There is no question that email has become the information medium of choice for both private citizens and businesses. Ever since the first commercial email found its way to the Internet back in 1988, the technology landscape has never been the same. Email is unquestionably the most popular global Internet-based application ever.
So people in business send email; what’s the big deal? Nobody dies from email, email hasn’t been accused of causing cancer (yet), and the Roman Empire did not fall because of email. The problem is that 70% of employees have admitted to sending company private information out to the Internet through email. The average employee will spend approximately 2.2 hours per day responding to or sending email. While this figure should be alarming on its own, if you extrapolate it over a year you will see that it equals over 70 full 8-hour days. That is 34% of an employee’s time spent dealing with email. Now figure in the fact that 25-30% of all email leaving your company is of a personal nature, and that an astounding 50% of employees report receiving “inappropriate” email at work. Then take those figures and factor in the fact that 27% of Fortune 500 companies have had to defend themselves in court over sexual harassment charges stemming from inappropriate email.
So what does all of this have to do with compliance? Several mandates have been put in place dating back to the mid-90s. In 1996 the Health Insurance Portability and Accountability Act (HIPAA) was enacted by President Clinton. There are two “rules” in HIPAA that affect email: the Security Rule and the Privacy Rule. The basic tenet of the Security Rule is information security “best practices”. The Privacy Rule is mostly mirrored within the Security Rule and won’t be discussed in this article. The Security Rule is broken down into three basic sections: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. “How does this relate to email?” you ask. Given that 70% of employees have admitted to emailing company information, this is very important: you could lose your HIPAA compliance with poor email safeguards in place. A patient could have their identity stolen if their personal information were made public. The professional image you strive to uphold could be dashed to pieces by one quick click of the “send” key. For more information on HIPAA visit:
http://www.cms.hhs.gov/HIPAAGenInfo/
The Gramm-Leach-Bliley Act (GLBA) is the regulation that governs the financial industry. The general idea behind GLBA is to ensure the privacy and security of all non-public personal information (NPI). Like HIPAA, the GLBA has two rules that affect personal financial information: the Financial Privacy Rule and the Safeguards Rule. While not as granular as the HIPAA Security Rule, the Safeguards Rule is a good framework on which to build both email and security standards for financial institutions. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions. The main portion of the Safeguards Rule centers on confidentiality, integrity, and information availability. It also includes provisions for administrative, physical and technical safeguards. For more information on GLBA visit:
http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
There are also other laws that affect email security. The Sarbanes-Oxley Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 (SOX or SarbOx), is governed by the Securities and Exchange Commission (SEC). From Enron to Tyco International to WorldCom, scandals eroded public trust in accounting and reporting practices, resulting in this new federal law. Section 404 of SOX deals with a Management Assessment of Internal IT Controls, while Section 802 deals specifically with policies and standards on record retention, protection, online storage, audit trails and more. Additionally, the quality of your records management and transactional communications (which include email, instant messaging and spreadsheets) could fall under scrutiny. These items must be retained for at least six years and must remain in their original state; tampering with documents that are covered under SOX is a violation of Chapter 73 of Title 18 of the United States Code, which is a federal law, by the way. For more on SOX visit:
http://www.sarbanes-oxley.com/
There are several other laws that may apply to your business: SEC Rule 17a-4 and NASD Rules 3010 and 3110, for example. The NASD rules require that members of the National Association of Securities Dealers, Inc. (NASD) retain correspondence (including email) of registered representatives relating to their investment, banking or securities business. Records are required to state the names of the persons who prepared and reviewed the outgoing correspondence and MUST be available to the NASD upon request. For more information on the SEC visit:
http://www.sec.gov
The bottom line is that nobody likes to have Big Brother breathing down their neck. Nobody likes having this much legislation wrapped around our businesses day in and day out. In fact, if you do business internationally, you may be required to comply with other countries’ standards as well as these. The other fact is that these regulations are most likely going to expand in this country, and possibly in other countries. With the global horizon shrinking and business stretching beyond our shores, we have to make sure that we do things correctly. If it means that I put some additional controls in place to ensure that my customers’ identities are safe, then it is no longer Big Brother; it is Better Business.
Doug Finch
Support Director
Bynari Inc.