
Planning for Compliance

In document Exchange Server 2007 (Page 56-58)

Analysts estimate that as much as 75 percent of corporate documentation is created and communicated via email. No doubt, a significant amount of your organization’s intellectual property lives on its messaging servers.

In business today, email is often both the most common and the most preferred method of communication. As a corporate asset, email must be protected and in some instances regulated. Governments and corporate policy makers are defining regulations that affect email and the data it contains. The enforcement of these policies and regulations is known as compliance.

As mentioned in Chapter 2, organizations can no longer afford to simply ignore compliance with legal, regulatory, and corporate requirements regarding the production, handling, transmission, and retention of electronic messages. Every day, organizations receive demands to produce evidence for litigation or to provide documentation to regulatory agencies proving that they are complying with those agencies’ regulations.

Many organizations in the financial services, insurance, and health-care industries must maintain records of communication that occurs when employees perform daily business tasks.

Organizations that consider compliance when they plan their information technology infrastructures, including their email infrastructures, can supply the required documentation on demand with less effort. They can also comply with other regulatory requirements more easily.

Organizations that don’t consider compliance up front may find themselves sorting through millions of email messages manually, wasting time and money. Organizations can also be held legally responsible for not complying with laws or regulatory requirements.

Although an organization may have never been subject to litigation or may not be required to follow regulatory requirements, there’s a good chance that you handle private and confidential information that may be regulated by laws or regulations in your country or region. It’s important that you understand the laws and regulations that apply to your organization and take proactive steps to make sure that you comply with them.

Selected Laws Governing Electronic Records in Effect as of 2007

This list is by no means exhaustive; estimates are that the laws having some impact on electronic records, including international, federal, state, and local laws, number in the thousands.

◆ Sarbanes-Oxley Act of 2002 (SOX): A U.S. federal law that requires the preservation of records by certain exchange members, brokers, and dealers.

◆ Securities and Exchange Commission Rule 17a-4 (SEC Rule 17a-4): A U.S. Securities and Exchange Commission rule that provides rules regarding the retention of electronic correspondence and records.

◆ National Association of Securities Dealers 3010 & 3110 (NASD 3010 & 3110): The NASD requires that member firms establish and maintain a system to "supervise" the activities of each registered representative, including transactions and correspondence with the public. Also, NASD 3110 requires that member firms implement a retention program for all correspondence that involves registered representatives. These regulations affect primarily broker-dealers, registered representatives, and individuals who trade securities or act as brokers for traders who are subject to the regulations.

◆ Gramm-Leach-Bliley Act (Financial Modernization Act): A U.S. federal law that protects consumers’ personal financial information held by financial institutions.

◆ Financial Institution Privacy Protection Act of 2001: This law amends the Gramm-Leach-Bliley Act to provide enhanced protection of nonpublic personal information.

◆ Health Insurance Portability and Accountability Act of 1996 (HIPAA): A U.S. federal law that provides rights and protections for participants and beneficiaries in group health plans.

◆ Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (PATRIOT Act): A U.S. federal law that expands the authority of U.S. law enforcement for the stated purpose of fighting terrorist acts in the United States and abroad.

In addition to these U.S. laws and regulations, the following regulations also specify requirements that may rely on journaling technology:

◆ European Union Data Protection Directive (EUDPD): This directive standardizes the protection of data privacy for citizens throughout the European Union (EU) by providing baseline requirements that all member states must achieve through national implementing legislation.

◆ Japan’s Personal Information Protection Act: This act regulates the collection, use, and transfer of personal information into and out of Japan. The Personal Information Protection Act applies to government or private entities that collect, handle, or use the personal information of 5,000 or more individuals.

Exchange Server 2007 has been designed to help organizations meet compliance requirements and contains several features that help you capture email messages in a user mailbox and as they flow in, through, and out of the organization.

There are generally three broad areas of compliance requirements: information retention, access control, and data integrity.

The following list provides several examples of the areas where compliance expectations are increasing and should be planned for based on what you determined in your initial analysis:

Data retention policies: Many organizations are required to keep data for a specific time and then remove that data to protect privacy.

Privacy and confidentiality requirements: Organizations have to protect the privacy of individuals and the confidentiality of communications.

Ethical walls: Organizations that work with securities and other financial information are frequently required to prohibit communication between specific groups within their own organization.

Discovery requests: Organizations are sometimes subject to litigation. As part of this process, litigants can request information from each other. This information frequently comes in the form of email messages.

The following compliance features provide the tools to help you seamlessly manage messages in your organization:
