals
including Tyco, WorldCom and Enron. It establishes strict
policies governing the retention and maintenance of records and
supporting correspondence (audit work-papers, memoranda,
correspondence and electronic records, including email, for a
period of seven years) by publicly-traded companies. It is
expected that some version of SOX will be extended to
non-profits in the near future.
Healthcare
The Health Insurance Portability and Accountability Act (HIPAA)
encourages the widespread adoption of electronic transmission of
patient health data and mandates the use of security measures
like encryption to protect electronic health information from
unauthorized access while being transmitted over electronic
networks.
It also mandates that covered entities retain, for six years, a
broad range of documentation regarding their compliance.
Pharmaceutical
21 CFR Part 11 was enacted by the Food and Drug Administration
(FDA) in an effort to ensure that electronic media provide the
same level of data integrity as the paper-based storage and
retrieval systems they are increasingly replacing. It defines
strict rules for the use of electronic signatures and electronic
records.
All Industries
The Federal Rules of Civil Procedure (FRCP) pertain to how
litigants must respond to electronic discovery (eDiscovery)
requests in federal court cases. These amendments have placed
vitally important demands on all companies, and in some cases
even individuals, to look at how they store their electronic
data, for how long, and in what forms.
As indicated earlier, there are a number of tools on the market
to assist a company in meeting these regulations. The particular
regulation can dictate the functionality you need in a solution,
but in general the following characteristics will provide a
cost-effective approach for all regulations:
- Surveillance of incoming and outgoing emails for keywords
- Archived emails are searchable by email address, keywords,
date, etc.
- Emails can be deleted only after a specific period of time
- Information is secure and privacy concerns are addressed
- Monitor multiple languages
- Include all web traffic, including email, instant messaging,
Twitter, other social networking media, critical applications,
etc.
- Total cost of ownership
You must consider the total cost
of ownership and not just the external cost of the vendor. The
costs of discovery can be high, the costs of not being able to
produce the information in a timely manner even higher.
The return on investment can be surprising, especially for a
"cloud" based solution. Factors used in determining a return on
investment include:
- Cost of electronic discovery (some companies can justify the
solution on 3 inquiries per year)
- Staff for IT administration
- General increase in employee productivity
- Regulatory fines and penalties
- Reputation risk
Below
is a matrix of some vendors that provide solutions in this
space.
| Feature | MessageWatcher | FrontBridge | Symantec | Autonomy Corp | Digital InfoSecurity | Smarsh | ZipLip | AdvisorMail | Global Relay | Postini | ProofPoint | NetSentry |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Email Archive | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
| Email Surveillance | √ |   | √ |   | √ | √ | √ | √ | √ | √ | √ | √ |
| Hosted Solution | √ | √ | √ | √ | √ | √ |   | √ | √ | √ | √ |   |
| In-House Solution | √ |   | √ | √ |   |   | √ |   |   |   |   | √ |
| PCI Compliant Solution | √ |   |   |   |   |   |   |   |   |   |   |   |
| Instant Messages integrated with Email Archive | √ |   |   |   |   | √ | √ |   | √ |   |   | √ |
| Twitter integrated with Email Archive | √ |   |   |   |   | √ | √ |   |   |   |   | √ |
| Facebook integrated with Email Archive | √ |   |   |   |   | √ | √ | √ |   |   |   | √ |
| LinkedIn integrated with Email Archive | √ |   |   |   |   | √ | √ | √ |   |   |   | √ |
| All Web traffic |   |   |   |   |   |   |   |   |   |   |   | √ |
| Works with Novell Groupwise | √ |   |   |   |   |   |   |   |   |   |   | √ |
| Works with Exchange | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
| Works with Linux | √ |   |   |   | √ | √ | √ | √ | √ | √ | √ | √ |
| Pre-Populated Policies | √ |   |   |   | √ | √ |   | √ |   |   |   |   |
| Import Old Email Files (.pst, .edb, etc.) | √ | √ | √ | √ |   | √ | √ | √ | √ |   |   | √ |
| Keywords and Phrases Searching | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ | √ |
| Role-Based administration | √ | √ | √ | √ | √ | √ | √ | √ |   |   | √ | √ |
| Spam Filtering | √ | √ | √ |   | √ | √ | √ | √ | √ | √ |   |   |
| Virus Protection | √ | √ | √ |   | √ | √ | √ | √ | √ | √ |   |   |
Note: Visage does not have intimate knowledge of each of these
vendors or their products. This matrix was compiled by
interpreting the websites of the majority of these vendors.
Visage would like to highlight two vendors we have knowledge of
that have some functionality overlap but address the market from
different angles. Both have "try before you buy" programs and
are cost effective.
MessageWatcher
is a robust system that addresses the compliance and
productivity needs of most organizations. They offer both an
on-premise and cloud solution.
NetSentry is a fairly new entry into the market that uses
well-established technology that has been used by thousands of
organizations in the international market. Since they capture
and replay virtually all internet traffic, this solution is
tailored for those who have more digital forensics (IP
protection, employee performance) concerns.
Contact
Visage Solutions today to see how we can assist you with
this and other compliance matters.
_________________________________________________________________________
About Visage Solutions - www.VisageSolutions.com
Visage Solutions is a consulting company operating in the areas
of regulatory compliance, risk assessment, information security,
risk management and compliance processes. Utilizing our
proprietary SingleVue™ and OpsAudit™ methodologies, the company
focuses on assisting business entities in mitigating operational
risk. Visage has provided solutions to a client base ranging
from private, entrepreneurial companies to large multinationals.
Our team is comprised of experienced executives, managers and
consultants who can assist clients with the development,
implementation and execution of their risk management and
compliance strategy.